
Description:

This document describes how certificates created with LANCOM Smart Certificate are used for a certificate-based IKEv2 VPN connection between two LANCOM routers.


Requirements:
  • LANtools version 9.20 or later
  • LANCOM central-site gateway, WLAN controller, or LANCOM router with an activated VPN 25 Option (required when using the Smart Certificate feature)
  • Certificates for the participating LANCOM routers. How to create certificates with LANCOM Smart Certificate is described in a separate Knowledge Base article.


Procedure:

1) Enable the CA function in the LANCOM router at the headquarters:

In this example configuration, the LANCOM router at the headquarters acts as the CA for creating the certificates (Smart Certificate feature). If you wish to use certificates from another CA, you do not have to use the CA in the LANCOM router and you can skip this step of the configuration.

1.1) In LANconfig, open the configuration dialog for the LANCOM router at the headquarters and switch to the menu item Certificates -> Cert. authority (CA).

1.2) Set a check mark for the option Certificate authority (CA) active. The LANCOM router functions as the root certificate authority (root CA).
Note:
  • For this configuration example we leave all of the other parameters with their preset values.




2) Uploading certificates to the LANCOM routers:

2.1) Right-click on each of the LANCOM routers in LANconfig and select the option Configuration management -> Upload certificate or file.

2.2) In the following dialog, select the certificate file intended for the respective LANCOM router.

2.3) In the Certificate type field, select a VPN container. Note which container you select; the VPN connection is later bound to it.

2.4) In the Cert. password box, enter the password that protects the certificate file, then click Open to start the upload. The file contains the router's private key together with its certificate, so transfer it to the router only over a trusted connection and do not leave copies of the file or its password lying around.




3) Configure the certificate-based VPN connection on the LANCOM router at the headquarters:

3.1) Start the Setup Wizard in LANconfig and select the option Connect two local area networks (VPN).

3.2) Now create an IKEv2-VPN connection.

3.3) In this example, we do not use IPSec-over-HTTPS.

3.4) Enter a name for the LANCOM router at the remote site.

3.5) Enter placeholder values in the following two dialogs. They are replaced by the certificate authentication parameters later in the configuration (see step 3.9 ff.).

3.6) Specify that the LANCOM router at the headquarters receives (i.e. does not initiate) the VPN connection.

3.7) Since the LANCOM router at the headquarters receives the VPN connection, no gateway address is required.

Specify the local network at the remote site (the branch-office LAN) that is to be reachable through the VPN.

3.8) Click on Finish to exit the setup wizard and write the configuration back to the LANCOM router.

3.9) Open the LANCOM router configuration in LANconfig and navigate to VPN -> IKEv2/IPSec -> Authentication.

3.10) Select the entry for the certificate-based VPN connection (in this case: OFFICE).

3.11) Set both the local and the remote authentication to RSA signature, and set both the local and the remote identifier type to ASN.1 Distinguished Name.

3.12) As the local identity, enter the subject Distinguished Name of the certificate installed on the LANCOM router at the headquarters.

3.13) As the remote identity, enter the subject Distinguished Name of the certificate installed on the LANCOM router at the branch office. This string must match the subject of the branch office's certificate exactly; otherwise the IKEv2 authentication (IKE_AUTH) fails.
Note:
  • If you use the attribute type /E (for the email address) in the ASN.1 Distinguished Name, you must replace "E" with "emailAddress" so that the subsequent authentication works (example: /E=test@lancom.de must be changed to /emailAddress=test@lancom.de).

3.14) As Local certificate, choose the VPN container you selected in step 2.3).

3.15) Write the configuration back to the LANCOM router at the headquarters.




4) Configure the certificate-based VPN connection on the LANCOM router at the branch office:

4.1) Start the Setup Wizard in LANconfig and select the option Connect two local area networks (VPN).

4.2) Now create an IKEv2-VPN connection.

4.3) In this example, we do not use IPSec-over-HTTPS.

4.4) Enter a name for the LANCOM router at the remote site.

4.5) Enter placeholder values in the following two dialogs. They are replaced by the certificate authentication parameters later in the configuration (see step 4.9 ff.).

4.6) Specify that the LANCOM router at the branch office establishes (initiates) the VPN connection.

4.7) Since the LANCOM router at the branch office establishes the VPN connection, enter the gateway address of the headquarters (the address under which the headquarters router is reachable from the branch office).

Specify the local network at the remote site (the headquarters LAN) that is to be reachable through the VPN.

4.8) Click on Finish to exit the setup wizard and write the configuration back to the LANCOM router.

4.9) Open the LANCOM router configuration in LANconfig and navigate to VPN -> IKEv2/IPSec -> Authentication.

4.10) Select the entry for the certificate-based VPN connection (in this case: HEADQUARTERS).

4.11) Set both the local and the remote authentication to RSA signature, and set both the local and the remote identifier type to ASN.1 Distinguished Name.

4.12) As the local identity, enter the subject Distinguished Name of the certificate installed on the LANCOM router at the branch office.

4.13) As the remote identity, enter the subject Distinguished Name of the certificate installed on the LANCOM router at the headquarters. This string must match the subject of the headquarters' certificate exactly; otherwise the IKEv2 authentication (IKE_AUTH) fails.
Note:
  • If you use the attribute type /E (for the email address) in the ASN.1 Distinguished Name, you must replace "E" with "emailAddress" so that the subsequent authentication works (example: /E=test@lancom.de must be changed to /emailAddress=test@lancom.de).

4.14) As Local certificate, choose the VPN container you selected in step 2.3).

4.15) Write the configuration back to the LANCOM router at the branch office.

The certificate-based IKEv2 VPN connection from the branch office to the headquarters is now established. You can check its status in LANmonitor.
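Added example (not part of the original article and not LANCOM tooling): a small Python helper for the identity fields in steps 3.10 and 4.10. It turns the subject line printed by `openssl x509 -noout -subject` into the slash-separated ASN.1 Distinguished Name string the article uses, applies the /E to /emailAddress rewrite from the info box, and checks that the remote identity configured on one router is identical to the subject of the peer's certificate. It assumes the slash notation shown in the article, keeps the attribute order exactly as it appears in the certificate, and treats any difference in an attribute value, including letter case, as a mismatch (the conservative choice). The sample subject lines and organisation names are constructed for the example.

```python
"""Build and check the ASN.1 Distinguished Name identity strings used in the
IKEv2 authentication settings (steps 3.10 and 4.10 of the article).

Added example; not code from the LANCOM article or from LANtools. Assumptions:
the identity is written in the slash notation the article shows
(/C=DE/O=.../emailAddress=...), attributes keep the order found in the
certificate, and values are compared byte for byte (a difference in letter
case counts as a mismatch).
"""
import re
from typing import List, Tuple

RDN = Tuple[str, str]  # (attribute type, attribute value)

# Short names that must be spelled out in the identity string. The article
# documents E -> emailAddress; EMAIL and EMAILADDRESS are OpenSSL spellings of
# the same attribute and are folded to the same long form (assumption).
LONG_NAMES = {"E": "emailAddress", "EMAIL": "emailAddress", "EMAILADDRESS": "emailAddress"}


def _canonical_type(attr_type: str) -> str:
    """Upper-case the attribute type (CN, O, OU, C, ...) and expand E to emailAddress."""
    t = attr_type.strip().upper()
    return LONG_NAMES.get(t, t)


def _escape_slash(value: str) -> str:
    """A literal '/' inside a value must be escaped in the slash notation."""
    return value.replace("/", "\\/")


def parse_dn(text: str) -> List[RDN]:
    """Parse a subject into (type, value) pairs.

    Accepts the one-line form printed by `openssl x509 -noout -subject`
    ("subject=C = DE, O = Example GmbH, CN = OFFICE") and the slash form
    ("/C=DE/O=Example GmbH/CN=OFFICE"). A backslash escapes the separator
    inside a value.
    """
    s = text.strip()
    if s.lower().startswith("subject="):
        s = s[len("subject="):].strip()
    if s.startswith("/"):
        parts = re.split(r"(?<!\\)/", s[1:])   # split on unescaped '/'
    else:
        parts = re.split(r"(?<!\\),", s)       # split on unescaped ','
    rdns: List[RDN] = []
    for part in parts:
        if not part.strip():
            continue
        if "=" not in part:
            raise ValueError(f"malformed RDN (no '='): {part!r}")
        attr_type, value = part.split("=", 1)
        value = value.strip().replace("\\/", "/").replace("\\,", ",")
        if not value:
            raise ValueError(f"empty value for attribute {attr_type.strip()!r}")
        rdns.append((_canonical_type(attr_type), value))
    if not rdns:
        raise ValueError("empty distinguished name")
    return rdns


def lancom_identity(subject: str) -> str:
    """Render the string to type into the local/remote identity field."""
    return "".join(f"/{t}={_escape_slash(v)}" for t, v in parse_dn(subject))


def identity_matches(configured_identity: str, peer_subject: str) -> bool:
    """True only if the configured identity equals the peer certificate's subject RDN by RDN."""
    return parse_dn(configured_identity) == parse_dn(peer_subject)


def explain_mismatch(configured_identity: str, peer_subject: str) -> List[str]:
    """List the RDNs that differ, to pinpoint a typo before touching the router config."""
    a, b = parse_dn(configured_identity), parse_dn(peer_subject)
    problems: List[str] = []
    if len(a) != len(b):
        problems.append(f"attribute count differs: {len(a)} configured vs {len(b)} in certificate")
    for (ta, va), (tb, vb) in zip(a, b):
        if ta != tb:
            problems.append(f"attribute order/type differs: {ta} vs {tb}")
        elif va != vb:
            problems.append(f"{ta}: {va!r} configured vs {vb!r} in certificate")
    return problems


if __name__ == "__main__":
    # Constructed sample output of `openssl x509 -noout -subject` for the
    # branch-office certificate (organisation name made up for this example).
    branch_subject = "subject=C = DE, O = Example GmbH, CN = OFFICE, emailAddress = test@lancom.de"
    print(lancom_identity(branch_subject))
    # -> /C=DE/O=Example GmbH/CN=OFFICE/emailAddress=test@lancom.de

    # The rewrite the article's note asks for (/E= becomes /emailAddress=):
    print(lancom_identity("/C=DE/O=Example GmbH/CN=OFFICE/E=test@lancom.de"))
    # -> /C=DE/O=Example GmbH/CN=OFFICE/emailAddress=test@lancom.de

    # A remote identity with one wrong letter does not authenticate the peer:
    typo = "/C=DE/O=Example GmbH/CN=Office/emailAddress=test@lancom.de"
    print(identity_matches(typo, branch_subject), explain_mismatch(typo, branch_subject))
    # -> False ["CN: 'Office' configured vs 'OFFICE' in certificate"]
```

Run it against the subject of the certificate actually installed on each router (the VPN container uploaded in step 2) rather than typing the DN from memory: an identity that differs in a single attribute value or in the attribute order is a different identity, and the IKEv2 authentication then fails at IKE_AUTH. If you print the subject with `openssl x509 -nameopt RFC2253`, OpenSSL lists the attributes in reverse order, so use the default one-line output as in the sample above.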
