LCOS allows the IKEv2 authorization and accounting of VPN peers to be handled by an external RADIUS server. The management of VPN clients for dynamic IKEv2 load balancing is also implemented via RADIUS.
In medium- to large-scale VPN scenarios, the VPN configuration tables are generally large and complex. If multiple VPN gateways are operated for redundancy, the configuration must be identical on all of them.
Operating a central RADIUS server allows the VPN parameters on the VPN gateways to be outsourced almost completely to one or more RADIUS servers. When a device receives an incoming connection from a VPN peer, it attempts to authenticate the connection via RADIUS and to retrieve the other necessary connection parameters, such as VPN network relationships, the CFG-mode address or the DNS server, from the RADIUS server. The RADIUS server does not itself authenticate the user by user name and password; instead, it returns the correct password for the requested user to the VPN gateway, which then authenticates the peer. The VPN gateway sets up the tunnel, and the RADIUS server can supply further attributes for the VPN tunnel.
The VPN configuration may be retrieved from the RADIUS server either completely or only partially, in which case it is combined with locally stored parameters. This mechanism works for incoming connections only.
Optional RADIUS accounting allows information about VPN connections to be stored centrally on a RADIUS server, such as the duration of the connection to the client, the time the connection was established, and the transmitted data volume.
The RADIUS server is configured in LANconfig under
RADIUS authentication
When authenticating a VPN peer, the LANCOM gateway transmits the following RADIUS attributes to the RADIUS server in the Access-Request:
ID | Name | Meaning |
---|---|---|
1 | User-Name | The remote ID of the VPN peer sent in the AUTH negotiation with the LANCOM gateway. |
2 | User-Password | The dummy password that is configured in LANconfig under . |
4 | NAS-IP-Address | Specifies the IPv4 address of the gateway that is requesting access for a user. In the case of an IPv6 connection, the gateway transmits attribute 95 instead (see below). |
6 | Service-Type | The service type is always value 5, which RADIUS dictionaries name "Outbound" or "Dialout-Framed-User". |
31 | Calling-Station-Id | Specifies the identifier (as an IPv4 or IPv6 address) of the calling station (e.g. the VPN client). |
95 | NAS-IPv6-Address | Specifies the IPv6 address of the gateway that is requesting access for a user. In the case of an IPv4 connection, the gateway transmits attribute 4 instead (see above). |
Of the attributes contained in the Access-Accept response from the RADIUS server, the LANCOM gateway evaluates the following standard and vendor-specific attributes:
ID | Name | Meaning |
---|---|---|
8 | Framed-IP-Address | IPv4 address for the client (in IKE CFG-mode "Server"). |
22 | Framed-Route | IPv4 routes that are entered into the routing table on the VPN gateway in the direction of the client (next hop: client). Format (string): `<Prefix> [ifc=<destination interface>] [rtg_tag=<routing tag>] [admin_distance=<distance>]` |
69 | Tunnel-Password | Sets the passwords of the local and remote identity to the same value when symmetric PSKs are used. |
88 | Framed-Pool | Name of the IPv4 address pool from which the client obtains its IP address and the DNS server. Note: the values in "Framed-IP-Address" and "LCS-DNS-Server-IPv4-Address" take precedence over this attribute. |
99 | Framed-IPv6-Route | IPv6 routes that are entered into the routing table on the VPN gateway in the direction of the client (next hop: client). Format (string): `<Prefix> [ifc=<destination interface>] [rtg_tag=<routing tag>] [admin_distance=<distance>]` |
168 | Framed-IPv6-Address | IPv6 address for the client (in IKE CFG-mode "Server"). |
169 | DNS-Server-IPv6-Address | IPv6 DNS server for the client (in IKE CFG-mode "Server"). |
172 | Stateful-IPv6-Address-Pool | Name of the IPv6 address pool (in IKE CFG-mode "Server"). |
LANCOM 19 | LCS-IKEv2-Local-Password | Local IKEv2 PSK. |
LANCOM 20 | LCS-IKEv2-Remote-Password | Remote IKEv2 PSK. |
LANCOM 21 | LCS-DNS-Server-IPv4-Address | IPv4 DNS server for the client (in IKE CFG-mode "Server"). |
LANCOM 22 | LCS-VPN-IPv4-Rule | Contains the IPv4 network rules (examples below). |
LANCOM 23 | LCS-VPN-IPv6-Rule | Contains the IPv6 network rules (examples below). |
LANCOM 24 | LCS-Routing-Tag | Routing tag to be configured for the client (IPv4/IPv6). |
LANCOM 25 | LCS-IKEv2-IPv4-Route | Routes in prefix notation (e.g. "192.168.1.0/24") that the LANCOM gateway transfers to the client via INTERNAL_IP4_SUBNET. Multiple attributes can be evaluated. |
LANCOM 26 | LCS-IKEv2-IPv6-Route | Routes in prefix notation (e.g. "2001:db8::/64") that the LANCOM gateway transfers to the client via INTERNAL_IP6_SUBNET. Multiple attributes can be evaluated. |
LANCOM 27 | LCS-IKEv2-DNS domain | Split DNS domains (list) that the gateway transfers to the client by means of the attribute INTERNAL_DNS_DOMAIN in IKE CFG-mode "Server", e.g. mydomain.internal, example.com |
LANCOM 28 | LCS-Load-Balancer | Format (string): `<Load balancer name> [client_binding={no\|yes}]`. The load balancer name can be up to 16 characters long and specifies a load-balancing remote site on the LANCOM routers. Important: This remote site is used for dynamic IKEv2 VPN load balancing and therefore must not already be used for static load balancing under . The option "client_binding" turns client binding (see Client binding) on or off; unless otherwise specified, client binding is off. Important: The first IKEv2 VPN client to connect determines this setting; any subsequent client-binding settings for this load-balancing remote site are ignored. |
LANCOM 29 | LCS-IKEv2-Routing-Tag-List | Format (string): comma-separated list of routing tags, e.g. `0,3,7`. Contains the routing tags to be transmitted via HSVPN. |
LANCOM 30 | LCS-IKEv2-IPv4-Tagged-Route | Format (string): `<Prefix> rtg_tag=<routing tag>`. Note: several prefix/routing-tag pairs can occur in one attribute, separated by commas. |
LANCOM 31 | LCS-IKEv2-IPv6-Tagged-Route | Format (string): `<Prefix> rtg_tag=<routing tag>`. Note: several prefix/routing-tag pairs can occur in one attribute, separated by commas. |
Example: RADIUS attributes for a simple load balancer made up of IKEv2 VPN tunnels to the central site
LCS-Load-Balancer=LB1 Framed-Route=192.168.45.0/24 ifc=LB1;
Examples of network rules
The format for a network rule on the RADIUS server is <local networks> * <remote networks>.
The entries for <local networks> and <remote networks> are comma-separated lists; every local network is paired with every remote network.
- Example 1: 10.1.1.0/24,10.2.0.0/16 * 172.32.0.0/12
  The result is the following network rules:
  - 10.2.0.0/255.255.0.0 <-> 172.16.200.0/255.255.255.255
  - 10.1.1.0/255.255.255.0 <-> 172.16.200.0/255.255.255.255
- Example 2: 10.1.1.0/24 * 0.0.0.0/0
  This results in the following network rule:
  - 10.1.1.0/255.255.255.0 <-> 0.0.0.0/0.0.0.0
- Example 3: 2001:db8:1::/48 * 2001:db8:6::/48
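The attribute formats above (Framed-Route and the tagged-route strings, LCS-Load-Balancer, and the `<local networks> * <remote networks>` rule syntax) are easy to get subtly wrong on the RADIUS side, and a gateway that silently accepts a malformed value may install the wrong route or network relationship. The following added example (not LCOS code, and not a LANCOM tool) is a small Python validator that parses those strings strictly and expands a network rule into its pairwise relationships, rendering IPv4 results as address/netmask and IPv6 results in prefix notation. Function names and the sample values are assumptions of this example; it rejects prefixes with host bits set, unknown options, and rules that mix IPv4 and IPv6.

```python
import ipaddress
from itertools import product

# Allowed options in Framed-Route / Framed-IPv6-Route / LCS-IKEv2-*-Tagged-Route
# strings, with the Python type each value is converted to.
ROUTE_OPTIONS = {"ifc": str, "rtg_tag": int, "admin_distance": int}


def parse_route_attribute(value):
    """Parse '<Prefix> [ifc=<iface>] [rtg_tag=<tag>] [admin_distance=<d>]'.

    Returns a dict with the prefix as an ip_network object plus any options
    present. Unknown options and malformed prefixes raise ValueError so that a
    bad RADIUS reply is rejected instead of silently installing a route.
    """
    tokens = value.split()
    if not tokens:
        raise ValueError("empty route attribute")
    route = {"prefix": ipaddress.ip_network(tokens[0])}  # strict: host bits must be zero
    for token in tokens[1:]:
        key, sep, raw = token.partition("=")
        if not sep or key not in ROUTE_OPTIONS:
            raise ValueError(f"unknown route option {token!r}")
        route[key] = ROUTE_OPTIONS[key](raw)
    return route


def parse_tagged_routes(value):
    """LCS-IKEv2-IPv4/IPv6-Tagged-Route: comma-separated '<Prefix> rtg_tag=<tag>' entries."""
    routes = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        route = parse_route_attribute(entry)
        if "rtg_tag" not in route:
            raise ValueError(f"tagged route {entry!r} has no rtg_tag")
        routes.append(route)
    return routes


def parse_load_balancer(value):
    """LCS-Load-Balancer: '<Load balancer name> [client_binding={no|yes}]'."""
    tokens = value.split()
    if not tokens or len(tokens[0]) > 16:
        raise ValueError("load balancer name missing or longer than 16 characters")
    result = {"name": tokens[0], "client_binding": False}  # off unless specified
    for token in tokens[1:]:
        key, _, raw = token.partition("=")
        if key != "client_binding" or raw not in ("yes", "no"):
            raise ValueError(f"unexpected load balancer option {token!r}")
        result["client_binding"] = raw == "yes"
    return result


def _render(net):
    """IPv4 relationships are shown as address/netmask, IPv6 ones in prefix notation."""
    if net.version == 4:
        return f"{net.network_address}/{net.netmask}"
    return net.with_prefixlen


def expand_network_rule(rule):
    """Expand '<local networks> * <remote networks>' into one rule per local/remote pair."""
    local_part, star, remote_part = rule.partition("*")
    if not star:
        raise ValueError("network rule needs '*' between local and remote networks")
    local_nets = [ipaddress.ip_network(n.strip()) for n in local_part.split(",") if n.strip()]
    remote_nets = [ipaddress.ip_network(n.strip()) for n in remote_part.split(",") if n.strip()]
    if not local_nets or not remote_nets:
        raise ValueError("both sides of the rule need at least one network")
    if len({n.version for n in local_nets + remote_nets}) != 1:
        raise ValueError("IPv4 and IPv6 networks must not be mixed in one rule")
    return [f"{_render(l)} <-> {_render(r)}" for l, r in product(local_nets, remote_nets)]


if __name__ == "__main__":
    # Constructed sample values in the formats documented above.
    print(parse_route_attribute("192.168.45.0/24 ifc=LB1"))
    print(parse_tagged_routes("10.10.0.0/16 rtg_tag=3, 10.20.0.0/16 rtg_tag=7"))
    print(parse_load_balancer("LB1 client_binding=yes"))
    for rule in ("10.1.1.0/24,10.2.0.0/16 * 172.32.0.0/12", "2001:db8:1::/48 * 2001:db8:6::/48"):
        print(rule, "->", expand_network_rule(rule))
```

Running the validator against the reply attributes of a RADIUS user profile before rolling it out catches the typical mistakes (a misaligned prefix, a misspelled option such as `rtgtag=`, a load balancer name longer than 16 characters) on the server side, where they are cheap to fix.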
RADIUS accounting
The LANCOM gateway counts the transmitted data packets and octets and reports them in regular Accounting-Request messages to the RADIUS accounting server, which answers each with an Accounting-Response message.
The Accounting-Request messages have the following status types:
- Start: As soon as a VPN peer contacts the LANCOM gateway, the gateway starts an accounting session for the IKEv2 connection and sends a Start status message with the appropriate RADIUS attributes to the RADIUS accounting server.
- Interim-Update: During an ongoing accounting session, the gateway sends Interim-Update status messages at the specified time interval to the RADIUS accounting server that gave a valid response to the Start status message. Any configured backup servers are ignored.
- Stop: After the end of a session, the LANCOM gateway sends a Stop status message to the RADIUS accounting server. This message, too, is sent only to the RADIUS accounting server that gave a valid response to the Start status message; any configured backup servers are ignored.
In the Accounting-Request messages, the gateway transmits the following RADIUS attributes to the RADIUS accounting server:
ID | Name | Meaning | Status-Type |
---|---|---|---|
1 | User-Name | The remote ID of the VPN peer sent in the AUTH negotiation with the LANCOM gateway. | |
4 | NAS-IP-Address | Specifies the IPv4 address of the gateway that is requesting access for a user. In the case of an IPv6 connection, the gateway transmits attribute 95 instead (see below). | |
8 | Framed-IP-Address | IPv4 address of the VPN client. | |
31 | Calling-Station-Id | Specifies the identifier (as an IPv4 or IPv6 address) of the calling station (e.g. the VPN client). | |
32 | NAS-Identifier | The device name of the gateway. | |
40 | Acct-Status-Type | Contains the status type "Start" (1). | Start |
40 | Acct-Status-Type | Contains the status type "Interim-Update" (3). | Interim-Update |
40 | Acct-Status-Type | Contains the status type "Stop" (2). | Stop |
42 | Acct-Input-Octets | Contains the number of octets received from the direction of the VPN peer. The value refers to the decrypted data, starting with the IP header. | |
43 | Acct-Output-Octets | Contains the number of octets sent to the VPN peer. The value refers to the decrypted data, starting with the IP header. | |
44 | Acct-Session-Id | The name of the VPN peer and the timestamp at the start of the session form the unique session ID. | |
46 | Acct-Session-Time | Contains the elapsed time in seconds since the start of the session. | |
47 | Acct-Input-Packets | Contains the current number of data packets received from the direction of the VPN peer. | |
48 | Acct-Output-Packets | Contains the current number of data packets sent to the VPN peer. | |
49 | Acct-Terminate-Cause | Contains the reason for terminating the session. | |
52 | Acct-Input-Gigawords | Contains the number of gigawords received from the direction of the VPN peer. The value refers to the decrypted data, starting with the IP header. | |
53 | Acct-Output-Gigawords | Contains the number of gigawords sent to the VPN peer. The value refers to the decrypted data, starting with the IP header. | |
95 | NAS-IPv6-Address | Specifies the IPv6 address of the gateway that is requesting access for a user. In the case of an IPv4 connection, the gateway transmits attribute 4 instead (see above). | |
168 | Framed-IPv6-Address | IPv6 address of the VPN client. | |
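The accounting attributes above only become useful once the Start, Interim-Update and Stop messages of a session are correlated by Acct-Session-Id and the 32-bit octet counters are combined with their Gigawords counterparts (each gigaword stands for one 2^32 wrap of the octet counter). The following added example, which is not LCOS code, does that aggregation over a constructed list of decoded Accounting-Request attribute dicts, reports sessions that have a Start but no Stop yet (either still up, or the Stop never reached the server), and flags an update whose counters are lower than the previous one. Attribute names follow the table; the sample peer names, timestamps and counter values are constructed.

```python
# RFC 2869: the Gigawords attributes count how many times the 32-bit
# Acct-Input-Octets / Acct-Output-Octets counters have wrapped.
GIGAWORD = 1 << 32

# Acct-Status-Type values used in the Accounting-Request messages above.
STATUS_NAMES = {1: "Start", 2: "Stop", 3: "Interim-Update"}


def total_octets(attrs, direction):
    """Combine the 32-bit octet counter with its gigawords counter ('Input' or 'Output')."""
    octets = attrs.get(f"Acct-{direction}-Octets", 0)
    gigawords = attrs.get(f"Acct-{direction}-Gigawords", 0)
    if not 0 <= octets < GIGAWORD:
        raise ValueError(f"Acct-{direction}-Octets is not a 32-bit counter")
    return gigawords * GIGAWORD + octets


def summarize_sessions(requests):
    """Fold Accounting-Request attribute dicts into per-session summaries keyed by Acct-Session-Id.

    Each request is a dict of already decoded attributes, as a RADIUS server
    module or packet decoder would hand them over (assumption of this example).
    """
    sessions = {}
    for req in requests:
        status = STATUS_NAMES.get(req["Acct-Status-Type"])
        if status is None:
            raise ValueError(f"unexpected Acct-Status-Type {req['Acct-Status-Type']}")
        s = sessions.setdefault(req["Acct-Session-Id"], {
            "user": req["User-Name"],
            "gateway": req.get("NAS-Identifier"),
            "started": False,
            "stopped": False,
            "session_time": 0,
            "input_octets": 0,
            "output_octets": 0,
            "terminate_cause": None,
            "counter_regression": False,  # set if a later update reports less traffic
        })
        if status == "Start":
            s["started"] = True
            continue
        new_in, new_out = total_octets(req, "Input"), total_octets(req, "Output")
        if new_in < s["input_octets"] or new_out < s["output_octets"]:
            s["counter_regression"] = True
        s["input_octets"], s["output_octets"] = new_in, new_out
        s["session_time"] = req.get("Acct-Session-Time", s["session_time"])
        if status == "Stop":
            s["stopped"] = True
            s["terminate_cause"] = req.get("Acct-Terminate-Cause")
    return sessions


def open_sessions(sessions):
    """Session IDs that received a Start but no Stop (still up, or the Stop was lost)."""
    return sorted(sid for sid, s in sessions.items() if s["started"] and not s["stopped"])


# Constructed sample: two IKEv2 peers on one gateway, one of which has not sent a Stop yet.
# Session IDs follow the documented scheme (peer name plus start timestamp).
SAMPLE_REQUESTS = [
    {"User-Name": "branch-1", "NAS-Identifier": "VPN-GW-1", "Acct-Session-Id": "branch-1@1700000000",
     "Acct-Status-Type": 1, "Framed-IP-Address": "10.100.0.5"},
    {"User-Name": "branch-2", "NAS-Identifier": "VPN-GW-1", "Acct-Session-Id": "branch-2@1700000010",
     "Acct-Status-Type": 1, "Framed-IP-Address": "10.100.0.6"},
    {"User-Name": "branch-1", "NAS-Identifier": "VPN-GW-1", "Acct-Session-Id": "branch-1@1700000000",
     "Acct-Status-Type": 3, "Acct-Session-Time": 600,
     "Acct-Input-Octets": 4000000000, "Acct-Output-Octets": 25000},
    {"User-Name": "branch-2", "NAS-Identifier": "VPN-GW-1", "Acct-Session-Id": "branch-2@1700000010",
     "Acct-Status-Type": 3, "Acct-Session-Time": 590,
     "Acct-Input-Octets": 1500, "Acct-Output-Octets": 900},
    # The input counter wrapped once since the Interim-Update, so Acct-Input-Gigawords is 1.
    {"User-Name": "branch-1", "NAS-Identifier": "VPN-GW-1", "Acct-Session-Id": "branch-1@1700000000",
     "Acct-Status-Type": 2, "Acct-Session-Time": 3600, "Acct-Terminate-Cause": 1,
     "Acct-Input-Octets": 123456, "Acct-Input-Gigawords": 1, "Acct-Output-Octets": 50000},
]


if __name__ == "__main__":
    summary = summarize_sessions(SAMPLE_REQUESTS)
    for sid, s in summary.items():
        print(sid, s)
    print("open sessions:", open_sessions(summary))
```

Because the gateway sends Interim-Update and Stop messages only to the server that answered the Start, a session whose Start landed on a backup server will never be completed on the primary; the `open_sessions` list makes such gaps visible when the accounting data is reviewed.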