...
This article describes how to set up a VPN connection from the Advanced VPN Client for macOS to a LANCOM router with two-factor authentication (IKEv2-EAP-OTP).
Info: The configuration with a LANCOM Advanced VPN Client for Windows is described in a separate knowledge base article.
Requirements:
- LANCOM router with at least 25 VPN licenses (Central-Site gateway, 19xx series router or LANCOM router with the VPN 25 Option)
- Advanced VPN Client for macOS as of version 4.7x
- LCOS as of version 10.70 REL (download latest version)
- LANtools as of version 10.70 REL (download latest version)
- Authenticator app for Android or iOS (e.g. Google Authenticator or Microsoft Authenticator)
...
Info: Repeat this step for each VPN user.
Note: The Secret may contain only capital letters and the digits 2 to 7 (see RFC 3548). Otherwise the configuration cannot be written back to the router via LANconfig! If Google Authenticator is used, the Secret must be at least 16 characters long, as otherwise scanning the QR code will fail.
...
4.2) Copy the certificate to the computer that is to establish the VPN connection and save it to the directory /Library/Application Support/NCP/Secure Client/cacerts.
4.3) Start the Advanced VPN Client and navigate to the menu Connection → View Certificates → Display CA certificates.
4.4) Check whether the Advanced VPN Client recognized the certificate.
5) Setting up an IKEv2-EAP-OTP connection with the Advanced VPN Client:
5.1) In the Advanced VPN Client, navigate to the menu Configuration → Profiles.
5.2) Click the + button to create a new VPN connection.
5.3) Select Link to Corporate Network Using IPsec and click on Next.
5.4) Enter a descriptive Profile Name.
5.5) From the drop-down menu, select the Communication Media to be used for establishing the VPN connection.
Info: If you wish to establish the VPN connection over different connection media (e.g. LAN and Wi-Fi), select automatic media detection.
5.6) Under Gateway (Tunnel Endpoint), enter the public IP address or the DNS name of the router.
5.7) Enter the following parameters:
- Exchange Mode: From the drop-down menu, select IKEv2.
- PFS Group: From the drop-down menu, select DH14 (modp2048) or DH16 (modp4096).
Info: LANCOM Systems recommends using the PFS group DH16 (modp4096). For this, DH16 must also be active in the encryption profile DEFAULT on the router (VPN → IKEv2/IPSec → Encryption).
5.8) Authentication via EAP-OTP cannot be configured in the wizard, so this must be done manually at a later stage. Click Next without making changes.
5.9) For the IP address assignment, select the drop-down menu entry IKE Config Mode. This allows the Advanced VPN Client to obtain an IP address from the router when dialing in via VPN.
5.10) In the Split Tunneling menu, enter the destination network to which the VPN connection should be established. This ensures that only the data traffic destined for the destination network is routed over the VPN tunnel. Then click Finish.
Info: For more information on split tunneling, see the Knowledge Base article on that topic.
5.11) Mark the VPN profile created in the steps 5.1 – 5.10 and click Edit.
5.12) Go to the IPsec General Settings tab and set IKEv2 Authentication to EAP.
5.13) Switch to the Identities tab and enter the user name of the RADIUS user as the Local Identity, and the OTP user name as the user ID for the EAP Authentication.
Note:
5.13.1) If you are using LCOS firmware up to version 10.80, leave the Password field blank.
5.13.2) If you are using LCOS firmware version 10.90 or later, enter the password you configured in step 3.5 in the Password field.
5.14) This concludes the configuration of the VPN connection in the Advanced VPN Client. Confirm the manually entered changes by clicking OK.
...
Note:
6.4.1) If you are using LCOS firmware up to version 10.80, you must enter the password of the RADIUS user assigned in step 3.5, directly followed by the one-time password (OTP) displayed in the Authenticator app, when establishing the VPN connection.
6.4.2) If you are using LCOS firmware version 10.90 or later, the one-time password (OTP) displayed in the Authenticator app must be entered when establishing the VPN connection.
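The two OTP-side rules this article states, the Secret alphabet and minimum length from the note in section 3 and the dial-in password format from section 6.4, as an added Python example that is not part of the original article or of any LANCOM software. It assumes the Authenticator app computes a standard RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits) and uses the RFC 6238 reference secret as constructed input.

```python
import base64
import hashlib
import hmac
import struct

# Characters the article allows for the OTP Secret: capital letters and digits 2-7 (RFC 3548 base32).
SECRET_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567")


def validate_otp_secret(secret: str, min_len: int = 16) -> bool:
    """True if the Secret can be written back via LANconfig (A-Z, 2-7 only) and
    scanned by Google Authenticator (at least 16 characters)."""
    return len(secret) >= min_len and all(c in SECRET_ALPHABET for c in secret)


def totp(secret: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Code an authenticator app shows for this Secret at this Unix time.
    Assumption: standard RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits)."""
    key = base64.b32decode(secret + "=" * (-len(secret) % 8))   # re-add base32 padding
    counter = struct.pack(">Q", unix_time // step)               # 8-byte big-endian time step
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)                # keep leading zeros


def dial_in_password(radius_password: str, otp: str, lcos_version: tuple) -> str:
    """Password the user types at dial-in (section 6.4): up to LCOS 10.80 the RADIUS
    password directly followed by the OTP, from LCOS 10.90 the OTP alone."""
    return otp if lcos_version >= (10, 90) else radius_password + otp


if __name__ == "__main__":
    # Constructed input: the RFC 6238 reference secret "12345678901234567890" in base32.
    demo_secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    code = totp(demo_secret, 59)                                 # RFC 6238 reference time
    print("secret valid:", validate_otp_secret(demo_secret), "code:", code)
    print("LCOS <= 10.80:", dial_in_password("RadiusPw", code, (10, 80)))
    print("LCOS >= 10.90:", dial_in_password("RadiusPw", code, (10, 90)))
```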
...