Skip to end of metadata
Go to start of metadata


Description:

With a site-to-site VPN connection, one site actively establishes the VPN connection (initiator) while the opposite site accepts the connection (responder).

It is also possible for both sites to be able to actively establish a VPN connection. However, this generally leads to problems because connection requests at the same time in both directions will fail.

This document describes how you can prevent both sides of a VPN connection from simultaneously trying to actively establish a connection.


Requirements:


Scenario:

In this example, a site-to-site VPN connection should always be established from the branch office to the headquarters.


Procedure:

1) Make sure that the VPN connection configuration at the responder site page does not include a public IP address or DNS name of the initiator site.

1.1) Open the configuration of the LANCOM router that is the VPN responder (in this example the router at the headquarters).

1.2) Switch to the menu

  • VPN → IKE/IPSec → Connection list (with IKEv1 connections) or
  • VPN → IKEv2/IPsec → Connection list (with IKEv2 connections).

1.3) Open the entry for the VPN connection in the list.

1.4) Make sure that the short hold time is set to “0” and the remote “Gateway” field is left empty.

2) On the router that is the VPN responder (in this example the router at the headquarters), create a firewall rule, which prohibits sending IP packets to the remote VPN site as long as no VPN connection is established.

2.1) Open the configuration of the LANCOM router that responds to the VPN connection.

2.2) Navigate to the menu Firewall/QoS → IPv4 rules → Action objects.

2.3) Add a new action object.

2.4) Give the new object a name and, on the Actions tab,  click Add.

  • Set the conditions so that action is only taken if not connected and for VPN route.
  • The Packet action must be set to Reject.

2.5) Click on OK to save the action object and switch to the menu Firewall/QoS → IPv4 rules → Rules.

2.6) Create a new Firewall rule:

  • Enter a name for the rule.
  • Set the Priority to the value 9999. This ensures that this rule is the first to be processed by the LANCOM router.
  • On the Actions tab, select the action object created in step 2.4.

On the Stations tab, set the Connection source to all stations and the Connection destination as the VPN connection (remote site) to the branch office.

2.7) Save the firewall rule and make sure it is always at the top of the list.

2.8) Write the configuration back to the LANCOM router.