Description: The use of certificates is an effective way to improve the security of VPN connections. Uploading the certificate to a router can be automated by a SCEP client (Simple Certificate Enrollment Protocol).
If a branch office should be prevented from establishing a VPN connection to the headquarters (for example, because the branch office is being closed down), the branch-office certificate can be revoked at the headquarters by means of OCSP (Online Certificate Status Protocol). The VPN connection can then no longer be re-established once the peer re-authenticates or the existing VPN connection is disconnected.
Using the IKE config mode for dial-in connections at the headquarters avoids the need to set up a dedicated VPN peer for every branch office.
This article describes how to manually set up an IKEv2 VPN connection between two LANCOM routers using OCSP and IKE config mode.
Requirements:
- Router with Certification Authority (CA) enabled. This is available on the following devices:
- Router with the VPN-25 option
- Configured and functional Internet access at the headquarters and the branch office
Scenario:
- A VPN connection is required between the branch office and the headquarters.
- The headquarters has an Internet connection with a fixed public IPv4 address.
- The branch office dials in to the headquarters using the IKE config mode.
Procedure:
1) Configuring the headquarters:
1.1) Activating the CA and the SCEP client:
1.1.1) In LANconfig, open the configuration of the router at the headquarters. Navigate to the menu Certificates -> Cert. authority (CA) and set a checkmark next to Certificate authority (CA) active. This allows the router to generate certificates with its own CA.
1.1.2) Save the CA distinguished name in a text file and keep it ready. It will be required for some other menus.
1.1.3) Change to the menu Certificates -> Certificate handling and save the General challenge password to a text file for later use.
The general challenge password is set automatically when the CA is activated (see step 1.1.1). This requires the configuration to be written back to the device after activating the CA.
1.1.4) Now change to the menu Certificates -> SCEP client and set a checkmark next to SCEP client usage activated.
1.1.5) Navigate to the menu Certificates -> SCEP Client -> CA table.
1.1.6) Create a new entry and enter the following information:
- Name: Enter a descriptive name.
- URL: Enter the URL in the format https://<IP address of the CA>/cgi-bin/pkiclient.exe. In this case the router itself is the CA, so you need to use the loopback address 127.0.0.1: https://127.0.0.1/cgi-bin/pkiclient.exe
- Distinguished name: Enter the CA distinguished name (see step 1.1.2).
- Activate the registration authority: Enable automatic approval (RA-Auto-Approve).
1.1.7) Navigate to the menu Certificates -> SCEP Client -> Certificate table.
1.1.8) Create a new entry and enter the following information:
- Name: Enter a descriptive name.
- CA distinguished name: Enter the CA distinguished name (see step 1.1.2).
- Subject: Specify the subject of the certificate (e.g. /CN=Headquarters).
- Challenge password: Enter the general challenge password.
- Key: From the drop-down menu, select the value 2048.
- Usage type: From the drop-down menu, select the container VPN 1.
1.2) Configuring OCSP:
1.2.1) Switch to the menu Certificates -> OCSP and enable the following functions:
- OCSP client activated for VPN
Note: If the OCSP server needs to be accessed from the WAN (e.g. to check the certificate of the remote site or to implement geo-redundancy), the drop-down menu next to Access via WAN must be set to the value allowed. If the OCSP server is addressed by means of its FQDN (see step 1.2.3), the Certificate subject needs to be set to the FQDN (e.g. /CN=ocsp-server.lancom.eu).
1.2.2) Navigate to the menu Certificates -> OCSP -> Responder profile table.
1.2.3) Create a new entry and enter the following parameters:
- Responder profile name: Enter a descriptive name.
1.2.4) Navigate to the menu Certificates -> OCSP -> CA profile table.
1.2.5) Create a new entry and enter the following parameters:
- CA profile name: Enter a descriptive name.
- CA distinguished name: Enter the CA distinguished name (see step 1.1.2).
- Responder profile name: From the drop-down menu, select the entry created in step 1.2.3.
1.3) Configuring the VPN connection:
1.3.1) Switch to the menu VPN -> General and set the following parameters:
- Virtual Private Network: From the drop-down menu, select Activated.
- Set a checkmark next to Simplified RAS with certificates activated.
- Set a checkmark next to Allow peer to select remote network.
- Set a checkmark next to NAT Traversal activated.
- Set a checkmark next to Flexible identity comparison activated.
1.3.2) Switch to the menu VPN -> IKEv2/IPSec -> Authentication.
1.3.3) Edit the existing entry DEFAULT and adjust the following parameters:
- Local authentication: From the drop-down menu, select Digital signature.
- Local identifier type: From the drop-down menu, select ASN.1 Distinguished Name.
- Local identifier: Enter an identifier for the local profile.
- Remote authentication: From the drop-down menu, select Digital signature.
- Remote identifier type: From the drop-down menu, select ASN.1 Distinguished Name.
- Remote identifier: Enter an identifier for the remote profile. This can contain the wildcards * and ?: the * stands for any number of characters and the ? for exactly one character. If you use a number of remote sites, a uniform naming scheme for the identities allows you to make just one entry in the Authentication table. The remote site in this scenario has the subject CN=AS02.
- Local certificate: From the drop-down menu, select the container VPN1.
- OCSP check: From the drop-down menu, select yes in order to use OCSP.
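To illustrate what the headquarters checks for each dial-in peer in step 1.3.3 (wildcard matching of the remote identifier against the peer's certificate subject, followed by the OCSP status check that rejects a revoked branch certificate as described at the top of the article), here is an added Python example. It is not LANCOM code and does not model the router's real implementation: the wildcard semantics are taken from the text (* = any number of characters, ? = exactly one), and the OCSP responses are a constructed table keyed by CN instead of a live query by certificate serial number.

```python
import re


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate a remote-identifier pattern into an anchored regex.

    Only '*' (any number of characters) and '?' (exactly one character)
    are special, as described for the Remote identifier field. Every other
    character is matched literally, so '=' and '/' in a DN are safe.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def identity_matches(pattern: str, subject: str) -> bool:
    """True if the peer's certificate subject fits the configured pattern."""
    return wildcard_to_regex(pattern).match(subject) is not None


# Constructed stand-in for the answers an OCSP responder would give for the
# branch-office certificates (keyed by CN here; a real responder is asked by
# certificate serial number). Not real data.
OCSP_STATUS = {
    "AS01": "good",
    "AS02": "good",
    "AS03": "revoked",  # branch office being closed down
}


def authorize_peer(pattern: str, subject: str, ocsp_status: dict) -> str:
    """Decide whether a dial-in peer may authenticate.

    Returns 'accept', or 'reject: <reason>'. The identity check runs first
    (one Authentication entry covers all branches via the pattern); a
    certificate whose status is anything other than 'good' is refused, which
    is how revoking the branch certificate stops the VPN from coming back up.
    """
    if not identity_matches(pattern, subject):
        return "reject: identity does not match"
    cn = subject.rsplit("CN=", 1)[-1]
    status = ocsp_status.get(cn, "unknown")
    if status != "good":
        return f"reject: certificate status {status}"
    return "accept"
```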
1.3.4) Navigate to the menu VPN -> IKEv2/IPSec -> Extended settings -> IPv4 routing.
1.3.5) Create a new entry and enter the following parameters:
- Name: Enter a descriptive name.
- Network: Use the menu to select the local networks that the remote site(s) should communicate with.
Note: Instead of selecting the networks from the list, you can also enter these in CIDR notation (e.g. 192.168.1.0/24).
- Set the checkmark for Send IKE-CFG-Address.
1.3.6) Navigate to the menu VPN -> IKEv2/IPSec -> Connection list.
1.3.7) Edit the DEFAULT entry and modify the following parameters:
- IPv4 rules: From the drop-down menu, select the rule object RAS-WITH-NETWORK-SELECTION.
Note: The object RAS-WITH-NETWORK-SELECTION corresponds to an ANY-ANY SA.
- IKE-CFG: From the drop-down menu, select Server.
- Routing: From the drop-down menu, select the routing entry created in step 1.3.5.
1.3.8) This concludes the configuration at the headquarters. Write the configuration back to the router.
2) Configuring the branch office:
2.1) Activating the SCEP client:
2.1.1) In LANconfig, open the configuration for the branch-office device, navigate to the menu Certificates -> SCEP client and set a checkmark next to SCEP client usage activated.
2.1.2) Navigate to the menu Certificates -> SCEP Client -> CA table.
2.1.3) Create a new entry and enter the following information:
- Name: Enter a descriptive name.
- URL: Enter the URL in the format https://<IP address of the CA>/cgi-bin/pkiclient.exe. In this case the headquarters is the CA, so you enter the WAN address of the headquarters here: https://82.82.82.1/cgi-bin/pkiclient.exe. Access to the HTTPS protocol must be allowed at the headquarters.
- Distinguished name: Enter the CA distinguished name (see step 1.1.2).
- Activate the registration authority: Enable automatic approval (RA-Auto-Approve).
2.1.4) Navigate to the menu Certificates -> SCEP Client -> Certificate table.
2.1.5) Create a new entry and enter the following parameters:
- Name: Enter a descriptive name.
- CA distinguished name: Enter the CA distinguished name (see step 1.1.2).
- Subject: Specify the subject of the certificate (e.g. /CN=AS02). The subject must agree with the remote identity entered at the headquarters (see step 1.3.3).
- Challenge password: Enter the general challenge password for the headquarters (see step 1.1.3).
2.2) Setting up the VPN connection:
2.2.1) Switch to the menu VPN -> General and set the following parameters:
- Virtual Private Network: From the drop-down menu, select Activated.
- Set a checkmark next to NAT traversal activated.
2.2.2) Switch to the menu VPN -> IKEv2/IPSec -> Authentication.
2.2.3) Create a new entry and modify the following parameters:
- Name: Enter a descriptive name.
- Local authentication: From the drop-down menu, select Digital signature.
- Local identifier type: From the drop-down menu, select ASN.1 Distinguished Name.
- Local identifier: Enter an identifier for the local profile.
- Remote authentication: From the drop-down menu, select Digital signature.
- Remote identifier type: From the drop-down menu, select ASN.1 Distinguished Name.
- Remote identity: Enter the subject for the headquarters (see step 1.1.8).
- Local certificate: From the drop-down menu, select the container VPN1.
2.2.4) Navigate to the menu VPN -> IKEv2/IPSec -> Connection list.
2.2.5) Create a new entry and modify the following parameters:
- Name of connection: Enter a descriptive name.
- Short hold time: Enter the value 9999 so that the VPN connection remains permanently established.
- Gateway: Enter the IP address or the DNS name of the headquarters.
- Authentication: From the drop-down menu, select the entry created in step 2.2.3.
2.2.6) Navigate to the menu IP router -> Routing -> IPv4 routing table.
2.2.7) Create a new entry and enter the following parameters:
- IP address: Enter the address of the network at the headquarters.
- Netmask: Enter the associated subnet mask.
- Router: From the drop-down menu, select the VPN remote site created in step 2.2.5.
- IP masquerading: Set the radio button to IP masquerading switched off.
2.2.8) This concludes the configuration at the branch office. You can now write the configuration back to the device.