 
Establish VPN tunnel between Cyberoam and Firebox (WatchGuard) using Preshared key

Applicable to Version: 9.4.0 build 2 onwards

 

This article gives a detailed configuration example showing how to set up a net-to-net IPSec VPN tunnel between Cyberoam and WatchGuard, using a preshared key to authenticate the VPN peers.

 

It is assumed that the reader has a working knowledge of Cyberoam and WatchGuard appliance configuration.

 

Information to be gathered about both peers before configuration

1.    Connection details - Encryption algorithm, Authentication Algorithm and DH/PFS Group

2.    Server IP addresses

3.    Internal Network Subnet

4.    Local and Remote ID

 

Cyberoam Configuration

 

Step 1: Create IPSec connection

Go to VPN → IPSec Connection → Create Connection and create connection with the following values:

 

Connection name: cr_2_wg

Policy: Default Policy

Action on restart: As required

Mode: Tunnel

Connection Type: Net to Net

 

Authentication Type – Preshared key

Preshared key – Specify the preshared key. Forward this key to the remote peer (WatchGuard), as both peers must use the same preshared key.

 

Local server IP address (WAN IP address) – 192.168.15.204

Local Internal Network – 8.8.8.0/24

Local ID – 1.1.1.2 (Specify this IP address as ID Type in Remote Gateway Settings in WatchGuard)

 

Remote server IP address (WAN IP address) – 192.168.1.194

Remote Internal Network – 112.12.1.0/24

Remote ID – 192.168.1.194

 

User Authentication Mode: As required

Protocol: As required

 

Step 2. Activate Connection and establish Tunnel

Go to VPN → IPSec Connection → Manage Connection

To activate the connection, click [icon] under Connection Status against the cr_2_wg connection.

 

[icon] under Connection Status indicates that the connection is successfully activated.

 

 

Note

Only one connection can be active at a time if both types of connection, Digital Certificate and Preshared Key, are created with the same source and destination. In that situation you will receive the error ‘unable to activate connection’ at the time of activation, so you need to deactivate all other connections.

 

WatchGuard Configuration

 

Step 3. Configure Gateway from Policy Manager

 

Go to VPN → Branch Office Gateways → Add and create Gateway with the following values:

 

Gateway name: wg_2_cr

 

Remote Gateway Settings

Gateway IP: 192.168.15.204 (Cyberoam WAN IP address)

ID Type: IP Address: 1.1.1.2 (Specified as Local ID Type in IPSec Connection in Cyberoam)

 

Local Gateway Settings

ID Type: IP Address: 192.168.1.194 (Select the IP address from the adjacent drop-down list. All configured Firebox interface IP addresses are shown)

 

Credential Method

Pre-Shared Key: As specified in IPSec Connection in Cyberoam

 

Phase1 Settings

Authentication: MD5

Encryption: 3DES

Mode: Main

 

Phase1 Advanced Settings

Key Group: Diffie-Hellman Group2

 

Step 4. Configure Tunnel from Policy Manager

 

Go to VPN → Branch Office Tunnels → Add tunnel with the following values:

 

Tunnel name: cr_tunnel

Gateway: wg_2_cr (as created in step 1)

 

Phase2 Settings

Proposals: ESP-3DES-MD5

PFS: Enable, Diffie-Hellman Group2

 

Addresses

Local address: Network IP: 112.12.1.0/24 (WatchGuard Network)

Remote Address: Network IP: 8.8.8.0/24 (Specified as Local Internal Network IP in Cyberoam IPSec connection)

 

Step 5. Save configuration

Go to File → Save → To Firebox

 

Step 6. Establish Connection from Cyberoam

Go to VPN → IPSec Connection → Manage Connection

To establish the connection/tunnel, click [icon] under Connection Status against the cr_2_wg connection.

 

[icon] under Connection Status indicates that the connection/tunnel is successfully established.
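
The steps above only work if each WatchGuard value mirrors its Cyberoam counterpart. The following check is an added example, not part of the original article or of either vendor's tooling: it compares the mirrored fields and also lists the legacy algorithms in the WatchGuard proposals. The dictionary layout, field names and PSK placeholder are assumptions; the addresses and algorithms are the article's.

```python
import ipaddress

# Settings transcribed from the article. The PSK strings are constructed
# placeholders; the dictionary layout and field names are assumptions.
CYBEROAM = {
    "local_wan": "192.168.15.204",
    "local_net": "8.8.8.0/24", "remote_net": "112.12.1.0/24",
    "local_id": "1.1.1.2", "remote_id": "192.168.1.194", "psk": "EXAMPLE-PSK",
}
WATCHGUARD = {
    "remote_gateway": "192.168.15.204",
    "local_net": "112.12.1.0/24", "remote_net": "8.8.8.0/24",
    "local_id": "192.168.1.194", "remote_id": "1.1.1.2", "psk": "EXAMPLE-PSK",
    "phase1": {"auth": "MD5", "enc": "3DES", "dh": 2},
    "phase2": {"auth": "MD5", "enc": "3DES", "dh": 2},
}
# (Cyberoam field, WatchGuard field) pairs that must describe the same value.
MIRROR = [
    ("local_wan", "remote_gateway"), ("local_net", "remote_net"),
    ("remote_net", "local_net"), ("local_id", "remote_id"),
    ("remote_id", "local_id"), ("psk", "psk"),
]
# Algorithms superseded by stronger choices (SHA-2, AES, larger DH groups).
LEGACY = {"auth": {"MD5"}, "enc": {"DES", "3DES"}, "dh": {1, 2}}

def _norm(field, value):
    if field == "psk":
        return value  # compared byte for byte; stray whitespace is a mismatch
    if field.endswith("_net"):
        # Accepts both 8.8.8.0/24 and 8.8.8.0/255.255.255.0 notation.
        return ipaddress.ip_network(value)
    return ipaddress.ip_address(value)

def mirror_mismatches(cr, wg):
    """Return the field pairs that disagree (names only, never the PSK)."""
    return [f"{a}/{b}" for a, b in MIRROR if _norm(a, cr[a]) != _norm(b, wg[b])]

def legacy_proposals(peer):
    """Return the phase settings that use a legacy algorithm or DH group."""
    return [f"{phase}.{key}={peer[phase][key]}"
            for phase in ("phase1", "phase2")
            for key, weak in LEGACY.items() if peer[phase][key] in weak]

if __name__ == "__main__":
    print("mismatches:", mirror_mismatches(CYBEROAM, WATCHGUARD))
    print("legacy:", legacy_proposals(WATCHGUARD))
```

Cyberoam's phase settings are not listed here because the article selects "Default Policy" without showing its contents.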

 

Reference Documents

· VPN Troubleshooting Guide

Document Version: 9402-1.0-12/12/2006

 

Article ID: 55