Technical Information about the VPN in the MWN

The VPN service of the Munich Scientific Network (MWN) is based on the IPSec standard, which offers high security thanks to data encryption. In order to be able to use this service, a valid access username (RADIUS username) is required. A special client program has to be used; this is available free of charge for users of the Leibniz Computer Center.

Requirements

A valid access username (RADIUS username) is required in order to establish a virtual private network (VPN). A special client program is required for the technical implementation of the “private network”; for most operating systems, this is available free of charge for LRZ users.

Technical description

Data security

LRZ: Diagram of the VPN technology in the MWN

Using the VPN, a second connection (tunnel) is established via an existing IP connection. This connection routes the entire data traffic across a dedicated computer, the VPN server. IPsec and SSLVPN are used and guarantee both the necessary security to prevent unauthorized access and data protection via encryption. Only the recipient can decrypt the encrypted data.

SSLVPN

The SSLVPN server cluster is accessed via the address asa-cluster.lrz.de. The cluster currently consists of the same four ASA5540 devices that also offer the IPsec services. A VPN connection may consist of up to three individual connections: one control channel, one SSL/TCP data connection and, if possible, a low-latency DTLS/UDP data connection. The server's authenticity is checked with certificates.

IPsec

The VPN server ipsec.lrz.de (IP address: 129.187.254.28) consists of four devices. The four Cisco ASA5540 devices work with the IPsec protocol, which describes the establishment of secure Internet connections. They encrypt the data in hardware in accordance with the 3DES standard (168 bit). Access to the VPN server is checked using the group password, a so-called preshared key, which all users share. It is stored in the configuration file in encrypted form. Logon then proceeds in the usual way by entering a RADIUS username.

IP addresses, domain names

By default, a global IP address is assigned. This belongs to one of several address pools, depending on the institute of which the user is a member. The username indicates to which institute the user belongs. To protect against attacks from the Internet, it is also possible to request a private IP address (RFC 1918), which is only routed within the MWN. For private addresses, a # (hash) has to be placed in front of the username at authentication. All internal MWN services operate with a private address; a global address is only necessary for special external services, such as ICQ or messaging. If you connect from outside the MWN via VPN, only networks in the MWN are accessed via the VPN tunnel. This can be deactivated by placing a “!” in front of the username.

Student halls of residence

Computers, i.e. clients, that already had a private IP address before establishing the VPN connection are given an official IP address within the VPN. Clients in student halls of residence are the exception to this; these clients always receive private IP addresses.

IPv6 addresses

The AnyConnect VPN client has built-in IPv6 capability. For legacy IPsec clients: if the ISATAP service is configured on the client, the computer also receives an IPv6 address. For more information, go to http://www.lrz.de/services/netz/ipv6/isatap1/index.html

Each address is also assigned a hostname in the form of xxx.subdomain.vpn.lrz.de. The addresses and subdomain names are shown in the following table (the IP pools can change):

VPN: IP addresses and subdomains

Technical University Munich (Technische Universität München)
  Subdomain: tum
  IP pools: 10.152.42.1-254, 10.152.43.1-254, 10.152.126.1-254, 10.152.127.1-254,
            129.187.16.1-254, 129.187.17.1-254, 129.187.41.1-254, 129.187.47.1-254,
            129.187.51.1-254, 129.187.98.1-254, 129.187.100.1-254, 129.187.173.1-254,
            129.187.178.1-254, 129.187.205.1-254, 129.187.207.1-254, 129.187.209.1-254,
            129.187.210.1-254, 129.187.211.1-254, 129.187.212.1-254

LMU - Munich (Ludwig-Maximilians-Universität)
  Subdomain: lmu
  IP pools: 10.153.38.1-254, 10.153.39.1-254, 10.153.154.1-254, 10.153.155.1-254,
            141.84.12.1-254, 141.84.13.1-254, 141.84.14.1-254, 141.84.15.1-254,
            141.84.16.1-254, 141.84.17.1-254, 141.84.18.1-254, 141.84.22.1-254,
            141.84.23.1-254, 141.84.28.1-254, 141.84.29.1-254, 141.84.30.1-254,
            141.84.31.1-254, 141.84.32.1-254, 141.84.33.1-254, 141.84.34.1-254

Munich University of Applied Sciences (Hochschule München)
  Subdomain: hm (formerly fhm)
  IP pools: 10.159.2.1-254, 10.159.3.1-254, 10.159.4.1-254, 10.159.5.1-254,
            129.187.34.1-254, 129.187.52.1-254, 129.187.110.1-254, 129.187.118.1-254

Weihenstephan-Triesdorf University of Applied Sciences (Hochschule Weihenstephan-Triesdorf)
  Subdomain: hswt (formerly fhw)
  IP pools: 10.154.10.1-254, 10.154.13.1-254, 10.154.14.1-254,
            141.40.24.1-254, 141.40.115.1-254, 141.40.116.1-254

Other (external)
  Subdomain: ext
  IP pools: 10.155.24.1-254, 10.155.25.1-254, 129.187.50.1-254

badw
  Subdomain: badw
  IP pools: 10.155.56.1-254, 10.155.57.1-254

VPN: server addresses

  virtual cluster IP: asa-cluster.lrz.de       129.187.254.28
  asa01.lrz.de, ipsec01.lrz.de                 129.187.254.40
  asa03.lrz.de, ipsec03.lrz.de                 129.187.254.163
  asa04.lrz.de, ipsec04.lrz.de                 129.187.254.164
  asa05.lrz.de, ipsec05.lrz.de                 129.187.254.165
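The login prefixes from the “IP addresses, domain names” section and the pool table above can be combined into a small check that a user or the helpdesk can run after connecting: the address the VPN server assigned must come from a pool of the table, and it must be of the class the login asked for (`#` means an RFC 1918 address, no prefix a global one). This is an added example, not part of the LRZ page or its client software; it assumes that the `#` and `!` prefixes may be combined and approximates each `.1-254` pool as a /24 network.

```python
import ipaddress
# Address pools from the page's table, keyed by VPN subdomain. Each "a.b.c.1-254"
# pool is approximated here as the /24 network a.b.c.0/24.
VPN_POOLS = {
    "tum": "10.152.42 10.152.43 10.152.126 10.152.127 129.187.16 129.187.17 "
           "129.187.41 129.187.47 129.187.51 129.187.98 129.187.100 129.187.173 "
           "129.187.178 129.187.205 129.187.207 129.187.209 129.187.210 "
           "129.187.211 129.187.212",
    "lmu": "10.153.38 10.153.39 10.153.154 10.153.155 141.84.12 141.84.13 141.84.14 "
           "141.84.15 141.84.16 141.84.17 141.84.18 141.84.22 141.84.23 141.84.28 "
           "141.84.29 141.84.30 141.84.31 141.84.32 141.84.33 141.84.34",
    "hm": "10.159.2 10.159.3 10.159.4 10.159.5 129.187.34 129.187.52 129.187.110 129.187.118",
    "hswt": "10.154.10 10.154.13 10.154.14 141.40.24 141.40.115 141.40.116",
    "ext": "10.155.24 10.155.25 129.187.50",
    "badw": "10.155.56 10.155.57",
}
POOL_NETWORKS = [(ipaddress.ip_network(p + ".0/24"), sub)
                 for sub, pools in VPN_POOLS.items() for p in pools.split()]

def parse_login(login):
    """Split the login typed into the client into prefix flags and the bare RADIUS
    username: '#' asks for a private (RFC 1918) address, '!' tunnels all traffic."""
    flags = {"private_address": False, "tunnel_all": False}
    while login and login[0] in "#!":  # assumption: both prefixes may be combined
        flags["private_address" if login[0] == "#" else "tunnel_all"] = True
        login = login[1:]
    if not login:
        raise ValueError("empty username")
    return flags, login

def classify_address(addr):
    """Return (subdomain, is_private) for an address from the pool table, else None."""
    ip = ipaddress.ip_address(addr)
    for net, sub in POOL_NETWORKS:
        if ip in net:
            return sub, ip.is_private
    return None

def check_assignment(login, assigned_addr):
    """Verify the assigned address matches the address class the login prefix requested."""
    flags, user = parse_login(login)
    found = classify_address(assigned_addr)
    if found is None:
        return False, f"{assigned_addr} is not from any VPN pool in the table"
    sub, private = found
    if flags["private_address"] != private:
        want = "private" if flags["private_address"] else "global"
        return False, f"{user} asked for a {want} address but got {assigned_addr} ({sub})"
    return True, f"{user}: {assigned_addr} from pool {sub} ({'private' if private else 'global'})"
```

Clients in student halls of residence always receive private addresses, so for them a “global requested, private received” mismatch is the documented behaviour rather than an error.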

Routing (data transfer)

  1. VPN users in the Munich Scientific Network: for users within the MWN, whether using a wireless LAN or public data connection, the entire data traffic is always routed via the VPN server.

  2. From home or via the Internet: for users logging in from home or from elsewhere on the Internet using a third-party provider, so-called split tunneling is used. This means that data from and to addresses in the rest of the Internet is routed directly, which prevents the unnecessary rerouting of data via the VPN server. Only data from and to destinations in the MWN is encrypted and sent via the VPN tunnel. On the user/client side, no special configuration is required; routing is set automatically. Private networks with 10.x.x.x, 172.16.x.x and 192.168.x.x addresses are also routed directly, unless the option “Allow Local LAN Access” is activated in the client. This enables access to local networks at the user’s home while a VPN connection is active.

  3. Special applications: with other applications, such as access to databases, use of terminal server clients or IP telephony applications (voice over IP, VoIP), it may be necessary to switch off split tunneling and send all data via the tunnel. This is done by placing an exclamation mark “!” in front of the username at authentication.

  4. Proxy server: please note that, when using a proxy server in the MWN, all WWW data traffic is always transferred via the VPN server.

  5. Restrictions: the same restrictions apply for VPN connections with regard to bandwidth and excessive traffic as for the NAT gateway Secomat.


Frequent Problems

  1. Software faults: the IP address changes when establishing and terminating a VPN connection. Some applications do not allow a change in address whilst they are running, whereas others do. However, in any case, we recommend restarting network-dependent application programs, particularly web browsers, after establishing and terminating a VPN connection.
  2. Incorrect entry: a frequent problem is entering the username incorrectly. You can check whether or not your username is suitable in the Overview of RADIUS zones. When entering your username, the part after the “@” character also has to be entered (unless using LRZ usernames). Please pay special attention to upper and lower case characters – also when entering your password!
    Examples of usernames:
    u1234ab
    gabi.muster@campus.lmu.de
    stefan.muster@tum.de
    h.muster@wzw.tum
  3. VPN connection via a different provider: VPN connections cannot be made via an existing IPsec VPN connection. This means that DSL customers of providers who establish the connection via VPN cannot (yet) use our VPN.
  4. Firewalls: if any unspecified problems occur, you should try switching off any (personal) firewalls that might be running and also switch off Internet connection sharing under Windows XP.

Questions or problems?

You will find more tips about VPN connections in our Frequently Asked Questions (FAQ).
If you have any questions or comments, please contact the Servicedesk.