Description:

This document describes how to set up a VPN-SSL connection (site-to-site) between two LANCOM R&S®Unified Firewalls (referred to in the following as Unified Firewalls).


Requirements:

  • Existing installation on a LANCOM R&S®Unified Firewall with a firmware version up to 10.3
  • A configured and functional Internet connection on each Unified Firewall
  • Web browser for configuring the Unified Firewall.

    The following browsers are supported:
    • Google Chrome
    • Chromium
    • Mozilla Firefox

Please ensure that the address ranges of the local networks being connected via VPN do not overlap with the default networks configured on the Unified Firewall ports (e.g. 192.168.2.0/24, 192.168.3.0/24)!


Scenario:

1. The Unified Firewall is connected directly to the Internet and has a public IPv4 address:
  • A company wants to use an SSL-VPN connection to connect their Unified Firewall at the headquarters to their Unified Firewall at the branch office.
  • The company headquarters has a Unified Firewall as a gateway. It has an Internet connection with the fixed public IP address 81.81.81.1.
  • The local network at the headquarters has the IP address range 192.168.23.0/24.
  • The headquarters is configured as a site-to-site server which accepts inbound SSL-VPN connections.
  • The branch office has a Unified Firewall as a gateway. This has an Internet connection with the fixed public IP address 82.82.82.2.
  • The local network at the branch office has the IP address range 192.168.24.0/24.
  • The branch office is configured as a site-to-site client which initiates outbound SSL-VPN connections.


2. The Unified Firewall is connected to the Internet via an upstream router:
  • A company wants to use an SSL-VPN connection to connect their Unified Firewall at the headquarters to their Unified Firewall at the branch office.
  • The company headquarters has a Unified Firewall as the gateway and an upstream router for the Internet connection. The router has the fixed public IP address 81.81.81.1.
  • The local network at the headquarters has the IP address range 192.168.23.0/24.
  • The headquarters is configured as a site-to-site server which accepts inbound SSL-VPN connections.
  • The branch office has a Unified Firewall as the gateway and an upstream router for the Internet connection. The router has the fixed public IP address 82.82.82.2.
  • The local network at the branch office has the IP address range 192.168.24.0/24.
  • The branch office is configured as a site-to-site client which initiates outbound SSL-VPN connections.

This scenario also includes the “parallel” solution as described in this article.


Procedure:

The setup for scenarios 1 and 2 is basically the same. Scenario 2 additionally requires port forwarding to be set up on the upstream router (see section 3).

1. Configuration steps on the Unified Firewall at the headquarters:

1.1 Connect to the Unified Firewall, switch to the menu Certificate Management → Certificates and click on the “+” icon to create a new certificate.

1.2 Enter the following parameters in order to create a CA:

  • Certificate type: From the drop-down menu, select CA for VPN/web-server certificate.
  • Public key encryption: From the drop-down menu, select RSA.
  • Private key size: Set the value in the drop-down menu to 4096.
  • Common Name (CN): Enter a descriptive common name.
  • Validity: Specify how long the certificate should remain valid. For a CA, the period of validity is usually set to be very high.
  • Private key password: Set a password. This is used to encrypt the private key.


1.3 Create a certificate by clicking on the “+” icon.

  • Certificate type: From the drop-down menu, select VPN certificate.
  • Signing CA: From the drop-down menu, select the CA created in step 1.2.
  • Public key encryption: From the drop-down menu, select RSA.
  • Private key size: Set the value in the drop-down menu to 4096.
  • Common Name (CN): Enter a descriptive common name.
  • Validity: Specify how long the certificate should remain valid.
  • CA password: Enter the private key password set in step 1.2.
  • Private key password: Set a password. This is used to encrypt the private key.

1.4 This certificate has to be exported in *.pem format.

1.5 Create another certificate by clicking on the “+” icon.

  • Certificate type: From the drop-down menu, select VPN certificate.
  • Signing CA: From the drop-down menu, select the CA created in step 1.2.
  • Public key encryption: From the drop-down menu, select RSA.
  • Private key size: Set the value in the drop-down menu to 4096.
  • Common Name (CN): Enter a descriptive common name.
  • Validity: Specify how long the certificate should remain valid.
  • CA password: Enter the private key password set in step 1.2.
  • Private key password: Set a password. This is used to encrypt the private key.

1.6 This certificate has to be exported in PKCS-12 format.

1.7 Switch to the menu VPN → VPN SSL → VPN SSL Settings.

1.8 Enable the VPN SSL service and enter the following parameters:

  • Host certificate: From the drop-down menu, select the VPN certificate created in step 1.3.
  • Routes: The networks that the VPN connection communicates with are entered in CIDR notation (Classless Inter-Domain Routing). In this example, the local network at the headquarters has the IP address range 192.168.23.0/24.
  • Encryption algorithm: On the Site-to-Site tab select AES 256 from the drop-down menu.

If necessary, you can change the protocol and the port. The address pool is the range of IP addresses that are assigned to the dial-in VPN SSL clients. This address range must not already be in use as an internal network in the Unified Firewall.

1.9 Change to the menu VPN → VPN SSL → Connections and click on the “+” icon to create a VPN connection.

1.10 Enable the VPN connection and enter the following parameters:

  • Name: Enter a descriptive name.
  • Certificate: From the drop-down menu, select the VPN certificate created in step 1.5.
  • Connection type: Choose Site-to-site (server).
  • Remote Networks: Add the local network at the branch office (here 192.168.24.0/24) to the list.

If additional networks should be reachable from the branch office via the headquarters (e.g. via a separate VPN connection), these networks have to be entered as Additional Local Networks. The configuration is pushed from the headquarters (server) to the branch office (client), which creates routing entries for the transmitted networks.

1.11 Click the button to create a new VPN host.

1.12 Enter the following parameters:

  • Name: Enter a descriptive name.
  • VPN connection type: Select VPN-SSL.
  • VPN SSL connection: From the drop-down menu, select the VPN connection created in step 1.10.


1.13 In the VPN host, click on the “connection” icon and, to open the firewall objects, click on the network object that the site-to-site VPN connection should access.

1.14 Use the “+” sign to assign the required protocols to the VPN host.

A Unified Firewall uses a deny-all strategy. You therefore have to explicitly allow communication.

Firewall objects can also be accessed via Desktop → Desktop connections and clicking on the “pencil” icon for editing.

1.15 Finally, implement the configuration changes by clicking Activate in the Unified Firewall.

1.16 This concludes the configuration steps on the Unified Firewall at the headquarters.


2. Configuration steps on the Unified Firewall at the branch office:

2.1 First import the two certificates exported from the headquarters Unified Firewall in steps 1.4 and 1.6.

You can do this in the Certificate Management menu using the button with the import icon. The CA and the two certificates are then displayed in the certificate list.

2.2 Switch to the menu VPN → VPN SSL → VPN SSL Settings.

2.3 Enable the VPN SSL service and enter the following parameters:

  • Host certificate: From the drop-down menu, select the VPN certificate for the branch office.
  • Routes: The networks that the VPN connection communicates with are entered in CIDR notation (Classless Inter-Domain Routing). In this example, the local network at the branch office has the IP address range 192.168.24.0/24.
  • Encryption algorithm: On the Site-to-Site tab select AES 256 from the drop-down menu.

If necessary, you can change the protocol and the port. The address pool is the range of IP addresses that are assigned to the dial-in VPN SSL clients. This address range must not already be in use as an internal network in the Unified Firewall.
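The requirements and steps 1.8, 1.10 and 2.3 all hinge on one address plan: the Routes on each side, the Remote Networks on the server, the VPN SSL address pool and the default port networks must not overlap, and the server's Remote Networks must match the client's Routes. The following stand-alone Python check is an added example, not part of this article or of the Unified Firewall software; the sample plan and the 10.99.0.0/24 address pool are constructed values, the default port networks are the ones quoted in the requirements.

```python
import ipaddress
from itertools import combinations

# Constructed sample plan mirroring the article's example addressing; the two default
# port networks are the ones quoted in the requirements, the address pool is assumed.
PLAN = {
    "hq_lan": "192.168.23.0/24",          # headquarters Routes (step 1.8)
    "branch_lan": "192.168.24.0/24",      # branch Routes (2.3) / HQ Remote Networks (1.10)
    "ssl_address_pool": "10.99.0.0/24",   # assumed VPN SSL address pool
    "default_port_net_1": "192.168.2.0/24",
    "default_port_net_2": "192.168.3.0/24",
}

def find_overlaps(named_networks):
    """Return a sorted list of (name_a, name_b) for every pair of networks that overlap."""
    nets = {n: ipaddress.ip_network(c, strict=False) for n, c in named_networks.items()}
    found = []
    for (a, net_a), (b, net_b) in combinations(nets.items(), 2):
        if net_a.overlaps(net_b):
            found.append(tuple(sorted((a, b))))
    return sorted(found)

def validate_plan(plan):
    """Return human-readable problems; an empty list means the address plan is usable."""
    problems = []
    for name, cidr in plan.items():
        try:
            ipaddress.ip_network(cidr, strict=True)  # rejects host bits set, e.g. 192.168.23.1/24
        except ValueError as exc:
            problems.append(f"{name}: {cidr!r} is not a valid network ({exc})")
    if problems:
        return problems
    return [f"{a} ({plan[a]}) overlaps {b} ({plan[b]})" for a, b in find_overlaps(plan)]

def check_site_to_site(server_routes, server_remote_networks, client_routes):
    """The server's Remote Networks must equal the client's Routes, and the server's own
    Routes must not overlap any network it expects behind the client."""
    problems = []
    srv_local = sorted(ipaddress.ip_network(n) for n in server_routes)
    srv_remote = sorted(ipaddress.ip_network(n) for n in server_remote_networks)
    if set(srv_remote) != {ipaddress.ip_network(n) for n in client_routes}:
        problems.append("server Remote Networks do not match the client's Routes")
    for local in srv_local:
        for remote in srv_remote:
            if local.overlaps(remote):
                problems.append(f"local {local} overlaps remote {remote}")
    return problems

if __name__ == "__main__":
    print(validate_plan(PLAN) or "address plan OK")
    print(check_site_to_site(["192.168.23.0/24"], ["192.168.24.0/24"], ["192.168.24.0/24"]) or "site-to-site OK")
```

Run it against your own plan before typing the values into both firewalls; an empty list from both functions means no overlap and consistent Routes/Remote Networks.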

2.4 Change to the menu VPN → VPN SSL → VPN SSL Connections and click on the “+” icon to create a new VPN SSL connection.

2.5 Enable the VPN connection and enter the following parameters:

  • Name: Enter a descriptive name.
  • Certificate: From the drop-down menu, select the VPN certificate for the headquarters.
  • Connection type: Choose Site-to-site (client).
  • Remote addresses: Here you enter the public IP address of the headquarters (in this case 81.81.81.1).

2.6 Click the button to create a new VPN host.

2.7 Enter the following parameters:

  • Name: Enter a descriptive name.
  • VPN connection type: Select VPN-SSL.
  • VPN SSL connection: From the drop-down menu, select the VPN SSL connection created in step 2.5.

2.8 In the VPN host, click on the “connection” icon and open the firewall objects by clicking on the network object that the headquarters should access.

2.9 Use the “+” sign to assign the required protocols to the VPN host.

A Unified Firewall uses a deny-all strategy. You therefore have to explicitly allow communication.

2.10 Finally, implement the configuration changes by clicking Activate in the Unified Firewall.
2.11 This concludes the configuration steps on the Unified Firewall at the branch office.


3. Setting up port forwarding on the LANCOM router (scenario 2 only):

Site-to-site VPN SSL uses TCP port 49152 by default. This port must be forwarded to the Unified Firewall.

The port for SSL VPN can be changed in the Unified Firewall.

If you are using a router from another manufacturer, approach them for information about the appropriate procedure.

3.1 Open the configuration of the router in LANconfig and switch to the menu item IP router → Masq. → Port forwarding table.

3.2 Enter the following parameters:

  • First port: Enter port 49152.
  • Last port: Enter port 49152.
  • Intranet address: Specify the IP address of the Unified Firewall in the transfer network between the Unified Firewall and the LANCOM router.
  • Protocol: From the drop-down menu, select TCP.

3.3 Write the configuration back to the router.