Product: The information in this article is based on Cyberoam Version 10.00 onwards and PIX-Firewall 6.3(5) with 3DES Support.
Applicable to Version: 10.00 onwards
This article describes a detailed configuration example that demonstrates how to set up a Site-to-Site IPSec VPN connection between Cyberoam and Cisco PIX using preshared key to authenticate VPN peers.
Throughout the article we will use the default VPN policy provided by Cyberoam and network parameters as shown in the diagram below.
This document has 2 sections: Cisco PIX-Firewall Server Configuration and Cyberoam Configuration.
Cisco PIX-Firewall Server Configuration
Step 1: Logon to PIX-Firewall with Enable privilege
Pix-firewall> en
Password: ******
Pix-firewall# conf t
Step 2: Configuring IKE Parameters as follows:
isakmp enable outside
isakmp key 0123456789 address 202.134.168.202 netmask 255.255.255.0
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 3600
Step 3: Verify the IKE parameters using the commands given below
show isakmp
show isakmp policy
Step 4: Define Access-list to allow IPSec tunnel traffic
access-list pix_2_cyberoam permit ip 172.50.50.0 255.255.255.0 172.16.16.0 255.255.255.0
Step 5: Specify addresses to be exempt from NAT (traffic to be tunneled)
nat (inside) 0 access-list pix_2_cyberoam
Step 6: Configuring IPSec Parameters
crypto ipsec transform-set pixtransform esp-3des esp-md5-hmac
crypto map pixmap 10 ipsec-isakmp
crypto map pixmap 10 match address pix_2_cyberoam
crypto map pixmap 10 set peer 202.134.168.202
crypto map pixmap 10 set transform-set pixtransform
crypto map pixmap interface outside
Step 7: Implicit permit for all packets that come from IPsec tunnels
sysopt connection permit-ipsec
Note:
Use the command given below to view your IPSec security associations:
show crypto ipsec sa
Or, if you want to check your IPSec negotiation, use the debug commands:
debug crypto isakmp
debug crypto ipsec
Cyberoam Configuration
The entire configuration is done from the Web Admin Console. Access the Web Admin Console with a user having the “Administrator” profile.
Step 1: Create IPSec connection
Go to VPN → IPSec Connection and click on the “Add” button to create a connection with the following values:
| Parameters | Value |
| General Settings | |
| Name | CR_2_PIX |
| Connection Type | Site to Site |
| Policy | DefaultHeadOffice |
| Action on VPN Restart | Respond Only |
| Authentication Details | |
| Authentication Type | Preshared Key |
| Preshared Key | Forward this key to the remote peer (PIX), as the same preshared key must be used by both peers; on the PIX it is the key given in the isakmp key command in Step 2 of the PIX section. At the remote end, the peer will have to specify this key for authentication. In SonicWall, the preshared key is called ‘Shared Secret’ or ‘Preshared Secret’. |
| Confirm Preshared Key | Specify the preshared key again for confirmation |
| Local Network Details | |
| Local WAN Port | 202.134.168.202 |
| Local Subnet | 172.16.16.0/24 |
| Remote Network Details | |
| Remote VPN Server | 202.134.168.208 |
| Remote Subnet | 172.50.50.0/24 |
Click on OK and the IPSec Connection ‘CR_2_PIX’ will be added successfully.
Step 2: Activate Connection
Go to VPN → IPSec → Connection and click the icon under Status against the CR_2_PIX connection to activate the connection.
The icon shown under Status indicates that the connection is successfully activated.
Note:
At a time only one connection can be active if both types of connection - Digital Certificate and Preshared Key - are created with the same source and destination. In such a situation, at the time of activation you will receive the error ‘Unable to activate connection’, so you need to deactivate all other connections first.
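As an added cross-check that is not part of the original article or of Cyberoam's or Cisco's own tooling, the Python script below parses the PIX commands from the steps above and compares them with the Cyberoam connection values, flagging mirrored subnets, peer addresses and preshared keys that do not agree; the key value on the Cyberoam side is an assumption taken from the PIX isakmp key line, and the script also reports when the isakmp key netmask binds the key to more than one host.

```python
import ipaddress
import re

# PIX commands copied from Steps 2, 4 and 6 of the article (constructed input string).
PIX_CONFIG = """
isakmp key 0123456789 address 202.134.168.202 netmask 255.255.255.0
access-list pix_2_cyberoam permit ip 172.50.50.0 255.255.255.0 172.16.16.0 255.255.255.0
crypto ipsec transform-set pixtransform esp-3des esp-md5-hmac
crypto map pixmap 10 set peer 202.134.168.202
"""

# Cyberoam connection values from the table above; the key value is an assumption.
CYBEROAM = {"local_wan": "202.134.168.202", "local_subnet": "172.16.16.0/24",
            "remote_server": "202.134.168.208", "remote_subnet": "172.50.50.0/24",
            "psk": "0123456789"}

def parse_pix(cfg):
    """Extract the PIX fields that must agree with the Cyberoam side."""
    pix = {}
    key = re.search(r"isakmp key (\S+) address (\S+) netmask (\S+)", cfg)
    pix["psk"], pix["key_peer"], pix["key_mask"] = key.groups()
    acl = re.search(r"access-list \S+ permit ip (\S+) (\S+) (\S+) (\S+)", cfg)
    pix["local_subnet"] = str(ipaddress.ip_network(f"{acl[1]}/{acl[2]}"))
    pix["remote_subnet"] = str(ipaddress.ip_network(f"{acl[3]}/{acl[4]}"))
    pix["peer"] = re.search(r"crypto map \S+ \d+ set peer (\S+)", cfg)[1]
    return pix

def check_pair(pix, cr):
    """Return a list of mismatches; an empty list means both ends agree."""
    issues = []
    if pix["peer"] != cr["local_wan"]:
        issues.append("PIX crypto map peer differs from Cyberoam Local WAN Port")
    if pix["key_peer"] != cr["local_wan"]:
        issues.append("PIX isakmp key address differs from Cyberoam Local WAN Port")
    if pix["local_subnet"] != cr["remote_subnet"]:
        issues.append("PIX source subnet differs from Cyberoam Remote Subnet")
    if pix["remote_subnet"] != cr["local_subnet"]:
        issues.append("PIX destination subnet differs from Cyberoam Local Subnet")
    if pix["psk"] != cr["psk"]:
        issues.append("preshared keys differ")
    # A peer key should be bound to one host; a wider mask lets any host in that
    # range authenticate with the same key.
    scope = ipaddress.ip_network(f"{pix['key_peer']}/{pix['key_mask']}", strict=False)
    if scope.num_addresses != 1:
        issues.append(f"isakmp key netmask {pix['key_mask']} covers {scope}, not one host")
    return issues

if __name__ == "__main__":
    print(check_pair(parse_pix(PIX_CONFIG), CYBEROAM))
```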
Document Version – 1.0 – 03/08/2012