Description:

This document describes how to set up an IKEv2 client-to-site VPN connection between a smartphone or tablet PC running the Android operating system and a LANCOM router.


Requirements:
  • LCOS as of version 9.20 (download latest version)
  • LANtools as of version 9.20 (download latest version)
  • Mobile device (smartphone, tablet PC, etc.) with the Android operating system version 5.x

    Note:
    Whether or not IKEv2 is available with your Android version depends on the manufacturer of your mobile device. For example, the manufacturer Samsung offers IKEv2 on many of their Android devices, while others do not.

    If your Android distribution does not feature IKEv2, you can optionally use an app (e.g. the chargeable NCP VPN Client for Android or StrongSwan).


Scenario:
  • A company wants its sales representatives to have access to the corporate network via IKEv2 client-to-site connection.
  • Employees should be able to use their mobile Android devices (smartphone, tablet PC, etc.) to connect via VPN.
  • The company headquarters has a LANCOM router as a gateway with an Internet connection with the fixed public IP address 81.81.81.81.
  • The local network at the headquarters has the IP address range 192.168.1.0/24.




Procedure:

1) Manual configuration of the LANCOM router at the headquarters:

1.1) Open the configuration for the LANCOM router at the branch office and switch to the menu item VPN -> General.

1.2) Enable the function Virtual Private Network.



1.3) Open the menu item VPN -> IKEv2/IPSec and click the button Authentication.



1.4) Click on the Add... button to create a new entry.

1.5) Enter the information for the authentication of the VPN connection into the configuration window.

Name:
      Enter the name for the authentication here. This entry is used later in the VPN connection list (see step 1.8).

Local authentication:
      Select the authentication type used on the router at the headquarters. This example uses authentication by pre-shared key (PSK).

Local identifier type:
      Set the identifier type for the router at the headquarters to the parameter Key ID (group name).

Local identifier:
      Set the local identifier. In this example, the LANCOM router at the headquarters uses the local identity "headquarter".

Local password:
      Set the pre-shared key to be used to authenticate at the router at the headquarters. Since in the later configuration of Android (see step 2.4) only one pre-shared key can be specified, the local password and the remote password must be the same.

Remote authentication:
      Select the authentication type used by the remote Android device. This example uses authentication by pre-shared key (PSK).

Remote identifier type:
      Set the identifier type of the Android device to the parameter Key ID (group name).

Remote identifier:
      Set the remote identifier. In this example, the Android device uses the remote identifier "office".

Remote password:
      Set the pre-shared key to be used to authenticate at the Android device. Since in the later configuration of Android (see step 2.4) only one pre-shared key can be specified, the local password and the remote password must be the same.

Remote cert. ID check:
      As this function is not required, set this to no.



1.6) Open the menu item VPN -> IKEv2/IPSec and click the button Connection list.

1.7) Click on the Add... button to create a new entry.



1.8) Enter the following information into the configuration dialog:

Connection name:
      Enter a name for the VPN connection.

Short hold time:
      Specify the short-hold time in seconds for the VPN connection. In this example, a 0 is entered into the LANCOM router at the headquarters. This means that this router will not actively establish the VPN connection.

Authentication:
      Select the authentication. The entry here corresponds to the name of the authentication that you set in step 1.5.

IKE-CFG:
      This parameter is set to Server.

IPv4 address pool:
      Here you set a local IP address range, from which each dial-in VPN client is assigned an IP address. If you have not specified an address pool yet, click on the Select button and, in the dialog that follows, click the link Manage source...

      Info:
      In IKEv2 connections an IPv4 address pool must be configured in this dialog. The use of address pools in the dialogs Communication -> Remote sites -> WAN tag table or IPv4 -> addresses has no effect on IKEv2 connections; they are only used for IKEv1 connections.

      Create an IPv4 address pool in the following dialog.

Rule creation:
      Rule creation must be performed manually.

IPv4 rules:
      Here you set the parameter RAS-WITH-CONFIG-PAYLOAD.



1.9) Write the configuration back to the LANCOM router at the headquarters.


2) Manual setup of the VPN connection on your smartphone or tablet PC:

2.1) Open the Settings menu and, under Connections, select the menu item More networks.



2.2) Select the option VPN.



2.3) Tap on Add VPN network to create a new entry.



2.4) In the next dialog box, enter the following settings:
  • In the Name box, enter a name for the new VPN profile. Use any name you like.
  • Set the selection field Type to IPSec IKEv2 PSK.
  • In the Server address field, enter the public IP address or public DNS address of the LANCOM router.
  • In the IPSec identifier box, enter the name of the remote identity which you set when configuring the LANCOM router in step 1.5. In this example the name is employee.
  • In the IPSec pre-shared key field enter the pre-shared key that you set when configuring the LANCOM router in step 1.5.



2.5) Tap Save to store the configured VPN profile.

2.6) To start the VPN connection, just tap the newly created VPN profile.
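As an added example (not LANCOM's or Android's own tooling), the following Python script renders both sides of the setup described in steps 1.5, 1.8 and 2.4 from one set of values and checks the invariants the procedure depends on: the same PSK in the router's local and remote password and in the Android profile, an Android IPSec identifier equal to the router's remote identifier, and IKE-CFG set to Server with an IPv4 address pool. The pool range, the authentication entry name ANDROID-PSK and the 20-character PSK minimum are assumptions, not values from the article.

```python
import secrets
from dataclasses import dataclass, field

MIN_PSK_CHARS = 20  # assumed local policy; the article sets no minimum


@dataclass
class Site:
    server: str = "81.81.81.81"    # router's public address from the scenario
    local_id: str = "headquarter"  # router identity (Key ID / group name)
    remote_id: str = "office"      # client identity (Key ID / group name)
    pool: str = "192.168.200.10-192.168.200.20"  # constructed IPv4 pool
    psk: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def router_entries(s: Site) -> dict:
    """Values for VPN -> IKEv2/IPSec -> Authentication and Connection list."""
    auth = {"name": "ANDROID-PSK",  # assumed entry name
            "local_authentication": "PSK", "local_identifier_type": "KEY ID",
            "local_identifier": s.local_id, "local_password": s.psk,
            "remote_authentication": "PSK", "remote_identifier_type": "KEY ID",
            "remote_identifier": s.remote_id, "remote_password": s.psk,
            "remote_cert_id_check": "no"}
    conn = {"short_hold_time": 0, "authentication": auth["name"],
            "ike_cfg": "Server", "ipv4_address_pool": s.pool,
            "rule_creation": "manual", "ipv4_rules": "RAS-WITH-CONFIG-PAYLOAD"}
    return {"authentication": auth, "connection": conn}


def android_profile(s: Site) -> dict:
    """Values entered under Settings -> VPN -> Add VPN network (step 2.4)."""
    return {"type": "IPSec IKEv2 PSK", "server_address": s.server,
            "ipsec_identifier": s.remote_id, "ipsec_pre_shared_key": s.psk}


def check(router: dict, android: dict) -> list:
    """Return the mismatches that make authentication fail or leave no client IP."""
    a, c, problems = router["authentication"], router["connection"], []
    if a["local_password"] != a["remote_password"]:
        problems.append("router local and remote password differ")
    if android["ipsec_pre_shared_key"] != a["remote_password"]:
        problems.append("Android PSK differs from router remote password")
    if android["ipsec_identifier"] != a["remote_identifier"]:
        problems.append("Android IPSec identifier != router remote identifier")
    if c["ike_cfg"] != "Server" or not c["ipv4_address_pool"]:
        problems.append("IKE-CFG must be Server with an IPv4 address pool")
    if len(a["remote_password"]) < MIN_PSK_CHARS:
        problems.append("PSK shorter than local minimum")
    return problems
```

Run `check(router_entries(site), android_profile(site))` on a freshly generated `Site()`; an empty list means both sides agree, otherwise each string names the field to correct before writing the configuration back to the router.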