Setup Cyberoam VPN Client to connect to Cyberoam for remote access using Digital Certificates

Objective

This article details how to set up the Cyberoam VPN Client to connect securely to a Cyberoam appliance for remote access using digital certificates. The following sections are included:

·     Case I – Peers using different Certificate Authority (CA)

·     Case II – Peers using the same CA

 

This is commonly called a "road warrior" configuration, because the client is typically a laptop being used from remote locations, and connected over the internet using service providers and dialup connections. The most common use of this scenario is when you are at home or on the road and want access to the corporate network.

 

Configuration Table

Configuration Parameters    Cyberoam                                     Cyberoam VPN Client
------------------------------------------------------------------------------------------------------------
IPSec Connection            Local Network details                        Local Network details
(Road warrior)              Cyberoam WAN IP address – 192.168.15.204     VPN Client IP address – *
                            Local Internal Network – 172.16.16.0/24      Local Internal Network – 0.0.0.0/0

                            Remote Network details                       Remote Network details
                            Remote VPN server IP address – *             Remote VPN server IP address – 192.168.15.204
                            Remote Internal Network – 0.0.0.0/0          Remote Internal Network – 172.16.16.0/24

 

Cyberoam Configuration

Applicable to - Version 9.4.0 build 2 and higher

 

Task list

·     Define VPN policy - configure Phase 1 & Phase 2 parameters to authenticate the remote client and establish a secure connection

·     Define VPN connection parameters – configure source and destination network

·     Export VPN connection parameters

·     Import VPN connection parameters in VPN Client

 

Step 1: Create VPN Policy

To create the VPN policy, go to VPN > Policy > Create Policy and use the values specified in the accompanying image. The policy created here is referred to as RW_Policy in the steps below.


Case I: Peers are using different CAs, i.e. Cyberoam and the remote user each use their own CA

 

Step 2: Generate CA

Go to VPN > Certificate Authority > Manage Certificate Authority and click the default certificate authority. If you are generating the CA for the first time, enter all the required details; otherwise modify the details as required.

Click Generate/Re-generate.

 

Step 3: Download the CA generated in step 2 from VPN > Certificate Authority > Manage Certificate Authority and forward it to the remote user, who has to upload it.

The CA is downloaded as a zip archive; the remote user has to unzip it (with WinZip or WinRAR) before uploading it.

 

Step 4: Obtain and upload the remote CA received from the remote user

Unzip the CA received from the remote user to extract two files: default.pem and default.der

Upload the CA from VPN > Certificate Authority > Upload Certificate Authority

 

Step 5: Generate local Certificate

Go to VPN > Certificate > New Certificate and click Self Signed Certificate to create the certificate. Create the certificate with the following values:

 

Certificate name: local_cert

Certificate ID (Email): john@ddomain.com

 

Step 6: Download the default CRL from VPN > Certificate Authority > Manage CRL and forward it to the remote user

 

Step 7: Obtain the CRL from the remote user and upload it from VPN > Certificate Authority > Upload CRL

 

Step 8: Create VPN IPSec connection

To create the connection, go to VPN > IPSec Connection > Create Connection. Use the VPN policy created in step 1 and the other values specified below:

Connection name: road_warrior

Policy: RW_Policy (created in step 1)

Action on restart: Active

Mode: Tunnel

Connection Type: Road Warrior

 

Authentication Type: Digital Certificate

Local Certificate: local_cert (created in step 5)

Remote Certificate: Select ‘External Certificate’ or select the certificate forwarded by the remote user.

 

Local server IP address (WAN IP address): 192.168.15.204

Local Internal Network: 172.16.16.0/24

Local ID: Automatically displays the ID specified in the local certificate created in step 5, i.e. john@ddomain.com

 

Remote Host: *

Remote LAN Network: 0.0.0.0/24

Remote ID: As provided by the remote user

 

User Authentication Mode: Disabled

Protocol: All 
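As an added example (shell with openssl; not from the Cyberoam article), these are the checks an administrator can run on what the remote user sends in Steps 4 and 7 before uploading it, and on the Remote ID entered in Step 8. The CA, CRL and user certificate are constructed locally with a throwaway CA so the script runs offline; the file names default.pem and default.der follow Step 4, while the email address and the openssl invocations are assumptions.

```shell
#!/bin/sh
# Added example, not from the Cyberoam article: checks an administrator can run
# on the material exchanged in Case I before uploading it to the appliance.
# Everything below is constructed with a throwaway CA so the script runs
# offline; with a real peer, point the functions at the default.pem/default.der,
# CRL and certificate the remote user actually sent.
set -e
WORK=$(mktemp -d); cd "$WORK"

# Constructed sample input: a peer CA, its DER copy, an empty CRL and a user
# certificate whose email ID is the Remote ID the user would report.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Peer CA" \
    -keyout ca.key -out default.pem 2>/dev/null
openssl x509 -in default.pem -outform DER -out default.der
openssl req -newkey rsa:2048 -nodes -keyout user.key -out user.csr \
    -subj "/CN=Remote User/emailAddress=jane@example.com" 2>/dev/null
openssl x509 -req -in user.csr -CA default.pem -CAkey ca.key -CAcreateserial \
    -days 30 -out user.pem 2>/dev/null
printf '[ca]\ndefault_ca=d\n[d]\ndatabase=index.txt\ndefault_md=sha256\n' > ca.cnf
: > index.txt
openssl ca -config ca.cnf -gencrl -keyfile ca.key -cert default.pem \
    -crldays 30 -out default.crl 2>/dev/null

# Check 1 (Step 4): default.pem and default.der from the zip are the same CA;
# the printed SHA-256 fingerprint is what to confirm with the user out of band,
# since the zip itself travels by email.
same_ca() {
    pem=$(openssl x509 -in "$1" -noout -fingerprint -sha256)
    der=$(openssl x509 -in "$2" -inform DER -noout -fingerprint -sha256)
    [ "$pem" = "$der" ] && echo "$pem"
}

# Check 2 (Steps 4 and 7): the user's certificate chains to that CA and is not
# listed in the CRL the user forwarded.
chain_ok() {
    openssl verify -crl_check -CAfile "$1" -CRLfile "$2" "$3" >/dev/null 2>&1
}

# Check 3 (Step 8, Remote ID): the ID the user reported is the email ID in the
# certificate, so the IKE identity and the certificate agree.
remote_id_matches() {
    [ "$(openssl x509 -in "$1" -noout -email)" = "$2" ]
}

same_ca default.pem default.der
chain_ok default.pem default.crl user.pem && echo "chain and CRL check passed"
remote_id_matches user.pem jane@example.com && echo "Remote ID matches certificate"
```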

 

Step 9: Export IPSec connection parameters

 

Go to VPN > IPSec Connection > Manage Connection and click Export against the connection whose details are to be exported and used for the connection. Cyberoam prompts you to save the connection parameters in the .tgb format. Save the file and mail it to the remote user.

 

Step 10: Activate Connection and establish Tunnel

Go to VPN > IPSec Connection > Manage Connection

To activate the connection, click the status icon under Connection Status against the road_warrior connection

An active status icon under Connection Status indicates that the connection has been successfully activated

 

Note

Only one connection can be active at a time if both types of connection, Digital Certificate and Preshared Key, are created with the same source and destination. In that situation you will receive the error ‘unable to activate connection’ at activation time, so you need to deactivate all other connections first.

 

Case II: Peers are using a trusted third-party CA, e.g. Verisign, Microsoft

Step 2: Obtain the third-party CA and upload it from VPN > Certificate Authority > Upload Certificate Authority

Step 3: Obtain a certificate from the third-party CA and upload it from VPN > Certificate > New Certificate

Step 4: Obtain the CRL from the third-party CA and upload it from VPN > Certificate Authority > Upload CRL

 

Step 5: Create VPN IPSec connection

To create the connection, go to VPN > IPSec Connection > Create Connection. Use the VPN policy created in step 1 and the other values specified below:

Connection name: road_warrior

Policy: RW_Policy (created in step 1)

Action on restart: Active

Mode: Tunnel

Connection Type: Road Warrior

 

Authentication Type: Digital Certificate

Local Certificate: Select certificate uploaded in step 3

Remote Certificate: Select ‘External Certificate’ or select the certificate forwarded by the remote user.

 

Local server IP address (WAN IP address): 192.168.15.204

Local Internal Network: 172.16.16.0/24

Local ID: Automatically displays the ID specified in the local certificate uploaded in step 3

 

Remote Host: *

Remote LAN Network: 0.0.0.0/24

Remote ID: As provided by the remote user

 

User Authentication Mode: Disabled

Protocol: All 

 

Step 6: Export IPSec connection parameters

 

Go to VPN > IPSec Connection > Manage Connection and click Export against the connection whose details are to be exported and used for the connection. Cyberoam prompts you to save the connection parameters in the .tgb format. Save the file and mail it to the remote user.

 

Step 7: Activate Connection and establish Tunnel from VPN > IPSec Connection > Manage Connection

To activate the connection, click the status icon under Connection Status against the road_warrior connection

An active status icon under Connection Status indicates that the connection has been successfully activated

 

Note

Only one connection can be active at a time if both types of connection, Digital Certificate and Preshared Key, are created with the same source and destination. In that situation you will receive the error ‘unable to activate connection’ at activation time, so you need to deactivate all other connections first.

VPN Client Configuration

Step 1: Launch the Cyberoam VPN Client and go to File > Import VPN Configuration to import the connection parameter file (.tgb) received from the remote end

 

Note

·     Importing a VPN configuration overwrites the existing VPN configuration.

·     The VPN Client creates one Phase 1 policy based on the VPN connection.

·     The VPN Client creates a Phase 2 policy for each internal network specified in the VPN connection.

 

Case I: Private IP address assigned to the Cyberoam WAN interface

 

This situation occurs when Cyberoam is deployed behind a firewall or ADSL device that port-forwards requests to Cyberoam.

 

In this case, specify the public IP address of the firewall or ADSL device manually in the Remote Gateway field in Phase 1 of the VPN Client, because the connection parameter file passes the private IP address to the VPN Client.

 

Case II: Dynamic IP address assigned to the Cyberoam WAN interface

When the Cyberoam WAN interface is assigned its IP address dynamically via DHCP or PPPoE and Dynamic DNS is used to map the dynamic IP address to a static FQDN, specify the FQDN manually in the Remote Gateway field in Phase 1 of the VPN Client.

 

Step 6: Establish connection

The VPN Client automatically opens the tunnel on traffic detection. The status bar displays a green light for “Tunnel” if the connection is successfully established.

 

Document Version: 1.0-30/10/2007

Article ID: 811