VPN SSL connection settings

Under VPN > VPN SSL > VPN SSL Connections you can add a VPN SSL connection or edit an existing connection.

With the settings under VPN SSL Connections you can adjust the following parameters:

Input box – Description
I/0 – A slider button indicates whether the VPN SSL connection is enabled (I) or disabled (0). Click on the slider button to change the status of this connection. Newly created connections are enabled by default.
Name – Enter a unique name for this connection. The name must consist of alphanumeric characters, i.e. letters (excluding ä, ö, ü and ß), numbers and special characters.
Certificate – Select the server certificate for VPN SSL connections from the drop-down list. A CA and the certificates derived from it are shown as "Recommended". This means that by using the CA, several connections can be exported that only need to be defined once on the firewall. To do this, select a CA certificate under Remote Certificate in the export dialog for VPN SSL connections.
Important: The VPN certificate must be signed by the same Certificate Authority (CA) at all locations. It is therefore advisable to administer the VPN certification authority and the VPN certificates at one location and to export the VPN certificates from there to all other locations.
Connection type – Select the connection type and the role of the LANCOM R&S®Unified Firewall by clicking the appropriate radio button. You can choose from the following types:
  • Client-to-Site – A C2S connection is established (e.g. for full tunneling).
    Note: This connection type can, for example, be used with the OpenVPN client, primarily to connect mobile clients to your local network.
  • Site-to-Site (Server) – An S2S connection is established with your LANCOM R&S®Unified Firewall acting as a server.
  • Site-to-Site (Client) – An S2S connection is established with your LANCOM R&S®Unified Firewall acting as a client.
  • Bridge (Server) – A bridge server connection is established.
    Note: You can create several bridge server connections; however, all connections must use the same bridge so that, for example, several locations can be combined into one network. No other settings are required.
  • Bridge (Client) – A bridge client connection is established.
    Note: As soon as a connection has been established, an automatically generated TAP interface appears in the port list of the bridge. This TAP interface cannot be removed from the bridge, but it can be used in desktop connections like any other interface in order to define rules.

The items displayed in the settings depend on the connection type selected:

You can configure the following items for client-to-site connections:

Input box – Description
Set default gateway – Check this box to use the VPN SSL tunnel as the default route (for example, for full tunneling).
Client IP – Optional: Enter the IP address at which the client can be reached.
Additional remote networks – Specify the local networks to which the client sets up routes, in valid CIDR notation (IP address followed by a slash "/" and the number of bits in the subnet mask, e.g. 192.168.1.0/24). Click on Add to add a network to the list. You can edit or delete any entry in the list by clicking on the appropriate icon. Please refer to Icons and buttons for further information.
Important: When you edit an entry, a checkmark will appear to the right of the entry. Click the checkmark to accept the change.

For site-to-site connections where your LANCOM R&S®Unified Firewall acts as a server, you can configure the following items:

Input box – Description
Address pool – Specify the address range from which IP addresses will be used for this connection. The address range is specified in the VPN SSL settings. Please refer to VPN-SSL for further information.
Remote IP – Optional: Enter the IP address of the remote end of the connection.
Remote Networks – Specify the networks available at the remote end of the connection. Once the connection is successfully established, the server creates routes to these networks. Click on Add to add a network to the list. You can edit or delete any entry in the list by clicking on the appropriate icon. Please refer to Icons and buttons for further information.
Important: When you edit an entry, a checkmark will appear to the right of the entry. Click the checkmark to accept the change.
Additional Local Networks – Specify any additional local networks. Once the connection is successfully established, the server creates routes to these networks. Click on Add to add a network to the list. You can edit or delete any entry in the list by clicking on the appropriate icon. Please refer to Icons and buttons for further information.
Important: When you edit an entry, a checkmark will appear to the right of the entry. Click the checkmark to accept the change.

For site-to-site connections where your LANCOM R&S®Unified Firewall acts as a client, you can configure the following items:

Input box – Description
Address pool – Specify the address range from which IP addresses will be used for this connection. The address range is specified in the VPN SSL settings. Please refer to VPN-SSL for further information.
Remote Addresses – Enter the IP address at which the remote end of the connection can be reached. Click on Add to add an address to the list. If you add more than one address, an automatic failover is triggered when the first address becomes unreachable: your LANCOM R&S®Unified Firewall then tries the other addresses in the list one by one, in order, until a reachable one is found. You can edit or delete any entry in the list by clicking on the appropriate icon. Please refer to Icons and buttons for further information.
Important: When you edit an entry, a checkmark will appear to the right of the entry. Click the checkmark to accept the change.
Remote Port – Enter the port number used at the remote end of this connection.
Try establishing connection for – Specify the timeout in minutes after which no further connection attempts are made. If this option is set to 0, connection attempts continue indefinitely.

You can configure the following items for bridge-server connections:

Input box – Description
Bridge – Select a bridge from the preconfigured bridges. Please refer to VPN-SSL for further information.

You can configure the following items for bridge-client connections:

Input box – Description
Bridge – Select a bridge from the preconfigured bridges. Please refer to VPN-SSL for further information.
Remote Addresses – Enter the IP address at which the remote end of the connection can be reached. Click on Add to add an address to the list. If you add more than one address, an automatic failover is triggered when the first address becomes unreachable: your LANCOM R&S®Unified Firewall then tries the other addresses in the list one by one, in order, until a reachable one is found. You can edit or delete any entry in the list by clicking on the appropriate icon. Please refer to Icons and buttons for further information.
Important: When you edit an entry, a checkmark will appear to the right of the entry. Click the checkmark to accept the change.
Remote Port – Enter the port number used at the remote end of this connection.
Try establishing connection for – Specify the timeout in minutes after which no further connection attempts are made. If this option is set to 0, connection attempts continue indefinitely.
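Added example, not code from LANCOM or from this documentation: a small Python validator for the entries described in the tables above, i.e. the CIDR notation required for Additional remote networks, Remote Networks and Additional Local Networks, the failover order of the Remote Addresses list, and the 0-means-unlimited semantics of Try establishing connection for. All address values are constructed; the check that a network must not overlap the address pool or another entry is an assumed sanity check, not a rule the page states.

```python
import ipaddress
from typing import List, Optional, Set

def parse_cidr(text: str):
    """Parse 'address/bits' strictly, as the tables require: an entry with host
    bits set (e.g. 192.168.1.1/24) is rejected, not silently normalised."""
    try:
        return ipaddress.ip_network(text, strict=True)
    except ValueError:
        return None

def validate_networks(pool: str, networks: List[str]) -> List[str]:
    """Check Remote Networks / Additional Local Networks entries against the
    VPN SSL address pool. Overlap with the pool or with another entry is flagged;
    that overlap check is an assumed sanity check, not a rule stated on the page."""
    pool_net = parse_cidr(pool)
    if pool_net is None:
        return [f"address pool {pool!r} is not valid CIDR notation"]
    problems, seen = [], []
    for entry in networks:
        net = parse_cidr(entry)
        if net is None:
            problems.append(f"{entry!r} is not valid CIDR notation")
            continue
        if net.overlaps(pool_net):
            problems.append(f"{entry} overlaps the address pool {pool}")
        if any(net.overlaps(other) for other in seen):
            problems.append(f"{entry} overlaps another entry in the list")
        seen.append(net)
    return problems

def next_remote(remotes: List[str], unreachable: Set[str]) -> Optional[str]:
    """Failover as described for Remote Addresses: walk the list in the order it
    was entered and return the first address not known to be unreachable."""
    for addr in remotes:
        if addr not in unreachable:
            return addr
    return None

def may_retry(timeout_minutes: int, elapsed_minutes: float) -> bool:
    """'Try establishing connection for': attempts stop once the timeout (in
    minutes) has elapsed, except that 0 means keep trying without limit."""
    return timeout_minutes == 0 or elapsed_minutes < timeout_minutes

if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    print(validate_networks("10.8.0.0/24", ["192.168.1.0/24", "10.8.0.128/25", "10.0.0.1/8"]))
    print(next_remote(["203.0.113.10", "203.0.113.11"], unreachable={"203.0.113.10"}))
    print(may_retry(0, 600), may_retry(15, 20))
```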

The buttons available at the bottom right of the edit box depend on whether you are adding a new VPN SSL connection or editing an existing connection. For a new connection, click Create to add the connection to the list of available VPN SSL connections, or Cancel to discard your changes.

If you have made changes, you can use the buttons at the bottom right of the edit window to save them (Save) or discard them (Reset). Otherwise you can close the window (Close).

Click Activate in the toolbar at the top of the desktop to apply your configuration changes.

www.lancom-systems.com

LANCOM Systems GmbH | Adenauerstr. 20/B2 | 52146 Wuerselen | Germany | E-Mail info@lancom.de
