Description:

This article describes how to set up an IKEv2 VPN connection from a Mac/MacBook, using the VPN client integrated into macOS, to a LANCOM R&S®Unified Firewall.


Requirements:


Scenario:

1) The Unified Firewall is connected directly to the Internet and has a public IPv4 address:


2) The Unified Firewall is connected to the Internet via an upstream router:



Procedure:

The setup for scenarios 1 and 2 is basically the same. Scenario 2 additionally requires port and protocol forwarding to be set up on the upstream router (see section 3).


1) Configuration steps on the Unified Firewall:

1.1) Connect to the configuration interface of the Unified Firewall and navigate to the menu VPN → IPsec → IPsec Settings.

1.2) Activate IPsec and the option Proxy ARP, then click Save.

With Proxy ARP active, the Unified Firewall answers ARP requests from the local network for the virtual IP address assigned to the VPN client with its own MAC address. Traffic destined for the VPN client is therefore delivered to the firewall and forwarded through the tunnel, so the client appears to be part of the local network.

1.3) Switch to the menu VPN → IPsec → Connections and click on the “+” icon to create a new IPsec connection.

1.4) Change the following parameters:

If you have created your own template or security profile, you can use these here.

1.5) Change to the Tunnels tab and modify the following parameters:

If the VPN client should be assigned an IP address from a local network instead of an address from the Virtual IP Pool (via the field Virtual IP), route-based IPsec has to be activated and a routing entry for the VPN interface, pointing to the virtual IP address in the local network, has to be created in the Routing Table 254.

1.6) Switch to the tab Authentication, adjust the following parameters and click Create:


The local and remote identifiers must not be identical! On the Mac the two identifiers are used crossed over: the client's Remote ID is the firewall's local identifier, and the client's Local ID is the firewall's remote identifier.


1.7) Click the icon to create a new VPN host.

1.8) Modify the following parameters and then click Create:

1.9) On the Desktop, click on the VPN host, select the “connection tool” icon and then select the network object that the Mac/MacBook should access. This opens the firewall object.

1.10) Use the “+” sign to assign the required protocols to the VPN host and then click Create.

A Unified Firewall follows a deny-all policy: any communication that is not explicitly allowed is blocked. You therefore have to explicitly allow every protocol the VPN host needs.

1.11) Finally, apply the configuration changes by clicking Activate in the firewall.

1.12) This concludes the configuration steps on the Unified Firewall.



2) Manual setup of the VPN connection on the Mac/MacBook:

2.1) Click the System Preferences icon in the Dock of your Mac/MacBook and then switch to the menu Network.

2.2) Click on the “+” icon to create a new network connection.

2.3) Modify the following parameters and then click Create:

2.4) Change the following parameters:

2.5) Go to the menu Authentication Settings.

2.6) Select the option None and, under Shared secret, enter the pre-shared key that you set as the PSK (Preshared Key) in step 1.6. The PSK is the only credential authenticating both sides of this connection, so use a long, random value and do not reuse it for other connections.

2.7) This concludes the configuration of the VPN connection on the Mac/MacBook.
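The same client settings can be delivered as a macOS configuration profile (.mobileconfig) instead of being clicked through in the Network pane, which is useful when several Macs have to be set up identically. The following is an added example, not part of the original article or a LANCOM tool; it writes the profile with the standard library's plistlib. The connection name, server address, identifiers, PSK and the organisation string are assumptions, as are the algorithm values in the SA parameters, which must be matched to the security profile you selected in step 1.4 (the firewall-side values are only shown in the article's screenshots). Note that the profile file contains the PSK in cleartext, so it has to be protected like the key itself.

```python
"""Build a macOS IKEv2/PSK configuration profile for the Unified Firewall connection.

Added example (not from the original article). Every concrete value passed in
below is an assumption; replace it with the values from steps 1.4 and 1.6.
"""
import plistlib
import uuid

# IKE and Child SA parameters. Assumed to match the firewall's security profile;
# adjust EncryptionAlgorithm / IntegrityAlgorithm / DiffieHellmanGroup if not.
SA_PARAMETERS = {
    "EncryptionAlgorithm": "AES-256",
    "IntegrityAlgorithm": "SHA2-256",
    "DiffieHellmanGroup": 14,
    "LifeTimeInMinutes": 1440,
}


def validate(remote_id, local_id, psk, min_psk_len=20):
    """Return a list of problems with the supplied identifiers and PSK (empty = OK)."""
    problems = []
    if remote_id == local_id:
        # The firewall rejects identical local/remote identifiers (step 1.6).
        problems.append("local and remote identifiers must differ")
    if len(psk) < min_psk_len:
        # Our own policy, not a macOS or firewall limit: the PSK is the only credential.
        problems.append("pre-shared key shorter than %d characters" % min_psk_len)
    return problems


def ikev2_psk_profile(name, server, remote_id, local_id, psk, org="example"):
    """Return the profile as a dict; remote_id/local_id are the *client's* view.

    remote_id = the firewall's local identifier (step 1.6)
    local_id  = the firewall's remote identifier (step 1.6)
    """
    problems = validate(remote_id, local_id, psk)
    if problems:
        raise ValueError("; ".join(problems))
    vpn_payload = {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "%s.vpn.ikev2.%s" % (org, name.lower().replace(" ", "-")),
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "UserDefinedName": name,          # service name shown in the Network pane
        "VPNType": "IKEv2",
        "IKEv2": {
            "RemoteAddress": server,        # public IPv4 of the firewall (or the upstream router)
            "RemoteIdentifier": remote_id,
            "LocalIdentifier": local_id,
            "AuthenticationMethod": "SharedSecret",   # machine auth by PSK
            "SharedSecret": psk,
            "ExtendedAuthEnabled": False,   # GUI equivalent: Authentication Settings -> None
            "IKESecurityAssociationParameters": dict(SA_PARAMETERS),
            "ChildSecurityAssociationParameters": dict(SA_PARAMETERS),
        },
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "%s.vpn.ikev2" % org,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "PayloadContent": [vpn_payload],
    }


def to_plist(profile):
    """Serialise the profile to the XML plist format macOS expects."""
    return plistlib.dumps(profile)


if __name__ == "__main__":
    # All values here are placeholders (assumptions), not values from the article.
    profile = ikev2_psk_profile(
        name="Office VPN",
        server="203.0.113.10",
        remote_id="ufw.example.com",
        local_id="mac.example.com",
        psk="replace-with-a-long-random-pre-shared-key",
    )
    with open("office-vpn.mobileconfig", "wb") as f:
        f.write(to_plist(profile))
```

Install the resulting file on the Mac by opening it and confirming it in the Profiles preference pane; the connection then appears in the Network pane exactly as if it had been created in steps 2.2 to 2.6.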



3) Setting up port and protocol forwarding on a LANCOM router (scenario 2 only):

IPsec requires the UDP ports 500 (IKE) and 4500 (IKE with NAT traversal) as well as the ESP protocol (IP protocol 50). These must be forwarded to the Unified Firewall.

On a LANCOM router, forwarding the UDP ports 500 and 4500 automatically causes the ESP protocol to be forwarded as well.

If you are using a router from another manufacturer, approach them for information about the appropriate procedure.


Once the UDP ports 500 and 4500 and the ESP protocol are forwarded to the Unified Firewall, the LANCOM router itself can no longer terminate IPsec connections on these ports: an IPsec connection to the router can then only be established if it is encapsulated in HTTPS (IPsec-over-HTTPS). Otherwise, no IPsec connection to the router will be established.

3.1) Open the configuration for the router in LANconfig and switch to the menu item IP router → Masq. → Port forwarding table.

3.2) Enter the following parameters:

3.3) Create a further entry and specify the UDP port 4500.

3.4) Write the configuration back to the router.