LANCOM Support Knowledgebase Document No. 1904.1814.3100.MMÜL - V1.00

Manual customization of VPN rules (phase 2)


Description:

    VPN rules (phase 2) are used to announce which networks are allowed to intercommunicate through a VPN tunnel.

    In some cases it may be necessary to manually customize rules created by the Setup Wizard: For example, when establishing a VPN connection to a third-party router, or where only a selection of the available local area networks should be allowed to communicate through the VPN tunnel.

    This document describes how to manually customize VPN rules (phase 2).



    Requirements:
    • An existing, configured VPN connection



    Procedure:

    1) Create the VPN rules:

    1.1) Open the configuration for the router in LANconfig and switch to the menu item VPN -> General -> Network rules.



    1.2) Go to the menu IPv4 rules.



    Info:
    For clarity when more than four networks are involved, LANCOM Systems recommends creating several IPv4 rules and collecting them in an IPv4 rule list. The IPv4 rule list, rather than the individual IPv4 rule, is then stored in the VPN remote site (see step 2).

    1.3) Enter a descriptive name.



    1.4) Under Local networks, select the networks which are available to the router and which the remote site should be able to access.





    Info:
    Instead of selecting the network objects, you can also specify the network address in CIDR notation (e.g. 192.168.1.0/24). Multiple networks are separated by a comma (e.g. 192.168.1.0/24,192.168.2.0/24).

    1.5) For Remote networks, select the VPN remote (either VPN / IKE / IPSec / VPN connections with IKEv1 or VPN / IKEv2 / IPSec / VPN connections with IKEv2).

    Info:
    When you select a VPN remote, the router determines the networks reachable at the other end from the IPv4 routing table (IP router -> Routing -> IPv4 routing table).





    Info:
    Instead of selecting the VPN remotes, you can also specify the remote address in CIDR notation (e.g. 192.168.3.0/24). Multiple networks are separated by a comma (e.g. 192.168.3.0/24,192.168.4.0/24).



    2) Assign the VPN rule to the VPN remote:

    The VPN remotes for IKEv1 and IKEv2 are located in different menus.

    2.1) IKEv1:

    2.1.1) Navigate to the menu VPN -> IKE/IPSec -> Connection list.



    2.1.2) Change the following parameters for the VPN remote:
    • Set Rule creation to manual
    • From the drop-down menu IPv4 rules, select the VPN rule created in step 1.



    2.2) IKEv2:

    2.2.1) Navigate to the menu VPN -> IKEv2/IPSec -> Connection list.



    2.2.2) Change the following parameters for the VPN remote:
    • Set Rule creation to manual
    • From the drop-down menu IPv4 rules, select the VPN rule created in step 1.





    3) Exclude duplicate VPN rules:

    Duplicate rules for the same VPN connection (e.g. one rule created by the Setup Wizard and one created manually) can lead to problems. In the worst case, the VPN connection will not be established, so duplicates must be avoided.

    Go to Firewall/QoS -> IPv4 rules -> Rules and make sure that there are no VPN rules that already apply to the VPN connection being customized (e.g. WIZ-VPN-NETWORKS).

    Important:
    If there is a VPN rule that is valid for several VPN connections and you need to customize the rule creation for one of the VPN connections, then a separate VPN rule has to be created for each of the individual VPN connections.
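    The following Python script is an added example; it is not LANCOM code and is not part of this document. It models the IPv4 rule fields as the article describes them (comma-separated CIDR lists in Local networks and Remote networks), expands a rule into the local/remote network pairs that are announced for phase 2, and flags pairs where two rules (for instance a wizard-created WIZ-VPN-NETWORKS rule and a manually created one) cover the same traffic, which is the overlap step 3 says to check for before assigning the manual rule. All network addresses and the rule name VPN-BRANCH-MANUAL are constructed for illustration; the rule name WIZ-VPN-NETWORKS is the example given in step 3.

```python
"""Model of LANconfig IPv4 VPN rules (phase 2) as described in the article.

Added example, not LANCOM code. Network values and the manual rule name are
constructed for illustration; the field syntax (comma-separated CIDR) follows
the article's Info notes.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from itertools import product


@dataclass(frozen=True)
class Ipv4Rule:
    name: str
    local: tuple          # networks behind this router
    remote: tuple         # networks behind the VPN remote


def parse_networks(field: str) -> tuple:
    """Parse the comma-separated CIDR list used in the Local/Remote networks fields.

    Whitespace around entries is tolerated; an entry with host bits set
    (e.g. 192.168.1.5/24) or an IPv6 prefix is rejected, since an IPv4 rule
    must name whole IPv4 networks.
    """
    nets = []
    for item in field.split(","):
        item = item.strip()
        if not item:
            continue
        net = ip_network(item, strict=True)   # strict: host bits must be zero
        if not isinstance(net, IPv4Network):
            raise ValueError(f"{item}: an IPv4 rule expects IPv4 networks")
        nets.append(net)
    if not nets:
        raise ValueError("network list is empty")
    return tuple(nets)


def field_error(field: str):
    """Return None if the field is valid, otherwise the validation message."""
    try:
        parse_networks(field)
    except ValueError as exc:
        return str(exc)
    return None


def make_rule(name: str, local_field: str, remote_field: str) -> Ipv4Rule:
    return Ipv4Rule(name, parse_networks(local_field), parse_networks(remote_field))


def traffic_selectors(rule: Ipv4Rule) -> list:
    """Every local/remote pair the rule announces for the phase 2 negotiation."""
    return list(product(rule.local, rule.remote))


def overlapping_selectors(rule_a: Ipv4Rule, rule_b: Ipv4Rule) -> list:
    """Selector pairs of two rules that cover the same traffic (the duplicate-rule
    situation of step 3). Each hit is ((local_a, remote_a), (local_b, remote_b))."""
    hits = []
    for la, ra in traffic_selectors(rule_a):
        for lb, rb in traffic_selectors(rule_b):
            if la.overlaps(lb) and ra.overlaps(rb):
                hits.append(((la, ra), (lb, rb)))
    return hits


if __name__ == "__main__":
    # Constructed sample: the wizard rule covers two local and two remote networks,
    # the manual rule restricts the tunnel to one local network.
    wizard = make_rule("WIZ-VPN-NETWORKS",
                       "192.168.1.0/24,192.168.2.0/24",
                       "192.168.3.0/24,192.168.4.0/24")
    manual = make_rule("VPN-BRANCH-MANUAL",
                       "192.168.1.0/24",
                       "192.168.3.0/24,192.168.4.0/24")

    for rule in (wizard, manual):
        print(f"{rule.name}: {len(traffic_selectors(rule))} phase 2 selector pair(s)")
        for local, remote in traffic_selectors(rule):
            print(f"  {local} <-> {remote}")

    for (la, ra), (lb, rb) in overlapping_selectors(wizard, manual):
        print(f"DUPLICATE: {wizard.name} {la}<->{ra} overlaps {manual.name} {lb}<->{rb}")
```

    Run the script as-is to see both rules expanded and the two overlapping pairs reported; the intended end state after step 3 is that overlapping_selectors returns an empty list for the customized connection, i.e. the wizard rule has been removed or narrowed so that only the manual rule applies to it.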

    Catchwords: VPN rules; VPN; rule; rules; manual; customize; customization