Secure Remote Access: Connect with IPSec (Linux)

Overview

The Secure Remote Access service is the preferred mechanism to establish virtual private network (VPN) connections to PCs, servers, databases and printers on the University network. This service (often referred to by the shorthand “SRemote”) allows client systems running the Pulse Secure application to set up a VPN session with resources in a University network zone. These sessions can be used to connect to a printer, a file share, a database or to establish a remote desktop connection to a PC or server.

The University also supports an alternative VPN service that is based on the IPSec network security protocol. This service was established to support specialized VPN needs such as clients running a Linux/Unix operating system as well as high-performance applications that require more capacity than the Secure Remote Access service can support.

The IPSec service was created to fill specific remote access needs that may have been addressed by recent changes to the Secure Remote Access service. Before attempting to set up a VPN session using IPSec, you should investigate whether suitable VPN access is available using the Pulse client.

Multifactor and Secure Remote Access 

If you use the University’s Secure Remote Access service, either through the recommended Pulse client or via the IPSec client, you will need to use multifactor authentication for your secure remote connections. This requirement affects all students, faculty, and staff who use the Secure Remote Access service.

Note that you must already have registered a device for multifactor authentication before you can complete the steps below.

Connection Requirements

You must be approved by your Responsibility Center Account Administrator to access restricted network resources using a virtual private network connection. Contact the Technology Help Desk at 412-624-HELP [4357] to request the service.

Prior to configuring the connection, you must obtain the following:

  • Membership in an IPSec access group (set up by your department’s RC Administrator)
  • A pre-shared text key (provided by your department’s IT administrator or Responsibility Center administrator)
  • Group name information (provided by your department’s IT administrator or Responsibility Center administrator)

Configure the Virtual Private Network Connection

  1. Use your package manager (yum or apt-get) to install “vpnc”. For example, with apt-get, type: $ sudo apt-get install vpnc
  2. Edit the configuration file by typing: $ sudo nano /etc/vpnc/pittvpn.conf
  3. Enter the following configuration settings:
    IPSec gateway vpn.pitt.edu
    IPSec ID <your department’s group name>
    IPSec secret <your department’s pre-shared text key>
    Xauth username <your University Computing Account username>
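The profile from step 3 stores your group's pre-shared key in clear text, so it should be readable by root only and should not also hold your account password. The check below is an added example, not part of the original help sheet; the function names and sample values are hypothetical, and the stored-password test relies on vpnc's own "Xauth password" setting, which this sheet does not use.

```shell
#!/bin/sh
# Added example (not from the help sheet): audit a vpnc profile before use.

# check_vpnc_conf FILE: print findings; return 0 if clean, 1 otherwise.
check_vpnc_conf() {
    conf=$1
    rc=0
    [ -f "$conf" ] || { echo "MISSING: $conf"; return 1; }
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld -- "$conf" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "PERMS: group/other can access $conf; run: sudo chmod 600 $conf"
        rc=1
    fi
    # Each setting from step 3 must be present with a non-empty value.
    for key in "IPSec gateway" "IPSec ID" "IPSec secret" "Xauth username"; do
        if ! grep -Eq "^[[:space:]]*${key}[[:space:]]+[^[:space:]]" "$conf"; then
            echo "KEY: '$key' is missing or empty"
            rc=1
        fi
    done
    # vpnc also accepts an "Xauth password" line; type the password at the prompt instead.
    if grep -Eiq '^[[:space:]]*Xauth (obfuscated )?password' "$conf"; then
        echo "PASSWORD: remove the stored Xauth password from $conf"
        rc=1
    fi
    return "$rc"
}

# Constructed sample profile (placeholder values, not real credentials).
# umask 077 makes a newly created file mode 600 from the start.
write_sample_conf() {
    ( umask 077
      cat > "$1" <<'EOF'
IPSec gateway vpn.pitt.edu
IPSec ID EXAMPLE-GROUP
IPSec secret EXAMPLE-PRE-SHARED-KEY
Xauth username exampleuser
EOF
    )
}

demo_dir=$(mktemp -d)
write_sample_conf "$demo_dir/sample.conf"
check_vpnc_conf "$demo_dir/sample.conf" && echo "OK: no findings"
chmod 644 "$demo_dir/sample.conf"   # simulate a world-readable profile
check_vpnc_conf "$demo_dir/sample.conf" || echo "fix the findings above"
rm -rf "$demo_dir"
```

To audit the real profile, call check_vpnc_conf /etc/vpnc/pittvpn.conf as root, since a mode 600 file owned by root is not readable by other accounts.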

Establish a Secure Connection

  1. Type the following command: $ sudo vpnc pittvpn

  2. Enter Your Password with Duo Multifactor Authentication

    You will be presented with a password prompt. You have several options to authenticate with multifactor authentication:

  • Type your password only. This will use the default multifactor authentication method you selected when registering your device. For example, if you chose to always receive a Push notification, then typing your password will automatically send a Duo Push notification to your registered device. Accept the Push notification to complete the authentication process. 
  • If you want to use the "Call Me" option for multifactor authentication, type your password followed by the word phone in this format: password,phone. This will automatically call your registered device. Press 1 on your dialpad to authenticate.
  • If you want to authenticate with a passcode, generate a passcode within the Duo Mobile app, then type your password followed by the Duo passcode in this format: password,token. For example, if the passcode you generated was 123456, you would type password,123456 in the Password field.
  • If you want to be sent a passcode via text message (SMS), then type your password followed by sms in this format: password,sms. Your login attempt will fail and you will receive a six-digit passcode via text message. Retype your password followed by the passcode that you received in this format: password,123456.

Disconnect from the Service

  1. Close any applications that are using the secure connection.
  2. Type the following command: $ sudo vpnc-disconnect

Note: You may use the secure connection for up to four hours at a time, and the connection may be idle for up to 30 minutes, before you are automatically disconnected from the service.
