Description:

When switching from a LANCOM router to a LANCOM R&S®Unified Firewall, it makes sense to transfer the configuration of the Advanced VPN Client connections from the router to the LANCOM R&S®Unified Firewall so that the profiles of the Advanced VPN Client connections do not have to be rolled out to the end devices again.

This article describes how to transfer an IKEv2 connection for the Advanced VPN Client from a LANCOM router to a LANCOM R&S®Unified Firewall.

The scenario and the general procedure correspond to the procedure for setting up a new IKEv2 connection for the Advanced VPN Client on a Unified Firewall.



Requirements:


Procedure:

1) Reading out the authentication parameters of the Advanced VPN Client connection from the LANCOM router:

1.1) Open the configuration of the LANCOM router in LANconfig and navigate to VPN → IKEv2/IPsec → Authentication.

1.2) Open the entry for the VPN connection to be transferred to the Unified Firewall and note the following parameters:

  • Name
  • Local identifier and Remote identifier
  • Local password and Remote password

The Setup Wizard on the router sets Local identifier and Remote identifier to the same value, and likewise Local password and Remote password.



2) Configuring the Advanced VPN Client connection in the Unified Firewall:

2.1) Connect to the Unified Firewall and navigate to the menu VPN → IPsec → IPsec Settings.

2.2) Check that IPsec is enabled.

2.3) Go to the menu VPN → IPsec → Connections and click the “+” icon to create a VPN connection.

2.4) Change the following parameters:

  • Name: Enter the name of the VPN connection on the router noted in step 1.2 (in this example IKEV2C_0001). 
  • Security Profile: Use the drop-down menu to select the ready-made security profile LANCOM Advanced VPN Client IKEv2.
  • Connection: Use the drop-down menu to select the Internet connection of the Unified Firewall.

2.5) Go to the Tunnels tab and modify the following parameters:

  • Local networks: Using CIDR notation (Classless Inter-Domain Routing), enter the local networks in which communication via the Advanced VPN Client is allowed (in this example 192.168.3.0/24).
  • Virtual IP Pool: From the drop-down menu, select the option Default virtual IP pool so that the Advanced VPN Client is assigned an IP address from this pool.

2.6) Go to the Authentication tab, adjust the following parameters and click Create:

  • Authentication Type: Use the drop-down menu to select the option PSK (Preshared Key).
  • PSK (Preshared Key): Enter the Local password / Remote password noted in step 1.2 (in this example presharedkey).
  • Local Identifier: Enter the Local identifier / Remote identifier noted in step 1.2 (in this example IKEV2C_0001@internal). 
  • Extended Authentication: Leave the setting at No Extended Authentication.
  • Remote Identifier: Enter the Local identifier / Remote identifier noted in step 1.2 (in this example IKEV2C_0001@internal).

If you need further VPN connections for which communication is to be permitted in the same network, this connection can be copied. You only need to adjust the Name and the authentication parameters.
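Before typing the values from step 1.2 into the Authentication tab and the networks from step 2.5 into the Tunnels tab, it helps to check them for the consistency the wizard guarantees (identical local/remote identifiers and passwords) and for valid network-address CIDR notation. The following Python helper is an added example for this article, not LANCOM code; the RouterVpnEntry record, the check_entry function and the sample values are assumptions modelled on the article's example (IKEV2C_0001, IKEV2C_0001@internal, presharedkey, 192.168.3.0/24).

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass
class RouterVpnEntry:
    """Parameters read off the router in step 1.2
    (LANconfig: VPN -> IKEv2/IPsec -> Authentication).
    Hypothetical record type for this example."""
    name: str
    local_identifier: str
    remote_identifier: str
    local_password: str
    remote_password: str


def check_entry(entry: RouterVpnEntry, local_networks: list[str]) -> list[str]:
    """Return a list of problems found; an empty list means the values
    can be entered into the Unified Firewall as described in steps 2.5 and 2.6."""
    problems: list[str] = []

    if not entry.name.strip():
        problems.append("Name is empty (it is reused as the connection name in step 2.4)")

    # The router's Setup Wizard sets both identifiers and both passwords
    # to the same value; a difference means the entry was edited by hand
    # and the firewall fields would not match what the client expects.
    if entry.local_identifier != entry.remote_identifier:
        problems.append("Local identifier and Remote identifier differ")
    if entry.local_password != entry.remote_password:
        problems.append("Local password and Remote password differ")
    if not entry.local_password:
        problems.append("PSK (Preshared Key) is empty")

    # Local networks must be network addresses in CIDR notation.
    # strict=True rejects a host address such as 192.168.3.1/24, which
    # the Tunnels tab expects as 192.168.3.0/24.
    for net in local_networks:
        try:
            ipaddress.ip_network(net, strict=True)
        except ValueError as exc:
            problems.append(f"Local network {net!r} is not valid CIDR: {exc}")

    return problems


if __name__ == "__main__":
    # Constructed sample values taken from the article's example.
    entry = RouterVpnEntry(
        name="IKEV2C_0001",
        local_identifier="IKEV2C_0001@internal",
        remote_identifier="IKEV2C_0001@internal",
        local_password="presharedkey",
        remote_password="presharedkey",
    )
    for problem in check_entry(entry, ["192.168.3.0/24"]) or ["OK: ready to enter"]:
        print(problem)
```

Run the script once per router entry you intend to migrate; any line other than "OK" points at a value to correct on the router side before it is copied into the firewall.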


2.7) Click the icon to create a VPN host.

2.8) Modify the following parameters and then click Create:

  • Name: Enter a descriptive name (in this example IKEV2C_0001).
  • VPN Connection Type: Select the option IPsec.
  • IPsec Connection: From the drop-down menu, select the VPN connection created in steps 2.3 - 2.6.

2.9) Click the VPN host on the desktop, select the “connection tool” and click the network with which communication via the Advanced VPN Client should be allowed.

2.10) Assign the necessary protocols to the VPN host using the “+” icons.

A Unified Firewall uses a deny-all strategy. You therefore have to explicitly allow communication.

2.11) Finally, implement the changes by clicking Activate.