Description:
This document describes how to set up a LANCOM router to establish an IKEv1 VPN connection to Windows Azure.

In 2019 the IETF (Internet Engineering Task Force) designated IKEv1 as deprecated and insecure, so it should no longer be used. LANCOM Systems recommends using the current standard, IKEv2, instead.

The IKEv1 functionality in LANCOM devices remains intact and can still be used for scenarios where devices without IKEv2 support are used. However, LANCOM Systems will not provide any support for troubleshooting connection problems with IKEv1 connections, and there will be no bug fixes or new features for IKEv1.

In rare cases a disconnect can occur during rekeying. In such a case it can be useful to increase the lifetimes, so that the disconnects occur less often.




Requirements:


Procedure:
1) Configuring the IPSec & IKE proposals:
In the LANCOM router configuration, create new IPSec & IKE proposals and use the parameters suggested by Microsoft.
1.1) Open the menu VPN → IKE/IPSec → IPSec proposals and create a new IPSec proposal for the VPN connection to Windows Azure.
1.2) Switch to the menu VPN → IKE/IPSec → IKE proposals and create a new IKE proposal for the VPN connection to Windows Azure.
The IKE proposal must use the same encryption algorithm as the IPSec proposal.



2) Configuring the PFS/IKE group:
2.1) Open the menu VPN → IKE/IPSec → Connection parameters and create a new entry for the VPN connection to Windows Azure.
  • Make sure that the PFS group is set to No PFS.
  • Make sure that the IKE group is set to 2.
2.2) The entries for IKE and IPSec must also be selected in this dialog.



3) Creating a routing entry:
3.1) Open the menu IP router → Routing → IPv4 routing table and create a new entry for the VPN connection to Windows Azure.
  • Bear in mind that Microsoft provides its customers with local networks that use a class B mask (255.255.0.0).
  • Select the VPN connection that you created for the router here.
  • Switch IP masquerading off.