LANCOM Support Knowledgebase Document No. 1907.1811.3408.RHOO - V2.80

Setting up an IKEv1 VPN connection with an Android mobile device to a LANCOM R&S Unified Firewall


Description:
This article describes how to set up an IKEv1 connection from an Android mobile device (smartphone or tablet) to a LANCOM R&S Unified Firewall.



Requirements:
  • A configured and functional Internet connection on the Unified Firewall
  • Any web browser for access to the web interface of the Unified Firewall
  • An Android mobile device running Android 5.x or later.



Scenario:

1) The Unified Firewall is connected directly to the Internet and has a public IPv4 address:
  • A company wants its sales representatives to have access to the corporate network via an IKEv1 client-to-site connection.
  • The sales representatives can use an Android mobile device.
  • The company headquarters has a Unified Firewall as a gateway with an Internet connection with the fixed public IP address 81.81.81.81.
  • The local network at the headquarters has the IP address range 192.168.66.0/24.




2) The Unified Firewall is connected to the Internet via an upstream router:
  • A company wants its sales representatives to have access to the corporate network via an IKEv1 client-to-site connection.
  • The sales representatives can use an Android mobile device.
  • The company headquarters has a Unified Firewall as the gateway and an upstream router for the Internet connection. The router has the fixed public IP address 81.81.81.81.
  • The local network at the headquarters has the IP address range 192.168.66.0/24.
    Info:
    This scenario also includes the “parallel” solution as described in a separate Knowledgebase article.




Procedure:

The setup for scenarios 1 and 2 is basically the same. Scenario 2 additionally requires port and protocol forwarding to be set up on the upstream router (see section 3).

1) Configuration steps on the Unified Firewall:

1.1) Connect to the configuration interface of the Unified Firewall and navigate to VPN -> IPSec Settings.



1.2) Activate IPSec.



1.3) Switch to VPN -> IPSec Connections and click on the “+” icon to create a new IPSec connection.



1.4) Save the following parameters:
  • Name: Enter a descriptive name.
  • Connection type: Choose Client-to-Site.
  • Network Connection: From the drop-down menu, select the WAN object used for the Internet connection.
  • Local Network: Enter, in CIDR notation (Classless Inter-Domain Routing), the local network with which the VPN client should communicate.
  • Client IP: Assign an IP address from the local network to the VPN client. This IP address is assigned to the VPN client each time it dials in using the IKE config mode.
    Important:
    The name may only contain letters, numbers and underscores.



1.5) Change to the Authentication tab and enter the following parameters:
  • Authentication type: Set PSK only (preshared key).
  • Preshared Key: Enter a preshared key.
  • Local identifier: Set the local identifier.
  • Remote identifier: Set the remote identifier.
    Important:
    The local and remote identifiers must not match!


1.6) Change to the tab ISAKMP (IKE) and, under IKE version, select the type IKEv1.

Leave the remaining parameters at their default values.
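As an added pre-flight check that is not part of the LANCOM article or product, the following Python validates the parameters from steps 1.4 and 1.5 against the constraints stated above (name characters, CIDR notation, client IP inside the local network, distinct identifiers) before they are typed into the firewall; the name and identifier strings are assumed example values, while the 192.168.66.0/24 network is the one used in the scenario.

```python
import ipaddress
import re

# Constructed example values for steps 1.4 and 1.5. The network is the one
# from the scenario; name, identifiers and key are assumed placeholders.
EXAMPLE_CONNECTION = {
    "name": "Android_Sales",
    "local_network": "192.168.66.0/24",
    "client_ip": "192.168.66.200",
    "local_identifier": "hq_firewall",        # assumed value
    "remote_identifier": "android_client",    # assumed value
    "psk": "replace-with-a-long-random-key",  # placeholder
}

# Step 1.4: the name may only contain letters, numbers and underscores.
NAME_RE = re.compile(r"^[A-Za-z0-9_]+$")


def check_connection(params):
    """Return a list of problems; an empty list means the parameters pass."""
    problems = []
    if not NAME_RE.fullmatch(params.get("name", "")):
        problems.append("name may only contain letters, numbers and underscores")

    # strict=True rejects a 'network' with host bits set, e.g. 192.168.66.5/24
    try:
        net = ipaddress.ip_network(params["local_network"], strict=True)
    except ValueError as exc:
        problems.append(f"local network is not valid CIDR: {exc}")
        net = None
    try:
        client = ipaddress.ip_address(params["client_ip"])
    except ValueError as exc:
        problems.append(f"client IP is not a valid address: {exc}")
        client = None

    # Step 1.4: the client IP is taken from the local network and must be a
    # usable host address, not the network or broadcast address.
    if net is not None and client is not None:
        if client not in net:
            problems.append("client IP is not inside the local network")
        elif client in (net.network_address, net.broadcast_address):
            problems.append("client IP must be a host address, not network/broadcast")

    # Step 1.5: both identifiers set, and they must not match.
    local_id = params.get("local_identifier", "")
    remote_id = params.get("remote_identifier", "")
    if not local_id or not remote_id:
        problems.append("local and remote identifiers must both be set")
    elif local_id == remote_id:
        problems.append("local and remote identifiers must not match")
    if not params.get("psk"):
        problems.append("preshared key must not be empty")
    return problems
```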



1.7) Click the icon to create a new VPN host.



1.8) Save the following parameters:
  • Name: Enter a descriptive name.
  • VPN Connection Type: Select the type IPSec.
  • IPSec Connection: From the drop-down menu under IPSec, select the VPN connection created in steps 1.4 - 1.6.



1.9) In the VPN host, click on the "connection" icon and then click on the network object that the VPN client should be able to access. This opens the firewall objects for the connection.

Repeat this step for every other internal network to which the VPN client should have access.



1.10) Use the “+” sign to assign the required protocols to the VPN host.
    Info:
    A Unified Firewall uses a deny-all strategy. You therefore have to explicitly allow communication.


    Info:
    Firewall objects can also be accessed via Desktop -> Desktop Connections and clicking on the “edit” icon.

1.11) Finally, implement the configuration changes by clicking Activate in the firewall.



1.12) This concludes the configuration steps on the Unified Firewall.


2) Configuration of the Android mobile device:


2.1) Under the VPN setting, select the item VPN and click VPN configuration.

  • Give the connection a unique description.
  • As Server enter the WAN IP address or the domain of the Unified Firewall. The device must be accessible from the WAN at this address.

2.2) The next step is to enter the Fully Qualified Username, which was entered earlier as the remote identifier.

2.3) The final item in the configuration is to enter the Shared secret, which was specified as the preshared key.

2.4) Save the configuration with Done.



3) Setting up port and protocol forwarding on a LANCOM router (scenario 2 only):

IPSec requires the use of the UDP ports 500 and 4500 as well as the protocol ESP. These must be forwarded to the Unified Firewall.

Forwarding the UDP ports 500 and 4500 automatically causes the ESP protocol to be forwarded.
    Info:
    If you are using a router from another manufacturer, ask that manufacturer about the appropriate procedure.

    Important:
    If the UDP ports 500 and 4500 and the ESP protocol are forwarded to the Unified Firewall, an IPSec connection to the LANCOM router can only be used if it is encapsulated in HTTPS (IPSec-over-HTTPS). Otherwise, no IPSec connection will be established.

3.1) Open the configuration for the router in LANconfig and switch to the menu item IP-Router -> Masq. -> Port forwarding table.



3.2) Save the following parameters:
  • First port: Specify the Port 500.
  • Last port: Specify the Port 500.
  • Intranet address: Specify the IP address of the Unified Firewall in the transfer network between the Unified Firewall and the LANCOM router.
  • Protocol: From the drop-down menu, select UDP.



3.3) Create a further entry and specify the UDP port 4500.



3.4) Write the configuration back to the router.

Catchwords: rohde; schwarz; ikev1; unified firewall ; android; smartphone; tablet