...

Procedure:
The setup for scenarios 1 and 2 is basically the same. Scenario 2 additionally requires port and protocol forwarding to be set up on the upstream router (see section 5).
 
1) Creating the CA and VPN certificates on the Unified Firewall:

1.1) Click on the "+" icon to create a new routing entry.

...



1.8) The newly created VPN certificates are listed below the newly created VPN certification authority (see following figure).

 
2) Creating the VPN connection on the Unified Firewall:
2.1) Connect to the configuration interface of the Unified Firewall and navigate to VPN -> IPsec settings.

...

2.10) Click the "connection" icon on the VPN host, then click the network object that the site-to-site connection should be able to access; this opens the firewall objects. Repeat this step for every network that the branch should be able to access.

2.11) Use the "+" sign to assign the required protocols to the VPN host.

Info: A Unified Firewall uses a deny-all strategy. You therefore have to explicitly allow communication.

Info: Firewall objects can also be accessed via Desktop -> Desktop connections and clicking on the "edit" icon.

2.12) Finally, implement the configuration changes by clicking Activate in the firewall.

...

2.13) This concludes the configuration steps on the Unified Firewall.
 
3) Export the VPN certificate for the LANCOM router at the branch office:

3.1) Change to the menu Certificate Management → Certificates and, for the VPN certificate for the LANCOM router, click the Export button.

...

3.3) Click Export and save the certificate file on your PC.


4) Configuration steps on the LANCOM router:
4.1) Upload the router certificate to the LANCOM router:

4.1.1) Right-click on the LANCOM router in LANconfig and select the option Configuration management → Upload certificate or file.

4.1.2) In the following dialog, select the VPN certificate file for the LANCOM router that you exported in step 3.3.

4.1.3) In the certificate type field, select a VPN container. This example uses the container "VPN1".

4.1.4) In the Cert. password box enter the password for the certificate file (see step 3.2).

4.1.5) Click on Open to start the upload.
 
4.2) Configure the certificate-based VPN connection on the LANCOM router:

4.2.1) Start the Setup Wizard in LANconfig and select the option Connect two local area networks (VPN).

...

The certificate-based VPN connection to the Unified Firewall at the headquarters will now be established.
 


5) Setting up port and protocol forwarding on a LANCOM router (scenario 2 only):

IPSec requires the use of the UDP ports 500 and 4500 as well as the protocol ESP. These must be forwarded to the Unified Firewall.

Forwarding the UDP ports 500 and 4500 automatically causes the ESP protocol to be forwarded.

Info:
If you are using a router from another manufacturer, ask the manufacturer about the appropriate procedure.

Important:
If the UDP ports 500 and 4500 and the ESP protocol are forwarded to the Unified Firewall, an IPSec connection to the LANCOM router can only be used if it is encapsulated in HTTPS (IPSec-over-HTTPS). Otherwise, no IPSec connection will be established.

5.1) Open the configuration for the router in LANconfig and switch to the menu item IP-Router -> Masq. -> Port forwarding table.


5.2) Save the following parameters:

  • First port: Specify port 500.
  • Last port: Specify port 500.
  • Intranet address: Specify the IP address of the Unified Firewall in the transfer network between the Unified Firewall and the LANCOM router.
  • Protocol: From the drop-down menu, select UDP.


5.3) Create a further entry and specify the UDP port 4500.


5.4) Write the configuration back to the router.
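The following is an added example, not code from the LANCOM article or from the Unified Firewall or LANconfig themselves. It models the port forwarding table fields from step 5.2 (first port, last port, intranet address, protocol) as plain Python data and checks a table against what section 5 requires: UDP 500 and UDP 4500 must both be forwarded, and both must point at the Unified Firewall's address in the transfer network. The dataclass, the helper names and the sample entries (TEST-NET-1 addresses) are assumptions made for this example; a second helper encodes the "Important" note above, i.e. once both ports are forwarded to the firewall, the router's own IPsec endpoint is only reachable via IPsec-over-HTTPS.

```python
"""Consistency check for the port forwarding entries described in section 5.

Added example, not part of the article. Field names, helper names and sample
data are assumptions; the port numbers and the rule (UDP 500 + UDP 4500 to the
Unified Firewall) are taken from the article text.
"""
from dataclasses import dataclass
import ipaddress

IKE_PORT = 500       # UDP 500, required per section 5
NAT_T_PORT = 4500    # UDP 4500, required per section 5


@dataclass(frozen=True)
class ForwardingEntry:
    """One row of the LANconfig port forwarding table (fields from step 5.2)."""
    first_port: int
    last_port: int
    intranet_address: str
    protocol: str  # e.g. "UDP" or "TCP"

    def covers(self, port: int, protocol: str) -> bool:
        # An entry matches when the protocol is right and the port lies in its range.
        return (self.protocol.upper() == protocol.upper()
                and self.first_port <= port <= self.last_port)


def check_ipsec_forwarding(entries, firewall_address):
    """Return a list of findings; an empty list means the table satisfies section 5.

    firewall_address is the Unified Firewall's IP in the transfer network
    between the firewall and the LANCOM router (step 5.2, "Intranet address").
    """
    findings = []
    target = ipaddress.ip_address(firewall_address)
    for required in (IKE_PORT, NAT_T_PORT):
        matches = [e for e in entries if e.covers(required, "UDP")]
        if not matches:
            findings.append(f"missing forwarding entry for UDP {required}")
            continue
        for entry in matches:
            try:
                addr = ipaddress.ip_address(entry.intranet_address)
            except ValueError:
                findings.append(
                    f"UDP {required}: intranet address "
                    f"{entry.intranet_address!r} is not a valid IP address")
                continue
            if addr != target:
                findings.append(
                    f"UDP {required} is forwarded to {addr}, "
                    f"not to the Unified Firewall at {target}")
    return findings


def router_needs_ipsec_over_https(entries, firewall_address):
    """Encodes the article's 'Important' note: once UDP 500 and 4500 (and with
    them ESP) are forwarded to the Unified Firewall, an IPsec connection to the
    LANCOM router itself only works encapsulated in HTTPS."""
    return not check_ipsec_forwarding(entries, firewall_address)


# Constructed sample table for scenario 2 (addresses from TEST-NET-1, not real).
SAMPLE_FIREWALL_ADDRESS = "192.0.2.2"
SAMPLE_TABLE = [
    ForwardingEntry(500, 500, "192.0.2.2", "UDP"),      # step 5.2
    ForwardingEntry(4500, 4500, "192.0.2.2", "UDP"),    # step 5.3
]

if __name__ == "__main__":
    for finding in check_ipsec_forwarding(SAMPLE_TABLE, SAMPLE_FIREWALL_ADDRESS) or ["ok"]:
        print(finding)
    print("router needs IPsec-over-HTTPS:",
          router_needs_ipsec_over_https(SAMPLE_TABLE, SAMPLE_FIREWALL_ADDRESS))
```

Run it against a table transcribed from LANconfig before writing the configuration back to the router (step 5.4); a non-empty findings list points at the entry to correct, and a `True` from the second helper is the reminder that any administrative IPsec access to the router itself must now use IPsec-over-HTTPS.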

...