Change to Campus Remote Access VPN IP Address Ranges

March 14, 2018

The IST-Telecommunications networking group will begin piloting the new bSecure Campus VPN service in the coming weeks. Eventually, this service will become the replacement for the existing Cisco AnyConnect based Campus Remote Access VPN service.

For the time being the pilot will be opt in, with certain groups within IST and some departments testing the new service. In order to smooth the transition we'd like to make everyone aware of the Campus VPN service IP address ranges. Some IT services on campus employ these address ranges in firewall rules and other access controls, and we'd like to ensure that as we transition, administrators of those services have as much time as necessary to make required adjustments to any rules they have.

The network team has address ranges allocated for use by remote access VPN services, which have been published in the past. The existing Remote Access VPN service uses a subset of those addresses, and these ranges have also been published. In order to clarify the addressing of these services, you will find below the existing VPN service address ranges, the new Campus VPN Service address ranges and the overall set of addresses in which the networking group deploys VPN services.

We encourage anyone who restricts network traffic based on VPN address ranges to verify their firewall and other access lists and controls to make sure they are up to date. If you currently permit all Berkeley campus address ranges, these services are already covered by those rules, and you probably do not need to take any action.

Campus Remote Access VPN

Split Tunnel IPv4 Users - 10.136.10.0/23
Full Tunnel IPv4 Users - 136.152.208.0/23
IPv6 Users - 2607:f140:800:80::/64

If you have firewall rules explicitly permitting the above address ranges, you should add the following:

New bSecure VPN Services

On Campus IPv4 - 10.136.64.0/18, 10.136.16.0/21
Off Campus/NAT Pool - 136.152.210.0/25, 136.152.210.128/25
IPv6 - 2607:f140:800:1::/64, 2607:f140:800:2::/64

Overall, the network group deploys remote access VPN services in the following address ranges:

RFC 1918 IPv4 - 10.136.0.0/16
Globally Routable IPv4 - 136.152.208.0/22
IPv6 - f607:f140:800::/48

The information above is also published at https://ucb.service-now.com/kb_view.do?sysparm_article=KB0012280.

Global address group objects will be made available in Panorama for those who have transitioned to the bSecure Data Center Firewall Service.

Any questions regarding the information above can be directed to the networking group by contacting Campus Shared Services:
Phone: (510) 664-9000
Email: itcsshelp@berkeley.edu
https://sharedservices.berkeley.edu/

More information on the bSecure project is available at https://bsecure.berkeley.edu/ and queries may be directed to bsecure@berkeley.edu.