Routers & VPN Gateways

LANCOM 1631E
Versatile small-business router with Ethernet for a secure and professional
Internet access for single site businesses

The LANCOM 1631E is a professional small-business router for a secure Internet access via an external modem.
This compact router for professional applications is ideally suited for connecting smaller companies and offices,
meeting maximum requirements for a secure Internet access with LANCOM quality “made in Germany”.

a Versatilely applicable small business router for secure and professional Internet access via an external modem
a Integrated stateful-inspection firewall with intrusion detection and Denial-of-Service protection
a Network virtualization with up to 2 networks on one device (ARF)
a Security Made in Germany
a Maximum future compatibility, reliability, and security
 DATASHEET

LANCOM 1631E

High-speed Internet via external modems Security Made in Germany

The LANCOM 1631E is a small-business router for connecting
external modems via ist Gigabit Ethernet interface, making
it the ideal device for a secure and professional Internet
access for single site businesses.
Secure site connectivity via VPN
The LANCOM 1631E offers high levels of security. The
standard equipment of 3 IPSec VPN channels guarantees
strong encryption, secure connections for mobile employees,
and protection of corporate data. This ensures that your
network is perfectly scalable and can grow
demand—without additional hardware components.
In a market with a strong presence of American and Asian
products, LANCOM offers maximum security "Made in
Germany". The entire LANCOM core product range is
developed and manufactured in Germany, and tested
according to the highest standards of security, data
protection and quality. The company's own "closed-source"
operating system LCOS is developed at the company
headquarters in Germany. Our in-house team of developers
works in a highly secure environment as certified by the BSI
(German Federal Office for Information Security), all of which
on is subject to the highest standards of security, encryption,
and quality.

Stateful inspection firewall

Equipped with a stateful inspection firewall, the LANCOM
1631E protects the entire network. With features such as
intrusion prevention and Denial-of-Service protection, this
business VPN router provides optimal protection and secures
all of the data on the network.

Advanced Routing & Forwarding

The LANCOM 1631E provides up to 2 securely isolated IP
contexts, each of which has its own separate routing. This
is an elegant way of operating IP applications with one
central router and keeping the different communication
channels securely separated from one another.

Maximum future-proofing
LANCOM products are based on professional expertise, years
of experience in IT, and high-quality materials. All of our
devices are equipped with hardware that is dimensioned for
the future and, even reaching back to older product
generations, updates to the LANCOM Operating System –
LCOS – are available several times a year, free of charge. This
guarantees a long service life while staying technically up to
date, which represents a true protection of your investment.
 DATASHEET

LANCOM 1631E LCOS 10.12

High availability / redundancy

Load balancing Static and dynamic load balancing over up to 2 WAN connections. Channel bundling with Multilink PPP (if supported by network
operator)

VPN redundancy Backup of VPN connections across different hierarchy levels, e.g. in case of failure of a central VPN concentrator and re-routing to
multiple distributed remote sites. Any number of VPN remote sites can be defined (the tunnel limit applies only to active connections).
Up to 32 alternative remote stations, each with its own routing tag, can be defined per VPN connection. Automatic selection may be
sequential, or dependant on the last connection, or random (VPN load balancing)

Line monitoring Line monitoring with LCP echo monitoring, dead-peer detection and up to 4 addresses for end-to-end monitoring with ICMP polling
VPN
IPSec over HTTPS Enables IPsec VPN based on TCP (at port 443 like HTTPS) which can go through firewalls in networks where e. g. port 500 for IKE is
blocked. Suitable for client-to-site connections and site-to-site connections. IPSec over HTTPS is based on the NCP VPN Path Finder
technology

Number of VPN tunnels Max. number of concurrent active IPSec, PPTP (MPPE) and L2TPv2 tunnels: 3. Unlimited configurable connections.

