LANCOM Support Knowledgebase Document No. 1908.0814.2452.RHOO - V3.50

Setting up an IKEv2 VPN connection (site-to-site) between two LANCOM R&S® Unified Firewalls


Description:
This document describes how to set up an IKEv2 connection (site-to-site) between two LANCOM R&S® Unified Firewalls.



Requirements:
  • A configured and functional Internet connection on each Unified Firewall
  • Any web browser for access to the web interface of the Unified Firewall



Scenario:

The Unified Firewalls are connected directly to the Internet and have a public IPv4 address:
  • A company wants to connect its branch office, which operates a LANCOM R&S® Unified Firewall, via an IKEv2 site-to-site connection to the company headquarters, which also operates a LANCOM R&S® Unified Firewall.
  • The branch office has an Internet connection with the fixed public IP address 81.81.81.81.
  • The Unified Firewall at the headquarters should establish the VPN connection to the branch office.
  • The local network at the headquarters has the IP address range 192.168.50.0/23.
  • The local network at the branch office has the IP address range 192.168.66.0/24.
    Info:
    If the Unified Firewall uses an upstream (LANCOM) router to connect to the Internet, then the upstream device has to be set to forward its inbound ports 4500 and 500 to the LAN IP address of the Unified Firewall.




Procedure:

1) Configuration steps on the Unified Firewall at the headquarters:

1.1) Connect to the configuration interface of the Unified Firewall and navigate to VPN -> IPSec settings.



1.2) Activate IPSec.



1.3) Switch to VPN -> IPSec Connections and click on the “+” icon to create a new IPSec connection.



1.4) Save the following parameters:
  • Name: Enter a descriptive name.
  • Connection type: Choose Site-to-site.
  • Network connection: From the drop-down menu, select the Network connection used for the Internet connection.
  • Local network: Enter the local network in CIDR notation (Classless Inter-Domain Routing).
  • Remote network: Enter the remote network in CIDR notation (Classless Inter-Domain Routing).
  • Destination: Enter the public IP address or public DNS address of the branch office.
  • In this example configuration the Unified Firewall at the headquarters should establish the VPN connection, so you select the option Initiate connection.



1.5) Change to the Authentication tab and enter the following parameters:
  • Authentication type: Set PSK only (preshared key).
  • Preshared Key: Enter a preshared key.
  • Local identifier: Set the local identifier.
  • Remote identifier: Set the remote identifier.
    Important:
    The local and remote identifiers must not match!


1.6) Change to the tab ISAKMP (IKE) and, under IKE version, select the type IKEv2.

Leave the remaining parameters at their default values.



1.7) Click the icon to create a new VPN host.



1.8) Save the following parameters:
  • Name: Enter a descriptive name.
  • VPN connection type: Select the type IPSec.
  • IPSec connection: From the drop-down menu under IPSec, select the VPN connection created in steps 1.4 - 1.6.



1.9) In the VPN host, click on the "connection" icon and then click on the network object that the site-to-site connection should be able to access; this opens the firewall objects. Repeat this step for every network that the branch should be able to access.



1.10) Use the “+” sign to assign the required protocols to the VPN host.
    Info:
    A Unified Firewall uses a deny-all strategy. You therefore have to explicitly allow communication.


    Info:
    Firewall objects can also be accessed via Desktop -> Desktop connections and clicking on the “edit” icon.

1.11) Finally, implement the configuration changes by clicking Activate in the firewall.



1.12) This concludes the configuration steps on the Unified Firewall at the headquarters.




2) Configuration steps on the Unified Firewall at the branch office:

2.1) Connect to the configuration interface of the Unified Firewall and navigate to VPN -> IPSec settings.



2.2) Activate IPSec.



2.3) Switch to VPN -> IPSec Connections and click on the “+” icon to create a new IPSec connection.



2.4) Save the following parameters:
  • Name: Enter a descriptive name.
  • Connection type: Choose Site-to-site.
  • Network connection: From the drop-down menu, select the Network connection used for the Internet connection.
  • Local network: Enter the local network in CIDR notation (Classless Inter-Domain Routing).
  • Remote network: Enter the remote network in CIDR notation (Classless Inter-Domain Routing).
  • Destination: Select the option Dynamic destination here.
  • In this example configuration the Unified Firewall at the branch office should accept the VPN connection, so you select the option Wait for connection.



2.5) Change to the Authentication tab and enter the following parameters:
  • Authentication type: Set PSK only (preshared key).
  • Preshared Key: Enter a preshared key.
  • Local identifier: Set the local identifier.
  • Remote identifier: Set the remote identifier.
    Important:
    The local and remote identifiers must not match!


2.6) Change to the tab ISAKMP (IKE) and, under IKE version, select the type IKEv2.

Leave the remaining parameters at their default values.



2.7) Click the icon to create a new VPN host.



2.8) Save the following parameters:
  • Name: Enter a descriptive name.
  • VPN connection type: Select the type IPSec.
  • IPSec connection: From the drop-down menu under IPSec, select the VPN connection created in steps 2.4 - 2.6.



2.9) In the VPN host, click on the "connection" icon and then click on the network object that the site-to-site connection should be able to access; this opens the firewall objects. Repeat this step for every network that the branch should be able to access.



2.10) Use the “+” sign to assign the required protocols to the VPN host.
    Info:
    A Unified Firewall uses a deny-all strategy. You therefore have to explicitly allow communication.

    Info:
    Firewall objects can also be accessed via Desktop -> Desktop connections and clicking on the “edit” icon.
2.11) Finally, implement the configuration changes by clicking Activate in the firewall.



2.12) This concludes the configuration steps on the Unified Firewall at the branch office.

The VPN connection to the headquarters is established now.
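Before clicking Activate on both sides, it is worth cross-checking the two IPSec connection forms against each other: mirrored networks, mirrored identifiers that differ within each side, identical preshared key, one initiator and one waiting side, IKEv2 on both. The following Python script does that for the scenario in this document; it is an added example, not LANCOM code, and the field names and sample identifiers are constructed for illustration.

```python
# Added example (not LANCOM's own code): cross-checks the two IPSec site-to-site
# configurations from steps 1.4-1.6 and 2.4-2.6 for consistency before Activate.
# Field names mirror the form labels in this document; they are not a LANCOM API.
import ipaddress

HQ = {  # constructed from the scenario: headquarters initiates
    "local_network": "192.168.50.0/23", "remote_network": "192.168.66.0/24",
    "destination": "81.81.81.81", "mode": "initiate", "ike_version": "IKEv2",
    "psk": "example-psk-change-me", "local_id": "hq.example", "remote_id": "branch.example",
}
BRANCH = {  # constructed from the scenario: branch office waits for the connection
    "local_network": "192.168.66.0/24", "remote_network": "192.168.50.0/23",
    "destination": "dynamic", "mode": "wait", "ike_version": "IKEv2",
    "psk": "example-psk-change-me", "local_id": "branch.example", "remote_id": "hq.example",
}

def check_pair(a, b):
    """Return a list of problems found when pairing configuration a with b (empty if consistent)."""
    problems = []
    a_local, a_remote = ipaddress.ip_network(a["local_network"]), ipaddress.ip_network(a["remote_network"])
    b_local, b_remote = ipaddress.ip_network(b["local_network"]), ipaddress.ip_network(b["remote_network"])
    # The local network of one side must be the remote network of the other (steps 1.4 / 2.4)
    if a_local != b_remote or b_local != a_remote:
        problems.append("local/remote networks are not mirrored between sides")
    if a_local.overlaps(a_remote):
        problems.append("local and remote networks overlap")
    # Identifiers: never equal within one side (steps 1.5 / 2.5), and mirrored across sides
    for side, cfg in (("a", a), ("b", b)):
        if cfg["local_id"] == cfg["remote_id"]:
            problems.append(f"{side}: local and remote identifiers match")
    if a["local_id"] != b["remote_id"] or b["local_id"] != a["remote_id"]:
        problems.append("identifiers are not mirrored between sides")
    if a["psk"] != b["psk"]:
        problems.append("preshared keys differ")
    # Exactly one side initiates and the other waits (steps 1.4 / 2.4)
    if sorted([a["mode"], b["mode"]]) != ["initiate", "wait"]:
        problems.append("exactly one side must initiate and the other wait")
    for cfg in (a, b):
        if cfg["mode"] == "initiate" and cfg["destination"] == "dynamic":
            problems.append("initiating side needs a fixed destination address")
        if cfg["ike_version"] != "IKEv2":
            problems.append("IKE version must be IKEv2 on both sides")
    return problems

if __name__ == "__main__":
    print(check_pair(HQ, BRANCH) or "configuration pair is consistent")
```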

Catchwords: rohde; schwarz; ikev2; unified firewall; site-to-site; lan-lan; kopplung