Neue VPN Gateways bei der GWDG


Presentation Transcript


  1. New VPN gateways at the GWDG. Andreas Ißleiber (aisslei@gwdg.de), http://www.gwdg.de/~aisslei

  2. VPN gateway, hardware, data: 2 x CISCO ASA 5520, 1 x ASA 5510

  3. VPN gateway, software clients • The Cisco VPN Client supports: • Windows: XP, Vista (x86/32-bit only) and Windows 7 (x86/32-bit only); • Windows x64 (64-bit) support requires the Cisco AnyConnect VPN Client • Linux (Intel) • Mac OS X 10.x & 10.x • Solaris UltraSparc (32- and 64-bit) • iPhone/iPod • Web-VPN (SSL) • ShrewSoft VPN client for 64-bit systems • AnyConnect client (Java-based)

  4. VPN gateway, VPN session (diagram) • User on the Internet with IP address 98.120.55.67 (any provider); traffic between user and VPN gateway is encrypted • VPN gateway with integrated firewall; assigned IP address of the VPN tunnel: 134.76.2.1; IP pool: 134.76.2.0-253 • Institute network (GÖNET) behind the GÖNET firewall (FW); traffic from the gateway into the institute network is unencrypted

  5. VPN gateway, realms (username@realm). Realms and IP pools:

  6. VPN gateway, special features, local settings: Local LAN Access / split tunneling & firewall settings • Firewall settings: IP protocol 50/51 (or IPsec passthrough), UDP port 500, UDP port 10000, TCP port 4500, TCP port 10000 (backwards!) • Diagram: institute network (GÖNET), Internet/provider, the user's DSL router (IP: 192.168.1.3), encrypted IPsec tunnel to the VPN gateway, local computer (IP: 192.168.1.2), user's client (IP: 192.168.1.1), VPN client IP: 134.76.2.1

  7. VPN gateway, connectivity, redundancy (diagram) • GÖNET (Internet); on gr-gwdg1 (Gi 4/14): ip route 134.76.208.0 255.255.255.128 134.76.22.1 • Rack L5, Port24, switch S0775-L5-01 (10.111.10.50): Port1/Port2, Port5/Port6, Port7/Port8, Port9/Port10 • vpn1.gwdg.de (10.111.10.51), CISCO-ASA-5520: Extern (GE 0/0) 134.76.22.1, goemobile (GE 0/1) 10.100.0.1, Management (management0/0) 10.111.10.51, failover (GE 0/3) • vpn2.gwdg.de (10.111.10.52), CISCO-ASA-5520: extern (GE 0/0), goemobile (GE 0/1), Management (management0/0) 10.111.10.52, failover (GE 0/3) • Failover link between the two failover (GE 0/3) interfaces

  8. VPN gateway structure (routing, MBPC) (diagram) • Internet / GÖNET • gr-gwdg1, GWDG router: 134.76.22.254 (vlan 23), 134.76.223.254; ip route 134.76.208.0 255.255.255.128 134.76.22.1; ip route 10.208.0.0 255.255.0.0 134.76.223.253 • MBPC firewall: 134.76.223.253 (outside); ip route default 134.76.223.254 • gr-mbpc1 (MBPC router): 134.76.249.205 (vlan 249) • 10.208.x.x (various departments), 10.208.66.130 (DNS server) • Interface configuration shown on the slide: interface Vlan208 (MBPC), description VLAN Biophysikalische Chemie, ip address 134.76.214.254 255.255.255.0 secondary, ip address 134.76.213.254 255.255.255.0 secondary, ip address 134.76.212.254 255.255.255.0 secondary, ip address 134.76.211.254 255.255.255.0 secondary, ip address 134.76.210.254 255.255.255.0 secondary, ip address 134.76.209.254 255.255.255.0 secondary, ip address 10.76.209.254 255.255.255.0 secondary, ip address 10.76.208.254 255.255.255.0 secondary, ip address 10.76.210.254 255.255.255.0 secondary, ip address 10.76.211.254 255.255.255.0 secondary, ip address 10.76.212.254 255.255.255.0 secondary, ip address 10.76.213.254 255.255.255.0 secondary, ip address 10.76.214.254 255.255.255.0 secondary, ip address 10.76.215.254 255.255.255.0 secondary, ip address 134.76.208.254 255.255.255.128 secondary, ip address 134.76.215.254 255.255.255.0 • vpn1.gwdg.de (10.111.10.51), CISCO-ASA-5520, Port24: Extern (GE 0/0) 134.76.22.1, goemobile (GE 0/1) 10.100.0.1, Management (management0/0) 10.111.10.51; ip route default 134.76.22.254 • PC with VPN client (MBPC): IP pool 134.76.208.1 - 125, gateway 134.76.22.1 (vpn.gwdg.de), DNS: 10.208.66.130, 10.208.66.131, Local LAN Access for: 192.168.0.0/255.255.0.0, 172.16.0.0/255.240.0.0
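As an added example (not from the presentation or the GWDG), the Local LAN Access ranges and firewall pass-through list from slide 6 and the MBPC pool/route from slide 8 turned into small consistency checks. It models split tunneling as: a destination bypasses the tunnel only when it lies on the client's own LAN and that LAN falls within a permitted Local LAN Access range (a modelling assumption, not the ASA's exact implementation); the sample addresses are taken from the slides.

```python
import ipaddress

# Local LAN Access ranges from slide 8: the client's own LAN may bypass the
# tunnel only if it lies inside one of these prefixes.
LOCAL_LAN_ACCESS = [ipaddress.ip_network("192.168.0.0/16"),
                    ipaddress.ip_network("172.16.0.0/12")]

# Pass-through entries the user's firewall/DSL router must allow for the
# IPsec client (slide 6); IP protocols 50/51 are ESP/AH.
REQUIRED_PASSTHROUGH = {("ip", 50), ("ip", 51), ("udp", 500),
                        ("udp", 10000), ("tcp", 4500), ("tcp", 10000)}


def path_for(dst: str, client_lan: str) -> str:
    """Return 'local-lan' or 'tunnel' for a destination address.

    client_lan is the client's address with prefix length, e.g.
    '192.168.1.1/24' (user PC on slide 6).  Modelling assumption: only the
    client's directly connected subnet, and only if permitted, is excluded.
    """
    d = ipaddress.ip_address(dst)
    lan = ipaddress.ip_network(client_lan, strict=False)
    lan_permitted = any(lan.subnet_of(r) for r in LOCAL_LAN_ACCESS)
    if lan_permitted and d in lan:
        return "local-lan"
    return "tunnel"


def pool_route_gaps(first: str, last: str, route: str) -> list[str]:
    """Pool addresses (inclusive range) that the upstream route does not cover.

    Slide 8: pool 134.76.208.1-125 must fit the 134.76.208.0/25 route that
    gr-gwdg1 points at the VPN gateway; otherwise return traffic is lost.
    """
    net = ipaddress.ip_network(route)
    a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [str(ipaddress.ip_address(i)) for i in range(int(a), int(b) + 1)
            if ipaddress.ip_address(i) not in net]


def missing_passthrough(allowed: set[tuple[str, int]]) -> set[tuple[str, int]]:
    """Entries from the slide's list that a given firewall rule set lacks."""
    return REQUIRED_PASSTHROUGH - allowed


if __name__ == "__main__":
    print(path_for("192.168.1.2", "192.168.1.1/24"))        # local-lan
    print(path_for("10.208.66.130", "192.168.1.1/24"))      # tunnel
    print(pool_route_gaps("134.76.208.1", "134.76.208.125",
                          "134.76.208.0/25"))                # []
    print(missing_passthrough({("udp", 500), ("ip", 50), ("ip", 51)}))
```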

  9. AnyConnect client: • Java-based client • Can replace the Cisco VPN client • SSL (not IPsec) • Lower throughput • Very simple installation (almost all operating systems … including 64-bit)

  10. WebVPN (SSL): • Group-dependent layout … & rights assignment • Predefined URLs • Access to "digital libraries" • Portal functionality • Access via RDP, VNC, SSH, Telnet, NFS, CIFS

  11. WebVPN (SSL): drive mapping (CIFS)

  12. VPN gateway, dial-in, statistics • http://nm4.gwdg.de • Peak so far: 276 users via IPsec (concurrent) • 47 users via SSL VPN (concurrent) • Share of students > 75 % • Largest user group: GoeMobile

  13. Details on IPsec and other encryption methods • http://www.gwdg.de/~aisslei → Vorträge (talks) → Security Workshop GWDG VPN 2003. Further plans: • Commissioning of another ASA 5510 as WebVPN (SSL) • Configuration of passive redundancy with the second VPN gateway (ASA 5520)

  14. Thank you! Questions and discussion!
