Description:

This article describes how to set up an IKEv2 connection using a Mac/MacBook with the VPN client integrated in macOS to a LANCOM R&S®Unified Firewall.


Requirements:

  • LANCOM R&S®Unified Firewall with LCOS FX as of version 10.4
  • A configured and functional Internet connection on the Unified Firewall
  • Apple MacBook or Mac with macOS as of version 11 Big Sur (including Macs with the Apple M1 processor)
  • Web browser for configuring the Unified Firewall.

    The following browsers are supported:
    • Google Chrome
    • Chromium
    • Mozilla Firefox


Scenario:

1) The Unified Firewall is connected directly to the Internet and has a public IPv4 address:

  • A company wants its sales representatives to have access to the corporate network via an IKEv2 client-to-site connection.
  • The employees use MacBooks.
  • The company headquarters has a Unified Firewall as a gateway. It has an Internet connection with the fixed public IP address 81.81.81.81.
  • The local network at the headquarters has the IP address range 192.168.1.0/24.


2) The Unified Firewall is connected to the Internet via an upstream router:

  • A company wants its sales representatives to have access to the corporate network via an IKEv2 client-to-site connection.
  • The employees use MacBooks.
  • The company headquarters has a Unified Firewall as the gateway and an upstream router for the Internet connection. The router has the fixed public IP address 81.81.81.81.
  • The local network at the headquarters has the IP address range 192.168.1.0/24.



Procedure:

The setup for scenarios 1 and 2 is basically the same. Scenario 2 additionally requires port and protocol forwarding to be set up on the upstream router (see section 3).


1) Configuration steps on the Unified Firewall:

1.1) Connect to the configuration interface of the Unified Firewall and navigate to the menu VPN → IPsec → IPsec Settings.

1.2) Activate IPsec and the option Proxy ARP, then click Save.

With proxy ARP active, the Unified Firewall answers ARP requests from the local network for the virtual IP address of a connected VPN client with its own MAC address. Traffic addressed to the client is therefore delivered to the firewall and forwarded through the tunnel, so VPN clients can be reached as if they were part of the local network.

1.3) Switch to the menu VPN → IPsec → Connections and click on the “+” icon to create a new IPsec connection.

1.4) Change the following parameters:

  • Name: Enter a descriptive name.
  • Security Profile: Here you select the ready-made profile Apple iOS 12+.
  • Connection: Select your configured Internet connection.

If you have created your own template or security profile, you can use these here.

1.5) Change to the Tunnels tab and modify the following parameters:

  • Local networks: Using CIDR notation, specify the local networks to be accessed by the VPN client (in this example the local network at the headquarters with the address range 192.168.1.0/24).
  • Virtual IP Pool: Select the option Default virtual IP pool. Virtual IP pools can be used to send IP address configurations to connected VPN clients.

If the VPN client is to receive an IP address from a local network (via the field Virtual IP) instead of an address from the Virtual IP Pool, Route-based IPsec has to be activated and a routing entry for the VPN interface pointing to that virtual IP address in the local network has to be created in Routing Table 254.

1.6) Switch to the tab Authentication, adjust the following parameters and click Create:

  • Authentication Type: Select the option PSK (Preshared Key).
  • PSK (Preshared Key): Set a preshared key for this connection. With PSK authentication this key is the only secret protecting the connection, so use a long, randomly generated key rather than a password-like phrase.
  • Local Identifier: Set the local identity as an FQUN (in this example headquarter@lancom.de).
  • Remote Identifier: Set the remote identifier as an FQUN (in this example macbook@lancom.de).

The local and remote identifiers must not match!

1.7) Click the icon to create a new VPN host.

1.8) Modify the following parameters and then click Create:

  • Name: Enter a descriptive name.
  • VPN Connection Type: Select the type IPsec.
  • IPsec Connection: From the drop-down menu, select the VPN connection created in steps 1.4 - 1.6.

1.9) On the Desktop, click on the VPN host, select the “connection tool” icon and then select the network object that the Mac/MacBook should access. This opens the firewall rules for the connection between the two objects.

1.10) Use the “+” sign to assign the required protocols to the VPN host and then click Create.

A Unified Firewall uses a deny-all strategy. You therefore have to explicitly allow communication.

1.11) Finally, apply the configuration changes by clicking Activate in the firewall.

1.12) This concludes the configuration steps on the Unified Firewall.



2) Manual setup of the VPN connection on the Mac/MacBook:

2.1) Click the System Preferences icon in the Dock of your Mac/MacBook and then switch to the menu Network. (As of macOS 13 Ventura, System Preferences is called System Settings; the VPN configuration is found under Network there as well.)

2.2) Click on the “+” icon to create a new network connection.

2.3) Modify the following parameters and then click Create:

  • Interface: From the drop-down menu, select the option VPN.
  • VPN Type: From the drop-down menu, select the option IKEv2.
  • Service Name: Give the VPN connection a descriptive name.

2.4) Change the following parameters:

  • Server address: Specify the public IPv4 address or the DNS name where the Unified Firewall can be reached (in this example 81.81.81.81).
  • Remote ID: Enter the remote ID as an FQUN. This is the Local Identifier configured on the Unified Firewall in step 1.6, in this example headquarter@lancom.de.
  • Local ID: Enter the local ID as an FQUN. This is the Remote Identifier configured on the Unified Firewall in step 1.6, in this example macbook@lancom.de.

2.5) Go to the menu Authentication Settings.

2.6) Select the option None (no user authentication, so the Mac does not prompt for a user name and password) and, under Shared secret, enter the preshared key that you set as the PSK (Preshared Key) in step 1.6.

2.7) This concludes the configuration of the VPN connection on the Mac/MacBook.
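
The settings from steps 1.6 and 2.3 to 2.6 can also be delivered to the MacBooks as a configuration profile (.mobileconfig) instead of being typed in by each sales representative. The following shell script is an added example and is not part of this article or of LANCOM's or Apple's tooling: it renders such a profile using Apple's documented IKEv2 VPN payload keys, with the identifiers crossed over as described above (the Mac's Remote ID is the firewall's Local Identifier and vice versa), and refuses identical identifiers, which step 1.6 forbids. The organization name, the com.example payload identifier prefix, the sample preshared key and the output file name are placeholders.

```shell
#!/bin/sh
# Added example (not LANCOM or Apple code): render a macOS .mobileconfig
# for the IKEv2 PSK connection configured in steps 1.6 and 2.3-2.6.
set -eu

# Portable UUID: uuidgen (macOS, util-linux), else the kernel's generator,
# else a visible placeholder that must be replaced.
new_uuid() {
  if command -v uuidgen >/dev/null 2>&1; then
    uuidgen
  elif [ -r /proc/sys/kernel/random/uuid ]; then
    cat /proc/sys/kernel/random/uuid
  else
    echo "00000000-0000-4000-8000-000000000000"
  fi
}

# Minimal XML escaping for values placed inside <string> elements.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# render_ikev2_profile NAME SERVER REMOTE_ID LOCAL_ID PSK
#   NAME       Service Name shown in the Network pane (step 2.3)
#   SERVER     public IPv4 address or DNS name of the Unified Firewall (step 2.4)
#   REMOTE_ID  the firewall's Local Identifier from step 1.6 (headquarter@lancom.de)
#   LOCAL_ID   the firewall's Remote Identifier from step 1.6 (macbook@lancom.de)
#   PSK        the preshared key from step 1.6
# "None" plus Shared secret in the GUI (step 2.6) corresponds to
# AuthenticationMethod SharedSecret with ExtendedAuthEnabled false.
render_ikev2_profile() {
  name=$1 server=$2 remote_id=$3 local_id=$4 psk=$5

  # Step 1.6: the two identifiers must differ, otherwise the firewall rejects the peer.
  if [ "$remote_id" = "$local_id" ]; then
    echo "error: remote and local identifier must not match" >&2
    return 1
  fi
  if [ -z "$psk" ]; then
    echo "error: preshared key is empty" >&2
    return 1
  fi

  payload_uuid=$(new_uuid)
  profile_uuid=$(new_uuid)

  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.vpn.ikev2.$payload_uuid</string>
      <key>PayloadUUID</key><string>$payload_uuid</string>
      <key>PayloadDisplayName</key><string>$(xml_escape "$name")</string>
      <key>UserDefinedName</key><string>$(xml_escape "$name")</string>
      <key>VPNType</key><string>IKEv2</string>
      <key>IKEv2</key>
      <dict>
        <key>RemoteAddress</key><string>$(xml_escape "$server")</string>
        <key>RemoteIdentifier</key><string>$(xml_escape "$remote_id")</string>
        <key>LocalIdentifier</key><string>$(xml_escape "$local_id")</string>
        <key>AuthenticationMethod</key><string>SharedSecret</string>
        <key>SharedSecret</key><string>$(xml_escape "$psk")</string>
        <key>ExtendedAuthEnabled</key><false/>
        <key>DeadPeerDetectionRate</key><string>Medium</string>
      </dict>
    </dict>
  </array>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>com.example.vpn.ikev2</string>
  <key>PayloadUUID</key><string>$profile_uuid</string>
  <key>PayloadDisplayName</key><string>$(xml_escape "$name") (IKEv2)</string>
  <key>PayloadOrganization</key><string>Example Corp</string>
</dict>
</plist>
EOF
}

# Values from the article; the preshared key is a constructed placeholder.
out="${TMPDIR:-/tmp}/headquarters-ikev2.mobileconfig"
render_ikev2_profile "Headquarters VPN" "81.81.81.81" \
  "headquarter@lancom.de" "macbook@lancom.de" "replace-with-a-long-random-psk" > "$out"
echo "profile written to $out"
```

Install the generated file by double-clicking it (or with `open`) and approving it under Profiles in System Preferences. The profile deliberately sets no IKE or child SA algorithms, so macOS uses its defaults, exactly as the manual setup above does; if the firewall's security profile requires other algorithms, add IKESecurityAssociationParameters and ChildSecurityAssociationParameters accordingly. The file contains the preshared key in clear text, so distribute it over a trusted channel and delete it after installation.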



3) Setting up port and protocol forwarding on a LANCOM router (scenario 2 only):

IPsec requires the use of the UDP ports 500 and 4500 as well as the protocol ESP. These must be forwarded to the Unified Firewall.

Forwarding the UDP ports 500 and 4500 automatically causes the ESP protocol to be forwarded.

If you are using a router from another manufacturer, approach them for information about the appropriate procedure.

Once UDP ports 500 and 4500 and the ESP protocol are forwarded to the Unified Firewall, the LANCOM router itself can no longer terminate IPsec connections on these ports; an IPsec connection to the router is then only possible if it is encapsulated in HTTPS (IPsec-over-HTTPS). Otherwise, no IPsec connection to the router will be established.

3.1) Open the configuration for the router in LANconfig and switch to the menu item IP router → Masq. → Port forwarding table.

3.2) Enter the following parameters:

  • First port: Specify the port 500.
  • Last port: Specify the port 500.
  • Intranet address: Specify the IP address of the Unified Firewall in the intermediate network between the Unified Firewall and the LANCOM router.
  • Protocol: From the drop-down menu, select UDP.

3.3) Create a further entry and specify the UDP port 4500.

3.4) Write the configuration back to the router.