Quelle anzeigen

Description:

You wish to use the LANCOM Advanced VPN Client to establish a VPN dial-in connection to a LANCOM remote device. The connection should only be established after the entry of user name and password.

In 2019 the IETF (Internet Engineering Task Force) has designated IKEv1 as deprecated and insecure and therefore it should not be used anymore. LANCOM Systems instead recommends to use the current standard IKEv2.

The IKEv1 functionality in LANCOM devices remains intact and can still be used for scenarios where devices without IKEv2 support are used. However LANCOM Systems will not provide any support regarding the troubleshooting of connection problems with IKEv1 connections. Also there won't be any bug fixes or new features for IKEv1.

In rare cases a disconnect can occur during rekeying. In such a case it can be useful to increase the lifetimes, so that the disconnects occur less often.

Requirements:

LCOS as of version 7.60 (download latest version)
LANtools as of version 7.60 (download latest version)
LANCOM Advanced VPN Client as of version 2.0 (download latest version)
The configuration outlined here assumes the existence of a fully configured VPN dial-up connection without XAUTH extension (IKEv1 Agressive mode).

Procedure:

Configuration steps on the LANCOM router:

1) Open the configuration in LANconfig and navigate to the menu Configuration → VPN → General → Connection list.

2) Highlight the entry for the VPN client connection in the list and click Edit.

3) In the XAUTH field, select the option Server. Now close the dialog window with the OK button.

4) Go to the menu VPN → IKE auth. → IKE keys and identities.

5) Open the entry in the list for the VPN client connection and, in the fields for Local identity type and Remote identity type, select for each one the option Key ID (group name). The fields of Local identity and Remote identity must contain a value (e.g. the word zentrale (Headquarters)).

6) In order for XAUTH to be able to query a user name and password, an entry must be added to the PPP list under Communication → Protocols → PPP list.

7) Here, the Remote site is set as the name of the VPN connection from the connection list in the drop-down menu. No user name is entered here. Enter a password into the field for the password. Finally, the IP routing must be enabled.

8) Close the dialog using the OK button and write the new configuration back to the LANCOM router.

Configuring the LANCOM Advanced VPN Client

1) Open the VPN client profile in the menu Configuration → Profiles.

2) Go to the Identities menu. In the section Local Identity (IKE), set the Type to Free string used to identify groups and enter the ID as the value which you entered in the router configuration step 5. In this example it is zentrale (Headquarters).

3) Additionally enable the option Extended Authentication (XAUTH). By leaving the username and password fields empty here, the login credentials must be entered here every time a VPN connection is made.

4) Store the profile with the OK button.

5) A dialog requesting the user data is displayed before the VPN connection is established. The user name you enter here is the VPN remote site that you selected in the router configuration step 7. The password is the one you set in the router configuration step 7.

Supplementary information:

XAUTH does not increase the security of the VPN connection itself. However, this extension prevents unauthorized access to the company network by means of unprotected or password-cracked devices. Password protection under Windows is relatively weak. Even if you can get around the user password, there is not yet a connection to the company network.

XAUTH can also be used in combination with certificates. The configuration of XAUTH is the same. The only difference is that the setting is changed to use certificates when a client dials in.