Description:

This document describes how to set up a scenario where a single network client on the local network sends all of its data traffic (including Internet data) via a VPN site-to-site connection set up on the LANCOM R&S®Unified Firewall.


Requirements:

  • LANCOM R&S®Unified Firewall with LCOS FX as of version 10.5 RU3
  • Functional Internet connection
  • Web browser for configuring the Unified Firewall.

    The following browsers are supported:
    • Google Chrome
    • Chromium
    • Mozilla Firefox
  • One or more operational VPN site-to-site connections set up on the LANCOM R&S®Unified Firewall (e.g. between two Unified Firewalls)


Scenario:

  • Between two locations each operating a LANCOM R&S®Unified Firewall, there is an IKEv2 VPN connection that connects the local network at the branch office (192.168.66.0/24) with the local network at the headquarters (192.168.50.0/23).
  • At the branch office, a single network client with the IP address 192.168.66.4 should send all of its data traffic, including Internet data, via the VPN connection to the headquarters.

Illustration displaying a network diagram with elements labeled as UnifiedFirewall, VPN connection, IKEv2, LAN Headquarter, and LAN Office connected via the internet.


Procedure:

1) Configuration steps on the Unified Firewall at the branch office:

1.1) On the Unified Firewall at the branch office, open the configuration of the VPN connection in the menu VPN → IPsec → Connections and go to the Tunnels tab.

1.2) Modify the entry to create an “Any-to-Any” SA. To do this, enter 0.0.0.0/0 in the Remote Networks field. In the Local Networks field, enter the local network at the branch office (in this case 192.168.66.0/24).

A screenshot displaying a technical user interface related to IKEv2 SSUF connection configurations and security settings.

1.3) Switch to the Routing tab and enable the option Routing-based IPsec.

Screenshot of a network configuration interface showing the Routing tab of the IKEv2 SSUF connection, with options for security profiles and manual routing rules for IPsec tunnels.

1.4) Save your modifications and go to the menu Network → Routing → Routing Tables. Open Table 254 for editing.

1.5) Create a new entry by clicking the “+” button.

Image of a computer screen displaying a routing table configuration menu with an option to save the current version.

1.6) Set the interface as the VPN site-to-site connection modified in steps 1.2 and 1.3.

  • Set the destination as the IP address range of the local network at the remote location (i.e. the headquarters).

1.7) Save the entry with OK and close routing table 254.

Screenshot of a network configuration interface showing the Edit Route dialog for the IKEv2 SSUF interface with destination, gateway, and attached subnets (none attached to the selected interface).

1.8) Create a new routing table using the “+” button.

1.9) Set the table number to 512. Then click the “+” button to create a new entry.

Image showing a complex user interface possibly related to networking or routing configuration settings.

1.10) Set the interface as the VPN site-to-site connection to the headquarters modified in steps 1.2 and 1.3.

  • Set the destination to the address 0.0.0.0/0.

Screenshot of a network configuration interface showing the Edit Route dialog for the IKEv2 SSUF interface with Destination, Gateway, and attached subnets (none selected).

1.11) Save the entry with OK and click Create to close routing table 512.

Screenshot of a technical configuration interface displaying routing table and unicast settings, with partially obscured text.

1.12) Go to the menu Network → Routing → Routing Rules and create one new routing rule using the “+” button.

  • Set a Priority with a value greater than 64.
  • In the Source Subnet field, enter the local IP address of the client that should send all of its data traffic over the VPN connection. In this example this is the client with the IP address 192.168.66.4, which in CIDR notation is entered as 192.168.66.4/32.
  • Set the Destination Subnet to the address 0.0.0.0/0.
  • Set the Action to the routing table created in step 1.9 (table 512).

1.13) Save the routing rule with Create.

Screenshot of a technical configuration interface displaying routing rules, selectors, and action options.

1.14) This concludes the configuration steps on the Unified Firewall.
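The following Python model of the policy-based routing configured in steps 1.4 to 1.13 is an added example, not code from LANCOM or the Unified Firewall. It lets you check, before touching a client, which egress the firewall will pick for a given source/destination pair: the routing rule sends only 192.168.66.4 to table 512 (default route via the tunnel), while every other branch client keeps the main table 254, where just the headquarters network goes through the tunnel. The interface names, the existing WAN default route and the 203.0.113.x Internet destination are assumed; steps 1.2 and 1.3 (any-to-any SA, routing-based IPsec) are what allow the tunnel to carry such arbitrary destinations and are not modelled here.

```python
import ipaddress
from typing import Optional

# Constructed model of the LCOS FX routing tables and routing rule from steps 1.4 to 1.13.
# Interface names are assumptions, not names taken from the firewall.
VPN = "ikev2-ssuf"   # assumed name of the VPN site-to-site interface
WAN = "wan-uplink"   # assumed name of the Internet uplink

# Routing tables: (destination, interface); within a table the longest prefix wins.
TABLES = {
    254: [("0.0.0.0/0", WAN),              # pre-existing default route via the Internet uplink (assumed)
          ("192.168.50.0/23", VPN)],       # step 1.6: headquarters network via the tunnel
    512: [("0.0.0.0/0", VPN)],             # step 1.10: everything via the tunnel
}

# Routing rules: (priority, source subnet, destination subnet, table); lower priority is checked first.
RULES = [
    (100, "192.168.66.4/32", "0.0.0.0/0", 512),   # step 1.12: only the single client
]

def lookup_table(table: int, dst: str) -> Optional[str]:
    """Longest-prefix match of dst in one routing table; None if nothing matches."""
    best = None
    for prefix, iface in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None

def route(src: str, dst: str) -> Optional[str]:
    """Egress interface for a packet: matching rules are tried before the main table 254."""
    for _prio, src_net, dst_net, table in sorted(RULES):
        if (ipaddress.ip_address(src) in ipaddress.ip_network(src_net)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(dst_net)):
            iface = lookup_table(table, dst)
            if iface is not None:
                return iface          # first rule whose table holds a matching route wins
    return lookup_table(254, dst)     # no rule matched: normal lookup in the main table

if __name__ == "__main__":
    # Constructed sample flows: 203.0.113.10 stands in for an arbitrary Internet host.
    for src, dst in [("192.168.66.4", "203.0.113.10"), ("192.168.66.10", "203.0.113.10"),
                     ("192.168.66.10", "192.168.50.20")]:
        print(f"{src} -> {dst}: {route(src, dst)}")
```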


2) Configuration steps at the remote site:

2.1) Unified Firewall at the headquarters:

If the remote site operates a LANCOM R&S®Unified Firewall, you need to make the following adjustments to the configuration of the VPN connection:

2.1.1) On the Unified Firewall at the headquarters, open the configuration of the VPN connection in the menu VPN → IPsec → Connections and go to the Tunnels tab.

Image of a technical configuration menu displaying settings related to IKEv2 SSUF connection and security profiles.

2.2) LANCOM router at the headquarters:

If the remote site operates a LANCOM router, you need to make the following adjustments to the configuration of the VPN connection:

2.2.1) Use LANconfig to open the configuration for the LANCOM router and navigate to the menu item VPN → IKEv2/IPsec → Connection list.

2.2.2) Open the entry for the VPN connection to the branch office.

  • Set Rule creation to Manual.
  • Set the IPv4 rule to the ready-made rule RAS-WITH-NETWORK-SELECTION.

A screenshot of a technical configuration interface displaying a variety of settings including authentication, connection parameters, and routing options.

2.2.3) Save your modifications with OK and write the configuration back to the LANCOM router.