
Ubuntu 16.04 Desktop

Configuring the UIS VPN for Ubuntu 16.04 LTS Desktop

Caution! Due to the wide variations in Linux these instructions are likely to be incompatible, or require adaptation to work, with other versions of Ubuntu.

Generic instructions for configuring the VPN service are provided, which may be helpful when setting up alternative systems.

Important note: The following are best-efforts instructions provided by a user and will allow the VPN service to be used from Ubuntu 16.04 (and, possibly, other releases). Unfortunately, due to bugs in Ubuntu 16.04, the setup and control of the VPN must be performed using the command line (Terminal); if you are unsure about this process, please seek assistance from someone familiar with Linux.

You'll need root access to your machine. All the steps below assume you are using a root shell (or know how to use "sudo" to execute commands as root) and have a reasonable familiarity with Linux (utilities, filesystem, editors, etc.).

For general information on configuration, see our generic instructions and information on our managed VPN service.

Periodically, the certificate used by the VPN server will need to be updated.  When this happens, you will need to download and install the new server certificate, and restart the ipsec service to reconnect.  In this case, follow the instructions from the certificate section onwards.

Install the StrongSwan packages

Several packages from the strongswan family are required to support the VPN. They should be installed using "apt-get":

sudo apt-get install strongswan strongswan-libcharon libstrongswan-extra-plugins libcharon-extra-plugins

VPN configuration file — ipsec.conf

This is the main configuration file of strongswan, in /etc/ipsec.conf. It should read as follows, substituting "username" with your CRSid (e.g. "xyz789"), leaving the "" on the end.

conn %default

# The primary University VPN service.
conn CAM

# The Managed VPN Service for your Institution
# This section should only be included if you are using a managed VPN.
# Change "BOTOLPHS" to the name of your institution.
# This section can be duplicated, if you use multiple managed VPNs, but a
# different name must be used for each, to distinguish them when
# connecting.
#  left=%any
#  leftid=""
#  leftauth=eap
#  leftsourceip=%config
#  leftfirewall=yes
# #
# # 1. Replace "" with the hostname of the particular service.
# # 2. Replace "botolphs-vpn.crt" with the filename of the downloaded certificate (the
# # filename needs to match the one used in the "Certificate" section, below).
# #
#  right=""
#  rightid=""
#  rightcert=/etc/ipsec.d/certs/botolphs-vpn.crt
#  rightsubnet=
# #
#  auto=add

VPN password file — ipsec.secrets

This contains the "password" (which is actually your network token, see It should read as follows, substituting "username" with your own CRSid and "token" with your token:

# This file holds shared secrets or RSA private keys for authentication.
# RSA private key for this host, authenticating it to any other host
# which knows the public part.

# ipsec.secrets - strongSwan IPsec secrets file : EAP "token"


Certificate

A copy of the server's certificate is required so that the client can authenticate the identity of the server, before supplying your username and password (token).

Download links for the certificates for the UIS VPN and the managed VPNs are available on the generic instructions page and the managed VPN page, respectively.  You MUST put your certificates in /etc/ipsec.d/certs – this is the only place that charon (part of the strongswan VPN software) can read.

You can download the certificate using a browser and move it into place, or use a utility such as wget:

sudo wget -O /etc/ipsec.d/certs/vpn-server-cert.crt

If you're using a managed VPN connection, you will need to adapt the above line as required (changing the download filename to match the one you entered into the configuration above, plus using the appropriate download link for the certificate).

Note that this will need to be done again in the event of the server certificate changing. The client changeover must be done in coordination with the certificate changing on the server: it cannot be done in advance, nor later. If the certificates mismatch, the VPN will not connect.

The certificate last changed on 27 November 2017.
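
The two requirements above (every rightcert file must sit in /etc/ipsec.d/certs under the name used in ipsec.conf, and ipsec.secrets holds your token) can be checked before running "ipsec restart". This is an added example, not part of the original instructions; the function names are hypothetical and the mode 600 check on ipsec.secrets is an added hardening assumption.

```shell
#!/bin/sh
# Added example: pre-flight checks to run before "sudo ipsec restart".
# Paths default to the ones this page uses; override them to test on copies.
CONF=${CONF:-/etc/ipsec.conf}
SECRETS=${SECRETS:-/etc/ipsec.secrets}
CERTDIR=${CERTDIR:-/etc/ipsec.d/certs}

# Print the value of every rightcert= setting on a non-commented line.
list_rightcerts() {
    sed -n 's/^[[:space:]]*rightcert[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1"
}

# Return 0 if every referenced certificate exists inside CERTDIR, else 1.
check_certs() {
    rc=0
    for cert in $(list_rightcerts "$CONF"); do
        case $cert in
            /*) path=$cert ;;
            *)  path=$CERTDIR/$cert ;;   # relative names resolve to CERTDIR
        esac
        case $path in
            "$CERTDIR"/*) ;;
            *) echo "outside $CERTDIR: $path" >&2; rc=1; continue ;;
        esac
        [ -s "$path" ] || { echo "missing or empty: $path" >&2; rc=1; }
    done
    return $rc
}

# Return 0 if the secrets file is accessible by its owner only.
check_secrets_mode() {
    mode=$(stat -c '%a' "$SECRETS") || return 1
    case $mode in
        600|400) return 0 ;;
        *) echo "$SECRETS is mode $mode; expected 600" >&2; return 1 ;;
    esac
}
```

Run the functions as root, for example `check_certs && check_secrets_mode && ipsec restart`; a reported missing file usually means the downloaded filename does not match the rightcert line.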

DNS servers

When connecting to the VPN, new DNS server addresses will be provided to the client.  These should replace the ones normally used by it (which will be those of the local router or site from where it's connecting) so it can resolve names private to the University (typically those in  If using a Managed VPN, these may be local to the institution, allowing the clients to resolve names private to the institution (perhaps internal Active Directory DNS names).

By default, Ubuntu Desktop will not use these due to the way Network Manager works. This can be corrected by disabling its DNS handling, following the steps below.

In a terminal, enter the following command to edit the Network Manager configuration:

sudo nano /etc/NetworkManager/NetworkManager.conf

This should bring up the GNU nano text editor and display the specified file.  Edit the line beginning "dns=dnsmasq" to add a hash symbol at the start of the line but do not change any of the adjacent lines, commenting out that line.  The resulting file should look similar to below:


Press Ctrl+X to exit and save; confirm that you wish to write the changes with the Y key; then press RETURN to confirm the same filename, thus overwriting the existing file.

After making this change, you will need to restart your computer.
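
A non-interactive equivalent of the nano edit above, as an added example that is not part of the original instructions: it comments out the "dns=dnsmasq" line, leaves every other line untouched, keeps a backup, and is safe to run twice. The function name and the .bak backup suffix are assumptions.

```shell
#!/bin/sh
# Added example: comment out "dns=dnsmasq" without opening an editor.
NMCONF=${NMCONF:-/etc/NetworkManager/NetworkManager.conf}

# Comments out an active dns=dnsmasq line, keeping a .bak copy of the
# original file. Returns 0 if the line is (now) commented out, and 1 if
# the file has no dns=dnsmasq line at all.
disable_nm_dnsmasq() {
    if grep -q '^[[:space:]]*dns=dnsmasq' "$NMCONF"; then
        # Back up only when a change is about to be made, so a second run
        # does not overwrite the backup with the already-edited file.
        cp -p "$NMCONF" "$NMCONF.bak" || return 1
        # Writing through a redirect keeps the file's owner and mode.
        sed 's/^\([[:space:]]*\)\(dns=dnsmasq\)/\1#\2/' "$NMCONF.bak" > "$NMCONF"
    fi
    grep -q '^[[:space:]]*#[[:space:]]*dns=dnsmasq' "$NMCONF"
}
```

Call `disable_nm_dnsmasq` from a root shell, then restart the computer as described above.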

Connecting and Disconnecting

To connect and disconnect from the VPN, you must use a command line (in a Terminal window).

You only need to do a 'restart' after changing configuration files (e.g. during the setup above, or updating the certificate).  You then use the 'up' or 'down' commands to start or stop the VPN connection itself, as required.  For example:

sudo ipsec restart
sudo ipsec up CAM
sudo ipsec down CAM

Replace "CAM" with "BOTOLPHS" (or other) to use an institutional Managed VPN.


  • Check /var/log/syslog for messages.
  • Put charondebug="all" in the ipsec.conf configuration file.

Last updated: 9th April 2018

