This article describes how to configure Cyberoam Firewall/VPN in a hub-and-spoke VPN system, as might be used by a headquarters with many branch offices.
In a hub-and-spoke network, all VPN tunnels terminate at the hub. The hub functions as a concentrator on the network, managing all VPN connections between the spokes. No site-to-site connection exists between the spokes; VPN traffic from one spoke passes from its tunnel into the other spoke's tunnel via the hub.
In the example used throughout this article, the IP addresses below are assigned to the Cyberoam appliances deployed at the headquarters and two branches. Follow the steps to set up the example hub-and-spoke VPN configuration between the Houston branch (Cyberoam_br1), the Dallas branch (Cyberoam_br2) and the New York head office (Cyberoam_ho) network.
IP addressing scheme
Hub - New York office (Cyberoam_ho)
LAN IP address – 192.168.1.0/24
WAN IP address – 202.11.11.11
Spoke 1 – Houston Branch (Cyberoam_br1)
LAN IP address – 5.5.5.0/16
WAN IP address – 202.10.10.10
Spoke 2 – Dallas Branch (Cyberoam_br2)
LAN IP address – 10.10.10.0/24
WAN IP address – 202.12.12.12

Configuring Connection at Houston branch (Spoke)
Configuration Parameters | Houston Branch (Cyberoam_br1)
-------------------------|--------------------------------------------------
Preshared key            | Houston_key
Local Network details    | Local Server (WAN IP address) – 202.10.10.10
                         | Local LAN address – 5.5.5.0/16
                         | Local ID – john@elitecore.com
Remote Network details   | Remote VPN server (Hub IP address) – 202.11.11.11
                         | Remote LAN Network – 10.10.10.0/24 (Dallas Network)
                         |                      192.168.1.0/24 (New York Network)
                         | Remote ID – dean@elitecore.com
Step 1: Create VPN Policy
Go to VPN > Policy > Create Policy and create a policy with the following values:
Policy Name: hub_spoke_policy
Using Template: None
Keying Method: Automatic
Allow Re-keying: Yes
Pass Data In Compressed Format: Yes
Perfect Forward Secrecy (PFS): Yes
Key life: 28800 secs
Action When Peer Is Not Active: Restart
Change other values as per your requirements.
Step 2: Create IPSec connection
Go to VPN > IPSec Connection > Create Connection and create a connection with the following values:
Connection name: Houston_NY
Policy: hub_spoke_policy
Action on restart: As required
Mode: Tunnel
Connection Type: Net to Net
Authentication Type – Preshared key
Preshared key – Specify the preshared key and forward it to the remote peer, i.e. Cyberoam_ho
Local server IP address (WAN IP address) – 202.10.10.10
Local LAN Network – 5.5.5.0/16
Local ID – john@elitecore.com
Remote server IP address – 202.11.11.11
Remote LAN Network – 10.10.10.0/24, 192.168.1.0/24
Remote ID – dean@elitecore.com
User Authentication Mode: As required
Protocol: As required
Step 3. Activate Connection
Go to VPN > IPSec Connection > Manage Connection and click the status icon under Connection Status against the Houston_NY connection.
The activated icon under Connection Status indicates that the connection is successfully activated.
Configuring Connection at Dallas branch (Spoke)
Configuration Parameters | Dallas Branch (Cyberoam_br2)
-------------------------|--------------------------------------------------
Preshared key            | Dallas_key
Local Network details    | Local Server (WAN IP address) – 202.12.12.12
                         | Local LAN address – 10.10.10.0/24
                         | Local ID – mathews@elitecore.com
Remote Network details   | Remote VPN server (Hub IP address) – 202.11.11.11
                         | Remote LAN Network – 5.5.5.0/16 (Houston Network)
                         |                      192.168.1.0/24 (New York Network)
                         | Remote ID – anthony@elitecore.com
Step 1: Create VPN Policy
Go to VPN > Policy > Create Policy and create a policy with the following values:
Policy Name: hub_spoke_policy
Using Template: None
Keying Method: Automatic
Allow Re-keying: Yes
Pass Data In Compressed Format: Yes
Perfect Forward Secrecy (PFS): Yes
Key life: 28800 secs
Action When Peer Is Not Active: Restart
Change other values as per your requirements.
Step 2: Create IPSec connection
Go to VPN > IPSec Connection > Create Connection and create a connection with the following values:
Connection name: Dallas_NY
Policy: hub_spoke_policy
Action on restart: As required
Mode: Tunnel
Connection Type: Net to Net
Authentication Type – Preshared key
Preshared key – Specify the preshared key and forward it to the remote peer, i.e. Cyberoam_ho
Local server IP address (WAN IP address) – 202.12.12.12
Local LAN Network – 10.10.10.0/24
Local ID – mathews@elitecore.com
Remote server IP address – 202.11.11.11
Remote LAN Network – 5.5.5.0/16, 192.168.1.0/24
Remote ID – anthony@elitecore.com
User Authentication Mode: As required
Protocol: As required
Step 3. Activate Connection
Go to VPN > IPSec Connection > Manage Connection and click the status icon under Connection Status against the Dallas_NY connection.
The activated icon under Connection Status indicates that the connection is successfully activated.
Note
Only one connection can be active at a time if both types of connection - Digital Certificate and Preshared Key - are created with the same source and destination. In that situation you will receive the error ‘unable to activate connection’ at activation time, so you must deactivate all other connections first.
Configuring Connection at New York (Hub)
Step 1: Create VPN zone firewall rule (only for version 9.5.8 build 24 onwards)
Go to Firewall > Create Rule and create a rule with the following values:
Source: VPN-Any Host
Destination: VPN-Any Host
Service/Service Group: All Services
Apply Schedule: All the Time
Action: Accept
Step 2: Create VPN Policy
Go to VPN > Policy > Create Policy and create a policy with the following values:
Policy Name: hub_spoke_policy
Using Template: None
Keying Method: Automatic
Allow Re-keying: Yes
Pass Data In Compressed Format: Yes
Perfect Forward Secrecy (PFS): Yes
Action When Peer Is Not Active: Hold
Change other values as per your requirements.
Step 3: Create IPSec connection for Houston branch
Configuration Parameters | New York to Houston
-------------------------|--------------------------------------------------
Preshared key            | Houston_key
Local Network details    | Local Server (WAN IP address) – 202.11.11.11
                         | Local LAN address – 192.168.1.0/24
                         |                     10.10.10.0/24
                         | Local ID – dean@elitecore.com
Remote Network details   | Remote VPN server (Houston) – 202.10.10.10
                         | Remote LAN Network – 5.5.5.0/16
                         | Remote ID – john@elitecore.com
Go to VPN > IPSec Connection > Create Connection and create a connection with the following values:
Connection name: NY_Houston
Policy: hub_spoke_policy
Action on restart: As required
Mode: Tunnel
Connection Type: Net to Net
Authentication Type – Preshared key
Preshared key – Specify the preshared key and forward it to the remote peer, i.e. Cyberoam_br1
Local server IP address (WAN IP address) – 202.11.11.11
Local LAN Network – 10.10.10.0/24, 192.168.1.0/24
Local ID – dean@elitecore.com
Remote server IP address – 202.10.10.10
Remote LAN Network – 5.5.5.0/16
Remote ID – john@elitecore.com
User Authentication Mode: As required
Protocol: As required
Step 4. Activate Connections
Go to VPN > IPSec Connection > Manage Connection and click the status icon under Connection Status against the NY_Houston connection.
The activated icon under Connection Status indicates that the connection is successfully activated.
Step 5: Create IPSec connection for Dallas branch
Configuration Parameters | New York to Dallas
-------------------------|--------------------------------------------------
Preshared key            | Dallas_key
Local Network details    | Local Server (WAN IP address) – 202.11.11.11
                         | Local LAN address – 192.168.1.0/24
                         |                     5.5.5.0/16
                         | Local ID – anthony@elitecore.com
Remote Network details   | Remote VPN server (Dallas) – 202.12.12.12
                         | Remote LAN Network – 10.10.10.0/24
                         | Remote ID – mathews@elitecore.com
Go to VPN > IPSec Connection > Create Connection and create a connection with the following values:
Connection name: NY_Dallas
Policy: hub_spoke_policy
Action on restart: As required
Mode: Tunnel
Connection Type: Net to Net
Authentication Type – Preshared key
Preshared key – Specify the preshared key and forward it to the remote peer, i.e. Cyberoam_br2
Local server IP address (WAN IP address) – 202.11.11.11
Local LAN Network – 5.5.5.0/16, 192.168.1.0/24
Local ID – anthony@elitecore.com
Remote server IP address – 202.12.12.12
Remote LAN Network – 10.10.10.0/24
Remote ID – mathews@elitecore.com
User Authentication Mode: As required
Protocol: As required
Step 6. Activate Connections
Go to VPN > IPSec Connection > Manage Connection and click the status icon under Connection Status against the NY_Dallas connection.
The activated icon under Connection Status indicates that the connection is successfully activated.
Note
Only one connection can be active at a time if both types of connection - Digital Certificate and Preshared Key - are created with the same source and destination. In that situation you will receive the error ‘unable to activate connection’ at activation time, so you must deactivate all other connections first.
Step 7. Establish Connections
Once all three appliances are configured, you can establish the connections. A connection can be established from either of its two ends.
Go to VPN > IPSec Connection > Manage Connection and click the status icon against the connection.
The established icon under Connection Status indicates that the connection is successfully established.
If you are not able to establish the connection, check the VPN log from the Telnet Console. Refer to the VPN Troubleshooting Guide for log explanations and error solutions.
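The design above only carries spoke-to-spoke traffic if every spoke's Remote LAN Network list covers the hub LAN plus every other spoke's LAN, and if each tunnel is defined as a mirror image at both ends (same preshared key, swapped IDs, swapped selectors). The following Python script is an added example, not part of the Cyberoam article: it encodes the four connections from the steps above and flags any mismatch before activation; the checker functions are hypothetical, and it normalises 5.5.5.0/16 (which has host bits set) to 5.5.0.0/16.

```python
from ipaddress import ip_network
from itertools import combinations
def nets(items):
    # 5.5.5.0/16 as the article writes it has host bits set; strict=False normalises it to 5.5.0.0/16
    return {ip_network(n, strict=False) for n in items}
# One entry per "Create IPSec connection" step above (values copied from the article's tables);
# the checker itself is an added, hypothetical tool, not a Cyberoam feature.
CONNECTIONS = [
    {"name": "Houston_NY", "local_ip": "202.10.10.10", "remote_ip": "202.11.11.11", "psk": "Houston_key",
     "local_nets": ["5.5.5.0/16"], "remote_nets": ["10.10.10.0/24", "192.168.1.0/24"],
     "local_id": "john@elitecore.com", "remote_id": "dean@elitecore.com"},
    {"name": "Dallas_NY", "local_ip": "202.12.12.12", "remote_ip": "202.11.11.11", "psk": "Dallas_key",
     "local_nets": ["10.10.10.0/24"], "remote_nets": ["5.5.5.0/16", "192.168.1.0/24"],
     "local_id": "mathews@elitecore.com", "remote_id": "anthony@elitecore.com"},
    {"name": "NY_Houston", "local_ip": "202.11.11.11", "remote_ip": "202.10.10.10", "psk": "Houston_key",
     "local_nets": ["10.10.10.0/24", "192.168.1.0/24"], "remote_nets": ["5.5.5.0/16"],
     "local_id": "dean@elitecore.com", "remote_id": "john@elitecore.com"},
    {"name": "NY_Dallas", "local_ip": "202.11.11.11", "remote_ip": "202.12.12.12", "psk": "Dallas_key",
     "local_nets": ["5.5.5.0/16", "192.168.1.0/24"], "remote_nets": ["10.10.10.0/24"],
     "local_id": "anthony@elitecore.com", "remote_id": "mathews@elitecore.com"},
]

def check_mirrors(conns):
    """Both ends of a tunnel must share the PSK and mirror each other's IDs and LAN selectors."""
    problems = []
    for a, b in combinations(conns, 2):
        if (a["local_ip"], a["remote_ip"]) != (b["remote_ip"], b["local_ip"]):
            continue  # not the two ends of one tunnel
        if a["psk"] != b["psk"]:
            problems.append(f"{a['name']}/{b['name']}: preshared keys differ")
        if a["local_id"] != b["remote_id"] or b["local_id"] != a["remote_id"]:
            problems.append(f"{a['name']}/{b['name']}: Local ID / Remote ID not mirrored")
        if nets(a["local_nets"]) != nets(b["remote_nets"]) or nets(b["local_nets"]) != nets(a["remote_nets"]):
            problems.append(f"{a['name']}/{b['name']}: LAN selectors not mirrored")
    return problems

def check_transit(conns, hub_ip, hub_lan):
    """Each spoke must reach the hub LAN and every other spoke LAN via the hub; site LANs must not overlap."""
    spokes = [c for c in conns if c["remote_ip"] == hub_ip]
    problems = []
    for s in spokes:
        needed = nets([hub_lan]) | {n for o in spokes if o is not s for n in nets(o["local_nets"])}
        for missing in sorted(needed - nets(s["remote_nets"])):
            problems.append(f"{s['name']}: {missing} missing from Remote LAN Network")
    lans = sorted(nets([hub_lan]) | {n for s in spokes for n in nets(s["local_nets"])})
    for x, y in combinations(lans, 2):
        if x.overlaps(y):
            problems.append(f"overlapping LANs {x} and {y}")
    return problems
```

Run both checks with the hub's WAN IP (202.11.11.11) and LAN (192.168.1.0/24); an empty list from each means the selectors match the article's tables.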
Testing Connection
To check connectivity between the New York office and the Houston branch in both directions:
· ping the Cyberoam_br1 LAN interface from the Cyberoam_ho LAN interface
· ping the Cyberoam_ho LAN interface from the Cyberoam_br1 LAN interface
To check connectivity between the New York office and the Dallas branch in both directions:
· ping the Cyberoam_br2 LAN interface from the Cyberoam_ho LAN interface
· ping the Cyberoam_ho LAN interface from the Cyberoam_br2 LAN interface
To check connectivity between the Houston branch and the Dallas branch (via the hub) in both directions:
· ping the Cyberoam_br2 LAN interface from the Cyberoam_br1 LAN interface
· ping the Cyberoam_br1 LAN interface from the Cyberoam_br2 LAN interface
Reference Documents
· VPN Troubleshooting Guide
Document version: 96016-2.0-05/06/2009