Setting up a certificate-based IKEv2 VPN connection between the LANCOM Advanced VPN Client and a LANCOM R&S®Unified Firewall (as of LCOS FX 10.4 and up to and including LCOS FX 10.6)

Description:

This document describes how to set up an IKEv2 connection between the LANCOM Advanced VPN Client and a LANCOM R&S®Unified Firewall (referred to here as the United Firewall).

Requirements:

• LANCOM R&S® Unified Firewall with LCOS FX as of version 10.4 and up to and including LCOS FX 10.6
• LANCOM Advanced VPN Client as of version 4.1
  
• A configured and functional Internet connection on the Unified Firewall
• Web browser for configuring the Unified Firewall.
  
  The following browsers are supported:
  • Google Chrome
  • Chromium
  • Mozilla Firefox

Scenario :

1) The Unified Firewall is connected directly to the Internet and has a public IPv4 address:

• A company wants its sales representatives to have access to the corporate network via an IKEv2 client-to-site connection.
• The notebooks used by the sales representatives have the LANCOM Advanced VPN Client installed on them.
• The company headquarters has a Unified Firewall as a gateway with an Internet connection with the fixed public IP address 81.81.81.81.
• The local network at the headquarters has the IP address range 192.168.3.0/24.
• The VPN connection should be authenticated using certificates. The CA of the Unified Firewall is used.

An image of a technical configuration interface showing a VPN setup with an Unified Firewall, Internet and LAN connections details.

 2) The Unified Firewall is connected to the Internet via an upstream router:

• A company wants its sales representatives to have access to the corporate network via an IKEv2 client-to-site connection.
• The notebooks used by the sales representatives have the LANCOM Advanced VPN Client installed on them.
• The company headquarters has a Unified Firewall as the gateway and an upstream router for the Internet connection. The router has the fixed public IP address 81.81.81.81.
• The local network at the headquarters has the IP address range 192.168.3.0/24.
• The VPN connection should be authenticated using certificates. The CA of the Unified Firewall is used.

Diagram displaying network settings for a VPN connection, including elements like Unified Firewall, public IP address, and LAN headquarters linked to the Internet through a router.

Procedure:

The setup for scenarios 1 and 2 are basically the same. Scenario 2 additionally requires port and protocol forwarding to be set up on the upstream router (see section 6).

1) Creating the CA and VPN certificates on the Unified Firewall:

1.1) Connect to the configuration interface of the Unified Firewall, go to the menu Certificate Management → Certificates and click on the "+" icon to create a new routing entry.

A screenshot of a technical configuration interface displaying options for firewall settings, certificate management, and proxy configurations.

1.2) The first step is to create a Certification Authority (CA) for VPN connections.

• In the drop-down menu "Type" of the window displayed at top left, select the option "CA for VPN/Webserver certificates".
• In the field "Private key size", select the value 4096 bit.
• Enter a common name of your choice.
• Set a Validity period.
• Assign any private key password.

1.3) Then click the Create button.

Image displaying a technical configuration interface with sections labeled VPNCACertificate, DistinguishedNameDN, SubjectAlternativeNameSAN, CertificateAuthorityServices, and addresses for OCSP Responder and CRL Download.

1.4) Click on the "+" icon to create a VPN certificate for the LANCOM Advanced VPN Client:

• In the drop-down menu "Type" of the window displayed at top left, select the option "VPN certificate".
• Set the "Signing CA" to the VPN_CA from step 1.2.
• In the field "Private key size", select the value 4096 bit.
• Enter a common name of your choice.
• Set a Validity period.
• In the field CA Password  enter the password set in step 1.2.
• Assign any private key password.

1.5) Then click the Create button.

Image of a VPN client interface displaying various configuration settings, including fields for Certificate, Distinguished Name (DN), Organizational Unit (OU), and Subject Alternative Name (SAN).

