Quelle anzeigen

Description:

This article describes how to set up a certificate-based IKEv2 VPN connection between two LANCOM R&S®Unified Firewalls.

The certificate module was updated in LCOS FX 10.7, therefore the corresponding menus differ compared to older LCOS FX versions. The configuration of a certificate-based IKEv2 connection between two Unified Firewalls as of LCOS FX 10.7 is described in the following article:

Setting up a certificate-based IKEv2 VPN connection between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.7)

Rquirements:

Two LANCOM R&S® Unified Firewalls with LCOS FX as of version 10.4 up to and including LCOS FX 10.6
A configured and functional Internet connection on the two Unified Firewalls
Web browser for configuring the Unified Firewall.

The following browsers are supported:
- Google Chrome
- Chromium
- Mozilla Firefox

Scenario:

1) The Unified Firewall is connected directly to the Internet and has a public IPv4 address:

A certificate-based IKEv2 VPN connection should be set up between two Unified Firewalls (headquarters and branch office).
The Unified Firewall at the headquarters has the local network 192.168.1.0/24.
The Unified Firewall at the branch office has the local network 192.168.2.0/24.
The Unified Firewall at the headquarters has the fixed public IP address 81.81.81.81.
The Unified Firewall at the branch office has the fixed public IP address 80.80.80.80.

LANCOM Support Knowledge Base > Setting up a certificate-based IKEv2 VPN connection between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.4 and up to and including LCOS FX 10.6) > Scenario1.png

2) The Unified Firewall is connected to the Internet via an upstream router:

A certificate-based IKEv2 VPN connection should be set up between two Unified Firewalls (headquarters and branch office).
The Unified Firewall at the headquarters has the local network 192.168.1.0/24.
The Unified Firewall at the branch office has the local network 192.168.2.0/24.
The Unified Firewall at the headquarters is connected to a router, which establishes the Internet connection. It has the fixed public IP address 81.81.81.81.
The Unified firewall at the branch office is connected to a router, which establishes the Internet connection. It has the fixed public IP address 80.80.80.80.

LANCOM Support Knowledge Base > Setting up a certificate-based IKEv2 VPN connection between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.4 and up to and including LCOS FX 10.6) > Scenario2.png

Procedure:

The setup for scenarios 1 and 2 are basically the same. Scenario 2 additionally requires port and protocol forwarding to be set up on the upstream router (see section 3).

1) Configuration steps on the Unified Firewall at the headquarters:

1.1) Creating and exporting the certificates:

1.1.1) Use a browser to connect to the Unified Firewall, switch to the menu Certificate Management → Certificates and click on the “+” icon to create a new certificate.

LANCOM Support Knowledge Base > Setting up a certificate-based IKEv2 VPN connection between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.4 and up to and including LCOS FX 10.6) > 1.png

1.1.2) First, create a CA (Certificate Authority). Modify the following parameters for it and then click Create:

Type: From the drop-down menu, select the option CA for VPN/web-server certificate.
Private Key Encryption: Make sure that the option RSA is selected.
Private Key Size: From the drop-down menu, select the option 4096 bit.
Common Name (CN): Set a descriptive common name for the CA.
Validity: Select a validity period for this CA. A CA usually requires a long period of validity, which is why it is set to 5 years in this example.
Private key password: Set a password for the private key. This is used to encrypt the private key.

LANCOM Support Knowledge Base > Setting up a certificate-based IKEv2 VPN connection between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.4 and up to and including LCOS FX 10.6) > 2.png

1.1.3) Next, create a VPN certificate for the headquarters. Modify the following parameters for it and then click Create:

Type: From the drop-down menu, select the option VPN certificate.
Signing CA: From the drop-down menu, select the CA created in step 1.1.2.
Private Key Encryption: Make sure that the option RSA is selected.
Private Key Size: From the drop-down menu, select the option 4096 bit.
Common Name (CN): Set a descriptive common name for certificate at the headquarters.
Validity: Select a validity period for this certificate. A VPN certificate for a site-to-site VPN connection usually requires a long period of validity, which is why it is set to 5 years in this example.
CA password: Enter the private key password set in step 1.1.2.
Private key password: Assign any private key password.

