
How to set up a VPN connection between EAGLE20 and the LANCOM Advanced VPN Client (NCP client) ? - Knowledge Base / Products / Classic Firewalls - Belden Support Center

How to set up a VPN connection between EAGLE20 and the LANCOM Advanced VPN Client (NCP client) ?

This lesson describes how to configure a VPN using Hirschmann EAGLE20 and the LANCOM Advanced VPN Client.

Used software versions:
EAGLE20 firmware v5.2.00
Lancom Advanced VPN Client v2.30 Build 146


Network Plan

Install and start LANCOM Advanced VPN Client

The LANCOM Client, with a 30-day evaluation period, can be downloaded from http://www.lancom-systems.de
After installation, start the LANCOM VPN Client.

Import Certificates

Copy the PEM export of the CA (in our example L3CA.pem) and the PKCS#12 export of the LANCOM Client certificate (in our example LANCOM_client.p12) into the CaCerts directory:
C:\Program Files (x86)\LANCOM\Advanced VPN Client\CaCerts
Note: The file extension of the CA export must be .pem, otherwise the LANCOM Client will not find the CA.


CA Certificates

To verify that the LANCOM Client has loaded the CA, select Connection -> Certificates -> Display CA Certificates from the menu.
The distinguished name of the CA should be displayed, marked with a green checkmark.
Click Close.

Certificates Configuration

Select Configuration -> Certificates from the menu.

Certificate Selection

Highlight the Standard certificate configuration and click Edit.
Set the PKCS#12 Filename, in our example C:\Program Files (x86)\LANCOM\Advanced VPN Client\CaCerts\LANCOM_Client.p12.
Click OK.
Close the Certificates configuration window.


Creating a new profile


1. Select Configuration -> Profiles from the menu
2. Click Add / Import to create a new profile
3. Select Link to Corporate Network Using IPsec
4. Click Next

Profile Name

Enter a Profile Name
Click Next

Communication Medium


Select LAN (over IP) as the communication medium
Click Next

VPN Gateway Parameters

Enter the Gateway to which the connection should be established. This can be an IP address or a DynDNS name.


IPsec Configuration

Set the Exchange Mode to main mode (IKEv1)
Set PFS Group to DH-Group 2 (1024 Bit)
Click Next


Local Identity (IKE)

Delete the pre-shared keys
Set the Type to ASN1 Distinguished Name
Using the test certificates, copy the DN /C=DE/ST=BW/L=NT/O=HAC/CN=LANCOMClient into the ID field
Click Next


IPsec Configuration - IP Addresses

Set the IP Address Assignment to Manual IP Address.


IPsec Configuration - Split Tunneling

Define the remote IP network to be reached through the IPsec tunnel.
In our example 192.168.10.0/24.
Click Finish.


Profile Window

The new profile is created and displayed in the Profile window.
Highlight the profile and click Edit.


Profile Settings

Highlight IPsec General Settings in the left pane.
Click Policy Editor


IKE Policy Settings

Highlight RSA Signature in the IKE Policy
Click Edit


Set Encryption to AES 128 Bit.
Set Hash to SHA.
Set DH Group to DH-Group 2 (1024 Bit)

Note: The specified encryption and hash algorithms must correspond to the settings in the EAGLE20; an IKE proposal that does not match on both sides is rejected and the tunnel will not come up.


IPsec Policy Settings

Highlight the entry ESP-AES128-MD5 in the IPsec Policy tree.
Click Edit.


Change the Name to ESP-AES128-SHA.
Set Encryption to AES-128 Bit.
Set Authentication to SHA.
Click OK.
Close the IPsec Configuration window.


Select IKE and IPsec Policy

Set the IKE Policy to RSA Signature
Set the IPsec Policy to ESP-AES128-SHA


Policy Lifetimes

Click the button Policy Lifetimes.
Change the IPsec Policy Life Time to 1 hour.
Click OK.


Profile Settings - Identities

Navigate to Identities.
Select Standard certificate configuration.
Click OK.
Click OK to close the Profile Window.


LANCOM Client configured

The LANCOM Client configuration is finished.


EAGLE20 Configuration

1. Switch the EAGLE20 into router mode
2. Set the IP addresses of the internal and external interfaces accordingly.
In our example: Internal Interface 192.168.10.1/24; External Interface: 172.16.1.1/24

Starting from a default configuration the CLI commands to configure the device via serial connection are:
(Hirschmann Eagle) #network mode router
(Hirschmann Eagle) #network router param int ip-address 192.168.10.1
(Hirschmann Eagle) #network router param ext ip-address 172.16.1.1

3. Log in to the web interface of the EAGLE20 from the internal network (192.168.10.0/24)


1. Navigate in the web interface tree to Virtual Private Network -> Connections.
2. Create a new Entry.
3. Highlight the new entry and click Edit


Name the VPN connection.
Change to the next tab, Authentication.


VPN - Authentication - Import Certificate

1. Select x509rsa.
2. Click on Load PKCS#12

3. Specify the location of the AFF certificate and the password. The password of the test certificates is 'test'.

4. Click Copy from PC


Change the Remote Type to asn1dn.
Copy the distinguished name of the LANCOM Client certificate into the field Remote ID.
In our example /C=DE/ST=BW/L=NT/O=HAC/CN=LANCOMClient
Change to the next tab Certificates.


After successfully importing the certificate in the previous step, the content of the PKCS#12 file is displayed here.
Change to the next tab IKE (Key Exchange)


1. Set Startup as to responder.
2. The Lifetime should correspond to the LANCOM Client settings (8 hours), but is entered here in seconds (8 hours = 28800 seconds).
3. Set the encryption algorithms accordingly; in our example:
Key Agreement: modp1024
Hash: sha1
Integrity: hmacsha1
Encryption: aes128
4. Set the Local IP Address to 172.16.1.1
5. Set the Remote IP Address to 172.16.1.143
Change to the next tab IPsec (Data Exchange)


The Lifetime in seconds should correspond to the settings of the LANCOM Client (1 hour = 3600 seconds).
Set the encryption algorithms accordingly.
In our example:
Key Agreement: modp1024
Integrity: hmacsha1
Encryption: aes128
Change to the next tab IP Networks


1. Create a new Entry
Enter the following values:
Source Address: 192.168.10.0/24 (internal network EAGLE20)
Destination Address: 172.16.106.201/32 (virtual Address of LANCOM Client)
Policy: require (traffic is not routed if tunnel is down)
2. Click Set to write the changes on all tabs to the device
Click Back


Activate the created VPN connection.
Click Set
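The most common reason for the tunnel not coming up is a parameter that was typed differently on the two sides: the LANCOM policy editor labels algorithms and lifetimes differently from the EAGLE20 tabs (AES 128 Bit vs aes128, SHA vs sha1 plus hmacsha1, hours vs seconds), and the Remote ID must be the exact client DN. As an added example, not part of this article or of either vendor's software, the following Python check compares both sides before the connection is activated; the field names and the label mapping are assumptions of this example.

```python
# Added example (not from the Belden article or either vendor's software): a
# pre-flight check that the LANCOM profile and the EAGLE20 connection describe
# the same proposals. Field names and LANCOM_TO_EAGLE are assumptions here.
LANCOM_TO_EAGLE = {  # LANCOM policy-editor label -> EAGLE20 web-interface value
    "encryption": {"AES 128 Bit": "aes128", "AES-128 Bit": "aes128"},
    "hash": {"SHA": "sha1"},
    "integrity": {"SHA": "hmacsha1"},  # EAGLE20 lists the HMAC separately
    "dh_group": {"DH-Group 2 (1024 Bit)": "modp1024"},
}

def normalize_dn(dn):
    """'/C=DE/ST=BW/...' -> tuple of (TYPE, value), RDN order preserved."""
    rdns = []
    for part in filter(None, dn.strip().split("/")):
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().upper(), value.strip()))
    return tuple(rdns)

def check_phase(phase, lancom, eagle):
    """Return mismatch descriptions for one phase (IKE or IPsec); [] means OK."""
    findings = []
    for l_field, table, e_field in (("encryption", "encryption", "encryption"),
                                    ("hash", "hash", "hash"),
                                    ("hash", "integrity", "integrity"),
                                    ("dh_group", "dh_group", "key_agreement")):
        expected = LANCOM_TO_EAGLE[table].get(lancom.get(l_field))
        if e_field in eagle and expected != eagle[e_field]:
            findings.append(f"{phase} {e_field}: LANCOM '{lancom.get(l_field)}' "
                            f"vs EAGLE20 '{eagle[e_field]}'")
    # LANCOM shows lifetimes in hours, the EAGLE20 tabs take seconds
    if lancom["lifetime_hours"] * 3600 != eagle["lifetime_seconds"]:
        findings.append(f"{phase} lifetime: {lancom['lifetime_hours']} h vs "
                        f"{eagle['lifetime_seconds']} s")
    return findings

def check_identity(lancom_local_id, eagle_remote_type, eagle_remote_id):
    """EAGLE20 Remote ID must be the client certificate DN, typed asn1dn."""
    findings = []
    if eagle_remote_type != "asn1dn":
        findings.append(f"Remote Type is '{eagle_remote_type}', expected 'asn1dn'")
    if normalize_dn(lancom_local_id) != normalize_dn(eagle_remote_id):
        findings.append("LANCOM Local Identity DN != EAGLE20 Remote ID")
    return findings

# Constructed sample: the IKE values this article uses on both sides
LANCOM_IKE = {"encryption": "AES 128 Bit", "hash": "SHA",
              "dh_group": "DH-Group 2 (1024 Bit)", "lifetime_hours": 8}
EAGLE_IKE = {"encryption": "aes128", "hash": "sha1", "integrity": "hmacsha1",
             "key_agreement": "modp1024", "lifetime_seconds": 28800}
CLIENT_DN = "/C=DE/ST=BW/L=NT/O=HAC/CN=LANCOMClient"
```

Run `check_phase("IPsec", ...)` with the IPsec tab values as well (1 hour on the client, 3600 seconds on the EAGLE20); an empty list for each phase and for `check_identity` means the two configurations agree.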


Initialize Tunnel Setup

1. Move the Connection slider to the right to initialize the tunnel setup.
You will be prompted to enter the certificate's PIN; in our example 'test'.
2. The connection should be established successfully.


Select Log -> Logbook


In the EAGLE20 web interface navigate to Diagnostics -> Events -> Event Log.
Make sure that all events, or at least the categories IPsec and VPN, are checked, then click Show Events.