Description:
This document describes how to manually set up a VPN site-to-site connection between two LANCOM routers, i.e. without using the Setup Wizard. The VPN connection is to be established in main mode.
To use main mode connections, both ends of the connection require a public IPv6 address for authentication. A DynDNS entry is considered to be a fixed public IPv6 address.
Requirements:
Scenario:
- A company wishes to interconnect the local IPv6 networks at their headquarters and at a branch office by means of an IKEv1 site-to-site VPN connection.
- Both sites have a LANCOM router as their gateway and an Internet connection with a public IPv6 address. The public IPv6 address of the headquarters is fd00::a, and that of the branch office is fd00::b.
- The VPN connection is established from the branch office to the headquarters.
- The local IPv6 network at the headquarters has the IP address range 2001:db8:a::/64, and the branch office uses the local IPv6 address range 2001:db8:b::/64.
Procedure:
1) Manual configuration of the LANCOM router at the headquarters:
1.1) Open the configuration for the LANCOM router at the headquarters and switch to the menu item VPN → IKE/IPSec.
1.2) Click the IKE proposal lists button.
1.3) Create a new IKE proposal list. Name it OFFICE and fill out the proposal list with the IKE proposals that should be used. You can enter one or several IKE proposals.
1.4) Click the IPSec proposal lists button.
1.5) Create a new IPSec proposal list. Name it OFFICE and fill out the proposal list with the IPSec proposals that should be used. You can enter one or several IPSec proposals.
1.6) Click the IKE keys and identities button.
1.7) Create a new entry. Enter the identification OFFICE and, in the Preshared key box, enter a sufficiently secure password.
- Name: Enter the name here.
- Local identifier type: Select the identifier type used on the router at the headquarters. In this example, the identity type was set to E-mail address (FQUN).
- Local identifier: Set the local identifier. In this example, the LANCOM router at the headquarters uses the local identity headquarter@test.de.
- Remote identifier type: Select the identifier type used on the router at the branch office. In this example, the identity type was set to E-mail address (FQUN).
- Remote identifier: Set the remote identifier. In this example, the LANCOM router at the branch office uses the remote identity office@test.de.
1.8) Switch to the menu VPN → General.
- Enable the VPN feature of the LANCOM router.
- Set the option Establ. of net relationships (SAs) to the value Collectively with KeepAlive.
1.9) Then click the Connection parameters button.
1.10) Add a new entry. Enter the identification OFFICE and select the entries of the same name for the IKE proposals, IKE key and IPSec proposals.
The PFS and IKE groups in this example are each set to the default group 2 (MODP-1024). You can change these values to suit your needs. However, make sure that both ends of the VPN connection are set with the same PFS and IKE groups.
1.11) Click the Connection list button.
1.12) Add a new entry. Set the name to OFFICE and select the values for the fields as follows:
- The LANCOM router at the headquarters will be accepting the VPN connection, so the value for the short-hold time must be set to 0 seconds here.
- The Dead Peer Detection is used for monitoring the VPN connection. Enter the value of 60 seconds here. For more information about the Dead Peer Detection, see the following KnowledgeBase article.
- In the field for the remote Gateway, you need to enter the public IPv6 address of the LANCOM router at the branch office. In this example it is fd00::b.
- Set the Connection parameters to OFFICE.
- The Rule creation is carried out automatically in this example.
- The IKE exchange mode needs to be set to the option Main mode.
1.13) Navigate to the menu IP router → Routing → IPv6 routing table.
1.14) Add a new routing entry.
- As the IPv6 address, enter the address of the local IPv6 network at the branch office. In this example it is 2001:db8:b::/64.
- For the Router field, select the identification of the VPN remote station (in this case: OFFICE).
1.15) Switch to the menu IPv6 → General → WAN interfaces.
1.16) Add a new entry. Set the Interface as the VPN connection OFFICE. The option Firewall for this interface must be disabled.
1.17) Open the menu Firewall/QoS → IPv6 rules → IPv6 inbound rules and add a new firewall rule.
1.18) In the Name field, enter a descriptive name.
- Set the Priority to the value 1.
- Set the Action to ACCEPT.
- In the field Server services, set the object to ANY.
- In the field Source stations, enter the name of the VPN connection to the office.
1.19) Write the configuration back to the LANCOM router at the headquarters.
2) Manual configuration of the LANCOM router at the branch office:
2.1) Open the configuration for the LANCOM router at the branch office and switch to the menu item VPN → IKE/IPSec.
2.2) Click the IKE proposal lists button.
2.3) Create a new IKE proposal list. Name it HEADQUARTERS and fill out the proposal list with the IKE proposals that should be used. You can enter one or several IKE proposals.
2.4) Click the IPSec proposal lists button.
2.5) Create a new IPSec proposal list. Name it HEADQUARTERS and fill out the proposal list with the IPSec proposals that should be used. You can enter one or several IPSec proposals.
2.6) Click the IKE keys and identities button.
2.7) Create a new entry. Set the identification to HEADQUARTERS and enter the same password into the Preshared key field as that used by the LANCOM router at the headquarters (see step 1.7).
- Name: Enter the name here.
- Local identifier type: Select the identifier type used on the router at the branch office. In this example, the identity type was set to E-mail address (FQUN).
- Local identifier: Set the local identifier. In this example, the LANCOM router at the branch office uses the local identity office@test.de.
- Remote identifier type: Select the identifier type used on the router at the headquarters. In this example, the identity type was set to E-mail address (FQUN).
- Remote identifier: Set the remote identifier. In this example, the LANCOM router at the headquarters uses the remote identity headquarter@test.de.
2.8) Switch to the menu VPN → General.
- Enable the VPN feature of the LANCOM router.
- Set the option Establ. of net relationships (SAs) to the value Collectively with KeepAlive.
2.9) Then click the Connection parameters button.
2.10) Add a new entry. Enter the identification HEADQUARTERS and select the entries of the same name for the IKE proposals, IKE key and IPSec proposals.
The PFS and IKE groups in this example are each set to the default group 2 (MODP-1024). You can change these values to suit your needs. However, make sure that both ends of the VPN connection are set with the same PFS and IKE groups.
2.11) Click the Connection list button.
2.12) Add a new entry. Set the name to HEADQUARTERS and select the values for the fields as follows:
- The LANCOM router at the branch office will be actively establishing the VPN connection to the headquarters, so the value for the short-hold time must be set to 9,999 seconds here.
- The Dead Peer Detection is used for monitoring the VPN connection. Enter the value of 60 seconds here.
- In the field for the remote Gateway, you need to enter the public IPv6 address of the LANCOM router at the headquarters. In this example it is fd00::a.
- Set the Connection parameters to HEADQUARTERS.
- The Rule creation is carried out automatically in this example.
- The IKE exchange mode needs to be set to the option Main mode.
2.13) Navigate to the menu IP router → Routing → IPv6 routing table.
2.14) Add a new routing entry.
- As the IPv6 address, enter the address of the local IPv6 network at the headquarters. In this example it is 2001:db8:a::/64.
- For the Router field, select the identification of the VPN remote station (in this case: HEADQUARTERS).
2.15) Switch to the menu IPv6 → General → WAN interfaces.
2.16) Add a new entry. Set the Interface as the VPN connection HEADQUARTERS. The option Firewall for this interface must be disabled.
2.17) Open the menu Firewall/QoS → IPv6 rules → IPv6 inbound rules and add a new firewall rule.
2.18) In the Name field, enter a descriptive name.
- Set the Priority to the value 1.
- Set the Action to ACCEPT.
- In the field Server services, set the object to ANY.
- In the field Source stations, enter the name of the VPN connection to the headquarters.
2.19) Write the configuration back to the LANCOM router at the branch office.
After the configuration has been written back to the LANCOM router at the branch office, the VPN connection can be established between the two LANCOM routers. You can check this, for example, by loading the two LANCOM routers into the LANmonitor.
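As an added example (not LANCOM code), the following Python check models the values set at both ends in the steps above and reports the mismatches that would stop the tunnel from coming up: identifiers that do not cross-match, differing preshared keys or IKE/PFS groups, a remote gateway that does not point at the peer, a route that does not lead to the peer LAN via the connection, a non-main exchange mode, or two ends with the same short-hold role. The field names and the 16-character minimum key length are assumptions, and the preshared key in the sample is a placeholder.

```python
"""Consistency check for two LANCOM-style IKEv1 site-to-site entries.
Added example, not LANCOM code. Fields model the values set in steps 1.7-1.14
and 2.7-2.14; the 16-character PSK minimum is an assumption, not a LANCOM rule."""
from dataclasses import dataclass
from typing import List

@dataclass
class VpnSite:
    connection: str      # name of the connection-list entry
    public_addr: str     # this router's public IPv6 address
    lan_prefix: str      # this router's local IPv6 network
    local_id: str
    remote_id: str
    psk: str
    ike_group: int
    pfs_group: int
    short_hold: int      # 0 = accepts only, 9999 = actively establishes
    remote_gateway: str
    ike_mode: str
    route_prefix: str    # routing-table entry for the peer LAN ...
    route_via: str       # ... and its "Router" field

def check_pair(a: VpnSite, b: VpnSite) -> List[str]:
    """Return mismatches between the two ends; an empty list means consistent."""
    problems = []
    for x, y in ((a, b), (b, a)):
        if x.local_id != y.remote_id:
            problems.append(f"{x.connection}: local id {x.local_id} != peer remote id {y.remote_id}")
        if x.remote_gateway != y.public_addr:
            problems.append(f"{x.connection}: gateway {x.remote_gateway} is not the peer address {y.public_addr}")
        if x.route_prefix != y.lan_prefix or x.route_via != x.connection:
            problems.append(f"{x.connection}: route {x.route_prefix} via {x.route_via} does not reach {y.lan_prefix}")
        if x.ike_mode != "main":
            problems.append(f"{x.connection}: IKE exchange mode is {x.ike_mode}, expected main")
    if a.psk != b.psk:
        problems.append("preshared keys differ")
    elif len(a.psk) < 16:  # assumed minimum length
        problems.append("preshared key shorter than 16 characters")
    if (a.ike_group, a.pfs_group) != (b.ike_group, b.pfs_group):
        problems.append("IKE/PFS groups differ between the two ends")
    if sorted((a.short_hold, b.short_hold)) != [0, 9999]:
        problems.append("one end must be active (9999 s) and the other passive (0 s)")
    return problems

# Constructed sample mirroring the article's values (PSK is a placeholder).
HQ = VpnSite("OFFICE", "fd00::a", "2001:db8:a::/64", "headquarter@test.de", "office@test.de",
             "example-psk-change-me!", 2, 2, 0, "fd00::b", "main", "2001:db8:b::/64", "OFFICE")
BRANCH = VpnSite("HEADQUARTERS", "fd00::b", "2001:db8:b::/64", "office@test.de", "headquarter@test.de",
                 "example-psk-change-me!", 2, 2, 9999, "fd00::a", "main", "2001:db8:a::/64", "HEADQUARTERS")
```

`check_pair(HQ, BRANCH)` returns an empty list for the article's values; re-using the headquarters identity as the branch office's local identity, or leaving both short-hold times at 0, is reported as a mismatch.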