LANCOM Support Knowledge Base > Setting up a certificate-based IKEv2 VPN connection between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.4 and up to and including LCOS FX 10.6) > 3.png

1.1.4) Next, create a VPN certificate for the branch office. Modify the following parameters for it and then click Create:

Type: From the drop-down menu, select the option VPN certificate.
Signing CA: From the drop-down menu, select the CA created in step 1.1.2.
Private Key Encryption: Make sure that the option RSA is selected.
Private Key Size: From the drop-down menu, select the option 4096 bit.
Common Name (CN): Set a descriptive common name for certificate at the branch office.
Validity: Select a validity period for this CA. A VPN certificate for a site-to-site VPN connection usually requires a long period of validity, which is why it is set to 5 years in this example.
CA password: Enter the private key password set in step 1.1.2.
Private key password: Assign any private key password.

LANCOM Support Knowledge Base > Setting up a certificate-based IKEv2 VPN connection between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.4 and up to and including LCOS FX 10.6) > 4.png

1.1.5) Under Certificate management, go to the certificate of the branch office and click the export button.

LANCOM Support Knowledge Base > Setting up a certificate-based IKEv2 VPN connection between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.4 and up to and including LCOS FX 10.6) > 5.png

1.1.6) As the format, select the option PKCS #12 , enter the passwords and click on Export:

Private key password: Enter the private key password that you set in step 1.1.4.
Transport Password: Enter a password. This is required when importing the certificate into the Unified Firewall at the branch office (see step 2.1.2).

LANCOM Support Knowledge Base > Setting up a certificate-based IKEv2 VPN connection between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.4 and up to and including LCOS FX 10.6) > 6.png

1.1.7) Under Certificate management, go to the certificate of the headquarters and click the export button.

LANCOM Support Knowledge Base > Setting up a certificate-based IKEv2 VPN connection between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.4 and up to and including LCOS FX 10.6) > 7.png

1.1.8) As the format, select the option PEM and click on Export.

LANCOM Support Knowledge Base > Setting up a certificate-based IKEv2 VPN connection between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.4 and up to and including LCOS FX 10.6) > 8.png

1.2) Setting up the VPN connection:

1.2.1) Go to the menu VPN → IPsec → IPsec settings.

LANCOM Support Knowledge Base > Setting up a certificate-based IKEv2 VPN connection between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.4 and up to and including LCOS FX 10.6) > 9.png

1.2.2) Use the slider to enable the IPsec functionality and click on Save.

LANCOM Support Knowledge Base > Setting up a certificate-based IKEv2 VPN connection between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.4 and up to and including LCOS FX 10.6) > 10.png

1.2.3) Switch to the menu VPN → IPsec → Connections and click on the “+” icon to create a new VPN connection.

LANCOM Support Knowledge Base > Setting up a certificate-based IKEv2 VPN connection between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.4 and up to and including LCOS FX 10.6) > 11.png

1.2.4) Modify the following parameters:

Name: Set a descriptive name for the VPN connection (in this example IKEv2_Office).
Security Profile: From the drop-down menu, select the security profile LANCOM LCOS Default IKEv2. If necessary, you can at both ends use a different profile.
Connection: Use the drop-down menu to select the Internet connection (in this example Internet)
Remote Gateway: Enter the IP address or the DNS name of the Unified Firewall at the branch office (in this example the IP address 80.80.80.80).

LANCOM Support Knowledge Base > Setting up a certificate-based IKEv2 VPN connection between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.4 and up to and including LCOS FX 10.6) > 12.png

1.2.5) Go to the Tunnels tab and modify the following parameters:

Local networks: Use the “+” icon to store the network address of the local network at the headquarters in CIDR notation (in this example 192.168.1.0/24).
Remote Networks: Use the “+” icon to store the network address of the local network of the branch office in CIDR notation (in this example 192.168.2.0/24).

LANCOM Support Knowledge Base > Setting up a certificate-based IKEv2 VPN connection between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.4 and up to and including LCOS FX 10.6) > 13.png

1.2.6) Go to the Authentication tab, adjust the following parameters and click Create:

Authentication Type: Make sure that the drop-down menu is set to the option Certificate.
Local certificate: From the drop-down menu, select the certificate for the headquarters created in step 1.1.3.
Extended Authentication: Make sure that the option No Extended Authentication is selected.
Remote Certificate: From the drop-down menu, select the certificate for the branch office created in step 1.1.4.

LANCOM Support Knowledge Base > Setting up a certificate-based IKEv2 VPN connection between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.4 and up to and including LCOS FX 10.6) > 14.png

1.2.7) Click the button to create a VPN network.

