Skip to end of metadata
Go to start of metadata


Description:

This article describes how to set up a certificate-based IKEv2 VPN connection between two LANCOM R&S®Unified Firewalls.


Rquirements:

  • Two LANCOM R&S® Unified Firewalls with LCOS FX as of version 10.4
  • A configured and functional Internet connection on the two Unified Firewalls
  • Web browser for configuring the Unified Firewall.

    The following browsers are supported:
    • Google Chrome
    • Chromium
    • Mozilla Firefox


Scenario:

1) The Unified Firewall is connected directly to the Internet and has a public IPv4 address:

  • A certificate-based IKEv2 VPN connection should be set up between two Unified Firewalls (headquarters and branch office).
  • The Unified Firewall at the headquarters has the local network 192.168.1.0/24.
  • The Unified Firewall at the branch office has the local network 192.168.2.0/24.
  • The Unified Firewall at the headquarters has the fixed public IP address 81.81.81.81.
  • The Unified Firewall at the branch office has the fixed public IP address 80.80.80.80.


2) The Unified Firewall is connected to the Internet via an upstream router:

  • A certificate-based IKEv2 VPN connection should be set up between two Unified Firewalls (headquarters and branch office).
  • The Unified Firewall at the headquarters has the local network 192.168.1.0/24.
  • The Unified Firewall at the branch office has the local network 192.168.2.0/24.
  • The Unified Firewall at the headquarters is connected to a router, which establishes the Internet connection. It has the fixed public IP address 81.81.81.81.
  • The Unified firewall at the branch office is connected to a router, which establishes the Internet connection. It has the fixed public IP address 80.80.80.80.



Procedure:

The setup for scenarios 1 and 2 are basically the same. Scenario 2 additionally requires port and protocol forwarding to be set up on the upstream router (see section 3).


1) Configuration steps on the Unified Firewall at the headquarters:

1.1) Creating and exporting the certificates:

1.1.1) Use a browser to connect to the Unified Firewall, switch to the menu Certificate Management → Certificates and click on the “+” icon to create a new certificate. 

1.1.2) First, create a CA (Certificate Authority). Modify the following parameters for it and then click Create:

  • Type: From the drop-down menu, select the option CA for VPN/web-server certificate.
  • Private Key Encryption: Make sure that the option RSA is selected.
  • Private Key Size: From the drop-down menu, select the option 4096 bit.
  • Common Name (CN): Set a descriptive common name for the CA (in this example IKEv2_CA).
  • Validity: Select a validity period for this CA. A CA usually requires a long period of validity, which is why it is set to 5 years in this example.
  • Private key password: Set a password for the private key. This is used to encrypt the private key.

1.1.3) Next, create a VPN certificate for the headquarters. Modify the following parameters for it and then click Create:

  • Type: From the drop-down menu, select the option VPN certificate.
  • Signing CA: From the drop-down menu, select the CA created in step 1.1.2.
  • Private Key Encryption: Make sure that the option RSA is selected.
  • Private Key Size: From the drop-down menu, select the option 4096 bit.
  • Common Name (CN): Set a descriptive common name for certificate at the headquarters (in this example IKEv2_Headquarter).
  • Validity: Select a validity period for this certificate. A VPN certificate for a site-to-site VPN connection usually requires a long period of validity, which is why it is set to 5 years in this example.
  • CA password: Enter the private key password set in step 1.1.2.
  • Private key password: Set a password for the private key. This is used to encrypt the private key of the VPN certificate.

1.1.4) Next, create a VPN certificate for the branch office. Modify the following parameters for it and then click Create:

  • Type: From the drop-down menu, select the option VPN certificate.
  • Signing CA: From the drop-down menu, select the CA created in step 1.1.2.
  • Private Key Encryption: Make sure that the option RSA is selected.
  • Private Key Size: From the drop-down menu, select the option 4096 bit.
  • Common Name (CN): Set a descriptive common name for certificate at the branch office (in this example IKEv2_Office).
  • Validity: Select a validity period for this CA. A VPN certificate for a site-to-site VPN connection usually requires a long period of validity, which is why it is set to 5 years in this example.
  • CA password: Enter the private key password set in step 1.1.2.
  • Private key password: Set a password for the private key. This is used to encrypt the private key of the VPN certificate.

1.1.5) Under Certificate management, go to the certificate of the branch office and click the export button.

1.1.6) As the format, select the option PKCS #12 , enter the passwords and click on Export:

  • Private key password: Enter the private key password that you set in step 1.1.4.
  • Transport Password: Enter a password. This is required when importing the certificate into the Unified Firewall at the branch office (see step 2.1.2).

1.1.7) Under Certificate management, go to the certificate of the headquarters and click the export button.

1.1.8) As the format, select the option PEM and click on Export.


1.2) Setting up the VPN connection:

1.2.1) Go to the menu VPN → IPsec → IPsec settings.

1.2.2) Use the slider to enable the IPsec functionality and click on Save.

1.2.3) Switch to the menu VPN → IPsec → Connections and click on the “+” icon to create a new VPN connection.

1.2.4) Modify the following parameters:

  • Name: Set a descriptive name for the VPN connection (in this example IKEv2_Office).
  • Security Profile: From the drop-down menu, select the security profile LANCOM LCOS Default IKEv2. If necessary, you can at both ends use a different profile.
  • Connection: Use the drop-down menu to select the Internet connection (in this example Internet)
  • Remote Gateway: Enter the IP address or the DNS name of the Unified Firewall at the branch office (in this example the IP address 80.80.80.80).

1.2.5) Go to the Tunnels tab and modify the following parameters:

  • Local networks: Use the “+” icon to store the network address of the local network at the headquarters in CIDR notation (in this example 192.168.1.0/24).
  • Remote Networks: Use the “+” icon to store the network address of the local network of the branch office in CIDR notation (in this example 192.168.2.0/24). 