1.6) Click on the "+" icon to create a certificate for the Unified Firewall:

• In the drop-down menu "Type" of the window displayed at top left, select the option "VPN certificate".
• Set the "Signing CA" to the VPN_CA from step 1.2.
• In the field "Private key size", select the value 4096 bit.
• Enter a common name of your choice.
• Set a Validity period.
• In the field CA Password enter the password set in step 1.2.
• Assign any private key password.

1.7) Then click the Create button.

Image of a configuration screen for a VPN unified firewall, showing sections for Certificate, Distinguished Name (DN), Organizational Unit (OU), and Subject Alternative Name (SAN).

1.8) The newly created VPN certificates are listed below the newly created VPN certification authority (see following figure).

Image of a technical configuration interface displaying various security options including Firewall, HTTPS Proxy CA, LANCOM CA, Mail Proxy CA, and VPN settings, along with certificate management and monitoring statistics.

2) Creating the VPN connection on the Unified Firewall:

2.1) Navigate to the menu VPN → IPsec settings.

Image displaying a complex user interface for network security management, featuring options such as Firewall, VPN, IPsec settings, and monitoring statistics within a digital security system.

2.2) Activate IPsec.

Image showing a technical configuration menu with options for IPsec Settings, Proxy ARP, DHCP Server, and Radius Server.

2.3) Switch to VPN → IPsec Connections and click on the "+" icon to create a new IPsec connection.

Image of a technical configuration menu displaying options for Firewall, IPsec settings, Network Connections, Security Profiles, and Monitoring Statistics.

2.4) Save the following parameters:

• Name: Enter a descriptive name.
• Security profile: Here you select the ready-made profile LANCOM Advanced VPN Client IKEv2.
• Connection: Select your configured Internet connection.

If you have created your own template or security profile , you can use these here.

Screenshot of a VPN client configuration interface displaying options for connection name, listening addresses, remote gateway, initiate connection, and Force NAT-T settings.

2.5) Open the Tunnels tab.

• Local networks: Here you enter the local networks (in CIDR notation) that the VPN client should reach. In this example, the local network at the headquarters has the IP address range 192.168.3.0/24.
• Virtual IP pool: Select the option Default virtual IP pool. Virtual IP pools can be used to send IP address configurations to connected VPN clients.

Screenshot of a VPN client configuration interface showing options for connection, security profile, authentication, and network settings, including a section for IKEv compatibility mode.

2.6) Change to the Authentication tab and enter the following parameters:

• Authentication type: Select the option Certificate here.
• Local certificate: Here you select the VPN certificate created for the Unified Firewall in step 1.6.
• Remote certificate: Here you select the VPN certificate here created for the LANCOM Advanced VPN Client in step 1.4.

A screenshot of a VPN client connection settings interface showing options for preserving changes, connection tunnels, authentication types including certificate authority and pre-shared key, with details on local and remote certificates.

2.7) Click on Create to save the configuration.

2.8) Click the icon to create a new VPN host.

Image of a technical configuration interface displaying options for VPN hosting, firewall settings, monitoring statistics, network setup, desktop configuration, user group settings, and IPsec settings.

2.9) Save the following parameters:

• Name: Enter a descriptive name.
• VPN connection type: Select the type IPsec.
• IPsec connection: From the drop-down menu under IPsec, select the VPN connection created in steps 2.4 - 2.7.

Image showing a technical configuration interface with options for IPsec connection, client certification, and server settings.

2.10) In the VPN host click on the "connection" icon and, to open the firewall objects, click on the network object that the object (the site-to-site connection) should access.

Image of a user interface showing partial VPN client certification settings.

2.11) Use the "+" sign to assign the required protocols to the VPN host.

The image displays a technical user interface with various cybersecurity features, URL and application filters, and settings for online connectivity and communication tools such as Apple FaceTime.

2.12) Finally, implement the configuration changes by clicking Activate in the firewall.

Image displaying a technical user interface with elements for a firewall, network monitoring statistics, and desktop settings.

2.13) Change to the menu VPN → IPsec → Connections and, on the newly created Advanced VPN Client connection, click on the Export connection button.