LANCOM Support Knowledge Base > Setting up a certificate-based IKEv2 VPN connection between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.4 and up to and including LCOS FX 10.6) > 15.png

1.2.8) Modify the following parameters and click Create:

Name: Set a descriptive name for the VPN connection (in this example IKEv2_Office).
Connection type: Select the option IPsec.
IPsec Connection: From the drop-down menu, select the VPN connection created in steps 1.2.4 – 1.2.6.

LANCOM Support Knowledge Base > Setting up a certificate-based IKEv2 VPN connection between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.4 and up to and including LCOS FX 10.6) > 16.png

1.3) Enable communication via the VPN connection in the firewall:

1.3.1) On the desktop, click the VPN network created in step 1.2.8, select the connection tool, and click the network object for which communications should be enabled.

LANCOM Support Knowledge Base > Setting up a certificate-based IKEv2 VPN connection between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.4 and up to and including LCOS FX 10.6) > 17.png

1.3.2) Select the required protocols on the right-hand side and add them using the “+” icon.

LANCOM Support Knowledge Base > Setting up a certificate-based IKEv2 VPN connection between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.4 and up to and including LCOS FX 10.6) > 18.png

1.3.3) Click Create to create the firewall rule.

LANCOM Support Knowledge Base > Setting up a certificate-based IKEv2 VPN connection between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.4 and up to and including LCOS FX 10.6) > 20.png

1.3.4) This concludes the configuration of the Unified Firewall at the headquarters. Finally, implement the changes on the Desktop by clicking Activate.

LANCOM Support Knowledge Base > Setting up a certificate-based IKEv2 VPN connection between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.4 and up to and including LCOS FX 10.6) > 21.png

2) Configuration steps on the Unified Firewall at the branch office:

2.1) Importing the certificates:

2.1.1) Use a browser to connect to the branch-office Unified Firewall, switch to the menu Certificate Management → Certificates and click on the icon for importing a certificate.

LANCOM Support Knowledge Base > Setting up a certificate-based IKEv2 VPN connection between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.4 and up to and including LCOS FX 10.6) > Certificate-Import.png

2.1.2) Under Certificate file, select the branch-office certificate, enter the passwords and click on Import:

Password: Enter the transport password set in step 1.1.6.
New Password: Enter a new password. This is used to encrypt the private key after the import.

LANCOM Support Knowledge Base > Setting up a certificate-based IKEv2 VPN connection between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.4 and up to and including LCOS FX 10.6) > 22.png

2.1.3) Import a further certificate. Under Certificate file, select the certificate for the headquarters and click on Import:

There is no need to enter passwords here, because exporting the headquarters certificate does not require passwords to be set.

LANCOM Support Knowledge Base > Setting up a certificate-based IKEv2 VPN connection between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.4 and up to and including LCOS FX 10.6) > 23.png

2.1.4) After importing the certificates, the Certificate management should look like this.

LANCOM Support Knowledge Base > Setting up a certificate-based IKEv2 VPN connection between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.4 and up to and including LCOS FX 10.6) > 24.png

2.2) Setting up the VPN connection:

2.2.1) Go to the menu VPN → IPsec → IPsec settings.

LANCOM Support Knowledge Base > Setting up a certificate-based IKEv2 VPN connection between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.4 and up to and including LCOS FX 10.6) > 9.png

2.2.2) Use the slider to enable the IPsec functionality and click on Save.

LANCOM Support Knowledge Base > Setting up a certificate-based IKEv2 VPN connection between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.4 and up to and including LCOS FX 10.6) > 10.png

2.2.3) Switch to the menu VPN → IPsec → Connections and click on the “+” icon to create a new VPN connection.

LANCOM Support Knowledge Base > Setting up a certificate-based IKEv2 VPN connection between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.4 and up to and including LCOS FX 10.6) > 11.png

2.2.4) Modify the following parameters:

Name: Set a descriptive name for the VPN connection (in this example IKEv2_Headquarter).
Security Profile: From the drop-down menu, select the security profile LANCOM LCOS Default IKEv2. If necessary, you can use a different profile at both ends.
Connection: Use the drop-down menu to select the Internet connection (in this example Internet)
Remote Gateway: Enter the IP address or the DNS name of the Unified Firewall at the headquarters (in this example the IP address 81.81.81.81).
Set the checkmark next to Initiate Connection, so that the Unified Firewall at the branch office establishes the VPN connection.

