

Description:

This document describes how to set up an IKEv2 connection between the LANCOM Advanced VPN Client and a LANCOM R&S®Unified Firewall (referred to here as the Unified Firewall).



Requirements:



Scenario:

1) The Unified Firewall is connected directly to the Internet and has a public IPv4 address:

  • A company wants its sales representatives to have access to the corporate network via an IKEv2 client-to-site connection.
  • The notebooks used by the sales representatives have the LANCOM Advanced VPN Client installed on them.
  • The company headquarters has a Unified Firewall as a gateway with an Internet connection with the fixed public IP address 81.81.81.81.
  • The local network at the headquarters has the IP address range 192.168.3.0/24.

2) The Unified Firewall is connected to the Internet via an upstream router:

  • A company wants its sales representatives to have access to the corporate network via an IKEv2 client-to-site connection.
  • The notebooks used by the sales representatives have the LANCOM Advanced VPN Client installed on them.
  • The company headquarters has a Unified Firewall as the gateway and an upstream router for the Internet connection. The router has the fixed public IP address 81.81.81.81.
  • The local network at the headquarters has the IP address range 192.168.3.0/24.



Procedure:

The setup for scenarios 1 and 2 is basically the same. Scenario 2 additionally requires port and protocol forwarding to be set up on the upstream router (see section 3).

1) Configuration steps on the Unified Firewall:

1.1) Connect to the configuration interface of the Unified Firewall and navigate to VPN -> IPSec -> IPSec Settings.

1.2) Activate IPSec.

1.3) Switch to VPN -> IPSec Connections and click on the “+” icon to create a new IPSec connection.

1.4) Save the following parameters:

  • Name: Enter a descriptive name.
  • Security Profile: Here you select the ready-made profile LANCOM Advanced VPN Client IKEv2.
  • Connection: Select your configured Internet connection.

If you have created your own template or security profile, you can use these here.

1.5) Change to the Tunnels tab and enter the following parameters:

  • Local Networks: Here you enter the local networks (in CIDR notation) that the VPN client should reach. In this example, the local network at the headquarters has the IP address range 192.168.3.0/24.
  • Virtual IP Pool: Select the option Default virtual IP pool. Virtual IP pools can be used to send IP address configurations to connected VPN clients.

1.6) Change to the Authentication tab and enter the following parameters:

  • Authentication: Select the option PSK (Preshared Key).
  • PSK (Preshared Key): Set a preshared key for this connection.
  • Local Identifier: Set the local identifier.
  • Remote identifier: Set the remote identifier.

Important:
The local and remote identifiers must not match!

1.7) Click the icon to create a new VPN host.

1.8) Save the following parameters:

  • Name: Enter a descriptive name.
  • VPN Connection Type: Select the type IPSec.
  • IPSec Connection: From the drop-down menu under IPSec, select the VPN connection created in steps 1.4 - 1.6.

1.9) In the VPN host click on the "connection" icon and, to open the firewall objects, click on the network object that the Advanced VPN Client should access.

1.10) Use the “+” sign to assign the required protocols to the VPN host.

Info:
A Unified Firewall uses a deny-all strategy. You therefore have to explicitly allow communication.

Info:
Firewall objects can also be accessed via Desktop -> Desktop Connections and clicking on the “edit” icon.

1.11) Finally, implement the configuration changes by clicking Activate in the firewall.

1.12) Change to the menu VPN → IPsec → Connections and click on the button Export this Connection.

1.13) Assign an Archive Password to encrypt the exported Zip archive.

1.14) As Gateway, enter the public IP address or DNS name of the Unified Firewall (in this case 81.81.81.81).

1.15) Click on Export and save the Zip file to your computer.

1.16) This concludes the configuration steps on the Unified Firewall.


2) Configuring the Advanced VPN Client:

2.1) Open the Advanced VPN Client and navigate to the menu Configuration -> Profiles.

2.2) Click on Add / import to create a new VPN connection.

2.3) Select Link to Corporate Network Using IPSec.

2.4) Enter a descriptive name.

2.5) Select the Communication medium.

Info:
If you use changing communication media (e.g. LAN and WLAN), use the option Communication media automatic.

2.6) Enter the public IP address or the DynDNS name of the Unified Firewall.

2.7) Set the Exchange Mode to IKEv2 and the PFS Group to DH16 (modp4096). Disable the option IPSec-over-HTTPS.

2.8) Save the following parameters:

  • Type: From the drop-down menu, select the identity type Fully Qualified Username (FQUN).
  • ID: Enter the Remote identifier set in step 1.6.
  • Shared Secret: Enter the Preshared key set in step 1.6.

2.9) From the drop-down menu, select the IKE Config Mode so that the VPN client automatically receives the IP address from the Unified Firewall.

2.10) In order to use the function Split Tunneling, enter the target network to be reached via the VPN tunnel.

Important:
If split tunneling is not configured, all traffic is transferred over the VPN tunnel while it is established, including traffic intended for the local network or the Internet. This can lead to problems with the communication!

2.11) This concludes the configuration steps in the Advanced VPN Client.


3) Setting up port and protocol forwarding on a LANCOM router (scenario 2 only):

IPSec requires the use of the UDP ports 500 and 4500 as well as the protocol ESP. These must be forwarded to the Unified Firewall.

Forwarding the UDP ports 500 and 4500 automatically causes the ESP protocol to be forwarded.

Info:
If you are using a router from another manufacturer, ask them about the appropriate procedure.

Important:
If the UDP ports 500 and 4500 and the ESP protocol are forwarded to the Unified Firewall, an IPSec connection to the LANCOM router can only be used if it is encapsulated in HTTPS (IPSec-over-HTTPS). Otherwise, no IPSec connection will be established.

3.1) Open the configuration for the router in LANconfig and switch to the menu item IP-Router → Masq. → Port forwarding table.

3.2) Save the following parameters:

  • First port: Specify port 500.
  • Last port: Specify port 500.
  • Intranet address: Specify the IP address of the Unified Firewall in the transfer network between the Unified Firewall and the LANCOM router.
  • Protocol: From the drop-down menu, select UDP.

3.3) Create a further entry and specify the UDP port 4500.

3.4) Write the configuration back to the router.
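As an added consistency check (not part of this article or of the LANCOM products), the following Python script validates a set of client-to-site parameters against the rules from sections 1 to 3: distinct local and remote identifiers, a non-empty PSK, local networks in CIDR notation, IKEv2 exchange mode, IPSec-over-HTTPS disabled, a split tunneling target that lies inside the local networks, and, for scenario 2, UDP 500 and 4500 forwarded to the firewall's address in the transfer network. The ClientToSiteConfig structure, the sample values and the transfer-network address 192.168.100.2 are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class ClientToSiteConfig:
    psk: str
    local_identifier: str
    remote_identifier: str
    local_networks: list                       # CIDR strings the client may reach
    split_tunnel_networks: list = field(default_factory=list)
    exchange_mode: str = "IKEv2"
    ipsec_over_https: bool = False

def check_config(cfg):
    """Return the rules of this guide that cfg violates; an empty list means consistent."""
    problems, nets = [], []
    if cfg.local_identifier == cfg.remote_identifier:
        problems.append("local and remote identifier must not match")
    if not cfg.psk:
        problems.append("preshared key is empty")
    for net in cfg.local_networks:
        try:
            nets.append(ipaddress.ip_network(net, strict=True))
        except ValueError:
            problems.append(f"local network {net!r} is not valid CIDR notation")
    if cfg.exchange_mode != "IKEv2":
        problems.append("exchange mode must be IKEv2")
    if cfg.ipsec_over_https:
        problems.append("IPSec-over-HTTPS must be disabled")
    if not cfg.split_tunnel_networks:
        problems.append("no split tunneling network: all client traffic would enter the tunnel")
    for net in cfg.split_tunnel_networks:
        target = ipaddress.ip_network(net, strict=False)
        if not any(target.subnet_of(n) for n in nets if n.version == target.version):
            problems.append(f"split tunneling network {net} is not inside any local network")
    return problems

def missing_forwardings(entries, firewall_ip):
    """Scenario 2: return which of UDP 500/4500 the router table does not forward to firewall_ip."""
    covered = set()
    for e in entries:
        if e["protocol"].upper() == "UDP" and e["intranet_address"] == firewall_ip:
            covered |= {p for p in (500, 4500) if e["first_port"] <= p <= e["last_port"]}
    return sorted({500, 4500} - covered)

# Constructed sample: values from the guide, with the identifier mistake the guide warns about
# and a port forwarding table that only covers UDP 500 so far (step 3.3 not yet done).
SAMPLE = ClientToSiteConfig(psk="example-psk", local_identifier="hq@example.com", remote_identifier="hq@example.com",
                            local_networks=["192.168.3.0/24"], split_tunnel_networks=["192.168.3.0/24"])
SAMPLE_TABLE = [{"first_port": 500, "last_port": 500, "intranet_address": "192.168.100.2", "protocol": "UDP"}]
```

Running check_config(SAMPLE) reports the identical identifiers, and missing_forwardings(SAMPLE_TABLE, "192.168.100.2") reports that UDP 4500 is still unforwarded.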