Hardware accelerator Integrated hardware accelerator for 3DES/AES encryption and decryption

Realtime clock Integrated, buffered realtime clock to save the date and time during power failure. Assures timely validation of certificates in any case

Random number generator Generates real random numbers in hardware, e. g. for improved key generation for certificates immediately after switching-on

1-Click-VPN Client assistant One click function in LANconfig to create VPN client connections, incl. automatic profile creation for the LANCOM Advanced VPN Client

1-Click-VPN Site-to-Site Creation of VPN connections between LANCOM routers via drag and drop in LANconfig

IKE, IKEv2 IPSec key exchange with Preshared Key or certificate (RSA signature, digital signature)

Smart Certificate* Convenient generation of digital X.509 certificates via an own certifaction authority (SCEP-CA) on the webpage or via SCEP.

Certificates X.509 digital multi-level certificate support, compatible with Microsoft Server / Enterprise Server and OpenSSL. Secure Key Storage
protects a private key (PKCS#12) from theft.

Certificate rollout Automatic creation, rollout and renewal of certificates via SCEP (Simple Certificate Enrollment Protocol) per certificate hierarchy

Certificate revocation lists (CRL) CRL retrieval via HTTP per certificate hierarchy

OCSP Client Check X.509 certifications by using OCSP (Online Certificate Status Protocol) in real time as an alternative to CRLs

XAUTH XAUTH client for registering LANCOM routers and access points at XAUTH servers incl. IKE-config mode. XAUTH server enables clients
to register via XAUTH at LANCOM routers. Connection of the XAUTH server to RADIUS servers provides the central authentication of
VPN-access with user name and password. Authentication of VPN-client access via XAUTH and RADIUS connection additionally by
OTP token

RAS user template Configuration of all VPN client connections in IKE ConfigMode via a single configuration entry

Proadaptive VPN Automated configuration and dynamic creation of all necessary VPN and routing entries based on a default entry for site-to-site
connections. Propagation of dynamically learned routes via RIPv2 if required

Algorithms 3DES (168 bit), AES-CBC and -GCM (128, 192 or 256 bit), Blowfish (128 bit), RSA (1024-4096 bit) and CAST (128 bit). OpenSSL
implementation with FIPS-140 certified algorithms. MD-5, SHA-1, SHA-256, SHA-384 or SHA-512 hashes

NAT-Traversal NAT-Traversal (NAT-T) support for VPN over routes without VPN passthrough

IPCOMP VPN data compression based on Deflate compression for higher IPSec throughput on low-bandwidth connections (must be supported
by remote endpoint)

LANCOM Dynamic VPN Enables VPN connections from or to dynamic IP addresses. The IP address is communicated via ISDN B- or D-channel or with the ICMP
or UDP protocol in encrypted form. Dynamic dial-in for remote sites via connection template

Dynamic DNS Enables the registration of IP addresses with a Dynamic DNS provider in the case that fixed IP addresses are not used for the VPN
connection

Specific DNS forwarding DNS forwarding according to DNS domain, e.g. internal names are translated by proprietary DNS servers in the VPN. External names
are translated by Internet DNS servers

IPv4 VPN Connecting private IPv4 networks

IPv4 VPN over IPv6 WAN Use of IPv4 VPN over IPv6 WAN connections

IPv6 VPN Connecting private IPv6 networks

IPv6 VPN over IPv4 WAN Use of IPv6 VPN over IPv4 WAN connections
 DATASHEET

LANCOM 1631E LCOS 10.12

High availability / redundancy

Load balancing Static and dynamic load balancing over up to 2 WAN connections. Channel bundling with Multilink PPP (if supported by network
operator)

VPN redundancy Backup of VPN connections across different hierarchy levels, e.g. in case of failure of a central VPN concentrator and re-routing to
multiple distributed remote sites. Any number of VPN remote sites can be defined (the tunnel limit applies only to active connections).
Up to 32 alternative remote stations, each with its own routing tag, can be defined per VPN connection. Automatic selection may be
sequential, or dependant on the last connection, or random (VPN load balancing)

Line monitoring Line monitoring with LCP echo monitoring, dead-peer detection and up to 4 addresses for end-to-end monitoring with ICMP polling
VPN
IPSec over HTTPS Enables IPsec VPN based on TCP (at port 443 like HTTPS) which can go through firewalls in networks where e. g. port 500 for IKE is
blocked. Suitable for client-to-site connections and site-to-site connections. IPSec over HTTPS is based on the NCP VPN Path Finder
technology

Number of VPN tunnels Max. number of concurrent active IPSec, PPTP (MPPE) and L2TPv2 tunnels: 3. Unlimited configurable connections.

