This document describes how to set up an IKEv2 connection between the LANCOM Advanced VPN Client and a LANCOM R&S®Unified Firewall (referred to here as the United Firewall).
1) The Unified Firewall is connected directly to the Internet and has a public IPv4 address:
2) The Unified Firewall is connected to the Internet via an upstream router:
The setup for scenarios 1 and 2 are basically the same. Scenario 2 additionally requires port and protocol forwarding to be set up on the upstream router (see section 3).
1) Configuration steps on the Unified Firewall:
1.1) Connect to the configuration interface of the Unified Firewall and navigate to VPN → IPSec → IPSec Settings.
1.2) Activate IPSec.
1.3) Switch to VPN → IPSec Connections and click on the “+” icon to create a new IPSec connection.
1.4) Save the following parameters:
If you have created your own template or security profile, you can use these here.
1.5) Change to the Tunnels tab and enter the following parameters:
1.6) Change to the Authentication tab and enter the following parameters:
The local and remote identifiers must not match!
The Advanced VPN Client transmits the remote identity as an E-Mail address (ID_RFC822_ADDR). If the @ symbol isn't used in the remote identity, the Unified Firewall can't identify the identity type and the VPN connection can't be established. To enforce the use of the identity type E-Mail it is possible to use the string email: before the identity (e.g. email:home).
1.7) Click the icon to create a new VPN host.
1.8) Save the following parameters:
1.9) In the VPN host click on the "connection" icon and, to open the firewall objects, click on the network object that the Advanced VPN Client should access.
1.10) Use the “+” sign to assign the required protocols to the VPN host.
A Unified Firewall uses a deny-all strategy. You therefore have to explicitly allow communication.
Firewall objects can also be accessed via Desktop → Desktop Connections and clicking on the “edit” icon.
1.11) Implement the configuration changes by clicking Activate in the firewall.
1.12) Change to the menu VPN → IPsec → Connections and click on the button Export this Connection.
If necessary, click on the "double arrow" symbol to toggle in the detailed view where the button for profile export is located.
1.13) Assign an Archive Password to encrypt the exported Zip archive.
1.14) As Gateway enter the public IP address or DNS name of the Unified Firewall (in this case 126.96.36.199).
1.15) Click on Export and save the Zip file to your computer.
1.16) This concludes the configuration steps on the Unified Firewall.
2) Configuring the Advanced VPN Client:
2.1 Unpack the Zip file your exported in step 1.15. In it you will find an *.ini file, which you can import in the LANCOM Advanced VPN Client.
2.2) Open the Advanced VPN Client and navigate to the menu Configuration -> Profiles.
2.3) Click on Add / import to create a new VPN connection.
2.4) Select Profile Import.
2.5) Enter the path where you unpacked the *.ini file (see step 2.1)).
2.6) Click Next.
2.7) Click on Finish to finalize the file import.
2.8) Click on OK to close the Profiles menu.
2.9) The VPN client connection can now be established by clicking on the Connection switch.
3) Setting up port and protocol forwarding on a LANCOM router (scenario 2 only):
IPSec requires the use of the UDP ports 500 and 4500 as well as the protocol ESP. These must be forwarded to the Unified Firewall.
Forwarding the UDP ports 500 and 4500 automatically causes the ESP protocol to be forwarded.
If you are using a router from another manufacturer, ask them about appropriate procedure.
If the UDP ports 500 and 4500 and the ESP protocol are forwarded to the Unified Firewall, an IPSec connection to the LANCOM router can only be used if it is encapsulated in HTTPS (IPSec-over-HTTPS). Otherwise, no IPSec connection will be established.
3.1) Open the configuration for the router in LANconfig and switch to the menu item IP-Router → Masq. → Port forwarding table.
3.2) Save the following parameters:
3.3) Create a further entry and specify the UDP port 4500.
3.4) Write the configuration back to the router.