Objective
This article describes how to set up the Cyberoam VPN Client to connect securely to a Cyberoam appliance for remote access using digital certificates. The following sections are included:
· Case I – Peers using different Certificate Authorities (CA)
· Case II – Peers using a trusted third-party CA
This is commonly called a "road warrior" configuration because the client is typically a laptop used from remote locations and connected over the internet through service providers or dialup connections. The most common use of this scenario is when you are at home or on the road and want access to the corporate network.
Configuration Table

Configuration Parameters         Cyberoam                                          Cyberoam VPN Client
IPSec Connection (Road warrior)  Local Network details                             Local Network details
                                 Cyberoam WAN IP address – 192.168.15.204          VPN Client IP address – *
                                 Local Internal Network – 172.16.16.0/24           Local Internal Network – 0.0.0.0/0
                                 Remote Network details                            Remote Network details
                                 Remote VPN server IP address – *                  Remote VPN server IP address – 192.168.15.204
                                 Remote Internal Network – 0.0.0.0/0               Remote Internal Network – 172.16.16.0/24
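The two columns of this table have to be mirror images of each other: each side's Local Internal Network is the other side's Remote Internal Network, and the client's Remote VPN server address is the Cyberoam WAN IP. The following is an added example, not part of the original article or a Cyberoam tool, that checks a pair of peer configurations for that symmetry (the dictionary layout and function names are my own); it also catches a prefix typo such as 0.0.0.0/24 where 0.0.0.0/0 was meant.

```python
import ipaddress

# Peer configurations constructed from the article's configuration table:
# the Cyberoam side and the VPN Client side of the road-warrior connection.
CYBEROAM_SIDE = {
    "gateway": "192.168.15.204",      # Cyberoam WAN IP address
    "local_net": "172.16.16.0/24",    # Local Internal Network
    "remote_host": "*",               # any client address (road warrior)
    "remote_net": "0.0.0.0/0",        # Remote Internal Network
}
CLIENT_SIDE = {
    "gateway": "*",                   # client address is not fixed
    "local_net": "0.0.0.0/0",         # all client traffic enters the tunnel
    "remote_host": "192.168.15.204",  # Remote VPN server IP address
    "remote_net": "172.16.16.0/24",   # Remote Internal Network
}


def _net(cidr):
    # ip_network() rejects malformed CIDRs and host bits set in the prefix
    return ipaddress.ip_network(cidr)


def check_peer_config(a, b):
    """Return a list of mismatches between two IPSec peer configurations.

    Phase 2 selectors must mirror each other: A's local network must equal
    B's remote network and vice versa. Each side's Remote Host must be the
    peer's gateway, where '*' accepts any address (road-warrior client).
    An empty list means the two sides are consistent.
    """
    problems = []
    for mine, theirs, label in (
        (a["local_net"], b["remote_net"], "A local / B remote"),
        (b["local_net"], a["remote_net"], "B local / A remote"),
    ):
        if _net(mine) != _net(theirs):
            problems.append(f"Phase 2 selector mismatch ({label}): {mine} != {theirs}")
    for me, peer, label in ((a, b, "A"), (b, a, "B")):
        if me["remote_host"] != "*" and me["remote_host"] != peer["gateway"]:
            problems.append(f"{label} Remote Host {me['remote_host']} is not peer gateway {peer['gateway']}")
    return problems


if __name__ == "__main__":
    print(check_peer_config(CYBEROAM_SIDE, CLIENT_SIDE))  # []
    # 0.0.0.0/24 instead of 0.0.0.0/0 leaves the client's 0.0.0.0/0 selector
    # without a matching Phase 2 entry on the Cyberoam side
    print(check_peer_config(dict(CYBEROAM_SIDE, remote_net="0.0.0.0/24"), CLIENT_SIDE))
```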
Cyberoam Configuration
Applicable to - Version 9.4.0 build 2 and higher
Task list
· Define VPN policy - configure Phase 1 & Phase 2 parameters to authenticate the remote client and establish a secure connection
· Define VPN connection parameters – configure source and destination network
· Export VPN connection parameters
· Import VPN connection parameters in VPN Client
Step 1: Create VPN Policy
To create the VPN policy, go to VPN → Policy → Create Policy. Use the values shown in the image below to create the policy.

Case I: Peers are using different CAs, i.e. Cyberoam and the remote user are using different CAs
Step 2: Generate CA
Go to VPN → Certificate Authority → Manage Certificate Authority and click Default certificate authority. If you are generating the CA for the first time, enter the complete details as required; otherwise modify the details as per your requirement.
Click Generate/Re-generate.
Step 3: Download the CA generated in step 2 from VPN → Certificate Authority → Manage Certificate Authority and forward it to the remote user. The remote user has to unzip the CA (using WinZip or WinRAR) and upload it.
Step 4: Obtain and upload the remote CA received from the remote user
Unzip the CA received from the remote user to extract two files: default.pem and default.der.
Upload the CA from VPN → Certificate Authority → Upload Certificate Authority.
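Because the CA archive travels by e-mail, confirm before uploading that default.pem and default.der carry the same certificate and that its fingerprint matches what the remote administrator reads out over a separate channel. The following is an added example, not code from the article or from Cyberoam; the function names are my own and the embedded sample bytes are constructed, not a real certificate.

```python
import hashlib
import ssl


def sha256_fingerprint(der_bytes):
    """SHA-256 fingerprint of a DER-encoded certificate, as colon-separated
    uppercase hex the way most certificate tools display it."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_ca_bundle(pem_text, der_bytes, expected_fingerprint=None):
    """Verify the two files extracted from the remote user's CA archive.

    Returns (ok, fingerprint). ok is False when default.pem and default.der
    do not encode the same certificate, or when the fingerprint differs from
    the value the remote administrator confirmed through a separate channel
    (phone or in person, not the e-mail that carried the archive).
    """
    # PEM is base64 of the DER between BEGIN/END markers, so both files
    # must decode to identical bytes
    der_from_pem = ssl.PEM_cert_to_DER_cert(pem_text)
    fp = sha256_fingerprint(der_bytes)
    if der_from_pem != der_bytes:
        return False, fp
    if expected_fingerprint and fp != expected_fingerprint.upper():
        return False, fp
    return True, fp


def load_and_check(pem_path, der_path, expected_fingerprint=None):
    # Read the two files from the unzipped archive and run the check
    with open(pem_path) as f, open(der_path, "rb") as g:
        return check_ca_bundle(f.read(), g.read(), expected_fingerprint)


# Constructed sample: 48 arbitrary bytes standing in for default.der. It is
# not a real certificate; only the PEM/DER consistency check is exercised.
SAMPLE_DER = bytes(range(48))
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)


if __name__ == "__main__":
    ok, fp = check_ca_bundle(SAMPLE_PEM, SAMPLE_DER)
    print(ok, fp)
```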
Step 5: Generate local Certificate
Go to VPN → Certificate → New Certificate and click Self Signed Certificate to create the certificate. Create the certificate with the following values:
Certificate name: local_cert
Certificate ID (Email): john@ddomain.com
Step 6: Download the default CRL from VPN → Certificate Authority → Manage CRL and forward it to the remote user
Step 7: Obtain the CRL received from the remote user and upload it from VPN → Certificate Authority → Upload CRL
Step 8: Create VPN IPSec connection
To create the connection, go to VPN → IPSec Connection → Create Connection. Use the VPN policy created in step 1 and the other values specified below:
Connection name: road_warrior
Policy: RW_Policy (created in step 1)
Action on restart: Active
Mode: Tunnel
Connection Type: Road Warrior
Authentication Type: Digital Certificate
Local Certificate: local_cert (created in step 5)
Remote Certificate: Select ‘External Certificate’ or select the certificate forwarded by the remote user.
Local server IP address (WAN IP address): 192.168.15.204
Local Internal Network: 172.16.16.0/24
Local ID: Automatically displays the ID specified in the local certificate created in step 5, i.e. john@ddomain.com
Remote Host: *
Remote LAN Network: 0.0.0.0/24
Remote ID: As provided by the remote user
User Authentication Mode: Disabled
Protocol: All
Step 9: Export IPSec connection parameters
Go to VPN → IPSec Connection → Manage Connection and click Export against the connection whose details are to be exported and used for the connection. Cyberoam will prompt you to save the connection parameters in .tgb format. Save the file and mail it to the remote user.
Step 10: Activate Connection and establish Tunnel
Go to VPN → IPSec Connection → Manage Connection.
To activate the connection, click the status icon under Connection Status against the road_warrior connection.
The icon under Connection Status then indicates that the connection is successfully activated.
Note
Only one connection can be active at a time if both types of connection - Digital Certificate and Preshared Key - are created with the same source and destination. In that situation you will receive the error ‘unable to activate connection’ at activation time, so you need to deactivate all other connections first.
Case II: Peers are using a trusted third-party CA, e.g. Verisign, Microsoft
Step 2: Obtain and upload the third-party CA from VPN → Certificate Authority → Upload Certificate Authority
Step 3: Obtain and upload the certificate issued by the third-party CA from VPN → Certificate → New Certificate
Step 4: Obtain and upload the CRL from the third-party CA from VPN → Certificate Authority → Upload CRL
Step 5: Create VPN IPSec connection
To create the connection, go to VPN → IPSec Connection → Create Connection. Use the VPN policy created in step 1 and the other values specified below:
Connection name: road_warrior
Policy: RW_Policy (created in step 1)
Action on restart: Active
Mode: Tunnel
Connection Type: Road Warrior
Authentication Type: Digital Certificate
Local Certificate: Select certificate uploaded in step 3
Remote Certificate: Select ‘External Certificate’ or select the certificate forwarded by the remote user.
Local server IP address (WAN IP address): 192.168.15.204
Local Internal Network: 172.16.16.0/24
Local ID: Automatically displays the ID specified in the local certificate created in step 3
Remote Host: *
Remote LAN Network: 0.0.0.0/24
Remote ID: As provided by the remote user
User Authentication Mode: Disabled
Protocol: All
Step 6: Export IPSec connection parameters
Go to VPN → IPSec Connection → Manage Connection and click Export against the connection whose details are to be exported and used for the connection. Cyberoam will prompt you to save the connection parameters in .tgb format. Save the file and mail it to the remote user.
Step 7: Activate Connection and establish Tunnel from VPN → IPSec Connection → Manage Connection
To activate the connection, click the status icon under Connection Status against the road_warrior connection.
The icon under Connection Status then indicates that the connection is successfully activated.
Note
Only one connection can be active at a time if both types of connection - Digital Certificate and Preshared Key - are created with the same source and destination. In that situation you will receive the error ‘unable to activate connection’ at activation time, so you need to deactivate all other connections first.
VPN Client Configuration
Step 1: Launch the Cyberoam VPN client and go to File > Import VPN Configuration to import the connection parameter file (.tgb) received from the remote end.
Note
· Importing a VPN configuration will overwrite the existing VPN configuration.
· VPN Client creates one phase 1 policy based on the VPN connection.
· VPN Client creates phase 2 policy for each internal network specified in the VPN connection.
Case I: Private IP address assigned to Cyberoam WAN interface
This situation occurs when Cyberoam is deployed behind a firewall or ADSL device that port-forwards the requests to Cyberoam.
In this case, specify the public IP address of the firewall or ADSL device manually in the Remote Gateway field in Phase 1 of the VPN Client, because the connection parameter file will supply the private IP address to the VPN Client.
Case II: Dynamic IP address assigned to Cyberoam WAN interface
When the Cyberoam WAN interface is assigned its IP address dynamically via DHCP or PPPoE and Dynamic DNS is used to map the dynamic IP address to a static FQDN, specify the FQDN manually in the Remote Gateway field in Phase 1 of the VPN Client.
Step 6: Establish connection
The VPN Client automatically opens the tunnel on traffic detection. The status bar displays a green light for “Tunnel” if the connection is successfully established.
Document Version: 1.0-30/10/2007