Description:

This document describes how to set up a VPN-SSL connection (site-to-site) between two LANCOM R&S®Unified Firewalls (referred to in the following as Unified Firewalls).


Requirements:

  • Two LANCOM R&S®Unified Firewalls (headquarters and branch office) with an existing installation of LCOS FX as of version 10.7
  • A configured and functional Internet connection on each Unified Firewall
  • Web browser for configuring the Unified Firewall

    The following browsers are supported:
    • Google Chrome
    • Chromium
    • Mozilla Firefox

Make sure that the address ranges of the local networks connected via VPN do not overlap with one another or with the default networks configured on the Unified Firewall ports (e.g. 192.168.2.0/24, 192.168.3.0/24). Overlapping ranges cannot be routed unambiguously through the tunnel.


Scenario:

1) The Unified Firewall is connected directly to the Internet and has a public IPv4 address:

A company wants to use a VPN-SSL connection to connect their Unified Firewall at the headquarters to their Unified Firewall at the branch office.

Headquarter:

  • The company headquarters has a Unified Firewall as a gateway. It has an Internet connection with the fixed public IP address 81.81.81.1.
  • The local network at the headquarters has the IP address range 192.168.23.0/24.
  • The headquarters is configured as a site-to-site server which accepts inbound VPN-SSL connections.

Branch office:

  • The branch office has a Unified Firewall as a gateway. It has an Internet connection with the fixed public IP address 82.82.82.2.
  • The local network at the branch office has the IP address range 192.168.24.0/24.
  • The branch office is configured as a site-to-site client which initiates outbound VPN-SSL connections.

Diagram: the headquarters and branch office Unified Firewalls, each with a public IP address and a LAN, connected over the Internet via VPN-SSL.


2) The Unified Firewall is connected to the Internet via an upstream router:

A company wants to use a VPN-SSL connection to connect their Unified Firewall at the headquarters to their Unified Firewall at the branch office.

Headquarter:

  • The company headquarters has a Unified Firewall as the gateway and an upstream router for the Internet connection. The router has the fixed public IP address 81.81.81.1.
  • The local network at the headquarters has the IP address range 192.168.23.0/24.
  • The headquarters is configured as a site-to-site server which accepts inbound VPN-SSL connections.

Branch office:

  • The branch office has a Unified Firewall as the gateway and an upstream router for the Internet connection. The router has the fixed public IP address 82.82.82.2.
  • The local network at the branch office has the IP address range 192.168.24.0/24.
  • The branch office is configured as a site-to-site client which initiates outbound VPN-SSL connections.

This scenario also includes the “parallel” solution as described in this article.

Image of a network configuration interface showing connections between headquarters and office routers, including LAN, SSL, and public IP address settings.



Procedure:

The setup for scenarios 1 and 2 is basically the same. Scenario 2 additionally requires port forwarding on the upstream router at the headquarters (see section 4).

Each Unified Firewall, at the headquarters and at the branch office, needs its own CA and one host certificate signed by that CA. The host certificate, together with its private key, is selected in the VPN SSL settings and authenticates the firewall towards its peer when the TLS connection is established; the private key never leaves the firewall that created it. The certificate is then exported without the private key and imported on the other Unified Firewall, where it is selected in the VPN SSL connection and is used to verify the identity of the remote peer. The exchange is therefore mutual: each side holds its own private key and the other side's public certificate.


1) Creating certificates and modifying the VPN SSL settings:

1.1) Creating certificates and modifying the VPN SSL settings on the Unified Firewall at the headquarters:

1.1.1) Connect to the Unified Firewall at the headquarters, switch to the menu Certificate Management → Certificates and click on the "Plus" icon to create a new certificate.

Screenshot of a technical configuration interface displaying various system settings including firewall, certificates, network monitoring statistics, and default proxy settings.

1.1.2) Modify the following parameters to create a CA and click Create:

  • Certificate Type: Select the option Certificate.
  • Template: Select the template Certificate Authority.
  • Common Name (CN): Enter a descriptive Common Name (in this example VPN-SSL-CA-Headquarter).
  • Private Key Password: Enter a password. This is used for encrypting the Private Key.

Image showing a configuration menu for VPN SSL CA certificates, detailing options for Certificate Type, Common Name, Private Key Password, Validity, Encryption Algorithm, and other settings.

1.1.3) Create another certificate by clicking on the "Plus" icon. This is the host certificate of the headquarters: it is exported in the following steps and selected in the VPN SSL settings at the headquarters. For this purpose modify the following parameters and click Create:

  • Certificate Type: Select the option Certificate.
  • Template: Select the template Certificate.
  • Common Name (CN): Enter a descriptive Common Name (in this example VPN-SSL-Headquarter).
  • Private Key Password: Enter a password. This is used for encrypting the Private Key.
  • Validity: Set the validity to at least 5 years. This is recommended, since this certificate is used for all VPN SSL connections. Note the expiry date: when the certificate is renewed, it has to be exported and imported on the peer again, and the signing CA from step 1.1.2 must remain valid for at least as long, otherwise the certificate chain fails validation on the peer.
  • Signing CA: In the dropdown menu select the CA created in step 1.1.2.
  • CA Password: Enter the Private Key Password entered in step 1.1.2.

A screenshot of a VPN SSL configuration interface showing options for certificate type, common name, validity period, encryption algorithm, and others, with fields for entering passwords and toggles for displaying them.

1.1.4) For the certificate created in step 1.1.3 click on the icon for the certificate export.

An image displaying a technical configuration menu with options for firewall settings, certificates, user authentication, and VPN management.

1.1.5) Select the format PEM / CRT, activate the option Export Certificate Chain and click Export. The export contains the certificate and its signing CA only; the private key stays on the firewall.

Screenshot of a technical configuration menu related to VPN SSL settings and certificate chain exporting.

1.1.6) Switch to the menu VPN → VPN SSL → VPN SSL Settings.

Screenshot of a technical configuration menu displaying options for Firewall, Monitoring Statistics, Network, Desktop, and VPN SSL Settings.

1.1.7) Activate the VPN SSL service via the slider, modify the following parameters and click Save:

  • Host certificate: In the dropdown menu select the VPN certificate created in step 1.1.3.
  • Private Key Password: Enter the Private Key Password entered in step 1.1.3.
  • Routes: Enter the networks in CIDR notation (Classless Inter-Domain Routing) which should be accessible via the VPN connection. In this example, the local network at the headquarters has the IP address range 192.168.23.0/24.
  • Encryption Algorithm: On the tab Site-to-Site select the option AES 256.

If necessary, you can change the Protocol and the Port (the default for site-to-site is UDP 49152, see section 4); protocol and port must match on both Unified Firewalls. The Address Pool is the range of IP addresses assigned to the dial-in VPN SSL clients. This address range must not overlap with any internal network of the Unified Firewall or with the networks connected via VPN.

Image showing the user interface of a VPN SSL Settings menu with various configuration options including host certificate, private keys, password settings, protocols, encryption algorithm (AES), and key renegotiation times.


1.2) Creating certificates and modifying the VPN SSL settings on the Unified Firewall in the branch office:

1.2.1) Connect to the Unified Firewall in the branch office, switch to the menu Certificate Management → Certificates and click on the "Plus" icon to create a new certificate.

A screenshot of a technical user interface displaying options such as Firewall, Certificates, Monitoring Statistics, Network, and Reset, with various default certificates listed like LCOSFXDefaultRootCA and LCOSFXDefaultHTTPSProxyCA.

1.2.2) Modify the following parameters to create a CA and click Create:

  • Certificate Type: Select the option Certificate.
  • Template: Select the template Certificate Authority.
  • Common Name (CN): Enter a descriptive Common Name (in this example VPN-SSL-CA-Office).
  • Private Key Password: Enter a password. This is used for encrypting the Private Key.

An image of a VPN SSL Certificate Authority configuration dialog displaying various settings including certificate types, common name, private key password fields, and encryption algorithm options.

1.2.3) Create another certificate by clicking on the "Plus" icon. This is the host certificate of the branch office and is used in the VPN SSL settings in the branch office (see step 1.2.7). For this purpose modify the following parameters and click Create:

  • Certificate Type: Select the option Certificate.
  • Template: Select the template Certificate.
  • Common Name (CN): Enter a descriptive Common Name (in this example VPN-SSL-Office).
  • Private Key Password: Enter a password. This is used for encrypting the Private Key.
  • Validity: Set the validity to at least 5 years. This is recommended, since this certificate is used for all VPN SSL connections. Note the expiry date: when the certificate is renewed, it has to be exported and imported on the peer again, and the signing CA from step 1.2.2 must remain valid for at least as long, otherwise the certificate chain fails validation on the peer.
  • Signing CA: In the dropdown menu select the CA created in step 1.2.2.
  • CA Password: Enter the Private Key Password entered in step 1.2.2.

Screenshot of a security configuration interface showing options for certificate types, signing requests, and encryption settings.

1.2.4) For the certificate created in step 1.2.3 click on the icon for the certificate export.

Screenshot of a technical configuration interface showing options for system settings, user authentication, and certificate management with various encryption parameters.

1.2.5) Select the format PEM / CRT, activate the option Export Certificate Chain and click Export. The export contains the certificate and its signing CA only; the private key stays on the firewall.

Image of a technical configuration interface for exporting VPN and Certificate Authority certificates, detailing options for file formats and security measures to prevent unauthorized access.

1.2.6) Switch to the menu VPN → VPN SSL → VPN SSL Settings.

Screenshot of a technical configuration interface showing options for Firewall, Monitoring Statistics, Network, Desktop, and VPN SSL settings.

1.2.7) Activate the VPN SSL service via the slider, modify the following parameters and click Save:

  • Host certificate: In the dropdown menu select the VPN certificate created in step 1.2.3.
  • Private Key Password: Enter the Private Key Password entered in step 1.2.3.
  • Routes: Enter the networks in CIDR notation (Classless InterDomain Routing), which should be accessible via the VPN connection. In this example, the local network at the branch office has the IP address range 192.168.24.0/24.
  • Encryption Algorithm: On the tab Site-to-Site select the option AES 256.

If necessary, you can change the Protocol and the Port; protocol and port must match the values configured at the headquarters. The Address Pool is the range of IP addresses assigned to the dial-in VPN SSL clients. This address range must not overlap with any internal network of the Unified Firewall or with the networks connected via VPN.

Image displaying the configuration settings of a VPN SSL interface with various options such as host certificate, routes, encryption algorithm, and more.



2) Importing the certificates:

2.1) Importing the VPN SSL certificate on the Unified Firewall at the headquarters:

2.1.1) On the Unified Firewall at the headquarters go to the menu Certificate Management → Certificates and click on the button for the certificate import.

Image displaying a complex user interface with various settings including firewall, certificate management, and network monitoring options.

2.1.2) Leave the setting on Import Certificate, select the certificate file exported in the branch office in step 1.2.5 and click Import.

Since the private key has not been exported, no password has to be entered. The imported certificate only serves to verify the branch office when it connects; the matching private key stays on the branch office firewall.

An image showing a user interface with options for 'Import Certificate', 'Sign CSR', and 'Certificate Signing'.


2.2) Importing the VPN SSL certificate on the Unified Firewall in the branch office:

2.2.1) On the Unified Firewall in the branch office go to the menu Certificate Management → Certificates and click on the button for the certificate import.

Screenshot of a network configuration interface displaying options for user activation, firewall settings, certificate management, system help, and monitoring statistics.

2.2.2) Leave the setting on Import Certificate, select the certificate file exported at the headquarters in step 1.1.5 and click Import.

Since the private key has not been exported, no password has to be entered. The imported certificate only serves to verify the headquarters when the connection is established; the matching private key stays on the headquarters firewall.

Screenshot showing the options Import Certificate and Sign CSR in the import dialog.
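Before importing an exported file on the peer, it is worth confirming on the file itself what the two import steps above rely on: that it is a PEM chain export (host certificate plus signing CA) and that no private key is included. The following Python script is an added example, not part of the original article or of LCOS FX; its function and constant names (inspect_pem_export, the SAMPLE_* values) are this example's own, and the embedded PEM data are constructed stand-ins, not real certificates.

```python
"""Check an exported Unified Firewall certificate file before importing it on the peer.

Added example, not part of the original article or of LCOS FX. The article exports
the host certificate as PEM / CRT with "Export Certificate Chain" and imports it on
the other firewall without a password because no private key is included. This
check confirms that on the file itself: only CERTIFICATE blocks (host certificate
plus signing CA, i.e. two blocks), each decoding to a DER SEQUENCE, and no PRIVATE
KEY block. The sample data below are constructed stand-ins, not real certificates.
"""
import base64
import re
import sys

# One PEM block: BEGIN line with label, base64 body, END line with the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*"
    r"(?P<body>[A-Za-z0-9+/=\s]*?)\s*"
    r"-----END (?P=label)-----"
)


def inspect_pem_export(pem_text, expected_chain_length=2):
    """Return {'certificates': n, 'block_types': [...], 'problems': [...]}.

    An empty 'problems' list means the file looks like a clean chain export.
    expected_chain_length=2 matches the article: host certificate plus its CA.
    """
    problems, labels = [], []
    for match in PEM_BLOCK.finditer(pem_text):
        label = match.group("label")
        labels.append(label)
        if "PRIVATE KEY" in label:
            # The private key must stay on the firewall that created it.
            problems.append(f"export contains a {label} block; re-export the certificate without the private key")
            continue
        if label != "CERTIFICATE":
            problems.append(f"unexpected PEM block type {label}")
            continue
        try:
            der = base64.b64decode("".join(match.group("body").split()), validate=True)
        except ValueError:  # binascii.Error is a subclass of ValueError
            problems.append("CERTIFICATE block is not valid base64")
            continue
        if not der or der[0] != 0x30:  # every X.509 certificate is a DER SEQUENCE (tag 0x30)
            problems.append("CERTIFICATE block does not decode to a DER SEQUENCE")
    certificates = labels.count("CERTIFICATE")
    if certificates == 0:
        problems.append("no CERTIFICATE block found")
    elif certificates < expected_chain_length:
        problems.append(f"only {certificates} certificate(s) found; was 'Export Certificate Chain' enabled?")
    return {"certificates": certificates, "block_types": labels, "problems": problems}


def _pem(label, der_bytes):
    """Wrap bytes into a PEM block (used only to build the constructed samples)."""
    return f"-----BEGIN {label}-----\n{base64.b64encode(der_bytes).decode()}\n-----END {label}-----\n"


# Constructed samples: a minimal DER SEQUENCE per block, not real certificates.
SAMPLE_CHAIN_EXPORT = _pem("CERTIFICATE", b"\x30\x03\x02\x01\x01") + _pem("CERTIFICATE", b"\x30\x03\x02\x01\x02")
SAMPLE_CERT_ONLY = _pem("CERTIFICATE", b"\x30\x03\x02\x01\x01")
SAMPLE_WITH_KEY = SAMPLE_CHAIN_EXPORT + _pem("PRIVATE KEY", b"\x30\x03\x02\x01\x03")

if __name__ == "__main__":
    # Usage: python check_export.py VPN-SSL-Office.pem   (script and file names are hypothetical)
    text = open(sys.argv[1], encoding="ascii").read() if len(sys.argv) > 1 else SAMPLE_CHAIN_EXPORT
    result = inspect_pem_export(text)
    print(f"{result['certificates']} certificate(s), block types {result['block_types']}")
    for problem in result["problems"]:
        print("PROBLEM:", problem)
```

Run it with the exported file as argument. A file that reports a PRIVATE KEY block should not be transferred to the peer at all; the firewall that created the key is the only place it is needed, and a chain export with only one certificate means the "Export Certificate Chain" option was not enabled.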



3) Setting up the VPN SSL connections and the firewall rules:

3.1) Setting up the VPN SSL connection and the firewall rule on the Unified Firewall at the headquarters:

3.1.1) At the headquarters go to the menu VPN → VPN SSL → Connections and click on the "Plus" icon to create a new VPN SSL connection.

A screenshot of a technical configuration interface displaying network connections with options for User Authentication, VPN settings, IPsec and VNSSL, as well as Certificate Management.

3.1.2) Modify the following parameters and click Create:

  • Name: Enter a descriptive name (in this example VPN_SSL_Office). Note that only letters, numbers and underscores are allowed in the name.
  • Certificate: In the dropdown menu select the VPN certificate imported in step 2.1.2.
  • Connection type: Select the option Site-To-Site (Server).
  • Remote Networks: Enter the local network of the branch office in CIDR notation and add it via the "Plus" icon (in this example 192.168.24.0/24).

If additional networks should be reachable from the branch office via the headquarters (e.g. via a separate VPN connection), these networks have to be entered as Additional Local Networks. The configuration is pushed from the headquarters (server) to the branch office (client), which creates routing entries for the transmitted networks.

Screenshot of a VPN SSL configuration interface showing options such as connection types, site-to-site settings, and address pool modifications, with a notification that changes will be preserved until logout or cancellation.
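The Routes and Additional Local Networks offered by the server, the Remote Networks of the client, the address pool from the VPN SSL settings and the requirement that nothing overlaps the default networks on the firewall ports together form one address plan that is easy to get wrong by hand. The following Python script, an added example that is not part of the original article or of LCOS FX, checks that plan with the standard library. It uses the article's prefixes; ADDRESS_POOL and all function names are this example's own assumptions. It goes slightly beyond the article's single case by checking the plan from both the server's and the client's point of view.

```python
"""Pre-flight check of the VPN-SSL address plan for the site-to-site setup.

Added example, not part of the original article or of LCOS FX. It applies the
constraints the article states: the LANs on both sides, the Routes and
"Additional Local Networks" offered by the server, the Remote Networks of the
client and the VPN SSL address pool must not overlap one another or the default
networks on the Unified Firewall ports. Only the prefixes marked as such are taken
from the article; ADDRESS_POOL is an assumed value standing in for the pool shown
in your VPN SSL Settings.
"""
import ipaddress
from itertools import combinations

# Values from the article.
HQ_LAN = "192.168.23.0/24"
OFFICE_LAN = "192.168.24.0/24"
DEFAULT_PORT_NETWORKS = ["192.168.2.0/24", "192.168.3.0/24"]
# Assumed example value (hypothetical); use the Address Pool from your VPN SSL Settings.
ADDRESS_POOL = "10.200.0.0/24"


def parse_cidr(label, text):
    """Parse one CIDR entry; strict=True rejects host bits such as 192.168.23.1/24."""
    try:
        return label, ipaddress.ip_network(text, strict=True)
    except ValueError as exc:
        raise ValueError(f"{label}: '{text}' is not a valid network in CIDR notation ({exc})") from exc


def check_address_plan(local_networks, remote_networks, address_pool, default_networks=DEFAULT_PORT_NETWORKS):
    """Return a list of conflicts; an empty list means the plan is consistent.

    local_networks:  networks behind this firewall (Routes / Additional Local Networks)
    remote_networks: networks behind the peer (Remote Networks of the connection)
    """
    entries = [parse_cidr("address pool", address_pool)]
    entries += [parse_cidr(f"local network {n}", n) for n in local_networks]
    entries += [parse_cidr(f"remote network {n}", n) for n in remote_networks]
    defaults = [parse_cidr(f"default port network {n}", n) for n in default_networks]

    conflicts = []
    # Every configured prefix must be disjoint from every other one ...
    for (name_a, net_a), (name_b, net_b) in combinations(entries, 2):
        if net_a.overlaps(net_b):
            conflicts.append(f"{name_a} overlaps {name_b}")
    # ... and from the default networks that may still be present on unused ports.
    for name, net in entries:
        for default_name, default_net in defaults:
            if net.overlaps(default_net):
                conflicts.append(f"{name} overlaps {default_name}")
    return conflicts


def headquarters_plan(additional_local_networks=()):
    """Plan as seen from the headquarters (server): its LAN plus any pushed networks are local, the office is remote."""
    return check_address_plan([HQ_LAN, *additional_local_networks], [OFFICE_LAN], ADDRESS_POOL)


def branch_office_plan():
    """Plan as seen from the branch office (client): its LAN is local, the headquarters is remote."""
    return check_address_plan([OFFICE_LAN], [HQ_LAN], ADDRESS_POOL)


if __name__ == "__main__":
    for site, conflicts in (("headquarters", headquarters_plan()), ("branch office", branch_office_plan())):
        print(site + ":", "OK" if not conflicts else "\n  ".join(["conflicts"] + conflicts))
```

Run the check once per firewall before entering the values in the web interface; strict parsing also catches a common slip, a host address such as 192.168.23.1/24 typed where a network prefix is expected.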

3.1.3) Click on the button to create a VPN network.


3.1.4) Modify the following parameters and click Create:

  • Name: Enter a descriptive name (in this example VPN-SSL-Office).
  • Connection Type: Select the option VPN-SSL.
  • VPN-SSL Connection: In the dropdown menu select the VPN connection created in step 3.1.2.

3.1.5) On the desktop click on the VPN network created in step 3.1.4, select the "connection tool" and click on the network object the site-to-site connection should have access to.

The image displays a user interface or configuration menu labeled 'VPNSSLOffice', indicating settings or options related to VPN and SSL for office use.

3.1.6) Click on the "Plus" icons to assign the necessary protocols to the connection.

A Unified Firewall uses a deny-all strategy. You therefore have to explicitly allow communication.

A screenshot of a network configuration interface displaying options like VPN, SSL, Office, INTRANET, with multiple selectable tabs for Connection settings, Rules including NAT, URL Content Filter, and Traffic Shaping, alongside another section labeled Connection Set with options for editing Names, Actions, and Schedules.

3.1.7) Finally, implement the configuration changes by clicking Activate in the Unified Firewall. This concludes the configuration steps on the Unified Firewall in the headquarter.

Screenshot showing firewall monitoring statistics on a technical user interface.


3.2) Setting up the VPN SSL connection and the firewall rule on the Unified Firewall in the branch office:

3.2.1) In the branch office go to the menu VPN → VPN SSL → Connections and click on the "Plus" icon to create a new VPN SSL connection.

A screenshot of a technical user interface displaying various network connection settings including VPN configurations, IPsec details, and certificate management options.

3.2.2) Modify the following parameters and click Create:

  • Name: Enter a descriptive name (in this example VPN_SSL_Headquarter). Note that only letters, numbers and underscores are allowed in the name.
  • Certificate: In the dropdown menu select the VPN certificate imported in step 2.2.2.
  • Connection type: Select the option Site-To-Site (Client).
  • Remote Addresses: Enter the public IP address or the DNS name of the headquarters, i.e. of the Unified Firewall itself (scenario 1) or of the upstream router (scenario 2), and add it via the "Plus" icon.

A screenshot displaying a VPN SSL configuration menu with various settings such as connection type, address pools, and remote addresses in a dialogue box.

3.2.3) Click on the button to create a VPN network.


3.2.4) Modify the following parameters and click Create:

  • Name: Enter a descriptive name (in this example VPN-SSL-Headquarter).
  • Connection Type: Select the option VPN-SSL.
  • VPN-SSL Connection: In the dropdown menu select the VPN connection created in step 3.2.2.

Image of the VPN network dialog with options for name, connection type and VPN-SSL connection, with a notification that changes will be preserved until cancellation or logout.

3.2.5) On the desktop click on the VPN network created in step 3.2.4, select the "connection tool" and click on the network object the site-to-site connection should have access to. 

Image showing a technical interface with options related to 'VPN' and 'SSL' settings for a headquarters network configuration.

3.2.6) Click on the "Plus" icons to assign the necessary protocols to the connection.

A Unified Firewall uses a deny-all strategy. You therefore have to explicitly allow communication.

Screenshot of a VPN SSL configuration interface displaying settings for connection modifications, network rules, and traffic management options.

3.2.7) Finally, implement the configuration changes by clicking Activate in the Unified Firewall. This concludes the configuration steps on the Unified Firewall in the branch office.

Screenshot of a user interface showing firewall monitoring and statistics data.



4) Setting up port forwarding on the LANCOM router (scenario 2 only):

Site-to-site VPN SSL uses UDP port 49152 by default. On the router in front of the headquarters (the site-to-site server) this port must be forwarded to the Unified Firewall. The branch office only initiates outbound connections, so no port forwarding is needed on its router.

If the port for VPN SSL was changed in the VPN SSL settings of the Unified Firewall, forward that port instead.

If you are using a router from another manufacturer, refer to its documentation for the appropriate procedure.

4.1) Open the configuration of the router in LANconfig and go to the menu IP Router → Masq. → Port forwarding table.

Image of a technical configuration screen displaying various network management and monitoring settings, including options for ICMP, IPSec, and forwarding.

4.2) Modify the following parameters:

  • First port: Specify the port 49152.
  • Last port: Specify the port 49152.
  • Intranet address: Specify the IP address of the Unified Firewall in the transfer network between the Unified Firewall and the LANCOM router.
  • Protocol: In the dropdown menu select the option UDP.

Screenshot of the new entry in the port forwarding table in LANconfig.

4.3) Write the configuration back to the router.