Description:

This article describes how to set up a certificate-based IKEv2 VPN connection between two LANCOM R&S®Unified Firewalls.

The certificate module was updated in LCOS FX 10.7, therefore the corresponding menus differ compared to older LCOS FX versions. The configuration of a certificate-based IKEv2 connection between two Unified Firewalls as of LCOS FX 10.7 is described in the following article:

Setting up a certificate-based IKEv2 VPN connection between two LANCOM R&S®Unified Firewalls (as of LCOS FX 10.7)



Requirements:

  • Two LANCOM R&S® Unified Firewalls with LCOS FX as of version 10.4 up to and including LCOS FX 10.6
  • A configured and functional Internet connection on the two Unified Firewalls
  • Web browser for configuring the Unified Firewall.

    The following browsers are supported:
    • Google Chrome
    • Chromium
    • Mozilla Firefox


Scenario:

1) The Unified Firewall is connected directly to the Internet and has a public IPv4 address:

  • A certificate-based IKEv2 VPN connection should be set up between two Unified Firewalls (headquarters and branch office).
  • The Unified Firewall at the headquarters has the local network 192.168.1.0/24.
  • The Unified Firewall at the branch office has the local network 192.168.2.0/24.
  • The Unified Firewall at the headquarters has the fixed public IP address 81.81.81.81.
  • The Unified Firewall at the branch office has the fixed public IP address 80.80.80.80.

A diagram illustrating a VPN connection between a headquarters and an office, displaying elements like UnifiedFirewall, LAN networks, and a public IP address.


2) The Unified Firewall is connected to the Internet via an upstream router:

  • A certificate-based IKEv2 VPN connection should be set up between two Unified Firewalls (headquarters and branch office).
  • The Unified Firewall at the headquarters has the local network 192.168.1.0/24.
  • The Unified Firewall at the branch office has the local network 192.168.2.0/24.
  • The Unified Firewall at the headquarters is connected to a router, which establishes the Internet connection. It has the fixed public IP address 81.81.81.81.
  • The Unified firewall at the branch office is connected to a router, which establishes the Internet connection. It has the fixed public IP address 80.80.80.80.

A diagram showing the connection configuration between UnifiedFirewall VPN, LANCOM router at the headquarters, and LANCOM router at the office, connected via the internet using public IP addresses.



Procedure:

The setup for scenarios 1 and 2 is basically the same. Scenario 2 additionally requires port and protocol forwarding to be set up on the upstream router (see section 3).


1) Configuration steps on the Unified Firewall at the headquarters:

1.1) Creating and exporting the certificates:

1.1.1) Use a browser to connect to the Unified Firewall, switch to the menu Certificate Management → Certificates and click on the “+” icon to create a new certificate. 

Image showing a computer interface with various options related to certificates and network security settings, including sections for Firewall, HTTPS Proxy, Mail Proxy initialization, and Certificate Management.

1.1.2) First, create a CA (Certificate Authority). Modify the following parameters for it and then click Create:

  • Type: From the drop-down menu, select the option CA for VPN/web-server certificate.
  • Private Key Encryption: Make sure that the option RSA is selected.
  • Private Key Size: From the drop-down menu, select the option 4096 bit.
  • Common Name (CN): Set a descriptive common name for the CA.
  • Validity: Select a validity period for this CA. A CA usually requires a long period of validity, which is why it is set to 5 years in this example.
  • Private key password: Set a password for the private key. This is used to encrypt the private key.

The image displays a complex user interface for configuring a VPN or web server certificate, indicating various settings such as certificate validity, private key details, organizational information, and options for certificate authority services.

1.1.3) Next, create a VPN certificate for the headquarters. Modify the following parameters for it and then click Create:

  • Type: From the drop-down menu, select the option VPN certificate.
  • Signing CA: From the drop-down menu, select the CA created in step 1.1.2.
  • Private Key Encryption: Make sure that the option RSA is selected.
  • Private Key Size: From the drop-down menu, select the option 4096 bit.
  • Common Name (CN): Set a descriptive common name for the certificate at the headquarters.
  • Validity: Select a validity period for this certificate. A VPN certificate for a site-to-site VPN connection usually requires a long period of validity, which is why it is set to 5 years in this example.
  • CA password: Enter the private key password set in step 1.1.2.
  • Private key password: Assign any private key password.

Image of a VPN configuration dialog indicating options to set the VPN certificate validity, private key encryption, and details for the certificate authority, along with fields to enter specifics like common name and subject alternative name.

1.1.4) Next, create a VPN certificate for the branch office. Modify the following parameters for it and then click Create:

  • Type: From the drop-down menu, select the option VPN certificate.
  • Signing CA: From the drop-down menu, select the CA created in step 1.1.2.
  • Private Key Encryption: Make sure that the option RSA is selected.
  • Private Key Size: From the drop-down menu, select the option 4096 bit.
  • Common Name (CN): Set a descriptive common name for the certificate at the branch office.
  • Validity: Select a validity period for this certificate. A VPN certificate for a site-to-site VPN connection usually requires a long period of validity, which is why it is set to 5 years in this example.
  • CA password: Enter the private key password set in step 1.1.2.
  • Private key password: Assign any private key password.

An image of a VPN certificate configuration screen highlighting options such as certificate validity, signing CA, private key encryption, and distinguished name settings.

1.1.5) Under Certificate management, go to the certificate of the branch office and click the export button.

Screenshot of a technical configuration menu displaying options for Firewall, Certificate Management, Monitoring Statistics, and various proxy settings.

1.1.6) As the format, select the option PKCS #12, enter the passwords and click on Export:

  • Private key password: Enter the private key password that you set in step 1.1.4.
  • Transport Password: Enter a password. This is required when importing the certificate into the Unified Firewall at the branch office (see step 2.1.2).

1.1.7) Under Certificate management, go to the certificate of the headquarters and click the export button.

Image of a technical configuration interface showing various options such as Firewall Activation, Certificate Management, Network Monitoring, and Proxy Initialization settings.

1.1.8) As the format, select the option PEM and click on Export.

Screen displaying options for exporting a Certificate Authority certificate in different formats, including PEM for the public part and PKCS for the entire certificate with private key, used in managing secure internet and VPN connections.


1.2) Setting up the VPN connection:

1.2.1) Go to the menu VPN → IPsec → IPsec settings.

Screenshot of a technical configuration menu displaying options for Firewall, Monitoring Statistics, Network, Desktop, User Authentication, and IPsec settings.

1.2.2) Use the slider to enable the IPsec functionality and click on Save.

Screenshot of IPsec settings interface showing options for excluded interfaces and IP addresses, with additional configuration options for proxy, DHCP server, and RADIUS server.

1.2.3) Switch to the menu VPN → IPsec → Connections and click on the “+” icon to create a new VPN connection.

Screenshot of a technical configuration interface displaying options such as Firewall, IPsec, Monitoring Statistics, and Connection Security Profiles.

1.2.4) Modify the following parameters:

  • Name: Set a descriptive name for the VPN connection (in this example IKEv2_Office).
  • Security Profile: From the drop-down menu, select the security profile LANCOM LCOS Default IKEv2. If necessary, you can use a different profile at both ends.
  • Connection: Use the drop-down menu to select the Internet connection (in this example Internet)
  • Remote Gateway: Enter the IP address or the DNS name of the Unified Firewall at the branch office (in this example the IP address 80.80.80.80).

Screenshot of a network configuration interface showing options for IKEvOffice connection, IP addresses, connection tunnels, and routing settings with a reminder that changes are preserved until logout.

1.2.5) Go to the Tunnels tab and modify the following parameters:

  • Local networks: Use the “+” icon to store the network address of the local network at the headquarters in CIDR notation (in this example 192.168.1.0/24).
  • Remote Networks: Use the “+” icon to store the network address of the local network of the branch office in CIDR notation (in this example 192.168.2.0/24).

Image displaying a user interface for configuring VPN settings, featuring options for IKEv Office connection, local and remote networks, and a virtual IP pool.

1.2.6) Go to the Authentication tab, adjust the following parameters and click Create:

  • Authentication Type: Make sure that the drop-down menu is set to the option Certificate.
  • Local certificate: From the drop-down menu, select the certificate for the headquarters created in step 1.1.3.
  • Extended Authentication: Make sure that the option No Extended Authentication is selected.
  • Remote Certificate: From the drop-down menu, select the certificate for the branch office created in step 1.1.4.

Image of a configuration interface for IKEvOffice connection, displaying sections for connection tunnels, authentication, and routing with fields for security profiles, certificates, and identifiers.

1.2.7) Click the button to create a VPN network.

This image shows a user interface for setting up a VPN network and activating a firewall, displayed on a technical configuration screen.

1.2.8) Modify the following parameters and click Create:

  • Name: Set a descriptive name for the VPN connection (in this example IKEv2_Office).
  • Connection type: Select the option IPsec.
  • IPsec Connection: From the drop-down menu, select the VPN connection created in steps 1.2.4 – 1.2.6.

Screenshot showing the configuration settings of an IPsec connection with options for IKEvOffice network, color settings, connection types, and remote network configuration menus.


1.3) Enable communication via the VPN connection in the firewall:

1.3.1) On the desktop, click the VPN network created in step 1.2.8, select the connection tool, and click the network object for which communications should be enabled.


1.3.2) Select the required protocols on the right-hand side and add them using the “+” icon.


1.3.3) Click Create to create the firewall rule.

Screenshot of a network configuration interface displaying various settings including Connection x, IKEvZ, Office SINTRANET description, and rules for URL Content Filter, Application Filter, and Application Based Routing.

1.3.4) This concludes the configuration of the Unified Firewall at the headquarters. Finally, implement the changes on the Desktop by clicking Activate.




2) Configuration steps on the Unified Firewall at the branch office:

2.1) Importing the certificates:

2.1.1) Use a browser to connect to the branch-office Unified Firewall, switch to the menu Certificate Management → Certificates and click on the icon for importing a certificate.

Image of a computer security interface showing options such as Firewall, Certificate Management, Monitoring Statistics, HTTPS Proxy, User Authentication, and Mail Proxy configurations.

2.1.2) Under Certificate file, select the branch-office certificate, enter the passwords and click on Import:

  • Password: Enter the transport password set in step 1.1.6.
  • New Password: Enter a new password. This is used to encrypt the private key after the import.

Screenshot of a technical interface showing options for a BP import certificate and new password setup.

2.1.3) Import a further certificate. Under Certificate file, select the certificate for the headquarters and click on Import:

There is no need to enter passwords here, because exporting the headquarters certificate does not require passwords to be set.

Screenshot of a digital security interface for importing a certificate, showing fields for entering a Password, selecting a Certificate file, and setting a New Password with options to show the new password.

2.1.4) After importing the certificates, the Certificate management should look like this.

Screen capture of a technical configuration menu displaying various network security settings including Firewall, Certificate Management, Monitoring Statistics, and Proxy Initialization.
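The certificate exchange in sections 1.1 and 2.1 has a deliberate asymmetry: the branch-office certificate leaves the headquarters as PKCS #12 (certificate plus private key, sealed with the transport password), while the headquarters certificate is exported as PEM (public part only, no password). The following added example, which is not LCOS FX code and uses the Python `cryptography` package, models that workflow end to end: a CA, two VPN certificates signed by it, the two export formats, the import at the branch office with the transport password and a new private key password, and a check that both certificates chain to the CA. Common names, passwords and the `run_workflow` helper are constructed for the example; the key size defaults to the article's 4096 bit.

```python
"""Added example (not LCOS FX code): certificate workflow of steps 1.1 and 2.1
modelled with the Python 'cryptography' package. Names and passwords are constructed."""
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa, padding
from cryptography.hazmat.primitives.serialization import pkcs12

FIVE_YEARS = datetime.timedelta(days=5 * 365)  # validity chosen in the article


def _name(common_name):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])


def make_ca(common_name, key_size=4096):
    """Step 1.1.2: self-signed CA with an RSA key (4096 bit in the article)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_size)
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(_name(common_name)).issuer_name(_name(common_name))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + FIVE_YEARS)
            .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_vpn_cert(common_name, ca_key, ca_cert, key_size=4096):
    """Steps 1.1.3 / 1.1.4: end-entity VPN certificate signed by the CA."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_size)
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(_name(common_name)).issuer_name(ca_cert.subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + FIVE_YEARS)
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .sign(ca_key, hashes.SHA256()))
    return key, cert


def export_pkcs12(key, cert, ca_cert, transport_password):
    """Step 1.1.6: PKCS #12 bundles certificate and private key under the transport password."""
    return pkcs12.serialize_key_and_certificates(
        b"vpn", key, cert, [ca_cert], serialization.BestAvailableEncryption(transport_password))


def export_pem_public(cert):
    """Step 1.1.8: the PEM export carries only the public part, so no password is involved."""
    return cert.public_bytes(serialization.Encoding.PEM)


def verify_issued_by(cert, ca_cert):
    """True if cert names the CA as issuer and its signature checks against the CA key."""
    if cert.issuer != ca_cert.subject:
        return False
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
    except Exception:
        return False
    return True


def import_at_branch(p12_bytes, transport_password, new_password, hq_pem):
    """Steps 2.1.2 / 2.1.3: open the PKCS #12 with the transport password, re-encrypt the
    private key under the new password, and load the headquarters PEM without a password."""
    key, cert, extra = pkcs12.load_key_and_certificates(p12_bytes, transport_password)
    key_pem = key.private_bytes(serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8,
                                serialization.BestAvailableEncryption(new_password))
    return {"branch_key_pem": key_pem, "branch_cert": cert, "ca_certs": extra,
            "hq_cert": x509.load_pem_x509_certificate(hq_pem)}


def run_workflow(key_size=4096):
    """Whole exchange between the two firewalls; returns checkable facts about the result."""
    ca_key, ca_cert = make_ca("VPN-CA", key_size)
    hq_key, hq_cert = issue_vpn_cert("Headquarters", ca_key, ca_cert, key_size)
    br_key, br_cert = issue_vpn_cert("Branch-Office", ca_key, ca_cert, key_size)
    p12 = export_pkcs12(br_key, br_cert, ca_cert, b"transport-pw")  # constructed passwords
    hq_pem = export_pem_public(hq_cert)
    branch = import_at_branch(p12, b"transport-pw", b"new-branch-pw", hq_pem)
    reloaded = serialization.load_pem_private_key(branch["branch_key_pem"], b"new-branch-pw")
    spki = lambda k: k.public_bytes(serialization.Encoding.PEM,
                                    serialization.PublicFormat.SubjectPublicKeyInfo)
    try:
        pkcs12.load_key_and_certificates(p12, b"wrong-pw")
        wrong_pw_rejected = False
    except ValueError:
        wrong_pw_rejected = True
    return {"branch_cert_ok": verify_issued_by(branch["branch_cert"], ca_cert),
            "hq_cert_ok": verify_issued_by(branch["hq_cert"], ca_cert),
            "hq_pem_has_private_key": b"PRIVATE KEY" in hq_pem,
            "branch_key_matches": spki(reloaded.public_key()) == spki(br_key.public_key()),
            "wrong_transport_pw_rejected": wrong_pw_rejected}


if __name__ == "__main__":
    print(run_workflow())
```

The point to take from the checks: the branch office ends up holding its own private key (now protected by the password chosen in step 2.1.2) plus the public certificates of both ends, while the headquarters never hands out its own private key. Both firewalls can then authenticate each other against the same CA in steps 1.2.6 and 2.2.6.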


2.2) Setting up the VPN connection:

2.2.1) Go to the menu VPN → IPsec → IPsec settings.

An interface screen displaying various network settings including firewall, IPsec configurations, monitoring statistics, and user authentication options.

2.2.2) Use the slider to enable the IPsec functionality and click on Save.

Screenshot of an IPsec settings interface showing options for general settings, excluded interfaces, and IP addresses, with note on traffic exclusion from IPSec tunnels.

2.2.3) Switch to the menu VPN → IPsec → Connections and click on the “+” icon to create a new VPN connection.

Screenshot of a network configuration interface showing options for Firewall, IPsec settings, Monitoring Statistics, and Security Profiles.

2.2.4) Modify the following parameters:

  • Name: Set a descriptive name for the VPN connection (in this example IKEv2_Headquarter).
  • Security Profile: From the drop-down menu, select the security profile LANCOM LCOS Default IKEv2. If necessary, you can use a different profile at both ends.
  • Connection: Use the drop-down menu to select the Internet connection (in this example Internet)
  • Remote Gateway: Enter the IP address or the DNS name of the Unified Firewall at the headquarters (in this example the IP address 81.81.81.81).
  • Set the checkmark next to Initiate Connection, so that the Unified Firewall at the branch office establishes the VPN connection.

An image showing a user interface for configuring network security and connection settings, including options for IKEv2 headquarters connections, security profiles, authentication, and routing.

2.2.5) Go to the Tunnels tab and modify the following parameters:

  • Local networks: Use the “+” icon to store the network address of the local network at the branch office in CIDR notation (in this example 192.168.2.0/24).
  • Remote Networks: Use the “+” icon to store the network address of the local network of the headquarters in CIDR notation (in this example 192.168.1.0/24).

Screenshot of a configuration menu for IKEv2 VPN connection settings, displaying fields for security profile, authentication, local and remote networks, and virtual IP settings.

2.2.6) Go to the Authentication tab, adjust the following parameters and click Create:

  • Authentication Type: Make sure that the drop-down menu is set to the option Certificate.
  • Local certificate: From the drop-down menu, select the certificate for the branch office imported in step 2.1.2.
  • Extended Authentication: Make sure that the option No Extended Authentication is selected.
  • Remote Certificate: From the drop-down menu, select the certificate for the headquarters imported in step 2.1.3.

An image of a technical user interface for configuring IKEv Headquarter connection settings, displaying fields for security profiles, authentication type, certificates, and identifiers. Changes are preserved unless cancelled or logged out.

2.2.7) Click the button “Click to create a VPN network”.

Screenshot of a configuration menu for setting up a VPN network and activating firewall options.

2.2.8) Modify the following parameters and click Create:

  • Name: Set a descriptive name for the VPN connection (in this example IKEv2_Headquarter).
  • Connection type: Select the option IPsec.
  • IPsec Connection: From the drop-down menu, select the VPN connection created in steps 2.2.4 – 2.2.6.

Screenshot of a network configuration interface showing settings for an IKEv2 Headquarters VPN connection with options for preserving changes, configuring remote networks, and connection types.


2.3) Enable communication via the VPN connection in the firewall:

2.3.1) On the desktop, click the VPN network created in step 2.2.8, select the connection tool, and click the network object for which communications should be enabled.


2.3.2) Select the required protocols on the right-hand side and add them using the “+” icon.


2.3.3) Click Create to create the firewall rule.

Screenshot of a technical configuration dialog from an intranet interface displaying rules for URL content filtering, application filtering, and application-based routing.

2.3.4) This concludes the configuration of the Unified Firewall at the branch office. Finally, implement the changes on the Desktop by clicking Activate.




3) Setting up port and protocol forwarding on a LANCOM router (scenario 2 only):

IPsec requires the use of the UDP ports 500 and 4500 as well as the protocol ESP. These must be forwarded to the Unified Firewall.

Forwarding the UDP ports 500 and 4500 automatically causes the ESP protocol to be forwarded.

If you are using a router from another manufacturer, approach them for information about the appropriate procedure.

If the UDP ports 500 and 4500 and the ESP protocol are forwarded to the Unified Firewall, an IPsec connection to the LANCOM router can only be used if it is encapsulated in HTTPS (IPsec-over-HTTPS). Otherwise, no IPsec connection will be established.

3.1) Open the configuration for the router in LANconfig and switch to the menu item IP router → Masq. → Port forwarding table.

Screenshot of a complex network management interface displaying various settings, such as UDP, IP monitoring, port forwarding, and service mapping options.

3.2) Enter the following parameters:

  • First port: Specify the port 500.
  • Last port: Specify the port 500.
  • Intranet address: Specify the IP address of the Unified Firewall in the intermediate network between the Unified Firewall and the LANCOM router.
  • Protocol: From the drop-down menu, select UDP.

Image of a user interface showing a new entry form for port forwarding, with partially visible fields and labels.

3.3) Create a further entry and specify the UDP port 4500.

Image of a complex networking interface showing partial configuration options likely related to port forwarding and network settings.

3.4) Write the configuration back to the router.
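The connection dialogs in sections 1.2 and 2.2 are mirror images of each other (one end's local networks are the other end's remote networks, one end's local certificate is the other end's remote certificate), and in scenario 2 the router in section 3 must additionally deliver UDP 500 and 4500 to the firewall. The following added example, which is not LCOS FX or LANconfig code, is a small stdlib Python sanity check over both: it models the two connection entries and the port forwarding table with the dialog's field names, and reports where the two ends disagree. The sample entries follow the article's addresses; the intermediate network 192.168.100.0/24 between router and firewall, the `check_peers` and `check_forwarding` helpers, and the "swapped" branch entry are constructed for the example.

```python
"""Added example (not LCOS FX code): consistency check for the two ends of the
site-to-site connection (sections 1.2 / 2.2) and the scenario-2 forwarding table (section 3)."""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class IPsecConnection:
    """One entry of VPN -> IPsec -> Connections; field names follow the dialog labels."""
    name: str
    security_profile: str
    remote_gateway: str
    local_networks: List[str]
    remote_networks: List[str]
    local_certificate: str
    remote_certificate: str
    authentication_type: str = "Certificate"
    initiate_connection: bool = False


@dataclass
class ForwardingEntry:
    """One row of the LANconfig port forwarding table (step 3.2)."""
    first_port: int
    last_port: int
    intranet_address: str
    protocol: str


def _networks(cidrs, label, problems):
    """Parse CIDR strings; a host address such as 192.168.1.1/24 is reported, not accepted."""
    nets = set()
    for cidr in cidrs:
        try:
            nets.add(ipaddress.ip_network(cidr, strict=True))
        except ValueError:
            problems.append(f"{label}: {cidr!r} is not a network address in CIDR notation")
    return nets


def check_peers(a, b):
    """Compare the two ends of a site-to-site connection; an empty list means they mirror."""
    problems = []
    if a.security_profile != b.security_profile:
        problems.append("security profile differs between the two ends")
    for side in (a, b):
        if side.authentication_type != "Certificate":
            problems.append(f"{side.name}: authentication type is not Certificate")
    a_local = _networks(a.local_networks, f"{a.name} local", problems)
    a_remote = _networks(a.remote_networks, f"{a.name} remote", problems)
    b_local = _networks(b.local_networks, f"{b.name} local", problems)
    b_remote = _networks(b.remote_networks, f"{b.name} remote", problems)
    if a_local != b_remote:
        problems.append(f"{a.name} local networks != {b.name} remote networks")
    if b_local != a_remote:
        problems.append(f"{b.name} local networks != {a.name} remote networks")
    for name, local, remote in ((a.name, a_local, a_remote), (b.name, b_local, b_remote)):
        if any(l.overlaps(r) for l in local for r in remote):
            problems.append(f"{name}: local and remote networks overlap")
    if a.local_certificate != b.remote_certificate or b.local_certificate != a.remote_certificate:
        problems.append("local certificate of one end must be the remote certificate of the other")
    if not (a.initiate_connection or b.initiate_connection):
        problems.append("neither end has Initiate Connection set (step 2.2.4)")
    return problems


IPSEC_UDP_PORTS = (500, 4500)  # the UDP ports named in section 3


def check_forwarding(table, firewall_intranet_address):
    """Scenario 2: return the IPsec UDP ports the router does not forward to the firewall."""
    missing = []
    for port in IPSEC_UDP_PORTS:
        if not any(e.protocol.upper() == "UDP" and e.first_port <= port <= e.last_port
                   and e.intranet_address == firewall_intranet_address for e in table):
            missing.append(port)
    return missing


# Constructed sample data following the article's scenario.
HEADQUARTERS = IPsecConnection("IKEv2_Office", "LANCOM LCOS Default IKEv2", "80.80.80.80",
                               ["192.168.1.0/24"], ["192.168.2.0/24"],
                               "Headquarters", "Branch-Office")
BRANCH = IPsecConnection("IKEv2_Headquarter", "LANCOM LCOS Default IKEv2", "81.81.81.81",
                         ["192.168.2.0/24"], ["192.168.1.0/24"],
                         "Branch-Office", "Headquarters", initiate_connection=True)
# Typical mistake: local and remote networks entered the wrong way round at the branch.
BRANCH_SWAPPED = IPsecConnection("IKEv2_Headquarter", "LANCOM LCOS Default IKEv2", "81.81.81.81",
                                 ["192.168.1.0/24"], ["192.168.2.0/24"],
                                 "Branch-Office", "Headquarters", initiate_connection=True)
# Hypothetical intermediate network 192.168.100.0/24 between the LANCOM router and the firewall.
FIREWALL_INTRANET_ADDRESS = "192.168.100.2"
ROUTER_TABLE = [ForwardingEntry(500, 500, FIREWALL_INTRANET_ADDRESS, "UDP"),
                ForwardingEntry(4500, 4500, FIREWALL_INTRANET_ADDRESS, "UDP")]

if __name__ == "__main__":
    print("HQ <-> branch:", check_peers(HEADQUARTERS, BRANCH) or "OK")
    print("HQ <-> swapped branch:", check_peers(HEADQUARTERS, BRANCH_SWAPPED))
    print("missing forwardings:", check_forwarding(ROUTER_TABLE, FIREWALL_INTRANET_ADDRESS))
```

Run against the article's values the check passes; with the branch networks swapped it reports both mismatches, which is the kind of error that leaves the IKE negotiation succeeding while no traffic selector matches. The forwarding check only covers UDP 500 and 4500, since the article states that forwarding these two ports on a LANCOM router also forwards ESP.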