Hardware accelerator Integrated hardware accelerator for 3DES/AES encryption and decryption

Realtime clock Integrated, buffered realtime clock to save the date and time during power failure. Assures timely validation of certificates in any case

Random number generator Generates real random numbers in hardware, e. g. for improved key generation for certificates immediately after switching-on

1-Click-VPN Client assistant One click function in LANconfig to create VPN client connections, incl. automatic profile creation for the LANCOM Advanced VPN Client

1-Click-VPN Site-to-Site Creation of VPN connections between LANCOM routers via drag and drop in LANconfig

IKE, IKEv2 IPSec key exchange with Preshared Key or certificate (RSA signature, digital signature)

Smart Certificate* Convenient generation of digital X.509 certificates via an own certifaction authority (SCEP-CA) on the webpage or via SCEP.

Certificates X.509 digital multi-level certificate support, compatible with Microsoft Server / Enterprise Server and OpenSSL. Secure Key Storage
protects a private key (PKCS#12) from theft.

Certificate rollout Automatic creation, rollout and renewal of certificates via SCEP (Simple Certificate Enrollment Protocol) per certificate hierarchy

Certificate revocation lists (CRL) CRL retrieval via HTTP per certificate hierarchy

OCSP Client Check X.509 certifications by using OCSP (Online Certificate Status Protocol) in real time as an alternative to CRLs

XAUTH XAUTH client for registering LANCOM routers and access points at XAUTH servers incl. IKE-config mode. XAUTH server enables clients
to register via XAUTH at LANCOM routers. Connection of the XAUTH server to RADIUS servers provides the central authentication of
VPN-access with user name and password. Authentication of VPN-client access via XAUTH and RADIUS connection additionally by
OTP token

RAS user template Configuration of all VPN client connections in IKE ConfigMode via a single configuration entry

Proadaptive VPN Automated configuration and dynamic creation of all necessary VPN and routing entries based on a default entry for site-to-site
connections. Propagation of dynamically learned routes via RIPv2 if required

Algorithms 3DES (168 bit), AES-CBC and -GCM (128, 192 or 256 bit), Blowfish (128 bit), RSA (1024-4096 bit) and CAST (128 bit). OpenSSL
implementation with FIPS-140 certified algorithms. MD-5, SHA-1, SHA-256, SHA-384 or SHA-512 hashes

NAT-Traversal NAT-Traversal (NAT-T) support for VPN over routes without VPN passthrough

IPCOMP VPN data compression based on Deflate compression for higher IPSec throughput on low-bandwidth connections (must be supported
by remote endpoint)

LANCOM Dynamic VPN Enables VPN connections from or to dynamic IP addresses. The IP address is communicated via ISDN B- or D-channel or with the ICMP
or UDP protocol in encrypted form. Dynamic dial-in for remote sites via connection template

Dynamic DNS Enables the registration of IP addresses with a Dynamic DNS provider in the case that fixed IP addresses are not used for the VPN
connection

Specific DNS forwarding DNS forwarding according to DNS domain, e.g. internal names are translated by proprietary DNS servers in the VPN. External names
are translated by Internet DNS servers

IPv4 VPN Connecting private IPv4 networks

IPv4 VPN over IPv6 WAN Use of IPv4 VPN over IPv6 WAN connections

IPv6 VPN Connecting private IPv6 networks

IPv6 VPN over IPv4 WAN Use of IPv6 VPN over IPv4 WAN connections
 DATASHEET

LANCOM 1631E LCOS 10.12

VPN
Radius RADIUS authorization and accounting, outsourcing of VPN configurations in external RADIUS server in IKEv2, RADIUS CoA (Change
of Authorization)