LANCOM Support Knowledge Base > Setting up a certificate-based IKEv2 VPN connection between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.4 and up to and including LCOS FX 10.6) > 25.png

2.2.5) Go to the Tunnels tab and modify the following parameters:

Local networks: Use the “+” icon to store the network address of the local network at the headquarters in CIDR notation (in this example 192.168.2.0/24).
Remote Networks: Use the “+” icon to store the network address of the local network of the branch office in CIDR notation (in this example 192.168.1.0/24).

LANCOM Support Knowledge Base > Setting up a certificate-based IKEv2 VPN connection between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.4 and up to and including LCOS FX 10.6) > 26.png

2.2.6) Go to the Authentication tab, adjust the following parameters and click Create:

Authentication Type: Make sure that the drop-down menu is set to the option Certificate.
Local certificate: From the drop-down menu, select the certificate for the branch office imported in step 2.1.2.
Extended Authentication: Make sure that the option No Extended Authentication is selected.
Remote Certificate: From the drop-down menu, select the certificate for the headquarters imported in step 2.1.3.

LANCOM Support Knowledge Base > Setting up a certificate-based IKEv2 VPN connection between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.4 and up to and including LCOS FX 10.6) > 27.png

2.2.7) Click the button Click to create a VPN network.

LANCOM Support Knowledge Base > Setting up a certificate-based IKEv2 VPN connection between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.4 and up to and including LCOS FX 10.6) > 15.png

2.2.8) Modify the following parameters and click Create:

Name: Set a descriptive name for the VPN connection (in this example IKEv2_Headquarter).
Connection type: Select the option IPsec.
IPsec Connection: From the drop-down menu, select the VPN connection created in steps 2.2.4 – 2.2.6.

LANCOM Support Knowledge Base > Setting up a certificate-based IKEv2 VPN connection between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.4 and up to and including LCOS FX 10.6) > 28.png

2.3) Enable communication via the VPN connection in the firewall:

2.3.1) On the desktop, click the VPN network created in step 2.2.8, select the connection tool, and click the network object for which communications should be enabled.

LANCOM Support Knowledge Base > Setting up a certificate-based IKEv2 VPN connection between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.4 and up to and including LCOS FX 10.6) > 29.png

2.3.2) Select the required protocols on the right-hand side and add them using the “+” icon.

LANCOM Support Knowledge Base > Setting up a certificate-based IKEv2 VPN connection between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.4 and up to and including LCOS FX 10.6) > 30.png

2.3.3) Click Create to create the firewall rule.

LANCOM Support Knowledge Base > Setting up a certificate-based IKEv2 VPN connection between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.4 and up to and including LCOS FX 10.6) > 32.png

2.3.4) This concludes the configuration of the Unified Firewall at the headquarters. Finally, implement the changes on the Desktop by clicking Activate.

LANCOM Support Knowledge Base > Setting up a certificate-based IKEv2 VPN connection between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.4 and up to and including LCOS FX 10.6) > 21.png

3) Setting up port and protocol forwarding on a LANCOM router (scenario 2 only):

IPsec requires the use of the UDP ports 500 and 4500 as well as the protocol ESP. These must be forwarded to the Unified Firewall.

Forwarding the UDP ports 500 and 4500 automatically causes the ESP protocol to be forwarded.

If you are using a router from another manufacturer, approach them for information about the appropriate procedure.

If the UDP ports 500 and 4500 and the ESP protocol are forwarded to the Unified Firewall, an IPsec connection to the LANCOM router can only be used if it is encapsulated in HTTPS (IPsec-over-HTTPS). Otherwise, no IPsec connection will be established.

3.1) Open the configuration for the router in LANconfig and switch to the menu item IP router → Masq. → Port forwarding table.

LANCOM Support Knowledge Base > Setting up a certificate-based IKEv2 VPN connection between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.4 and up to and including LCOS FX 10.6) > Portf1.png

3.2) Enter the following parameters:

First port: Specify the port 500.
Last port: Specify the port 500.
Intranet address: Specify the IP address of the Unified Firewall in the intermediate network between the Unified Firewall and the LANCOM router.
Protocol: From the drop-down menu, select UDP.

LANCOM Support Knowledge Base > Setting up a certificate-based IKEv2 VPN connection between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.4 and up to and including LCOS FX 10.6) > Portf2.png

3.3) Create a further entry and specify the UDP port 4500.

LANCOM Support Knowledge Base > Setting up a certificate-based IKEv2 VPN connection between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.4 and up to and including LCOS FX 10.6) > Portf3.png

3.4) Write the configuration back to the router.