...
- A company wants to use an IKEv2 site-to-site connection to connect its branch office, where a LANCOM router operates as an Internet gateway, to its company headquarters.
- The company headquarters has a Unified Firewall as a gateway with an Internet connection with the fixed public IP address 81.81.81.81.
- The LANCOM router at the branch office should establish the VPN connection to the headquarters.
- The local network at the headquarters has the IP address range 192.168.66.0/24.
- The local network at the branch office has the IP address range 192.168.50.0/23.
2) The Unified Firewall is connected to the Internet via an upstream router:
- A company wants to use an IKEv2 site-to-site connection to connect its branch office, where a LANCOM router operates as an Internet gateway, to its company headquarters.
- The company headquarters has a Unified Firewall as the gateway and an upstream router for the Internet connection. The router has the fixed public IP address 81.81.81.81.
- The LANCOM router at the branch office should establish the VPN connection to the headquarters.
- The local network at the headquarters has the IP address range 192.168.66.0/24.
- The local network at the branch office has the IP address range 192.168.50.0/23.
Procedure:
The setup for scenarios 1 and 2 are basically the same. Scenario 2 additionally requires port and protocol forwarding to be set up on the upstream router (see section 3).
...
1.1) Connect to the configuration interface of the Unified Firewall and navigate to VPN -> → IPSec -> → IPSec Settings.
1.2) Activate IPSec.
1.3) Switch to VPN -> → IPSec -> → Connections and click on the “+” icon to create a new IPSec connection.
...
- Local Networks: Here you enter the local networks (in CIDR notation) that the remote station should reach. In this example, the local network at the headquarters has the IP address range 192.168.66.0/24.
- Remote Networks: Here you enter the local networks (in CIDR notation) that the remote station should reach. In this example, the local network at the branch office has the IP address range 192.168.50.0/23.
- Activate the option IKEv2 Compatbility Mode.
| Hinweis |
|---|
The activation of the option IKEv2 Compatbility Mode is mandatory when more than one network is to be used on one or both sides for VPN communication. Otherwise the VPN connection won't work! Therefore LANCOM Systems recommends to generally activate the IKEv2 Compatibilty Mode for VPN connections between a LANCOM Router and a Unified Firewall. |
1.6) Change to the Authentication tab and enter the following parameters:
- Authentication Type: Select the option PSK (Preshared Key).
- PSK (Preshared Key): Set a preshared key for this connection.
- Local Identifier: Set the local identifier.
- Remote identifier: Set the remote identifier.
...
| Hinweis |
|---|
The local and remote identifiers must not match! |
1.7) Click the icon to create a new VPN host.
...
1.10) Use the “+” sign to assign the required protocols to the VPN host.
...
| Info |
|---|
A Unified Firewall uses a deny-all strategy. You therefore have to explicitly allow communication. |
...
Firewall objects can also be accessed via Desktop -> Desktop Connections and clicking on the “edit” icon. |
1.11) Finally, implement the configuration changes by clicking Activate in the firewall.
...
Forwarding the UDP ports 500 and 4500 automatically causes the ESP protocol to be forwarded.
...
| Info |
|---|
If you are using a router from another manufacturer, ask them about appropriate procedure. |
...
| Hinweis |
|---|
If the UDP ports 500 and 4500 and the ESP protocol are forwarded to the Unified Firewall, an IPSec connection to the LANCOM router can only be used if it is encapsulated in HTTPS (IPSec-over-HTTPS). Otherwise, no IPSec connection will be established. |
3.1) Open the configuration for the router in LANconfig and switch to the menu item IP-Router
...
→ Masq.
...
→ Port forwarding table.
3.2) Save the following parameters:
...