Description:

If networks separated by ARF tags are to be transmitted separately over a VPN connection, each network previously had to be transmitted via an individual PPTP or L2TP tunnel, or in a separate VPN tunnel. With large numbers of branches and ARF networks, this results in a high overhead.

With the new feature HSVPN (High Scalability VPN), ARF tags used on the networks can be saved in a VPN connection as routing tags. Packets are marked with the ARF tags within the VPN tunnel and are transmitted without overhead.

Important:

  • Multicast routing is not supported over HSVPN. This requires the use of a separate VPN tunnel for multicast.
  • OSPF cannot be used when operating HSVPN.
  • Networks can only communicate if they have been assigned the same ARF tag.


Requirements:


Scenario:

Two branches (Branch Office 1 and Branch Office 2) each establish a VPN connection to the Headquarter.

Diagram illustrating the VPN connections between the branch offices and the headquarters over the Internet, with ARF-tagged networks such as INTRANET, VOIP and ADMINISTRATION.

The following networks are available on the routers:

  • Headquarter
    • INTRANET: 172.23.56.0/24, ARF-Tag 1
    • VOIP: 172.23.57.0/24, ARF-Tag 2
    • SERVER: 172.23.58.0/24, ARF-Tag 3
    • ADMINISTRATION: 172.23.59.0/24, ARF-Tag 4

Screenshot of the network settings interface, with columns such as network type and interface address.

  • Branch Office 1:
    • INTRANET: 192.168.1.0/24, ARF-Tag 1
    • VOIP: 192.168.2.0/24, ARF-Tag 2
    • SERVER: 192.168.3.0/24, ARF-Tag 3

Image displaying a complex network configuration interface with various technical settings and parameters visible.

  • Branch Office 2:
    • INTRANET: 192.168.4.0/24, ARF-Tag 1
    • VOIP: 192.168.5.0/24, ARF-Tag 2
    • ADMINISTRATION: 192.168.6.0/24, ARF-Tag 4

Image of a technical configuration interface displaying network names, addresses, types, and other network-related settings.


Procedure:

1) Configuring the Headquarter:

1.1) Setting up the VPN connection:

1.1.1) Use the setup wizard to set up the IKEv2 VPN connections for Branch Office 1 and Branch Office 2.

HSVPN only works in conjunction with an ANY-TO-ANY VPN rule that permits data traffic between any networks. The setup wizard sets up this VPN rule automatically.


1.2) Adding to the routing table:

Since configuring the VPN connection with the setup wizard creates just one VPN route, the remaining routing entries have to be created manually.

1.2.1) In LANconfig, open the configuration of the router at the Headquarter and switch to the menu item IP router → Routing → IPv4 routing table.

Screenshot of a network configuration interface displaying options for remote site access, IP routing, load balancing, and WAN connection management.

1.2.2) Select the routing entry of the VPN connection BRANCH OFFICE1 and click on Edit.

Image of a technical interface showing a partially visible routing table and various network configuration options.

1.2.3) Enter the ARF tag used by this network at the remote site (in this example the tag 1).

An image of a network configuration interface showing options for route propagation via RIP, route disabling, and IP masquerading settings for different network zones.

1.2.4) Mark the routing entry modified in step 1.2.3 and click on Copy.

The image shows a complex technical user interface, likely related to routing or network configurations, with various labels and terms indicating settings and parameters.

1.2.5) Modify the following parameters:

  • IP address: Enter the network address of the second network at branch office 1, to which communication is to take place via the VPN connection (in this example the network VOIP).
  • Netmask: If necessary, adjust the Netmask.
  • Routing tag: Enter the ARF tag that belongs to the network (in this example, tag 2).

Image of a network configuration menu displaying options for route propagation via RIP, route enablement, and IP Masquerading settings for a branch office router.

1.2.6) Mark the routing entry modified in step 1.2.5 and click on Copy.

Image of a complex routing table interface displaying various network configuration settings such as IP distances, masks, and connection comments.

1.2.7) Modify the following parameters:

  • IP address: Enter the network address of the third network at branch office 1, to which communication is to take place via the VPN connection (in this example the network SERVER).
  • Netmask: If necessary, adjust the Netmask.
  • Routing tag: Enter the ARF tag that belongs to the network (in this example, tag 3).

Image displaying a network configuration interface with options for enabling routing through RIP protocol, mask settings for intranet and DMZ, and an option to disable a specific route.

1.2.8) Repeat the steps 1.2.2 – 1.2.7 for the VPN connection BRANCH OFFICE2.

1.2.9) The IPv4 routing table should then look like this.

Image of a complex technical user interface likely related to configuring a routing table, with partially obscured or unreadable text.


1.3) Setting up and assigning the HSVPN profile:

1.3.1) Switch to the menu VPN → IKEv2/IPsec → Extended settings.

Image of a technical configuration interface showing VPN connections settings, encryption parameters, and authentication details for network communication.

1.3.2) Switch to the menu HSVPN profiles.

Screenshot of a network configuration interface highlighting options for RADIUS server settings, preshared key rules, and VPN tunnel configurations.

1.3.3) Create a new profile for the VPN connection BRANCH OFFICE1 and enter the following parameters:

  • Name: Enter a descriptive name.
  • Routing tag list: Enter the ARF tags of the networks to be transmitted via the VPN connection BRANCH OFFICE1. Multiple ARF tags can be comma separated.


1.3.4) Create a new profile for the VPN connection BRANCH OFFICE2 and enter the following parameters:

  • Name: Enter a descriptive name.
  • Routing tag list: Enter the ARF tags of the networks to be transmitted via the VPN connection BRANCH OFFICE2. Multiple ARF tags can be comma separated.


1.3.5) Navigate to the menu VPN → IKEv2/IPsec → Connection list.

A technical interface displaying VPN connection settings, including configuration tables for IKEv2 protocols, IP routing, encryption, and DNS settings.

1.3.6) Select the VPN connection BRANCH OFFICE1 and click on Edit.

Screenshot of a technical configuration interface listing various network settings including gateway, encryption, authentication parameters, and IP address pools.

1.3.7) For HSVPN, use the drop-down menu to select the HSVPN profile created for the BRANCH OFFICE1 in Step 1.3.3.

A screenshot of the connection settings dialog, with fields for IKE config mode, IP address pools, DNS profile, encryption, authentication, HSVPN settings, and IP rules.

1.3.8) Select the VPN connection BRANCH OFFICE2 and click on Edit.

Image of a complex network configuration interface displaying settings such as Gateway, Tag Encryption, Authentication Parameters, Lifetimes Rule, and IP address pool, among others, likely for a VPN or networking system.

1.3.9) For HSVPN, use the drop-down menu to select the HSVPN profile created for the BRANCH OFFICE2 in Step 1.3.4.

Screenshot of a network configuration interface showing various settings including connection names, IKE config modes, IP address pools, DNS profiles, encryption settings, authentication settings, and VPN configurations.

1.3.10) This concludes the configuration at the headquarter. Write the configuration back to the router.



2) Configuring Branch Office 1:

2.1) Setting up the VPN connection:

2.1.1) Use the setup wizard to set up the IKEv2 VPN connection to the headquarter.

HSVPN only works in conjunction with an ANY-TO-ANY VPN rule that permits data traffic between any networks. The setup wizard sets up this VPN rule automatically.


2.2) Adding to the routing table:

Since configuring the VPN connection with the setup wizard creates just one VPN route, the remaining routing entries have to be created manually.

2.2.1) In LANconfig, open the configuration of the router at the branch office 1 and switch to the menu item IP router → Routing → IPv4 routing table.

Screenshot of a network configuration interface showing options for remote site management, IP routing tables, load balancing settings, communication protocols, and routing protocols.

2.2.2) Select the routing entry of the VPN connection HEADQUARTER and click on Edit.

An image displaying a partial view of a technical configuration menu with various settings and parameters.

2.2.3) Enter the ARF tag used by this network at the remote site (in this example the tag 1).

Image showing a configuration menu for a networking device, highlighting options for route propagation via RIP, IP masquerading settings, and the status of various network routes.

2.2.4) Mark the routing entry modified in step 2.2.3 and click on Copy.

A screenshot of a complex network device interface displaying routing tables and configuration settings that include parameters such as Admin Distance and RIP (Routing Information Protocol) details, possibly part of a setup or diagnostic screen.

2.2.5) Modify the following parameters:

  • IP address: Enter the network address of the second network at Headquarters, to which communication is to take place via the VPN connection (in this example the network VOIP).
  • Netmask: If necessary, adjust the Netmask.
  • Routing tag: Enter the ARF tag that belongs to the network (in this example, tag 2).

Screenshot of a network configuration interface showing options for route propagation via RIP, IP masquerading settings, and route activation choices.

2.2.6) Select the routing entry modified in step 2.2.5 and click on Copy.

This image displays a complex network configuration interface with various technical terms and settings, including routing tables, net masks, routers, and protocol information.

2.2.7) Modify the following parameters:

  • IP address: Enter the network address of the third network at Headquarter, to which communication is to take place via the VPN connection (in this example the network SERVER).
  • Netmask: If necessary, adjust the Netmask.
  • Routing tag: Enter the ARF tag that belongs to the network (in this example, tag 3).

2.2.8) The IPv4 routing table should then look like this.

Image of a complex user interface showing a partial view of a configuration menu with various options such as edit, save, and convert settings.


2.3) Setting up and assigning the HSVPN profile:

2.3.1) Switch to the menu VPN → IKEv2/IPsec → Extended settings.

Image of a technical configuration interface for VPN connections showing various settings including IKE VPN connections, authentication details, IP routing, encryption parameters, and multiple other network-related configurations.

2.3.2) Switch to the menu HSVPN profiles.

Image displaying a technical configuration interface with options for enforcing pre-shared key rules, generating passwords, setting up RADIUS accounting, and defining server prefixes for HSVPN tunneling.

2.3.3) Create a new profile and enter the following parameters:

  • Name: Enter a descriptive name.
  • Routing tag list: Enter the ARF tags of the networks to be transmitted via the VPN connection HEADQUARTER. Multiple ARF tags can be comma separated.


2.3.4) Navigate to the menu VPN → IKEv2/IPsec → Connection list.

The image displays a technical configuration interface detailing VPN connections, including encryption settings, routing protocols, and IP configuration options for secure communications.

2.3.5) Select the VPN connection HEADQUARTER and click on Edit.

Screenshot of a technical configuration interface displaying various network settings such as Active Shorthold, Gateway Tag Encryption, Authentication Parameters, Lifetimes Rule, and other VPN-related options.

2.3.6) For HSVPN, use the drop-down menu to select the HSVPN profile created in Step 2.3.3.

Screenshot of a networking device's configuration interface displaying various connection settings including IKE config mode, IP address pools, routing options, encryption, authentication, and VPN settings.

2.3.7) This concludes the configuration at the branch office 1. Write the configuration back to the router.



3) Configuring Branch Office 2:

3.1) Setting up the VPN connection:

3.1.1) Use the setup wizard to set up the IKEv2 VPN connection to the headquarter.

HSVPN only works in conjunction with an ANY-TO-ANY VPN rule that permits data traffic between any networks. The setup wizard sets up this VPN rule automatically.


3.2) Adding to the routing table:

Since configuring the VPN connection with the setup wizard creates just one VPN route, the remaining routing entries have to be created manually.

3.2.1) In LANconfig, open the configuration of the router at the branch office 2 and switch to the menu item IP router → Routing → IPv4 routing table.

3.2.2) Select the routing entry of the VPN connection HEADQUARTER and click on Edit.

Image displaying a partial view of a technical configuration interface with various routing table options and settings.

3.2.3) Enter the ARF tag used by this network at the remote site (in this example tag 1).

Screenshot of a network router configuration interface showing options for route propagation via RIP and IP masquerading settings for various network zones.

3.2.4) Select the routing entry modified in step 3.2.3 and click on Copy.

A screenshot showing a complex routing table interface with various technical parameters and settings, possibly related to network management and configuration.

3.2.5) Modify the following parameters:

  • IP address: Enter the network address of the second network at Headquarter, to which communication is to take place via the VPN connection (in this example the network VOIP).
  • Netmask: If necessary, adjust the Netmask.
  • Routing tag: Enter the ARF tag that belongs to the network (in this example, tag 2).

Screenshot of a router configuration interface showing options related to RIP routing and IP masquerading settings.

3.2.6) Mark the routing entry modified in step 3.2.5 and click on Copy.

Screenshot of the IPv4 routing table with the entries for the VPN connection HEADQUARTER.

3.2.7) Modify the following parameters:

  • IP address: Enter the network address of the fourth network at the Headquarter, to which communication is to take place via the VPN connection (in this example the network ADMINISTRATION).
  • Netmask: If necessary, adjust the Netmask.
  • Routing tag: Enter the ARF tag that belongs to the network (in this example, tag 4).

Image depicting a configuration menu for network routing, including options for RIP propagation, IP masquerading settings, and route enablement statuses.

3.2.8) The IPv4 routing table should then look like this.

Screenshot of the completed IPv4 routing table.


3.3) Setting up and assigning the HSVPN profile:

3.3.1) Switch to the menu VPN → IKEv2/IPsec → Extended settings.

This is an image of a technical user interface for configuring VPN connections, including sections on IKE relationships, authentication details, IP routing, encryption settings, and miscellaneous services.

3.3.2) Switch to the menu HSVPN profiles.

An image of a technical configuration interface displaying settings for RADIUS server accounting and VPN tunnel options.

3.3.3) Create a new profile and enter the following parameters:

  • Name: Enter a descriptive name.
  • Routing tag list: Enter the ARF tags of the networks to be transmitted via the VPN connection HEADQUARTER. Multiple ARF tags can be comma separated.


3.3.4) Navigate to the menu VPN → IKEv2/IPsec → Connection list.

Image displaying a technical configuration menu for IKEv2 VPN connections, including sections for interfaces, encryption parameters, and related profiles for routing and DNS settings.

3.3.5) Select the VPN connection HEADQUARTER and click on Edit.

Image displaying a technical configuration interface with options for gateway, encryption, authentication parameters, IP address pool, and DNS profile settings.

3.3.6) For HSVPN, use the drop-down menu to select the HSVPN profile created in Step 3.3.3.

Screenshot of a configuration menu for network connections featuring options for IKE config mode, encryption settings, authentication, and IP address pool selection among other parameters.

3.3.7) This concludes the configuration at the branch office 2. Write the configuration back to the router.
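
Because every route in this procedure is created by copying an entry and editing it by hand, a routing tag left unchanged after a copy places a remote network in the wrong ARF context. The following Python script is an added example, not part of the original article or of any LANCOM tool: it derives the expected routing entries and HSVPN routing tag list for each VPN connection from the scenario above and compares them with what was actually entered. The function names plan and audit are hypothetical, and it assumes that only tags present at both ends of a tunnel are carried.

```python
import ipaddress

# Networks and ARF tags copied from the scenario on this page.
SITES = {
    "HEADQUARTER": {"172.23.56.0/24": 1, "172.23.57.0/24": 2,
                    "172.23.58.0/24": 3, "172.23.59.0/24": 4},
    "BRANCH OFFICE1": {"192.168.1.0/24": 1, "192.168.2.0/24": 2, "192.168.3.0/24": 3},
    "BRANCH OFFICE2": {"192.168.4.0/24": 1, "192.168.5.0/24": 2, "192.168.6.0/24": 4},
}

def plan(local, peer):
    """Return (routes, tag_list) that `local` needs for its tunnel to `peer`.

    Assumption: only tags present on both sides are carried, which matches
    the routes the page creates (Branch Office 1 gets no tag 4 route).
    """
    shared = set(SITES[local].values()) & set(SITES[peer].values())
    routes = []
    for cidr, tag in SITES[peer].items():
        if tag in shared:
            net = ipaddress.ip_network(cidr)
            routes.append((str(net.network_address), str(net.netmask), tag, peer))
    return sorted(routes, key=lambda r: r[2]), sorted(shared)

def audit(local, peer, routes, tag_list):
    """Compare the configured routes and HSVPN tag list with the plan."""
    want_routes, want_tags = plan(local, peer)
    findings = []
    for r in want_routes:
        if r not in routes:
            findings.append(f"missing route {r[0]}/{r[1]} tag {r[2]}")
    for r in routes:
        if r not in want_routes:
            findings.append(f"unexpected route {r[0]}/{r[1]} tag {r[2]}")
    for t in sorted(set(tag_list) ^ set(want_tags)):
        findings.append(f"tag list differs from plan at tag {t}")
    return findings

if __name__ == "__main__":
    for local, peer in [("HEADQUARTER", "BRANCH OFFICE1"),
                        ("HEADQUARTER", "BRANCH OFFICE2"),
                        ("BRANCH OFFICE1", "HEADQUARTER"),
                        ("BRANCH OFFICE2", "HEADQUARTER")]:
        routes, tag_list = plan(local, peer)
        print(f"{local} -> {peer}: routing tag list {','.join(map(str, tag_list))}")
        for ip, mask, tag, router in routes:
            print(f"  {ip} {mask} tag {tag} router {router}")
    # Constructed mistake: VOIP route copied at the headquarter, tag left at 1.
    wrong = [("192.168.1.0", "255.255.255.0", 1, "BRANCH OFFICE1"),
             ("192.168.2.0", "255.255.255.0", 1, "BRANCH OFFICE1"),
             ("192.168.3.0", "255.255.255.0", 3, "BRANCH OFFICE1")]
    print(audit("HEADQUARTER", "BRANCH OFFICE1", wrong, [1, 2, 3]))
```

The routes passed to audit are typed in from the IPv4 routing table shown in LANconfig; an empty result means the table matches the scenario.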