Create Hub and Spoke IPSec VPN Network

This article describes how to configure Cyberoam Firewall/VPN in a hub and spoke VPN system, as might be used in a headquarters with many branch offices.

 

In a hub and spoke network, all VPN tunnels terminate at the hub. The hub functions as a concentrator, managing all VPN connections between the spokes. There is no direct site-to-site connection between the spokes; VPN traffic from one spoke passes through the hub into the other spoke's tunnel.

 

In the example used throughout this article, the IP addresses given below are assigned to the Cyberoam appliances deployed at the head office and two branches. Follow the steps to set up a hub-and-spoke VPN among the Houston branch (Cyberoam_br1), the Dallas branch (Cyberoam_br2) and the New York head office (Cyberoam_ho).

 

IP addressing scheme

 

Hub - New York office (Cyberoam_ho)

LAN IP address – 192.168.1.0/24

WAN IP address – 202.11.11.11

 

Spoke 1 – Houston Branch (Cyberoam_br1)

LAN IP address – 5.5.5.0/16

WAN IP address – 202.10.10.10

 

Spoke 2 – Dallas Branch (Cyberoam_br2)

LAN IP address – 10.10.10.0/24

WAN IP address – 202.12.12.12

 

 

 

Configuring Connection at Houston branch (Spoke)

 

Configuration Parameters

Houston Branch (Cyberoam_br1)

Preshared key

Houston_key

Local Network details

Local Server (WAN IP address) – 202.10.10.10

Local LAN address – 5.5.5.0/16

Local ID – john@elitecore.com

Remote Network details

Remote VPN server (Hub IP address) – 202.11.11.11

Remote LAN Network –

10.10.10.0/24 (Dallas Network)

192.168.1.0/24 (New York Network)

Remote ID – dean@elitecore.com

 

Step 1: Create VPN Policy

Go to VPN → Policy → Create Policy and create a policy with the following values:

 

Policy Name: hub_spoke_policy

Using Template: None

Keying Method: Automatic

Allow Re-keying: Yes

Pass Data In Compressed Format: Yes

Perfect Forward Secrecy (PFS): Yes

Key life: 28800 secs

Action When Peer Is Not Active: Restart

 

Change other values as per your requirements.

 

Step 2: Create IPSec connection

Go to VPN → IPSec Connection → Create Connection and create a connection with the following values:

 

Connection name: Houston_NY

Policy: hub_spoke_policy

Action on restart: As required

Mode: Tunnel

Connection Type: Net to Net

 

Authentication Type – Preshared key

Preshared key – Specify Preshared key. Forward this key to the remote peer i.e. Cyberoam_ho

 

Local server IP address (WAN IP address) – 202.10.10.10

Local LAN Network – 5.5.5.0/16

Local ID – john@elitecore.com

 

Remote server IP address – 202.11.11.11

Remote LAN Network – 10.10.10.0/24, 192.168.1.0/24

Remote ID – dean@elitecore.com

 

User Authentication Mode: As required

Protocol: As required

 

Step 3. Activate Connection

Go to VPN → IPSec Connection → Manage Connection and click the icon under Connection Status against the Houston_NY connection.

 

The icon under Connection Status indicates that the connection is successfully activated.

 

 

Configuring Connection at Dallas branch (Spoke)

 

Configuration Parameters

Dallas Branch (Cyberoam_br2)

Preshared key

Dallas_key

Local Network details

Local Server (WAN IP address) – 202.12.12.12

Local LAN address – 10.10.10.0/24

Local ID – mathews@elitecore.com

Remote Network details

Remote VPN server (Hub IP address) – 202.11.11.11

Remote LAN Network –

5.5.5.0/16 (Houston Network)

192.168.1.0/24 (New York Network)

Remote ID – anthony@elitecore.com

 

Step 1: Create VPN Policy

Go to VPN → Policy → Create Policy and create a policy with the following values:

 

Policy Name: hub_spoke_policy

Using Template: None

Keying Method: Automatic

Allow Re-keying: Yes

Pass Data In Compressed Format: Yes

Perfect Forward Secrecy (PFS): Yes

Key life: 28800 secs

Action When Peer Is Not Active: Restart

 

Change other values as per your requirements.

 

Step 2: Create IPSec connection

Go to VPN → IPSec Connection → Create Connection and create a connection with the following values:

 

Connection name: Dallas_NY

Policy: hub_spoke_policy

Action on restart: As required

Mode: Tunnel

Connection Type: Net to Net

 

Authentication Type – Preshared key

Preshared key – Specify the preshared key. Forward this key to the remote peer, i.e. Cyberoam_ho

 

Local server IP address (WAN IP address) – 202.12.12.12

Local LAN Network – 10.10.10.0/24

Local ID – mathews@elitecore.com

 

Remote server IP address – 202.11.11.11

Remote LAN Network – 5.5.5.0/16, 192.168.1.0/24

Remote ID – anthony@elitecore.com

 

User Authentication Mode: As required

Protocol: As required

 

Step 3. Activate Connection

Go to VPN → IPSec Connection → Manage Connection and click the icon under Connection Status against the Dallas_NY connection.

 

The icon under Connection Status indicates that the connection is successfully activated.

 

 

Note

Only one connection can be active at a time if connections of both types, Digital Certificate and Preshared Key, are created with the same source and destination. In that situation the error ‘unable to activate connection’ is returned at activation time, and you must deactivate all other connections first.

 

 

Configuring Connection at New York (Hub)

 

Step 1: Create VPN zone firewall rule (only for version 9.5.8 build 24 onwards)

Go to Firewall → Create Rule and create a rule with the following values:
Source: VPN-Any Host

Destination: VPN-Any Host

Service/Service Group: All Services

Apply Schedule: All the Time

Action: Accept

Step 2: Create VPN Policy

Go to VPN → Policy → Create Policy and create a policy with the following values:

 

Policy Name: hub_spoke_policy

Using Template: None

Keying Method: Automatic

Allow Re-keying: Yes

Pass Data In Compressed Format: Yes

Perfect Forward Secrecy (PFS): Yes

Action When Peer Is Not Active: Hold

 

Change other values as per your requirements.

 

Step 3: Create IPSec connection for Houston branch

 

Configuration Parameters

New York to Houston

Preshared key

Houston_key

Local Network details

Local Server (WAN IP address) – 202.11.11.11

Local LAN address –

192.168.1.0/24

10.10.10.0/24

Local ID – dean@elitecore.com

Remote Network details

Remote VPN server (Houston) – 202.10.10.10

Remote LAN Network –

5.5.5.0/16

Remote ID – john@elitecore.com

 

Go to VPN → IPSec Connection → Create Connection and create a connection with the following values:

 

Connection name: NY_Houston

Policy: hub_spoke_policy

Action on restart: As required

Mode: Tunnel

Connection Type: Net to Net

 

Authentication Type – Preshared key

Preshared key – Specify Preshared key. Forward this key to the remote peer i.e. Cyberoam_br1

 

Local server IP address (WAN IP address) – 202.11.11.11

Local LAN Network – 10.10.10.0/24, 192.168.1.0/24

Local ID – dean@elitecore.com

 

Remote server IP address – 202.10.10.10

Remote LAN Network – 5.5.5.0/16

Remote ID – john@elitecore.com

 

User Authentication Mode: As required

Protocol: As required

 

Step 4. Activate Connections

Go to VPN → IPSec Connection → Manage Connection and click the icon under Connection Status against the NY_Houston connection.

 

The icon under Connection Status indicates that the connection is successfully activated.

 

Step 5: Create IPSec connection for Dallas branch

 

Configuration Parameters

New York to Dallas

Preshared key

Dallas_key

Local Network details

Local Server (WAN IP address) – 202.11.11.11

Local LAN address –

192.168.1.0/24

5.5.5.0/16

Local ID – anthony@elitecore.com

Remote Network details

Remote VPN server (Dallas) – 202.12.12.12

Remote LAN Network –

10.10.10.0/24

Remote ID – mathews@elitecore.com

 

Go to VPN → IPSec Connection → Create Connection and create a connection with the following values:

 

Connection name: NY_Dallas

Policy: hub_spoke_policy

Action on restart: As required

Mode: Tunnel

Connection Type: Net to Net

 

Authentication Type – Preshared key

Preshared key – Specify Preshared key. Forward this key to the remote peer i.e. Cyberoam_br2

 

Local server IP address (WAN IP address) – 202.11.11.11

Local LAN Network – 5.5.5.0/16, 192.168.1.0/24

Local ID – anthony@elitecore.com

 

Remote server IP address – 202.12.12.12

Remote LAN Network – 10.10.10.0/24

Remote ID – mathews@elitecore.com

 

User Authentication Mode: As required

Protocol: As required

 

Step 6. Activate Connections

Go to VPN → IPSec Connection → Manage Connection and click the icon under Connection Status against the NY_Dallas connection.

 

The icon under Connection Status indicates that the connection is successfully activated.

 

Note

Only one connection can be active at a time if connections of both types, Digital Certificate and Preshared Key, are created with the same source and destination. In that situation the error ‘unable to activate connection’ is returned at activation time, and you must deactivate all other connections first.

 

Step 7. Establish Connections

 

Once all three appliances are configured, you can establish the connection. The connection can be established from any one of them.

 

Go to VPN → IPSec Connection → Manage Connection and click the icon against the connection.

The icon under Connection Status indicates that the connection is successfully established.

 

If you are not able to establish the connection, check the VPN log from the Telnet Console. Refer to the VPN Troubleshooting Guide for log explanations and error resolution.
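Before activating, it is worth checking that the three sets of parameters above actually mirror each other, since a hub-and-spoke setup is typed in six times by hand. The following Python script is an added example and not part of this article or of Cyberoam: it encodes the connection values from the tables above in its own Conn structure (not a Cyberoam API), verifies that each hub-side connection mirrors its spoke (local and remote swapped, same preshared key), verifies that each spoke lists the hub LAN plus every other spoke LAN as remote networks (spoke-to-spoke traffic transits the hub), and reports any CIDR whose host bits are set.

```python
import ipaddress
from collections import namedtuple

# One Net-to-Net connection as entered on one appliance (this example's own structure).
Conn = namedtuple("Conn", "name local_ip local_nets local_id "
                          "remote_ip remote_nets remote_id psk")

def normalise(cidrs):
    """Parse CIDRs into a set of networks; report any whose host bits are set."""
    nets, warnings = set(), []
    for c in cidrs:
        net = ipaddress.ip_network(c, strict=False)
        if str(net) != c:
            warnings.append(f"{c} has host bits set, normalised to {net}")
        nets.add(net)
    return nets, warnings

def check_mirror(a, b):
    """Problems between the two ends of one tunnel (a on one box, b on its peer)."""
    problems = []
    if (a.remote_ip, a.remote_id) != (b.local_ip, b.local_id) or \
       (b.remote_ip, b.remote_id) != (a.local_ip, a.local_id):
        problems.append(f"{a.name}/{b.name}: gateway IP or ID not mirrored")
    if normalise(a.remote_nets)[0] != normalise(b.local_nets)[0] or \
       normalise(b.remote_nets)[0] != normalise(a.local_nets)[0]:
        problems.append(f"{a.name}/{b.name}: LAN networks not mirrored")
    if a.psk != b.psk:
        problems.append(f"{a.name}/{b.name}: preshared keys differ")
    return problems

def check_transit(hub_lan, spokes):
    """Each spoke must list the hub LAN plus every other spoke's LAN as remote."""
    problems = []
    for s in spokes:
        others = [n for o in spokes if o is not s for n in o.local_nets]
        if normalise(s.remote_nets)[0] != normalise([hub_lan] + others)[0]:
            problems.append(f"{s.name}: remote LANs must cover hub and other spokes")
    return problems

# Constructed from the article's tables: spoke-side entry, then its hub-side mirror.
HOUSTON = Conn("Houston_NY", "202.10.10.10", ("5.5.5.0/16",), "john@elitecore.com",
               "202.11.11.11", ("10.10.10.0/24", "192.168.1.0/24"), "dean@elitecore.com", "Houston_key")
NY_HOUSTON = Conn("NY_Houston", "202.11.11.11", ("10.10.10.0/24", "192.168.1.0/24"), "dean@elitecore.com",
                  "202.10.10.10", ("5.5.5.0/16",), "john@elitecore.com", "Houston_key")
DALLAS = Conn("Dallas_NY", "202.12.12.12", ("10.10.10.0/24",), "mathews@elitecore.com",
              "202.11.11.11", ("5.5.5.0/16", "192.168.1.0/24"), "anthony@elitecore.com", "Dallas_key")
NY_DALLAS = Conn("NY_Dallas", "202.11.11.11", ("5.5.5.0/16", "192.168.1.0/24"), "anthony@elitecore.com",
                 "202.12.12.12", ("10.10.10.0/24",), "mathews@elitecore.com", "Dallas_key")
HUB_LAN = "192.168.1.0/24"
```

Run check_mirror on each spoke/hub pair and check_transit over both spokes; an empty list means the entries agree, while normalise flags 5.5.5.0/16 because its host bits are set.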

 

 

Testing Connection

 

To check connectivity between the New York office and the Houston branch, in both directions:

· ping the Cyberoam_br1 LAN interface from the Cyberoam_ho LAN interface

· ping the Cyberoam_ho LAN interface from the Cyberoam_br1 LAN interface

 

To check connectivity between the New York office and the Dallas branch, in both directions:

· ping the Cyberoam_br2 LAN interface from the Cyberoam_ho LAN interface

· ping the Cyberoam_ho LAN interface from the Cyberoam_br2 LAN interface

 

To check connectivity between the Houston branch and the Dallas branch, in both directions:

· ping the Cyberoam_br2 LAN interface from the Cyberoam_br1 LAN interface

· ping the Cyberoam_br1 LAN interface from the Cyberoam_br2 LAN interface

 

 

Reference Documents

· VPN Troubleshooting Guide

 
 
 

Document version: 96016-2.0-05/06/2009

 

Article ID: 288