...
- A company wants its sales representatives to have access to the corporate network via an IKEv2 client-to-site connection.
- The notebooks used by the sales representatives have the LANCOM Advanced VPN Client installed on them.
- The company headquarters has a Unified Firewall as a gateway with an Internet connection with the fixed public IP address 81.81.81.81.
- The local network at the headquarters has the IP address range 192.168.3.0/24.
- The VPN connection should be authenticated using certificates. The CA of the Unified Firewall is used.
2) The Unified Firewall is connected to the Internet via an upstream router:
- A company wants its sales representatives to have access to the corporate network via an IKEv2 client-to-site connection.
- The notebooks used by the sales representatives have the LANCOM Advanced VPN Client installed on them.
- The company headquarters has a Unified Firewall as the gateway and an upstream router for the Internet connection. The router has the fixed public IP address 81.81.81.81.
- The local network at the headquarters has the IP address range 192.168.3.0/24.
- The VPN connection should be authenticated using certificates. The CA of the Unified Firewall is used.
Procedure:
The setup for scenarios 1 and 2 are basically the same. Scenario 2 additionally requires port and protocol forwarding to be set up on the upstream router (see section 6).
1) Creating the CA and VPN certificates on the Unified Firewall:
1.1) Click on the "+" icon to create a new routing entry.
1.2) The first step is to create a Certification Authority (CA) for VPN connections.
...
1.3) Then click the Create button.
1.4) Click on the "+" icon to create a VPN certificate for the LANCOM Advanced VPN Client:
...
1.5) Then click the Create button.
1.6) Click on the "+" icon to create a certificate for the LANCOM Advanced VPN Client:
...
1.7) Then click the Create button.
1.8) The newly created VPN certificates are listed below the newly created VPN certification authority (see following figure).
2) Creating the VPN connection on the Unified Firewall:
2.1) Connect to the configuration interface of the Unified Firewall and navigate to VPN -> IPsec settings.
2.2) Activate IPsec.
2.3) Switch to VPN -> IPsec Connections and click on the "+" icon to create a new IPsec connection.
2.4) Save the following parameters:
...
If you have created your own template or security profile, you can use these here.
2.5) Open then Tunnels tab.
- Local networks: Here you enter the local networks (in CIDR notation) that the VPN client should reach. In this example, the local network at the headquarters has the IP address range 192.168.3.0/24.
- Virtual IP pool: Select the option Default virtual IP pool. Virtual IP pools can be used to send IP address configurations to connected VPN clients.
2.6) Change to the Authentication tab and enter the following parameters:
- Authentication type: Select the option Certificate here.
- Local certificate: Here you select the VPN certificate created for the Unified Firewall in step 1.6.
- Remote certificate: Here you select the VPN certificate here created for the LANCOM Advanced VPN Client in step 1.4.
2.7) Click on Create to save the configuration.
2.8) Click the icon to create a new VPN host.
2.9) Save the following parameters:
- Name: Enter a descriptive name.
- VPN connection type: Select the type IPsec.
- IPsec connection: From the drop-down menu under IPsec, select the VPN connection created in steps 2.4 - 2.7.
2.10) In the VPN host click on the "connection" icon and, to open the firewall objects, click on the network object that the object (the site-to-site connection) should access.
2.11) Use the "+" sign to assign the required protocols to the VPN host.
Info: A Unified Firewall uses a deny-all strategy. You therefore have to explicitly allow communication.
Info: Firewall objects can also be accessed via Desktop -> Desktop connections and clicking on the "edit" icon.
2.12) Finally, implement the configuration changes by clicking Activate in the firewall.
2.13) Change to the menu VPN → IPsec → Connections and, on the newly created Advanced VPN Client connection, click on the Export connection button.
2.14) Enter a password to be used to encrypt the exported ZIP archive.
...
2.18) Click Export and save the ZIP file on your computer.
3) Export the VPN certificate for the LANCOM Advanced VPN Client:
3.1) Change to the menu Certificate Management → Certificates and, for the VPN certificate for the LANCOM Advanced VPN Client, click the Export button.
3.2) Set that PKCS 12 format.
...
3.5) Click Export and save the certificate file on your PC.
3.6) This concludes the configuration steps on the Unified Firewall.
...
4.3) Create a new certificate configuration using the Add button.
4.4) Enter a name for the new certificate configuration.
...
5.7) Switch to the menu IPsec general settings and set IKEv2 authentication to the value Certificate.
5.8) You need to set the Certificate configuration to the certificate configuration created in step 4.3.
...
6.1) Open the configuration for the router in LANconfig and switch to the menu item IP-Router → Masq. → Port forwarding table.
6.2) Save the following parameters:
- First port: Specify the Port 500.
- Last port: Specify the Port 500.
- Intranet address: Specify the IP address of the Unified Firewall in the transfer network between the Unified Firewall and the LANCOM router.
- Protocol: From the drop-down menu, select UDP.
6.3) Create a further entry and specify the UDP port 4500.
6.4) Write the configuration back to the router.
...