Description:

VPN rules (phase 2) are used to announce which networks are allowed to intercommunicate through a VPN tunnel.

In some cases it may be necessary to manually customize the rules created by the Setup Wizard, for example when establishing a VPN connection to a third-party router, or when only some of the available local networks should be allowed to communicate through the VPN tunnel.

This document describes how to manually customize VPN rules (phase 2).

After the VPN rules are changed, the VPN connection is interrupted and restarted. These changes should therefore only be carried out during scheduled downtime.

If erroneous values are entered, the VPN connection can no longer be established. It must therefore be ensured that the affected routers remain reachable even without the VPN connection!



Requirements:


Procedure:

1) Create the VPN rules:

1.1) Open the configuration for the router in LANconfig and switch to the menu item VPN → General → Network rules.

1.2) Go to the menu IPv4 rules.

For clarity when more than four networks are involved, LANCOM Systems recommends creating several IPv4 rules and grouping them into an IPv4 rule list. The IPv4 rule list, rather than the individual IPv4 rule, is then assigned to the VPN remote site (see step 2).

1.3) Enter a descriptive name.

1.4) Under Local networks, select the networks which are available to the router and which the remote site should be able to access.

Instead of selecting the network objects, you can also specify the network address in CIDR notation (e.g. 192.168.1.0/24). Multiple networks are separated by a comma (e.g. 192.168.1.0/24,192.168.2.0/24).

1.5) For Remote networks, select the VPN remote (either VPN / IKE / IPSec / VPN connections with IKEv1 or VPN / IKEv2 / IPSec / VPN connections with IKEv2).

The VPN remote uses the IPv4 routing table (IP router → Routing → IPv4 routing table) to determine which networks it may communicate with at the other end.

Instead of selecting the VPN remotes, you can also specify the remote address in CIDR notation (e.g. 192.168.3.0/24). Multiple networks are separated by a comma (e.g. 192.168.3.0/24,192.168.4.0/24).



2) Assign the VPN rule to the VPN remote:

The VPN remotes for IKEv1 and IKEv2 are located in different menus.


2.1) IKEv1:

2.1.1) Navigate to the menu VPN → IKE/IPSec → Connection list.

2.1.2) Change the following parameters for the VPN remote:


2.2) IKEv2:

2.2.1) Navigate to the menu VPN → IKEv2/IPSec → Connection list.

2.2.2) Change the following parameters for the VPN remote:



3) Exclude duplicate VPN rules:

Duplicate rules for the same VPN connection (e.g. one created by the Setup Wizard and one created manually) can cause problems; in the worst case the VPN connection is not established at all. This must be avoided.

Go to Firewall/QoS → IPv4 rules → Rules and make sure that there are no VPN rules that already apply to the VPN connection being customized (e.g. WIZ-VPN-NETWORKS).

If a VPN rule is valid for several VPN connections and the rules for one of those connections need to be customized, a separate VPN rule has to be created for each of the individual VPN connections.
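Two of the steps above are easy to get wrong before the tunnel is restarted: the comma-separated CIDR lists typed into the Local networks and Remote networks fields (steps 1.4 and 1.5), and the check for duplicate rules that already cover the same connection (step 3). The following Python script is an added example, not LANCOM code and not part of this document's procedure; it models the rule entries as plain dictionaries with constructed sample values (the rule names and networks are assumptions, with WIZ-VPN-NETWORKS taken from the text above), validates every CIDR entry the way the router would need it, and reports rule pairs whose local/remote coverage overlaps, so the conflict is found offline rather than by the VPN connection failing to come up.

```python
import ipaddress
from itertools import combinations

# Constructed sample rules for this example (not taken from any real device).
# "local" and "remote" hold the comma-separated CIDR lists exactly as they would be
# typed into the Local networks / Remote networks fields in LANconfig.
SAMPLE_RULES = [
    {"name": "WIZ-VPN-NETWORKS",   # rule left behind by the Setup Wizard
     "local": "192.168.1.0/24,192.168.2.0/24", "remote": "192.168.3.0/24"},
    {"name": "BRANCH-MANUAL",      # hand-made rule for the same tunnel (assumed name)
     "local": "192.168.1.0/24", "remote": "192.168.3.0/24,192.168.4.0/24"},
    {"name": "HQ-PARTNER",         # unrelated rule, must not be reported (assumed name)
     "local": "10.0.0.0/8", "remote": "172.16.0.0/12"},
]


def parse_cidr_list(text):
    """Parse a comma-separated CIDR list such as '192.168.1.0/24,192.168.2.0/24'.

    strict=True rejects entries with host bits set (e.g. 192.168.1.5/24), and empty
    entries (a doubled comma) are rejected too, so a typo is caught before the
    tunnel is restarted with a rule it cannot negotiate.
    """
    networks = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty entry in CIDR list %r" % text)
        try:
            networks.append(ipaddress.IPv4Network(item, strict=True))
        except ValueError as exc:
            raise ValueError("invalid network %r: %s" % (item, exc)) from None
    return networks


def rule_pairs(rule):
    """Expand a rule into every (local, remote) network pair it permits."""
    local = parse_cidr_list(rule["local"])
    remote = parse_cidr_list(rule["remote"])
    return [(loc, rem) for loc in local for rem in remote]


def find_self_overlaps(rule):
    """Local networks that overlap one of the rule's own remote networks.

    The same prefix cannot sit on both ends of the tunnel, so any hit here is
    almost certainly a mistyped entry.
    """
    return [(str(loc), str(rem)) for loc, rem in rule_pairs(rule) if loc.overlaps(rem)]


def find_duplicate_rules(rules):
    """Report every pair of rules that both cover an overlapping local/remote pair.

    Returns tuples (rule_a, rule_b, local, remote) with the networks taken from
    rule_a, in the order the rules were given. An empty list means no duplicates.
    """
    hits = []
    for a, b in combinations(rules, 2):
        for la, ra in rule_pairs(a):
            for lb, rb in rule_pairs(b):
                if la.overlaps(lb) and ra.overlaps(rb):
                    hits.append((a["name"], b["name"], str(la), str(ra)))
    return hits


if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        for loc, rem in find_self_overlaps(rule):
            print("%s: local %s overlaps remote %s" % (rule["name"], loc, rem))
    for a, b, loc, rem in find_duplicate_rules(SAMPLE_RULES):
        print("duplicate: %s and %s both permit %s <-> %s" % (a, b, loc, rem))
```

Run as written, the script reports that WIZ-VPN-NETWORKS and BRANCH-MANUAL both permit 192.168.1.0/24 <-> 192.168.3.0/24, which is exactly the wizard-plus-manual duplicate step 3 tells you to remove; the unrelated HQ-PARTNER rule is not reported. Overlap rather than equality is checked on purpose, because a wizard rule covering 192.168.0.0/16 silently duplicates a manual rule for 192.168.1.0/24.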