LANCOM Support Knowledgebase
Document No. 1603.1116.1104.RHOO - V3.40
Manually set up an IKEv2 site-to-site VPN connection (IPv4) and authentication by FreeRADIUS server
Description:
This document describes how to set up a network connection using an IKEv2 site-to-site VPN connection between two LANCOM routers. A FreeRADIUS server is used for authentication.

Requirements:
LCOS as of version 9.20 (download latest version)
LANtools as of version 9.20 (download latest version)
A configured FreeRADIUS server (download)
Functional Internet connection at both ends

Scenario:
A company wishes to interconnect the local networks at their headquarters and at a branch office by means of an IKEv2 site-to-site VPN connection. The authentication relies on a FreeRADIUS server already installed at the headquarters. The LANCOM's own internal RADIUS server cannot be used for this scenario.
Both sites have a LANCOM router as their gateway and an Internet connection with a fixed public IP address. The public IP address of the headquarters is 81.81.81.81, and that of the branch office is 80.80.80.80.
The VPN connection is established from the branch office to the headquarters.
The local network at the headquarters has the IP address range 192.168.1.0/24, and the branch office uses the local IP address range 192.168.2.0/24.
Procedure:

1) Configuration steps on the FreeRADIUS server:

1.1) The file dictionary.lancom contains the VSAs (Vendor Specific Attributes) for LANCOM Systems (see also the linked notes). Copy this file to the directory /usr/share/freeradius/.

1.2) Open the clients configuration file and add the local network at the headquarters as an approved RADIUS client network. For this example we enter 192.168.1.0/24.

1.3) Enter a password as the shared secret. You will need this password for the RADIUS configuration of the LANCOM router located at the headquarters (see step 2.5).

1.4) Open the file users and create a new user entry for the LANCOM router at the branch office:

    # Entry name: the local identity of the branch office. Cleartext-Password: the
    # challenge password that the headquarters router sends (required in step 2.6).
    # Tunnel-Password: the local password of the branch office (see step 3.5).
    # LCS-VPN-IPv4-Rule: the VPN network relationships (SAs) that must be established.
    office.company.com  Cleartext-Password := "lancom"
            Service-Type = Outbound-User,
            Tunnel-Password = "12345678",
            LCS-VPN-IPv4-Rule = "192.168.1.0/24 * 192.168.2.0/24"

1.5) Restart the FreeRADIUS server so that the changes take effect.
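As an added example that is not part of the original article: the Python script below parses the users entry from step 1.4 and checks that its values line up with the router settings entered in steps 2.6, 3.5 and 3.10 (challenge password, branch identity and local password, and the two networks). The users entry and the router-side values are embedded as constructed copies, and the LCS-VPN-IPv4-Rule value is read as "<local network> * <remote network>" exactly as the step shows it.

```python
import ipaddress
import re

# Constructed copy of the 'users' entry from step 1.4 (embedded, not read from disk).
USERS_ENTRY = '''\
office.company.com  Cleartext-Password := "lancom"
        Service-Type = Outbound-User,
        Tunnel-Password = "12345678",
        LCS-VPN-IPv4-Rule = "192.168.1.0/24 * 192.168.2.0/24"
'''
# Router-side values from steps 2.6, 3.5 and 3.10 (constructed for this example).
ROUTER_CONFIG = {
    "challenge_password": "lancom",            # headquarters router, step 2.6
    "local_identifier": "office.company.com",  # branch router, step 3.5
    "local_password": "12345678",              # branch router, step 3.5
    "hq_network": "192.168.1.0/24",            # branch router route, step 3.10
    "branch_network": "192.168.2.0/24",        # scenario
}

def _pairs(text):
    """Yield (attribute, value) from 'Attr op value' items; values may be quoted."""
    for m in re.finditer(r'([\w-]+)\s*(?::=|==|=)\s*(?:"([^"]*)"|([^,\s]+))', text):
        yield m.group(1), m.group(2) if m.group(2) is not None else m.group(3)

def parse_users_entry(text):
    """Split one users entry into (name, check items, reply items)."""
    lines = [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    head, *rest = lines
    name, _, checks = head.strip().partition(" ")  # first line: name + check items
    return name, dict(_pairs(checks)), dict(_pairs(" ".join(rest)))  # rest: reply items

def net(s):  # "" (missing field) -> None, otherwise an IPv4Network
    return ipaddress.ip_network(s) if s else None

def check_consistency(entry_text, cfg):
    """Return the list of mismatches between the RADIUS entry and the router settings."""
    name, checks, replies = parse_users_entry(entry_text)
    rule = replies.get("LCS-VPN-IPv4-Rule", "")
    local, _, remote = (rule.split() + ["", "", ""])[:3]  # "<local> * <remote>" (step 1.4)
    expected = [
        (name, cfg["local_identifier"], "entry name / branch local identifier (3.5)"),
        (checks.get("Cleartext-Password"), cfg["challenge_password"], "challenge password (2.6)"),
        (replies.get("Tunnel-Password"), cfg["local_password"], "branch local password (3.5)"),
        (net(local), net(cfg["hq_network"]), "rule local network / headquarters network (3.10)"),
        (net(remote), net(cfg["branch_network"]), "rule remote network / branch network"),
    ]
    problems = ["mismatch: " + msg for got, want, msg in expected if got != want]
    if net(local) and net(remote) and net(local).overlaps(net(remote)):
        problems.append("local and remote networks overlap; routing would be ambiguous")
    return problems
```

Running check_consistency before writing the configurations to the routers catches the password and network mismatches that otherwise only show up later as a failed IKEv2 authentication.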
2) Manual configuration of the LANCOM router at the headquarters:

2.1) Open the configuration for the LANCOM router at the headquarters and switch to the menu item VPN -> General.

2.2) Enable the function Virtual Private Network. Set the parameter for the Establishment of net relationships (SAs) to All collectively.
As of LCOS version 10.20, the Network Relationships (SAs) parameter is fixed to the value All collectively and is therefore no longer displayed in the configuration dialog.

2.3) Open the menu item VPN -> IKEv2/IPSec and click the button Extended settings.

2.4) On the RADIUS authentication pane, click the RADIUS server button and add a new entry.

2.5) Set a name of your choice for this entry.
In the field Server address, enter the local IP address of the FreeRADIUS server. In this example it is 192.168.1.100. The default port is 1812.
In the Secret field, enter the shared secret password used by the FreeRADIUS server (see step 1.3).

2.6) Close the dialog with OK and, in the Password field, specify a challenge password that the RADIUS server receives in the access-request attribute as the user password.
The RADIUS server usually associates this password directly with a VPN peer for network access authorization. With IKEv2, however, the requesting VPN peer is authorized not by the RADIUS server but by the LANCOM gateway, after the gateway receives the corresponding authorization in the access-accept message from the RADIUS server. Accordingly, you enter a challenge password at this point. The challenge password in this example is lancom (also see step 1.4).

2.7) Open the menu item VPN -> IKEv2/IPSec and click the button Authentication.

2.8) Click on the Add... button to create a new entry.

2.9) Enter the information for the authentication of the VPN connection into the configuration window.
Name: Enter the name for the authentication here. This entry is used later in the VPN connection list (see step 2.11).
Local authentication: Select the authentication type used on the router at the headquarters. This example uses authentication by pre-shared key (PSK).
Local identifier type: Select the identifier type used on the router at the headquarters. In this example, the identity type is set to Domain name (FQDN).
Local identifier: Set the local identifier. In this example, the LANCOM router at the headquarters uses the local identity headquarter.company.com.
Remote authentication: Select the authentication type used on the router at the branch office. This example uses authentication by pre-shared key (PSK).
Remote identifier type: The remote identifier type is set to No identity.
Remote cert. ID check: As this function is not required, set this to no.

2.10) Open the menu item VPN -> IKEv2/IPSec and click the button Connection list.

2.11) Open the existing default entry and modify the following parameters.
Authentication: Select the authentication. The entry here corresponds to the name of the authentication that you set in step 2.9.
RADIUS auth. server: Specify the RADIUS server entry created in step 2.4.

2.12) Write the configuration back to the LANCOM router at the headquarters.

Note: When the connection is established, the IP route is automatically created on the LANCOM router at the headquarters. There is no need to make a manual routing entry.
3) Manual configuration of the LANCOM router at the branch office:

3.1) Open the configuration for the LANCOM router at the branch office and switch to the menu item VPN -> General.

3.2) Enable the function Virtual Private Network. Set the parameter for the Establishment of net relationships (SAs) to All collectively.
As of LCOS version 10.20, the Network Relationships (SAs) parameter is fixed to the value All collectively and is therefore no longer displayed in the configuration dialog.

3.3) Open the menu item VPN -> IKEv2/IPSec and click the button Authentication.

3.4) Click on the Add... button to create a new entry.

3.5) Enter the information for the authentication of the VPN connection into the configuration window.
Name: Enter the name for the authentication here. This entry is used later in the VPN connection list (see step 3.8).
Local authentication: Select the authentication type used on the router at the branch office. This example uses authentication by pre-shared key (PSK).
Local identifier type: Select the identifier type used on the router at the branch office. In this example, the identity type is set to Domain name (FQDN).
Local identifier: Set the local identifier. In this example, the LANCOM router at the branch office uses the local identity office.company.com (also see step 1.4).
Local password: Set the pre-shared key to be used to authenticate at the router at the branch office. In this example it is 12345678, the Tunnel-Password from step 1.4.
Remote authentication: Select the authentication type used by the LANCOM router at the headquarters. This example uses authentication by pre-shared key (PSK).
Remote identifier type: Select the identifier type used on the router at the headquarters. In this example, the identity type is set to Domain name (FQDN).
Remote identifier: Set the remote identifier. In this example, the LANCOM router at the headquarters uses the remote identity headquarter.company.com.
Remote password: Set the pre-shared key to be used to authenticate at the router at the headquarters.
Remote cert. ID check: As this function is not required, set this to no.

3.6) Open the menu item VPN -> IKEv2/IPSec and click the button Connection list.

3.7) Click on the Add... button to create a new entry.

3.8) Enter the following information into the configuration dialog:
Connection name: Enter a name for the VPN connection. This name is used later in the routing table (see step 3.10).
Short hold time: Specify the short-hold time in seconds for the VPN connection. In this example, a value of 9999 seconds is entered into the LANCOM router at the branch office. This means that this router actively establishes the VPN connection.
Gateway: Specify the public IP address of the LANCOM router at the headquarters. In this example, this is the IP address 81.81.81.81.
Authentication: Select the authentication. The entry here corresponds to the name of the authentication that you set in step 3.5.
IKE-CFG: The IKE config mode is not required and therefore must be switched off.
Rule creation: The rule creation is performed automatically.

3.9) Navigate to the menu IP router -> Routing -> IPv4 routing table.

3.10) Add a new routing entry.
As the IP address, enter the address of the local network at the headquarters. In this example it is 192.168.1.0.
The netmask needs to be set to the value 255.255.255.0, as the local network at the headquarters is a /24 (class C) network.
For the Router field, select the identification of the VPN remote station (in this case: HEADQUARTERS).
IP masquerading is switched off for this entry.

3.11) Write the configuration back to the LANCOM router at the branch office.

After the configuration has been written back to the LANCOM router at the branch office, the VPN connection can be established between the two LANCOM routers. You can check this, for example, by loading the two LANCOM routers into the LANmonitor.

Note: If problems occur during connection establishment, or if the established VPN connection does not work properly, a VPN Status Trace can help with the diagnosis. Information is available in the following KnowledgeBase article.
Catchwords: ikev2; radius; freeradius; vpn