Description:
This document describes the manual configuration steps involved in setting up a VPN cluster.


Requirements:


Scenario:
  • A company requires redundancy for the VPN connection between their headquarters and a branch office, and this is to be achieved by means of a VPN cluster.
  • If the first gateway at the headquarters (shown as Gateway 1 in the illustration) or its WAN link should fail, the VPN connection to the branch office should be established via a second gateway, which operates a separate WAN connection.
  • If one of the two gateways in the cluster should fail, the other gateway should assume the DHCP and DNS functions for the local network at the headquarters.
  • The VPN connections are configured on the first gateway. If VPN connections are added to the first gateway, or changes are made to the configurations of the connections, these changes should be automatically transferred to the second gateway in the cluster.
  • In this example configuration, the two gateways are both fully integrated into the local network at the headquarters.
    • The first gateway is the DHCP server for the local network (192.168.100.0/24) and has the local IP address 192.168.100.1.
    • The VPN connection to the LANCOM router at the branch office is already set up and working on the first gateway, and this connection is established from the branch office to the headquarters.
    • The second gateway has a basic configuration and has the local IP address 192.168.100.2.
    • Both gateways have the LANCOM High Availability Clustering option enabled.



Procedures:
1) Configuration steps on the first gateway:
1.1) In LANconfig, open the configuration dialog for the gateway and switch to the menu item IPv4 → DHCPv4 → DHCP networks.
1.2) Make sure that the DHCP configuration for the local network has the DHCP cluster option enabled.
1.3) Switch to the menu Certificates → Cert. authority (CA).
1.4) Enable the option Certificate authority (CA) active and set Gateway 1 as the root certificate authority (root CA).
1.5) Navigate to the Certificate handling menu and set a general challenge password.

If the field is left empty, the CA generates a random password.

1.6) Navigate to the SCEP client menu and enable the SCEP client usage.
1.7) Then click the CA table button.
1.8) Add a new entry with the following parameters:
  • Name: The name can be freely selected and used to identify this device.
  • URL: The URL is constructed as follows: http://<IP-address>/cgi-bin/pkiclient.exe.

    Replace <IP-address> with the IPv4 address at which the CA is reachable.

    Since the CA in this example is located on this gateway (Gateway 1), the URL is entered as http://127.0.0.1/cgi-bin/pkiclient.exe.

  • Set the Distinguished name as the name of the CA. In this example, this is the default name
    /CN=LANCOM CA/O=LANCOM SYSTEMS/C=DE
  • Enable the option Registration authority (RA auto-approve).

1.9) Then click the Certificate table button.
1.10) Add a new entry with the following parameters:
  • Name: The name can be freely selected and used to identify this device.
  • CA distinguished name: Set the Distinguished name as the name of the CA. In this example, this is the default name /CN=LANCOM CA/O=LANCOM SYSTEMS/C=DE
  • Subject: As the subject, enter this device's own IP address (e.g. /CN=<IPADR>/O=LANCOM/C=DE), replacing <IPADR> with the IP address of this device, which is configured as the SCEP-CA and in this case has the address 192.168.100.1.

    Note:
    In order for the configuration synchronization to function, it is absolutely necessary for the IP address of this device to be included in the certificate's subject.

  • Challenge password: In this example, we use the general challenge password. Here you enter the password that was set in step 1.5.
  • Key length: Select a key length. This must be at least 2048 bits.
  • Usage type: The certificate container is set to Configuration sync here.

1.11) Enable the Configuration synchronization under Management → Synchronization with the option Configuration synchronization active.
In the field Cluster name you set a user-specified name for the cluster that appears in the LANconfig device list. In this example we use the name VPN-CLUSTER.
1.12) Click the button Cluster devices and add the local IP addresses of all of the devices in the cluster.
In this example, these are the local IP addresses of Gateway 1 and Gateway 2, i.e. 192.168.100.1 and 192.168.100.2 respectively.
1.13) Click the Menu nodes button and set the console paths which are to be synchronized between the devices in the cluster.
The following paths are defined for a VPN cluster:
      • /Setup/VPN (VPN configuration path)
      • /Setup/IP-Router/IP-Routing-Table (routing table entries for the VPN connections)
      • /Setup/WAN/PPP (PPP list entries for the VPN connections)
      • /Setup/IP-Router/Firewall (required for VPN client connections)

1.14) Click the Ignored rows button and specify that the default route set in the IP routing table is not to be changed by the synchronization.
To do this, select the Row index field and enter the syntax 255.255.255.255 0.0.0.0 0 and set the Console path /Setup/IP-Router/IP-Routing-Table.

After a firmware update to version 10.40 or higher, an additional 0 has to be appended to the Row index, because the Administrative Distance was added as a new field. The entry then has to be changed to 255.255.255.255 0.0.0.0 0 0.

1.15) Write the configuration back to Gateway 1. This concludes the configuration steps on this device.


2) Configuration steps on Gateway 2:
2.1) In LANconfig, open the configuration dialog for the second gateway and switch to the menu item IPv4 → DHCPv4 → DHCP networks.
2.2) Make sure that the DHCP configuration for the local network has the DHCP server enabled and that the DHCP cluster option is enabled.
2.3) Switch to the menu Certificates → Cert. authority (CA).
2.4) In this case, the Certificate authority (CA) does not need to be configured for this device.
2.5) Navigate to the SCEP client menu and enable the SCEP client usage.
2.6) Then click the CA table button.
2.7) Add a new entry with the following parameters:
  • Name: The name can be freely selected and used to identify this device.
  • URL: The URL is constructed as follows: http://<IP-address>/cgi-bin/pkiclient.exe.

    Replace <IP-address> with the IPv4 address at which the CA is reachable in the local network.

    Since the CA in this example is located on the first gateway (Gateway 1), the URL is entered as http://192.168.100.1/cgi-bin/pkiclient.exe.

  • Set the Distinguished name as the name of the CA. In this example, this is the default name /CN=LANCOM CA/O=LANCOM SYSTEMS/C=DE
  • Enable the option Registration authority (RA auto-approve).
2.8) Then click the Certificate table button.
2.9) Add a new entry with the following parameters:
  • Name: The name can be freely selected and used to identify this device.
  • CA distinguished name: Set the Distinguished name as the name of the CA. In this example, this is the default name /CN=LANCOM CA/O=LANCOM SYSTEMS/C=DE
  • Subject: As the subject, enter this device's own IP address (e.g. /CN=<IPADR>/O=LANCOM/C=DE), replacing <IPADR> with the IP address of this device (the SCEP client, not the SCEP-CA), which in this case is 192.168.100.2.

In order for the configuration synchronization to function, it is absolutely necessary for the IP address of this device to be included in the certificate's subject.

  • Challenge password: In this example, we use the general challenge password. Here you enter the same password as that set in step 1.5.
  • Key length: Select a key length. This must be at least 2048 bits.
  • Usage type: The certificate container is set to Configuration sync here.
2.10) Enable the Configuration synchronization under Management → Synchronization with the option Configuration synchronization active.
In the Cluster name field, enter the same name as that set for the VPN cluster in step 1.11. In this example we use the name VPN-CLUSTER.
2.11) Click the button Cluster devices and add the local IP addresses of all of the devices in the cluster.
In this example, these are the local IP addresses of Gateway 1 and Gateway 2, i.e. 192.168.100.1 and 192.168.100.2 respectively.

2.12) Click the Menu nodes button and set the console paths which are to be synchronized between the devices in the cluster.

The following paths are defined for a VPN cluster:

    • /Setup/VPN (VPN configuration path)
    • /Setup/IP-Router/IP-Routing-Table (routing table entries for the VPN connections)
    • /Setup/WAN/PPP (PPP list entries for the VPN connections)
    • /Setup/IP-Router/Firewall/Rules (required for VPN client connections)

2.13) Click the Ignored rows button and specify that the default route set in the IP routing table is not to be changed by the synchronization.
To do this, select the Row index field and enter the syntax 255.255.255.255 0.0.0.0 0 and set the Console path /Setup/IP-Router/IP-Routing-Table.

After a firmware update to version 10.40 or higher, an additional 0 has to be appended to the Row index, because the Administrative Distance was added as a new field. The entry then has to be changed to 255.255.255.255 0.0.0.0 0 0.

2.14) Write the configuration back to Gateway 2. This concludes the configuration steps on this device.
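The SCEP and synchronization settings entered in steps 1.8 to 1.14 and 2.7 to 2.13 are easy to get subtly wrong (a subject without the device's own IP, a member missing from Cluster devices, the pre-10.40 Row index on newer firmware), and the device gives little feedback until synchronization silently fails. The following pre-flight check is an added example, not LANCOM code; the IP addresses, DNs and the firmware-version comparison are assumptions taken from this configuration:

```python
# Added pre-flight check for the SCEP / config-sync settings of a two-gateway
# VPN cluster. Not LANCOM code; values below are the example's own (assumed).
from ipaddress import ip_address

CA_DN = "/CN=LANCOM CA/O=LANCOM SYSTEMS/C=DE"          # default CA name
CLUSTER_DEVICES = ["192.168.100.1", "192.168.100.2"]   # steps 1.12 / 2.11
CA_HOST = "192.168.100.1"                              # Gateway 1 hosts the CA
DEFAULT_ROUTE_PATH = "/Setup/IP-Router/IP-Routing-Table"

def parse_dn(dn):
    """Parse a slash-separated DN such as /CN=x/O=y/C=DE into a dict."""
    out = {}
    for rdn in (p for p in dn.split("/") if p):
        key, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"bad RDN {rdn!r} in {dn!r}")
        out[key.strip()] = value.strip()
    return out

def scep_entry(device_ip):
    """CA-table URL and certificate-table subject for one cluster member.
    The member that hosts the CA talks to itself via 127.0.0.1 (step 1.8)."""
    host = "127.0.0.1" if device_ip == CA_HOST else CA_HOST
    return {
        "url": f"http://{host}/cgi-bin/pkiclient.exe",
        "ca_dn": CA_DN,
        "subject": f"/CN={device_ip}/O=LANCOM/C=DE",
    }

def check_subject(device_ip, subject):
    """Config sync requires the member's own IP as the subject CN, and the
    member must also be listed under Cluster devices."""
    cn = parse_dn(subject).get("CN", "")
    try:
        ip_address(cn)             # CN must be an IP, not a hostname
    except ValueError:
        return False
    return cn == device_ip and cn in CLUSTER_DEVICES

def ignored_default_route(firmware):
    """Ignored-rows entry for the default route; LCOS 10.40+ has the extra
    Administrative Distance column, so the Row index gains a fourth field."""
    major, minor = (int(x) for x in firmware.split(".")[:2])
    row_index = "255.255.255.255 0.0.0.0 0"
    if (major, minor) >= (10, 40):
        row_index += " 0"
    return {"path": DEFAULT_ROUTE_PATH, "row_index": row_index}
```

Run `check_subject` once per gateway with the subject you intend to enter; a `False` result means synchronization will not work with that certificate.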


3) Activating the VPN cluster:
3.1) Now start the cluster on the device that should initially distribute its configuration to the other cluster members. In this example, it is Gateway 1.
Do this by selecting the device context menu option Activate configuration synchronization settings.
3.2) The VPN cluster is now in operation.


4) Adjustments to the VPN configuration of the LANCOM router at the branch office:
In the event of a failure of one of the two WAN connections (or gateways), the VPN connection to the headquarters should connect via the other WAN connection or gateway. To enable this, the public IP address of the second WAN connection is specified as a further remote gateway on the LANCOM router at the branch office.
4.1) To do this, open the configuration for the LANCOM router at the branch office and switch to the menu item VPN → Further remote gateways.
4.2) Enter the public IP address of the second WAN connection at the headquarters into the configuration.