LANCOM Support Knowledgebase Document No. 1603.1116.1104.RHOO - V3.30

Manually set up an IKEv2 site-to-site VPN connection (IPv4) and authentication by FreeRADIUS server


Description:

This document describes how you set up a network connection using an IKEv2 site-to-site VPN connection between two LANCOM routers. A FreeRADIUS server is used for authentication.


Requirements:



Scenario:
  • A company wishes to interconnect the local networks at their headquarters and at a branch office by means of an IKEv2 site-to-site VPN connection.
  • The authentication relies on a FreeRADIUS server already installed at the headquarters. The LANCOM's own internal RADIUS server cannot be used for this scenario.
  • Both sites have a LANCOM router as their gateway and an Internet connection with a fixed public IP address. The public IP address of the Headquarters is 81.81.81.81, and the branch office is 80.80.80.80.
  • The VPN connection is established from the branch office to the headquarters.
  • The local network at the headquarters has the IP address range 192.168.1.0/24, and the branch office uses the local IP address range 192.168.2.0/24.




Procedure:

1) Configuration steps on the FreeRADIUS server:

1.1) The file below contains the VSAs (Vendor Specific Attributes) for LANCOM Systems (also see notes link). Copy this to the directory /usr/share/freeradius/.

dictionary.lancom

1.2) Open the clients configuration file and add the local network at the headquarters as an approved RADIUS client network. For this example we enter 192.168.1.0/24.

1.3) Enter a password as the shared secret. You will need this password for the RADIUS configuration of the LANCOM router located at the headquarters (see step 2.5).





1.4) Open the file users and create a new user entry for the LANCOM router at the branch office:



office.company.com Cleartext-Password:=lancom [local identity of the branch office along with a challenge password, which is required in step 2.6]
Service-Type=Outbound-User,
Tunnel-Password="12345678", [the local password of the branch office, see step 3.5]
LCS-VPN-IPv4-Rule="192.168.1.0/24 * 192.168.2.0/24" [the VPN network relationships (SAs) that must be established]


1.5) Restart the FreeRADIUS server so that the changes take effect.



2) Manual configuration of the LANCOM router at the headquarters:

2.1) Open the configuration for the LANCOM router at the headquarters and switch to the menu item VPN -> General.

2.2) Enable the function Virtual Private Network. Set the parameter for the Establishment of net relationships (SAs) to All collectively.

As of LCOS version 10.20, the Network Relationships (SAs) parameter is fixed to the value All collectively, and therefore is no longer displayed in the configuration dialog.



2.3) Open the menu item VPN -> IKEv2/IPSec and click the button Extended settings.



2.4) On the RADIUS authentication pane, click the RADIUS server button and add a new entry.



2.5) Set a Name of your choice for this entry.
  • In the field Server address, enter the local IP address of the FreeRADIUS server. In this example it is 192.168.1.100.
  • The default port is 1812.
  • In the Secret field, enter the shared secret password used by the FreeRADIUS server (see step 1.3).

2.6) Close the dialog with OK and in the Password field, specify a challenge password that the RADIUS server receives in the access-request attribute as the user password.

The RADIUS server usually associates this password directly with a VPN peer for network access authorization. With IKEv2 however, the requesting VPN peer is authorized not by the RADIUS server, but instead by the LANCOM gateway after this receives the corresponding authorization in the access-accept message from
the RADIUS server.

Accordingly, you enter a challenge password at this point. The challenge password in this example is lancom (also see step 1.4).



2.7) Open the menu item VPN -> IKEv2/IPSec and click the button Authentication.



2.8) Click on the Add... button to create a new entry.

2.9) Enter the information for the authentication of the VPN connection into the configuration window.

    Name:
    Enter the name for the authentication here. This entry is used later in the VPN connection list (see step 2.11).

    Local authentication:
    Select the authentication type used on the router at the headquarters. This example uses authentication by pre-shared key (PSK).

    Local identifier type:
    Select the identifier type used on the router at the headquarters. In this example, the identity type was set to Domain name (FQDN).

    Local identifier:
    Set the local identifier. In this example, the LANCOM router at the headquarters uses the local identity headquarter.company.com.

    Remote authentication:
    Select the identifier type used on the router at the branch office. This example uses authentication by pre-shared key (PSK).

    Remote identifier type:
    The remote identifier type is set to No identity.

