Quelle anzeigen

Description:

This document describes how to configure an Advanced Mesh VPN connection on LANCOM routers.

For information about LANCOM Advanced Mesh, see the LCOS Reference Manual.

Requirements:

LCOS as of version 10.70 (download latest version)
LANtools from version 10.70 (download latest version)
Functioning IKEv2 VPN connections from each branch office to the central site (or Headquarters) (see the article “Configuring an IKEv2 VPN connection between two LANCOM routers using the Setup Wizard (IPv4)”)

Scenario:

The scenario consists of two branches (A and B) with public IPv4 addresses and a central site (Headquarters) that also has a public IPv4 address.
The two branches have already set up a static IKEv2 VPN tunnel to the headquarters, and this is running.
The VPN peer at each of the branches is called “HEADQUARTERS”.
Branch A has the subnet 192.168.1.0/24 called “INTRANET”.
Branch B has the subnet 192.168.2.0/24 called “INTRANET”.

Image displaying a technical configuration menu involving VPN tunnels, IKEv protocols, subnets, and dynamic mesh VPN tunnel settings.

Procedure:

1. Configuration steps at branch office A:

1.1 Create a new entry, e.g. “MESH-TEMPLATE”, in the IKEv2 connection list under VPN → IKEv2/IPsec → Connection list.

This entry serves as a template from which the dynamic mesh tunnels take their parameters.

1.2 The Short hold time is the time of data inactivity after which Mesh-VPN tunnels disconnect, e.g. 300 seconds.

Deactivating the short hold time by setting it to the value 0 is not recommended, otherwise dynamic Mesh-VPN tunnels will never terminate after inactivity, and this will consume licenses.

1.3 Leave the remote gateway blank as it is set dynamically.

1.4 The Routing parameter transmits the local network to the opposite branch, in this case the network “INTRANET”.

To do this, create a new entry in the “IPv4 Routing” table under VPN → IKEv2/IPsec → Extended settings.
Set the name to (e.g.) “INTRANET-ROUTING” and, in the field Network, select the local network to be used as the Mesh-VPN, for example “INTRANET”.

Screenshot of a network configuration interface showing options for IPvroutingEditEntry, INTRANETROUTING name setup, and SendIKECFGAddress settings.

1.5 Go to the Authentication settings.

Create a new entry, e.g. “MESH“.
Enter the local identifier of the branch and the PSK used for all dynamic mesh tunnels. The PSK must be identical on all branches involved in the mesh VPN tunnel.
Leave the field “Remote identifier” blank and select the option “No identity” for the Remote identifier type, so that all incoming identities with the correct PSK are accepted as mesh tunnels.

Screenshot of a technical configuration menu with options for local and remote digital signature profiles, identity types, and password generation settings.

1.6 Set the VPN rule to “ANY” or set the IPv4 rules to “RAS-WITH-NETWORK-SELECTION”. Thus uses 0.0.0.0/0 <=> 0.0.0.0/0.

1.7 Set Rule creation to “Manual”.

1.8 Now configure the Mesh-VPN parameters under VPN → IKEv2/IPsec → Extended settings → Advanced Mesh VPN.

1.9 Set the Operation mode to “Spoke“.

1.10 Under VPN peer template select the previously created IKEv2 peer as a template for the Mesh-VPN tunnel.

1.11 Under Detect on VPN peers, select the name of the VPN peer that corresponds to the name of the tunnel to the headquarters.

Image of a technical user interface for AdvancedMeshVPN, displaying options related to VPN peer detection, network settings, and forwarding filters.

1.12 Write the configuration back to the router at branch office A.

2. Configuration steps at branch office B:

2.1 The configuration is performed similar to branch A (see steps 1.1 to 1.11).

2.2 Change the Local identifier for the Authentication to the name of branch B.

3. Configuration steps at the headquarters:

3.1 Since the headquarters itself does not establish a dynamic mesh tunnel, there is no need to create a template for the peer.

Under VPN → IKEv2/IPsec → Extended settings → Advanced Mesh VPN, set the operation mode to “Hub”.

3.2 Write the configuration back to the router at the headquarters.

If you now transfer data from branch A to branch B, the first packets take the detour via the headquarters.

After that, the dynamic mesh tunnel is set up between the branches.

Screenshot of an Advanced Mesh VPN configuration menu with various settings including operation mode, VPN peers detection, and forwarding filter options.

A ping to the router’s IP address at the other end will not establish a mesh tunnel.

A (possibly non-existent) station in the LAN at the other end must be used as the destination.

Thank you for your feedback! You can also send us constructive suggestions for improving our knowledge base or ideas for new articles by email to knowledgebase@lancom.de.