RBVI's Virtual Private Network (VPN) "How To" Guide
In order to provide secure access to our Resource Center and associated computer services, the RBVI has installed hardware to support Virtual Private Network (VPN) connections from anywhere on the Internet. The RBVI VPN service allows secure, reliable, encrypted, high-performance remote access to the RBVI and other UCSF restricted sites (e.g., certain RBVI computing resources, UCSF Library databases and journals).
The first step to setting up a VPN connection is to confirm you have a valid login. Authentication to the RBVI VPN is accomplished via Kerberos, a secure network authentication system. To confirm your Kerberos password is working correctly, visit the Kerberos Authentication Test web page. If you have problems getting Kerberos authentication to work for you, please send e-mail to firstname.lastname@example.org.
Select your OS:
OSX 10.6 and later
(Note that you can set up a VPN connection on an iPhone in a similar manner as described here. Just go to Settings --> General --> Network --> VPN --> Add VPN Configuration.)
Open System Preferences --> Network, then click the plus sign to create a new service. Choose VPN as the interface and Cisco IPSec as the VPN type, then enter "RBVI VPN" as the service name.
You should now see a new interface in the left window pane named "RBVI VPN". Highlight this interface to display the configuration fields and enter the following information:
Server Address: vpn.cgl.ucsf.edu
Account Name: ***Your RBVI Username***
Password: leave this blank
Also check the box that says "Show VPN status in menu bar". Now click on Authentication Settings to access the Machine Authentication screen. Select Shared Secret and enter the Shared Secret provided by this link. Then enter "rbvi_vpn" in the Group Name field. Finally click on OK, and then Apply.
Since you checked the "Show VPN status..." box, an icon will now be displayed on the right hand side of the top menu bar, next to the Bluetooth icon (it sort of looks like a miniature luggage tag). If you click on this icon, the first item should be "Connect to RBVI VPN." Just select that and type your password in the panel that pops up. Upon successful authentication a welcome screen will appear indicating you've connected to the RBVI VPN. To disconnect an active VPN connection, click on the same menu bar icon and select Disconnect.
The network VPN settings are on a per-computer basis. So if a different user on your Mac tries to connect to the RBVI VPN, a panel will pop up defaulting to your user ID. Other users can't connect without a password (that's why you left the password field blank in the configuration steps above), so it's no big deal. Just something to be aware of.
Bring up the Windows 10 Settings and select Network & Internet. On the Network & Internet dialog, you should see VPN as an option on the left. Select that and click on Add a VPN connection (Figure 1). This will bring up a dialog that creates the initial connection:
Fill in the form as follows (Figure 2):
- VPN provider: Windows (built-in)
- Connection name: RBVI VPN
- Server name or address:
- VPN type: Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec)
- Type of sign-in info: User name and password
- User Name (optional): ***Your RBVI Username***
- Password (optional): leave blank
Then hit Save. This will save the initial configuration, but not enough to complete the connection.
Once you have created the initial VPN connection, under Related settings you should see Change adapter options. Select that to bring up the Network Connections section of the control panel. Now, right click on the VPN connection you created (should be called RBVI VPN) and bring up the Properties (Figure 3).
Go to the Security tab of the Properties sheet (Figure 4) and click on Advanced settings. In the Advanced settings dialog, select Use preshared key for authentication, enter the key provided by this link, and click OK. Then, under the Authentication section of the Security tab in the Properties dialog, click on Allow these protocols and select only Unencrypted password (PAP) (your password will be encrypted when it is sent, but needs to be the clear-text password for us to verify it on the server). Finally, click OK.
To connect the VPN, just right-click on the connection and select Connect/Disconnect to get back to the Settings dialog. Once there click on Connect, provide your username and password and you should be able to connect.
Windows 7 requires installation of a separate application. Download the Cisco VPN Client zip file for Windows to a temporary location on your system, then double click on the downloaded file to unzip and follow the usual installation instructions.
Start the Cisco VPN Client
Navigate to Start -> All Programs -> Cisco Systems VPN Client -> VPN Client to start up the Client.
Import RBVI specific profile
Download the RBVI profile file to a temporary location from here, then import it into the client by clicking on the Import icon. A panel will appear that allows you to select the downloaded file for importing:
Check Transport settings in RBVI profile
Ensure that the Transport setting is using UDP by clicking Modify in the Cisco client:
This will bring up a new panel where you can verify under the Transport tab that "IPSec over UDP (NAT/PAT)" is selected. After confirming, click on Save which will return you to the Cisco Client window:
Windows - Starting VPN session to the RBVI VPN
Select the "RBVI" Connection Entry in VPN Client window and click on the Connect icon. (Users who have previously installed the Cisco VPN client to connect to other servers may have more than one entry in the Connection Entry table.)
A Login panel should appear. Enter your username and Kerberos password to start the VPN session. Status messages will appear at the bottom of the client window indicating negotiation and connection set up. Afterwards a panel will pop up, welcoming you to the RBVI VPN server. This indicates the connection has succeeded.
While NetworkManager provides support for VPNs, we have been unable to make it work. Therefore, we recommend using the vpnc and vpnc-script packages from your local package manager. Once these have been installed, create a file in /etc/vpnc/ called rbvi.conf, or any name that makes sense to you. The contents of the file should look something like:
IPSec gateway vpn.cgl.ucsf.edu
IPSec ID rbvi_vpn
IPSec secret <enter the secret from here>
Xauth username <your user name>
Then, to connect to the VPN, type:
sudo vpnc /etc/vpnc/rbvi.conf
and enter your password when prompted. To disconnect the VPN, just do
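
The vpnc profile above stores the group shared secret in a plain file, so it should be readable by its owner only and should not also hold your password. The following is an added example, not part of the original guide: write_profile and audit_vpnc_conf are hypothetical helper names, and the owner-only (0600) file mode is an assumption the guide does not state.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not part of vpnc or the guide.

# write_profile FILE USER: reads the shared secret from stdin (keeps it out of
# argv and shell history) and writes the guide's four directives, owner-only.
write_profile() {
    ( umask 077                          # a new file is created as 0600
      IFS= read -r secret
      printf '%s\n' "IPSec gateway vpn.cgl.ucsf.edu" "IPSec ID rbvi_vpn" \
          "IPSec secret $secret" "Xauth username $2" > "$1"
      chmod 600 "$1" )                   # also tightens a pre-existing file
}

# audit_vpnc_conf FILE: prints findings; returns 0 clean, 1 findings, 2 no file.
audit_vpnc_conf() {
    conf=$1
    rc=0
    [ -f "$conf" ] || { echo "FAIL: $conf not found"; return 2; }

    # Each directive from the guide must appear exactly once, with a value.
    for key in "IPSec gateway" "IPSec ID" "IPSec secret" "Xauth username"; do
        n=$(grep -c "^$key [^ ]" "$conf" || true)
        [ "$n" -eq 1 ] || { echo "FAIL: want one '$key' line, found $n"; rc=1; }
    done

    # Template text pasted from the guide without being filled in.
    if grep -q -e '<enter the secret' -e '<your user name>' "$conf"; then
        echo "FAIL: placeholder left in file"; rc=1
    fi

    # The guide has you type the password at the prompt; do not store it.
    if grep -qi '^Xauth password' "$conf"; then
        echo "FAIL: Xauth password stored in file"; rc=1
    fi

    # The file holds the group shared secret: no group/other permission bits.
    mode=$(stat -c '%a' "$conf" 2>/dev/null || stat -f '%Lp' "$conf")
    case $mode in
        *00) ;;
        *) echo "FAIL: mode $mode, run: chmod 600 $conf"; rc=1 ;;
    esac
    return $rc
}
```

Because vpnc is started with sudo, a profile owned by root with mode 600 is still readable when you connect.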