Instructions for setting up an IPSec IKEv2 connection with LANCOM routers

New article: 06.2024

This article refers to a Beta version.

Access: UTM-IP:Port or UTM-URL:Port
Port as configured under Network > Appliance Settings > Webserver
Default port: 11115
e.g. https://utm.ttt-point.de:11115
Default: https://192.168.175.1:11115
Menu: VPN > IPSec

Preliminary remark

The following shows how to configure an IPSec IKEv2 connection with LANCOM routers and where to find the relevant settings in the router web interface.


The following local example networks should be reachable via the site-to-site (S2S) connection:

  • Local router network: 172.30.0.0/24
  • Shared UTM networks: 172.31.2.0/24 and 192.168.250.0/24



Configuration of the UTM

The connection is set up on the UTM as described in the wiki article IPSec Site-to-Site. The following settings are then adjusted:

Fig. 1: UTM > VPN > IPSec, Phase 1 edit dialog
Under VPN > IPSec, area Connections, button Phase 1, the following must be adjusted:
  • MOBIKE must be deactivated.
  • For the gateway IDs it is recommended to use:
    • IP addresses when both sides have fixed, public IPs
    • Email addresses in all other cases
  • When using an email address as an ID, the double @ in front of the email address is essential (example: @@mail@anyideas.de).

Fig. 2: UTM > VPN > IPSec, Phase 2 edit dialog
Under VPN > IPSec, area Connections, button Phase 2, the grouping of subnet combinations must be switched off.

Configuration of the LANCOM router

The connection parameters are then configured on the LANCOM router.

To do this, the various data records must first be created. This is done in the web interface of the router, mainly under Configuration > VPN > IKEv2/IPSec; the exceptions are the IPv4 rules and the routing.

A data record can be edited by clicking on its name, highlighted in blue, and new data records can be created using the Add button at the bottom center.

  • Under no circumstances should DEFAULT data records be deleted!

Fig. 2

Encryption

Configuration > VPN > IKEv2/IPSec > Encryption
Here you will find a list of data records that contain cipher suites. It is not strictly necessary to create your own data record here: the DEFAULT data record contains the most common ciphers, which are also supported by the UTM. However, if the proposal negotiation fails, this is the first place to look when troubleshooting.
Fig. 3

Authentication

Configuration > VPN > IKEv2/IPSec > Authentication > Add
The parameters required for authentication in phase 1 are configured here, in a separate data record for each remote station.
Fig. 4

Connection parameters

Configuration > VPN > IKEv2/IPSec > Connection parameters
The DPD interval and the target port for UDP encapsulation can be changed here. The default values generally do not need to be changed.
Fig. 5

Validity period

Configuration > VPN > IKEv2/IPSec > Validity period
The lifetimes of the IKE SA and the child SA(s) are configured here. The DEFAULT data record can also be used, in which case its values (24 h for phase 1, 4 h for phase 2) must be transferred to the UTM.
Fig. 6

IPv4 rules

Configuration > VPN > General > IPv4 rules
This corresponds to the subnet configuration in phase 2 on the UTM, i.e. the local and remote subnets are configured here.
Fig. 7
A data record must be created here that matches the values on the UTM. The local and remote networks are entered, separated by spaces, in the fields labeled accordingly.
Fig. 8

Connection list

Configuration > VPN > IKEv2/IPSec > Connection list
Now that all the data records required for the connection have been created, a new connection can be created and configured using the Add button.
Fig. 9
For this connection, the appropriate data records must now be selected for the following points. In addition, the VPN registration must be configured manually with the previously created data record.
Fig. 10

Routing

Configuration > IP router > Routing > IPv4 routing table
Finally, routing entries must be created here for the remote subnets, with the corresponding IPSec connection as the router, because, unlike on the UTM, the corresponding policy-based routing is not created automatically.

Checking/troubleshooting

Whether a configured connection has been established can be seen in the dashboard in the "VPN" line (scroll down a little if necessary).
Fig.: Dashboard
In addition, the router's actions can be followed under System information > Syslog to identify possible problems.
Fig.: Syslog

Location of relevant settings in the router web interface

The following table shows where the settings known from the UTM can be found in the web interface of the LANCOM router.
$NAME is a placeholder for the name of a data record that must be opened by clicking on it.

Phase 1

General
Securepoint UTM | LANCOM
Local Gateway | No suitable counterpart available
Local Gateway ID | Configuration > VPN > IKEv2/IPSec > Authentication > $NAME > Local identity (if this is set, the remote identity type must also be set in any case!)
Remote Host / Gateway | Configuration > VPN > IKEv2/IPSec > Connection list > $NAME > Remote gateway
Remote Host / Gateway ID | Configuration > VPN > IKEv2/IPSec
Authentication method | Configuration > VPN > IKEv2/IPSec > Authentication > $NAME > Local authentication and Remote authentication
Pre-Shared Key | Configuration > VPN > IKEv2/IPSec > Authentication > $NAME > Local password and Remote password
Starting behavior: Incoming | Configuration > VPN > IKEv2/IPSec > Connection list > $NAME > Hold time: 0
Starting behavior: Outgoing | Configuration > VPN > IKEv2/IPSec > Connection list > $NAME > Hold time: 9999
Dead Peer Detection / DPD Interval | Configuration > VPN > IKEv2/IPSec > Connection parameters > $NAME > Dead Peer Detection

IKE
Securepoint UTM | LANCOM
Encryption | Configuration > VPN > IKEv2/IPSec > Encryption > $NAME > IKE-SA encryption list
Authentication | Configuration > VPN > IKEv2/IPSec > Encryption > $NAME > IKE-SA hash list
Diffie-Hellman Group | Configuration > VPN > IKEv2/IPSec > Encryption > $NAME > Allowed DH groups
IKE Lifetime | Configuration > VPN > IKEv2/IPSec > Validity period > $NAME > IKE SA

Phase 2

General
Securepoint UTM | LANCOM
Encryption | Configuration > VPN > IKEv2/IPSec > Encryption > $NAME > Child-SA encryption list
Authentication | Configuration > VPN > IKEv2/IPSec > Encryption > $NAME > Child-SA hash list
DH Group (PFS) | Configuration > VPN > IKEv2/IPSec > Encryption > $NAME > Allowed DH groups, PFS: Yes
Key lifetime | Configuration > VPN > IKEv2/IPSec > Validity period > $NAME > Child SA

Subnet
Securepoint UTM | LANCOM
Local network | Configuration > VPN > General > IPv4 rules > $NAME > Remote networks
Remote network | Configuration > VPN > General > IPv4 rules > $NAME > Local networks

Local on one side is always remote on the other side!
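The pitfalls this article lists (subnets swapped between the sides, lifetimes not transferred, e-mail IDs without the double @, MOBIKE still on) can be checked before the tunnel is first brought up. The following Python script is an added example with constructed values, not part of this wiki article or of any Securepoint or LANCOM tool; it assumes the LANCOM side stores the plain e-mail identity while the UTM side carries the @@ marker.

```python
"""Cross-check the two ends of an IKEv2 site-to-site tunnel for the mismatches
this article warns about: swapped subnets, unequal lifetimes, e-mail IDs without
the double @, MOBIKE left on. Constructed example, not a Securepoint/LANCOM tool."""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass
class Side:
    local_id: str
    remote_id: str
    local_nets: set
    remote_nets: set
    ike_lifetime_h: int    # phase 1 / IKE-SA lifetime in hours
    child_lifetime_h: int  # phase 2 / Child-SA lifetime in hours
    mobike: bool = False

def bare_id(ident):
    """The UTM marks an e-mail ID with a leading '@@' (e.g. @@vpn@example.org);
    strip that marker so both sides are compared on the plain identity."""
    return ident[2:] if ident.startswith("@@") else ident

def nets(values):
    # strict=True rejects host addresses such as 172.30.0.1/24 as typos
    return {ip_network(v, strict=True) for v in values}

def check_pair(utm, lancom):
    """Return a list of findings; an empty list means the two sides agree."""
    findings = []
    if utm.mobike:
        findings.append("UTM: MOBIKE must be deactivated")
    for ident in (utm.local_id, utm.remote_id):
        # the article's rule for e-mail IDs: a double @ in front of the address
        if "@" in ident and not ident.startswith("@@"):
            findings.append(f"UTM: e-mail ID {ident!r} needs the '@@' prefix")
    if bare_id(utm.local_id) != lancom.remote_id:
        findings.append("IDs: UTM local ID != LANCOM remote identity")
    if bare_id(utm.remote_id) != lancom.local_id:
        findings.append("IDs: UTM remote ID != LANCOM local identity")
    # local on one side is always remote on the other side
    if nets(utm.local_nets) != nets(lancom.remote_nets):
        findings.append("Subnets: UTM local networks != LANCOM remote networks")
    if nets(utm.remote_nets) != nets(lancom.local_nets):
        findings.append("Subnets: UTM remote networks != LANCOM local networks")
    if utm.ike_lifetime_h != lancom.ike_lifetime_h:
        findings.append("Lifetimes: IKE-SA lifetime differs between the sides")
    if utm.child_lifetime_h != lancom.child_lifetime_h:
        findings.append("Lifetimes: Child-SA lifetime differs between the sides")
    return findings
```

Feed it the values from both web interfaces as they were typed; every finding corresponds to one row of the mapping table above.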