Description:
As a rule, each VPN dial-in access requires the creation of a separate user. In larger-scale scenarios it therefore makes sense to set up an IKEv2 connection with RADIUS forwarding. All you have to do then is create a single VPN dial-up access in the router.
This article describes how to set up an IKEv2 client-to-site VPN connection between a device using the Advanced VPN Client and a LANCOM router. Authentication takes place via the RADIUS server integrated in the LANCOM router.



Requirements:



Scenario:
  • A VPN client dial-in is to be set up at the headquarters for the mobile employees.
  • Authentication is handled by the RADIUS server integrated in the LANCOM router.
  • The headquarters has the IP address range 192.168.0.0/24.



Procedure:
1) Configuration steps on the router at the headquarters:
1.1) Open the configuration for the router in LANconfig and switch to the menu item VPN → General.
1.2) Enter the following parameters:
  • For Virtual Private Network set the drop-down menu to activated.
  • Set a checkmark next to NAT traversal activated.
  • Set a checkmark next to Accept IPSec-over-HTTPS.
1.3) Switch to the menu VPN → IKEv2/IPSec → Extended settings.
1.4) Fill out the field Password with a challenge password. The RADIUS server receives this in the access request attribute as the user password.

Normally, the RADIUS server assigns the challenge password directly to a VPN remote site. However, with IKEv2 it is not the RADIUS server that authorizes the requesting VPN remote site, but the VPN module. After the VPN module has received the access-accept message from the RADIUS server, the VPN module authenticates the VPN remote site.

  • Name: Set a descriptive name.
  • Server address: Enter the loopback address 127.0.0.1.
  • Port: Check that the port is set to 1812.
1.7) Set the Update cycle to the value 60, so that the accounting is updated every 60 seconds.

The update cycle must be set to a value other than 0, since the value 0 deactivates the updates!

1.8) On the panel RADIUS accounting, go to the menu RADIUS server.
1.9) Save the following parameters:
  • Name: Set a descriptive name.
  • Server address: Enter the loopback address 127.0.0.1.
  • Port: Check that the port is set to 1813.
1.10) Switch to the menu VPN → IKEv2/IPSec → Authentication.
1.11) Create a new entry and enter the following parameters:
  • Name: Enter a descriptive name.
  • Local identifier type: Select an identifier type from the drop-down menu, such as Fully Qualified Domain Name (FQDN).
  • Local identifier: Set a local identity that is appropriate for the chosen identity type.
1.12) Switch to the menu VPN → IKEv2/IPSec → IPv4 addresses.
1.13) If not already available, create a new entry for the dial-in address range and save the following parameters:
  • Name: Enter a descriptive name.
  • First address: Set the first IP address to be assigned to the VPN clients.
  • Last address: Set the last IP address to be assigned to the VPN clients.
  • Primary DNS: Set the IP address of a DNS server. This is assigned to the VPN clients as the first DNS server. Usually, the IP address of the router is used.
1.14) Navigate to the menu VPN → IKEv2/IPSec → Connection list.
1.15) Edit the DEFAULT entry and modify the following parameters:
      • Authentication: From the drop-down menu, select the authentication object created in step 1.11.
      • IPv4 rules: From the drop-down menu, select the object RAS-WITH-NETWORK-SELECTION.
      • IKE-CFG: From the drop-down menu, select Server.
      • IPv4 address pool: From the drop-down menu, select the dial-in address object created in step 1.13.
      • RADIUS auth. server: From the drop-down menu, select the RADIUS object created in step 1.6.
      • RADIUS acc. server: From the drop-down menu, select the accounting object created in step 1.9.

Modifying the profile DEFAULT does not affect any existing dial-up VPN connections.

  • Name / MAC address: Enter a descriptive name.
  • Password: Enter the Challenge password set in step 1.4.
  • Tunnel password: Set a password to be used by the dial-in user to authenticate at the VPN module.
  • Expiry type: From the drop-down menu, select Never.
  • Disable the multiple login feature.

Optionally you can assign a fixed IP address to the VPN client by entering the parameter Framed-IP-Address in the field Attribute values. It has to be entered in the syntax Framed-IP-Address=<IP address> (e.g. Framed-IP-Address=192.168.0.33). The IP address must be within the dial-in address range created in step 1.13. By assigning a fixed IP address, it is possible to assign individual rights to a user via the firewall.

1.20) Write the configuration back to the router. This concludes the configuration of the router.


2) Configuring the Advanced VPN Client:
2.1) Open the Advanced VPN Client and navigate to the menu Configuration → Profiles.
2.2) Click on Add / import to create a new VPN connection.
2.3) Select Link to corporate network using IPSec.
2.4) Enter a descriptive name.
2.5) Select the Communication medium.

If you are using changing communication media (e.g. LAN and WLAN), use the option Communication media automatic.

2.6) Enter the public IP address or the DynDNS name of the headquarters.
2.7) Set the Exchange mode to IKEv2 and the PFS group to DH14 (modp2048).
2.8) Save the following parameters:
  • Type: From the drop-down menu, select the Identity Type Fully Qualified Username (FQUN).
  • ID: Enter the Name / MAC address set in step 1.20.
  • Shared Secret: Enter the tunnel password set in step 1.20.
2.9) From the drop-down menu, select the IKE Config Mode so that the VPN client automatically receives the IP address from the router.
2.10) In order to use the function Split Tunneling, enter the target network to be reached via the VPN tunnel.

If split tunneling is not configured, all traffic is transferred over the VPN tunnel while it is established, including traffic intended for the local network or the Internet. This can lead to problems with the communication!

2.11) This concludes the configuration steps in the Advanced VPN Client.


3) View information for the connected clients in the router (optional):
Additional information (e.g. assigned IP address and connection time) for the connected VPN clients can be viewed via the following CLI command:
ls Status/TCP-IP/RADIUS-Server/Accounting/Completed-Accounting-Sessions/

The following parameters are useful for further analysis:

  • User-Name: User name
  • Start-Time: Login time
  • Stop-Time: Logout time
  • Session-Time: Connection time in seconds
  • IP-Address: Assigned IP address

The table is limited to 128 entries. After reaching the limit, the oldest entry is overwritten. The table is not bootpersistent and will therefore be deleted by a cold boot.

All LANCOM products and software versions are subject to LANCOM Software Lifecycle Management.
You can find information on our website at https://www.lancom-systems.com/products/firmware/software-lifecycle-management

© 2019-2024 LANCOM Systems GmbH