Applicable to Version: 9.4.0 build 2 onwards
This article describes a detailed configuration example that demonstrates how to configure a net-to-net IPSec VPN tunnel between a Cyberoam and a SonicWall using certificates to authenticate the VPN peers.
It is assumed that the reader has a working knowledge of Cyberoam and SonicWall appliance configuration.
Prerequisite: Set the same Date and Time on both peers. Refer to the Cyberoam Console Guide for setting the date and time.
Throughout the article we will use the network parameters as shown in the diagram below. Please check the attachment to view the document along with the diagrams.
Cyberoam Configuration
Step 1. Generate Local Certificate
Go to VPN -> Certificate -> New Certificate and click Self Signed Certificate to create the certificate. Create the certificate with the following values:
Certificate name: CR_cert
Valid up to: As required
Key length: As required
Password: As required
Certificate ID: john@elitecore.com
Step 2. Generate Remote Certificate
Go to VPN -> Certificate -> New Certificate and click Self Signed Certificate to create the certificate. Create the certificate with the following values:
Certificate name: SW_cert
Valid up to: As required
Key length: As required
Password: As required
Certificate ID: dean@elitecore.com
Step 3. Download the Certificate generated in step 2 and forward it to the Remote user
Go to VPN -> Certificate -> Manage Certificate and click Download against SW_cert. The certificate is downloaded in tar.gz format; it can be extracted using WinZip or WinRAR.
This certificate is to be uploaded on the SonicWall.
Step 4. Create IPSec connection
Go to VPN -> IPSec Connection -> Create Connection and create the connection with the following values:
Connection name: CR_SW
Policy: Default Policy
Action on restart: As required
Mode: Tunnel
Connection Type: Net to Net
Authentication Type: Digital Certificate
Local Certificate: Select the certificate created in step 1, i.e. CR_cert
Remote Certificate: Select the certificate created in step 2, i.e. SW_cert
Local server IP address (WAN IP address): 192.168.15.204 (Cyberoam WAN IP)
Local Internal Network: 8.8.8.0/24
Local ID: Automatically displays the ID specified in the Local certificate created in step 1, i.e. john@elitecore.com
Remote server IP address (WAN IP address): 192.168.13.71 (SonicWall WAN IP)
Remote Internal Network: 172.18.1.0/24
Remote ID: Automatically displays the ID specified in the Remote certificate created in step 2, i.e. dean@elitecore.com
User Authentication Mode: As required
Protocol: As required
Step 5. Activate Connection
Go to VPN -> IPSec Connection -> Manage Connection
To activate the connection, click the icon shown against the CR_SW connection.
The icon shown under Connection Status indicates that the connection is successfully activated.
Note
Only one connection can be active at a time if both types of connection - Digital Certificate and Preshared Key - are created with the same source and destination. In such a situation, at the time of activation you will receive the error ‘unable to activate connection’; hence you need to deactivate all other connections first.
SonicWall Configuration
Step 6. Obtain and Upload Remote Certificate created in Cyberoam
Unzip the certificate bundle received from the Remote user, i.e. Cyberoam, and extract Password.txt and the .p12 file.
Go to System -> Certificates and specify the following values:
Select ‘Import a local end-user certificate with private key from a PKCS#12 (.p12 or .pfx) encoded file’
Certificate name: As required
Certificate Management Password: As specified in the Password.txt file
Please select a file to import: Using Browse, select the .p12 file from the folder in which the zip file was extracted
If the certificate is imported successfully, the Certificate list will include both the CA certificate and the certificate itself.
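Before importing the bundle on the SonicWall, it is worth confirming that it is the certificate you expect: that the bundle opens with the password from Password.txt, that its identity (the e-mail entered as Certificate ID, which becomes the IKE ID) matches, and that its validity window covers the local clock, which is where a date/time mismatch between the peers first shows up. The following shell function is an added check and is not part of the original article; it assumes openssl is available, that the tar.gz has already been extracted, and that the first line of Password.txt is the bundle password.

```shell
#!/bin/sh
# Added check, not from the original article. Assumes openssl on PATH and that
# Password.txt's first line is the bundle password (assumed bundle layout).
# Usage: check_vpn_cert <bundle.p12> <Password.txt> <expected Certificate ID>
# Exit codes: 0 ok, 2 bundle unreadable or wrong password, 3 identity mismatch,
# 4 certificate not valid under the local clock or not signed by the bundled CA.
check_vpn_cert() {
    p12="$1"; pwfile="$2"; expected="$3"
    pass=$(head -n 1 "$pwfile" | tr -d '\r\n')
    tmp=$(mktemp -d) || return 2
    # End-entity certificate only (old RC2-encrypted bundles may additionally
    # need "-legacy" with OpenSSL 3).
    if ! openssl pkcs12 -in "$p12" -clcerts -nokeys -passin "pass:$pass" \
            -out "$tmp/ee.pem" 2>/dev/null; then
        rm -rf "$tmp"; return 2
    fi
    # CA that signed the certificate; fall back to the certificate itself when
    # the bundle carries no separate CA (a plain self-signed certificate).
    openssl pkcs12 -in "$p12" -cacerts -nokeys -passin "pass:$pass" \
        -out "$tmp/ca.pem" 2>/dev/null
    grep -q 'BEGIN CERTIFICATE' "$tmp/ca.pem" 2>/dev/null || cp "$tmp/ee.pem" "$tmp/ca.pem"
    # Identity: an e-mail in the subject or subjectAltName must equal the
    # Certificate ID configured on Cyberoam, since that is what the IKE ID is.
    ids=$( { openssl x509 -in "$tmp/ee.pem" -noout -subject;
             openssl x509 -in "$tmp/ee.pem" -noout -ext subjectAltName; } 2>/dev/null \
           | grep -oE '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+' )
    if ! printf '%s\n' "$ids" | grep -qxF "$expected"; then
        rm -rf "$tmp"; return 3
    fi
    # Chain and validity window, judged by this host's clock: clock skew between
    # the peers surfaces here as "not yet valid" or "has expired".
    if ! openssl verify -CAfile "$tmp/ca.pem" "$tmp/ee.pem" >/dev/null 2>&1; then
        rm -rf "$tmp"; return 4
    fi
    rm -rf "$tmp"
    return 0
}
```

Run it as `check_vpn_cert SW_cert.p12 Password.txt dean@elitecore.com` from the extracted folder; a non-zero exit code tells you which of the three checks failed before the SonicWall import reports a less specific error.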
Step 7. Add Address Object to define remote network that is to be connected via VPN tunnel
Go to Network -> Address Object and click ADD under Address Objects and create the object with the following values:
Name: CR_LAN
Zone: VPN
Type: Network
Network: 8.8.8.0, i.e. the network defined as Local Internal Network in Cyberoam
Mask: 255.255.255.0, i.e. the subnet mask for the above network
Step 8. Create VPN Policy
Go to VPN -> Settings and click ADD under VPN Policies
A. Input following values in the General Tab fields:
Authentication Method: IKE using 3rd Party Certificates
Name: sonicwall_2_cyberoam
IPsec Primary Gateway Name or Address: 192.168.15.204, i.e. the WAN IP of Cyberoam
IPsec Secondary Gateway Name or Address: Blank
Local Certificate: Certificate imported in step 6
Peer IKE ID Type: E-mail ID
Peer IKE ID: john@elitecore.com (IKE ID of Cyberoam)
B. Input following values in the Network Tab fields:
Under Local Networks
Choose local network from list: LAN Subnets (Contains pre-defined object for LAN network)
Under Destination Networks
Choose destination network from list: CR_LAN, i.e. the object created for the Cyberoam network in step 7
C. Input following values in the Proposals Tab fields:
IKE Phase I Proposal
Exchange: Main Mode
DH Group: 2
Encryption: 3DES
Authentication: MD5
Life Time (seconds): 3600
IPsec (Phase 2) Proposal
Protocol: ESP
Encryption: 3DES
Authentication: MD5
Enable PFS: Yes
DH Group: 2
Life Time (seconds): 3600
The VPN Policy is automatically enabled if it is created successfully.
If the SonicWall is able to establish the connection with Cyberoam successfully, the connection/tunnel details will be displayed under Currently Active VPN Tunnels.
Step 9. Establish Connection from Cyberoam
Go to VPN -> IPSec Connection -> Manage Connection
To establish the connection/tunnel, click the icon shown under Connection Status against the CR_SW connection.
The icon shown under Connection Status indicates that the connection/tunnel is successfully established.
Points to be noted
· The connection can be initiated from either of the peers, provided the connection is ‘Active’ in Cyberoam.
· If you try to connect from Cyberoam when the SonicWall VPN policy is not enabled, Cyberoam will display the ‘Unable to establish connection’ message.
· One can re-establish the connection from the SonicWall by enabling the VPN policy manually, but only if the connection is ‘Active’ in Cyberoam.
Reference Documents
· VPN Troubleshooting Guide
· Cyberoam Console Guide
Document Version: 9402-1.0-15/11/2006