Virtual Private Network (VPN) service

Connecting to the School network from campus or beyond

The Computing Science (SoCS) network is not generally accessible from outside the School, even from elsewhere on campus. To connect to machines or resources on the SoCS network you will need to use a VPN connection.

Our VPN server supports both basic PPTP and more secure L2TP connections, the latter through the use of a shared key.

Instructions for setting up your VPN connection are given below.

Windows

Automatic:

  1. Download and run the SoCS VPN Configurator. You will need to log in with your SoCS Windows credentials.

You may encounter one or more browser warnings against downloading .exe files, which you will have to acknowledge – the exact format will depend on your browser. You may additionally encounter a blue Windows SmartScreen window blocking the program from running - click More info and Run anyway.

  2. Adjust your connection settings if required, or accept the defaults, and click Add connection.
  3. Click the network icon in the system tray (bottom-right of the screen), select the newly created connection, and click Connect.

The first time you connect, you will be prompted to enter your SoCS Windows credentials. If you checked the relevant box in step 2, you will not be asked again on subsequent connections.

Manual:

If you prefer not to run downloaded code on your computer, you can manually add the connection with the following steps, which the above utility automates:

  1. Click Start -> Settings -> Network & Internet -> VPN -> Add a VPN Connection.
  2. Fill in the form as follows:
    1. VPN Provider: Windows (built-in)
    2. Connection name: SoCS VPN (or any other name preferred)
    3. Server name: crago.dcs.gla.ac.uk
    4. VPN Type: IKEv2
    5. Type of sign-in info: Username and password
    6. Username and password: Your SoCS Windows credentials – alternatively leave blank to enter details every time you use the VPN
  3. Click Save.

At this stage, attempting to connect will present you with a “Policy match error”. To remedy that:

  1. Open a PowerShell terminal.
  2. Enter the following command, replacing “SoCS VPN” with the name chosen earlier if necessary:

Set-VpnConnectionIPsecConfiguration -ConnectionName "SoCS VPN" -AuthenticationTransformConstants GCMAES256 -CipherTransformConstants GCMAES256 -DHGroup Group14 -EncryptionMethod GCMAES256 -IntegrityCheckMethod SHA256 -PFSgroup PFS2048 -Force

Optional but strongly recommended: to use this connection for traffic to the School only, rather than all your Internet traffic, follow these steps:

  1. Click Start -> Settings -> Network & Internet -> Change Adapter Options
  2. Right click the connection with the name you used above and select Properties
  3. Click the Networking tab.
  4. Select Internet Protocol Version 4 (TCP/IPv4) and click Properties.
  5. Click Advanced...
  6. Uncheck Use default gateway on remote network.
  7. Click OK.
  8. Click OK.
  9. Repeat steps 4-8 for the IPv6 protocol.
  10. Click OK to exit.

Finally, click the network icon in the system tray (bottom-right of the screen), select the newly created connection, and click Connect.
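
The following PowerShell check is an added example, not part of the SoCS instructions or the VPN Configurator: it reads back a manually created connection and reports any setting that differs from the values given above. The function name Test-SocsVpnProfile is hypothetical, and the check assumes that the SplitTunneling property reported by Get-VpnConnection reflects the "Use default gateway on remote network" checkbox.

```powershell
# Added example: audit a manually created connection against the values on this page.
# Test-SocsVpnProfile is a hypothetical helper name, not part of any SoCS tooling.
function Test-SocsVpnProfile {
    param([string]$ConnectionName = 'SoCS VPN')

    # Expected values, copied from the manual instructions above.
    $expectedServer = 'crago.dcs.gla.ac.uk'
    $expectedPolicy = [ordered]@{
        AuthenticationTransformConstants = 'GCMAES256'
        CipherTransformConstants         = 'GCMAES256'
        DHGroup                          = 'Group14'
        EncryptionMethod                 = 'GCMAES256'
        IntegrityCheckMethod             = 'SHA256'
        PfsGroup                         = 'PFS2048'
    }

    $vpn = Get-VpnConnection -Name $ConnectionName -ErrorAction Stop
    $findings = @()

    if ($vpn.ServerAddress -ne $expectedServer) {
        $findings += "Server is '$($vpn.ServerAddress)', expected '$expectedServer'"
    }
    if ("$($vpn.TunnelType)" -ne 'Ikev2') {
        $findings += "Tunnel type is '$($vpn.TunnelType)', expected Ikev2"
    }

    # The custom policy is what Set-VpnConnectionIPsecConfiguration writes.
    $policy = $vpn.IPSecCustomPolicy
    if ($null -eq $policy) {
        $findings += 'No custom IPsec policy set: the Set-VpnConnectionIPsecConfiguration step has not been applied'
    } else {
        foreach ($name in $expectedPolicy.Keys) {
            if ("$($policy.$name)" -ne $expectedPolicy[$name]) {
                $findings += "$name is '$($policy.$name)', expected '$($expectedPolicy[$name])'"
            }
        }
    }

    # Assumption: SplitTunneling is True once "Use default gateway on remote network" is unchecked.
    if (-not $vpn.SplitTunneling) {
        $findings += 'Split tunneling is off: all Internet traffic will use the VPN'
    }
    return $findings
}

$result = Test-SocsVpnProfile -ConnectionName 'SoCS VPN'
if ($result) { $result | ForEach-Object { Write-Warning $_ } } else { 'Connection matches the documented settings.' }
```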

MacOS

Manual configuration is not possible under macOS - the connection must be configured using the profile provided. The profile itself is a plain XML file (albeit with binary portions at the beginning and end representing the profile signature) whose contents can be verified manually, or using the Apple Configurator from the Mac App Store.

  1. Download the VPN profile.
  2. Double-click the file in Finder. A message will pop up inviting you to install the profile through System Preferences.
  3. Open System Preferences, and click Profiles. The profile will be shown as pending installation.
  4. Click Install, and follow the instructions. If asked for credentials, enter your SoCS Windows credentials.
  5. Go back to the main System Preferences screen, and click Network.
  6. Click on the newly created SoCS VPN – Crago connection on the left-hand side.
  7. If you were asked for your credentials earlier, please skip this step. If not, click "Authentication Settings...", and enter your SoCS Windows credentials.
  8. Click Connect.

Split tunneling

Although split tunneling (using the VPN for School traffic only) is generally recommended, it is not natively supported in macOS. For pointers on how to enable it if required, please contact Support.

iOS

Similar to macOS, the connection must be configured using the profile provided.

  1. Download the VPN profile.
  2. If using Safari, click Allow in the message that appears. If using a different app, you might have to click the Share button, then click Save to Files, and then find the profile in the Files app and open it. A message will pop up inviting you to review the profile in the Settings app.
  3. In the Settings app, click More for your iPhone if it appears, and under Profile Downloaded click View Profile.
  4. Click Install in the top-right corner. You will be asked to enter your passcode, and shown a warning screen about your traffic being monitored by the VPN server. Click Install again, and again a third time.
  5. Enter your SoCS Windows credentials.
  6. In the main menu of the Settings app, select VPN. Ensure the SoCS VPN – Crago option is ticked, and click the switch near the top of the screen to connect.

NOTE: iOS does not support split tunneling; however, the VPN should be automatically disconnected shortly after the phone display goes to sleep, as long as it is not plugged in. This is default behaviour that cannot be easily changed.

Android

  1. Install the strongSwan VPN Client from the Play Store.
  2. Open the app and click ADD VPN PROFILE.
  3. Fill in the form as follows:
    1. Server: crago.dcs.gla.ac.uk
    2. Username: Your SoCS Windows username
    3. Password: Your SoCS Windows password, or leave blank to enter details every time you use the VPN
    4. Optional: add a profile name of your choice
    5. Optional, recommended: for split tunneling, click Advanced settings, and under Applications near the bottom select which individual apps you need to use the VPN, leaving other traffic through your normal connection
    6. Optional, recommended: To speed up the connection process slightly, or in case of connection issues, add the following under the Algorithms section of Advanced settings:
    • IKEv2 Algorithms: aes256gcm16-prfsha256-modp2048
    • IPsec/ESP Algorithms: aes256gcm16-prfsha256
  4. Click the name of the newly added profile on the main app screen to connect.

Linux

Connectivity for Linux machines has been tested using the strongSwan suite. Other IPsec implementations such as Libreswan and Openswan may work, but have not been tested.

The exact configuration process may vary depending on your distribution and desktop environment – instructions based on Ubuntu 22.04 and Fedora 36 using GNOME are provided below.

Ubuntu

  1. Install the necessary packages:

apt install network-manager-strongswan libcharon-extra-plugins libstrongswan-extra-plugins

  2. Under the Identity tab:
    1. Name: your preferred name for the connection.
    2. Address: crago.dcs.gla.ac.uk
    3. Authentication: EAP (Username/Password)
    4. Username: Your SoCS Windows username, without the “DCS\” prefix
    5. Password: Your SoCS Windows password, or leave blank to enter details every time you use the VPN
    6. Under Options select Request an inner IP address
    7. Under Algorithms select Enable custom algorithm proposals and specify the following:
      • IKE: aes256gcm16-prfsha256-modp2048
      • ESP: aes256gcm16-prfsha256

Additionally, see the section on split tunnelling at the end of this document.

Fedora

  1. Install the necessary packages:

dnf install NetworkManager-strongswan-gnome

  2. Download the Let's Encrypt root certificate in .pem format from this page, or use this direct link.
  3. Place the downloaded certificate in:

/etc/strongswan/ipsec.d/cacerts/

  4. Go to Settings -> Network -> Add VPN -> IPSec/IKEv2 (strongswan)
  5. Under the Identity tab:
    1. Name: your preferred name for the connection.
    2. Address: crago.dcs.gla.ac.uk
    3. Authentication: EAP (Username/Password)
    4. Username: Your SoCS Windows username, without the “DCS\” prefix
    5. Password: Your SoCS Windows password, or leave blank to enter details every time you use the VPN
    6. Under Options select Request an inner IP address
    7. Under Algorithms select Enable custom algorithm proposals and specify the following:
      • IKE: aes256gcm16-prfsha256-modp2048
      • ESP: aes256gcm16-prfsha256

Split tunnelling

Although split tunneling (using the VPN for School traffic only) is generally recommended, it is not configurable through the NetworkManager GUI. For pointers on how to enable it if required, please contact Support.