Description:
This document describes how to configure an IKEv2 VPN connection between two LANCOM routers (site-to-site) using the Setup Wizard in LANconfig.


Requirements:


Scenario:
  • A company wishes to interconnect the local networks at their headquarters and at a branch office by means of an IKEv2 site-to-site VPN connection.
  • Both sites have a LANCOM router as their gateway and an Internet connection with a fixed public IP address. The public IP address of the headquarters is 81.81.81.81, and that of the branch office is 80.80.80.80.
  • The VPN connection is established from the headquarters to the branch office.
  • The local network at the headquarters has the IP address range 192.168.1.0/24, and the branch office uses the local IP address range 192.168.2.0/24.

Procedure:
1) Configuration steps on the LANCOM router at the headquarters:
1.1) Open the Setup Wizard on the LANCOM router at the headquarters and select Connect two local area networks (VPN).
1.2) In the next dialog, select the exchange mode IKEv2.
1.3) In this example, we do not use IPSec-over-HTTPS.
1.4) In the next dialog, enter the name of the LANCOM router at the remote site. In this example it is OFFICE.
1.5) To establish an encrypted VPN connection, we need an identity that is known to both sites.
In this example, the identity is the e-mail address headquarter@lancom.de.
1.6) Create passwords for the local and for the remote identity.
1.7) Since the LANCOM router at the headquarters should establish the VPN connection, you need to choose the upper option.
1.8) The gateway needs to be set to the public IP address (or the DNS name) of the LANCOM router at the branch office.
Because the local network in the branch office has the address range 192.168.2.0/24, this needs to be entered into the fields Address and Netmask.
1.9) Click on Finish to close the Wizard and write the configuration back to the LANCOM router.


2) Configuration steps on the LANCOM router at the branch office:
2.1) Open the Setup Wizard on the LANCOM router at the branch office and select Connect two local area networks (VPN).
2.2) In the next dialog, select the exchange mode IKEv2.
2.3) In this example, we do not use IPSec-over-HTTPS.
2.4) In the next dialog, enter the name of the LANCOM router at the remote site. In this example it is HEADQUARTER.
2.5) To establish an encrypted VPN connection, we need an identity that is known to both sites.
In this example, the identity is set to the e-mail address headquarter@lancom.de (this identity must match the one specified in step 1.5).
2.6) Create passwords for the local and for the remote identity. These must match the passwords set in step 1.6.
2.7) Since the LANCOM router at the branch office should receive the VPN connection, you need to choose the lower option.
2.8) The gateway needs to be set to the public IP address (or the DNS name) of the LANCOM router at the headquarters.
Because the local network in the headquarters has the address range 192.168.1.0/24, this needs to be entered into the fields Address and Netmask.
2.9) Click on Finish to close the Wizard and write the configuration back to the LANCOM router.
After the configuration has been written back to the LANCOM router at the branch office, the VPN connection can be established between the two LANCOM routers. You can check this, for example, by loading the two LANCOM routers into LANmonitor.
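
The values entered in steps 1.5 to 1.8 and 2.5 to 2.8 have to mirror each other, and a mismatch only shows up later as a failed connection. The following Python check is an added example, not part of LANconfig or of LANCOM's documentation: the record layout and function name are hypothetical, the passwords are placeholders, and the gateways are assumed to be IP addresses as in the scenario, not DNS names.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class WizardInput:
    """Values entered in the Setup Wizard at one site (hypothetical record)."""
    site: str          # label used in messages only
    public_ip: str     # this router's fixed public IP address
    lan: str           # this site's local network
    identity: str      # step x.5
    passwords: tuple   # step x.6: (local, remote)
    initiates: bool    # step x.7: True = upper option, False = lower option
    gateway: str       # step x.8: public IP of the remote router
    remote_net: str    # step x.8: Address/Netmask of the remote network


def check_pair(a, b):
    """Return a list of mismatches between the two sites' wizard inputs."""
    errors = []
    if a.identity != b.identity:
        errors.append("identity differs between the sites")
    # The page only says the passwords must match, so compare them unordered.
    if sorted(a.passwords) != sorted(b.passwords):
        errors.append("passwords differ between the sites")
    if a.initiates == b.initiates:
        errors.append("exactly one site must establish the connection")
    for local, peer in ((a, b), (b, a)):
        if ipaddress.ip_address(local.gateway) != ipaddress.ip_address(peer.public_ip):
            errors.append(f"{local.site}: gateway is not the public IP of {peer.site}")
        if ipaddress.ip_network(local.remote_net) != ipaddress.ip_network(peer.lan):
            errors.append(f"{local.site}: remote network is not the LAN of {peer.site}")
    # Added check, not a wizard step: overlapping LANs cannot be routed to each other.
    if ipaddress.ip_network(a.lan).overlaps(ipaddress.ip_network(b.lan)):
        errors.append("local networks overlap")
    return errors


# Constructed sample input using the scenario's addresses; passwords are placeholders.
HQ = WizardInput("headquarters", "81.81.81.81", "192.168.1.0/24", "headquarter@lancom.de",
                 ("<local-pw>", "<remote-pw>"), True, "80.80.80.80", "192.168.2.0/24")
BRANCH = WizardInput("branch office", "80.80.80.80", "192.168.2.0/24", "headquarter@lancom.de",
                     ("<local-pw>", "<remote-pw>"), False, "81.81.81.81", "192.168.1.0/25"[:-1] + "4")

if __name__ == "__main__":
    for problem in check_pair(HQ, BRANCH) or ["no mismatches found"]:
        print(problem)
```
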

If problems occur during connection establishment, or if the established VPN connection does not work properly, a VPN Status Trace can help with the diagnosis. Information is available in this Knowledge Base article.