This article describes how to connect a LANCOM gateway (here a LANCOM 1783 VA) to a SwyxON UC Tenant over an IPsec VPN.
Prerequisites:
- An installed UC Tenant
- An Office configured for this UC Tenant
- A fixed public IPv4 address for the LANCOM device
- A LANCOM 1783 VA that is reachable from the internal network and has its internal and external IP addresses configured
- A rule in the company firewall that allows IKE and IPsec traffic between the LANCOM device's public address and the SwyxON datacentre endpoint: UDP port 500 (IKE), UDP port 4500 (NAT traversal) and IP protocol 50 (ESP). Restrict the rule to these two endpoints rather than opening the ports to any source.
- A company-wide route to the UC Tenant network that uses the LANCOM device's internal IP address as its gateway
LANCOM provides tools that make monitoring, debugging and configuring easier: https://www.lancom-systems.de/downloads/lancom-management-system/
We recommend using at least LANmonitor to monitor and debug the VPN connection.
Use LANconfig to configure the device; alternatively this can also be done via the web interface.
- Open LANconfig and navigate to "VPN | General" to configure the general VPN settings.
- Navigate to "VPN | General | IPv4 rules" and add a rule object (here: SWYXNET_KOMPLETT) that contains the internal customer network as the local network and the complete remote network, as shown in the SwyxON portal, as the remote network.
- Navigate to "VPN | IKE/IPSec | IKE proposal lists" and add a new list (here: CISCO) containing the proposal "PSK-AES-256-SHA".
- Continue with "VPN | IKE/IPSec | IKE proposals" and edit the proposal selected in the previous step ("PSKA-AES256-SHA") so that it matches the phase 1 proposal configured on the Cisco side in the datacentre.
- Navigate to "VPN | IKE/IPSec | IKE keys and identities" and add an identity object (here: SwyxON) holding the pre-shared key generated in the SwyxON portal.
- Navigate to "VPN | IKE/IPSec | IPSec proposal lists" and add a new list (here: CISCOP2) containing "TN-AES256-SHA".
- Continue with "VPN | IKE/IPSec | IPSec proposals" and edit the proposal selected in the previous step so that it matches the phase 2 proposal on the Cisco side.
- Navigate to "VPN | IKE/IPSec | Connection parameters", create a new object (here: SwyxIdentity) and select the objects created above: the IKE proposal list CISCO for phase 1, the IPSec proposal list CISCOP2 for phase 2 and the IKE key SwyxON. Set the PFS group and the IKE group to the values used on the datacentre side (here: Group 5, MODP-1536). Note that a 1536-bit MODP group is below current recommendations (2048 bits, i.e. group 14, or larger); both ends must use the same group, so it can only be raised if the datacentre side is changed to match.
- Navigate to "VPN | IKE/IPSec | Connection list" and add a new IPSec connection.
- Enter all required data for the connection, set "Rule creation" to "Manual", select the IPv4 rule created above (SWYXNET_KOMPLETT) from the drop-down list for the internal network, and select the connection parameter object created above (SwyxIdentity).
- You should now have a connection object with all parameters configured.
- Navigate to "IP router" and make sure that routing is enabled.
- Add all additional or required subnets as routes on the device. A route to the UC Tenant network is required in any case. If you completed the steps above, the VPN connection (here: SWYXON) is available as the router (next hop) for these routes.
The setup is done. You can check the connection status in LANmonitor.
- Right-click the entry "VPN: 1 connected" and choose "View VPN connection" to show the current state.
Tracing is also done with LANmonitor.
- Click "View" and choose "Create trace output" to start the tracing tool.
- In the selection tree on the left, tick the relevant items (IP Router, Firewall, VPN-Debug, VPN-IKE, VPN-Packet, VPN-Status) and click the green arrow to start tracing.
- Click the stop icon to stop tracing.
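The proposal objects configured above (PSK, AES-256, SHA, DH group 5) are what the LANCOM device sends on the wire in the first IKEv1 main mode message, and a mismatch with the Cisco side shows up in the VPN-IKE trace as a rejected SA payload. The following script is an added example, not part of this article or of LANCOM's tools: it builds a constructed ISAKMP SA payload with exactly that proposal (constructed test data, not a capture), decodes it field by field according to RFC 2408/2409, renders the transform under the same naming scheme LANconfig uses, checks whether two decoded proposals would agree in phase 1, and flags parameters that are below current guidance. The function names and the 2048-bit threshold are this example's own choices.

```python
"""Decode an IKEv1 (ISAKMP) phase-1 SA payload and report the proposal.

Added example, not part of the original article or of LANCOM's tooling.
The sample payload is constructed here so the script runs offline; attribute
numbers follow RFC 2408/2409 and the IANA ISAKMP registry, DH group sizes
follow RFC 2409/3526.
"""
import struct

# IKEv1 SA attribute types (RFC 2409 Appendix A)
ATTR_ENC, ATTR_HASH, ATTR_AUTH, ATTR_GROUP = 1, 2, 3, 4
ATTR_LIFE_TYPE, ATTR_LIFE_DUR, ATTR_KEYLEN = 11, 12, 14
ENC_NAMES = {1: "DES", 5: "3DES", 7: "AES"}          # 7 = AES-CBC (RFC 3602)
HASH_NAMES = {1: "MD5", 2: "SHA", 4: "SHA2-256", 5: "SHA2-384", 6: "SHA2-512"}
AUTH_NAMES = {1: "PSK", 3: "RSA-SIG"}
# Diffie-Hellman group description -> MODP modulus size in bits
DH_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096}


def build_sample_sa_payload(enc=7, keylen=256, hash_alg=2, auth=1, group=5, life=28800):
    """Construct an ISAKMP SA payload (constructed test data, not a capture).

    Defaults encode the article's proposal: PSK-AES-256-SHA, DH group 5.
    """
    # TV attributes: AF bit set, 2-byte value
    attrs = b"".join(struct.pack("!HH", 0x8000 | t, v) for t, v in (
        (ATTR_ENC, enc), (ATTR_KEYLEN, keylen), (ATTR_HASH, hash_alg),
        (ATTR_AUTH, auth), (ATTR_GROUP, group), (ATTR_LIFE_TYPE, 1)))
    # TLV attribute: AF bit clear, 2-byte length, 4-byte lifetime in seconds
    attrs += struct.pack("!HHI", ATTR_LIFE_DUR, 4, life)
    # Transform payload: next, reserved, length, transform#, ID (1 = KEY_IKE), reserved
    transform = struct.pack("!BBHBBH", 0, 0, 8 + len(attrs), 1, 1, 0) + attrs
    # Proposal payload: next, reserved, length, proposal#, protocol (1 = ISAKMP), SPI size, #transforms
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(transform), 1, 1, 0, 1) + transform
    # SA payload: next, reserved, length, DOI (1 = IPsec), situation (1 = identity only)
    return struct.pack("!BBHII", 0, 0, 12 + len(proposal), 1, 1) + proposal


def parse_attributes(data):
    """Walk an SA attribute list in TV/TLV encoding; returns {type: value}."""
    attrs, off = {}, 0
    while off < len(data):
        (af_type,) = struct.unpack_from("!H", data, off)
        if af_type & 0x8000:                     # TV: value is the next 2 bytes
            (val,) = struct.unpack_from("!H", data, off + 2)
            off += 4
        else:                                    # TLV: 2-byte length, then value
            (length,) = struct.unpack_from("!H", data, off + 2)
            val = int.from_bytes(data[off + 4:off + 4 + length], "big")
            off += 4 + length
        attrs[af_type & 0x7FFF] = val
    return attrs


def parse_sa_payload(data):
    """Decode an ISAKMP SA payload into DOI, situation, proposals and transforms."""
    _, _, sa_len, doi, situation = struct.unpack_from("!BBHII", data, 0)
    if sa_len > len(data):
        raise ValueError("truncated SA payload")
    proposals, off = [], 12
    while off < sa_len:
        _, _, p_len, p_num, proto, spi_size, n_trans = struct.unpack_from("!BBHBBBB", data, off)
        t_off, transforms = off + 8 + spi_size, []
        for _ in range(n_trans):
            _, _, t_len, t_num, t_id, _ = struct.unpack_from("!BBHBBH", data, t_off)
            transforms.append((t_num, t_id, parse_attributes(data[t_off + 8:t_off + t_len])))
            t_off += t_len
        proposals.append({"number": p_num, "protocol": proto, "transforms": transforms})
        off += p_len
    return {"doi": doi, "situation": situation, "proposals": proposals}


def describe_transform(attrs):
    """Render a transform the way LANconfig names IKE proposals, e.g. PSK-AES-256-SHA."""
    enc_id, keylen = attrs.get(ATTR_ENC), attrs.get(ATTR_KEYLEN)
    enc = ENC_NAMES.get(enc_id, f"enc{enc_id}")
    hsh = HASH_NAMES.get(attrs.get(ATTR_HASH), f"hash{attrs.get(ATTR_HASH)}")
    auth = AUTH_NAMES.get(attrs.get(ATTR_AUTH), f"auth{attrs.get(ATTR_AUTH)}")
    group = attrs.get(ATTR_GROUP)
    parts = [auth, enc] + ([str(keylen)] if keylen else []) + [hsh]
    return {"name": "-".join(parts), "auth": auth, "enc": enc, "keylen": keylen,
            "hash": hsh, "group": group, "group_bits": DH_BITS.get(group),
            "life_seconds": attrs.get(ATTR_LIFE_DUR) if attrs.get(ATTR_LIFE_TYPE) == 1 else None}


def proposal_matches(local, remote):
    """Phase 1 only completes if auth, cipher, key length, hash and DH group agree on both ends."""
    return all(local[k] == remote[k] for k in ("auth", "enc", "keylen", "hash", "group"))


def weak_points(desc):
    """Flag parameters below current guidance (e.g. NIST SP 800-77: DH modulus >= 2048 bits)."""
    issues = []
    if desc["group_bits"] is not None and desc["group_bits"] < 2048:
        issues.append(f"DH group {desc['group']} ({desc['group_bits']}-bit MODP) is below 2048 bits; "
                      "use group 14 or higher if the remote side supports it")
    if desc["enc"] in ("DES", "3DES"):
        issues.append(f"{desc['enc']} is obsolete; use AES")
    if desc["hash"] in ("MD5", "SHA"):
        issues.append(f"{desc['hash']} hash; prefer SHA2-256 or better")
    return issues


if __name__ == "__main__":
    sa = parse_sa_payload(build_sample_sa_payload())
    for prop in sa["proposals"]:
        for num, _tid, attrs in prop["transforms"]:
            d = describe_transform(attrs)
            print(f"proposal {prop['number']} transform {num}: {d['name']}, "
                  f"DH group {d['group']} (MODP-{d['group_bits']}), lifetime {d['life_seconds']}s")
            for note in weak_points(d):
                print("  note:", note)
```

To check a real exchange, feed `parse_sa_payload` the SA payload bytes of the first main mode message taken from a VPN-IKE trace or a packet capture and compare the decoded transform with the LANconfig objects; if the Cisco side answers with NO-PROPOSAL-CHOSEN, the field that differs is the one to edit in "IKE proposals" or "Connection parameters".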
Checklist: objects that must exist at the end of this procedure, and a short test:
- IKE proposal list with the proposal for IPSec phase 1 (CISCO)
- IPSec proposal list with the proposal for IPSec phase 2 (CISCOP2)
- IKE key and identity object with the pre-shared key from the SwyxON portal (SwyxON)
- IPv4 rule object with the complete network that needs to be reached through the VPN tunnel (SWYXNET_KOMPLETT)
- Connection parameter object that references all of the above objects (SWYXIDENTITY)
- Connection list entry that brings all of the above together with the remote endpoint (SWYXON)
- Required IPv4 routes added
- Check the VPN tunnel in LANmonitor; no errors should be shown.
- Access to SwyxWare via SwyxWare Administration is possible from the internal network.