Description:

This article describes how a route-based IKEv2 connection can be set up between two LANCOM R&S®Unified Firewalls.

Setting up a policy-based IKEv2 VPN connection between two Unified Firewalls is described in the following knowledge base article:

Setting up a policy-based IKEv2 VPN connection (site-to-site) between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.4)


The differences between policy-based and route-based IPSec are described in the following Knowledge Base article:

Differences between policy-based and route-based IPSec with LANCOM R&S®Unified Firewalls

Requirements:

  • LANCOM R&S®Unified Firewall as of LCOS FX 10.4
  • A configured and functional Internet connection on each Unified Firewall
  • Web browser for configuring the Unified Firewall.

    The following browsers are supported:
    • Google Chrome
    • Chromium
    • Mozilla Firefox


Scenario:

The Unified Firewalls are connected directly to the Internet and have a public IPv4 address:

  • A company wants to connect its branch office, which operates a LANCOM R&S®Unified Firewall, via an IKEv2 site-to-site connection to the company headquarters, which also operates a LANCOM R&S®Unified Firewall.
  • The headquarters has an Internet connection with the fixed public IP address 82.82.82.1.
  • The branch office has an Internet connection with the fixed public IP address 81.81.81.1.
  • The Unified Firewall at the headquarters should establish the VPN connection to the branch office.
  • The local network at the headquarters has the IP address range 192.168.100.0/24.
  • The local network at the branch office has the IP address range 192.168.200.0/24.

If the Unified Firewall uses an upstream LANCOM router to connect to the Internet, then the upstream device has to be set to forward its inbound UDP ports 500 and 4500 to the WAN IP address of the Unified Firewall. If the router is from a different manufacturer, the ESP protocol must also be forwarded to the Unified Firewall.


Procedure:

1) Configuration steps on the Unified Firewall at the headquarters:

1.1) Configuring the VPN connection on the Unified Firewall at the headquarters:

1.1.1) Connect to the configuration interface of the Unified Firewall and go to the menu VPN → IPsec → IPsec Settings.

1.1.2) Enable IPsec using the slider and then click Save.


1.1.3) Go to the menu VPN → IPsec → Connections and click on the “+” icon to create a new IPsec connection.

1.1.4) Modify the following parameters:

  • Name: Enter a descriptive name for the VPN connection (in this example IKEv2_S2S_UF-Office).
  • Security Profile: Choose a security profile (in this example LANCOM LCOS Default IKEv2).
  • Connection: From the drop-down menu, select the Network connection used for the Internet connection.
  • Remote Gateways: Enter the public IP address or public DNS name of the branch office (in this example 81.81.81.1).
  • Initiate Connection: Enable this option so that the Unified Firewall at the headquarters establishes the VPN connection.

If you have created your own template or security profile, you can use it here.

Do not use the ready-made security profile IKEv2 Suite-B-GCM-256 (RFC 6379) as both the IKE and the IPsec lifetime values (SA lifetime) are set to 0. This can lead to connection problems.

1.1.5) Go to the Tunnels tab and modify the following parameters:

  • Local Networks: Here you enter the local networks (in CIDR notation) that the branch office should access. In this example, the local network at the headquarters has the IP address range 192.168.100.0/24.
  • Remote Networks: Here you enter the remote local-area networks (in CIDR notation) that the headquarters should access. In this example, the local network at the branch office has the IP address range 192.168.200.0/24.


1.1.6) Go to the Authentication tab and modify the following parameters:

  • Authentication Type: Use the drop-down menu to select the option PSK (Preshared Key).
  • PSK (Preshared Key): Enter a pre-shared key for this connection (in this example Password123).
  • Local Identifier: Set the local identifier (in this example UF@Headquarter).
  • Remote Identifier: Set the remote identifier (in this example UF@Office).

The local and remote identifiers must not match!

1.1.7) Go to the Routing tab and enable the option Route-based IPsec. Then click Create.


1.2) Create the routing entry for the VPN connection: 

The following steps must be repeated for each additional local or remote network.

1.2.1) Go to the menu Network → Routing → Routing Tables and, in Table 254, click on the “pencil” icon to edit the table.


1.2.2) Click on the “+” icon to create a routing entry.


1.2.3) Modify the following parameters and click OK:

  • Interface: From the drop-down menu, select the VPN connection created in step 1.1 (in this example IKEv2_S2S_UF-Office).
  • Destination: Enter the target network at the branch office in CIDR notation, in this example 192.168.200.0/24.


1.2.4) Click Save.


1.2.5) Acknowledge the warning message by clicking Save Anyway.



1.3) Allow communications using firewall rules:

1.3.1) In the menu bar for the desktop objects, click the icon to create a new VPN network.


1.3.2) Modify the following parameters and then click Create:

  • Name: Enter a descriptive name for the VPN network (in this example IKEv2_S2S_UF-Office).
  • Connection Type: Check that the option IPsec is selected.
  • IPsec Connection: From the drop-down menu, select the VPN connection created in step 1.1.
  • Remote Networks: Select whether to use all configured remote networks or specific networks.


1.3.3) For the VPN network created in step 1.3.2, click the “connection tool” and then click on the network object for the local network with which you want to communicate via the VPN connection.

Repeat this step for each additional network with which you want to communicate via the VPN connection.


1.3.4) Use the “+” icon to assign the required protocols to the connection, and then click Create.

A Unified Firewall uses a deny-all strategy. You therefore have to explicitly allow communication.

1.3.5) Finally, implement the configuration changes by clicking Activate in the firewall.

1.3.6) This concludes the configuration steps on the Unified Firewall at the headquarters.



2) Configuration steps on the Unified Firewall at the branch office:

2.1) Configuring the VPN connection on the Unified Firewall at the branch office:

2.1.1) Connect to the configuration interface of the Unified Firewall and go to the menu VPN → IPsec → IPsec Settings.

2.1.2) Enable IPsec using the slider and then click Save.

2.1.3) Go to the menu VPN → IPsec → Connections and click on the “+” icon to create a new IPsec connection.

2.1.4) Modify the following parameters:

  • Name: Enter a descriptive name for the VPN connection (in this example IKEv2_S2S_UF-Headquarter).
  • Security Profile: Choose a security profile (in this example LANCOM LCOS Default IKEv2).
  • Connection: From the drop-down menu, select the Network connection used for the Internet connection.
  • Remote Gateways: Enter the public IP address or public DNS name of the headquarters (in this example 82.82.82.1).

If you have created your own template or security profile, you can use it here.

Do not use the ready-made security profile IKEv2 Suite-B-GCM-256 (RFC 6379) as both the IKE and the IPsec lifetime values (SA lifetime) are set to 0. This can lead to connection problems.

2.1.5) Change to the Tunnels tab and modify the following parameters:

  • Local Networks: Here you enter the local networks (in CIDR notation) that the headquarters should reach. In this example, the local network at the branch office has the IP address range 192.168.200.0/24.
  • Remote Networks: Here you enter the remote local-area networks (in CIDR notation) that the branch office should access. In this example, the local network at the headquarters has the IP address range 192.168.100.0/24.


2.1.6) Go to the Authentication tab and modify the following parameters:

  • Authentication Type: Select the option PSK (Preshared Key).
  • PSK (Preshared Key): Enter a pre-shared key for this connection (in this example Password123).
  • Local Identifier: Set the local identifier (in this example UF@Office).
  • Remote Identifier: Set the remote identifier (in this example UF@Headquarter).

The local and remote identifiers must not match!

2.1.7) Go to the Routing tab and enable the option Route-based IPsec. Then click Create.



2.2) Create the routing entry for the VPN connection:

2.2.1) Go to the menu Network → Routing → Routing Tables and, in Table 254, click on the “pencil” icon to edit the table.

2.2.2) Click the “+” icon to create a routing entry.


2.2.3) Modify the following parameters and click OK:

  • Interface: From the drop-down menu, select the VPN connection created in step 2.1 (in this example IKEv2_S2S_UF-Headquarter).
  • Destination: Enter the target network at the headquarters in CIDR notation, in this example 192.168.100.0/24.


2.2.4) Click Save.


2.2.5) Acknowledge the warning message by clicking Save Anyway.



2.3) Allow communications using firewall rules:

2.3.1) In the menu bar for the desktop objects, click the icon to create a new VPN network.

2.3.2) Modify the following parameters and then click Create:

  • Name: Enter a descriptive name for the VPN network (in this example IKEv2_S2S_UF-Headquarter).
  • Connection Type: Check that the option IPsec is selected.
  • IPsec Connection: From the drop-down menu, select the VPN connection created in step 2.1.
  • Remote Networks: Select whether to use all configured remote networks or specific networks.


2.3.3) For the VPN network created in step 2.3.2, click the “connection tool” and then click on the network object for the local network with which you want to communicate via the VPN connection.

Repeat this step for every network that the branch should be able to access.

2.3.4) Use the “+” icon to assign the required protocols to the connection, and then click Create.

A Unified Firewall uses a deny-all strategy. You therefore have to explicitly allow communication.

2.3.5) Finally, implement the configuration changes by clicking Activate in the firewall.

2.3.6) This concludes the configuration steps on the Unified Firewall at the branch office.
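As an added example (not part of the LANCOM article and not the firewall's own configuration schema), the following Python check models both sides of the scenario above and flags the mismatches that typically break a route-based IKEv2 tunnel: gateways and networks that do not mirror each other, identifiers that do not cross-match, a security profile with an SA lifetime of 0, and a missing route in table 254. The Site class, its field names and the lifetime values are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field, replace

@dataclass
class Site:
    public_ip: str          # this side's public WAN address
    remote_gateway: str     # "Remote Gateways" entry: the peer's public address
    local_networks: list    # Tunnels tab, CIDR strings
    remote_networks: list   # Tunnels tab, CIDR strings
    psk: str
    local_id: str
    remote_id: str
    route_based: bool       # Routing tab: "Route-based IPsec" enabled
    lifetimes: tuple        # (IKE lifetime, IPsec SA lifetime) in seconds; 0 is the Suite-B pitfall
    vpn_interface: str      # name of the IPsec connection used as route interface
    routes: dict = field(default_factory=dict)  # table 254: destination CIDR -> interface

def check_pair(a: Site, b: Site) -> list:
    """Return the mismatches between the two sides (empty list = consistent)."""
    problems = []
    for x, y, tag in ((a, b, "HQ"), (b, a, "branch")):
        if x.remote_gateway != y.public_ip:
            problems.append(f"{tag}: remote gateway is not the peer's public IP")
        if set(x.remote_networks) != set(y.local_networks):
            problems.append(f"{tag}: remote networks do not mirror the peer's local networks")
        if x.remote_id != y.local_id or x.local_id == x.remote_id:
            problems.append(f"{tag}: identifiers must cross-match and must not be equal")
        if not x.route_based:
            problems.append(f"{tag}: Route-based IPsec is not enabled")
        if 0 in x.lifetimes:
            problems.append(f"{tag}: security profile has an SA lifetime of 0")
        for net in x.remote_networks:   # every remote network needs a route via the tunnel
            if x.routes.get(net) != x.vpn_interface:
                problems.append(f"{tag}: table 254 has no route for {net} via {x.vpn_interface}")
    if a.psk != b.psk:
        problems.append("pre-shared keys differ")
    return problems

# Constructed sample matching the article's scenario; the lifetimes are placeholder values.
HQ = Site("82.82.82.1", "81.81.81.1", ["192.168.100.0/24"], ["192.168.200.0/24"], "Password123",
          "UF@Headquarter", "UF@Office", True, (28800, 3600), "IKEv2_S2S_UF-Office",
          {"192.168.200.0/24": "IKEv2_S2S_UF-Office"})
BRANCH = Site("81.81.81.1", "82.82.82.1", ["192.168.200.0/24"], ["192.168.100.0/24"], "Password123",
              "UF@Office", "UF@Headquarter", True, (28800, 3600), "IKEv2_S2S_UF-Headquarter",
              {"192.168.100.0/24": "IKEv2_S2S_UF-Headquarter"})

def demo() -> dict:
    # Valid pair plus two deliberately broken branch configs (Suite-B lifetimes, missing route).
    return {"ok": check_pair(HQ, BRANCH),
            "suite_b": check_pair(HQ, replace(BRANCH, lifetimes=(0, 0))),
            "no_route": check_pair(HQ, replace(BRANCH, routes={}))}
```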