This document uses an example configuration to describe how you enable a CA (certificate authority) on a LANCOM router and how the CA helps you to create and use new certificates for a VPN connection between two LANCOM routers.
Certificate distribution is carried out
via
via SCEP (simple certificate enrollment protocol).
LANCOM central-site gateway, WLAN controller, or LANCOM router with an activated VPN 25 Option
Scenario:
A company wishes to interconnect the local networks at their headquarters and at a branch office by means of a site-to-site VPN connection.
Both sites have a LANCOM router as their gateway and an Internet connection. The public IP addressof the Headquartersis 80.80.80.80, and the branch office is 81.81.81.81.
The VPN connection is established from the branch office to the headquarters.
The local network at the headquartershas the IP address range 192.168.1.0/24, and the branch officeuses the local IP address range 192.168.2.0/24.
Authentication is to be realized via certificates, which are distributed using SCEP by the LANCOM router at the headquarters.
Image Removed
Image Added
Procedure:
1) Setting up the certificate authority and the SCEP client functionality on the LANCOM router at the headquarters:
1.1) Open the configuration for the LANCOM router at the headquarters and switch to the menu
item
item Certificates
->
→ Cert. authority (CA).
1.2) Enable the
option
option Certification authority (CA) activeand set the LANCOM router as the principle certificate authority, the root CA.
Image Removed
Image Added
1.3) Navigate to
the
the Certificate handlingmenu and set a general challenge password. This is used if no dedicated password has been configured for the SCEP client.
Note:
Info
If the field is left empty the CA generates a random password.
Image Removed
Image Added
1.4) Navigate to
the
the SCEP clientmenu and enable the SCEP client usage.
1.5) Then click
the
the CA tablebutton.
Image Removed
Image Added
1.5) Add
a
a new entrywith the following parameters:
Note:
Info
If this device is a LANCOM WLAN controller, the list already contains an entry with the default name CONTROLLER_CA. In this case, there is no need to create a new entry in the table.
Name:The name can be freely selected and used to identify this device.
URL:The URL is constructed as follows: https://<IP address>/cgi-bin/pkiclient.exe.
Replace
the
the <IP address>with the IPv4 address where the CA is accessible from the WAN.
Since
Since the CA in this example is on the LANCOM router itself, which at the same time is the endpoint of the VPN connection, the URL is entered as https://127.0.0.1/cgi-bin/pkiclient.exe.
Set the Distinguished nameas the name of the CA. In this example, this is the default
name
name /CN=LANCOM CA/O=LANCOM SYSTEMS/C=DE.
Image Removed
Image Added
1.6) Then click the Certificate tablebutton.
Image Removed
Image Added
1.5) Add a new entrywith the following parameters:
·Name:The name can be freely selected and used to identify this device.
CA distinguished name:Set the Distinguished nameas the name of the CA. In this example, this is the default
name
name /CN=LANCOM CA/O=LANCOM SYSTEMS/C=DE.
Subject:Here you enter the certificate name to be used by the headquarters. This example uses the common name only (/CN=HEADQUARTER).
You need
this
this certificate namefor the configuration of the VPN connection on the router at the headquarters (as the local identity)and on the router at the branch office (as the remote identity).
Challenge password: In this example, we use the general challenge password. Here you enter the password that was set in step 1.3.
Key length: Select a key length. In this example we use a key length of 2048 bits.
Usage type:For certificate-based VPN connections, you need to specify the VPN certificate container in the device to which the certificate of the headquarters is to be loaded. In this example we use the container VPN1.
Image Removed
Image Added
2) Setting up the SCEP client on the LANCOM router at the branch office:
2.1) Navigate to
the
the SCEP clientmenu and enable the SCEP client usage.
2.2) Then click
the
the CA tablebutton.
Image Removed
Image Added
2.3) Add
a
a new entrywith the following parameters:
Name:The name can be freely selected and used to identify this device.
URL:The URL is constructed as follows: https://<IP address>/cgi-bin/pkiclient.exe. Replace the <IP address>with the IPv4 address where the CA is accessible from the WAN.
Since the CA in this example is located on the LANCOM router at the headquarters, the URL is entered
Set the Distinguished nameas the name of the CA. In this example, this is the default
name
name /CN=LANCOM CA/O=LANCOM SYSTEMS/C=DE.
Image Removed
Image Added
2.4) Click
the
the Certificate tablebutton.
Image Removed
Image Added
2.5) Add a new entrywith the following parameters:
Name:The name can be freely selected and used to identify this device.