Screenshot of a network configuration interface showing options for Firewall, IPsec settings, Connections monitoring, and Statistics.

2.14) Enter a password to be used to encrypt the exported ZIP archive.

2.15) In the Gateway field, enter the public IP or DNS address of the Unified Firewall (in this case 81.81.81.81).

2.16) As Key password you enter the one entered in step 1.4 as the Private Key Password for the VPN certificate for the LANCOM Advanced VPN Client.

2.17) Set any transport password.

2.18) Click Export and save the ZIP file on your computer.

Image showing a VPN client configuration export interface with elements labeled, likely part of a technical setup or troubleshooting screen.

3) Export the VPN certificate for the LANCOM Advanced VPN Client:

3.1) Change to the menu Certificate Management → Certificates and, for the VPN certificate for the LANCOM Advanced VPN Client, click the Export button.

3.2) Set that PKCS 12 format.

3.3) Enter the password for the Private Key Password entered in step 1.4.

3.4) Set any transport password. You will need this in step 4.1 to unzip the ZIP file.

3.5) Click Export and save the certificate file on your PC.

Screenshot of a user interface displaying export certificate options with fields for entering a password and an option to show the password.

3.6) This concludes the configuration steps on the Unified Firewall.

4) Import the VPN client certificate into the LANCOM Advanced VPN Client:

4.1) Unzip the ZIP file on your PC and copy the *.p12 file to a directory of your choice.

4.2) In the LANCOM Advanced VPN Client, open the option Configuration → Certificates.

4.3) Create a new certificate configuration using the Add button.

Screenshot displaying the configuration settings of an advanced VPN client interface, including options for certificate management and connection settings.

4.4) Enter a name for the new certificate configuration.

• In the Certificate field, select the option from PKCS#12 file
• In the PKCS#12 file name field, set the path to the certificate file for the VPN client.

5) Import the *.ini file and the configuration of the VPN connection into the LANCOM Advanced VPN Client:

5.1) Unzip the ZIP file exported in step 2.13.

5.2) In the LANCOM Advanced VPN Client open the option Configuration → Profiles and click Add/import.

5.3) Select the option Profile import.

5.4) Set the PATH to the VPN profile file.

5.5) Click on Finish to conclude the import.

5.6) Select the imported profile and then click Next.

5.7) Switch to the menu IPsec general settings and set IKEv2 authentication to the value Certificate.

Screenshot showing a technical configuration interface with the terms 'ExtendedAuthentication', 'HocalIdentityIKE', and other partially visible options.

5.8) You need to set the Certificate configuration to the certificate configuration created in step 4.3.

5.9) This concludes the configuration. Close the dialogs of the LANCOM Advanced VPN Client with OK.

5.10) When establishing the connection, the PIN to enter is the Private Key Password of the Client certificate.

6) Setting up port and protocol forwarding on a LANCOM router (scenario 2 only):

IPSec requires the use of the UDP ports 500 and 4500 as well as the protocol ESP. These must be forwarded to the Unified Firewall.

Forwarding the UDP ports 500 and 4500 automatically causes the ESP protocol to be forwarded.

6.1) Open the configuration for the router in LANconfig and switch to the menu item IP-Router → Masq . → Port forwarding table .

Screenshot of a network configuration interface showing options to make specific services such as a Web Server accessible externally, with sections including General, VRRP, and Bonjour visible.

6.2) Save the following parameters:

• First port : Specify the Port 500.
• Last port : Specify the Port 500.
• Intranet address : Specify the IP address of the Unified Firewall in the transfer network between the Unified Firewall and the LANCOM router.
• Protocol: From the drop-down menu, select UDP.

Image displaying a user interface for configuring port forwarding, with fields labeled PortforwardingtableNewEntry, Entryactive, and options to select remote states and mapping.

6.3) Create a further entry and specify the UDP port 4500.

Image showing a partially visible user interface of a port forwarding configuration menu.

6.4) Write the configuration back to the router.