Description:
This document describes how certificates created by LANCOM Smart Certificate are used for a certificate-based VPN client connection from an Android device.
Note:

In 2019 the IETF (Internet Engineering Task Force) designated IKEv1 as deprecated and insecure, so it should no longer be used. LANCOM Systems recommends using the current standard, IKEv2, instead.

The IKEv1 functionality in LANCOM devices remains intact and can still be used for scenarios where devices without IKEv2 support are used. However, LANCOM Systems will not provide any support for troubleshooting connection problems with IKEv1 connections, and there will be no bug fixes or new features for IKEv1.

In rare cases a disconnect can occur during rekeying. In such a case it can be useful to increase the lifetimes, so that the disconnects occur less often.



Requirements:
  • LCOS as of version 9.10 or later
  • (download latest version)
  • Mobile device (smartphone, tablet PC, etc.) with the Android operating system version as of 4.x
  • LANCOM central-site gateway, WLAN controller, or LANCOM router with an activated VPN 25 Option
  • Certificates for the LANCOM router and Android device. How to create certificates with LANCOM Smart Certificate is described in the following.



Procedure:

1) Enable the CA function in the LANCOM router

1.1) In LANconfig, open the configuration dialog for the LANCOM router and switch to the menu item Certificates -> Cert. authority (CA).

1.2) Set a check mark for the option Certificate authority (CA) active. The LANCOM router functions as the root certificate authority (root CA).

Note:

For this configuration example we leave all of the other parameters with their preset values.




2) Upload the router certificate to the LANCOM router
2.1) Right-click on the LANCOM router in LANconfig and select the option Configuration management -> Upload certificate or file.
2.2) In the following dialog select the certificate file intended for the LANCOM router.
2.3) In the certificate type field, select a VPN container.
2.4) In the Cert. password box enter the password for the certificate file. Click on Open to start the upload.


3) Configure the certificate-based VPN client connection on the LANCOM router
3.1) Start the Setup Wizard in LANconfig and select the option Provide remote access (RAS, VPN).
3.2) Select the option VPN connection over the Internet.
3.3) Disable the option ... 1-Click VPN.
3.4) In this example, we do not use IPSec-over-HTTPS.
3.5) Enter a name for the new VPN connection.
3.6) In the next dialog, specify the public IP address or DNS name of the LANCOM router.
3.7) For this connection, select the option Certificates (RSA signature) and main mode for VPN connection authentication.
3.8) In the next dialog box, enter the identities of the certificates.
  • As the local identity, enter the name of the certificate in the LANCOM router.
  • As the remote identity, enter the name of the certificate in the VPN client.
3.9) Enter a local IP address for the LANCOM Advanced VPN Client.
3.10) In this example, all of the local IP addresses should be available to the VPN client.
3.11) NetBIOS is not used in this example.
3.12) In the dialog box that follows, do not select any of the options, because we have to manually configure the VPN connection on the Android device (see step 6).
3.13) Click on Finish to conclude the Setup Wizard. The configuration is written back to the LANCOM router.
3.14) Open the configuration for the LANCOM router and switch to the menu item VPN -> General -> Connection list.
3.15) Open the entry for the new VPN client connection.
3.16) For the XAUTH option, select the setting Server. Save the change with the OK button.
3.17) Switch to the menu VPN -> General -> Connection parameters.
3.18) Open the entry for the new VPN client connection.
3.19) Set the PFS group parameter to the value No PFS.
3.20) Change to the menu Configuration -> Communication -> Protocols -> PPP list.
3.21) Add a new entry.
  • As the Remote site, select the new VPN client connection.
  • Set a password in the Password field.
  • Enable the option Activate IP routing.
Note:

You will need the name of the remote site and the password again later in step 6.2 to establish the VPN connection.


3.22) Save the configuration by clicking the OK button and then write the changes back to the LANCOM router.

This concludes the configuration of the LANCOM router.


4) Importing a client certificate into the Android device
4.1) Upload the client certificate to the storage in the Android device.
4.2) Navigate to the menu Settings -> Security and, under Credential storage, select the option Install from device storage.
4.3) Select the uploaded certificate file and give it a certificate name of your choice in the following dialog.

Set the Credential use to the default (VPN and apps).
4.4) Click on OK to conclude.


5) Configuring the VPN connection on the Android device
5.1) Navigate to the menu Settings -> More settings -> VPN.
5.2) Tap on Add VPN network to create a new entry.
5.3) In the next dialog box, enter the following settings:
  • In the Name box, enter a name for the new VPN profile. Use any name you like.
  • Set the selection field Type to IPSec Xauth RSA.
  • In the Server address field, enter the public IP address or public DNS address of the LANCOM router.
  • Set each of the selection fields IPSec user certificate and IPSec-CA certificate to the client certificate.
  • In the IPSec server certificate selection box, set the option Received from server.
5.4) Tap Save to store the configured VPN profile.


6) Function check:
6.1) To start the VPN connection, just tap the newly created VPN profile.
6.2) In the fields Username and Password, enter the values that you set when configuring the LANCOM router in step 3.21.
  • As the Username, enter the name you set for the VPN connection configured in the LANCOM router (in this case: VPN_CERT).
  • The Password is the one you entered in the PPP list entry.
6.3) Tap Connect to establish the VPN connection to the LANCOM router. This concludes the configuration steps on the Android device.