

RBVI's VPN (Virtual Private Network) Setup Guide

Introduction and Account Setup

In order to provide secure access for remote "mobile" users to our NIH-supported Resource Center and the associated computer services and data we provide, the RBVI maintains a hardware appliance (called "hal2") to support secure, fast, and encrypted VPN connections. RBVI's VPN uses the IPsec suite of protocols. Access requires a VPN user name/password and the installation of a "mobile vpn profile" as described below.

The first step in setting up a VPN connection is to obtain a VPN user name and initial password. (You'll need to do this even if you've been using our old VPN system.) Send email to vpn-user@cgl.ucsf.edu requesting this. In most cases, the VPN user name assigned to you will be the same as your RBVI/Wynton user name. After receiving confirmation that your account is set up, you will need to log in to the RBVI's host plato and set a password of your choice. You will not be able to use the VPN until you have done so.

If you haven't logged into RBVI or Wynton recently and want to confirm your Kerberos credentials are working correctly, visit the Kerberos Authentication Test web page. If you have problems getting Kerberos authentication to work for you, please send email to kerberos-help@cgl.ucsf.edu.

Once you receive email with your assigned VPN user name, log on to host plato.cgl.ucsf.edu and execute the command "vpnpasswd". You will be prompted for a new password, which must adhere to the UCSF Enterprise Password Standard. Your password must be changed at least annually. It is important that you choose a different password than your existing RBVI/Wynton password in order to keep your account as secure as possible. It may take up to 10 minutes for your new password to propagate onto the VPN server.

Next, install a Mobile Client Profile onto your computer using the instructions given here:

(Platforms not listed here are not supported)

Known Problem: On at least some clients (macOS for sure, but maybe others) the connection resets after 8 hours. The connection should automatically renew without user intervention after 8 hours, but that isn't happening.


Two-Factor Authentication (2FA)

As of 2/18/22, Duo 2FA is required to log in to the RBVI VPN. Duo is the same 2FA used by the UCSF campus, of course, but the RBVI VPN uses a Duo account named "UCSF PharmChem" instead of the campus "UCSF" account. (If you access either the Wynton cluster or RBVI's Plato cluster from outside of UCSF, then you already have the PharmChem account installed in your phone's Duo app.) With 2FA when you connect to the VPN you will receive a notification on your phone/tablet asking you to confirm that it's you attempting to connect. You then just click on the Duo "OK, it's me" box and your VPN connection will complete. That's all there is to it!

Testing your account: If you want to test the PharmChem 2FA Duo account, try using the ssh or scp applications to access plato.cgl.ucsf.edu from a location outside of UCSF. You'll first need the Duo app installed on your phone or tablet of course. This campus IT Multi-factor Authentication page describes how to do that. Once registered with Duo and if the PharmChem account is not set up on your device, then when you try to ssh/scp to plato Duo should pop up and tell you that you need a PharmChem account to continue. Follow the instructions Duo provides and you should be able to successfully connect to plato using 2FA. If you take too long completing the setup steps you may need to try connecting again because the connection request times out after a while (30 seconds?).


Profile Installation: macOS 10.13 (High Sierra) and later

(The user interface changed slightly in macOS 12 (Monterey), so be sure to note the differences below.)

  1. Download this Mobile Profile (You'll need to use your RBVI/Wynton user name and password to access this file. If the file appears in your browser as an xml document, right-click on the page and select Save Page As..., and then delete the ".xml" file suffix if it was added by your browser.)
  2. Open a Finder window and locate the file, then double-click on it.
  3. On macOS 10.13 a Profiles window should pop up; click on Continue. An Are You Sure dialog will appear; click on Continue. An Enter Settings dialog will appear; enter your VPN user name but leave the password field blank, then click on Install and, when prompted, enter the administrative password for your computer to install the new profile. Navigate to System Preferences→Network, locate "RBVI VPN (hal2)" in the left hand panel and highlight the entry. If not already checked, click on the box "Show VPN status in Menu bar" and then click Apply.
    On macOS 12 (Monterey) you instead need to open System Preferences after double-clicking on the file you downloaded. Click on the Profile icon, select the "RBVI VPN (hal2)" entry and click on Install. Next click on the Network icon in System Preferences, then find the "RBVI VPN (hal2)" entry in the list of networks and click on it. Click on Authentication Settings and select Username from the list. Enter your VPN user name but leave the password field blank, then click on OK followed by Apply.
  4. Since you checked the "Show VPN status..." box in the previous step, an icon should now be displayed on the right hand side of the top menu bar, typically next to the WiFi icon (it looks similar to a miniature luggage tag). If you mouse down on this icon and select "Connect RBVI VPN (hal2)" you should be prompted to provide your VPN password. A Duo 2FA alert should then pop up on your phone asking you to verify that it's really you logging in. If your computer successfully connects, the Status line will say "Connected" and the Connect Time will increment each second as long as your connection remains active. To disconnect an active VPN connection, click on the same menu bar icon and select Disconnect.

Known to work on: macOS 10.13 (High Sierra), 10.14 (Mojave), 10.15 (Catalina), 11 (Big Sur) and 12 (Monterey).


Profile Installation: iOS 13 and later

  1. Send yourself an email with the same Mobileconfig Profile downloaded in step #1 above
  2. Open the email on your iOS device and tap the attached profile. A Profile Downloaded panel should pop up that directs you to the Settings app. Tap on Close to dismiss the popup.
  3. Navigate to Settings→General→Profile→RBVI VPN (hal2) and tap on Install. You will be prompted to enter your device's passcode.
  4. A Warning screen will appear, warning you that the certificate "VPNCA" is about to be added to your list of trusted certificates. Tap on Install.
  5. An Enter Username screen will appear. Enter your VPN user name and tap on Next.
  6. You will be prompted to enter your password. Enter your VPN password and tap on Next.
  7. A Profile Installed confirmation screen will appear. Tap on Done.
  8. To start the VPN connection, navigate to Settings→VPN and tap on the Not Connected switch icon. The switch icon will change to green and a box labeled "VPN" will appear in the top right corner of the screen.
  9. To stop the VPN connection, navigate to the same VPN screen and tap on the Connected icon. The icon will turn gray and the status will change to Not Connected.

Known to work on: iPadOS 13.7 and 14.2


Profile Installation: Windows 10

  1. Download this Mobile Profile to your Downloads directory (you'll need to use your RBVI/Wynton user name and password to access this file).
  2. Extract the contents of the zip file (right click and choose "Extract All..."). This will create a directory named RBVI_VPN_(hal2) that contains two files: add_pfSense_vpn_client.ps1 and a certificate file.
  3. Run Windows PowerShell as administrator (find the icon in the Start menu and click "Run as Administrator"). The title bar of the PowerShell window should say "Administrator: Windows PowerShell".
  4. In the PowerShell window, navigate to the RBVI_VPN_(hal2) directory:
    cd "$env:userprofile\Downloads\RBVI_VPN_(hal2)"
  5. For this PowerShell window only, allow unsigned PowerShell scripts to run:
    Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
     
    and answer "Y" when asked if the execution policy should be changed.
  6. Run the add_pfSense_vpn_client.ps1 PowerShell script:
    .\add_pfSense_vpn_client.ps1
  7. Your VPN connection is now set up.
  8. To start or stop the VPN connection, click on the network icon in the task bar or navigate to Settings / Network & Internet / VPN and click on RBVI VPN (hal2). Then either click on Connect to start connection or Disconnect to end a connection.


Profile Installation: Linux

  1. Download the Hal2 certificate
  2. On your linux machine, install the following packages:
    • strongswan
    • strongswan-libipsec
    • strongswan-charon-nm*
    • NetworkManager-strongswan*
    • NetworkManager-strongswan-gnome*
    * required for NetworkManager integration
  3. If you are not using network manager (note this may be different on different distros):
    1. Edit /etc/strongswan.d/ipsec.conf and add a section for hal2:
           # Add connections here.
           conn hal2
               right=hal2.cgl.ucsf.edu
               rightid=%hal2.cgl.ucsf.edu
               rightsubnet=169.230.0.0/16,64.54.0.0/16,128.218.0.0/16
               rightauth=pubkey
               leftsourceip=%config
               leftauth=eap
               eap_identity=<your VPN username>
               keyexchange=ikev2
               ike=aes128gcm128-sha256-modp2048
               esp=aes128gcm128
               #esp=aes128gcm128,aes256gcm128,prfsha256
               #dh=modp2048,ecp384
               auto=add

           ca hal2
               cacert=/etc/ipsec.d/cacert/pfSense_ikev2_5f710b1b24235.pem
      This assumes you put the Hal2 certificate in /etc/ipsec.d/cacert.

    2. To start things up, just do
      strongswan start
      and then
      strongswan up hal2
      Type in your VPN password and you should be good to go.

    3. To bring down the VPN, just do
      strongswan down hal2
  4. If you are using Network Manager:
    1. Click on the NetworkManager icon, then "Network Settings"
    2. Click "+" to add a network, then click "IPsec/IKEv2 (strongswan)".
    3. In the "Identity" section, make the following changes:
          Name: hal2nm (or whatever you want, obviously)
          Server
             Address: hal2.cgl.ucsf.edu
             Certificate: ~/.cert/pfSense_ikev2_5f710b1b24235.pem
                          (For this, first you have to "mkdir ~/.cert" and then put the
                           pfSense cert in there.  Be sure you 'cp' it there (rather
                           than mv) so it gets the right selinux context.)
          Client
            Username: your username
          Options
            Check "Request an inner IP address"
          Cipher proposals
            Check "Enable custom proposals"
            IKE: aes128gcm128-sha256-modp2048
            ESP: aes128gcm128

    4. After that, just click on the slider to connect to the VPN and then you'll be prompted for your VPN password.
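Before bringing the tunnel up, it is worth checking that the ipsec.conf stanza from step 3 above still authenticates the server by certificate and negotiates only the intended algorithms. The following linter is an added example written for this guide, not code from the RBVI or the strongswan project: it parses the classic ipsec.conf section format and flags a missing CA, an unpinned server identity, a leftover username placeholder, or an IKE/ESP proposal that drops AES-GCM or admits legacy algorithms. SAMPLE is a constructed copy of the stanza above with the placeholder left in.

```python
"""Lint a strongswan ipsec.conf 'conn'/'ca' stanza for hal2 (added example, not from the RBVI guide)."""
import re

WEAK_ALGS = {"des", "3des", "md5", "sha1", "modp768", "modp1024", "modp1536"}
AEAD_ALGS = {"aes128gcm128", "aes256gcm128", "aes128gcm16", "aes256gcm16"}

def parse_ipsec_conf(text):
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # 'conn NAME'/'ca NAME' header or key=value, comments dropped
        if re.match(r"^(conn|ca)\s+\S+$", line):
            current = " ".join(line.split())
            sections[current] = {}
        elif line and current and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def lint_hal2(text):
    # Returns a list of findings; an empty list means the stanza looks sound.
    secs = parse_ipsec_conf(text)
    conn = secs.get("conn hal2", {})                  # missing section -> every check fails
    f = []
    if conn.get("keyexchange") != "ikev2" or conn.get("rightauth") != "pubkey":
        f.append("need keyexchange=ikev2 and a certificate-authenticated server (rightauth=pubkey)")
    if (conn.get("eap_identity") or "<").startswith("<"):
        f.append("eap_identity is unset or still the <your VPN username> placeholder")
    if not conn.get("rightid", "").lstrip("%").endswith("hal2.cgl.ucsf.edu"):
        f.append("rightid does not pin the hal2 server identity")
    for key in ("ike", "esp"):                        # proposal syntax: alg-alg-alg,alg-alg
        algs = set(re.split(r"[-,!]", conn.get(key, "").lower())) - {""}
        if not algs & AEAD_ALGS:
            f.append(f"{key} proposal has no AES-GCM cipher")
        if algs & WEAK_ALGS:
            f.append(f"{key} proposal allows weak algorithms: {sorted(algs & WEAK_ALGS)}")
    if not secs.get("ca hal2", {}).get("cacert"):
        f.append("'ca hal2' section has no cacert= path for the pfSense CA certificate")
    return f

# Constructed sample: the guide's stanza with the username placeholder left in place.
SAMPLE = """conn hal2
    rightid=%hal2.cgl.ucsf.edu
    rightauth=pubkey
    eap_identity=<your VPN username>
    keyexchange=ikev2
    ike=aes128gcm128-sha256-modp2048
    esp=aes128gcm128
ca hal2
    cacert=/etc/ipsec.d/cacert/pfSense_ikev2_5f710b1b24235.pem
"""
```

Run it against your real file with lint_hal2(open("/etc/strongswan.d/ipsec.conf").read()); once the placeholder is replaced by your VPN user name, the list should come back empty.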



Copyright 2020 Regents of the University of California. All rights reserved.