Quelle anzeigen

Description:

This document describes how to set up a policy-based IKEv2 connection (site-to-site) between two LANCOM R&S®Unified Firewalls.

Setting up a route-based IKEv2 VPN connection between two Unified Firewalls is described in the following knowledge base article:

Setting up a route-based IKEv2 VPN connection (site-to-site) between two LANCOM R&S®Unified Firewalls

The differences between policy-based and route-based IPSec are described in the following Knowledge Base article:

Differences between policy-based and route-based IPSec with LANCOM R&S®Unified Firewalls

Requirements:

LANCOM R&S®Unified Firewall as of LCOS FX 10.4
A configured and functional Internet connection on each Unified Firewall
Any web browser for accessing the web interface of the Unified Firewall

Scenario:

The Unified Firewalls are connected directly to the Internet and have a public IPv4 address:

A company wants to connect its branch office, which operates a LANCOM R&S®Unified Firewall, via an IKEv2 site-to-site connection to the company headquarters, which also operates a LANCOM R&S®Unified
The branch office has an Internet connection with the fixed public IP address 81.81.81.81.
The headquarters has an Internet connection with the fixed public IP address 82.82.82.82.
The Unified Firewall at the headquarters should establish the VPN connection to the branch office.
The local network at the headquarters has the IP address range 168.50.0/23.
The local network at the branch office has the IP address range 168.66.0/24.

If the Unified Firewall uses an upstream LANCOM router to connect to the Internet, then the upstream device has to be set to forward its inbound UDP ports 4500 and 500 to the WAN IP address of the Unified Firewall. If a router from another manufacturer is used, the protocol ESP has to be forwarded to the Unified Firewall as well.

LANCOM Support Knowledge Base > Setting up a policy-based IKEv2 VPN connection (site-to-site) between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.4) > Scenario.png

Procedure:

1) Configuration steps on the Unified Firewall at the headquarters:

1.1) Connect to the configuration interface of the Unified Firewall and navigate to VPN → IPSec → IPSec Settings.

LANCOM Support Knowledge Base > Setting up a policy-based IKEv2 VPN connection (site-to-site) between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.4) > 1.png

1.2) Activate IPSec.

LANCOM Support Knowledge Base > Setting up a policy-based IKEv2 VPN connection (site-to-site) between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.4) > 2.png

1.3) Switch to VPN → IPSec → Connections and click on the “+” icon to create a new IPSec connection.

LANCOM Support Knowledge Base > Setting up a policy-based IKEv2 VPN connection (site-to-site) between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.4) > 3.png

1.4) Save the following parameters:

Name: Enter a descriptive name.
Security Profile: Select the security profile, e.g. LANCOM LCOS Default IKEv2.
Connection: From the drop-down menu, select the Network connection used for the Internet connection.
Remote Gateway: Enter the public IP address or public DNS address of the branch office.
In this example the Unified Firewall at the headquarters should establish the VPN connection, so you select the option Initiate connection.

If you have created your own template or security profile, you can use these here.

The preconfigured security profile IKEv2 Suite-B-GCM-256 (RFC 6379) should not be used, as both the IKE as well as the IPSec lifetime (SA Lifetime) have the value 0. This can cause connection problems.

LANCOM Support Knowledge Base > Setting up a policy-based IKEv2 VPN connection (site-to-site) between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.4) > VPN-Headquarter-Encryption1.png

1.5) Change to the Tunnels tab and enter the following parameters:

Local Networks: Here you enter the local networks (in CIDR notation) that the remote station should reach. In this example, the local network at the headquarters has the IP address range 192.168.50.0/23.
Remote Networks: Here you enter the local networks (in CIDR notation) that the remote station should reach. In this example, the local network at the branch office has the IP address range 192.168.66.0/24.

LANCOM Support Knowledge Base > Setting up a policy-based IKEv2 VPN connection (site-to-site) between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.4) > VPN-Headquarter-Encryption2.png

1.6) Change to the Authentication tab and enter the following parameters:

Authentication Type: Select the option PSK (Preshared Key).
PSK (Preshared Key): Set a preshared key for this connection.
Local Identifier: Set the local identifier.
Remote identifier: Set the remote identifier.

The local and remote identifiers must not match!

LANCOM Support Knowledge Base > Setting up a policy-based IKEv2 VPN connection (site-to-site) between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.4) > VPN-Headquarter-Encryption3.png

1.7) Click the icon to create a new VPN host.

LANCOM Support Knowledge Base > Setting up a policy-based IKEv2 VPN connection (site-to-site) between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.4) > 7.png

1.8) Save the following parameters:

Name: Enter a descriptive name.
VPN Connection Type: Select the type IPSec.
IPSec Connection: From the drop-down menu under IPSec, select the VPN connection created in steps 1.4 - 1.6.

