...

This document describes how to set up a certificate-based IKEv2 (site-to-site) connection between a LANCOM router and a LANCOM R&S®Unified firewall.

Info

The certificate module was updated in LCOS FX 10.7, therefore the corresponding menus differ compared to older LCOS FX versions. The configuration of a certificate-based IKEv2 connection between a LANCOM router and a Unified Firewall is described in the following article:

Setting up a certificate-based IKEv2 VPN connection (site-to-site) between a LANCOM router and a LANCOM R&S®Unified Firewall (as of LCOS FX 10.7)



Requirements:

  • LANCOM R&S®Unified Firewall as of LCOS FX 10.4 and up to and including LCOS FX 10.6
  • LANCOM VPN router
  • LCOS as of version 10.20 (download)
  • LANtools from version 10.20 (download)
  • A configured and functional Internet connection on the Unified Firewall
  • Web browser for configuring the Unified Firewall.

    The following browsers are supported:
    • Google Chrome
    • Chromium
    • Mozilla Firefox


Scenario:

1) The Unified Firewall is connected directly to the Internet and has a public IPv4 address:

...

Procedure:
The setup for scenarios 1 and 2 is basically the same. Scenario 2 additionally requires port and protocol forwarding to be set up on the upstream router (see section 5).
 

1) Creating the CA and VPN certificates on the Unified Firewall:

1.1) Connect to the configuration interface of the Unified Firewall, go to the menu Certificate Management → Certificates and click on the "+" icon to create a new certificate.

...

1.7) Then click the Create button.



 
2) Creating the VPN connection on the Unified Firewall:

2.1) Connect to the configuration interface of the Unified Firewall and navigate to the menu VPN → IPsec settings.

2.2) Activate IPsec.

2.3) Switch to VPN → IPsec Connections and click on the "+" icon to create a new IPsec connection.

...

2.11) Use the "+" sign to assign the required protocols to the VPN host.

...

Info

A Unified Firewall uses a deny-all strategy. You therefore have to explicitly allow communication.

Info: Firewall objects can also be accessed via Desktop → Desktop connections and clicking on the "edit" icon.

2.12) Finally, implement the configuration changes by clicking Activate in the firewall.

...

2.13) This concludes the configuration steps on the Unified Firewall.
 



3) Export the VPN certificate for the LANCOM router at the branch office:

...

4.1.1) Right-click on the LANCOM router in LANconfig and select the option Configuration management → Upload certificate or file.

...

4.1.5) Click on Open to start the upload.
 


4.2) Configure the certificate-based VPN connection on the LANCOM router:

...

4.2.10) Open the configuration of the LANCOM router in LANconfig and navigate to VPN → IKEv2/IPsec → Authentication.

...

The certificate-based VPN connection to the Unified Firewall at the headquarters will now be established.



5) Setting up port and protocol forwarding on a LANCOM router (scenario 2 only):

IPsec requires the UDP ports 500 and 4500 as well as the ESP protocol. These must be forwarded to the Unified Firewall.

Forwarding the UDP ports 500 and 4500 automatically causes the ESP protocol to be forwarded.

...

Info

If you are using a router from another manufacturer, ask the manufacturer about the appropriate procedure.

...

Note

If the UDP ports 500 and 4500 and the ESP protocol are forwarded to the Unified Firewall, an IPsec connection to the LANCOM router itself can only be used if it is encapsulated in HTTPS (IPsec-over-HTTPS). Otherwise, no IPsec connection to the router will be established.

5.1) Open the configuration for the router in LANconfig and switch to the menu item IP-Router → Masq. → Port forwarding table.

5.2) Save the following parameters:

...