Description:

This document describes how to configure an Advanced Mesh VPN connection on LANCOM routers.

For information about LANCOM Advanced Mesh, see the LCOS Reference Manual.

Requirements:

Scenario:

  • The scenario consists of two branches (A and B) with public IPv4 addresses and a central site (Headquarters) that also has a public IPv4 address.
  • The two branches have already set up a static IKEv2 VPN tunnel to the headquarters, and this is running.
  • The VPN peer at each of the branches is called “HEADQUARTERS”.
  • Branch A has the subnet 192.168.1.0/24 called “INTRANET”.
  • Branch B has the subnet 192.168.2.0/24 called “INTRANET”.

Procedure:

1. Configuration steps at branch office A:

1.1 Create a new entry, e.g. “MESH-TEMPLATE”, in the IKEv2 connection list under VPN → IKEv2/IPsec → Connection list.

This entry serves as a template from which the dynamic mesh tunnels take their parameters.

1.2 The Short hold time is the period of data inactivity after which a dynamic Mesh-VPN tunnel is disconnected, e.g. 300 seconds.

Do not disable the short hold time by setting it to 0: dynamic Mesh-VPN tunnels would then never be torn down after inactivity and would permanently occupy VPN licenses.

1.3 Leave the remote gateway blank as it is set dynamically.

1.4 The Routing parameter announces the local network to the opposite branch through the mesh tunnel; in this scenario this is the network “INTRANET”.

  • To do this, create a new entry in the “IPv4 Routing” table under VPN → IKEv2/IPsec → Extended settings.
  • Set the name to (e.g.) “INTRANET-ROUTING” and, in the field Network, select the local network to be used as the Mesh-VPN, for example “INTRANET”.

1.5  Go to the Authentication settings.

  • Create a new entry, e.g. “MESH”.
  • Enter the local identifier of the branch and the PSK used for all dynamic mesh tunnels. The PSK must be identical on all branches that take part in the mesh VPN.
  • Leave the field “Remote identifier” blank and select the option “No identity” for the Remote identifier type, so that every incoming identity presenting the correct PSK is accepted as a mesh tunnel. Because the remote identity is not checked, the PSK is the only secret that protects the mesh: use a long, randomly generated PSK and treat it as a shared credential of all branches.

1.6 Set the VPN rules to “ANY” or, for the IPv4 rules, to “RAS-WITH-NETWORK-SELECTION”. Either way the tunnel is negotiated with the network rule 0.0.0.0/0 <=> 0.0.0.0/0; which networks are actually reachable through the mesh tunnel is determined by the IPv4 routing entry from step 1.4.

1.7 Set Rule creation to “Manual”.
1.8 Now configure the Mesh-VPN parameters under VPN → IKEv2/IPsec → Extended settings → Advanced Mesh VPN.

1.9 Set the Operation mode to “Spoke”.

1.10 Under VPN peer template select the previously created IKEv2 peer as a template for the Mesh-VPN tunnel.

1.11 Under Detect on VPN peers, select the VPN peer of the existing tunnel to the headquarters (“HEADQUARTERS” in this scenario). Traffic seen on this peer is what triggers the setup of a dynamic mesh tunnel.

1.12 Write the configuration back to the router at branch office A.

2. Configuration steps at branch office B:

2.1 The configuration is performed in the same way as for branch A (steps 1.1 to 1.11), with one difference:

2.2 In the Authentication settings, set the Local identifier to the identifier of branch B. The PSK stays the same as at branch A.

3. Configuration steps at the headquarters:

3.1 Since the headquarters itself does not establish dynamic mesh tunnels, no peer template is required there.

  • Under VPN → IKEv2/IPsec → Extended settings → Advanced Mesh VPN, set the Operation mode to “Hub”.

3.2 Write the configuration back to the router at the headquarters.

If you now send traffic from branch A to branch B, the first packets take the detour via the headquarters. The branch router detects this traffic on the HEADQUARTERS peer and then sets up the dynamic mesh tunnel directly between the two branches; subsequent packets use the direct tunnel until it is torn down after the short hold time.

Note that a ping to the LAN IP address of the router at the other end does not trigger a mesh tunnel. The destination must be a station in the remote LAN (which need not actually exist), for example 192.168.2.10 when testing from branch A.
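The following is an added example and not LANCOM code or an LCOS API: a Python consistency check over the settings from steps 1 to 3 across all sites (one hub, several spokes), plus a helper that picks a ping target at the far end that will trigger a mesh tunnel rather than the remote router's own address. The Site field names, the sample PSK and the minimum PSK length are assumptions made for this illustration; the site definitions are constructed to match the scenario above.

```python
"""Consistency checks for a LANCOM Advanced Mesh VPN design (one hub, several spokes).

Added example: this is not LANCOM code and does not talk to a router. The
Site fields mirror the LANconfig settings named in the procedure; the field
names, the sample PSK and MIN_PSK_LEN are assumptions for this illustration.
"""
import ipaddress
from dataclasses import dataclass, field

MIN_PSK_LEN = 20  # assumption: with "No identity", the PSK is the only secret


@dataclass
class Site:
    name: str
    mode: str                                   # "Hub" or "Spoke"
    peers: list = field(default_factory=list)   # static IKEv2 peers already configured
    local_identifier: str = ""
    psk: str = ""
    remote_identifier: str = ""
    remote_identifier_type: str = ""            # expected "No identity" on spokes
    remote_gateway: str = ""                    # must stay blank in the template
    short_hold_time: int = 0                    # seconds; 0 disables the hold time
    rule_creation: str = ""
    vpn_rules: str = ""
    routed_networks: list = field(default_factory=list)  # "IPv4 Routing" entries
    peer_template: str = ""                     # "VPN peer template"
    detect_on_peer: str = ""                    # "Detect on VPN peers"


def check_mesh(sites):
    """Return a list of findings; an empty list means the design is consistent."""
    findings = []
    hubs = [s for s in sites if s.mode == "Hub"]
    spokes = [s for s in sites if s.mode == "Spoke"]
    if len(hubs) != 1:
        findings.append("exactly one site must run in Hub mode")
    # All spokes share one PSK, and it must be strong: the remote identifier
    # is not checked, so anyone holding the PSK can join the mesh.
    if len({s.psk for s in spokes}) > 1:
        findings.append("PSK differs between spokes")
    ids = [s.local_identifier for s in spokes]
    if len(set(ids)) != len(ids):
        findings.append("local identifiers are not unique across spokes")
    for s in spokes:
        if len(s.psk) < MIN_PSK_LEN:
            findings.append(f"{s.name}: PSK shorter than {MIN_PSK_LEN} characters")
        if s.remote_identifier or s.remote_identifier_type != "No identity":
            findings.append(f"{s.name}: remote identifier must be blank with type 'No identity'")
        if s.remote_gateway:
            findings.append(f"{s.name}: remote gateway must stay blank (set dynamically)")
        if s.short_hold_time <= 0:
            findings.append(f"{s.name}: short hold time 0 keeps mesh tunnels up forever")
        if s.rule_creation != "Manual":
            findings.append(f"{s.name}: rule creation must be 'Manual'")
        if s.vpn_rules not in ("ANY", "RAS-WITH-NETWORK-SELECTION"):
            findings.append(f"{s.name}: VPN rules must be ANY or RAS-WITH-NETWORK-SELECTION")
        if not s.routed_networks:
            findings.append(f"{s.name}: no local network in the IPv4 Routing table")
        if not s.peer_template:
            findings.append(f"{s.name}: no VPN peer template selected")
        if s.detect_on_peer not in s.peers:
            findings.append(f"{s.name}: 'Detect on VPN peers' names an unknown peer")
    # Routed networks must not overlap, or the mesh routes would be ambiguous.
    nets = [(s.name, ipaddress.ip_network(n)) for s in spokes for n in s.routed_networks]
    for i, (a, na) in enumerate(nets):
        for b, nb in nets[i + 1:]:
            if na.overlaps(nb):
                findings.append(f"{a} and {b}: overlapping networks {na} and {nb}")
    return findings


def trigger_destination(remote_network, remote_router_ip):
    """Pick an address that triggers a mesh tunnel: a LAN station at the far
    end (it need not exist), never the remote router's own LAN address."""
    net = ipaddress.ip_network(remote_network)
    router = ipaddress.ip_address(remote_router_ip)
    for host in net.hosts():
        if host != router:
            return str(host)
    raise ValueError("network has no host address besides the router")


def spoke(name, ident, network, **overrides):
    """Constructed spoke following steps 1.1 to 1.11; overrides inject mistakes."""
    cfg = dict(name=name, mode="Spoke", peers=["HEADQUARTERS"], local_identifier=ident,
               psk="Ch9x-Qm2Lp7Rt4Vw8Zb3Nk6Ys1Hd5Gf",  # constructed sample PSK
               remote_identifier_type="No identity", short_hold_time=300,
               rule_creation="Manual", vpn_rules="ANY", routed_networks=[network],
               peer_template="MESH-TEMPLATE", detect_on_peer="HEADQUARTERS")
    cfg.update(overrides)
    return Site(**cfg)


def scenario():
    """The page's scenario: two spokes plus the headquarters as hub."""
    return [spoke("Branch-A", "branch-a", "192.168.1.0/24"),
            spoke("Branch-B", "branch-b", "192.168.2.0/24"),
            Site(name="HQ", mode="Hub")]


if __name__ == "__main__":
    print("good design:", check_mesh(scenario()) or "no findings")
    broken = scenario()
    broken[1] = spoke("Branch-B", "branch-a", "192.168.1.0/24", short_hold_time=0)
    for f in check_mesh(broken):
        print("finding:", f)
    print("ping target from A to B:", trigger_destination("192.168.2.0/24", "192.168.2.1"))
```

Run the script as-is to see the clean scenario pass and a deliberately broken branch B (duplicate identifier, duplicate subnet, short hold time 0) produce findings. To verify the mesh on the real routers, ping the address returned by trigger_destination from a LAN host at branch A, wait a few seconds, and check the IKEv2 status of both branches for a second, dynamically created peer next to HEADQUARTERS.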