1.2.6) Go to the Authentication tab, adjust the following parameters and click Create:

  • Authentication Type: Make sure that the drop-down menu is set to the option Certificate.
  • Local certificate: From the drop-down menu, select the certificate for the headquarters created in step 1.1.3.
  • Extended Authentication: Make sure that the option No Extended Authentication is selected.
  • Remote Certificate: From the drop-down menu, select the certificate for the branch office created in step 1.1.4.

1.2.7) Click the button to create a VPN network.

1.2.8) Modify the following parameters and click Create:

  • Name: Set a descriptive name for the VPN connection (in this example IKEv2_Office).
  • Connection type: Select the option IPsec.
  • IPsec Connection: From the drop-down menu, select the VPN connection created in steps 1.2.4 – 1.2.6.


1.3) Enable communication via the VPN connection in the firewall:

1.3.1) On the desktop, click the VPN network created in step 1.2.8, select the connection tool, and click the network object for which communications should be enabled.

1.3.2) Select the required protocols on the right-hand side and add them using the “+” icon.

 

1.3.3) Click Create to create the firewall rule.

1.3.4) This concludes the configuration of the Unified Firewall at the headquarters. Finally, implement the changes on the Desktop by clicking Activate.



2) Configuration steps on the Unified Firewall at the branch office:

2.1) Importing the certificates:

2.1.1) Use a browser to connect to the branch-office Unified Firewall, switch to the menu Certificate Management → Certificates and click on the icon for importing a certificate.

2.1.2) Under Certificate file, select the branch-office certificate, enter the passwords and click on Import:

  • Password: Enter the transport password set in step 1.1.6.
  • New Password: Enter a new password. This is used to encrypt the private key after the import.

2.1.3) Import a further certificate. Under Certificate file, select the certificate for the headquarters and click on Import:

There is no need to enter passwords here, because exporting the headquarters certificate does not require passwords to be set.

2.1.4) After importing the certificates, the Certificate management should look like this.



2.2) Setting up the VPN connection:

2.2.1) Go to the menu VPN → IPsec → IPsec settings.

2.2.2) Use the slider to enable the IPsec functionality and click on Save.

2.2.3) Switch to the menu VPN → IPsec → Connections and click on the “+” icon to create a new VPN connection.

2.2.4) Modify the following parameters:

  • Name: Set a descriptive name for the VPN connection (in this example IKEv2_Headquarter).
  • Security Profile: From the drop-down menu, select the security profile LANCOM LCOS Default IKEv2. If necessary, you can use a different profile at both ends.
  • Connection: Use the drop-down menu to select the Internet connection (in this example Internet)
  • Remote Gateway: Enter the IP address or the DNS name of the Unified Firewall at the headquarters (in this example the IP address 81.81.81.81).
  • Set the checkmark next to Initiate Connection, so that the Unified Firewall at the branch office establishes the VPN connection.

2.2.5) Go to the Tunnels tab and modify the following parameters:

  • Local networks: Use the “+” icon to store the network address of the local network at the headquarters in CIDR notation (in this example 192.168.2.0/24).
  • Remote Networks: Use the “+” icon to store the network address of the local network of the branch office in CIDR notation (in this example 192.168.1.0/24). 

2.2.6) Go to the Authentication tab, adjust the following parameters and click Create:

  • Authentication Type: Make sure that the drop-down menu is set to the option Certificate.
  • Local certificate: From the drop-down menu, select the certificate for the branch office imported in step 2.1.2.
  • Extended Authentication: Make sure that the option No Extended Authentication is selected.
  • Remote Certificate: From the drop-down menu, select the certificate for the headquarters imported in step 2.1.3.

2.2.7) Click the button Click to create a VPN network.

2.2.8) Modify the following parameters and click Create:

  • Name: Set a descriptive name for the VPN connection (in this example IKEv2_Headquarter).
  • Connection type: Select the option IPsec.
  • IPsec Connection: From the drop-down menu, select the VPN connection created in steps 2.2.4 – 2.2.6.


2.3) Enable communication via the VPN connection in the firewall:

2.3.1) On the desktop, click the VPN network created in step 2.2.8, select the connection tool, and click the network object for which communications should be enabled.

2.3.2) Select the required protocols on the right-hand side and add them using the “+” icon.

 

2.3.3) Click Create to create the firewall rule.

2.3.4) This concludes the configuration of the Unified Firewall at the headquarters. Finally, implement the changes on the Desktop by clicking Activate.



3) Setting up port and protocol forwarding on a LANCOM router (scenario 2 only):

IPsec requires the use of the UDP ports 500 and 4500 as well as the protocol ESP. These must be forwarded to the Unified Firewall.

Forwarding the UDP ports 500 and 4500 automatically causes the ESP protocol to be forwarded.

If you are using a router from another manufacturer, approach them for information about the appropriate procedure.

If the UDP ports 500 and 4500 and the ESP protocol are forwarded to the Unified Firewall, an IPsec connection to the LANCOM router can only be used if it is encapsulated in HTTPS (IPsec-over-HTTPS). Otherwise, no IPsec connection will be established.

3.1) Open the configuration for the router in LANconfig and switch to the menu item IP router → Masq. → Port forwarding table.

3.2) Enter the following parameters:

  • First port: Specify the port 500.
  • Last port: Specify the port 500.
  • Intranet address: Specify the IP address of the Unified Firewall in the intermediate network between the Unified Firewall and the LANCOM router.
  • Protocol: From the drop-down menu, select UDP.

3.3) Create a further entry and specify the UDP port 4500.

3.4) Write the configuration back to the router.