
...

This article describes how to set up a certificate-based IKEv2 VPN connection between two LANCOM R&S®Unified Firewalls.

Info

The certificate module was updated in LCOS FX 10.7, therefore the corresponding menus differ compared to older LCOS FX versions. The configuration of a certificate-based IKEv2 connection between two Unified Firewalls as of LCOS FX 10.7 is described in the following article:

Setting up a certificate-based IKEv2 VPN connection between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.7)



Requirements:

  • Two LANCOM R&S® Unified Firewalls with LCOS FX as of version 10.4 up to and including LCOS FX 10.6
  • A configured and functional Internet connection on the two Unified Firewalls
  • Web browser for configuring the Unified Firewall.

    The following browsers are supported:
    • Google Chrome
    • Chromium
    • Mozilla Firefox

...

  • A certificate-based IKEv2 VPN connection should be set up between two Unified Firewalls (headquarters and branch office).
  • The Unified Firewall at the headquarters has the local network 192.168.1.0/24.
  • The Unified Firewall at the branch office has the local network 192.168.2.0/24.
  • The Unified Firewall at the headquarters has the fixed public IP address 81.81.81.81.
  • The Unified Firewall at the branch office has the fixed public IP address 80.80.80.80.

...

  • A certificate-based IKEv2 VPN connection should be set up between two Unified Firewalls (headquarters and branch office).
  • The Unified Firewall at the headquarters has the local network 192.168.1.0/24.
  • The Unified Firewall at the branch office has the local network 192.168.2.0/24.
  • The Unified Firewall at the headquarters is connected to a router, which establishes the Internet connection. It has the fixed public IP address 81.81.81.81.
  • The Unified firewall at the branch office is connected to a router, which establishes the Internet connection. It has the fixed public IP address 80.80.80.80.

...

  • Type: From the drop-down menu, select the option CA for VPN/web-server certificate.
  • Private Key Encryption: Make sure that the option RSA is selected.
  • Private Key Size: From the drop-down menu, select the option 4096 bit.
  • Common Name (CN): Set a descriptive common name for the CA (in this example IKEv2_CA).
  • Validity: Select a validity period for this CA. A CA usually requires a long period of validity, which is why it is set to 5 years in this example.
  • Private key password: Set a password for the private key. This is used to encrypt the private key.

...

  • Type: From the drop-down menu, select the option VPN certificate.
  • Signing CA: From the drop-down menu, select the CA created in step 1.1.2.
  • Private Key Encryption: Make sure that the option RSA is selected.
  • Private Key Size: From the drop-down menu, select the option 4096 bit.
  • Common Name (CN): Set a descriptive common name for the certificate at the headquarters (in this example IKEv2_Headquarter).
  • Validity: Select a validity period for this certificate. A VPN certificate for a site-to-site VPN connection usually requires a long period of validity, which is why it is set to 5 years in this example.
  • CA password: Enter the private key password set in step 1.1.2.
  • Private key password: Set a password for the private key. This is used to encrypt the private key of the VPN certificate.

1.1.4) Next, create a VPN certificate for the branch office. Modify the following parameters for it and then click Create:

  • Type: From the drop-down menu, select the option VPN certificate.
  • Signing CA: From the drop-down menu, select the CA created in step 1.1.2.
  • Private Key Encryption: Make sure that the option RSA is selected.
  • Private Key Size: From the drop-down menu, select the option 4096 bit.
  • Common Name (CN): Set a descriptive common name for the certificate at the branch office (in this example IKEv2_Office).
  • Validity: Select a validity period for this certificate. A VPN certificate for a site-to-site VPN connection usually requires a long period of validity, which is why it is set to 5 years in this example.
  • CA password: Enter the private key password set in step 1.1.2.
  • Private key password: Set a password for the private key. This is used to encrypt the private key of the VPN certificate.

1.1.5) Under Certificate management, go to the certificate of the branch office and click the export button.
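To see what the certificate module produces in steps 1.1.2 to 1.1.4, the same PKI (an RSA-4096 CA with an encrypted private key, two CA-signed VPN certificates with the CNs IKEv2_Headquarter and IKEv2_Office, 5-year validity) can be rebuilt with OpenSSL. This is an added example, not code from the LANCOM article; it assumes a POSIX shell with OpenSSL 1.1.1 or newer, and the passwords and scratch directory are constructed values. It also shows the trust decision each firewall makes about the peer certificate: a certificate that merely carries the right CN but is not signed by the shared CA is rejected.

```shell
# Added example, not from the LANCOM article: rebuild the PKI of steps 1.1.2 to 1.1.4
# with OpenSSL (>= 1.1.1 assumed) and verify certificates the way the IKEv2 peers do.
set -eu
WORK="${WORK:-$(mktemp -d)}"   # scratch directory (constructed), holds keys and certs
DAYS=1825                       # 5 years, as chosen in the article
CA_PASS="ca-secret"             # constructed sample passwords, not from the article
HQ_PASS="hq-secret"
BR_PASS="branch-secret"

# Step 1.1.2: self-signed CA with an RSA-4096 key; the key file is encrypted with CA_PASS
make_ca() {
  openssl req -x509 -newkey rsa:4096 -sha256 -days "$DAYS" -subj "/CN=IKEv2_CA" \
    -passout "pass:$CA_PASS" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}
# Steps 1.1.3 / 1.1.4: VPN certificate with CN $1, signed by the CA (needs CA_PASS);
# its own RSA-4096 key is encrypted with $2, the "private key password"
make_vpn_cert() {
  openssl req -new -newkey rsa:4096 -sha256 -subj "/CN=$1" -passout "pass:$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -passin "pass:$CA_PASS" -CAcreateserial -days "$DAYS" -sha256 \
    -out "$WORK/$1.crt" >/dev/null 2>&1
}
# A self-signed certificate that only reuses the branch office CN: must be rejected
make_rogue_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=IKEv2_Office" \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" >/dev/null 2>&1
}
# The trust decision: does certificate $1 chain to our CA? (exit status 0 = yes)
verify_against_ca() {
  openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}
# Print the CN of certificate $1, the identity an IKEv2 peer presents
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//; s/^CN=//'
}

make_ca
make_vpn_cert IKEv2_Headquarter "$HQ_PASS"
make_vpn_cert IKEv2_Office "$BR_PASS"
make_rogue_cert
for c in IKEv2_Headquarter IKEv2_Office rogue; do
  if verify_against_ca "$WORK/$c.crt"; then r=accepted; else r=rejected; fi
  echo "$c.crt (CN=$(cert_cn "$WORK/$c.crt")) $r by CA IKEv2_CA"
done
```

Passwords given as `pass:` arguments are visible in the process list; on a shared host use `-passout file:` or `env:` instead.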

...

  • Local networks: Use the “+” icon to store the network address of the local network at the headquarters in CIDR notation (in this example 192.168.1.0/24).
  • Remote Networks: Use the “+” icon to store the network address of the local network of the branch office in CIDR notation (in this example 192.168.2.0/24).

...

  • Authentication Type: Make sure that the drop-down menu is set to the option Certificate.
  • Local certificate: From the drop-down menu, select the certificate for the headquarters created in step 1.1.3.
  • Extended Authentication: Make sure that the option No Extended Authentication is selected.
  • Remote Certificate: From the drop-down menu, select the certificate for the branch office created in step 1.1.4.

1.2.7) Click the button Click to create a VPN network.

1.2.8) Modify the following parameters and click Create:

...

  • Name: Set a descriptive name for the VPN connection (in this example IKEv2_Headquarter).
  • Security Profile: From the drop-down menu, select the security profile LANCOM LCOS Default IKEv2. If necessary, you can use a different profile at both ends.
  • Connection: Use the drop-down menu to select the Internet connection (in this example Internet).
  • Remote Gateway: Enter the IP address or the DNS name of the Unified Firewall at the headquarters (in this example the IP address 81.81.81.81).
  • Set the checkmark next to Initiate Connection, so that the Unified Firewall at the branch office establishes the VPN connection.

...

  • Local networks: Use the “+” icon to store the network address of the local network at the branch office in CIDR notation (in this example 192.168.2.0/24).
  • Remote Networks: Use the “+” icon to store the network address of the local network of the headquarters in CIDR notation (in this example 192.168.1.0/24).

...

  • First port: Specify the port 500.
  • Last port: Specify the port 500.
  • Intranet address: Specify the IP address of the Unified Firewall in the intermediate network between the Unified Firewall and the LANCOM router.
  • Protocol: From the drop-down menu, select UDP.


3.3) Create a further entry and specify the UDP port 4500.


3.4) Write the configuration back to the router.