...

1.1) Connect to the Unified Firewall, switch to the menu Certificate Management → Certificates and click on the “+” icon to create a new certificate.


1.2) Enter the following parameters in order to create a CA:

  • Certificate type: From the drop-down menu, select CA for VPN/web-server certificate.
  • Public key encryption: From the drop-down menu, select RSA.
  • Private key size: Set the value in the drop-down menu to 4096.
  • Common name (CN): Enter a descriptive common name.
  • Validity: Specify how long the certificate should remain valid. For a CA, the period of validity is usually set to be very high.
  • Private key password: Set a password. This is used to encrypt the private key.

...


1.3) Create another certificate by clicking on the “+” icon.

...


1.4) Store the following parameters in order to create a VPN certificate, which is used to authenticate VPN clients at the Unified Firewall:

  • Certificate type: From the drop-down menu, select VPN certificate.
  • Signing CA: From the drop-down menu, select the CA created in step 1.2.
  • Public key encryption: From the drop-down menu, select RSA.
  • Private key size: Set the value in the drop-down menu to 4096.
  • Common Name (CN): Enter a descriptive common name.
  • Validity: Specify how long the certificate should remain valid. For a VPN certificate used to accept VPN clients, the period of validity is usually set to be very high.
  • CA password: Enter the private key password set in step 1.2.
  • Private key password: Set a password. This is used to encrypt the private key.


1.5) Create another certificate by clicking on the “+” icon.


1.6) Store the following parameters in order to create a VPN certificate, which is used to authenticate a particular employee or VPN client:

  • Certificate type: From the drop-down menu, select VPN certificate.
  • Signing CA: From the drop-down menu, select the CA created in step 1.2.
  • Public key encryption: From the drop-down menu, select RSA.
  • Private key size: Set the value in the drop-down menu to 4096.
  • Common Name (CN): Enter a descriptive common name that characterizes the employees.
  • Validity: Specify how long the certificate should remain valid. With VPN certificates for individual users, the period of validity is usually set quite low.
  • CA password: Enter the private key password set in step 1.2.
  • Private key password: Set a password. This is used to encrypt the private key.

Info
The field Subject Alternative Name can be used to identify each employee more easily, for example by entering their e-mail address.


1.7) Switch to the menu VPN → VPN SSL → VPN SSL Settings.


1.8) Enable the VPN SSL service and enter the following parameters:

  • Host certificate: From the drop-down menu, select the VPN certificate created in step 1.4.
  • DNS: Enter a DNS server, if required.
  • Routes: Enter the networks that the VPN client should communicate with, in CIDR notation (Classless Inter-Domain Routing). These routes apply to all of the VPN SSL clients.
  • Encryption algorithm: From the drop-down menu, select AES256.
Info

If necessary, you can change the protocol and the port.

The address pool is the range of IP addresses that are assigned to the dial-in VPN SSL clients. This address range must not already be in use as an internal network in the Unified Firewall.
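Before enabling the service it is worth checking the values entered in step 1.8 (and the optional fixed Client IP from step 1.10) for the two mistakes the note above warns about: an address pool that collides with an internal network, and route entries that are not proper CIDR prefixes. The following Python script is an added example for this article, not part of LCOS FX or of the Unified Firewall; the address pool, internal networks, routes and client IP in it are constructed sample values.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample values for the checks below; they are assumptions for this
# example and are not taken from a real Unified Firewall configuration.
ADDRESS_POOL = "10.99.0.0/24"                            # VPN SSL address pool (step 1.8)
INTERNAL_NETWORKS = ["192.168.1.0/24", "172.16.0.0/16"]  # networks already configured on the firewall
ROUTES = ["192.168.1.0/24", "172.16.0.0/16"]             # routes pushed to every VPN SSL client (step 1.8)
FIXED_CLIENT_IP = "10.99.0.50"                           # optional fixed Client IP of one connection (step 1.10)


def pool_conflicts(pool: str, internal_networks: Iterable[str]) -> List[str]:
    """Return every internal network that overlaps the address pool.

    The pool must not already be in use as an internal network, so an empty
    result is what you want before enabling the VPN SSL service.
    """
    pool_net = ipaddress.ip_network(pool, strict=True)
    return [
        net for net in internal_networks
        if ipaddress.ip_network(net, strict=True).overlaps(pool_net)
    ]


def invalid_routes(routes: Iterable[str]) -> List[str]:
    """Return route entries that are not valid CIDR prefixes.

    strict=True rejects entries with host bits set (e.g. 192.168.1.5/24);
    the routes table expects a network prefix, not a host address.
    """
    bad: List[str] = []
    for route in routes:
        try:
            ipaddress.ip_network(route, strict=True)
        except ValueError:
            bad.append(route)
    return bad


def client_ip_in_pool(client_ip: str, pool: str) -> bool:
    """A fixed Client IP has to be a usable host address inside the pool.

    The network address and the broadcast address of the pool are excluded.
    """
    pool_net = ipaddress.ip_network(pool, strict=True)
    addr = ipaddress.ip_address(client_ip)
    return addr in pool_net and addr not in (
        pool_net.network_address,
        pool_net.broadcast_address,
    )


def check_vpn_ssl_settings(pool: str, internal_networks: Iterable[str],
                           routes: Iterable[str], client_ip: str = "") -> List[str]:
    """Collect all findings as plain strings; an empty list means the settings are consistent."""
    findings: List[str] = []
    for net in pool_conflicts(pool, internal_networks):
        findings.append(f"address pool {pool} overlaps internal network {net}")
    for route in invalid_routes(routes):
        findings.append(f"route {route!r} is not a valid CIDR prefix")
    if client_ip and not client_ip_in_pool(client_ip, pool):
        findings.append(f"fixed client IP {client_ip} is not a usable address in pool {pool}")
    return findings


if __name__ == "__main__":
    result = check_vpn_ssl_settings(ADDRESS_POOL, INTERNAL_NETWORKS, ROUTES, FIXED_CLIENT_IP)
    for line in result or ["settings are consistent"]:
        print(line)
```

Run it with the pool, the internal networks and the routes you intend to enter; any finding it prints points at a value that should be corrected in the dialog before the service is enabled.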


1.9) Change to the menu VPN → VPN SSL → VPN SSL Connections and click on the “+” icon to create a new VPN SSL connection.


1.10) Enable the VPN connection and enter the following parameters:

  • Name: Enter a descriptive name.
  • Certificate: From the drop-down menu, select the VPN certificate for the employees created in step 1.6.
  • Connection type: Choose Client-to-Site.
Info

With the function Set standard gateway activated, the VPN client can communicate with the Internet via the Internet connection of the Unified Firewall.

The item Client IP allows a fixed IP address to be assigned to the VPN client. If this entry is left empty, the VPN client is given an IP address from the address pool (see step 1.8).

Additional server networks optionally allows the VPN client to access other local networks. In this way, individual employees can be given access to different local networks.


1.11) For the VPN SSL connection created in step 1.10, click on the Export this connection button to export the connection parameters including the certificate.

Info

As of LCOS FX 10.5 you can export the profile directly in the menu VPN → VPN SSL → Connections by clicking on the option Export this connection for a specific connection.

It is possible that you have to click on the double arrow symbol first (right next to the field Filter) to expand the menu, so that the symbol for the profile export is visible.

As an alternative you can also click on the “pencil” button to edit the configuration and click on Export Client Configuration afterwards.

1.12) Enter the following parameters and then click on Export.

  • Type: Select OVPN to generate a profile for the OpenVPN client.
  • Remote Hosts: Enter the public IPv4 address or the DynDNS name of the Unified Firewall along with the VPN SSL port (see step 1.8).
  • Key Password: Enter the private key password set in step 1.6.
  • Transport Password: Set a password. This has to be entered when the user starts the VPN connection with the OpenVPN client.
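Before the exported OVPN profile is handed to an employee, it can be checked for the shape the steps above are meant to produce: a remote entry with an explicit port, AES-256 as the cipher, inline <ca>, <cert> and <key> blocks, and a private key that is not stored in the clear. The following Python script is an added example for this article and is not part of LCOS FX or of the export dialog. The embedded profile is constructed for the example, with placeholder text instead of real PEM data; it assumes that the transport password protects the inline private key as a PEM-encrypted key (which is what makes the OpenVPN client prompt for a password on connect). The remote-cert-tls check is a general OpenVPN client hardening check and is not a setting the article describes.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample profile (assumption for this example, not a real export).
# The PEM bodies are placeholders and will not load into OpenVPN.
SAMPLE_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
cipher AES-256-GCM
auth SHA256
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder, not a real certificate...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder, not a real certificate...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIF...constructed placeholder, not a real key...
-----END ENCRYPTED PRIVATE KEY-----
</key>
"""


def parse_ovpn(text: str) -> Tuple[Dict[str, List[List[str]]], Dict[str, str]]:
    """Split an OpenVPN profile into directives and inline blocks.

    directives maps a directive name to the list of argument lists it appeared with
    (a profile may contain several 'remote' lines); blocks maps an inline tag such
    as 'ca', 'cert' or 'key' to the PEM text between <tag> and </tag>.
    """
    directives: Dict[str, List[List[str]]] = {}
    blocks: Dict[str, str] = {}
    current = None
    buf: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if current is not None:                       # inside an inline block
            if line == f"</{current}>":
                blocks[current] = "\n".join(buf)
                current, buf = None, []
            else:
                buf.append(line)
            continue
        if not line or line.startswith(("#", ";")):   # blank line or comment
            continue
        opening = re.fullmatch(r"<([a-z-]+)>", line)
        if opening:
            current = opening.group(1)
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    if current is not None:
        raise ValueError(f"unterminated <{current}> block")
    return directives, blocks


def check_profile(text: str) -> List[str]:
    """Return findings about the profile; an empty list means it matches the expected shape."""
    directives, blocks = parse_ovpn(text)
    findings: List[str] = []
    if "client" not in directives:
        findings.append("missing 'client' directive")
    remotes = directives.get("remote", [])
    if not remotes:
        findings.append("no 'remote' host configured")
    for args in remotes:                              # step 1.12: host plus explicit VPN SSL port
        if len(args) < 2 or not args[1].isdigit():
            findings.append(f"remote {' '.join(args)!r} lacks an explicit port")
    ciphers = [a[0] for a in directives.get("cipher", []) if a]
    ciphers += [c for a in directives.get("data-ciphers", []) for c in ":".join(a).split(":")]
    if not ciphers or not all(c.upper().startswith("AES-256") for c in ciphers):
        findings.append(f"cipher is not AES-256: {ciphers or 'unset'}")   # step 1.8 selects AES256
    for tag in ("ca", "cert", "key"):                 # profile exported together with the certificate
        if tag not in blocks:
            findings.append(f"inline <{tag}> block missing")
    key = blocks.get("key", "")
    if key and "ENCRYPTED" not in key:                # assumption: transport password = PEM-encrypted key
        findings.append("inline private key is not passphrase-protected")
    if "remote-cert-tls" not in directives:           # general client hardening, not from the article
        findings.append("remote-cert-tls server not set")
    return findings


if __name__ == "__main__":
    for finding in check_profile(SAMPLE_PROFILE) or ["profile looks as expected"]:
        print(finding)
```

To check a real export, read the .ovpn file into a string and pass it to check_profile; each finding names the directive or block that deviates from the settings chosen in steps 1.8 and 1.12.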


1.13) Click the button to create a new VPN host.


1.14) Save the following parameters:

  • Name: Enter a descriptive name.
  • VPN connection type: Select VPN-SSL.
  • VPN SSL connection: From the drop-down menu, select the VPN SSL connection created in step 1.10.


1.15) Click on the “connection” icon of the VPN host and then on the network object that the OpenVPN client should access; this opens the firewall objects.

Repeat this step for every network that the OpenVPN client should be able to access.


1.16) Use the “+” sign to assign the required protocols to the VPN host.

Info
A Unified Firewall uses a deny-all strategy. You therefore have to explicitly allow communication.


Info
Firewall objects can also be accessed via Desktop → Desktop connections and clicking on the “pencil” icon for editing.


1.17) Finally, implement the configuration changes by clicking Activate in the Unified Firewall.


1.18) This concludes the configuration steps on the Unified Firewall.

2) Configuration steps in the OpenVPN client:

2.1) Right click on the OpenVPN icon in the task bar.

2.2) Click Import file to import the VPN profile.

2.3) A message is displayed to indicate that the profile was successfully imported.

2.4) This concludes the configuration steps in the OpenVPN client.

3) Setting up port and protocol forwarding on a LANCOM router (scenario 2 only):

IPSec requires the use of the UDP ports 500 and 4500 as well as the protocol ESP. These must be forwarded to the Unified Firewall.

Forwarding the UDP ports 500 and 4500 automatically causes the ESP protocol to be forwarded.

Info
If you are using a router from another manufacturer, ask them about the appropriate procedure.

3.1) Open the configuration for the router in LANconfig and switch to the menu item IP-Router → Masq. → Port forwarding table.

3.2) Save the following parameters:

  • First port: Specify port 500.
  • Last port: Specify port 500.
  • Intranet address: Specify the IP address of the Unified Firewall in the transfer network between the Unified Firewall and the LANCOM router.
  • Protocol: From the drop-down menu, select UDP.

3.3) Create a further entry and specify the UDP port 4500.

3.4) Write the configuration back to the router.