Description:

This document uses an example to describe how to set up an IKEv1 VPN connection between a LANCOM R&S®Unified Firewall and a FRITZ!Box in order to connect the two local networks (site-to-site).

In 2019 the IETF (Internet Engineering Task Force) designated IKEv1 as deprecated and insecure; it should therefore no longer be used. LANCOM Systems recommends using the current standard IKEv2 instead.

The IKEv1 functionality in LANCOM devices remains intact and can still be used in scenarios where devices without IKEv2 support are involved. However, LANCOM Systems does not provide support for troubleshooting connection problems with IKEv1 connections, and there will be no bug fixes or new features for IKEv1.

In rare cases a disconnect can occur during rekeying. In such a case it can be useful to increase the SA lifetimes so that rekeying, and with it the disconnects, occurs less often.




Requirements:
  • LANCOM R&S®Unified Firewall with LCOS FX 10.4 or later
  • AVM FRITZ!Box with firmware version 7.12 or later
  • A configured and functional Internet connection on the Unified Firewall and the FRITZ!Box.
  • A web browser for access to the web interface of the Unified Firewall and the FRITZ!Box.


Scenario:

1) The Unified Firewall is connected directly to the Internet and has a public IPv4 address:

  • A company wants to use an IKEv1 site-to-site connection to connect its branch office, where an AVM FRITZ!Box operates as the Internet gateway, to its company headquarters.
  • The company headquarters has a Unified Firewall as a gateway with an Internet connection with the fixed public IP address 81.81.81.81.
  • The FRITZ!Box at the branch office should establish the VPN connection to the headquarters. The router has the fixed public IP address 82.82.82.82.
  • The local network at the headquarters has the IP address range 192.168.66.0/24.
  • The local network at the branch office has the IP address range 192.168.178.0/24.


2) The Unified Firewall is connected to the Internet via an upstream router:

  • A company wants to use an IKEv1 site-to-site connection to connect its branch office, where an AVM FRITZ!Box operates as the Internet gateway, to its company headquarters.
  • The company headquarters has a Unified Firewall as the gateway and an upstream router for the Internet connection. The router has the fixed public IP address 81.81.81.81.
  • The FRITZ!Box at the branch office should establish the VPN connection to the headquarters. The router has the fixed public IP address 82.82.82.82.
  • The local network at the headquarters has the IP address range 192.168.66.0/24.
  • The local network at the branch office has the IP address range 192.168.178.0/24.



Procedure:

The setup for scenarios 1 and 2 is basically the same. Scenario 2 additionally requires port and protocol forwarding to be set up on the upstream router (see section 3).

1) Configuration steps on the Unified Firewall:

1.1) Connect to the configuration interface of the Unified Firewall and navigate to VPN → IPSec → IPSec Settings.

1.2) Activate IPSec.

1.3) Open the menu VPN → Security Profiles and create a copy of the existing profile "IKEv1 VPN-B" by clicking on the copy icon.

1.4) Enter a descriptive name and set the following parameters:

  • IKE-Version: IKEv1 must be selected here because the FRITZ!Box does not support IKEv2 VPN connections.
  • Encryption Algorithms: Select the algorithms AES-CBC 128 bit (aes128) and AES-CBC 192 bit (aes192).
  • Authentication Algorithms: Select the algorithm SHA1 HMAC 96 bit (sha1).
  • DH-Groups: Select the groups DH Group 02 (modp1024) and DH Group 14 (modp2048). DH group 2 is outdated and should not normally be used; the FRITZ!Box, however, requires it to establish the connection.
  • SA Lifetime: Set the value to 3600 seconds.

1.5) In the IPsec (ESP) tab, add the option SHA1 HMAC 96 bit (sha1) as Authentication Algorithm and set the SA lifetime to 7200 seconds.

In FRITZ!OS 7.28, support for AES XCBC 96 bit was removed. Adding the algorithm SHA1 HMAC 96 bit (sha1) ensures that a VPN connection can still be established with FRITZ!OS 7.28 or later.

1.6) Save the configuration.

1.7) Switch to VPN → IPSec → Connections and click on the “+” icon to create a new IPSec connection.

1.8) Enter the following parameters:

  • Name: Enter a descriptive name.
  • Security Profile: Select the profile you configured in step 1.4.
  • Connection: From the drop-down menu, select the Network connection used for the Internet connection.
  • Remote Gateway: Enter the public IP address or DNS name of the FRITZ!Box (82.82.82.82 in this example).

1.9) Change to the Tunnels tab and enter the following parameters:

  • Local Networks: Here you enter the local networks (in CIDR notation) that the remote station should reach. In this example, the local network at the headquarters has the IP address range 192.168.66.0/24.
  • Remote Networks: Here you enter the networks (in CIDR notation) on the remote side that the local network should reach. In this example, the local network at the branch office has the IP address range 192.168.178.0/24.

1.10) Change to the Authentication tab and enter the following parameters:

  • Authentication Type: Select the option PSK (Preshared Key).
  • PSK (Preshared Key): Set a preshared key for this connection.
  • Local Identifier: Set the local identifier.
  • Remote identifier: Set the remote identifier.

The local and remote identifiers must not match!


1.11) Save the settings.

1.12) Click the icon to create a new VPN host.

1.13) Enter the following parameters:

  • Name: Enter a descriptive name.
  • VPN Connection Type: Select the type IPSec.
  • IPSec Connection: From the drop-down menu under IPSec, select the VPN connection created in steps 1.8 - 1.11.

1.14) In the VPN host, click on the "connection" icon and then click on the network object that the site-to-site connection should be able to access; this opens the firewall objects for that connection. Repeat this step for every network that the branch office should be able to reach.

1.15) Use the “+” sign to assign the required protocols to the VPN host.

A Unified Firewall uses a deny-all strategy. You therefore have to explicitly allow communication.

Firewall objects can also be accessed via Desktop → Desktop Connections and clicking on the “edit” icon.

1.16) Finally, implement the configuration changes by clicking Activate in the firewall.

1.17) This concludes the configuration steps on the Unified Firewall.



2) Configuring the VPN connection on the FRITZ!Box:

2.1) Use the configuration file attached below and adjust the following items in a text editor:
  • name: Enter a name for the VPN connection.
  • always_renew: Enter yes here, so that the FRITZ!Box actively re-establishes the VPN connection after a disconnect.
  • remoteip: Enter the public IP address of the headquarters, i.e. of the Unified Firewall in scenario 1 or of the upstream router in scenario 2. In this example, this is the IP address 81.81.81.81.
  • localid: Enter the Remote Identifier configured on the Unified Firewall (see step 1.10).
  • remoteid: Enter the Local Identifier configured on the Unified Firewall (see step 1.10).
  • key: Here you enter the preshared key that you set in step 1.10.
  • phase2localid: Here you enter the address of the local network at the FRITZ!Box and the corresponding netmask. In this example, the network address is 192.168.178.0 and the netmask is 255.255.255.0.
  • phase2remoteid: Here you enter the address of the local network at the headquarters (behind the Unified Firewall) and the corresponding netmask. In this example, the network address is 192.168.66.0 and the netmask is 255.255.255.0.
  • accesslist: Since all devices in the remote network are to be reachable, set this parameter to permit ip any 192.168.66.0 255.255.255.0.
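The import file for step 2.1, assembled from the scenario parameters, as an added example that is not part of the original article and not AVM's or LANCOM's own code. The section and key names follow AVM's vpncfg import format; the connection name, the identifiers "branch" and "hq" and the placeholder PSK are assumptions standing in for the values chosen in step 1.10. The generator enforces the two points that are easy to get wrong when editing the file by hand: remoteip is the headquarters address 81.81.81.81 (not the FRITZ!Box's own address), and localid/remoteid are the Unified Firewall's identifiers swapped.

```python
"""Build a FRITZ!Box VPN import file (vpncfg) for the site-to-site scenario.

Added example, not part of the original LANCOM article and not AVM's or
LANCOM's code. Key names follow AVM's vpncfg import format; the addresses
are the ones from the scenario. The identifiers "branch" and "hq" and the
PSK are constructed stand-ins for the values chosen in step 1.10.
"""
import ipaddress
from textwrap import dedent
from typing import Tuple


def cidr_to_ipnet(cidr: str) -> Tuple[str, str]:
    """Convert a CIDR prefix (Unified Firewall notation) into the
    address / netmask pair the FRITZ!Box expects for phase2 identities."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    return str(net.network_address), str(net.netmask)


def build_vpncfg(name: str, hq_public_ip: str, branch_net: str, hq_net: str,
                 psk: str, branch_id: str, hq_id: str) -> str:
    """Return the vpncfg text for the FRITZ!Box at the branch office.

    Identifiers are mirrored relative to the Unified Firewall: the FRITZ!Box
    localid is the firewall's Remote Identifier and the FRITZ!Box remoteid
    is the firewall's Local Identifier (step 1.10).
    """
    if branch_id == hq_id:
        raise ValueError("local and remote identifiers must not match")
    if not psk or '"' in psk:
        raise ValueError("PSK must be non-empty and must not contain quotes")
    ipaddress.IPv4Address(hq_public_ip)        # remoteip is the HQ side
    local_addr, local_mask = cidr_to_ipnet(branch_net)
    remote_addr, remote_mask = cidr_to_ipnet(hq_net)
    return dedent(f"""\
        vpncfg {{
            connections {{
                enabled = yes;
                conn_type = conntype_lan;
                name = "{name}";
                always_renew = yes;
                reject_not_encrypted = no;
                dont_filter_netbios = yes;
                localip = 0.0.0.0;
                local_virtualip = 0.0.0.0;
                remoteip = {hq_public_ip};
                remote_virtualip = 0.0.0.0;
                localid {{
                    fqdn = "{branch_id}";
                }}
                remoteid {{
                    fqdn = "{hq_id}";
                }}
                mode = phase1_mode_idp;
                phase1ss = "all/all/all";
                keytype = connkeytype_pre_shared;
                key = "{psk}";
                cert_do_server_auth = no;
                use_nat_t = yes;
                use_xauth = no;
                use_cfgmode = no;
                phase2localid {{
                    ipnet {{
                        ipaddr = {local_addr};
                        mask = {local_mask};
                    }}
                }}
                phase2remoteid {{
                    ipnet {{
                        ipaddr = {remote_addr};
                        mask = {remote_mask};
                    }}
                }}
                phase2ss = "esp-all-all/ah-none/comp-all/pfs";
                accesslist = "permit ip any {remote_addr} {remote_mask}";
            }}
            ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                                "udp 0.0.0.0:4500 0.0.0.0:4500";
        }}
    """)


def scenario_config() -> str:
    """The file for this article's scenario: the FRITZ!Box at the branch
    (192.168.178.0/24) dials the headquarters at 81.81.81.81, behind which
    the Unified Firewall fronts the network 192.168.66.0/24."""
    return build_vpncfg(
        name="HQ-Unified-Firewall",
        hq_public_ip="81.81.81.81",
        branch_net="192.168.178.0/24",
        hq_net="192.168.66.0/24",
        psk="replace-with-a-long-random-psk",  # placeholder, not a real key
        branch_id="branch",                     # = Remote Identifier in 1.10
        hq_id="hq",                             # = Local Identifier in 1.10
    )


if __name__ == "__main__":
    with open("fritzbox_to_hq.cfg", "w") as fh:
        fh.write(scenario_config())
```

Running the script writes fritzbox_to_hq.cfg, which is then imported in steps 2.2 to 2.5. The phase1ss/phase2ss values are AVM's permissive defaults; the proposals actually used are negotiated against the profile from step 1.4, which is why that profile must still offer DH group 2 and SHA1.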

2.2) Open the configuration interface for the FRITZ!Box and navigate to the menu item Internet → VPN.
2.3) Add a new VPN connection.
2.4) Select the option Import a VPN configuration from an existing VPN setup file. Click on Next.
2.5) Upload the newly created configuration file to the FRITZ!Box.
2.6) After uploading the configuration file, the FRITZ!Box establishes the VPN connection to the Unified Firewall.


3) Setting up port and protocol forwarding on a LANCOM router (scenario 2 only):

IPSec requires the UDP ports 500 (IKE) and 4500 (NAT-T) as well as the protocol ESP (IP protocol 50). These must be forwarded to the Unified Firewall.

Forwarding the UDP ports 500 and 4500 automatically causes the ESP protocol to be forwarded.

If you are using a router from another manufacturer, ask that manufacturer for the appropriate procedure.

Once the UDP ports 500 and 4500 and the ESP protocol are forwarded to the Unified Firewall, an IPSec connection terminating on the LANCOM router itself can only be used if it is encapsulated in HTTPS (IPSec-over-HTTPS). Otherwise no IPSec connection to the router will be established.

3.1) Open the configuration for the router in LANconfig and switch to the menu item IP-Router → Masq. → Port forwarding table.

3.2) Enter the following parameters:

  • First port: Specify the port 500.
  • Last port: Specify the port 500.
  • Intranet address: Specify the IP address of the Unified Firewall in the transfer network between the Unified Firewall and the LANCOM router.
  • Protocol: From the drop-down menu, select UDP.

3.3) Create a further entry and specify the UDP port 4500.

3.4) Write the configuration back to the router.