Description:

This document describes how certificates created by LANCOM Smart Certificate are used for a certificate-based IKEv2-VPN connection between two LANCOM routers. Authentication is by digital signature.



Requirements:
  • LANCOM central-site gateway, WLAN controller, or LANCOM router with an activated VPN 25 Option (when using the Smart Certificate feature)
  • Certificates for the participating LANCOM routers. How to create certificates with LANCOM Smart Certificate is described in the following Knowledge Base article.



Procedure:

1) Enable the CA function in the LANCOM router at the headquarters:

In this example configuration, the LANCOM router at the headquarters acts as the CA for creating the certificates (Smart Certificate feature). If you wish to use certificates from another CA, you do not have to use the CA in the LANCOM router and you can skip this step of the configuration.

1.1) In LANconfig, open the configuration dialog for the LANCOM router at the headquarters and switch to the menu item Certificates -> Cert. authority (CA).

1.2) Set a check mark for the option Certificate authority (CA) active. The LANCOM router functions as the root certificate authority (root CA).
Note:
  • For this configuration example we leave all of the other parameters with their preset values.






2) Uploading certificates to the LANCOM routers:

2.1) Right-click on each of the LANCOM routers in LANconfig and select the option Configuration management -> Upload certificate or file.



2.2) In the following dialog select the certificate file intended for each LANCOM router.

2.3) In the certificate type field, select a VPN container.

2.4) In the Cert. password box enter the password for the certificate file. Click on Open to start the upload.



3) Configure the certificate-based VPN connection on the LANCOM router at the headquarters:

3.1) Start the Setup Wizard in LANconfig and select the option Connect two local area networks (VPN).



3.2) Now create an IKEv2-VPN connection.



3.3) In this example, we do not use IPSec-over-HTTPS.



3.4) Enter a name for the LANCOM router at the remote site.



3.5) Enter any values into the following two dialogs, as they will later be manually replaced in the configuration of the LANCOM router by the certificate authentication parameters (see step 3.9ff).





3.6) The LANCOM router at the headquarters should receive the VPN connection.



3.7) Since the LANCOM router at the headquarters receives the VPN connection, no gateway address is required.

Specify the local network to be accessed at the remote site.



3.8) Click on Finish to exit the setup wizard and write the configuration back to the LANCOM router.



3.9) Open the LANCOM router configuration in LANconfig and navigate to VPN -> IKEv2/IPSec -> Authentication.

3.10) Select the available entry for the certificate-based VPN connection (in this case: OFFICE).
  • Set the parameters for local and remote authentication for each entry to the values Digital signature and ASN.1 Distinguished Name.
  • The digital signature profile at both ends has to be set to DEFAULT-RSA-PKCS.
  • As the local identity, enter the name of the certificate in the LANCOM router at the headquarters.
  • As the remote identity, enter the name of the certificate in the LANCOM router at the branch office.
  • As Local certificate choose the VPN container you used in step 2.3).



3.11) Write the configuration back to the LANCOM router at the headquarters.




4) Configure the certificate-based VPN connection on the LANCOM router at the branch office:

4.1) Start the Setup Wizard in LANconfig and select the option Connect two local area networks (VPN).



4.2) Now create an IKEv2 VPN connection.



4.3) In this example, we do not use IPSec-over-HTTPS.



4.4) Enter a name for the LANCOM router at the remote site.



4.5) Enter any values into the following two dialogs, as they will later be manually replaced in the configuration of the LANCOM router by the certificate authentication parameters (see step 4.9ff).





4.6) The LANCOM router at the branch office should establish the VPN connection.



4.7) Since the LANCOM router at the branch office establishes the VPN connection, enter the gateway address of the headquarters.

Specify the local network to be accessed at the remote site.



4.8) Click on Finish to exit the setup wizard and write the configuration back to the LANCOM router.



4.9) Open the LANCOM router configuration in LANconfig and navigate to VPN -> IKEv2/IPSec -> Authentication.

4.10) Select the available entry for the certificate-based VPN connection (in this case: HEADQUARTERS).
  • Set the parameters for local and remote authentication for each entry to the values Digital signature and ASN.1 Distinguished Name.
  • The digital signature profile at both ends has to be set to DEFAULT-RSA-PKCS.
  • As the local identity, enter the name of the certificate in the LANCOM router at the branch office.
  • As the remote identity, enter the name of the certificate in the LANCOM router at the headquarters.
  • As Local certificate choose the VPN container you used in step 2.3).
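
Before uploading the containers in step 2 and entering the identities in steps 3.10 and 4.10, it is worth checking that each router certificate really chains to the headquarters CA and reading off its exact ASN.1 Distinguished Name. The following script is an added example and not part of the LANCOM article: it builds a constructed test CA and router certificates with openssl (standing in for the Smart Certificate CA), packs them into password-protected PKCS#12 containers, and returns the subject DN of the certificate inside a container after verifying it against the CA. The CA name, router names and passwords are constructed sample values.

```shell
#!/bin/sh
# Added example, not LANCOM code: constructed CA, router certs and PKCS#12 containers.
set -eu
WORK=$(mktemp -d)
P12_PASS="constructed-p12-pass"   # constructed sample password (the "Cert. password" of step 2.4)

# Create a constructed root CA; it plays the role of the headquarters router's CA (step 1).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/CN=HQ-ROUTER-CA/O=Example" 2>/dev/null
}

# Issue a router certificate signed by the CA and pack key, cert and CA cert into
# a password-protected PKCS#12 file, i.e. the container uploaded in step 2.
issue_router_cert() {   # $1 = router name, used as the certificate CN
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "/CN=$1/O=Example" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -out "$WORK/$1.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$WORK/$1.key" -in "$WORK/$1.crt" \
    -certfile "$WORK/ca.crt" -name "$1" -passout "pass:$P12_PASS" \
    -out "$WORK/$1.p12" 2>/dev/null
}

# Extract the end-entity certificate from a container, verify that it chains to the
# CA (fails the script otherwise) and print its subject DN, which is the ASN.1
# Distinguished Name the peer expects as remote identity in steps 3.10 / 4.10.
container_identity() {  # $1 = router name
  openssl pkcs12 -in "$WORK/$1.p12" -passin "pass:$P12_PASS" -nokeys -clcerts \
    -out "$WORK/$1.from_p12.crt" 2>/dev/null
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.from_p12.crt" >/dev/null
  openssl x509 -in "$WORK/$1.from_p12.crt" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject= *//'
}
```

Run `make_ca`, then `issue_router_cert BRANCH-OFFICE` and `container_identity BRANCH-OFFICE`; the printed DN is the value to compare against the remote identity configured on the other router, and a certificate that was not issued by this CA makes `container_identity` fail at the verify step.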



4.11) Write the configuration back to the LANCOM router at the branch office.

The certificate-based IKEv2 VPN connection to the headquarters will now be established.