Description:
As a rule, each VPN dial-in access requires the creation of a separate user. In larger-scale scenarios it therefore makes sense to set up an IKEv2 connection with RADIUS forwarding: only a single VPN dial-in access then has to be created in the router. This article describes how to set up an IKEv2 client-to-site VPN connection between a device using the Advanced VPN Client and a LANCOM router. Authentication takes place via the RADIUS server integrated in the LANCOM router.

Requirements:

Scenario:
- A VPN client dial-in is to be set up at the headquarters for the mobile employees.
- Authentication is handled by the RADIUS server integrated in the LANCOM router.
- The headquarters has the IP address range 192.168.0.0/24.
Procedure:

1) Configuration steps on the router at the headquarters:

1.1) Open the configuration for the router in LANconfig and switch to the menu item VPN → General.

1.2) Enter the following parameters:
- For Virtual Private Network, set the drop-down menu to activated.
- Set a checkmark next to NAT traversal activated.
- Set a checkmark next to Accept IPSec-over-HTTPS.
1.3) Switch to the menu VPN → IKEv2/IPSec → Extended settings.

1.4) Fill out the field Password with a challenge password. The RADIUS server receives this in the Access-Request as the User-Password attribute.

- Name: Set a descriptive name.
- Server address: Enter the loopback address 127.0.0.1.
- Port: Check that the port is set to 1812.

1.7) Set the Update cycle to the value 60, so that the accounting is updated every 60 seconds.

1.8) On the panel RADIUS accounting, go to the menu RADIUS server.

1.9) Save the following parameters:
- Name: Set a descriptive name.
- Server address: Enter the loopback address 127.0.0.1.
- Port: Check that the port is set to 1813.
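Step 1.4 states that the challenge password reaches the RADIUS server as the User-Password attribute of an Access-Request, which the VPN module sends to the authentication server on 127.0.0.1:1812. The following added example (written for this article, not LANCOM's own code and not part of the original page) shows what that attribute looks like on the wire: RFC 2865 hides the password by XORing it, in 16-byte blocks, with MD5 digests keyed by the RADIUS shared secret and the per-request Request Authenticator. This is obfuscation rather than strong encryption, which is why RADIUS traffic belongs on trusted paths such as the loopback interface used here. The shared secret, user name and password below are constructed values.

```python
"""RFC 2865 User-Password hiding and Access-Request framing (added example)."""
import hashlib
import os
import struct
from typing import Dict, Optional, Tuple

ACCESS_REQUEST = 1          # RADIUS packet code for Access-Request
ATTR_USER_NAME = 1          # RFC 2865 attribute type codes
ATTR_USER_PASSWORD = 2
RADIUS_HEADER_LEN = 20      # code(1) + identifier(1) + length(2) + authenticator(16)


def _xor16(block: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(block, key))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a PAP password as RFC 2865 section 5.2 prescribes.

    The password is NUL-padded to a multiple of 16 bytes; the first block is
    XORed with MD5(secret + Request Authenticator), every following block with
    MD5(secret + previous ciphertext block).
    """
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        block = _xor16(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += block
        prev = block
    return bytes(hidden)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password: what the RADIUS server does on receipt."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    clear = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += _xor16(block, hashlib.md5(secret + prev).digest())
        prev = block
    return bytes(clear).rstrip(b"\x00")   # drop padding; PAP passwords contain no NULs


def _attribute(type_code: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; the length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", type_code, len(value) + 2) + value


def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, authenticator: Optional[bytes] = None) -> bytes:
    """Frame an Access-Request carrying User-Name and a hidden User-Password."""
    authenticator = authenticator or os.urandom(16)   # must be fresh for every request
    attrs = _attribute(ATTR_USER_NAME, username)
    attrs += _attribute(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, RADIUS_HEADER_LEN + len(attrs))
    return header + authenticator + attrs


def parse_access_request(packet: bytes, secret: bytes) -> Tuple[bytes, bytes]:
    """Server side: check the framing, walk the TLVs, recover the password."""
    if len(packet) < RADIUS_HEADER_LEN:
        raise ValueError("truncated RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    authenticator = packet[4:RADIUS_HEADER_LEN]
    attrs: Dict[int, bytes] = {}
    pos = RADIUS_HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of bounds")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    if ATTR_USER_NAME not in attrs or ATTR_USER_PASSWORD not in attrs:
        raise ValueError("User-Name or User-Password missing")
    return attrs[ATTR_USER_NAME], reveal_password(attrs[ATTR_USER_PASSWORD], secret, authenticator)


if __name__ == "__main__":
    # Constructed values: a hypothetical RADIUS shared secret, and the challenge
    # password from step 1.4 as forwarded by the VPN module. Not from the article.
    secret = b"example-radius-shared-secret"
    pkt = build_access_request(7, b"vpn-user", b"challenge-password-example-2048", secret)
    print(parse_access_request(pkt, secret))
```

A password longer than 16 bytes exercises the block chaining, and decoding with a different secret yields garbage rather than an error, which is the behaviour a RADIUS server shows when the secrets on both ends do not match.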
1.10) Switch to the menu VPN → IKEv2/IPSec → Authentication.

1.11) Create a new entry and enter the following parameters:
- Name: Enter a descriptive name.
- Local identifier type: Select an identifier type from the drop-down menu, such as Fully Qualified Domain Name (FQDN).
- Local identifier: Set a local identity that is appropriate for the chosen identifier type.
1.12) Switch to the menu VPN → IKEv2/IPSec → IPv4 addresses.

1.13) If not already available, create a new entry for the dial-in address range and save the following parameters:
- Name: Enter a descriptive name.
- First address: Set the first IP address to be assigned to the VPN clients.
- Last address: Set the last IP address to be assigned to the VPN clients.
- Primary DNS: Set the IP address of a DNS server. This is assigned to the VPN clients as the first DNS server. Usually, the IP address of the router is used.
1.14) Navigate to the menu VPN → IKEv2/IPSec → Connection list.

1.15) Edit the DEFAULT entry and modify the following parameters:
- Authentication: From the drop-down menu, select the authentication object created in step 1.11.
- IPv4 rules: From the drop-down menu, select the object RAS-WITH-NETWORK-SELECTION.
- IKE-CFG: From the drop-down menu, select Server.
- IPv4 address pool: From the drop-down menu, select the dial-in address object created in step 1.13.
- RADIUS auth. server: From the drop-down menu, select the RADIUS object created in step 1.6.
- RADIUS acc. server: From the drop-down menu, select the accounting object created in step 1.9.

- Name / MAC address: Enter a descriptive name.
- Password: Enter the challenge password set in step 1.4.
- Tunnel password: Set a password to be used by the dial-in user to authenticate at the VPN module.
- Expiry type: From the drop-down menu, select Never.
- Disable the multiple login feature.

1.20) Write the configuration back to the router. This concludes the configuration of the router.
2) Configuring the Advanced VPN Client:

2.1) Open the Advanced VPN Client and navigate to the menu Configuration → Profiles.

2.2) Click on Add / import to create a new VPN connection.

2.3) Select Link to corporate network using IPSec.

2.4) Enter a descriptive name.

2.5) Select the Communication medium.

2.6) Enter the public IP address or the DynDNS name of the headquarters.

2.7) Set the Exchange mode to IKEv2 and the PFS group to DH14 (modp2048).

2.8) Save the following parameters:
- Type: From the drop-down menu, select the identity type Fully Qualified Username (FQUN).
- ID: Enter the Name / MAC address set in step 1.20.
- Shared Secret: Enter the tunnel password set in step 1.20.

2.9) From the drop-down menu, select the IKE Config Mode so that the VPN client automatically receives its IP address from the router.

2.10) In order to use the function Split Tunneling, enter the target network to be reached via the VPN tunnel.

2.11) This concludes the configuration steps in the Advanced VPN Client.
3) View information for the connected clients in the router (optional):

Additional information (e.g. assigned IP address and connection time) for the connected VPN clients can be viewed via the following CLI command:

ls Status/TCP-IP/RADIUS-Server/Accounting/Completed-Accounting-Sessions/