Description:
This document describes how to set up an IKEv2 site-to-site VPN connection between two LANCOM routers over IPv6.


Requirements:


Scenario:
  • A company wishes to interconnect the local IPv6 networks at its headquarters and at a branch office by means of an IKEv2 site-to-site VPN connection.
  • Both sites have a LANCOM router as their gateway and an Internet connection with a public IPv6 address. The public IPv6 address of the headquarters is 2001:db8:a::1234, and that of the branch office is 2001:db8:b::1234.
  • The VPN connection is established from the branch office to the headquarters.
  • The local IPv6 network at the headquarters uses the address range 2001:db8:a:1::/64, and the branch office uses the local IPv6 address range 2001:db8:b:1::/64.



Procedure:
1) Manual configuration of the LANCOM router at the headquarters:
1.1) Open the configuration for the LANCOM router at the headquarters in LANconfig, switch to the menu item VPN → General and activate the function Virtual Private Network.
1.2) Navigate to the menu item VPN → IKEv2/IPSec Authentication.
1.3) Click on the Add button to create a new entry.
1.4) Enter the information for the authentication of the VPN connection into the configuration window.
  • Name: Enter the name for the authentication here (in this example OFFICE). This entry is used later in the VPN connection list (see step 1.7).
  • Local authentication: Select the authentication type used on the router at the headquarters. This example uses authentication by pre-shared key (PSK).
  • Local identifier type: Select the identifier type used on the router at the headquarters. In this example, the identity type was set to Email address (FQUN).
  • Local identifier: Set the local identifier. In this example, the LANCOM router at the headquarters uses the local identity headquarter@lancom.com.
  • Local password: Set the pre-shared key to be used to authenticate at the router at the headquarters.
  • Remote authentication: Select the authentication type used by the LANCOM router at the branch office. This example uses authentication by pre-shared key (PSK).
  • Remote identifier type: Select the identifier type used on the router at the branch office. In this example, the identity type was set to Email address (FQUN).
  • Remote identifier: Set the remote identifier. In this example, the LANCOM router at the branch office uses the remote identity office@lancom.com.
  • Remote password: Set the pre-shared key to be used to authenticate at the router at the branch office.

1.5) Navigate to the menu item VPN → IKEv2/IPSec Connection list.
1.6) Click on the Add button to create a new entry.
1.7) Enter the following information into the configuration dialog:
  • Connection name: Enter a descriptive name for the VPN connection. This name is used later in the routing table (see step 1.9).
  • Short hold time: Specify the short-hold time in seconds for the VPN connection. In this example, a value of 0 is entered on the LANCOM router at the headquarters. This means that this router will not actively establish the VPN connection; it only accepts the connection initiated by the branch office.
  • Gateway: Specify the public IPv6 address of the LANCOM router at the branch office. In this example, this is the IPv6 address 2001:db8:b::1234.
  • Authentication: Select the authentication. The entry here corresponds to the name of the authentication that you set in step 1.4.
  • Rule creation: In the dropdown menu select the option Manual so that a user defined IPv6 rule can be selected.
  • IPv6 rules: In the dropdown menu select the preconfigured rule RAS-WITH-NETWORK-SELECTION. It allows communication between any networks.
  • IPv6 profile: In the dropdown menu select the IPv6 profile of the Internet connection (in this example INTERNET).

1.8) Navigate to the menu IP Router → Routing → IPv6 routing table.
1.9) Add a new routing entry.
  • As the Prefix, enter the address of the local IPv6 network at the branch office. In this example it is 2001:db8:b:1::/64.
  • For the Router field, select the name of the VPN remote site created in step 1.7 (in this example the VPN remote site OFFICE).
1.10) Open the menu Firewall/QoS → IPv6 Rules → IPv6 inbound rules.
1.11) Make sure that the preconfigured rule ALLOW-IPSEC is present and active. It allows an IPSec connection to be established to this router.
1.12) Go to the menu Firewall/QoS → IPv6 Rules → IPv6 forwarding rules.
1.13) Make sure that the preconfigured rule ALLOW-VPN is present and active. It allows communication via the configured VPN connections.
1.14) This concludes the configuration of the VPN connection at the headquarters. Write the configuration back to the LANCOM router.


2) Manual configuration of the LANCOM router at the branch office:
2.1) Open the configuration for the LANCOM router at the branch office in LANconfig, switch to the menu item VPN → General and activate the function Virtual Private Network.
2.2) Go to the menu item VPN → IKEv2/IPSec Authentication.
2.3) Click on the Add button to create a new entry.
2.4) Enter the information for the authentication of the VPN connection into the configuration window.
  • Name: Enter the name for the authentication here. This entry is used later in the VPN connection list (see step 2.7).
  • Local authentication: Select the authentication type used on the router at the branch office. This example uses authentication by pre-shared key (PSK).
  • Local identifier type: Select the identifier type used on the router at the branch office. In this example, the identity type was set to E-mail address (FQUN).
  • Local identifier: Set the local identifier. In this example, the LANCOM router at the branch office uses the local identity office@lancom.com.
  • Local password: Set the pre-shared key to be used to authenticate at the router at the branch office. This password must match the one configured in step 1.4.
  • Remote authentication: Select the authentication type used by the LANCOM router at the headquarters. This example uses authentication by pre-shared key (PSK).
  • Remote identifier type: Select the identifier type used on the router at the headquarters. In this example, the identity type was set to E-mail address (FQUN).
  • Remote identifier: Set the remote identifier. In this example, the LANCOM router at the headquarters uses the remote identity headquarter@lancom.com.
  • Remote password: Set the pre-shared key to be used to authenticate at the router at the headquarters. This password must match the one configured in step 1.4.

2.5) Go to the menu item VPN → IKEv2/IPSec Connection list.
2.6) Click on the Add button to create a new entry.
2.7) Enter the following information into the configuration dialog:
  • Connection name: Enter a descriptive name for the VPN connection. This name is used later in the routing table (see step 2.9).
  • Short hold time: Specify the short-hold time in seconds for the VPN connection. In this example, a value of 9999 seconds is entered into the LANCOM router at the branch office. This means that this router actively establishes the VPN connection.
  • Gateway: Specify the public IPv6 address of the LANCOM router at the headquarters. In this example, this is the IPv6 address 2001:db8:a::1234.
  • Authentication: Select the authentication. The entry here corresponds to the name of the authentication that you set in step 2.4.
  • Rule creation: In the dropdown menu select the option Manual so that a user defined IPv6 rule can be selected.
  • IPv6 rules: In the dropdown menu select the preconfigured rule RAS-WITH-NETWORK-SELECTION. It allows communication between any networks.
  • IPv6 profile: In the dropdown menu select the IPv6 profile of the Internet connection (in this example INTERNET).

2.8) Navigate to the menu IP router → Routing → IPv6 routing table.
2.9) Add a new routing entry.
  • As the Prefix, enter the address of the local IPv6 network at the headquarters. In this example it is 2001:db8:a:1::/64.
  • For the Router field, select the name of the VPN remote site created in step 2.7 (in this example the VPN remote site HEADQUARTER).
2.10) Open the menu Firewall/QoS → IPv6 Rules → IPv6 inbound rules.
2.11) Make sure that the preconfigured rule ALLOW-IPSEC is present and active. It allows an IPSec connection to be established to this router.
2.12) Go to the menu Firewall/QoS → IPv6 Rules → IPv6 forwarding rules.
2.13) Make sure that the preconfigured rule ALLOW-VPN is present and active. It allows communication via the configured VPN connections.
2.14) This concludes the configuration of the VPN connection at the branch office. Write the configuration back to the LANCOM router at the branch office.
After the configuration has been written back to the LANCOM router at the branch office, the VPN connection can be established between the two LANCOM routers. You can check this for example in LANmonitor.
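Most failures of a mirrored setup like this come from one side not matching the other: a gateway that is not the peer's public address, a local identifier or password that differs from the peer's remote entry, a route prefix that is not the peer's LAN, both routers passive, or a firewall rule left inactive. The following Python script is an added example, not part of this article and not LANCOM tooling: it models the entries from steps 1 and 2 with the example values from the text and checks that the two routers agree. The dictionary layout and the make_site() helper are assumptions made for this script, the pre-shared key is a placeholder, and the script assumes that the Local identifier and Local password on one router must equal the Remote identifier and Remote password on the other.

```python
"""Consistency check for a mirrored IKEv2 site-to-site configuration.

Constructed example for this article (not LANCOM software). The two sites
model the values typed into the LANconfig dialogs of steps 1 and 2; key
names and make_site() are assumptions chosen for this script.
"""
import ipaddress


def make_site(public_address, local_network, auth_name, local_id, remote_id,
              local_psk, remote_psk, connection_name, short_hold_time,
              gateway, route_prefix, allow_ipsec=True, allow_vpn=True):
    """Bundle one router's VPN-relevant entries (assumed layout)."""
    return {
        "public_address": public_address,
        "local_network": local_network,
        "authentication": {"name": auth_name, "local_identifier": local_id,
                           "remote_identifier": remote_id,
                           "local_password": local_psk,
                           "remote_password": remote_psk},
        "connection": {"name": connection_name, "gateway": gateway,
                       "short_hold_time": short_hold_time,
                       "authentication": auth_name},
        "route": {"prefix": route_prefix, "router": connection_name},
        "firewall": {"ALLOW-IPSEC": allow_ipsec, "ALLOW-VPN": allow_vpn},
    }


# Placeholder pre-shared key; the real key is entered in steps 1.4 and 2.4.
PSK = "REPLACE-WITH-REAL-PSK"

# Headquarters (step 1): passive side, short hold time 0.
HEADQUARTERS = make_site("2001:db8:a::1234", "2001:db8:a:1::/64", "OFFICE",
                         "headquarter@lancom.com", "office@lancom.com",
                         PSK, PSK, "OFFICE", 0,
                         "2001:db8:b::1234", "2001:db8:b:1::/64")

# Branch office (step 2): active side, short hold time 9999.
BRANCH = make_site("2001:db8:b::1234", "2001:db8:b:1::/64", "HEADQUARTER",
                   "office@lancom.com", "headquarter@lancom.com",
                   PSK, PSK, "HEADQUARTER", 9999,
                   "2001:db8:a::1234", "2001:db8:a:1::/64")


def _same_address(a, b):
    """Compare IPv6 addresses by value, not by spelling."""
    try:
        return ipaddress.IPv6Address(a) == ipaddress.IPv6Address(b)
    except ValueError:
        return False


def _net(text):
    """Parse a prefix; None if it is not a valid IPv6 network (host bits set, typo, ...)."""
    try:
        return ipaddress.IPv6Network(text)
    except ValueError:
        return None


def _check_against_peer(site, peer, name, peer_name):
    """Entries on one router that must mirror what the peer has configured."""
    out = []
    auth, conn = site["authentication"], site["connection"]
    # Step 1.7 / 2.7: the gateway is the peer's public address.
    if not _same_address(conn["gateway"], peer["public_address"]):
        out.append(f"{name}: gateway {conn['gateway']} is not the public address of the {peer_name}")
    # Step 1.4 / 2.4: my local identity/password is the peer's remote identity/password.
    if auth["local_identifier"] != peer["authentication"]["remote_identifier"]:
        out.append(f"{name}: local identifier is not the remote identifier entered at the {peer_name}")
    if not auth["local_password"]:
        out.append(f"{name}: local password is empty")
    elif auth["local_password"] != peer["authentication"]["remote_password"]:
        out.append(f"{name}: local password is not the remote password entered at the {peer_name}")
    # Step 1.9 / 2.9: the route prefix is exactly the peer's LAN.
    route, peer_lan = _net(site["route"]["prefix"]), _net(peer["local_network"])
    if route is None or route != peer_lan:
        out.append(f"{name}: route prefix {site['route']['prefix']} is not the LAN of the {peer_name}")
    # Steps 1.11/1.13 and 2.11/2.13: both preconfigured rules active.
    for rule in ("ALLOW-IPSEC", "ALLOW-VPN"):
        if not site["firewall"].get(rule):
            out.append(f"{name}: firewall rule {rule} is missing or inactive")
    return out


def check_site_to_site(hq, branch):
    """Return a list of findings; an empty list means both sides agree."""
    findings = _check_against_peer(hq, branch, "headquarters", "branch office")
    findings += _check_against_peer(branch, hq, "branch office", "headquarters")
    hq_lan, br_lan = _net(hq["local_network"]), _net(branch["local_network"])
    if hq_lan and br_lan and hq_lan.overlaps(br_lan):
        findings.append("the two local networks overlap; routing between them is ambiguous")
    # Exactly one router initiates (short hold time > 0); the other waits (0).
    active = [n for n, s in (("headquarters", hq), ("branch office", branch))
              if s["connection"]["short_hold_time"] > 0]
    if len(active) != 1:
        findings.append(f"expected exactly one side with a short hold time > 0, found: {active or 'none'}")
    return findings


if __name__ == "__main__":
    for line in check_site_to_site(HEADQUARTERS, BRANCH) or ["both sides consistent"]:
        print(line)
```

Run as-is, the script reports that the two example sites are consistent; change one value (for example the branch office's remote password, or set both short hold times to 0) and the corresponding finding names the router and the step to revisit.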

If problems occur during connection establishment, or if the established VPN connection does not work properly, a VPN status trace can help with the diagnosis. Information on this is available in the corresponding KnowledgeBase article.