Off-Campus Access


The SAM cluster Frank is firewalled, so you cannot access it directly when you are off-campus (Pitt wireless is considered off-campus for the purposes of this article) [1]. The cluster is securely accessible from anywhere in the world via Virtual Private Networking (VPN), a service of CSSD. All SAM users are registered with CSSD and can use their Pitt credentials to access this service. If you are an external collaborator with no Pitt affiliation, you can apply for a sponsored Pitt account through your Pitt collaborator.

VPN requires certain software to run on your system, and multiple alternatives are available to cover almost all systems and configurations. The only supported software for Windows and Mac OS X is Junos Pulse; a detailed description can be found at the CSSD website. Details for Linux can be found below.

Linux VPNC (all Linux x86 and x86_64)

This is a command-line VPN application which may be the most convenient for some Linux users, and is the only supported client for Linux x86_64 based installations.

Most distributions provide prebuilt binaries, or you can get the source and install your own:

Once installed, download the configuration file from this link (requires login) and copy it into place:

sudo cp downloaded-file /etc/vpnc/default.conf

That completes the installation. Each time you need VPN, run

sudo vpnc
# enter Pitt credentials when prompted

This establishes the VPN and leaves it running in the background. You can then access all SAM resources as if you were on campus. To disconnect,

sudo vpnc-disconnect

See man vpnc for more options.

Other Linux Clients

KVpnc is known to work well. You can create a connection profile by importing the pcf file (download the SAM pcf here (requires login)).

There is also network-manager-vpnc for Ubuntu. We haven't tested this. Please post your experiences below, they are most appreciated.

  1. If you are on campus and not using Pitt Wireless, you should be able to access our clusters directly over a fast, high-bandwidth network; i.e., you do not need any VPN! If you are on campus but cannot access the clusters, then you almost certainly have another problem, and we'd be glad to try and help. Please file a support ticket.

Configuring built-in Mac VPN Client

On Mac OS X Lion, the Cisco VPN Client no longer works unless you boot into 32-bit mode. However, the built-in VPN client will work using the same setup as listed for the Linux VPNC client (login required):

This can be done using the following procedure:

  • Go to System Preferences->Network
  • Click on the '+' symbol to create a new service
  • Choose VPN, Cisco IPSec
  • Click Create
  • For the Server Address use followed by your SAM credentials, if desired.
  • Under Authentication Settings, use Shared Secret with the password given in the link above as IPSec secret.
  • Group name is 'sam_users'
  • Click Connect

Network Manager VPNC

The network-manager-vpnc package works with the Pitt SAM VPN in Ubuntu 10.04. Importing the pcf file during setup also works well.

After the vpnc client is configured, the computer must be restarted before a connection can be established:

Attempting to access external resources (e.g. Google) fails and eventually causes the network manager VPN client to disconnect. Access to Pitt resources, including public-facing Pitt websites and the SAM clusters, is fully functional, however.

Thanks for this feedback! Every bit of info is very much appreciated.

Attempting to access external resources (e.g. Google) fails and eventually causes the network manager VPN client to disconnect.

Do you experience the same with other methods, e.g. vpnc?

When connecting with vpnc, the internet connectivity is maintained. Apparently, the network-manager-vpnc client sets the default route to the VPN, whereas the command line vpnc client does not modify the default route:

The internet connectivity can be restored by clicking an appropriate box: In Network Manager, edit the VPN connection > IPv4 Settings > Routes > check the box that says "Use this connection only for resources on its network" and apply the settings. This seems to do the trick.
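
The routing difference discussed in the comments above (default route sent through the VPN versus only campus routes sent through it) can be read straight from the routing table. The following is an added example, not part of the original page or its comments; the function name vpn_route_mode, the assumption that the VPN interface name starts with "tun", and the sample route tables are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: classify how a VPN client changed the IPv4 routing table.
# Live use: ip -4 route show | vpn_route_mode     (device prefix defaults to "tun")
# Output:   full-tunnel | split-tunnel | no-vpn

vpn_route_mode() {
    awk -v p="${1:-tun}" '
        {   # pick out the outgoing device and metric of this route, if present
            dev = ""; metric = 0
            for (i = 1; i < NF; i++) {
                if ($i == "dev")    dev = $(i + 1)
                if ($i == "metric") metric = $(i + 1) + 0
            }
        }
        $1 == "default" {
            # the kernel prefers the default route with the lowest metric
            if (!seen || metric < best) { best = metric; defdev = dev; seen = 1 }
            next
        }
        index(dev, p) == 1 { vpn_routes++ }   # non-default route via the VPN device
        END {
            if (seen && index(defdev, p) == 1) print "full-tunnel"
            else if (vpn_routes > 0)           print "split-tunnel"
            else                               print "no-vpn"
        }'
}

# Constructed sample tables (documentation/private address ranges, not real SAM routes).
SAMPLE_FULL='default dev tun0 scope link metric 50
default via 192.168.1.1 dev eth0 metric 100
198.51.100.10 via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.23
10.20.0.0/16 dev tun0 scope link'

SAMPLE_SPLIT='default via 192.168.1.1 dev eth0 metric 100
198.51.100.10 via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.23
10.20.0.0/16 dev tun0 scope link'

SAMPLE_NONE='default via 192.168.1.1 dev eth0 metric 100
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.23'

for t in "$SAMPLE_FULL" "$SAMPLE_SPLIT" "$SAMPLE_NONE"; do
    printf '%s\n' "$t" | vpn_route_mode
done
```

A full-tunnel result corresponds to the network-manager-vpnc behaviour reported above, where traffic to external sites is also sent to the VPN. A split-tunnel result corresponds to the command-line vpnc behaviour and to the "Use this connection only for resources on its network" setting.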