LCOS allows IKEv2 authorization and accounting of VPN peers to be performed by an external RADIUS server.
In medium- to large-scale VPN scenarios, the tables for VPN configurations are generally rather large and complex. If multiple VPN gateways are operated for redundancy, it is important to ensure that the configuration is identical on all VPN gateways.
Operating a central RADIUS server allows the configuration of the VPN parameters on the VPN gateways to be almost completely outsourced to one or more RADIUS servers. When a device receives an incoming connection from a VPN peer, the device attempts to authenticate the incoming connection via RADIUS and to retrieve other necessary connection parameters, such as VPN network relationships, CFG-mode address or DNS server, from the RADIUS server.
The VPN configuration may be either completely or only partially retrieved from the RADIUS server, in which case it is combined with parameters stored locally. This mechanism works for incoming connections only.
Optional RADIUS accounting allows information about VPN connections to be stored centrally on a RADIUS server. This information may consist of the duration of the connection to the client, the time when the connection is established, or the transmitted data volume.
The RADIUS server is configured in LANconfig under .
RADIUS authorization
When authenticating a VPN peer, the LANCOM gateway transmits the following RADIUS attributes to the RADIUS server in the Access-Request:

| ID | Name | Meaning |
|---|---|---|
| 1 | User-Name | The remote ID of the VPN peer, as sent in the AUTH negotiation with the LANCOM gateway. |
| 2 | User-Password | The dummy password as configured in LANconfig under . |
| 4 | NAS-IP-Address | The IPv4 address of the gateway that is requesting access for a user. For an IPv6 connection, the gateway transmits attribute 95 instead (see below). |
| 6 | Service-Type | The service type is always "Outbound (5)" or "Dialout-Framed-User". |
| 31 | Calling-Station-Id | The identifier (an IPv4 or IPv6 address) of the calling station (e.g. the VPN client). |
| 95 | NAS-IPv6-Address | The IPv6 address of the gateway that is requesting access for a user. For an IPv4 connection, the gateway transmits attribute 4 instead (see above). |
Of the attributes contained in the Access-Accept response from the RADIUS server, the LANCOM gateway evaluates the following standard and vendor-specific attributes:

| ID | Name | Meaning |
|---|---|---|
| 8 | Framed-IP-Address | IPv4 address for the client (in IKE CFG-mode "Server"). |
| 22 | Framed-Route | IPv4 routes that are entered into the routing table on the VPN gateway in the direction of the client (next hop: client). |
| 39 | Tunnel-Password | Sets the passwords of the local and remote identity to the same value when using symmetric PSKs. |
| 88 | Framed-Pool | Name of the IPv4 address pool from which the client obtains its IP address and DNS server. Note: the values in "Framed-IP-Address" and "LCS-DNS-Server-IPv4-Address" take precedence over this attribute. |
| 99 | Framed-IPv6-Route | IPv6 routes that are entered into the routing table on the VPN gateway in the direction of the client (next hop: client). |
| 168 | Framed-IPv6-Address | IPv6 address for the client (in IKE CFG-mode "Server"). |
| 169 | DNS-Server-IPv6-Address | IPv6 DNS server for the client (in IKE CFG-mode "Server"). |
| 172 | Stateful-IPv6-Address-Pool | Name of the IPv6 address pool (in IKE CFG-mode "Server"). |
| LANCOM 19 | LCS-IKEv2-Local-Password | Local IKEv2 PSK. |
| LANCOM 20 | LCS-IKEv2-Remote-Password | Remote IKEv2 PSK. |
| LANCOM 21 | LCS-DNS-Server-IPv4-Address | IPv4 DNS server for the client (in IKE CFG-mode "Server"). |
| LANCOM 22 | LCS-VPN-IPv4-Rule | Contains the IPv4 network rules (examples below). |
| LANCOM 23 | LCS-VPN-IPv6-Rule | Contains the IPv6 network rules (examples below). |
| LANCOM 24 | LCS-Routing-Tag | Routing tag to be configured for the client (IPv4/IPv6). |
| LANCOM 25 | LCS-IKEv2-IPv4-Route | Routes in prefix notation (e.g. "192.168.1.0/24") that the LANCOM gateway transfers to the client via INTERNAL_IP4_SUBNET. Multiple instances of this attribute are evaluated. |
| LANCOM 26 | LCS-IKEv2-IPv6-Route | Routes in prefix notation (e.g. "2001:db8::/64") that the LANCOM gateway transfers to the client via INTERNAL_IP6_SUBNET. Multiple instances of this attribute are evaluated. |
Examples of network rules
A network rule on the RADIUS server has the form `<local networks> * <remote networks>`.
The entries for `<local networks>` and `<remote networks>` are comma-separated lists.
- Example 1: `10.1.1.0/24,10.2.0.0/16 * 172.32.0.0/12`
  The result is the following network rules:
  - `10.2.0.0/255.255.0.0 <-> 172.16.200.0/255.255.255.255`
  - `10.1.1.0/255.255.255.0 <-> 172.16.200.0/255.255.255.255`
- Example 2: `10.1.1.0/24 * 0.0.0.0/0`
  This results in the following network rule:
  - `10.1.1.0/255.255.255.0 <-> 0.0.0.0/0.0.0.0`
- Example 3: `2001:db8:1::/48 * 2001:db8:6::/48`
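The following is an added example, not part of the LCOS documentation or LANCOM's own code: it parses an LCS-VPN-IPv4-Rule or LCS-VPN-IPv6-Rule value in the `<local networks> * <remote networks>` form described above and expands it into the pairwise local/remote relationships in address/netmask notation, rejecting malformed entries and prefixes with host bits set (which a RADIUS operator would want to catch before a peer connects with a rule that silently covers the wrong network). The function name and the strict validation are this example's own choices.

```python
import ipaddress


def expand_vpn_rule(rule: str) -> list[str]:
    """Expand "<local networks> * <remote networks>" into one
    "local/netmask <-> remote/netmask" line per local/remote pair.
    Raises ValueError for malformed rules or non-aligned prefixes."""
    parts = rule.split("*")
    if len(parts) != 2:
        raise ValueError(f"rule must contain exactly one '*': {rule!r}")
    local_nets = [_parse_net(s) for s in parts[0].split(",")]
    remote_nets = [_parse_net(s) for s in parts[1].split(",")]
    # IPv4 and IPv6 rules are carried in separate attributes, so reject mixing.
    if len({n.version for n in local_nets + remote_nets}) != 1:
        raise ValueError("mixed IPv4/IPv6 networks in one rule")
    return [
        f"{loc.network_address}/{loc.netmask} <-> {rem.network_address}/{rem.netmask}"
        for loc in local_nets
        for rem in remote_nets
    ]


def _parse_net(text: str):
    text = text.strip()
    if not text:
        raise ValueError("empty network entry (stray comma?)")
    # strict=True rejects entries with host bits set, e.g. 10.1.1.5/24
    return ipaddress.ip_network(text, strict=True)
```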
RADIUS accounting
The LANCOM gateway counts the transmitted data packets and octets and reports them in regular Accounting-Request messages to the RADIUS accounting server. The RADIUS server acknowledges each of these with an Accounting-Response message.
The Accounting-Request messages have the following status types:
- Start: As soon as a VPN peer contacts the LANCOM gateway, the gateway starts an accounting session via IKEv2 and sends a Start status message with the appropriate RADIUS attributes to the RADIUS accounting server.
- Interim-Update: During an ongoing accounting session, the gateway sends Interim-Update status messages at the configured interval to the RADIUS accounting server that gave a valid response to the Start status message. The gateway ignores any backup servers that may have been configured.
- Stop: When a session ends, the LANCOM gateway sends a Stop status message to the RADIUS accounting server. This message, too, goes only to the RADIUS accounting server that gave a valid response to the Start status message; the gateway ignores any backup servers that may have been configured.
In the Accounting-Request message, the gateway transmits the following RADIUS attributes to the RADIUS server:

| ID | Name | Meaning | Status-Type |
|---|---|---|---|
| 1 | User-Name | The remote ID of the VPN peer, as sent in the AUTH negotiation with the LANCOM gateway. | |
| 4 | NAS-IP-Address | The IPv4 address of the gateway that is requesting access for a user. For an IPv6 connection, the gateway transmits attribute 95 instead (see below). | |
| 8 | Framed-IP-Address | IPv4 address of the VPN client. | |
| 31 | Calling-Station-Id | The identifier (an IPv4 or IPv6 address) of the calling station (e.g. the VPN client). | |
| 32 | NAS-Identifier | The device name of the gateway. | |
| 40 | Acct-Status-Type | Contains the status type "Start" (1). | Start |
| 40 | Acct-Status-Type | Contains the status type "Interim-Update" (3). | Interim-Update |
| 40 | Acct-Status-Type | Contains the status type "Stop" (2). | Stop |
| 42 | Acct-Input-Octets | The number of octets received from the VPN peer. The value refers to the decrypted data, starting with the IP header. | |
| 43 | Acct-Output-Octets | The number of octets sent to the VPN peer. The value refers to the decrypted data, starting with the IP header. | |
| 44 | Acct-Session-Id | The unique session ID, formed from the name of the VPN peer and the timestamp at the start of the session. | |
| 46 | Acct-Session-Time | The elapsed time in seconds since the start of the session. | |
| 47 | Acct-Input-Packets | The current number of data packets received from the VPN peer. | |
| 48 | Acct-Output-Packets | The current number of data packets sent to the VPN peer. | |
| 49 | Acct-Terminate-Cause | The reason for terminating the session. | |
| 52 | Acct-Input-Gigawords | The number of gigawords received from the VPN peer. The value refers to the decrypted data, starting with the IP header. | |
| 53 | Acct-Output-Gigawords | The number of gigawords sent to the VPN peer. The value refers to the decrypted data, starting with the IP header. | |
| 95 | NAS-IPv6-Address | The IPv6 address of the gateway that is requesting access for a user. For an IPv4 connection, the gateway transmits attribute 4 instead (see above). | |
| 168 | Framed-IPv6-Address | IPv6 address of the VPN client. | |
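As an added example (not LCOS or LANCOM code), the following consumer-side reconciliation folds the Start / Interim-Update / Stop records described above into per-session state keyed by Acct-Session-Id. It combines the 32-bit octet counters with the Gigawords attributes to recover the full byte count and flags lifecycle anomalies (updates for a session that never started, or after its Stop) that an accounting backend would otherwise silently swallow. The attribute dicts, session ID format and sample stream are constructed for this example; the numeric Acct-Status-Type values are the ones given in the table.

```python
from dataclasses import dataclass

START, STOP, INTERIM_UPDATE = 1, 2, 3  # Acct-Status-Type values from the table above


@dataclass
class Session:
    user: str
    input_octets: int = 0
    output_octets: int = 0
    session_time: int = 0
    stopped: bool = False
    terminate_cause: int = 0


def total_octets(octets: int, gigawords: int) -> int:
    # RFC 2869: Gigawords counts how often the 32-bit octet counter has wrapped
    return (gigawords << 32) + octets


def process_accounting(records):
    """Fold Accounting-Request attribute dicts (keyed by attribute name) into
    per-session state keyed by Acct-Session-Id. Returns (sessions, anomalies)."""
    sessions, anomalies = {}, []
    for r in records:
        sid, status = r["Acct-Session-Id"], r["Acct-Status-Type"]
        if status == START:
            if sid in sessions:
                anomalies.append(f"duplicate Start for {sid}")
            sessions[sid] = Session(user=r["User-Name"])
            continue
        s = sessions.get(sid)
        if s is None:
            anomalies.append(f"status {status} without Start for {sid}")
            continue
        if s.stopped:
            anomalies.append(f"status {status} after Stop for {sid}")
            continue
        # Counters are cumulative since Start, so the newest record replaces the old values.
        s.input_octets = total_octets(r.get("Acct-Input-Octets", 0), r.get("Acct-Input-Gigawords", 0))
        s.output_octets = total_octets(r.get("Acct-Output-Octets", 0), r.get("Acct-Output-Gigawords", 0))
        s.session_time = r.get("Acct-Session-Time", s.session_time)
        if status == STOP:
            s.stopped, s.terminate_cause = True, r.get("Acct-Terminate-Cause", 0)
    return sessions, anomalies


# Constructed sample stream: one complete session for PEER-A whose input counter
# wrapped once before Stop, plus a stray Interim-Update for a session never started.
SAMPLE_RECORDS = [
    {"Acct-Session-Id": "PEER-A:1700000000", "Acct-Status-Type": START, "User-Name": "PEER-A"},
    {"Acct-Session-Id": "PEER-A:1700000000", "Acct-Status-Type": INTERIM_UPDATE,
     "Acct-Input-Octets": 4096, "Acct-Output-Octets": 1024, "Acct-Session-Time": 60},
    {"Acct-Session-Id": "PEER-A:1700000000", "Acct-Status-Type": STOP, "Acct-Input-Octets": 100,
     "Acct-Input-Gigawords": 1, "Acct-Output-Octets": 5000, "Acct-Session-Time": 3600,
     "Acct-Terminate-Cause": 1},
    {"Acct-Session-Id": "PEER-B:1700000500", "Acct-Status-Type": INTERIM_UPDATE, "Acct-Input-Octets": 10},
]
```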