CA distinguished name:Set the Distinguished nameas the name of the CA. In this example, this is the default name /CN=LANCOM CA/O=LANCOM SYSTEMS/C=DE
Subject:Here you enter the certificate name to be used by the branch office. This example uses the common name (CN) only (/CN=BRANCH).
You need
this
this certificate namefor the configuration of the VPN connection on the router at the branch office (as the local identity)and on the router at the headquarters (as the remote identity).
Challenge password: In this example, we use the general challenge password. Here you enter the password that was set in step 2.1.
Key length: Select a key length. In this example we use a key length of 2048 bits.
Usage type:For certificate-based VPN connections, you need to specify the VPN certificate container in the device to which the certificate of the headquarters is to be loaded. In this example we use the container VPN1.
Image Removed
Image Added
3) Configuring the VPN connection on the LANCOM router at the headquarters:
3.1) Start
the
the Setup Wizard on the router at the headquartersand select the option Connect two local area networks (VPN).
Image Removed
Image Added
3.2) The VPN connection should be established via an Internet connection.
Image Removed
Image Added
3.3) In this example,
we
we do not useIPSec-over-HTTPS.
Image Removed
Image Added
3.4) We
are
are not using a dynamic VPNconnection.
Image Removed
Image Added
3.5) Since both ends have
a
a static public IP address, you can select the first option.
Image Removed
Image Added
3.6) Set
your
your own identityto HEADQUARTER.
Image Removed
Image Added
3.7)
The
The name of the remote deviceis BRANCH.
Image Removed
Image Added
3.8)
The
The VPN connection authenticationis performed via Certificates (RSA signature).
Image Removed
Image Added
3.9) Set
a
a passwordfor the connection. This is used for communicating the IP address of the remote gateway.
Make a note of the password now as you will need it again for step 4.9.
Image Removed
Image Added
3.10) In this case, enter
the
the local identity as /CN=HEADQUARTERand the remote identity as /CN=BRANCH.
Image Removed
Image Added
3.11) Select the
option
option Optimized connection establishment.
Image Removed
Image Added
3.12) Since
the
the LANCOM router at the headquarters should accept the VPN connection, you need to choose the lower option and set the VPN short hold time to 0.
Image Removed
Image Added
3.13) In the next dialog, specify
the
the public IP address or FQDN of the router at the branch. In this example it is 81.81.81.81.
The
The local networkat the branchoffice has the IP address 192.168.2.0/24.
Image Removed
Image Added
3.14)Extranet VPNis not usedin this example.
Image Removed
Image Added
3.15)NetBIOSis not usedin this example.
Image Removed
Image Added
3.16) Click
on
on Finishto write the configuration back to the LANCOM router.
Image Removed
Image Added
4) Configuring the VPN connection on the LANCOM router at the branch:
4.1) Start
the
the Setup Wizard on the router at the branchand select the option Connect two local area networks (VPN).
Image Removed
Image Added
4.2) The VPN connection should be established via an Internet connection.
Image Removed
Image Added
4.3) In this example,
we
we do not useIPSec-over-HTTPS.
Image Removed
Image Added
4.4) We
are
are not using a dynamic VPNconnection.
Image Removed
Image Added
4.5) Since both ends have
a
a static public IP address, you can select the first option.
Image Removed
Image Added
4.6) Set
your
your own identityto BRANCH.
Image Removed
Image Added
4.7)
The
The name of the remote deviceis HEADQUARTER.
Image Removed
Image Added
4.8)
The
The VPN connection authenticationis performed via Certificates (RSA signature).
Image Removed
Image Added
4.9) In
the
the Passwordfield you have to enter the same password that you set in step 3.9.
Image Removed
Image Added
4.10) In this case, enter
the
the local identity as /CN=BRANCHand the remote identity as /CN=HEADQUARTER.
Image Removed
Image Added
4.11) Select the
option
option Optimized connection establishment.
Image Removed
Image Added
4.12) Since
the
the LANCOM router at the branch office should establish the VPN connection, you need to choose the upper option.
Image Removed
Image Added
4.13) In the next dialog, specify
the
the public IP address or FQDN of the router at the headquarters. In this example it is 80.80.80.80.
The
The local networkat the headquartershas the IP address 192.168.1.0/24.
Image Removed
Image Added
4.14)Extranet VPNis not usedin this example.
Image Removed
Image Added
4.15)NetBIOSis not usedin this example.
Image Removed
Image Added
4.16) Click
on
on Finishto write the configuration back to the LANCOM router.
Image Removed
Image Added
This concludes the configuration.After the configuration has been written back to the LANCOM router at the branch office, it immediately establishes the VPN connection to the router at the headquarters.
