Description:
This document describes how you set up a network connection using an IKEv2 site-to-site VPN connection between two LANCOM routers.


Requirements:


Scenario:
  • A company wishes to interconnect the local networks at their headquarters and at a branch office by means of an IKEv2 site-to-site VPN connection.
  • Both sites have a LANCOM router as their gateway and an Internet connection with a fixed public IP address. The public IP address of the headquarters is fd00::a, and that of the branch office is fd00::b.
  • The VPN connection is established from the branch office to the headquarters.
  • The local network at the headquarters has the IP address range 192.168.1.0/24, and the branch office uses the local IP address range 192.168.2.0/24.

Procedure:
1) Manual configuration of the LANCOM router at the headquarters:
1.1) Open the configuration for the LANCOM router at the headquarters and switch to the menu item VPN -> General.
1.2) Enable the function Virtual Private Network.
1.3) Open the menu item VPN -> IKEv2/IPSec and click the button Authentication.
1.4) Click on the Add... button to create a new entry.
1.5) Enter the information for the authentication of the VPN connection into the configuration window.
  • Name:
    Enter the name for the authentication here. This entry is used later in the VPN connection list (see step 1.8).
  • Local authentication:
    Select the authentication type used on the router at the headquarters. This example uses authentication by pre-shared key (PSK).
  • Local identifier type:
    Select the identifier type used on the router at the headquarters. In this example, the identity type was set to E-mail address (FQUN).
  • Local identifier:
    Set the local identifier. In this example, the LANCOM router at the headquarters uses the local identity headquarter@company.com.
  • Local password:
    Set the pre-shared key to be used to authenticate at the router at the headquarters.
  • Remote authentication:
    Select the authentication type used by the LANCOM router at the branch office. This example uses authentication by pre-shared key (PSK).
  • Remote identifier type:
    Select the identifier type used on the router at the branch office. In this example, the identity type was set to E-mail address (FQUN).
  • Remote identifier:
    Set the remote identifier. In this example, the LANCOM router at the branch office uses the remote identity office@company.com.
  • Remote password:
    Set the pre-shared key to be used to authenticate at the router at the branch office.

1.6) Open the menu item VPN -> IKEv2/IPSec and click the button Connection list.
1.7) Click on the Add... button to create a new entry.
1.8) Enter the following information into the configuration dialog:
  • Connection name:
    Enter a name for the VPN connection. This name is used later in the routing table (see step 1.10).
  • Short hold time:
    Specify the short-hold time in seconds for the VPN connection. In this example, a 0 is entered into the LANCOM router at the headquarters. This means that this router will not actively establish the VPN connection.
  • Gateway:
    Specify the public IPv6 address of the LANCOM router at the branch office. In this example, this is the IPv6 address fd00::b.
  • Authentication:
    Select the authentication. The entry here corresponds to the name of the authentication that you set in step 1.5.
  • Rule creation:
    In this example, rule creation is performed automatically.

1.9) Navigate to the menu IP router -> Routing -> IPv4 routing table.
1.10) Add a new routing entry.
  • As the IP address, enter the address of the local network at the branch office. In this example it is 192.168.2.0.
  • The netmask needs to be set to the value 255.255.255.0 as the local network at the branch office is a class C network.
  • For the Router field, select the identification of the VPN remote station (in this case: OFFICE).
  • IP masquerading is switched off for this entry.

1.11) Write the configuration back to the LANCOM router at the headquarters.


2) Manual configuration of the LANCOM router at the branch office:
2.1) Open the configuration for the LANCOM router at the branch office and switch to the menu item VPN -> General.
2.2) Enable the function Virtual Private Network and set the option Establishment of net relationships (SAs) to the option Collectively with KeepAlive so that net relations are established correctly and according to the same schema.
2.3) Open the menu item VPN -> IKEv2/IPSec and click the button Authentication.
2.4) Click on the Add... button to create a new entry.
2.5) Enter the information for the authentication of the VPN connection into the configuration window.
  • Name:
    Enter the name for the authentication here. This entry is used later in the VPN connection list (see step 2.8).
  • Local authentication:
    Select the authentication type used on the router at the branch office. This example uses authentication by pre-shared key (PSK).
  • Local identifier type:
    Select the identifier type used on the router at the branch office. In this example, the identity type was set to E-mail address (FQUN).
  • Local identifier:
    Set the local identifier. In this example, the LANCOM router at the branch office uses the local identity office@company.com.
  • Local password:
    Set the pre-shared key to be used to authenticate at the router at the branch office. This password must match the one configured in step 1.5.
  • Remote authentication:
    Select the authentication type used by the LANCOM router at the headquarters. This example uses authentication by pre-shared key (PSK).
  • Remote identifier type:
    Select the identifier type used on the router at the headquarters. In this example, the identity type was set to E-mail address (FQUN).
  • Remote identifier:
    Set the remote identifier. In this example, the LANCOM router at the headquarters uses the remote identity headquarter@company.com.
  • Remote password:
    Set the pre-shared key to be used to authenticate at the router at the headquarters. This password must match the one configured in step 1.5.

2.6) Open the menu item VPN -> IKEv2/IPSec and click the button Connection list.
2.7) Click on the Add... button to create a new entry.
2.8) Enter the following information into the configuration dialog:
  • Connection name:
    Enter a name for the VPN connection. This name is used later in the routing table (see step 2.10).
  • Short hold time:
    Specify the short-hold time in seconds for the VPN connection. In this example, a value of 9999 seconds is entered into the LANCOM router at the branch office. This means that this router actively establishes the VPN connection.
  • Gateway:
    Specify the public IPv6 address of the LANCOM router at the headquarters. In this example, this is the IPv6 address fd00::a.
  • Authentication:
    Select the authentication. The entry here corresponds to the name of the authentication that you set in step 2.5.
  • Rule creation:
    In this example, rule creation is performed automatically (default setting).

2.9) Navigate to the menu IP router -> Routing -> IPv4 routing table.
2.10) Add a new routing entry.
  • As the IP address, enter the address of the local network at the headquarters. In this example it is 192.168.1.0.
  • The netmask needs to be set to the value 255.255.255.0 as the local network at the headquarters is a class C network.
  • For the Router field, select the identification of the VPN remote station (in this case: HEADQUARTERS).
  • IP masquerading is switched off for this entry.

2.11) Write the configuration back to the LANCOM router at the branch office.
After the configuration has been written back to the LANCOM router at the branch office, the VPN connection can be established between the two LANCOM routers. You can check this for example by loading the two LANCOM routers into the LANmonitor.
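
A consistency check for the two configurations described in steps 1 and 2, as an added example that is not part of the original article or of any LANCOM tool: it verifies that identifiers, pre-shared keys, gateways and routes mirror each other and that at least one side initiates. The dictionary field names are hypothetical and all values are constructed from the scenario above.

```python
import ipaddress

# Constructed values mirroring the article's scenario. The field names are
# hypothetical and are not LANCOM configuration keys.
HQ = {
    "local_id": "headquarter@company.com", "remote_id": "office@company.com",
    "local_psk": "constructed-psk-hq", "remote_psk": "constructed-psk-office",
    "wan": "fd00::a", "gateway": "fd00::b", "short_hold": 0,
    "lan": "192.168.1.0/24", "route": ("192.168.2.0", "255.255.255.0"),
}
BRANCH = {
    "local_id": "office@company.com", "remote_id": "headquarter@company.com",
    "local_psk": "constructed-psk-office", "remote_psk": "constructed-psk-hq",
    "wan": "fd00::b", "gateway": "fd00::a", "short_hold": 9999,
    "lan": "192.168.2.0/24", "route": ("192.168.1.0", "255.255.255.0"),
}


def check_pair(a, b, names=("headquarters", "branch office")):
    """Return a list of mismatches between the two peers' settings."""
    problems = []
    for (x, nx), (y, ny) in (((a, names[0]), (b, names[1])),
                             ((b, names[1]), (a, names[0]))):
        # Steps 1.5/2.5: each side's "local" values are the peer's "remote" ones.
        if x["local_id"] != y["remote_id"]:
            problems.append(f"{nx} local identifier != {ny} remote identifier")
        if x["local_psk"] != y["remote_psk"]:
            problems.append(f"{nx} local pre-shared key != {ny} remote pre-shared key")
        # Steps 1.8/2.8: the gateway must be the peer's WAN address.
        # ip_address() normalises spelling, so FD00:0::A equals fd00::a.
        if ipaddress.ip_address(x["gateway"]) != ipaddress.ip_address(y["wan"]):
            problems.append(f"{nx} gateway is not the {ny} WAN address")
        # Steps 1.10/2.10: the route must cover the peer's LAN.
        route = ipaddress.ip_network("/".join(x["route"]))
        if route != ipaddress.ip_network(y["lan"]):
            problems.append(f"{nx} route {route} is not the {ny} LAN")
    # A short hold time of 0 means the router never initiates the tunnel.
    if a["short_hold"] == 0 and b["short_hold"] == 0:
        problems.append("both short hold times are 0: neither side initiates")
    return problems


if __name__ == "__main__":
    for line in check_pair(HQ, BRANCH) or ["configurations are consistent"]:
        print(line)
```

The messages name the mismatching field but never print the key material itself.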
Note:
If problems occur during connection establishment, or if the established VPN connection does not work properly, a VPN Status Trace can help with the diagnosis. Information is available in the following KnowledgeBase article: Traces - VPN status trace explained