Description: 

This document describes how to configure a VPN load balancer operating two VPN connections that are divided between two WAN connections, as required by the load. This configuration example is adaptable for more than two WAN connections.


Requirements:


Scenario:

  • A link is to be established between a branch office and the headquarters based on two IKEv2 site-to-site VPN connections using VPN load balancing to spread the load of the data traffic between them.
  • The branch office has two WAN connections, which should be used for WAN load balancing and also for VPN load balancing.
  • All of the LANCOM routers in the following scenarios have at least a basic configuration and can be reached in their respective LAN (or via the WAN).
  • The required WAN connections are already operational at both ends.

Diagram showing IKEv2 connections between WAN public IP addresses and LAN setups at headquarters and an office, with connection to the internet highlighted. 


Procedure:

1) Configuring IKEv2 connections and VPN load balancing on the branch office router:

1.1) Open the Setup Wizard on the LANCOM router at the branch office and select Connect two local area networks (VPN).

An image of a Setup Wizard interface for configuring office software, featuring options for internet access, voiceovers, VPN, dynamic DNS, VoIP provider access, and security settings. 

1.2) In the next dialog, select the exchange mode IKEv2.

Screenshot displaying a VPN setup wizard interface, prompting to connect two local area networks via VPN for secure data transmission using LANCOM devices, with options for IKEv1 and IKEv2 exchange modes. 

1.3) In this example, we do not use IPSec-over-HTTPS.

Screenshot of a VPN setup wizard interface showing options to connect two local area networks using IPSec over HTTPS technology, with additional settings for mobile provider connections and firewall passthrough configurations. 

1.4) In the next dialog, enter the name of the LANCOM router at the remote site. In this example it is HEADQUARTER.

An image of a setup wizard interface for Office, showing options to connect two local area networks via VPN and fields for entering router identifiers and naming a remote device as HEADQUARTER. 

1.5) To establish an encrypted VPN connection, we need an identity that is known to both sites.

In this example, the identity is the e-mail address office@company.com.

Screenshot of a VPN setup wizard interface prompting for fully qualified username as a unique identity for establishing an encrypted VPN connection between two local area networks. 

1.6) Create passwords for the local and the remote identity.

Image showing a setup wizard interface for Office with fields for connecting two local area networks via VPN, including fields for VPN authentication and entry spaces for local and remote passwords. 

1.7) Since the LANCOM router at the branch office should establish the VPN connection to the headquarters, you need to choose the upper option.

Image showing a configuration menu for setting up a VPN connection between two local area networks with options to specify connection initiation and handling interruptions. 

1.8) The gateway needs to be set to the public IP address (or the DNS name) of the LANCOM router at the headquarters.

Because the local network in the headquarters has the address range 192.168.100.0/24, this needs to be entered into the fields Address and Netmask.

A user interface for configuring a VPN connection, including fields for entering a remote gateway IP address, DNS name, address, netmask, and options for DNS forwarding. 

1.9) Click on Finish to close the Wizard and write the configuration back to the LANCOM router.

Screenshot of the Setup Wizard for Office interface with partial instructions for completing necessary settings, displaying text fields for user input. 

1.10) Open the configuration for the LANCOM router, switch to the menu item IP router → Routing and enable load balancing.

1.11) Create a new entry for WAN load balancing with the name LB_WAN and two WAN remote sites INTERNET and INTERNET2.

Screenshot of a technical configuration interface showing options for routing, load balancing, timed route control, and various network services settings. 

1.12) Navigate to the menu IP router → Routing → IPv4 routing table.

  • Configure the default routes for the two Internet connections and the WAN load balancer as shown in the following figure.

Each of the two Internet connections receives its own routing tag in order to bind a VPN tunnel to an Internet connection.

Image displaying a technical configuration interface for managing remote IP networks, including options for timed control settings and default routing based on time and day.

1.13) Switch to the menu VPN → IKEv2/IPSec → Authentication.

  • Select the entry for the headquarters and click on Copy.
  • Change the name of the new entry to HEADQUARTER_2, for example.
  • Change the e-mail address of local and remote identities to office_2@company.com.

Detailed interface of a technical VPN configuration software showing various settings including network rules, VPN connections, firewalls, and authentication protocols.

1.14) Switch to the menu VPN → IKEv2/IPSec → Connection list.

  • Choose the entry for the headquarters.
  • Set the routing tag to 1 (routing tag of the first WAN connection, see step 1.12).
  • Close the dialog with OK.

Image displaying a complex technical user interface for configuring VPN connections, including details about authentication, encryption, gateway settings, IP address pools, and network rules.

  • Select the entry for the headquarters and click on Copy.
  • Change the name of the new entry to HEADQUARTER_2, for example.
  • Set the routing tag to 2 (routing tag of the second WAN connection, see step 1.12).
  • Switch the Authentication to the entry HEADQUARTER_2 (see step 1.13).

A screenshot of a complex technical configuration interface displaying various network settings such as management connection lists, gateway data, routing protocols, firewall configurations, and other network parameters.

1.15) The entries in the connection list must then be configured as shown in the following figure.

Screenshot of the connection list with the configured entries.

1.16) Navigate to the menu IP Router → Routing → Load balancing and create a new entry with the name LB_HEADQUARTER and the two IKEv2 VPN remote sites HEADQUARTER and HEADQUARTER_2.

Image showing a partial view of a technical user interface focused on load balancing configurations. 

1.17) Navigate to the menu IP router → Routing → IPv4 routing table.

  • Select the entry for the Headquarters and click on Edit.
  • Select the load balancer remote site LB_HEADQUARTER.
  • Switch IP masquerading off.
  • Close the dialog with OK.

Image displaying a technical configuration interface with options like IP routing tables, firewall settings, network communication protocols, and various system management tools. 

  • Select the entry for the Headquarters and click on Copy.
  • Assign a previously unused routing tag.
  • Select the VPN remote site HEADQUARTER.
  • Switch IP masquerading off.
  • Close the dialog with OK.

An image of a technical configuration interface displaying options for routing tables, management interfaces, date and time settings, log trace features, and various network-related settings such as firewall policies and IP masquerading.

  • Select the entry for the Headquarters again and click on Copy.
  • Assign a previously unused routing tag.
  • Select the VPN remote site HEADQUARTER_2.
  • Switch IP masquerading off.
  • Close the dialog with OK.

A detailed technical user interface displaying various network configuration settings including remote IP access, routing tables, timed control for default routes, IP address masking options, and firewall settings.

1.18) Close the dialog with OK and write the configuration back to the LANCOM router.



2) Configuring IKEv2 connections and VPN load balancing on the router at the headquarters:

2.1) Open the Setup Wizard on the LANCOM router at the headquarters and select Connect two local area networks (VPN).

Image displaying a Setup Wizard for Headquarters interface with options like Basic settings, Internet access setup, Voice over IP configuration, remote access via VPN, Dynamic DNS configuration, VoIP provider preparation, security settings review, and removing remote site access. 

2.2) In the next dialog, select the exchange mode IKEv2.

An image of a VPN setup wizard interface, displaying options to connect two local area networks securely using Virtual Private Network technology, with configuration settings available for IKEv1 and IKEv2 for enhanced security. 

2.3) In this example, we do not use IPSec-over-HTTPS.

 

2.4) In the next dialog, enter the name of the LANCOM router at the remote site. In this example it is OFFICE.

Image displaying a setup wizard interface for configuring a headquarters VPN connection, including fields for remote station router identification and device name settings. 

2.5) To establish an encrypted VPN connection, we need an identity that is known to both sites.

In this example, the identity is set to the e-mail address office@company.com (this identity must match the one specified in step 1.5).

A screenshot of a VPN setup wizard interface displaying options to connect two local area networks and fields for entering a fully qualified username or email as a unique identity for authentication. 

2.6) Create passwords for the local and the remote identity. These must match the passwords set in step 1.6.

Image displaying a Setup Wizard user interface for configuring a VPN connection, including fields for entering a local and a remote password. 

2.7) Since the LANCOM router at the headquarters should receive the VPN connection from the branch office, you need to choose the lower option.

Screenshot of a VPN setup wizard interface showing options to connect two local area networks, with settings to specify connection establishment and manage device roles in initiating the VPN connection. 

2.8) The gateway needs to be set to the public IP address (or the DNS name) of the first WAN connection at the branch office.

Because the local network in the branch office has the address range 192.168.99.0/24, this needs to be entered into the fields Address and Netmask.

This configuration example uses fixed public IP addresses at the branch office. How to set up the VPN connection when the branch office uses dynamic IP addresses is described in this Knowledge Base article.

Image showing a network configuration interface for setting up a VPN connection, including fields for entering IP addresses, DNS names, netmask details, and options for DNS forwarding. 

2.9) Click on Finish to close the Wizard and write the configuration back to the LANCOM router.

Screenshot of a setup wizard interface for headquarters with options to enter necessary data and finalize settings.

2.10) Open the LANCOM router configuration and navigate to VPN → IKEv2/IPSec → Authentication.

  • Select the entry for the branch office and click on Copy.
  • Change the name of the new entry to OFFICE_2, for example.
  • Change the e-mail address of local and remote identities to office_2@company.com. The e-mail address entered here must match the address given in step 1.13.

Image of a technical configuration interface showing various settings for managing VPN connections, network rules, firewall configurations, authentication methods, and routing protocols.

2.11) The authentication rules must then be configured as shown in the following figure.

Image displaying a technical configuration menu with fields for local authentication, local identifier type, and identifier code. 

2.12) Switch to the menu VPN → IKEv2/IPSec → Connection list.

  • Select the entry for the branch office and click on Copy.
  • Change the name of the new entry to OFFICE_2, for example.
  • Set the remote gateway to the public IP address (or the DNS name) of the second WAN connection of the LANCOM router at the branch office. If the branch office uses dynamic public IP addresses this field must be left blank.
  • Switch the Authentication to the entry OFFICE_2 (see step 2.10).

The image displays a technical configuration menu for IKEv2 VPN connections, showing various VPN network relationship settings, authentication protocols, encryption defaults, and IP address pools.

2.13) The entries in the connection list must then be configured as shown in the following figure.

Screenshot of the connection list with the configured entries.

2.14) Navigate to the menu IP router → Routing and enable load balancing.

2.15) Create a new entry with the name LB_OFFICE and the two IKEv2 VPN remote stations OFFICE and OFFICE_2.

Image displaying a technical configuration interface with various settings including IP routing table, load balancing, communication protocols, and time-dependent control options for routing management. 

2.16) Navigate to the menu IP router → Routing → IPv4 routing table.

  • Select the entry for the branch office and click on Copy.
  • Assign a previously unused routing tag.
  • Select the VPN remote site OFFICE.
  • Switch IP masquerading off.
  • Close the dialog with OK.

Image displaying a complex network configuration menu with various settings for remote IP network access, routing tables, network protocols, and options for enabling RIP propagation.

  • Select the entry for the office again and click on Copy.
  • Assign a previously unused routing tag.
  • Select the VPN remote site OFFICE_2.
  • Switch IP masquerading off.
  • Close the dialog with OK.

  • Select the entry for the office again and click on Copy.
  • Select the load balancer remote site LB_OFFICE.
  • Switch IP masquerading off.
  • Close the dialog with OK.

Image showing a complex networking interface with configuration options for managing remote IP networks, routing tables, and network security settings such as firewall and quality of service protocols.

2.17) Close the dialog with OK and write the configuration back to the LANCOM router.

2.18) This concludes the configuration.
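
The settings that have to agree within and across the two routers (identities from steps 1.5/2.5 and 1.13/2.10, one routing tag per WAN connection from steps 1.12 and 1.14, load balancer members, IP masquerading off on the VPN routes) can be checked before the configuration is written back. The following Python check is an added example and not LANCOM code; the dictionary layout and the function names audit_site and audit are assumptions made for illustration and do not correspond to an LCOS export format.

```python
# Constructed model of both routers' settings; not an LCOS export format.
BRANCH = {
    "wan_routes": {1: "INTERNET", 2: "INTERNET2"},  # routing tag -> WAN (step 1.12)
    "tunnels": {"HEADQUARTER": {"identity": "office@company.com", "tag": 1},
                "HEADQUARTER_2": {"identity": "office_2@company.com", "tag": 2}},
    "vpn_lb": ("LB_HEADQUARTER", ["HEADQUARTER", "HEADQUARTER_2"]),
    # (prefix, remote site, IP masquerading) as set in step 1.17
    "routes": [("192.168.100.0/24", "LB_HEADQUARTER", False),
               ("192.168.100.0/24", "HEADQUARTER", False),
               ("192.168.100.0/24", "HEADQUARTER_2", False)],
}
HQ = {
    "wan_routes": {},  # section 2 sets no routing tag on the connections
    "tunnels": {"OFFICE": {"identity": "office@company.com", "tag": None},
                "OFFICE_2": {"identity": "office_2@company.com", "tag": None}},
    "vpn_lb": ("LB_OFFICE", ["OFFICE", "OFFICE_2"]),
    "routes": [("192.168.99.0/24", "LB_OFFICE", False),
               ("192.168.99.0/24", "OFFICE", False),
               ("192.168.99.0/24", "OFFICE_2", False)],
}

def audit_site(name, cfg):
    out, tunnels = [], cfg["tunnels"]
    lb_name, members = cfg["vpn_lb"]
    for m in members:  # every balancer member needs a connection entry
        if m not in tunnels:
            out.append(f"{name}: {lb_name} member {m} has no connection entry")
    # Each tagged tunnel must resolve to its own WAN connection; otherwise both
    # tunnels leave through one uplink and the second WAN carries no VPN traffic.
    tags = {t: c["tag"] for t, c in tunnels.items() if c["tag"] is not None}
    for t, tag in tags.items():
        if tag not in cfg["wan_routes"]:
            out.append(f"{name}: {t} has routing tag {tag} without a default route")
    wans = [cfg["wan_routes"][g] for g in tags.values() if g in cfg["wan_routes"]]
    if len(set(wans)) < len(wans):
        out.append(f"{name}: two tunnels are bound to the same WAN connection")
    for prefix, target, masq in cfg["routes"]:  # VPN routes: masquerading off
        if masq and (target == lb_name or target in tunnels):
            out.append(f"{name}: IP masquerading is on for {prefix} via {target}")
    return out

def audit(branch, hq):
    out = audit_site("branch", branch) + audit_site("hq", hq)
    ids_b = sorted(c["identity"] for c in branch["tunnels"].values())
    ids_h = sorted(c["identity"] for c in hq["tunnels"].values())
    if ids_b != ids_h:  # steps 2.5 and 2.10: identities must match per tunnel
        out.append(f"identities differ: branch {ids_b}, hq {ids_h}")
    if len(set(ids_b)) < len(ids_b):
        out.append("branch: both tunnels use the same identity")
    return out
```

audit(BRANCH, HQ) returns an empty list for the values used in this article; each deviation is reported as one line naming the site and the affected entry.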