Tutorial: Setting up a certificate-based IKEv2 VPN connection (digital signature)

Initial situation: Two LANCOM routers connect to each other over a WAN connection. You want them to communicate securely with one another using a certificate-based IKEv2 VPN connection. Routers suitable for this purpose include LANCOM central-site gateways, WLAN controllers or LANCOM routers with an activated VPN 25 Option (when using the Smart Certificate feature).

Note: We assume that a WAN connection exists between the two devices.
Note: Certificates have already been created for the LANCOM routers.
  1. Enable the CA function in the LANCOM router at the headquarters:
    Note: In this example configuration, the LANCOM router at the headquarters acts as the CA for creating the certificates (Smart Certificate feature). If you wish to use certificates from another CA, you do not have to use the CA in the LANCOM router and you can skip this step of the configuration.
    1. In LANconfig, open the configuration dialog for the LANCOM router at the headquarters and switch to the menu item Certificates > Cert. authority (CA).
    2. Set a check mark for the option Certificate authority (CA) active. The LANCOM router functions as the root certificate authority (root CA).
      Note: For this configuration example we leave all of the other parameters with their preset values.
  2. Uploading certificates to the LANCOM routers:
    1. Right-click on each of the LANCOM routers in LANconfig and select the option Configuration management > Upload certificate or file.
    2. In the following dialog, select the certificate file intended for this LANCOM router.
    3. In the certificate type field, select a VPN container.
    4. In the Cert. password box, enter the password that protects the certificate file (the container holds the private key, so it is only accepted with the correct password). Click on Open to start the upload.
  3. Configure the certificate-based VPN connection on the LANCOM router at the headquarters:
    1. Start the Setup Wizard in LANconfig and select the option Connect two local area networks (VPN).
    2. Now create an IKEv2-VPN connection.
    3. In this example, we do not use IPSec-over-HTTPS.
    4. Enter a name for the LANCOM router at the remote site.
    5. Enter placeholder values in the two authentication dialogs that follow; they are replaced later in the LANCOM router configuration by the certificate authentication parameters.
    6. Since the LANCOM router at the headquarters accepts the incoming VPN connection, no gateway address is required. Specify the local network that is to be reached at the remote site.
    7. Click on Finish to exit the setup wizard and write the configuration back to the LANCOM router.
    8. Open the LANCOM router configuration in LANconfig and navigate to VPN > IKEv2/IPSec > Authentication.
    9. Select the entry for the VPN connection created by the wizard (in this case: OFFICE).
    10. Set both the local and the remote authentication to Digital signature, and set both identity types to ASN.1 Distinguished Name. The authentication method must be the same on both routers, otherwise the IKE_AUTH exchange fails.
    11. As the local identity, enter the subject distinguished name (DN) of the certificate uploaded to the LANCOM router at the headquarters, exactly as it appears in the certificate.
    12. As the remote identity, enter the subject DN of the certificate uploaded to the LANCOM router at the branch office.
    13. Write the configuration back to the LANCOM router at the headquarters.
  4. Configure the certificate-based VPN connection on the LANCOM router at the branch office
    1. Start the Setup Wizard in LANconfig and select the option Connect two local area networks (VPN).
    2. Now create an IKEv2-VPN connection.
    3. In this example, we do not use IPSec-over-HTTPS.
    4. Enter a name for the LANCOM router at the remote site.
    5. Enter placeholder values in the two authentication dialogs that follow; they are replaced later in the LANCOM router configuration by the certificate authentication parameters.
    6. The LANCOM router at the branch office is the one that establishes the VPN connection.
    7. Since the LANCOM router at the branch office establishes the VPN connection, enter the WAN address or host name of the headquarters router as the gateway.
    8. Specify the local network that is to be reached at the remote site.
    9. Click on Finish to exit the setup wizard and write the configuration back to the LANCOM router.
    10. Open the LANCOM router configuration in LANconfig and navigate to VPN > IKEv2/IPSec > Authentication.
    11. Select the entry for the VPN connection created by the wizard (in this case: HEADQUARTERS).
    12. Set both the local and the remote authentication to Digital signature (the same method as on the headquarters router), and set both identity types to ASN.1 Distinguished Name.
    13. As the local identity, enter the subject distinguished name (DN) of the certificate uploaded to the LANCOM router at the branch office, exactly as it appears in the certificate.
    14. As the remote identity, enter the subject DN of the certificate uploaded to the LANCOM router at the headquarters.
    15. Write the configuration back to the LANCOM router at the branch office.
    The certificate-based IKEv2 VPN connection to the headquarters will now be established; the connection status can be checked in LANmonitor. If the connection is not established, the usual causes are a local or remote identity that does not match the subject DN of the peer's certificate character for character, differing authentication methods on the two routers, or a container that was uploaded without the CA certificate needed to verify the peer.
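
The tutorial assumes the router certificates already exist and notes that they may come from a CA other than the headquarters router. The following OpenSSL script is an added example, not LANCOM code: it builds a small PKI of that kind (one root CA, one certificate per router, each packed with its private key and the CA certificate into a password-protected PKCS#12 container of the kind uploaded in step 2), prints the subject DN string that has to be entered verbatim as local identity on each router and as remote identity on its peer, and checks that each router certificate chains to the CA, which is the verification the peer performs during IKE_AUTH. The CA name, router names, container passwords and working directory are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not part of the LANCOM tutorial: a two-tier PKI for a
# certificate-based IKEv2 site-to-site VPN, built with OpenSSL.
# Names, subjects, passwords and WORKDIR are assumptions for this example.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CA_SUBJ="/CN=Example VPN CA/O=Example"

# make_ca: self-signed root CA. This is the role the headquarters router
# plays when its own CA function is enabled; use this instead when the
# certificates are to come from a CA outside the router.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "$CA_SUBJ" \
        -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# make_router_cert NAME SUBJECT PASSWORD: generate a key and CSR, sign the
# CSR with the CA (end-entity certificate, signing key usage only), then pack
# key, certificate and CA certificate into NAME.p12 protected by PASSWORD.
make_router_cert() {
    name="$1"; subj="$2"; pass="$3"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$subj" \
        -keyout "$WORKDIR/$name.key" -out "$WORKDIR/$name.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\n' \
        > "$WORKDIR/$name.ext"
    openssl x509 -req -sha256 -days 730 -in "$WORKDIR/$name.csr" \
        -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
        -extfile "$WORKDIR/$name.ext" -out "$WORKDIR/$name.crt" 2>/dev/null
    openssl pkcs12 -export -in "$WORKDIR/$name.crt" -inkey "$WORKDIR/$name.key" \
        -certfile "$WORKDIR/ca.crt" -name "$name" -passout "pass:$pass" \
        -out "$WORKDIR/$name.p12"
}

# cert_dn NAME: the certificate's subject DN in slash-separated form. This
# exact string is the ASN.1 Distinguished Name identity: local identity on
# the router that owns the certificate, remote identity on its peer.
cert_dn() {
    openssl x509 -in "$WORKDIR/$1.crt" -noout -subject -nameopt compat \
        | sed 's/^subject= *//'
}

# verify_chain NAME: returns 0 if NAME.crt chains to the CA, 1 otherwise
# (the check a peer performs on the certificate presented in IKE_AUTH).
verify_chain() {
    openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/$1.crt" >/dev/null 2>&1
}

# p12_opens NAME PASSWORD: returns 0 if the container opens with PASSWORD,
# 1 otherwise (the password asked for when the container is uploaded).
p12_opens() {
    openssl pkcs12 -in "$WORKDIR/$1.p12" -passin "pass:$2" -noout >/dev/null 2>&1
}

make_ca
make_router_cert headquarters "/CN=HEADQUARTERS/O=Example" "hq-container-secret"
make_router_cert office       "/CN=OFFICE/O=Example"       "office-container-secret"
echo "Headquarters identity: $(cert_dn headquarters)"
echo "Office identity:       $(cert_dn office)"
echo "Containers written to $WORKDIR"
```

The two printed identity strings are what steps 3.11/3.12 and 4.13/4.14 ask for, crossed over: the headquarters DN is the local identity on the headquarters router and the remote identity on the branch office router, and vice versa. Because each container also carries the CA certificate, both routers can verify the peer's certificate; a container packed without `-certfile` leaves the peer unverifiable even though the identities match.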

www.lancom-systems.com

LANCOM Systems GmbH | A Rohde & Schwarz Company | Adenauerstr. 20/B2 | 52146 Wuerselen | Germany | E‑Mail info@lancom.de