Description:

This article describes how the Advanced VPN Client is used to establish an IKEv2 connection to a LANCOM router with an IPv6 address.


Requirements:

  • LCOS as of version 10.32 (download latest version)
  • LANtools as of version 10.32 (download latest version)
  • Advanced VPN Client as of version 5.20 (download latest version)
  • Existing and functional Internet connection to the router with an IPv6 address at the headquarters
  • Existing and functional Internet connection with an IPv6 address at the location where the user operates the Advanced VPN Client


Scenario:

Establish the IKEv2 connection via an IPv6 gateway and communicate via IPv4:

  • The VPN connection should be established to a VPN gateway with an IPv6 address
  • Communication on the target network operates with IPv4



Establish the IKEv2 connection via an IPv6 gateway and communicate via IPv6:

  • The VPN connection should be established to a VPN gateway with an IPv6 address
  • Communication on the target network operates with IPv6




Procedure:

Establish the IKEv2 connection via an IPv6 gateway and communicate via IPv4:

Set up the IKEv2 connection using the setup wizard Provide remote access (RAS, VPN) and import the profile file into the Advanced VPN Client.



Establish the IKEv2 connection via an IPv6 gateway and communicate via IPv6:

1) Set up the IKEv2 connection on the LANCOM router:

1.1) Set up the VPN connection using the setup wizard:

1.1.1) Open the setup wizard for the router, select the option Provide remote access (RAS, VPN) and click Next.


1.1.2) Make sure that IKEv2 is selected and click Next.


1.1.3) Click Next.


1.1.4) Make sure that the option LANCOM Advanced VPN Client for Windows is selected and deactivate the option Speed up your configuration with 1-Click-VPN. Then click on Next.


1.1.5) Activate the option IPSec-over-HTTPS enabled so that in the event of communication problems via IPsec, the fallback option IPSec-over-HTTPS can be used instead. Then click on Next.

Do not activate this option if the TCP port 443 (HTTPS) is already being used (e.g. for port forwarding), as this will prevent IPsec-over-HTTPS from working.


1.1.6) Enter a descriptive name for the VPN connection and then click on Next.


1.1.7) Leave the field Address of this router empty. The connection in the Advanced VPN Client is created via the setup wizard, so no profile file is required. Then click on Next.


1.1.8) Modify the following parameters and click Next:

  • Fully Qualified Username: Assign a descriptive FQUN (Fully Qualified Username).
  • Preshared Key: Enter a PSK (pre-shared key) that is as secure as possible.


1.1.9) Leave the entry at the default value 0.0.0.0. Since the IKE Config mode is used, there is no need to enter a fixed IP address here. Then click on Next.


1.1.10) Create a new IP address pool if none is available already. Otherwise, select an available pool. Then click on Next.

  • First address: Enter the first IP address of the address pool.
  • Last address: Enter the last IP address of the address pool.
  • Primary DNS: Enter the IP address of a DNS server in the target network (in this example the IP address of the router).

The IP addresses specified in the address pool are reserved for VPN dial-in connections and are no longer available for assignment by the DHCP server integrated in the router. Be certain that there are enough IP addresses available for the DHCP server to use.

Although the IPv4 address pool is not required for IPv6 communication (see step 1.2.5), the setup wizard asks for it, so it has to be created.

1.1.11) Leave the setting as the option Allow all IP addresses to be reachable for the VPN client and click on Next.

1.1.12) Click on Finish to write the configuration back to the router.



1.2) Manual configuration steps in the router:

1.2.1) Open the configuration of the router in LANconfig and navigate to VPN → IKEv2/IPsec → IPv6 addresses.


1.2.2) Create a new entry and modify the following parameters:

  • Name: Enter a descriptive name for the IPv6 address pool.
  • First address: Enter the first IPv6 address of the address range that should be available for VPN dial-ins.
  • Last address: Enter the last IPv6 address of the address range that should be available for VPN dial-ins. 
  • Receive prefix from: From the drop-down menu, select the Internet connection that has an IPv6 address (in this example the connection INTERNET).
  • Primary DNS: Leave the entry as the default value ::. This causes the router to transmit its own IPv6 address as a DNS server. 

Please note that IPv6 addresses are written in hexadecimal, not decimal. This example has 25 addresses available for VPN dial-in.
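The hexadecimal counting mentioned above is easy to get wrong when sizing the pool. The following is an added example, not part of the original article or of LANCOM's tooling: it counts the addresses between a first and last address and flags a pool that is too small, crosses a prefix boundary, or would be miscounted if read as decimal. The function names, the /64 prefix length and the sample bounds `::10` to `::28` are assumptions constructed for illustration.

```python
import ipaddress

def pool_size(first: str, last: str) -> int:
    """Number of addresses from first to last, inclusive."""
    lo, hi = ipaddress.IPv6Address(first), ipaddress.IPv6Address(last)
    if hi < lo:
        raise ValueError("last address is below first address")
    return int(hi) - int(lo) + 1

def decimal_misread(first: str, last: str):
    """Count a reader would get by treating the final hextet as decimal.

    Returns None when a hextet contains a-f and cannot be misread that way.
    """
    tails = [ipaddress.IPv6Address(a).exploded.rsplit(":", 1)[1]
             for a in (first, last)]
    if not all(t.isdigit() for t in tails):
        return None
    return int(tails[1]) - int(tails[0]) + 1

def check_pool(first: str, last: str, clients: int, prefix_len: int = 64):
    """Return a list of warnings for a planned dial-in pool.

    prefix_len=64 is an assumption (typical LAN prefix), not a value
    taken from the article.
    """
    warnings = []
    size = pool_size(first, last)
    net = ipaddress.IPv6Network((first, prefix_len), strict=False)
    if ipaddress.IPv6Address(last) not in net:
        warnings.append(f"pool crosses the /{prefix_len} boundary")
    if size < clients:
        warnings.append(f"pool holds {size} addresses, {clients} clients planned")
    guess = decimal_misread(first, last)
    if guess is not None and guess != size:
        warnings.append(f"decimal reading gives {guess}, real size is {size}")
    return warnings

if __name__ == "__main__":
    # Constructed bounds, chosen so the pool holds 25 addresses.
    print(pool_size("::10", "::28"))
    for w in check_pool("::10", "::28", clients=25):
        print("warning:", w)
```
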


1.2.3) Navigate to the menu VPN → IKEv2/IPsec → Connection list.


1.2.4) Mark the VPN connection created in step 1.1 and click on Edit.


1.2.5) Modify the following parameters:

  • IPv6 rules: Select the predefined IPv6 rule RAS-WITH-CONFIG-PAYLOAD from the drop-down menu.
  • IPv4 address pool: Delete the entry for the IPv4 address pool. Otherwise an IPv4 address will be reserved even though communication via IPv4 is unused.
  • IPv6 address pool: From the drop-down menu, select the IPv6 address pool created in step 1.2.2.
  • IPv6 profile: From the drop-down menu, select the Internet connection that has an IPv6 address (in this example the connection INTERNET).


1.2.6) This concludes the configuration of the VPN connection on the router. Write the configuration back to the router.



2) Set up the IKEv2 connection in the Advanced VPN Client:

2.1) Set up the VPN connection using the setup wizard:

2.1.1) Start the Advanced VPN Client and navigate to the menu Configuration → Profiles.


2.1.2) Click on Add/Import to create a new VPN connection.


2.1.3) Leave the setting for the option Link to Corporate Network Using IPsec unchanged and click on Next.


2.1.4) Enter a descriptive profile name and then click on Next.


2.1.5) From the drop-down menu, select the communication media being used and click Next.

If various media are used for the connection, select the option automatic media detection.


2.1.6) Set the Gateway as the IPv6 address or the corresponding DNS address of the router and click Next.


2.1.7) Modify the following parameters and click Next:

  • Exchange mode: From the drop-down menu, select the option IKEv2.
  • PFS Group: From the drop-down menu, select the option DH14 (modp2048).


2.1.8) Modify the following parameters and click Next:

  • Type: From the drop-down menu, select the option Fully Qualified Username.
  • ID: Enter the Fully Qualified Username as specified in step 1.1.8.
  • Shared secret: Enter the pre-shared key as specified in step 1.1.8.


2.1.9) From the drop-down menu, set IP address assignment to the option IKE Config Mode and click Next.

2.1.10) Click Finish to close the Setup Wizard.

For IPv6 communications, do not enter anything for split tunneling!



2.2) Manual configuration steps in the Advanced VPN Client:

2.2.1) Mark the profile created in step 2.1 and click Edit.


2.2.2) Change to the tab IPSec General Settings and use the drop-down menu to set the Tunnel IP version to the option IPv6.


2.2.3) This concludes the configuration of the VPN connection. Confirm your changes by clicking OK.