*) Only with VPN 25 option

Performance
Routing-Performance Data regarding the overall routing performance can be found inside the LANCOM tech paper "Routing-Performance" on
www.lancom-systems.com
VoIP
SIP ALG The SIP ALG (Application Layer Gateway) acts as a proxy for SIP communication. For SIP calls the ALG opens the necessary ports for
the corresponding media packets. Automatic address translation (STUN is no longer needed).
Interfaces
WAN: Ethernet 10/100/1000 Mbps Gigabit Ethernet

Ethernet ports 3 individual 10/100/1000 Mbps Ethernet ports; up to 3 ports can be operated as additional WAN ports with load balancing. Ethernet
ports can be electrically disabled within LCOS configuration. The ports support energy saving according to IEEE 802.3az

Port configuration Each Ethernet port can be freely configured (LAN, DMZ, WAN, monitor port, off). LAN ports can be operated as a switch or separately.
Additionally, external DSL modems or termination routers can be operated as a WAN port with load balancing and policy-based routing.
DMZ ports can be operated with their own IP address range without NAT

USB 2.0 host port USB 2.0 hi-speed host port for connecting USB printers (USB print server), serial devices (COM port server), USB data storage (FAT file
system); bi-directional data exchange is possible

ISDN ISDN BRI port (S0 bus)

Serial interface Serial configuration interface / COM port (8 pin Mini-DIN): 9,600 - 115,000 baud, suitable for optional connection of analog/GPRS
modems. Supports internal COM port server and allows for transparent asynchronous transmission of serial data via TCP
Management and monitoring
Management LANCOM Management Cloud, LANconfig, WEBconfig, LANCOM Layer 2 management (emergency management)

Management functions Alternative boot configuration, voluntary automatic updates for LCMS and LCOS, individual access and function rights up to 16
administrators, RADIUS and RADSEC user management, remote access (WAN or (W)LAN, access rights (read/write) adjustable seperately),
SSL, SSH, HTTPS, Telnet, TFTP, SNMP, HTTP, access rights via TACACS+, scripting, timed control of all parameters and actions through
cron job

FirmSafe Two stored firmware versions, incl. test mode for firmware updates

Monitoring LANCOM Management Cloud, LANmonitor, WLANmonitor

Monitoring functions Device SYSLOG, SNMPv1,v2c,v3 incl. SNMP-TRAPS, extensive LOG and TRACE options, PING and TRACEROUTE for checking connections,
internal logging buffer for firewall events

Monitoring statistics Extensive Ethernet, IP and DNS statistics; SYSLOG error counter, accounting information exportable via LANmonitor and SYSLOG

LANCAPI Available for all LANCOM routers with integrated ISDN interface. LANCAPI provides CAPI 2.0 features for Microsoft Windows to utilize
ISDN channels over the IP network

CAPI Faxmodem Softmodem for Microsoft Windows that makes use of LANCAPI to send and receive faxes via ISDN

iPerf iPerf is a tool for measurements of the bandwidth on IP networks (integrated client and server)

SLA-Monitor (ICMP) Performance monitoring of connections

SD-LAN SD-LAN – automatic LAN configuration via the LANCOM Management Cloud

SD-WAN SD-WAN – automatic WAN configuration via the LANCOM Management Cloud

*) Note Not for use with All-IP connection

Hardware
Power supply 12 V DC, external power adapter (230 V) with bayonet cap to protect against accidentally unplugging

Environment Temperature range 5–40° C; humidity 0–95%; non-condensing

Housing Robust synthetic housing, rear connectors, ready for wall mounting, Kensington lock; 210 x 45 x 140 mm (W x H x D)

Fans None; fanless design without rotating parts, high MTBF

 DATASHEET

LANCOM 1631E LCOS 10.12

Hardware
Power consumption (max) 10 watt
Declarations of conformity*
CE EN 60950-1, EN 55022, EN 55024