    Remote cert. ID check:
    As this function is not required, set this to no.


2.10) Open the menu item VPN -> IKEv2/IPSec and click the button Connection list.



2.11) Open the existing default entry and modify the following parameters.


    Authentication:
    Select the authentication. The entry here corresponds to the name of the authentication that you set in step 2.9.

    RADIUS auth. server:
    Specify the RADIUS server entry created as of step 2.4.


2.12) Write the configuration back to the LANCOM router at the headquarters.
    Note:
    When the connection is established, the IP route is automatically created on the LANCOM router at the headquarters. There is no need to make a manual routing entry.



3) Manual configuration of the LANCOM router at the branch office:

3.1) Open the configuration for the LANCOM router at the branch office and switch to the menu item VPN -> General.

3.2) Enable the function Virtual Private Network. Set the parameter for the Establishment of net relationships (SAs) to All collectively.

As of LCOS version 10.20, the Network Relationships (SAs) parameter is fixed to the value All collectively, and therefore is no longer displayed in the configuration dialog.



3.3) Open the menu item VPN -> IKEv2/IPSec and click the button Authentication.



3.4) Click on the Add... button to create a new entry.

3.5) Enter the information for the authentication of the VPN connection into the configuration window.

    Name:
    Enter the name for the authentication here. This entry is used later in the VPN connection list (see step 3.8).

    Local authentication:
    Select the authentication type used on the router at the branch office. This example uses authentication by pre-shared key (PSK).

    Local identifier type:
    Select the identifier type used on the router at the branch office. In this example, the identity type was set to Domain name (FQDN).

    Local identifier:
    Set the local identifier. In this example, the LANCOM router at the branch office uses the local identity office.company.com (also see step 1.4).

    Local password:
    Set the pre-shared key to be used to authenticate at the router at the branch office.

    Remote authentication:
    Select the authentication type used by the LANCOM router at the headquarters. This example uses authentication by pre-shared key (PSK).

    Remote identifier type:
    Select the identifier type used on the router at the headquarters. In this example, the identity type was set to Domain name (FQDN).

    Remote identifier:
    Set the remote identifier. In this example, the LANCOM router at the headquarters uses the remote identity headquarter.company.com.

    Remote password:
    Set the pre-shared key to be used to authenticate at the router at the headquarters.

    Remote cert. ID check:
    As this function is not required, set this to no.


3.6) Open the menu item VPN -> IKEv2/IPSec and click the button Connection list.

3.7) Click on the Add... button to create a new entry.



3.8) Enter the following information into the configuration dialog:

    Connection name:
    Enter a name for the VPN connection. This name is used later in the routing table (see step 3.10).

    Short hold time:
    Specify the short-hold time in seconds for the VPN connection. In this example, a value of 9999 seconds is entered into the LANCOM router at the branch office. This means that this router actively establishes the VPN connection.

    Gateway:
    Specify the public IP address of the LANCOM router at the headquarters. In this example, this is the IP address 81.81.81.81.

    Authentication:
    Select the authentication. The entry here corresponds to the name of the authentication that you set in step 3.5.

    IKE-CFG:
    The IKE config mode is not required, and therefore must be switched off.

    Rule creation:
    The rule creation is performed automatically.


3.9) Navigate to the menu IP router -> Routing -> IPv4 routing table.



3.10) Add a new routing entry.
  • As the IP address, enter the address of the local network at the headquarters. In this example it is 192.168.1.0.
  • The netmask needs to be set to the value 255.255.255.0 as the local network at the headquarters is a class C network.
  • For the Router field, select the identification of the VPN remote station (in this case: HEADQUARTERS).
  • IP masquerading is switched off for this entry.

3.11) Write the configuration back to the LANCOM router at the branch office.

After the configuration has been written back to the LANCOM router at the branch office, the VPN connection can be established between the two LANCOM routers. You can check this for example by loading the two LANCOM routers into the LANmonitor.

    Note:
    If problems occur during connection establishment, or if the established VPN connection does not work properly, a VPN Status Trace can help with the diagnosis. Information is available in the following KnowledgeBase article Database 'SP Knowledgebase', View '03. Edit Documents\by Responsible, Status', Document 'Traces - VPN status trace explained'.
Catchwords: ikev2. radius; freeradius; vpn
Please review this document! This document was helpful This document was not helpful