Description:

This document describes how the local networks at two branch offices can communicate with one another via existing VPN connections to the router at the headquarters.


Requirements:


Scenario:

  • A LANCOM router is used at each of three locations, with each one running a local area network and providing access to the Internet.
    • The router at branch office 1 has the local network 192.168.1.0/24.
    • The router at the headquarters has the local network 192.168.2.0/24.
    • The router at branch office 2 has the local network 192.168.3.0/24.
  • A functioning VPN via the Internet has been set up between the routers at Branch office 1 and Headquarters. This VPN link connects the local networks 192.168.1.0/24 (Branch office 1) and 192.168.2.0/24 (Headquarters) allowing data to be exchanged.
  • A functioning VPN via the Internet has been set up between the routers at Branch office 2 and Headquarters. This VPN link connects the local networks 192.168.3.0/24 (Branch office 2) and 192.168.2.0/24 (Headquarters) allowing data to be exchanged.

Additionally, communication between the local networks at Branch office 1 (192.168.1.0/24) and Branch office 2 (192.168.3.0/24) is to be enabled by routing the data traffic via the router at the headquarters, using the VPN connections that are already in place.

[Figure: scenario diagram showing the BranchOffice and Headquarter connections]


Procedure:

One option is to use ANY-TO-ANY VPN rules, which allow communications between any networks. Another option is to use custom VPN rules, which allow communication only between specified networks.

The procedure for configuring routing entries when using ANY-TO-ANY VPN rules and custom VPN rules is basically the same. When using custom VPN rules, the VPN rules also need to be checked and adjusted if necessary (see step 2).  


1) Configuration steps when using ANY-TO-ANY VPN rules:

If all routers are to use ANY-TO-ANY VPN rules (as is the case when configuring with the Setup Wizard), the VPN rules allow communication between any networks. All you have to do is add additional routing entries at the two branches.

LANCOM Systems recommends ANY-TO-ANY VPN rules as they are much easier to configure. All you have to do is adjust the routing entries.

Furthermore, this only creates one VPN rule. This can reduce the load on the router, especially in larger scenarios.


1.1) Configuration steps on the router at branch office 1:

1.1.1) In LANconfig, open the configuration of the router at branch office 1 and switch to the menu item IP router → Routing → IPv4 routing table.


1.1.2) Add an additional route to branch office 2 by clicking Add.


1.1.3) Modify the following parameters:

  • IP address: Enter the network address of the network at branch office 2 (in this example 192.168.3.0).
  • Netmask: Enter the netmask of the network at branch office 2 (in this example 255.255.255.0).
  • Router: Select the VPN connection to the headquarters (in this example HEADQUARTER).
  • IP masquerading: Select the option IP masquerading switched off.


1.1.4) This concludes the configuration steps at branch office 1. Write the configuration back to the router.


1.2) Configuration steps on the router at branch office 2:

1.2.1) In LANconfig, open the configuration of the router at branch office 2 and switch to the menu item IP router → Routing → IPv4 routing table.


1.2.2) Add an additional route to branch office 1 by clicking Add.


1.2.3) Modify the following parameters:

  • IP address: Enter the network address of the network at branch office 1 (in this example 192.168.1.0).
  • Netmask: Enter the netmask of the network at branch office 1 (in this example 255.255.255.0).
  • Router: Select the VPN connection to the headquarters (in this example HEADQUARTER).
  • IP masquerading: Select the option IP masquerading switched off.


1.2.4) This concludes the configuration steps at branch office 2. Write the configuration back to the router.



2) Configuration steps when using custom VPN rules:

When using custom VPN rules, communication is only permitted between the specified networks. This is why the VPN rules need to be checked and adjusted if necessary, and additional routing entries need to be created.

The configuration of the routing settings at both branches is described in step 1.

For more information on creating VPN rules, see this Knowledge Base article.


2.1) Configuration steps on the router at branch office 1:

2.1.1) Open the configuration for the router at Branch office 1 and switch to the menu item VPN → General → Network rules.


2.1.2) Go to the menu IPv4 rules.


2.1.3) Check the structure of the VPN rule to the headquarters:

  • If the field Remote networks contains the network address of the headquarters, the VPN rule has to be adjusted. To do this, click on Edit.


  • In the Remote networks box, enter the network address for Branch office 2 in CIDR notation, in this example 192.168.3.0/24. The entries are separated by a comma.


If the Remote networks box contains the name of the VPN connection to the headquarters (in this example HEADQUARTERS), there is no need to adjust the VPN rule, since it refers to the entries in the IPv4 routing table.


2.1.4) This concludes the configuration steps at branch office 1.


2.2) Configuration steps on the router at branch office 2:

2.2.1) Open the configuration for the router at Branch office 2 and switch to the menu item VPN → General → Network rules.


2.2.2) Go to the menu IPv4 rules.


2.2.3) Check the structure of the VPN rule to the headquarters:

  • If the field Remote networks contains the network address of the headquarters in CIDR notation (in this example 192.168.2.0/24), the VPN rule has to be adjusted. To do this, click on Edit.


  • In the Remote networks box, enter the network address for Branch office 1 in CIDR notation, in this example 192.168.1.0/24. The entries are separated by a comma.


If the Remote networks box contains the name of the VPN connection to the headquarters (in this example HEADQUARTERS), there is no need to adjust the VPN rule, since it refers to the entries in the IPv4 routing table.


2.2.4) This concludes the configuration steps at branch office 2.


2.3) Configuration steps on the router at the headquarters:

2.3.1) Open the configuration for the router at the Headquarters and switch to the menu item VPN → General → Network rules.


2.3.2) Go to the menu IPv4 rules.


2.3.3) Mark the VPN rule of the VPN connection to branch office 1 (in this example OFFICE1) and click Edit.

The procedure at the Headquarters stays the same, even if the network addresses of the Local networks and Remote networks are stored in CIDR notation. 


2.3.4) In the Local networks box, add the network address for Branch office 2 in CIDR notation, in this example 192.168.3.0/24. The entries are separated by a comma. 


2.3.5) Mark the VPN rule of the VPN connection to branch office 2 (in this example OFFICE2) and click Edit.


2.3.6) In the Local networks box, add the network address for Branch office 1 in CIDR notation, in this example 192.168.1.0/24. The entries are separated by a comma.


2.3.7) This concludes the configuration steps at the headquarters.
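
Added example (not part of the original LANCOM article and not LANCOM code): a small Python model of the custom VPN rules from steps 2.1 to 2.3. It checks whether both tunnels permit branch-to-branch traffic and shows what a half-applied change or ANY-TO-ANY rules would let through. The data layout, the function names, the 10.0.0.0/8 test network and the assumption that a tunnel carries a network pair only when both ends list it are assumptions of this example.

```python
from ipaddress import ip_network
from itertools import product

# Networks from the page's example; everything else here is constructed.
B1, HQ, B2 = (ip_network(n) for n in
              ("192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"))
ANY = ip_network("0.0.0.0/0")

def permits(rule, src, dst):
    """rule = (local networks, remote networks); permits src->dst if some
    local x remote combination contains both networks."""
    local, remote = rule
    return any(src.subnet_of(l) and dst.subnet_of(r)
               for l, r in product(local, remote))

def tunnel_carries(tunnel, src, dst):
    """src is behind the branch end, dst behind the headquarters end.
    Assumption: the pair passes only if both ends permit it, mirrored."""
    return permits(tunnel["branch"], src, dst) and permits(tunnel["hq"], dst, src)

def branch_to_branch(tunnels, src_tunnel, dst_tunnel, src, dst):
    """Traffic relayed by the headquarters has to pass both tunnels."""
    return (tunnel_carries(tunnels[src_tunnel], src, dst)
            and tunnel_carries(tunnels[dst_tunnel], dst, src))

# Rule sets keyed by the headquarters' connection names (OFFICE1, OFFICE2).
BEFORE = {"OFFICE1": {"branch": ([B1], [HQ]), "hq": ([HQ], [B1])},
          "OFFICE2": {"branch": ([B2], [HQ]), "hq": ([HQ], [B2])}}
AFTER = {"OFFICE1": {"branch": ([B1], [HQ, B2]), "hq": ([HQ, B2], [B1])},
         "OFFICE2": {"branch": ([B2], [HQ, B1]), "hq": ([HQ, B1], [B2])}}
# Steps 2.1 and 2.2 applied, step 2.3 at the headquarters left out.
HQ_MISSED = {n: {"branch": AFTER[n]["branch"], "hq": BEFORE[n]["hq"]}
             for n in AFTER}
ANY_TO_ANY = {n: {"branch": ([ANY], [ANY]), "hq": ([ANY], [ANY])} for n in AFTER}

def audit(tunnels, unlisted=ip_network("10.0.0.0/8")):
    """Branch-to-branch reachability, plus whether the rules alone would let
    an unlisted network (constructed: 10.0.0.0/8) through the OFFICE1 tunnel."""
    return {"b1_to_b2": branch_to_branch(tunnels, "OFFICE1", "OFFICE2", B1, B2),
            "b2_to_b1": branch_to_branch(tunnels, "OFFICE2", "OFFICE1", B2, B1),
            "unlisted": tunnel_carries(tunnels["OFFICE1"], B1, unlisted)}

if __name__ == "__main__":
    for name, rules in [("before", BEFORE), ("after", AFTER),
                        ("hq missed", HQ_MISSED), ("any-to-any", ANY_TO_ANY)]:
        print(f"{name:11}", audit(rules))
```

In this model the custom rules permit exactly the three example networks, while the ANY-TO-ANY rules place no restriction on which networks may use the tunnel, so the routing entries from step 1 alone decide what is sent through it.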


2.4) Restart the VPN connections:

These changes only come into effect after restarting the VPN connections. The disconnect can be initiated at one of the branch offices or at the headquarters.

2.4.1) Restarting the VPN connection using LANmonitor:

Select the VPN connection, right-click and select the context-menu option Disconnect.



2.4.2) Restarting the VPN connection via the CLI:

Enter the command to disconnect the VPN connection in the following format:

do Other/Manual-Dialing/Disconnect <Name of the VPN connection> 

In this example, the command would appear as follows: 

do Other/Manual-Dialing/Disconnect HEADQUARTER