IPv6 IPv6 Ready Gold

Country of Origin Made in Germany

*) Note You will find all declarations of conformity in the products section of our website at www.lancom-systems.com
Scope of delivery
Manual Hardware Quick Reference (DE/EN), Installation Guide (DE/EN)

CD/DVD Data medium with management software (LANconfig, LANmonitor, WLANmonitor, LANCAPI) and documentation

Cable 1 Ethernet cable, 3 m

Cable ISDN cable, 3m

Power supply unit External power adapter (230 V), NEST 12 V/1.5 A DC/S, coaxial power connector 2.1/5.5 mm bayonet, temperature range from -5 to
+45° C, LANCOM item no. 111301 (EU)/LANCOM item no 110829 (UK)
Support
Warranty 3 years support

Software updates Regular free updates (LCOS operating system and LANtools) via Internet
Options
LANCOM Content Filter LANCOM Content Filter +10 user, 1 year subscription, item no. 61590

LANCOM Content Filter LANCOM Content Filter +25 user, 1 year subscription, item no. 61591

LANCOM Content Filter LANCOM Content Filter +10 user, 3 year subscription, item no. 61593

LANCOM Content Filter LANCOM Content Filter +25 user, 3 year subscription, item no. 61594

LANCOM Warranty Basic Option S Option to extend the manufacturer´s warranty from 3 to 5 years, item no. 10710

LANCOM Warranty Advanced Option S Option to extend the manufacturer´s warranty from 3 to 5 years and replacement of a defective device, item no. 10715

LANCOM All-IP Option Upgrade option for the operation of the LANCOM 1781 series, 1631E, and 831A with All-IP connections, support of ISDN PBX systems
and telephony devices as well as ISDN voice & fax services, incl. Voice Call Manager, All-IP (TAE/RJ45) and cross-over adapters (TE/NT),
item no. 61422

LANCOM VoIP +10 Option
LANCOM Management Cloud
LANCOM LMC-A-1Y LMC License
Upgrade for LANCOM VoIP router with 10 additional internal VoIP numbers (additionally up to 40) and 10 external SIP lines (additionally
up to 55) item no. 61423
LANCOM LMC-A-1Y License (1 Year), enables the management of one category A device for one year via the LANCOM Management
Cloud, item no. 50100

LANCOM LMC-A-3Y LMC License LANCOM LMC-A-3Y License (3 Years), enables the management of one category A device for three years via the LANCOM Management
Cloud, item no. 50101

LANCOM LMC-A-5Y LMC License LANCOM LMC-A-5Y License (5 Years), enables the management of one category A device for five years via the LANCOM Management
Cloud, item no. 50102
Accessories
19" Rack Mount 19" rack mount adaptor, item no. 61501

LANCOM Wall Mount For simple, theft-proof mounting of LANCOM devices with plastic housings, item no. 61349

LANCOM Wall Mount (White) For simple, theft-proof mounting of LANCOM devices with plastic housings, item no. 61345

LANCOM Serial Adapter Kit For the connection of V.24 modems with AT command set and serial interface for the connection to the LANCOM COM interface, incl.
serial cable and connection plug, item no. 61500

VPN Client Software LANCOM Advanced VPN Client for Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, single license, item no. 61600

VPN Client Software LANCOM Advanced VPN Client for Mac OS X (10.5 Intel only, 10.6 or higher), single license, item no. 61606
 Chassis drawing
Item number(s)
LANCOM 1681E (EU)

LANCOM 1681E (UK)

LANCOM 1631E

www.lancom-systems.com
61083
61082

LANCOM Systems GmbH I Adenauerstr. 20/B2 I 52146 Wuerselen I Germany I E-mail [email protected]
DATASHEET

LCOS 10.12

LANCOM, LANCOM Systems and LCOS are registered trademarks. All other names or descriptions used may be trademarks or registered trademarks of their owners. Subject to change without notice. No liability for
technical errors and/or omissions. 04/18