LANCOM Support Knowledgebase Document No. 1907.1713.2958.RHOO - V2.70

Setting up an IKEv2 VPN connection (site-to-site) between a LANCOM router and a LANCOM R&SŪ Unified Firewall


Description:
This document describes how to set up an IKEv2 connection (site-to-site) between a LANCOM router and a LANCOM R&SŪ Unified Firewall.



Requirements:
  • LANCOM VPN router
  • LANtools version 10.20 or later (download)
  • A configured and functional Internet connection on the Unified Firewall
  • Any web browser for access to the web interface of the Unified Firewall



Scenario:

1) The Unified Firewall is connected directly to the Internet and has a public IPv4 address:
  • A company wants to use an IKEv2 site-to-site connection to connect its branch office, where a LANCOM router operates as an Internet gateway, to its company headquarters.
  • The company headquarters has a Unified Firewall as a gateway with an Internet connection with the fixed public IP address 81.81.81.81.
  • The LANCOM router at the branch office should establish the VPN connection to the headquarters.
  • The local network at the headquarters has the IP address range 192.168.66.0/24.
  • The local network at the branch office has the IP address range 192.168.50.0/23.



    2) The Unified Firewall is connected to the Internet via an upstream router:
    • A company wants to use an IKEv2 site-to-site connection to connect its company headquarters to a branch office, where a LANCOM router operates as an Internet gateway.
    • The company headquarters has a Unified Firewall as the gateway and an upstream router for the Internet connection. The router has the fixed public IP address 81.81.81.81.
    • The LANCOM router at the branch office should establish the VPN connection to the headquarters.
    • The local network at the headquarters has the IP address range 192.168.66.0/24.
    • The local network at the branch office has the IP address range 192.168.50.0/23.

    Info:
    This scenario also includes the “parallel” solution as described in the following article: Document Link Icon





Procedure:

The setup for scenarios 1 and 2 are basically the same. Scenario 2 additionally requires port and protocol forwarding to be set up on the upstream router (see section 3).

1) Configuration steps on the Unified Firewall:

1.1) Connect to the configuration interface of the Unified Firewall and navigate to VPN -> IPSec settings.



1.2) Activate IPSec.



1.3) Switch to VPN -> IPSec Connections and click on the “+” icon to create a new IPSec connection.



1.4) Save the following parameters:
  • Name: Enter a descriptive name.
  • Connection type: Choose Site-to-site.
  • Network connection: From the drop-down menu, select the Network connection used for the Internet connection.
  • Local network: Enter the local network in CIDR notation (Classless Inter-Domain Routing).
  • Remote network: Enter the remote network in CIDR notation (Classless Inter-Domain Routing).
  • Enable the option Dynamic destination.
  • In this example configuration the Unified Firewall should accept the VPN connection, so you select the option Wait for connection.



1.5) Change to the Authentication tab and enter the following parameters:
    • Authentication type: Set PSK only (preshared key).
    • Preshared Key: Enter a preshared key.
    • Local identifier: Set the local identifier.
    • Remote identifier: Set the remote identifier.
      Important:
      Make sure that the local and remote identifiers do not match!



1.6) Change to the tab ISAKMP (IKE) and, under IKE version, select the type IKEv2.

Leave the remaining parameters at their default values.



1.7) Click the icon to create a new VPN host.



1.8) Save the following parameters:
  • Name: Enter a descriptive name.
  • VPN connection type: Select the type IPSec.
  • IPSec connection: From the drop-down menu under IPSec, select the VPN connection created in steps 1.4 - 1.6.



1.9) In the VPN host click on the "connection" icon and, to open the firewall objects, click on the network object that the Advanced VPN Client should access. Repeat this step for every network that the branch should be able to access.



1.10) Use the “+” sign to assign the required protocols to the VPN host.

    Info:
    A Unified Firewall uses a deny-all strategy. You therefore have to explicitly allow communication.


    Info:
    Firewall objects can also be accessed via Desktop -> Desktop connections and clicking on the “edit” icon.

1.11) Finally, implement the configuration changes by clicking Activate in the firewall.



1.12) This concludes the configuration steps on the Unified Firewall.



2) Configuration steps on the LANCOM router:

2.1) Start the Setup Wizard and select the option Connect two local area networks (VPN).

2.2) Select the option IKEv2.



2.3) IPSec over HTTPS must be disabled.



2.4) Enter a name for the new VPN remote.



2.5) Set the local identity to the same value as you configured for the remote identifier in step 1.5.

The remote password must be set as the preshared key entered in step 1.5.



2.6) Set the remote identity to the same value as you configured for the local identifier set in step 1.5.

The remote password must be set as the preshared key entered in step 1.5.



2.7) In this example, the branch office establishes the VPN connection to the headquarters.



2.8) Enter the public IP address of the Unified Firewall (or the upstream router) into the Gateway field.

In the fields Address and Netmask, enter the LAN address range at the headquarters (192.168.66.0) along with the associated netmask.



2.9) Click on Finish to write the configuration back to the LANCOM router.



3) Setting up port and protocol forwarding on a LANCOM router (scenario 2 only):

IPSec requires the use of the UDP ports 500 and 4500 as well as the protocol ESP. These must be forwarded to the Unified Firewall.

Forwarding the UDP ports 500 and 4500 automatically causes the ESP protocol to be forwarded.
    Info:
    If you are using a router from another manufacturer, ask them about appropriate procedure.

    Important:
    If the UDP ports 500 and 4500 and the ESP protocol are forwarded to the Unified Firewall, an IPSec connection to the LANCOM router can only be used if it is encapsulated in HTTPS (IPSec-over-HTTPS). Otherwise, no IPSec connection will be established.

3.1) Open the configuration for the router in LANconfig and switch to the menu item IP-Router -> Masq. -> Port forwarding table.



3.2) Save the following parameters:
  • First port: Specify the Port 500.
  • Last port: Specify the Port 500.
  • Intranet address: Specify the IP address of the Unified Firewall in the transfer network between the Unified Firewall and the LANCOM router.
  • Protocol: From the drop-down menu, select UDP.



3.3) Create a further entry and specify the UDP port 4500.



3.4) Write the configuration back to the router.

Catchwords: rohde; schwarz; ikev2; unified firewall ; site-to-site; lan-lan; link
Please review this document! This document was helpful This document was not helpful