This document describes how you set up a network connection using an IKEv2 client-to-site VPN connection between a smartphone or tablet PC equipped with the Android operating system
and a LANCOM router.Requirements:
- LCOS as of version 9.20 (download latest version)
- LANtools as of version 9.20 (download latest version)
- Mobile device (smartphone, tablet PC, etc.) with the Android operating system version 5.x
Whether or not IKEv2 is available with your Android version depends on the manufacturer of your mobile device. For example, the manufacturer Samsung offers IKEv2 on many of their Android devices, while others do not.
If your Android distribution does not feature IKEv2, you can optionally use an app (e.g. the chargeable NCP VPN Client for Android or StrongSwan).
- A company wants its sales representatives to have access to the corporate network via IKEv2 client-to-site connection.
- Employees should be able to use their mobile Android devices (smartphone, tablet PC, etc.) to connect via VPN.
Procedure:1) Manual configuration of the LANCOM router at the headquarters:
- The company headquarters has a LANCOM router as a gateway with an Internet connection with the fixed public IP address 126.96.36.199.
- The local network at the headquarters has the IP address range 192.168.1.0/24.
1.1) Open the configuration for the LANCOM router at the branch office and switch to the menu item VPN -> General
the function Virtual Private Network
1.3) Open the menu item VPN -> IKEv2/IPSec
and click the button Authentication
1.4) Click on the Add...
button to create a new entry.
1.5) Enter the information for the authentication of the VPN connection
into the configuration window.Name:name for the authentication
Local authentication:authentication type used on the router at the headquarters
here. This entry is used later in the VPN connection list (see step 1.8).
pre-shared key (PSK)Local identifier type:identifier type
. This example uses authentication by
Key ID (group name)Local identifier:
for the router at the headquarters to the parameter
LANCOM router at the headquarters local identity "headquarter"Local password:pre-shared key
Set the local identifier. In this example, the
Since in the later configuration of Android (see step 2.4) only one pre-shared key can be specified, the local password and the remote password must be the same.Remote authentication:authentication type
to be used to authenticate at the router at the headquarters.
pre-shared key (PSK)Remote identifier type:identifier type
used by the remote Android device. This example uses authentication by
Key ID (group name)Remote identifier:
of the Android device to the parameter
remote identifier "office"Remote password:pre-shared key
Set the remote identifier. In this example, the Android device uses the
Since in the later configuration of Android (see step 2.4) only one pre-shared key can be specified, the local password and the remote password must be the same.Remote cert. ID check:
to be used to authenticate at the Android device.
As this function is not required, set this to
1.6) Open the menu item VPN -> IKEv2/IPSec
and click the button Connection list
1.7) Click on the Add...
button to create a new entry.
1.8) Enter the following information into the configuration dialog:Connection name:
Short hold time:
Enter a name for the VPN connection.
Specify the short-hold time in seconds for the VPN connection. In this example, a 0 is entered into the LANCOM router at the headquarters. This means that this router will not actively establish the VPN connection.
IKE-CFG:ServerIPv4 address pool:local IP addresses range, from which each dial-in VPN client is assigned an IP address
Select the authentication. The entry here corresponds to the name of the authentication that you set in step 1.5.
. If you have not specified an address pool yet, click on the
Manage source...Info:In IKEv2 connections an IPv4 address pool must be a configured in this dialog.
button and, in the dialog that follows, click the link
Communication -> Remote sites -> WAN tag tableIPv4 -> addresses
The use of address pools in the dialogues
has no effect on IKEv2 connections, they are only used for IKEv1 connections.
Rule creation:Rule creation performed manuallyIPv4 rules:
Create an IPv4 address pool in the following dialog.
Here you set the parameter
1.9) Write the configuration back to the LANCOM router at the headquarters.2) Manual setup of the VPN connection on your smartphone or tablet PC:
2.1) Open the Settings
menu and, under Connections
, select the menu item More networks
2.2) Select the option VPN
2.3) Tap on Add VPN network
to create a new entry
2.4) In the next dialog box, enter the following settings:
- In the Name box, enter a name for the new VPN profile. Use any name you like.
- Set the selection field Type to IPSec IKEv2 PSK.
- In the Server address field, enter the public IP address or public DNS address of the LANCOM router.
- In the IPSec identifier box, enter the name of the remote identity which you set when configuring the LANCOM router in step 1.5. In this example the name is employee.
- In the IPSec pre-shared key field enter the pre-shared key that you set when configuring the LANCOM router in step 1.5.
2.5) Tap Save
to store the configured VPN profile.
2.6) To start the VPN connection, just tap the newly created VPN profile.