Description:

This document describes how to manually set up a VPN site-to-site connection between two LANCOM routers, i.e. without using the Setup Wizard. The VPN connection is to be established in the main mode.
To use main mode connections, both ends of the connection require a public IPv6 address for authentication. A DynDNS entry is considered to be fixed public IPv6 address.

In 2019 the IETF (Internet Engineering Task Force) has designated IKEv1 as deprecated and insecure and therefore it should not be used anymore. LANCOM Systems instead recommends to use the current standard IKEv2.

The IKEv1 functionality in LANCOM devices remains intact and can still be used for scenarios where devices without IKEv2 support are used. However LANCOM Systems will not provide any support regarding the troubleshooting of connection problems with IKEv1 connections. Also there won't be any bug fixes or new features for IKEv1.

In rare cases a disconnect can occur during rekeying. In such a case it can be useful to increase the lifetimes, so that the disconnects occur less often.

The configuration of an IPv6 based IKEv2 connection between two LANCOM routers with IPv6 Internet connection is described in this Knowledge Base article.



Requirements:


Scenario:
  • A company wishes to interconnect the local IPv6 networks at their headquarters and at a branch office by means of an IKEv1 site-to-site VPN connection.
  • Both sites have a LANCOM router as their gateway and an Internet connection with a public IPv6 address. The public IPv6 address of the Headquarters is fd00::a, and the branch office is fd00::b.
  • The VPN connection is established from the branch office to the headquarters.
  • The local IPv6 network at the headquarters has the IP address range 2001:db8:a::/64, and the branch office uses the local IPv6 address range 2001:db8:b::/64.


Procedure:
1) Manual configuration of the LANCOM router at the headquarters:
1.1) Open the configuration for the LANCOM router at the branch office and switch to the menu item VPN → IKE/IPSec.
1.2) Click the IKE proposal lists button.
1.3) Create a new IKE proposal list. Name it OFFICE and fill out the proposal list with the IKE proposals that should be used. You can enter one or several IKE proposals.

From the list of proposals, the first IKE proposal that matches at both ends of the VPN connection is used to establish the IKE Phase 1.

1.4) Click the IPSec proposal lists button.
1.5) Create a new IPSec proposal list. Name it OFFICE and fill out the proposal list with the IPSec proposals that should be used. You can enter one or several IPSec proposals.

From the list of proposals, the first IPSec proposal that matches at both ends of the VPN connection is used to establish the IPSec Phase 2.

1.6) Click the IKE keys and identities button.
1.7) Create a new entry. Enter the identification OFFICE and, in the preshared key box, enter a sufficiently secure password.
You can use the button Generate password to select a password strength and then automatically generate a password corresponding to this strength. We recommend that you use the setting Maximum here.
If you select User defined , you can influence the automatically generated password in the Settings pane, although for security reasons you should not change the default settings .
  • Name: Enter the name here.
  • Local identifier type: Select the identifier type used on the router at the headquarters. In this example, the identity type was set to E-Mail address (FQUN) .
  • Local identifier: Set the local identifier. In this example, the LANCOM router at the headquarters uses the local identity headquarter@test.de.
  • Remote identifier type: Select the identifier type used on the router at the branch office. In this example, the identity type was set to E-mail address (FQUN).
  • Remote identifier: Set the remote identifier. In this example, the LANCOM router at the branch office uses the remote identity office@test.de.

1.8) Switch to the menu VPN → General.
  • Enable the VPN feature of the LANCOM router.
  • Set the option Establ. of net relationships (SAs) to the value Collectively with KeepAlive.
1.9) Then click the Connection parameters button.
1.10) Add a new entry. Enter the identification OFFICE and select the entries of the same name for the IKE proposals, IKE key and IPSec proposals.
The PFS and IKE groups in this example are each set to the default group 2 (MODP-1024). You can change these value to suit your needs. However, make sure that both ends of the VPN connection are set with the same PFS and IKE groups.
1.11) Click the Connection list button.
1.12) Add a new entry. Set the name to OFFICE and select the values for the fields as follows:
  • The LANCOM router at the headquarters will be accepting the VPN connection, so the value for the short-hold time must be set to 0 seconds here.
  • The Dead Peer Detection is used for monitoring the VPN connection. Enter the value of 60 seconds here. For more information about the Dead Peer Detection, see the following KnowledgeBase article Dokumentlinksymbol .
  • In the field for the remote Gateway, you need to enter the public IPv6 address of the LANCOM router at the branch office. In this example it is fd00::b.
  • Set the Connection parameters to OFFICE.
  • The Rule creation is carried out automatically in this example.
  • The IKE exchange mode needs to be set to the option Main mode.
1.13) Navigate to the menu IP router → Routing → IPv6 routing table.
1.14) Add a new routing entry.
  • As the IPv6 address, enter the address of the local IPv6 network at the branch office. In this example it is 2001:db8:b: : /64.
  • For the Router field, select the identification of the VPN remote station (in this case: OFFICE).
1.15) Switch to the menu IPv6 → General → WAN interfaces.
1.16) Add a new entry. Set the Interface as the VPN connection OFFICE. The option Firewall for this interface must be disabled.
1.17) Open the menu Firewall/QoS → IPv6 rules → IPv6 inbound rules and add a new firewall rule.

