
...

  • A company wants to connect its branch office, which operates a LANCOM R&S®Unified Firewall, via an IKEv2 site-to-site connection to the company headquarters, which also operates a LANCOM R&S®Unified
  • The branch office has an Internet connection with the fixed public IP address 81.81.81.81.
  • The headquarters has an Internet connection with the fixed public IP address 82.82.82.82.
  • The Unified Firewall at the headquarters should establish the VPN connection to the branch office.
  • The local network at the headquarters has the IP address range 192.168.50.0/23.
  • The local network at the branch office has the IP address range 192.168.66.0/24.

...

Info

If the Unified Firewall uses an upstream (LANCOM) router to connect to the Internet, the upstream device has to forward inbound UDP ports 500 (IKE) and 4500 (IKE and ESP with NAT traversal) to the LAN IP address of the Unified Firewall.


Procedure:

1) Configuration steps on the Unified Firewall at the headquarters:

1.1) Connect to the configuration interface of the Unified Firewall and navigate to VPN -> IPSec -> IPSec Settings.

1.2) Activate IPSec.

1.3) Switch to VPN -> IPSec -> Connections and click on the “+” icon to create a new IPSec connection.

...

  • Name: Enter a descriptive name.
  • Security Profile: Select the security profile, e.g. LANCOM LCOS Default IKEv2.
  • Connection: From the drop-down menu, select the Network connection used for the Internet connection.
  • Remote Gateway: Enter the public IP address or public DNS address of the branch office.
  • In this example the Unified Firewall at the headquarters should establish the VPN connection, so you select the option Initiate connection.
Info

If you have created your own template or security profile, you can use these here.

Note

The preconfigured security profile IKEv2 Suite-B-GCM-256 (RFC 6379) should not be used, because both the IKE lifetime and the IPSec lifetime (SA Lifetime) in this profile are set to 0. This can cause connection problems.


1.5) Change to the Tunnels tab and enter the following parameters:

  • Local Networks: Enter the local networks (in CIDR notation) that the remote site should be able to reach. In this example, the local network at the headquarters has the IP address range 192.168.50.0/23.
  • Remote Networks: Enter the networks at the remote site (in CIDR notation) that the local site should be able to reach. In this example, the local network at the branch office has the IP address range 192.168.66.0/24.


1.6) Change to the Authentication tab and enter the following parameters:

  • Authentication Type: Select the option PSK (Preshared Key).
  • PSK (Preshared Key): Set a long, random preshared key for this connection. The same key has to be entered on the branch office firewall.
  • Local Identifier: Set the local identifier.
  • Remote Identifier: Set the remote identifier.

...

Note

The local and remote identifiers must not match. The value entered here as Local Identifier has to be entered as Remote Identifier on the branch office firewall, and vice versa.


1.7) Click the icon to create a new VPN host.

...

1.10) Use the “+” sign to assign the required protocols to the VPN host.

...

Info

A Unified Firewall uses a deny-all strategy. You therefore have to explicitly allow communication.

...

...

1.11) Finally, implement the configuration changes by clicking Activate in the firewall.

...

1.12) This concludes the configuration steps on the Unified Firewall at the headquarters.



2) Configuration steps on the Unified Firewall at the branch office:

2.1) Connect to the configuration interface of the Unified Firewall and navigate to VPN -> IPSec -> IPSec Settings.

2.2) Activate IPSec.

2.3) Switch to VPN -> IPSec -> Connections and click on the “+” icon to create a new IPSec connection.

...

  • Name: Enter a descriptive name.
  • Security Profile: Select the security profile, e.g. LANCOM LCOS Default IKEv2.
  • Connection: From the drop-down menu, select the Network connection used for the Internet connection.
  • Remote Gateway: Enter the public IP address or public DNS address of the headquarters.
Info

If you have created your own template or security profile, you can use these here.

Note

The preconfigured security profile IKEv2 Suite-B-GCM-256 (RFC 6379) should not be used, because both the IKE lifetime and the IPSec lifetime (SA Lifetime) in this profile are set to 0. This can cause connection problems.


2.5) Change to the Tunnels tab and enter the following parameters:

  • Local Networks: Enter the local networks (in CIDR notation) that the remote site should be able to reach. In this example, the local network at the branch office has the IP address range 192.168.66.0/24.
  • Remote Networks: Enter the networks at the remote site (in CIDR notation) that the local site should be able to reach. In this example, the local network at the headquarters has the IP address range 192.168.50.0/23.


2.6) Change to the Authentication tab and enter the following parameters:

  • Authentication Type: Select the option PSK (Preshared Key).
  • PSK (Preshared Key): Set the same preshared key for this connection as on the headquarters firewall (see step 1.6).
  • Local Identifier: Set the local identifier.
  • Remote Identifier: Set the remote identifier.

...

Note

The local and remote identifiers must not match. The value entered here as Local Identifier has to be entered as Remote Identifier on the headquarters firewall, and vice versa.


2.7) Click the icon to create a new VPN host.

...

2.10) Use the “+” sign to assign the required protocols to the VPN host.

...

Info

A Unified Firewall uses a deny-all strategy. You therefore have to explicitly allow communication.

...


2.11) Finally, implement the configuration changes by clicking Activate in the firewall.
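The two firewalls only negotiate a tunnel when the settings from steps 1.5/1.6 and 2.5/2.6 mirror each other exactly: the Remote Networks on one side are the Local Networks of the other, the identifiers are swapped, the preshared key is identical and no lifetime is 0. The following Python script is an added example, not part of this article and not Unified Firewall code; it writes both sides of the example configuration down as plain dictionaries and checks those rules before the settings are typed into the GUI. The field names, the identifier values and the preshared key are assumptions chosen for illustration.

```python
"""Consistency check for both ends of an IKEv2 site-to-site configuration.

Added example (not LANCOM code). The dictionaries mirror the fields filled in
on the Tunnels and Authentication tabs of the two Unified Firewalls from the
article; field names, identifiers and the PSK are illustrative assumptions.
"""
import ipaddress
import string

# Constructed sample: headquarters (82.82.82.82) initiates towards the branch.
HQ = {
    "initiates": True,
    "remote_gateway": "81.81.81.81",
    "local_networks": ["192.168.50.0/23"],
    "remote_networks": ["192.168.66.0/24"],
    "local_id": "hq.example.com",          # assumed identifier
    "remote_id": "branch.example.com",     # assumed identifier
    "psk": "Xk7#pR2v!Lq9$Wm4@Zt8^Hn3&Bd6*Fy1",  # constructed, not a real key
    "ike_lifetime_s": 86400,
    "ipsec_lifetime_s": 3600,
}

# Constructed sample: branch office (81.81.81.81) waits for the headquarters.
BRANCH = {
    "initiates": False,
    "remote_gateway": "82.82.82.82",
    "local_networks": ["192.168.66.0/24"],
    "remote_networks": ["192.168.50.0/23"],
    "local_id": "branch.example.com",
    "remote_id": "hq.example.com",
    "psk": HQ["psk"],
    "ike_lifetime_s": 86400,
    "ipsec_lifetime_s": 3600,
}


def nets(cidrs):
    """Parse CIDR strings strictly: a host address such as 192.168.50.1/23 is rejected."""
    return {ipaddress.ip_network(c, strict=True) for c in cidrs}


def psk_is_strong(psk, min_len=20):
    """Minimal PSK policy: at least min_len characters from at least three character classes."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    used = sum(any(ch in cls for ch in psk) for cls in classes)
    return len(psk) >= min_len and used >= 3


def check_side(name, cfg):
    """Rules that one firewall has to satisfy on its own."""
    problems = []
    local, remote = nets(cfg["local_networks"]), nets(cfg["remote_networks"])
    for l in local:
        for r in remote:
            if l.overlaps(r):  # overlapping traffic selectors make routing ambiguous
                problems.append(f"{name}: local {l} overlaps remote {r}")
    if cfg["local_id"] == cfg["remote_id"]:
        problems.append(f"{name}: local and remote identifier are identical")
    if cfg["ike_lifetime_s"] <= 0 or cfg["ipsec_lifetime_s"] <= 0:
        problems.append(f"{name}: IKE or IPSec lifetime is 0")
    if not psk_is_strong(cfg["psk"]):
        problems.append(f"{name}: weak preshared key")
    return problems


def check_pair(a_name, a, b_name, b):
    """Rules that tie the two ends together. Returns a list of problems; empty means consistent."""
    problems = check_side(a_name, a) + check_side(b_name, b)
    if nets(a["local_networks"]) != nets(b["remote_networks"]):
        problems.append(f"{b_name} remote networks do not mirror {a_name} local networks")
    if nets(b["local_networks"]) != nets(a["remote_networks"]):
        problems.append(f"{a_name} remote networks do not mirror {b_name} local networks")
    if a["local_id"] != b["remote_id"] or b["local_id"] != a["remote_id"]:
        problems.append("identifiers are not swapped between the two sides")
    if a["psk"] != b["psk"]:
        problems.append("preshared keys differ")
    if not (a["initiates"] or b["initiates"]):
        problems.append("neither side initiates the connection")
    return problems


if __name__ == "__main__":
    for p in check_pair("hq", HQ, "branch", BRANCH) or ["configuration is consistent"]:
        print(p)
```

Running the script on the sample data prints that the configuration is consistent; changing a single field, for instance entering 192.168.50.0/24 instead of /23 as Remote Network on the branch side, or setting an IPSec lifetime of 0 as in the Suite-B-GCM-256 profile, produces a matching finding.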

...