Quelle anzeigen

Description:

With a site-to-site VPN connection, one site actively establishes the VPN connection (initiator) while the opposite site accepts the connection (responder).

It is also possible for both sites to be able to actively establish a VPN connection. However, this generally leads to problems because connection requests at the same time in both directions will fail.

This document describes how you can prevent both sides of a VPN connection from simultaneously trying to actively establish a connection.

Requirements:

LCOS ac of version 9 (download)
LANtools as of version 9 (download)

Scenario:

In this example, a site-to-site VPN connection should always be established from the branch office to the headquarters.

LANCOM Support Knowledge Base > How can both sides be prevented from trying to establish a VPN connection at the same time? > scenario.png

Procedure:

1) Make sure that the VPN connection configuration at the responder site page does not include a public IP address or DNS name of the initiator site.

1.1) Open the configuration of the LANCOM router that is the VPN responder (in this example the router at the headquarters).

1.2) Switch to the menu

VPN → IKE/IPSec → Connection list (with IKEv1 connections) or
VPN → IKEv2/IPsec → Connection list (with IKEv2 connections).

1.3) Open the entry for the VPN connection in the list.

1.4) Make sure that the short hold time is set to “0” and the remote “Gateway” field is left empty.

LANCOM Support Knowledge Base > How can both sides be prevented from trying to establish a VPN connection at the same time? > filiale_1e.png

2) On the router that is the VPN responder (in this example the router at the headquarters), create a firewall rule, which prohibits sending IP packets to the remote VPN site as long as no VPN connection is established.

2.1) Open the configuration of the LANCOM router that responds to the VPN connection.

2.2) Navigate to the menu Firewall/QoS → IPv4 rules → Action objects.

2.3) Add a new action object.

LANCOM Support Knowledge Base > How can both sides be prevented from trying to establish a VPN connection at the same time? > vpn_1e.png

2.4) Give the new object a name and, on the Actions tab, click Add.

LANCOM Support Knowledge Base > How can both sides be prevented from trying to establish a VPN connection at the same time? > vpn_2e.png

Set the conditions so that action is only taken if not connected and for VPN route.
The Packet action must be set to Reject.

LANCOM Support Knowledge Base > How can both sides be prevented from trying to establish a VPN connection at the same time? > vpn_3e.png

2.5) Click on OK to save the action object and switch to the menu Firewall/QoS → IPv4 rules → Rules.

2.6) Create a new Firewall rule:

Enter a name for the rule.
Set the Priority to the value 9999. This ensures that this rule is the first to be processed by the LANCOM router.
On the Actions tab, select the action object created in step 2.4.

On the Stations tab, set the Connection source to all stations and the Connection destination as the VPN connection (remote site) to the branch office.

LANCOM Support Knowledge Base > How can both sides be prevented from trying to establish a VPN connection at the same time? > vpn_4e.png

2.7) Save the firewall rule and make sure it is always at the top of the list.

LANCOM Support Knowledge Base > How can both sides be prevented from trying to establish a VPN connection at the same time? > vpn_5e.png

2.8) Write the configuration back to the LANCOM router.