Templates

Connection templates are useful for pre-defining values for connections that are commonly used. Except for the template name, all values are optional and populate the various fields of a VPN connection created using this template.

Various templates have been predefined, such as the template "LANCOM Advanced VPN Client" to simplify IPSec connections with this client. The template "(empty)" is used if the values of an existing connection should be deleted.

Important: The predefined templates cannot be edited or deleted.

Under VPN > IPSec > Templates you can open the window IPSec connection template. Use the IPSec connection template window to view and configure the following information:

Table 1. IPSec connection template
Input box – Description
Name – Give the template a descriptive name.
Security profile – Select one of the predefined security profiles.

On the Connection tab you can configure the presets for the following fields:

Table 2. Connection
Input box – Description
Connection – Optionally select a network or Internet connection; its IP addresses are then used for the IPSec connection.
Listening IP addresses – As an alternative to Connection, you can also enter user-specified IP addresses. If IP addresses are entered here, the Connection setting is ignored. If neither Connection nor Listening IP addresses are set, the IPSec service automatically uses one of the configured IP addresses of all connections.
Remote gateways – This address or list of addresses is required by the Initiate connection option in order to determine the address of the remote site.
Initiate connection – The firewall connects to the address specified in the Remote gateways field.
Force NAT-T – NAT-T is usually enabled automatically if the connection requires it. If that mechanism fails, this option forces the use of NAT-T on the connection.

On the Tunnels tab you can configure the presets for the following fields:

Table 3. Tunnel
Input box – Description
Local networks – Local networks to be connected to the remote site.
Remote networks – Remote networks to be connected to the local networks.
Important: All of the configured local networks are connected to all of the configured remote networks. For IKEv1 connections and IKEv2 connections with the option IKEv2 compatibility mode enabled, the maximum number of combinations is limited to 25. There is no limit for IKEv2 with the option IKEv2 compatibility mode disabled.
Virtual IP pool – The remote site is assigned an IP address from the configured IP pool.
IKEv2 compatibility mode – Instead of sending all configured local and remote networks through a single tunnel, a separate tunnel is created for each pair of a local and a remote network (as with IKEv1). This option only applies to IKEv2 connections.
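The Tunnel table states two things a practitioner will want to verify before saving a template: every local network is paired with every remote network (so the tunnel count is the full cross product, capped at 25 for IKEv1 and for IKEv2 in compatibility mode), and networks that overlap other networks defined on the device are the case in which the Routing tab recommends route-based IPsec. The following script is an added example for this page, not code from LANCOM or the firewall; the function names, the constructed sample networks and the assumption that each local/remote pair becomes one tunnel in compatibility mode are its own.

```python
"""Pre-deployment check for the Local networks / Remote networks fields.
Added example for this page; not part of the LANCOM firewall or its documentation."""
import ipaddress
from itertools import product
from typing import Dict, List, Sequence, Tuple

# Limit stated in the Tunnel table for IKEv1 and for IKEv2 with compatibility mode enabled.
MAX_NETWORK_COMBINATIONS = 25


def tunnel_pairs(local: Sequence[str], remote: Sequence[str]) -> List[Tuple[str, str]]:
    """Every configured local network is connected to every configured remote network,
    so the number of tunnels (IKEv1 / compatibility mode) is the full cross product."""
    locals_ = [ipaddress.ip_network(n, strict=False) for n in local]
    remotes = [ipaddress.ip_network(n, strict=False) for n in remote]
    return [(str(a), str(b)) for a, b in product(locals_, remotes)]


def combination_limit_applies(ikev2: bool, compat_mode: bool) -> bool:
    """The 25-combination limit applies to IKEv1 always and to IKEv2 only with
    IKEv2 compatibility mode enabled."""
    return (not ikev2) or compat_mode


def find_overlaps(tunnel_networks: Sequence[str],
                  device_networks: Sequence[str]) -> List[Tuple[str, str]]:
    """Return (tunnel network, device network) pairs whose address ranges overlap.
    The Routing table names this situation as the case for route-based IPsec."""
    hits = []
    for t in tunnel_networks:
        tn = ipaddress.ip_network(t, strict=False)
        for d in device_networks:
            dn = ipaddress.ip_network(d, strict=False)
            if tn.version == dn.version and tn.overlaps(dn):
                hits.append((str(tn), str(dn)))
    return hits


def validate_tunnel_fields(local: Sequence[str], remote: Sequence[str],
                           device_networks: Sequence[str],
                           ikev2: bool, compat_mode: bool) -> Dict[str, object]:
    """Summarise the checks a template author would run before clicking Create."""
    pairs = tunnel_pairs(local, remote)
    limited = combination_limit_applies(ikev2, compat_mode)
    return {
        "pairs": len(pairs),
        "limit_applies": limited,
        "too_many_pairs": limited and len(pairs) > MAX_NETWORK_COMBINATIONS,
        "overlaps": find_overlaps(list(local) + list(remote), device_networks),
    }


if __name__ == "__main__":
    # Constructed sample: 3 local x 9 remote networks = 27 pairs, one local network
    # overlapping a /16 already defined on the device (hypothetical values).
    local = ["10.1.5.0/24", "10.2.0.0/24", "10.3.0.0/24"]
    remote = [f"192.168.{i}.0/24" for i in range(1, 10)]
    device = ["10.1.0.0/16", "172.16.0.0/12"]
    for ikev2, compat in ((False, False), (True, True), (True, False)):
        result = validate_tunnel_fields(local, remote, device, ikev2, compat)
        print(f"IKEv2={ikev2} compat={compat}: {result}")
```

With IKEv1 or IKEv2 compatibility mode the sample reports 27 pairs and flags the limit; with plain IKEv2 the same networks pass, and the overlap between 10.1.5.0/24 and the device's 10.1.0.0/16 is reported in every case.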

On the Authentication tab you can configure the presets for the following fields:

Table 4. Authentication
Input box – Description
Authentication type – Specify the authentication type. Possible values:
  • Certificate – authentication is based on a local and a remote certificate.
  • Certificate Authority – authentication is performed through a local and a remote certificate signed by the selected CA.
  • PSK (preshared key) – authentication is based on the entry of a password.
  • LTA – in LANCOM Trusted Access mode, a client certificate is always expected and the groups of the connecting user are read from this client certificate in order to activate the matching rules.
PSK (preshared key) – Only with authentication type PSK (preshared key): specify the required password here.
Local certificate – The certificate of the firewall for authentication. This must contain a private key.
Local identifier – If this field is empty, PSK authentication automatically uses the outgoing IP address of the firewall, and certificate authentication uses the distinguished name (DN) of the selected local certificate.
  • For PSK authentication, the following values are allowed: IP addresses, fully qualified domain names (FQDN), e-mail addresses (FQUN), and free text between quotation marks (").
  • For certificate authentication, the following values are allowed: the distinguished name (DN) of the selected certificate; a wildcard DN, in which all DN items must be present (in the correct order) but any item may be specified as a wildcard (e.g. CN=*); or any of the subject alternative names (SAN) of the selected certificate.
Extended authentication – Enables the optional use of additional user authentication. Once you have selected a security profile, you have the following options:
  • No Extended Authentication – Do not perform extended authentication.
  • XAUTH (IKEv1) – Either the local user database or a RADIUS server is used (depending on whether RADIUS is enabled in the IPsec settings).
  • EAP First Round – This uses an external RADIUS server, which must be enabled in the IPsec settings. The RADIUS server is configured in the IPsec settings. The settings in the Local section are used to authenticate the firewall at the remote site. The remote site authenticates via EAP only.
  • EAP Second Round – This uses an external RADIUS server, which must be enabled in the IPsec settings. The RADIUS server is configured in the IPsec settings. The settings in the Local section are used to authenticate the firewall at the remote site. The remote site uses PSK or a certificate to authenticate at the firewall and then performs an EAP authentication.
  • EAP-TLS – Corresponds to the EAP First Round variant, with the difference that a TLS certificate is used for EAP authentication.
Note:
  • With IKEv1, the options No Extended Authentication and XAUTH (IKEv1) are available irrespective of the authentication type.
  • For IKEv2 with certificate or PSK authentication, all of the options are available except for XAUTH (IKEv1).
  • For IKEv2 with CA authentication, the available options are No Extended Authentication and EAP Second Round.
Remote certificate – Only with authentication type "Certificate": certificate of the remote site.
Certificate authority – Only with authentication type "Certificate Authority": a CA whose signed certificates can be used for authentication.
Remote identifier – If this field is empty, PSK authentication automatically uses the IP address of the remote gateway (if set), and certificate authentication uses the distinguished name (DN) of the selected remote certificate.
  • For PSK authentication, the following values are allowed: IP addresses, fully qualified domain names (FQDN), e-mail addresses (FQUN), and free text between quotation marks (").
  • For certificate authentication, the following values are allowed: the distinguished name (DN) of the selected certificate; a wildcard DN, in which all DN items must be present (in the correct order) but any item may be specified as a wildcard (e.g. CN=*); or any of the subject alternative names (SAN) of the selected certificate.
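The Local identifier and Remote identifier rows above describe the same matching rules: for PSK the identifier must be an IP address, an FQDN, an e-mail address (FQUN) or quoted free text; for certificate authentication it must be the certificate's DN, a wildcard DN (all items present, in order, any item may be "*") or one of its SANs. The script below is an added example for this page, not LANCOM code and not the firewall's own matching logic; it assumes LDAP-style comma-separated DN strings without escaped commas, a case-sensitive comparison of DN values, and that a whole-item "*" (as in the page's CN=* example) is the only wildcard form.

```python
"""Identifier checks for the Local/Remote identifier fields of an IPsec template.
Added example for this page; not part of the LANCOM firewall or its documentation."""
import ipaddress
import re
from typing import List, Tuple

DNPair = Tuple[str, str]

# Assumed identifier syntaxes (hypothetical checks, not the firewall's own validators).
_EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
_FQDN_RE = re.compile(r"(?=.{1,253}$)([A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,63}")


def parse_dn(dn: str) -> List[DNPair]:
    """Split an LDAP-style DN such as 'CN=gw, O=Example, C=DE' into ordered (type, value) pairs.
    Assumption: components are comma-separated and values contain no escaped commas."""
    pairs: List[DNPair] = []
    for component in dn.split(","):
        component = component.strip()
        if not component:
            continue
        if "=" not in component:
            raise ValueError(f"malformed DN component: {component!r}")
        attr, value = component.split("=", 1)
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def dn_matches(identifier: str, certificate_dn: str) -> bool:
    """True if the identifier equals the certificate DN or is a wildcard DN for it.
    Wildcard rule as described on the page: every DN item of the certificate must be
    present, in the same order, and an item whose value is '*' matches any value."""
    want = parse_dn(identifier)
    have = parse_dn(certificate_dn)
    if len(want) != len(have):
        return False  # an item is missing or extra
    for (w_attr, w_val), (h_attr, h_val) in zip(want, have):
        if w_attr != h_attr:
            return False  # wrong order or different attribute type
        if w_val != "*" and w_val != h_val:
            return False
    return True


def certificate_identifier_matches(identifier: str, certificate_dn: str, sans: List[str]) -> bool:
    """Certificate authentication: the identifier must be the DN, a wildcard DN, or a SAN."""
    if identifier.strip() == "":
        return True  # empty field: the firewall falls back to the DN of the selected certificate
    if any(identifier.strip().lower() == san.strip().lower() for san in sans):
        return True
    try:
        return dn_matches(identifier, certificate_dn)
    except ValueError:
        return False  # not a DN at all, and not a SAN either


def classify_psk_identifier(identifier: str) -> str:
    """Return which of the PSK identifier forms listed on the page a value is:
    'ip', 'fqdn', 'fqun' (e-mail) or 'keyid' (free text in quotation marks).
    Raises ValueError for anything that fits none of them."""
    value = identifier.strip()
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return "keyid"
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if _EMAIL_RE.fullmatch(value):
        return "fqun"
    if _FQDN_RE.fullmatch(value):
        return "fqdn"
    raise ValueError(f"not an allowed PSK identifier: {identifier!r}")


if __name__ == "__main__":
    # Constructed sample certificate (hypothetical values).
    cert_dn = "CN=vpn-gw, O=Example, C=DE"
    cert_sans = ["vpn.example.com", "vpn-admin@example.com"]
    for ident in ("CN=*, O=Example, C=DE", "CN=*, C=DE", "vpn.example.com", ""):
        print(f"{ident!r:32} -> {certificate_identifier_matches(ident, cert_dn, cert_sans)}")
    for ident in ("192.0.2.1", "vpn.example.com", "user@example.com", '"branch office 7"'):
        print(f"{ident!r:32} -> {classify_psk_identifier(ident)}")
```

The second wildcard case, CN=*, C=DE, is rejected because the O item of the certificate is missing, which is exactly the "all DN items must be present" rule the table states.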

On the Routing tab you can configure the presets for the following fields:

Table 5. Routing
Input box – Description
Route-based IPsec – With this option, which traffic is routed through a tunnel is specified precisely and exclusively by manually configured routing rules and routing tables (or their entries). This is particularly useful when the local or remote networks used on the connection overlap undesirably with other networks defined on the device. With this option enabled, the routing configuration dialogs (routing rules and tables) offer IPsec connections that have route-based IPsec enabled for selection wherever source/destination interfaces are set. They are marked with a padlock icon to make it easier to distinguish them from other interfaces.
MTU – Here you can set the MTU (Maximum Transmission Unit), i.e. the maximum size of an unfragmented data packet. The default is 1400.

On the Traffic Shaping tab you can configure the presets for the following fields:

Table 6. Traffic Shaping
Input box – Description
Traffic Group – Optionally select the name of a traffic group. The rules defined for this group are then applied to traffic on this connection. See also Traffic shaping.
Note: For a route-based IPsec tunnel, traffic within the tunnel can be prioritized using a custom shaping configuration.
Outgoing DSCP – From the list, select an optional DSCP value for outbound data traffic. The list contains the designations from the relevant RFCs (e.g. "CS0") and the group (e.g. "Default"). The value is also shown numerically in several bases (binary, hexadecimal, and decimal). The list can be searched by any of these representations, so you can quickly find the desired value regardless of your preferred representation.

Click on Create.

The IPSec connection template dialog closes. The new template is added to the list of available templates in the object bar.

www.lancom-systems.com

LANCOM Systems GmbH | Adenauerstr. 20/B2 | 52146 Wuerselen | Germany | E-Mail info@lancom.de