Quelle anzeigen

Description:

This document describes how you set up a network connection using an IKEv2 client-to-site VPN connection between the LANCOM Advanced VPN Client and a LANCOM router.

Requirements:

LCOS as of version 9.20 (download latest version)
LANtools as of version 9.20 (download latest version)
LANCOM Advanced VPN Client as of version 3 (download latest version)

Scenario:

A company wants its sales representatives to have access to the corporate network via IKEv2 client-to-site connection.
The notebooks used by the sales representatives have the LANCOM Advanced VPN Client installed on them.
The company headquarters has a LANCOM router as a gateway with an Internet connection with the fixed public IP address 81.81.81.81.
The local network at the headquarters has the IP address range 192.168.1.0/24.

Procedure:

1) Manual configuration of the LANCOM router at the headquarters:

1.1) Open the configuration for the LANCOM router at the headquarters and switch to the menu item VPN → General.

1.2) Enable the function Virtual Private Network.

1.3) Open the menu item VPN → IKEv2/IPSec and click the button Authentication.

1.4) Click on the Add... button to create a new entry.

1.5) Enter the information for the authentication of the VPN connection into the configuration window.

Name: Enter the name for the authentication here. This entry is used later in the VPN connection list (see step 1.8).
Local authentication: Select the authentication type used on the router at the headquarters. This example uses authentication by pre-shared key (PSK) .
Local password: Set the pre-shared key to be used to authenticate at the router at the headquarters.
Remote authentication: Select the authentication type used by the LANCOM Advanced VPN Client . This example uses authentication by pre-shared key (PSK) .
Remote identifier type: Select the identifier type used by the LANCOM Advanced VPN Client. In this example, the identity type was set to E-mail address (FQUN) .
Remote identifier: Use the remote identity employee@company.com .
Remote password: Set the pre-shared key to be used to authenticate at the LANCOM Advanced VPN Client.

1.6) Open the menu item VPN → IKEv2/IPSec and click the button Connection list.

1.7) Click on the Add... button to create a new entry.

1.8) Enter the following information into the configuration dialog:

Connection name: Enter a name for the VPN connection.
Short hold time: Specify the short-hold time in seconds for the VPN connection. In this example, a 0 is entered into the LANCOM router at the headquarters. This means that this router will not actively establish the VPN connection.
Authentication: Select the authentication. The entry here corresponds to the name of the authentication that you set in step 1.5.
IKE-CFG: This parameter is set to Server.
IPv4 address pool: Here you set a local IP addresses range, from which each dial-in VPN client is assigned an IP address. If you have not specified an address pool yet, click on the Select button and, in the dialog that follows, click the link Manage source...

Info:
In IKEv2 connections an IPv4 address pool must be a configured in this dialog. The use of address pools in the dialogues Communication → Remote sites → WAN tag table or IPv4 → addresses has no effect on IKEv2 connections, they are only used for IKEv1 connections.

Create an IPv4 address pool in the following dialog.

Rule creation: Rule creation must be performed manually .
IPv4 rules: Here you set the parameter RAS-WITH-CONFIG-PAYLOAD .

1.9) Write the configuration back to the LANCOM router at the headquarters.

2) Manually set up the VPN connection profile on the LANCOM Advanced VPN Client:

2.1) Open the LANCOM Advanced VPN Client and navigate to the menu Configuration → Profiles.

2.2) Click the button Add/Import.

2.3) Select you the option Link to corporate network using IPSec.

2.4) Enter a name for the VPN connection.

2.5) In the next dialog box, select the Communication medium: This example uses LAN (over IP).

2.6) Enter the public IP address or the DNS name of the tunnel endpoint. This example uses the address 81.81.81.81.

2.7) Set the Exchange mode to IKEv2.

2.8) Since in this example the configuration of the LANCOM router uses the default encryption parameters (see menu VPN → IKEv2/IPSec → Encryption), the PFS group must be set to the value DH group 14 (2048 bit).

2.9) The local identity needs to be of the type Fully Qualified Username and, in the field below, the ID needs to be set to the remote identity you configured in step 1.5 (in this case: employee@company.com).

2.10) Set the pre-shared key to the same value as you configured for the remote password in step 1.5.

2.11) Set the IP address assignment to IKE config mode.

2.12) If necessary, enter the remote networks to be accessed via the VPN connection into the next dialog.

Note:
By not entering anything here, all of your data are sent through the secure VPN tunnel. This is an interesting option if you are connected via a WLAN hotspot. Information about the configuration is available in this Knowledge Base article.

2.13) Click Finish to complete the configuration of the VPN connection profile.

2.14) Just click on the Connection switch to connect to the company network.

Thank you for your feedback! You can also send us constructive suggestions for improving our knowledge base or ideas for new articles by email to knowledgebase@lancom.de.