LANCOM Support Knowledgebase
Document no. 1605.3112.0744.RHOO - V3.00
Manually set up an IPv6 IKEv2 site-to-site VPN connection using an IPv4 internet connection

Description:
This document describes how you set up a network connection using an IKEv2 site-to-site VPN connection between two LANCOM routers.

Requirements:
LCOS as of version 9.20 (download latest version)
LANtools as of version 9.20 (download latest version)
Functional IPv4 Internet connection at both ends.
Scenario:
A company wishes to interconnect the local IPv6 networks at their headquarters and at a branch office by means of an IKEv2 site-to-site VPN connection. Both sites have a LANCOM router as their gateway and an Internet connection with a public IPv4 address. The public IPv4 address of the headquarters is 80.80.80.80, and that of the branch office is 81.81.81.81. The VPN connection is established from the branch office to the headquarters.

The local IPv6 network at the headquarters has the IP address range 2001:db8:a::/64, and the branch office uses the local IPv6 address range 2001:db8:b::/64.
Procedure:
1) Manual configuration of the LANCOM router at the headquarters:
1.1) Open the configuration for the LANCOM router at the headquarters and switch to the menu item VPN -> General.
1.2) Enable the function Virtual Private Network.
1.3) Open the menu item VPN -> IKEv2/IPSec and click the button Authentication.
1.4) Click on the Add... button to create a new entry.
1.5) Enter the information for the authentication of the VPN connection into the configuration window.
Name: Enter the name for the authentication here. This entry is used later in the VPN connection list (see step 1.8).
Local authentication: Select the authentication type used on the router at the headquarters. This example uses authentication by pre-shared key (PSK).
Local identifier type: Select the identifier type used on the router at the headquarters. In this example, the identity type was set to E-mail address (FQUN).
Local identifier: Set the local identifier. In this example, the LANCOM router at the headquarters uses the local identity headquarter@company.com.
Local password: Set the pre-shared key to be used to authenticate at the router at the headquarters.
Remote authentication: Select the authentication type used by the LANCOM router at the branch office. This example uses authentication by pre-shared key (PSK).
Remote identifier type: Select the identifier type used on the router at the branch office. In this example, the identity type was set to E-mail address (FQUN).
Remote identifier: Set the remote identifier. In this example, the LANCOM router at the branch office uses the remote identity office@company.com.
Remote password: Set the pre-shared key to be used to authenticate at the router at the branch office.
1.6) Open the menu item VPN -> IKEv2/IPSec and click the button Connection list.
1.7) Click on the Add... button to create a new entry.
1.8) Enter the following information into the configuration dialog:
Connection name: Enter a name for the VPN connection. This name is used later in the routing table (see step 1.10).
Short hold time: Specify the short-hold time in seconds for the VPN connection. In this example, a 0 is entered into the LANCOM router at the headquarters. This means that this router will not actively establish the VPN connection.
Gateway: Specify the public IPv4 address of the LANCOM router at the branch office. In this example, this is the IPv4 address 81.81.81.81.
Authentication: Select the authentication. The entry here corresponds to the name of the authentication that you set in step 1.5.
Rule creation: In this example, rule creation is performed automatically.
1.9) Navigate to the menu IP router -> Routing -> IPv6 routing table.
1.10) Add a new routing entry. As the IPv6 address, enter the address of the local IPv6 network at the branch office. In this example it is 2001:db8:b::/64. For the Router field, select the identification of the VPN remote station (in this case: OFFICE).
1.11) Switch to the menu IPv6 -> General -> WAN interfaces.
1.12) Add a new entry. Set the Interface as the VPN connection OFFICE. The option Firewall for this interface must be disabled.
1.13) Open the menu Firewall/QoS -> IPv6 rules -> IPv6 inbound rules and add a new firewall rule.
Note: This firewall rule is required in order for data transmission via the VPN connection from the remote station (in this case OFFICE) to be allowed.
1.14) In the Name field, enter a descriptive name. Set the Priority to the value 1. Set the Action to ACCEPT. In the field Server services, set the object to ANY. In the field Source stations, enter the name of the VPN connection to the office.
1.15) Write the configuration back to the LANCOM router at the headquarters.
2) Manual configuration of the LANCOM router at the branch office:
2.1) Open the configuration for the LANCOM router at the branch office and switch to the menu item VPN -> General.
2.2) Enable the function Virtual Private Network and set the option Establishment of net relationships (SAs) to the option Collectively with KeepAlive so that net relations are established correctly and according to the same schema.
2.3) Open the menu item VPN -> IKEv2/IPSec and click the button Authentication.
2.4) Click on the Add... button to create a new entry.
2.5) Enter the information for the authentication of the VPN connection into the configuration window.
Name: Enter the name for the authentication here. This entry is used later in the VPN connection list (see step 2.8).
Local authentication: Select the authentication type used on the router at the branch office. This example uses authentication by pre-shared key (PSK).
Local identifier type: Select the identifier type used on the router at the branch office. In this example, the identity type was set to E-mail address (FQUN).
Local identifier: Set the local identifier. In this example, the LANCOM router at the branch office uses the local identity office@company.com.
Local password: Set the pre-shared key to be used to authenticate at the router at the branch office. This password must match the one configured in step 1.5.
Remote authentication: Select the authentication type used by the LANCOM router at the headquarters. This example uses authentication by pre-shared key (PSK).
Remote identifier type: Select the identifier type used on the router at the headquarters. In this example, the identity type was set to E-mail address (FQUN).
Remote identifier: Set the remote identifier. In this example, the LANCOM router at the headquarters uses the remote identity headquarter@company.com.
Remote password: Set the pre-shared key to be used to authenticate at the router at the headquarters. This password must match the one configured in step 1.5.
2.6) Open the menu item VPN -> IKEv2/IPSec and click the button Connection list.
2.7) Click on the Add... button to create a new entry.
2.8) Enter the following information into the configuration dialog:
Connection name: Enter a name for the VPN connection. This name is used later in the routing table (see step 2.10).
Short hold time: Specify the short-hold time in seconds for the VPN connection. In this example, a value of 9999 seconds is entered into the LANCOM router at the branch office. This means that this router actively establishes the VPN connection.
Gateway: Specify the public IPv4 address of the LANCOM router at the headquarters. In this example, this is the IPv4 address 80.80.80.80.
Authentication: Select the authentication. The entry here corresponds to the name of the authentication that you set in step 2.5.
Rule creation: In this example, rule creation is performed automatically (default setting).
2.9) Navigate to the menu IP router -> Routing -> IPv6 routing table.
2.10) Add a new routing entry. As the IPv6 address, enter the address of the local IPv6 network at the headquarters. In this example it is 2001:db8:a::/64. For the Router field, select the identification of the VPN remote station (in this case: HEADQUARTER).
2.11) Switch to the menu IPv6 -> General -> WAN interfaces.
2.12) Add a new entry. Set the Interface as the VPN connection HEADQUARTERS. The option Firewall for this interface must be disabled.
2.13) Open the menu Firewall/QoS -> IPv6 rules -> IPv6 inbound rules and add a new firewall rule.
Note: This firewall rule is required in order for data transmission via the VPN connection from the remote station (in this case HEADQUARTERS) to be allowed.
2.14) In the Name field, enter a descriptive name. Set the Priority to the value 1. Set the Action to ACCEPT. In the field Server services, set the object to ANY. In the field Source stations, enter the name of the VPN connection to the headquarters.
2.15) Write the configuration back to the LANCOM router at the branch office.
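Most failures in a setup like this come from the two sides not mirroring each other: identities swapped the wrong way, pre-shared keys that differ, a route that points at the wrong network, or both routers set passive. The following Python script is an added example written for this article (not a LANCOM tool) that models the settings from steps 1.5, 1.8, 1.10 and 2.5, 2.8, 2.10 as constructed dictionaries with placeholder PSKs and cross-checks them before the configurations are written back.

```python
import ipaddress

# Constructed sample settings mirroring the article's scenario (placeholder PSKs,
# not values exported from a router).
HQ = {
    "public_ip": "80.80.80.80", "local_net": "2001:db8:a::/64",
    "auth": {"local_id": "headquarter@company.com", "remote_id": "office@company.com",
             "local_psk": "PLACEHOLDER-PSK-HQ", "remote_psk": "PLACEHOLDER-PSK-OFFICE"},
    "conn": {"name": "OFFICE", "gateway": "81.81.81.81", "short_hold": 0},
    "route": {"prefix": "2001:db8:b::/64", "router": "OFFICE"},
}
OFFICE = {
    "public_ip": "81.81.81.81", "local_net": "2001:db8:b::/64",
    "auth": {"local_id": "office@company.com", "remote_id": "headquarter@company.com",
             "local_psk": "PLACEHOLDER-PSK-OFFICE", "remote_psk": "PLACEHOLDER-PSK-HQ"},
    "conn": {"name": "HEADQUARTERS", "gateway": "80.80.80.80", "short_hold": 9999},
    "route": {"prefix": "2001:db8:a::/64", "router": "HEADQUARTERS"},
}

def check_side(local, remote, label):
    """Return mismatches in one router's settings when paired with its peer."""
    p = []
    a, r = local["auth"], remote["auth"]
    if a["local_id"] != r["remote_id"]:           # steps 1.5 / 2.5: identities are mirrored
        p.append(f"{label}: local identifier must equal the peer's remote identifier")
    if a["local_psk"] != r["remote_psk"]:         # step 2.5: PSKs must match crosswise
        p.append(f"{label}: local PSK must equal the peer's remote PSK")
    gw = ipaddress.ip_address(local["conn"]["gateway"])   # steps 1.8 / 2.8: IPv4 gateway
    if gw.version != 4 or str(gw) != remote["public_ip"]:
        p.append(f"{label}: gateway must be the peer's public IPv4 address")
    net = ipaddress.ip_network(local["route"]["prefix"])  # steps 1.10 / 2.10: IPv6 route
    if net.version != 6 or net != ipaddress.ip_network(remote["local_net"]):
        p.append(f"{label}: IPv6 route must cover the peer's local IPv6 network")
    if local["route"]["router"] != local["conn"]["name"]:
        p.append(f"{label}: route must point at the VPN connection name")
    return p

def check_pair(hq, office):
    """Cross-check both routers; exactly one side may be the active (initiating) side."""
    p = check_side(hq, office, "HQ") + check_side(office, hq, "OFFICE")
    holds = sorted((hq["conn"]["short_hold"], office["conn"]["short_hold"]))
    if holds[0] != 0 or holds[1] <= 0:
        p.append("one side needs short hold time 0 (passive), the other > 0 (active)")
    if ipaddress.ip_network(hq["local_net"]).overlaps(ipaddress.ip_network(office["local_net"])):
        p.append("local IPv6 networks must not overlap")
    return p
```

An empty list from check_pair(HQ, OFFICE) means the two sides pair up; each message names the router and the step whose setting needs correcting.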
After the configuration has been written back to the LANCOM router at the branch office, the VPN connection can be established between the two LANCOM routers. You can check this for example by loading the two LANCOM routers into the LANmonitor.

Note: If problems occur during connection establishment, or if the established VPN connection does not work properly, a VPN Status Trace can help with the diagnosis. Information is available in the following KnowledgeBase article.
© LANCOM Systems GmbH