This firewall rule is required in order for data transmission via the VPN connection from the remote station (in this case OFFICE) to be allowed.

1.18) In the Name field, enter a descriptive name.
  • Set the Priority to the value 1.
  • Set the Action to ACCEPT.
  • In the field Server services, set the object to ANY.
  • In the field Source stations, enter the name of the VPN connection to the office.

1.19) Write the configuration back to the LANCOM router at the headquarters.


2) Manual configuration of the LANCOM router at the branch office:
2.1) Open the configuration for the LANCOM router at the branch office and switch to the menu item VPN → IKE/IPSec.
2.2) Click the IKE proposal lists button.
2.3) Create a new IKE proposal list. Name it HEADQUARTERS and fill out the proposal list with the IKE proposals that should be used. You can enter one or several IKE proposals.

Make sure that the same IKE proposals are entered into this list as those used by the LANCOM router at the headquarters (see step 1.3).

2.4) Click the IPSec proposal lists button.

2.5) Create a new IPSec proposal list. Name it HEADQUARTERS and fill out the proposal list with the IPSec proposals that should be used. You can enter one or several IPSec proposals.

Make sure that the same IPSec proposals are entered into this list as those used by the LANCOM router at the headquarters (see step 1.5).

2.6) Click the IKE keys and identities button.

2.7) Create a new entry. Set the identification to HEADQUARTERS and enter the same password into the Preshared key field as that used by the LANCOM router at the headquarters (see step 1.7).
  • Name: Enter the name here.
  • Local identifier type: Select the identifier type used on the router at the headquarters. In this example, the identity type was set to E-mail address (FQUN).
  • Local identifier: Set the local identifier. In this example, the LANCOM router at the branch office uses the local identity office@test.de.
  • Remote identifier type: Select the identifier type used on the router at the branch office. In this example, the identity type was set to E-mail address (FQUN).
  • Remote identifier: Set the remote identifier. In this example, the LANCOM router at the headquarter uses the remote identity headquarter@test.de.
2.8) Switch to the menu VPN → General.
  • Enable the VPN feature of the LANCOM router.
  • Set the option Establ. of net relationships (SAs) to the value Collectively with KeepAlive.
2.9) Then click the Connection parameters button.
2.10) Add a new entry. Enter the identification HEADQUARTERS and select the entries of the same name for the IKE proposals, IKE key and IPSec proposals.
The PFS and IKE groups in this example are each set to the default group 2 (MODP-1024). You can change these value to suit your needs. However, make sure that both ends of the VPN connection are set with the same PFS and IKE groups.
2.11) Click the Connection list button.
2.12) Add a new entry. Set the name to HEADQUARTERS and select the values for the fields as follows:
  • The LANCOM router at the branch office will be actively establishing the VPN connection to the headquarters, so the value for the short-hold time must be set to 9,999 seconds here.
  • The Dead Peer Detection is used for monitoring the VPN connection. Enter the value of 60 seconds here.
  • In the field for the remote Gateway, you need to enter the public IP address of the LANCOM router at the HEADQUARTERS. In this example it is fd00::a.
  • Set the Connection parameters to HEADQUARTER.
  • The Rule creation is carried out automatically in this example.
  • The IKE exchange mode needs to be set to the option Main mode.
2.13) Navigate to the menu IP router → Routing → IPv6 routing table.
2.14) Add a new routing entry.
  • As the IPv6 address, enter the address of the local IPv6 network at the headquarters. In this example it is 2001:db8:a::/64.
  • For the Router field, select the identification of the VPN remote station (in this case: HEADQUARTERS).
2.15) Switch to the menu IPv6 → General → WAN interfaces.
2.16) Add a new entry. Set the Interface as the VPN connection HEADQUARTERS. The option Firewall for this interface must be disabled.
2.17) Open the menu Firewall/QoS → IPv6 rules → IPv6 inbound rules and add a new firewall rule.

This firewall rule is required in order for data transmission via the VPN connection from the remote station (in this case HEADQUARTERS) to be allowed.

2.18) In the Name field, enter a descriptive name.
  • Set the Priority to the value 1.
  • Set the Action to ACCEPT.
  • In the field Server services, set the object to ANY.
  • In the field Source stations, enter the name of the VPN connection to the headquarters.
2.19) Write the configuration back to the LANCOM router at the branch office.
After the configuration has been written back to the LANCOM router at the branch office, the VPN connection can be established between the two LANCOM routers. You can check this for example by loading the two LANCOM routers into the LANmonitor.

If problems occur during connection establishment, or if the established VPN connection does not work properly, a VPN Status Trace can help with the diagno sis. Information is available in this Knowledge Base article .

All LANCOM products and software versions are subject to LANCOM Software Lifecycle Management.
You can find information on our website at https://www.lancom-systems.com/products/firmware/software-lifecycle-management

© 2025 LANCOM Systems GmbH