LANCOM Support Knowledge Base > Setting up a policy-based IKEv2 VPN connection (site-to-site) between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.4) > 8.png

1.9) In the VPN host click on the "connection" icon and, to open the firewall objects, click on the network object that the object (the site-to-site connection) should access. Repeat this step for every network that the branch should be able to access.

LANCOM Support Knowledge Base > Setting up a policy-based IKEv2 VPN connection (site-to-site) between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.4) > 9.png

1.10) Use the “+” sign to assign the required protocols to the VPN host.

A Unified Firewall uses a deny-all strategy. You therefore have to explicitly allow communication.

LANCOM Support Knowledge Base > Setting up a policy-based IKEv2 VPN connection (site-to-site) between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.4) > 10.png

1.11) Finally, implement the configuration changes by clicking Activate in the firewall.

LANCOM Support Knowledge Base > Setting up a policy-based IKEv2 VPN connection (site-to-site) between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.4) > 11.png

1.12) This concludes the configuration steps on the Unified Firewall at the headquarters.

2) Configuration steps on the Unified Firewall at the branch office:

2.1) Connect to the configuration interface of the Unified Firewall and navigate to VPN → IPSec → IPSec Settings.

LANCOM Support Knowledge Base > Setting up a policy-based IKEv2 VPN connection (site-to-site) between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.4) > 17.png

2.2) Activate IPSec.

LANCOM Support Knowledge Base > Setting up a policy-based IKEv2 VPN connection (site-to-site) between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.4) > 18.png

2.3) Switch to VPN → IPSec → Connections and click on the “+” icon to create a new IPSec connection.

LANCOM Support Knowledge Base > Setting up a policy-based IKEv2 VPN connection (site-to-site) between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.4) > 19.png

2.4) Save the following parameters:

Name: Enter a descriptive name.
Security Profile: Select the security profile, e.g. LANCOM LCOS Default IKEv2.
Connection: From the drop-down menu, select the Network connection used for the Internet connection.
Remote Gateway: Enter the public IP address or public DNS address of the headquarters.

If you have created your own template or security profile, you can use these here.

The preconfigured security profile IKEv2 Suite-B-GCM-256 (RFC 6379) should not be used, as both the IKE as well as the IPSec lifetime (SA Lifetime) have the value 0. This can cause connection problems.

LANCOM Support Knowledge Base > Setting up a policy-based IKEv2 VPN connection (site-to-site) between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.4) > VPN-Office-Encryption1.png

2.5) Change to the Tunnels tab and enter the following parameters:

Local Networks: Here you enter the local networks (in CIDR notation) that the remote station should reach. In this example, the local network at the branch office has the IP address range 192.168.66.0/24.
Remote Networks: Here you enter the local networks (in CIDR notation) that the remote station should reach. In this example, the local network at the headquarters has the IP address range 192.168.50.0/23.

LANCOM Support Knowledge Base > Setting up a policy-based IKEv2 VPN connection (site-to-site) between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.4) > VPN-Office-Encryption2.png

1.6) Change to the Authentication tab and enter the following parameters:

Authentication Type: Select the option PSK (Preshared Key).
PSK (Preshared Key): Set the same preshared key for this connection as for the headquarters (see step 1.6)
Local Identifier: Set the local identifier.
Remote identifier: Set the remote identifier.

The local and remote identifiers must not match!

LANCOM Support Knowledge Base > Setting up a policy-based IKEv2 VPN connection (site-to-site) between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.4) > VPN-Office-Encryption3.png

2.7) Click the icon to create a new VPN host.

LANCOM Support Knowledge Base > Setting up a policy-based IKEv2 VPN connection (site-to-site) between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.4) > 23.png

2.8) Save the following parameters:

Name: Enter a descriptive name.
VPN Connection Type: Select the type IPSec.
IPSec Connection: From the drop-down menu under IPSec, select the VPN connection created in steps 2.4 - 2.6.

LANCOM Support Knowledge Base > Setting up a policy-based IKEv2 VPN connection (site-to-site) between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.4) > 24.png

2.9) In the VPN host click on the "connection" icon and, to open the firewall objects, click on the network object that the object (the site-to-site connection) should access. Repeat this step for every network that the branch should be able to access.

LANCOM Support Knowledge Base > Setting up a policy-based IKEv2 VPN connection (site-to-site) between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.4) > 25.png

2.10) Use the “+” sign to assign the required protocols to the VPN host.

A Unified Firewall uses a deny-all strategy. You therefore have to explicitly allow communication.

LANCOM Support Knowledge Base > Setting up a policy-based IKEv2 VPN connection (site-to-site) between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.4) > 26.png

2.11) Finally, implement the configuration changes by clicking Activate in the firewall.

LANCOM Support Knowledge Base > Setting up a policy-based IKEv2 VPN connection (site-to-site) between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.4) > 27.png

2.12) This concludes the configuration steps on the Unified Firewall at the branch office.

The VPN connection to the headquarters is established now.