Aller à :navigation, rechercher
Wiki

IPSec IKEv2 connection with LANCOM

De Securepoint Wiki





























In dieser Seite werden die Variablen für unterschiedliche Sprachen definiert.
Diese Seite wird auf folgenden Seiten eingebunden






































{{var | Remote Host / Gateway ID--pfad

| Authentifizierung$NAMEEntfernte Identität
Wenn dieser gesetzt wird, muss in jedem Fall auch der lokale Identitätstyp gesetzt werden!
| Authentication$NAMERemote identity
If this is set, the local identity type must also be set in any case!}
























Instructions for setting up an IPSec IKEv2 connection with LANCOM routers

New article: 06.2024

notemptyThis article refers to a Beta version

-
Access: UTM-IP:Port or UTM-URL:Port
Port as configured at Network / Appliance Settings / Webserver
Default-Port: 11115
i.e.: https://utm.ttt-point.de:11115
Default: https://192.168.175.1:11115 VPN IPSec

Preliminary remark

The following shows how to configure an IPSec IKEv2 connection with LANCOM routers and where to find the relevant settings in the router web interface.


The following local example networks should be accessible via the S2S connection:

Local router network 172.30.0.0/24
Shared UTM networks 172.31.2.0/24 & 192.168.250.0/24


Configuration of the UTM

notemptyThe connection is set up on the UTM as described in the wiki article IPSec Site-to-Site.
The following configurations are then adjusted:













Phase 1 Edit UTMuser@firewall.name.fqdnVPNIPSec
Fig.1
The following configurations must be adjusted under VPN IPSec  Area Connections button Phase 1:
  • MOBIKE must be deactivated
  • It is also recommended with regard to gateway IDs:
    • with fixed, public IPs on both sides: IP addresses
    • in all other cases: Email addresses
  • When using an email address as an ID, it is essential to pay attention to the double @ in front of the email address! (Example: @@mail@anyideas.de)
    • Phase 2 Edit UTMuser@firewall.name.fqdnVPNIPSec
    Fig.2
    Under VPN IPSec  Area Connections button Phase 2 the grouping of subnet combinations must be switched off.

    Configuration of the LANCOM router

    The connection parameters are then configured on the LANCOM router.

    To do this, the various data records must first be created. This is done in the web interface of the router, mainly under ConfigurationVPNIKEv2/IPSec, exceptions are the IPv4-Rules and the Routing.

    The data records can always be edited by clicking on the name highlighted in blue and new data records can be created using the Add button, which can be found at the bottom center.

  • Under no circumstances should DEFAULT data records be deleted!













    • Checking/troubleshooting

    You can see whether a configured connection has been established in the dashboard in the "VPN" line (scroll down a little if necessary). [[Datei:]]
    Dashboard
    In addition, the actions of the router can be tracked under System informationSyslog to identify possible problems. [[Datei:]]
    Syslog

    Location of relevant settings in the router web interface

    The following table shows where the settings known from the UTM can be configured in the web interface of the Lancom router.
    notempty$NAME is a placeholder for the name of a data record that must be opened by clicking on it.

    Phase 1

    General
    General
    Bezeichnung Securepoint UTM Bezeichung Lancom
    Local Gateway No suitable counterpart available
    Local Gateway ID ConfigurationVPNIKEv2/IPSecAuthentication$NAMELocal identity
    If this is set, the remote identity type must also be set in any case!
    Remote Host / Gateway ConfigurationVPNIKEv2/IPSecConnection list$NAMERemote gateway
    Remote Host / Gateway ID ConfigurationVPNIKEv2/IPSec
    Authentication method ConfigurationVPNIKEv2/IPSecAuthentication$NAMELocal authentication
    ConfigurationVPNIKEv2/IPSecAuthentication$NAMEremote authentication
    Pre-Shared Key ConfigurationVPNIKEv2/IPSecAuthentication$NAMELocal password
    ConfigurationVPNIKEv2/IPSecAuthentication$NAMERemote password
    Starting behavior: Incoming ConfigurationVPNIKEv2/IPSecConnection list$NAMEHold time: 0
    Starting behavior: Outgoing ConfigurationVPNIKEv2/IPSecConnection list$NAMEHold time: 9999
    Dead Peer Detection / DPD Interval ConfigurationVPNIKEv2/IPSecConnection-parameters$NAMEDead Peer Detection
    IKE
    IKE
    Encryption ConfigurationVPNIKEv2/IPSecEncryption$NAMEIKE-SA encryption list
    Authentication ConfigurationVPNIKEv2/IPSecEncryption$NAMEIKE-SA hash list
    Diffie-Hellman Group ConfigurationVPNIKEv2/IPSecEncryption$NAMEAllowed DH groups
    IKE Lifetime ConfigurationVPNIKEv2/IPSecValidity period$NAMEIKE SA

    Phase 2

    General
    General
    Encryption ConfigurationVPNIKEv2/IPSecEncryption$NAMEChild-SA encryption list
    Authentication ConfigurationVPNIKEv2/IPSecEncryption$NAMEChild-SA hash list
    DH Group (PFS) ConfigurationVPNIKEv2/IPSecEncryption$NAMEAllowed DH groupsPFS: Yes
    Key service life ConfigurationVPNIKEv2/IPSecValidity period$NAMEChild SA
    Subnet
    Subnet
    Local network ConfigurationVPNGeneralIPv4 rules$NAMERemote networks
    Remote network ConfigurationVPNGeneralIPv4 rules$NAMELocal networks
    notemptyLocal on one side is always remote on the other side!
    Récupérée de "https://wiki.securepoint.de/index.php?title=UTM/VPN/IPSec-SP-Lancom&oldid=91817"