Description:
This document describes how to manually set up a VPN site-to-site connection between two LANCOM routers, i.e. without using the Setup Wizard. The VPN connection is to be established in aggressive mode.
In aggressive mode, the authentication of a connection does not rely upon public IP addresses, but instead is based upon identities. These identities are defined in advance for both sides. Only one public IP address is required as a gateway for setting up the VPN connection.
Another way to configure a site-to-site VPN connection based on just one public IP address is to configure a main-mode connection based on Dynamic VPN.
Requirements:
Scenario:
- A company wishes to interconnect the local networks at their headquarters and at a branch office by means of a site-to-site VPN connection.
- Both sites have a LANCOM router as their gateway and an Internet connection. The fixed public IP address of the headquarters is 80.80.80.80. The public IP address of the branch office is assigned dynamically and changes daily after the forced re-connect by the provider. Because the device at the headquarters has a fixed public IP address, the VPN connection is established from the branch office to the headquarters.
- The local network at the headquarters has the IP address range 192.168.1.0/24, and the branch office uses the local IP address range 192.168.2.0/24.
Procedure:
1) Manual configuration of the LANCOM router at the headquarters:
1.1) Open the configuration for the LANCOM router at the headquarters and switch to the menu item VPN → IKE/IPSec.
1.2) Click the IKE proposal lists button.
1.3) Create a new IKE proposal list. Name it OFFICE and fill out the proposal list with the IKE proposals that should be used. You can enter one or several IKE proposals.
Note:
- From the list of proposals, the first IKE proposal that matches at both ends of the VPN connection is used to establish IKE Phase 1.
1.4) Click the IPSec proposal lists button.
1.5) Create a new IPSec proposal list. Name it OFFICE and fill out the proposal list with the IPSec proposals that should be used. You can enter one or several IPSec proposals.
Note:
- From the list of proposals, the first IPSec proposal that matches at both ends of the VPN connection is used to establish IPSec Phase 2.
1.6) Click the IKE keys and identities button.
1.7) Create a new entry. Enter the identification OFFICE and, in the Preshared key box, enter a sufficiently secure password.
1.8) Set values for the identity and identity type for the options Local & Remote identity type. In this example, we will set the local and remote identity to the domain name of the company, company.com.
1.9) Switch to the menu VPN → General.
- Enable the VPN feature of the LANCOM router.
- Set the option Establ. of net relationships (SAs) to the value Collectively with KeepAlive.
1.10) Then click the Connection parameters button.
1.11) Add a new entry. Enter the identification OFFICE and select the entries of the same name for the IKE proposals, IKE key and IPSec proposals. The PFS and IKE groups in this example are each set to the default group 2 (MODP-1024). You can change these values to suit your needs. However, make sure that both ends of the VPN connection are set with the same PFS and IKE groups.
1.12) Click the Connection list button.
1.13) Add a new entry. Set the name to OFFICE and select the values for the fields as follows:
- The LANCOM router at the headquarters will be accepting the VPN connection, so the value for the short-hold time must be set to 0 seconds here.
- The Dead Peer Detection is used for monitoring the VPN connection. Enter the value of 60 seconds here. For more information about the Dead Peer Detection, see this Knowledge Base article.
- No entry is required in the field for the remote Gateway.
- Set the Connection parameters to OFFICE.
- The Rule creation is carried out automatically in this example. Using this method, the LANCOM router sets up the network relationships between the IP networks that are set to network type INTRANET under IPv4 → General → IP networks and the IP networks that are to be found under IP router → Routing → IPv4 routing table behind the corresponding VPN remote station.
- The IKE exchange mode needs to be set to the option Aggressive mode.
1.14) Navigate to the menu IP router → Routing → IPv4 routing table.
1.15) Add a new routing entry.
- As the IP address, enter the address of the local network at the branch office. In this example it is 192.168.2.0.
- The netmask needs to be set to the value 255.255.255.0 as the local network at the branch office is a class C network.
- For the Router field, select the identification of the VPN remote station (in this case: OFFICE).
1.16) Write the configuration back to the LANCOM router.
2) Manual configuration of the LANCOM router at the branch office:
2.1) Open the configuration for the LANCOM router at the branch office and switch to the menu item VPN → IKE/IPSec.
2.2) Click the IKE proposal lists button.
2.3) Create a new IKE proposal list. Name it HEADQUARTERS and fill out the proposal list with the IKE proposals that should be used. You can enter one or several IKE proposals.
Note:
- Make sure that the same IKE proposals are entered into this list as those used by the LANCOM router at the headquarters (see step 1.3).
2.4) Click the IPSec proposal lists button.
2.5) Create a new IPSec proposal list. Name it HEADQUARTERS and fill out the proposal list with the IPSec proposals that should be used. You can enter one or several IPSec proposals.
Note:
- Make sure that the same IPSec proposals are entered into this list as those used by the LANCOM router at the headquarters (see step 1.5).
2.6) Click the IKE keys and identities button.
2.7) Create a new entry. Set the identification to HEADQUARTERS and enter the same password into the Preshared key field as that used by the LANCOM router at the headquarters (see step 1.7).
2.8) For the options of Local & Remote identity type, set values for the identity and identity type. In this example, we will set the local and remote identity to the domain name of the company, company.com.
2.9) Switch to the menu VPN → General.
- Enable the VPN feature of the LANCOM router.
- Set the option Establ. of net relationships (SAs) to the value Collectively with KeepAlive.
2.10) Then click the Connection parameters button.
2.11) Add a new entry. Enter the identification HEADQUARTERS and select the entries of the same name for the IKE proposals, IKE key and IPSec proposals. The PFS and IKE groups in this example are each set to the default group 2 (MODP-1024). You can change these values to suit your needs. However, make sure that both ends of the VPN connection are set with the same PFS and IKE groups.
2.12) Click the Connection list button.
2.13) Add a new entry. Set the name to HEADQUARTERS and select the values for the fields as follows:
- The LANCOM router at the branch office will be actively establishing the VPN connection to the headquarters, so the value for the short-hold time must be set to 9999 seconds here.
- The Dead Peer Detection is used for monitoring the VPN connection. Enter the value of 60 seconds here.
- In the field for the remote Gateway, you need to enter the public IP address of the LANCOM router at the headquarters. In this example it is 80.80.80.80.
- Set the Connection parameters to HEADQUARTERS.
- The Rule creation is carried out automatically in this example. Using this method, the LANCOM router sets up the network relationships between the IP networks that are set to network type INTRANET under IPv4 → General → IP networks and the IP networks that are to be found under IP router → Routing → IPv4 routing table behind the corresponding VPN remote station.
- The IKE exchange mode needs to be set to the option Aggressive mode.
2.14) Navigate to the menu IP router → Routing → IPv4 routing table.
2.15) Add a new routing entry.
- As the IP address, enter the address of the local network at the headquarters. In this example it is 192.168.1.0.
- The netmask needs to be set to the value 255.255.255.0 as the local network at the headquarters is a class C network.
- For the Router field, select the identification of the VPN remote station (in this case: HEADQUARTERS).
2.16) Write the configuration back to the LANCOM router.
After the configuration has been written back to the LANCOM router at the branch office, the VPN connection can be established between the two LANCOM routers. You can check this for example by loading the two LANCOM routers into the LANmonitor.
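Most failures of a manually configured aggressive-mode tunnel come from the two ends disagreeing on something the procedure above requires to match (proposal lists, preshared key, identities, PFS/IKE group, exchange mode) or from the roles being mixed up (short-hold time, remote gateway, routing entries). The following Python script is an added example, not LANCOM code or an export format: it models the settings from steps 1.3 through 2.15 for both routers as plain dictionaries and checks every cross-side constraint the article states before the configuration is written back. The field names, the proposal labels and the preshared key are constructed for illustration only.

```python
"""Pre-deployment consistency check for a two-ended aggressive-mode site-to-site VPN.

Added example; the dictionaries are a constructed, simplified model of the
LANconfig fields the article walks through, not a real LANCOM configuration.
"""
import copy
import ipaddress

PSK = "constructed-example-psk-replace-me"  # placeholder, same on both ends

HEADQUARTERS = {  # fixed public address, accepts the connection (part 1 of the article)
    "name": "HEADQUARTERS", "local_net": "192.168.1.0/24", "public_ip": "80.80.80.80",
    "vpn": {
        "remote_name": "OFFICE",
        "ike_proposals": ["IKE-AES256-SHA256", "IKE-AES128-SHA1"],   # constructed labels
        "ipsec_proposals": ["ESP-AES256-SHA256"],
        "psk": PSK, "local_id": "company.com", "remote_id": "company.com",
        "ike_group": 2, "pfs_group": 2, "exchange_mode": "aggressive",
        "short_hold": 0, "remote_gateway": "",                      # step 1.13
        "route": {"network": "192.168.2.0", "netmask": "255.255.255.0", "router": "OFFICE"},
    },
}

BRANCH = {  # dynamic public address, dials the headquarters (part 2 of the article)
    "name": "OFFICE", "local_net": "192.168.2.0/24", "public_ip": None,
    "vpn": {
        "remote_name": "HEADQUARTERS",
        "ike_proposals": ["IKE-AES256-SHA256"],
        "ipsec_proposals": ["ESP-AES256-SHA256"],
        "psk": PSK, "local_id": "company.com", "remote_id": "company.com",
        "ike_group": 2, "pfs_group": 2, "exchange_mode": "aggressive",
        "short_hold": 9999, "remote_gateway": "80.80.80.80",        # step 2.13
        "route": {"network": "192.168.1.0", "netmask": "255.255.255.0", "router": "HEADQUARTERS"},
    },
}


def first_common(mine, theirs):
    """Mirror the article's matching rule: the first proposal in `mine` that also
    appears in `theirs` is the one used; None means the phase cannot be set up."""
    return next((p for p in mine if p in theirs), None)


def with_override(site, **vpn_fields):
    """Deep copy of a site with some VPN fields changed (for what-if checks)."""
    changed = copy.deepcopy(site)
    changed["vpn"].update(vpn_fields)
    return changed


def check_routes(site, peer):
    """This side's routing entry must cover the peer LAN and point at the VPN remote station."""
    v, route = site["vpn"], site["vpn"]["route"]
    try:  # ip_network accepts a dotted netmask, e.g. 192.168.1.0/255.255.255.0
        routed = ipaddress.ip_network(f"{route['network']}/{route['netmask']}")
    except ValueError as exc:
        return [f"{site['name']}: routing entry is invalid ({exc})"]
    findings = []
    if routed != ipaddress.ip_network(peer["local_net"]):
        findings.append(f"{site['name']}: route {routed} does not match peer LAN {peer['local_net']}")
    if route["router"] != v["remote_name"]:
        findings.append(f"{site['name']}: route points at {route['router']!r}, not at {v['remote_name']!r}")
    return findings


def check_site_to_site(initiator, responder):
    """Return human-readable findings; an empty list means both ends agree."""
    i, r = initiator["vpn"], responder["vpn"]
    findings = []
    # Phase 1 / Phase 2 need at least one proposal present in both lists.
    if first_common(i["ike_proposals"], r["ike_proposals"]) is None:
        findings.append("no common IKE proposal: IKE Phase 1 cannot be established")
    if first_common(i["ipsec_proposals"], r["ipsec_proposals"]) is None:
        findings.append("no common IPSec proposal: IPSec Phase 2 cannot be established")
    # Preshared key and DH groups must be identical on both ends.
    if i["psk"] != r["psk"]:
        findings.append("preshared keys differ")
    for group in ("ike_group", "pfs_group"):
        if i[group] != r[group]:
            findings.append(f"{group} differs ({i[group]} vs {r[group]})")
    # Aggressive mode authenticates by identity, so identities must cross-match.
    if i["local_id"] != r["remote_id"] or i["remote_id"] != r["local_id"]:
        findings.append("local/remote identities do not cross-match")
    for role, side in (("initiator", i), ("responder", r)):
        if side["exchange_mode"] != "aggressive":
            findings.append(f"{role} is not set to aggressive mode")
    # Roles: fixed-address side accepts (short-hold 0, no gateway); dynamic side dials.
    if r["short_hold"] != 0:
        findings.append("responder short-hold time must be 0 (accept only)")
    if i["short_hold"] <= 0:
        findings.append("initiator short-hold time must be > 0 (the article uses 9999)")
    if r["remote_gateway"]:
        findings.append("responder must leave the remote gateway empty")
    if not responder["public_ip"] or i["remote_gateway"] != responder["public_ip"]:
        findings.append("initiator remote gateway must be the responder's fixed public IP")
    # The two LANs must be disjoint and each side must route the other's LAN into the tunnel.
    if ipaddress.ip_network(initiator["local_net"]).overlaps(ipaddress.ip_network(responder["local_net"])):
        findings.append("local networks overlap; routing would be ambiguous")
    return findings + check_routes(initiator, responder) + check_routes(responder, initiator)


if __name__ == "__main__":
    for line in check_site_to_site(BRANCH, HEADQUARTERS) or ["OK: both ends agree"]:
        print(line)
    # What-if: a typo in the branch office's preshared key is reported before deployment.
    print(check_site_to_site(with_override(BRANCH, psk="typo"), HEADQUARTERS))
```

Run it before writing the configuration back to either router; the initiator (branch office) is passed first and the accepting side (headquarters) second, matching the roles in the scenario. Passing the two sites in the wrong order reproduces the most common role mix-up and is reported as short-hold and gateway findings.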