1. VPN
1.1. Enable Single Sign On (SSO) for VPN Users

Applicable Version: 10.6.2 onwards

Overview

Cyberoam VPN gives remote workers secure access to the corporate network. With Single Sign On (SSO) enabled for VPN users, they do not have to log on to Cyberoam separately through the Captive Portal or the Authentication Client.

Administrators can give VPN users authorized access to corporate applications behind the firewall from outside the corporate network simply by enabling SSO, which makes Cyberoam authentication transparent to them. As soon as the VPN tunnel is established the user is logged on to Cyberoam, and the moment the tunnel is disconnected the user is logged off. This removes the need to log on more than once before VPN users can reach corporate applications; the identity established by the VPN logon is the one Cyberoam's user-based policies then apply to the tunnel traffic.

Single Sign on can be configured for Remote Users using following VPN Clients: 

-  SSL Client
-  IPSec client
-  L2TP
-  PPTP 

Note: 

In case of HA failover the VPN tunnel is disconnected and the user is logged out of Cyberoam, so the user has to reconnect; once the tunnel is back up the SSO logon happens again automatically.

Scenario

In this article, as an example, we have enabled SSO for SSL VPN users. SSO can be enabled for IPSec, PPTP and L2TP VPN users in a similar manner. 

Prerequisite

VPN Tunnel(s) should be configured. 

Configuration

You can enable SSO for VPN users by following the instructions below. 

1.  Log on to the Web Admin Console as an administrator with Read-Write permission for relevant feature(s). 

2.  Go to Identity > Authentication > VPN. 

3.  Under Single Sign On For VPN Users, check SSL VPN Users.

4.  Click Apply to save settings.

The above configuration enables SSO for SSL VPN users: they are authenticated to Cyberoam automatically when they log on with their SSL VPN client, and their Cyberoam session ends when the tunnel closes. SSO for PPTP, L2TP and IPSec users is enabled the same way by checking the corresponding option.

Document Version: 1.0 – 12 January, 2015

1.2. Implement Split Tunnel in Mac OS X for PPTP and L2TP VPN


Applicable Version: 10.04.0 Build 214 onwards

Scenario

Configure a Mac OS X system to use split tunnelling for a PPTP or L2TP VPN, so that only traffic for the corporate network goes through the tunnel and everything else uses the local Internet connection.


Prerequisite

•   A PPTP/L2TP VPN connection between Cyberoam and the Mac must be configured and active. To configure the connection, refer to the article below:

    -   Configure PPTP VPN Connection for MAC OS X client

•   You must have superuser (administrator) privileges on the Mac to make configuration changes in the Terminal.
 

Mac OS X Configuration

You can implement the split tunnel configuration by following the steps below.

Step 1: Stop sending all traffic over the VPN

•   Go to System Preferences > Network and select the configured VPN (PPTP/L2TP) connection. The configuration details of the VPN connection are displayed. Click Advanced.

•   The VPN settings window is displayed. Switch to the Options tab and uncheck Send all traffic over VPN connection.


Step 2: Add static route(s) to the VPN interface

Adding static routes ensures that only the desired traffic goes through the VPN connection while the rest goes directly through the Internet connection.

•   Once the VPN connection is established, go to Applications > Utilities > Terminal.

•   Execute the following command to find the interface used for the VPN connection. A PPTP or L2TP tunnel appears as a pppN interface (for example ppp0) with a point-to-point inet address:

    Macs-MacBook-Air:~ Macair$ ifconfig

•   Execute the following command to add a static route for a subnet that should be reached through the VPN, naming the tunnel interface found above:

    Macs-MacBook-Air:~ Macair$ sudo route -n add -net <destination subnet> -interface <VPN interface>

    For example, to reach 172.16.16.0/24 through ppp0: sudo route -n add -net 172.16.16.0/24 -interface ppp0. Repeat the command for each corporate subnet.

The route is bound to the VPN interface, as the terminal output confirms. It disappears when the tunnel is disconnected, because the ppp interface is removed with it, so the command has to be repeated (or scripted) after every reconnect.

The above configuration ensures that only the desired traffic goes through the VPN connection while the rest goes directly through the Internet connection. Note that with split tunnelling the Mac is attached to the corporate network and to the open Internet at the same time, so enable it only where your security policy allows. PPTP's MS-CHAPv2 authentication and MPPE encryption are considered broken; prefer L2TP over IPSec where you have the choice.

The interface shown in the screens is a PPTP (ppp) interface. The configuration steps are the same for an L2TP interface.
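The two Terminal steps above, as an added example that is not part of the original article: a Python script that reads ifconfig, picks the pppN interface the PPTP/L2TP tunnel created, and adds a route for each corporate subnet through it. The subnet list and the embedded ifconfig text are constructed for the example; run the script with sudo after the tunnel is up, and again after every reconnect.

```python
import re
import subprocess
import sys

# Corporate subnets that should go through the tunnel. Constructed placeholder
# values; replace them with the networks behind Cyberoam.
VPN_SUBNETS = ["172.16.16.0/24", "172.17.17.0/24"]

# Constructed sample of macOS `ifconfig` output with one active PPTP/L2TP
# tunnel (ppp0). Used by the tests; the script itself runs the real command.
SAMPLE_IFCONFIG = """\
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.1.20 netmask 0xffffff00 broadcast 192.168.1.255
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        inet 10.81.234.2 --> 10.81.234.1 netmask 0xffffff00
"""

IFACE_HEADER = re.compile(r"^([a-z0-9]+): flags=\d+<([^>]*)>")
P2P_ADDRESS = re.compile(r"^\s+inet (\S+) --> (\S+)")


def vpn_interfaces(ifconfig_text):
    """Return [(iface, local_ip, peer_ip)] for every pppN interface that is UP
    and has a point-to-point IPv4 address, i.e. a live PPTP/L2TP tunnel."""
    found, current, up = [], None, False
    for line in ifconfig_text.splitlines():
        header = IFACE_HEADER.match(line)
        if header:
            name, flags = header.groups()
            current = name if name.startswith("ppp") else None
            up = "UP" in flags.split(",")
            continue
        addr = P2P_ADDRESS.match(line)
        if addr and current and up:
            found.append((current, addr.group(1), addr.group(2)))
    return found


def route_commands(iface, subnets):
    """The macOS `route` invocations that pin each subnet to the tunnel
    interface, returned as argument lists. Nothing is executed here."""
    return [["route", "-n", "add", "-net", net, "-interface", iface] for net in subnets]


def apply_routes(iface, subnets):
    """Add the routes (requires root). They vanish together with the ppp
    interface when the tunnel drops, so call this after every reconnect."""
    for cmd in route_commands(iface, subnets):
        subprocess.run(cmd, check=True)


if __name__ == "__main__":
    output = subprocess.run(["ifconfig"], capture_output=True, text=True).stdout
    tunnels = vpn_interfaces(output)
    if not tunnels:
        sys.exit("no ppp interface is up; connect the VPN first")
    iface, local_ip, peer_ip = tunnels[0]
    print(f"tunnel {iface}: {local_ip} -> {peer_ip}")
    apply_routes(iface, VPN_SUBNETS)
```

The parser insists on the UP flag and a point-to-point address, so a stale ppp interface left behind by a dropped tunnel is not picked by mistake; the route commands are built separately from their execution so they can be reviewed (or unit-tested) before anything touches the routing table.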

 






Document Version: 1.0 – 03 Nov, 2014
1.3. Assign Static IP Address to L2TP/PPTP User

Applicable Version: 10.04.2 Build 527 onwards

Scenario

Assign a static IP address to a user connecting over L2TP or PPTP VPN. Here a static IP address is assigned to an L2TP user; a PPTP user is handled in the same way. A fixed address lets you write firewall rules and read logs against that one user's address instead of the whole VPN address pool.

Configuration

The entire configuration is to be done from Cyberoam Web Admin Console using profile having read-write administrative rights for relevant feature(s).


Go to Identity > Users > Users and select the user to whom the static IP address is to be assigned. Enable L2TP and specify the IP address to be assigned, as shown below. Use an address that no other user can be given, so the mapping between address and user stays unique.
 
 
 
 
 

                                                                                       

Document Version: 1.0 - 06/11/2013

1.4. IPSec VPN
1.4.1. Set Default Idle Timeout for IPSec VPN Tunnels

Applicable Version: 10.6.1 onwards

Overview

An idle timeout on an IPSec VPN connection defines how long the tunnel stays established when no traffic passes through it. Once that interval elapses the appliance tears the tunnel down, so an unused tunnel is not left up indefinitely, and the peers must negotiate (and authenticate) again before the next exchange. The timeout is set as the Idle session time interval while configuring an IPSec tunnel.

This article describes how to set the default idle timeout for IPSec VPN tunnels in Cyberoam.

Scenario

Set the default Idle Timeout as 500 seconds for a Site to Site VPN Connection named Head_Branch. As a result, the VPN Tunnel will disconnect automatically if no traffic passes through the tunnel for the specified time interval.

Configuration

You must be logged on to the Web Admin Console as an administrator with Read-Write permission for relevant feature(s).

•   Go to VPN > IPSec > Connections and select the required Connection, for example, Head_Branch.

   Expand the Advanced Settings section and enable Disconnect when tunnel is idle. Set Idle session time interval to 500.

   Click OK to save the IPSec VPN Tunnel.

The above configuration disconnects the Head_Branch tunnel after 500 seconds of inactivity. Traffic arriving after that has to wait for the tunnel to be re-established, so a short interval trades idle tunnel time for renegotiation overhead; choose it to suit the traffic pattern of the link.

Document Version: 1.0 – 13 May, 2015

1.4.2. Establish Site-to-Site IPSec Connection using Digital Certificates

Applicable Version: 10.00 onwards

Overview

A digital certificate is an electronic "passport" that allows a person, computer or organization to exchange information securely over the Internet using the public key infrastructure (PKI). A digital certificate may also be referred to as a public key certificate.

Just like a passport, a digital certificate provides identifying information, is forgery resistant and can be verified because it was issued by a trusted agency. The certificate contains the name of the certificate holder, a serial number, the validity period, a copy of the certificate holder's public key (used to verify the holder's signatures and to encrypt messages to the holder) and the digital signature of the issuing certificate authority (CA). A recipient that trusts the CA can verify that signature and thereby the certificate; this is why the two appliances below exchange their CAs before they exchange certificates.

Scenario

Exchange Certificate Authority (CA) and Digital Certificates between a Head Office (HO) and Branch Office (BO) and, then, configure and establish an IPSec connection between them. In this article, we have used the following parameters to create the VPN connection.
 

Network Parameters

HO Network details

WAN IP address – 10.206.1.173

LAN IP address – 172.17.17.17

BO Network details

WAN IP address – 10.206.1.213

LAN IP address – 172.16.16.16

Configuration

You must be logged on to the Web Admin Console of both HO and BO Cyberoam as an administrator with Read-Write permission for relevant feature(s).

Step 1: Upload HO Cyberoam’s Default CA to BO Cyberoam

Head Office

Go to System > Certificate > Certificate Authority and select Default CA. Specify the details of the CA, as shown below.

Once the CA is generated, download it to your local computer by clicking the Download icon against it.

A file named local_certificate_authority.tar.gz is downloaded. Store and uncompress the file. It contains the CA root certificate in two formats:

-   Default.pem (PEM file)
-   Default.der (DER security certificate)

Branch Office

Upload the CA certificate (downloaded from HO) to BO Cyberoam. To upload the CA, go to System > Certificate > Certificate Authority and click Add. Upload the CA root certificate in either PEM or DER format. Before uploading, confirm with the HO administrator over an independent channel (for example by comparing the certificate's fingerprint by phone) that the file you received is the one they generated: every certificate the BO later accepts from the tunnel peer rests on trusting this CA.

Click OK to save the HO Default CA in BO Cyberoam.

Step 2: Upload BO Cyberoam’s Default CA to HO Cyberoam

Configure and download the Default CA in BO Cyberoam and upload it on HO Cyberoam using similar steps as shown in step 1. 

Step 3: Upload HO Cyberoam’s Digital Certificate to BO Cyberoam

Head Office

Create a Self-Signed Certificate in HO Cyberoam. Go to System > Certificate > Certificate and click Add to create a new certificate. Select Generate Self Signed Certificate and specify the details as shown below.

Click OK to save the certificate.

Once the certificate is generated, download it to your local computer by clicking the Download icon against it.

A file named HO_Certificate.tar.gz is downloaded. Store and uncompress the file. It contains the following files:

-   UserPrivateKey.key (private key)
-   UserCertificate.pem (certificate, PEM)
-   RootCertificate (issuing CA certificate, PEM)
-   Password.txt (passphrase, present if key encryption is enabled)
-   HO_Certificate.p12 (Personal Information Exchange bundle of certificate and private key)

The archive contains HO's private key (UserPrivateKey.key, and again inside the .p12). Whoever holds that key can authenticate as HO, so move the archive only over a trusted channel and delete the extracted key material from the workstation once the upload below is done.

Branch Office

Upload the certificate (downloaded from HO Cyberoam) to BO Cyberoam. To upload the certificate, go to System > Certificate > Certificate and click Add. Select UserCertificate.pem as the Certificate, UserPrivateKey.key as the Private Key and specify the passphrase from Password.txt.

Click OK to save the certificate.

Step 4: Upload BO Cyberoam’s Digital Certificate to HO Cyberoam

Configure and download the Self-signed certificate in BO Cyberoam and upload it on HO Cyberoam using similar steps as shown in step 3.
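Steps 1 to 4 move certificate archives between the two appliances. As an added example (not part of the original article and not Cyberoam code), the following Python splits an unpacked archive into the files that may go to the peer and the files that must stay on the appliance, and computes the SHA-256 fingerprint of each certificate so the two administrators can compare it over the phone before uploading. The sample archive contents are constructed placeholders, not real certificates or keys.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_blocks(text):
    """Return [(label, der_bytes)] for every PEM block in text, e.g.
    ("CERTIFICATE", b"...") or ("RSA PRIVATE KEY", b"...")."""
    return [(m.group(1), base64.b64decode("".join(m.group(2).split())))
            for m in PEM_BLOCK.finditer(text)]


def fingerprint(der):
    """SHA-256 of the DER encoding, colon separated as openssl prints it. It
    depends only on the bytes, not on how the PEM file was line-wrapped."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 64, 2))


def triage(bundle):
    """Split {filename: content} into 'share' (certificates, with their
    fingerprints) and 'keep' (anything holding a private key or a secret)."""
    share, keep = {}, []
    for name, content in bundle.items():
        if isinstance(content, bytes):                 # binary, e.g. the .p12 bundle
            keep.append(name)
            continue
        blocks = pem_blocks(content)
        if not blocks or any("PRIVATE KEY" in label for label, _ in blocks):
            keep.append(name)                          # key files, Password.txt
            continue
        share[name] = [fingerprint(der) for label, der in blocks if label == "CERTIFICATE"]
    return {"share": share, "keep": sorted(keep)}


def pem(label, der, width=64):
    """Wrap DER bytes in a PEM envelope (used to build the sample bundle)."""
    body = base64.b64encode(der).decode()
    lines = [body[i:i + width] for i in range(0, len(body), width)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def sample_bundle():
    """Constructed stand-in for the unpacked HO_Certificate.tar.gz. The DER
    payloads are placeholder bytes, not real X.509 or RSA structures."""
    return {
        "UserCertificate.pem": pem("CERTIFICATE", b"placeholder HO certificate bytes"),
        "RootCertificate": pem("CERTIFICATE", b"placeholder HO default CA bytes"),
        "UserPrivateKey.key": pem("RSA PRIVATE KEY", b"placeholder private key bytes"),
        "Password.txt": "s3cret-passphrase\n",
        "HO_Certificate.p12": b"\x30\x82placeholder pkcs12",
    }


if __name__ == "__main__":
    result = triage(sample_bundle())
    for name, prints in result["share"].items():
        print(f"send to peer: {name}  {', '.join(prints)}")
    for name in result["keep"]:
        print(f"keep on HO:   {name}")
```

Anything that is not a plain certificate (binary files, PEM private keys, text with no PEM block at all) lands in the keep list, so a new file type in a future archive is held back rather than shared by default.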

Step 5: Configure IPsec Connection

Head office

Implement the following steps on HO Cyberoam. 

1.    To create a new IPSec connection, go to VPN > IPSec > Connection and click Add. Create the connection using the following parameters.

Name: HO_to_BO_IPSec
    Name to identify the IPSec connection.
Connection Type: Site to Site
    Type of connection. Available options: Remote Access, Site to Site, Host to Host.
Policy: DefaultHeadOffice
    Policy to be used for the connection.
Action on VPN Restart: Respond Only
    Action taken for the connection on VPN restart. Available options: Respond Only, Initiate, Disable.

Authentication details
Authentication Type: Digital Certificate
    Authentication type; the types offered depend on the connection type.
Local Certificate: HOCertificate
    Local certificate the appliance presents to prove its own identity.
Remote Certificate: BOCertificate
    Certificate the remote peer must present; the appliance accepts the peer only if it authenticates with this certificate.

Endpoint details
Local: PortB-10.206.1.173
    Local port that acts as the end-point of the tunnel.
Remote: 10.206.1.213
    IP address of the remote end-point.

Local network details
Local Subnet: 172.17.17.0/24
    Local LAN address(es). Add and remove addresses with the Add and Remove buttons.

Remote network details
Remote LAN Network: 172.16.16.0/24
    Remote LAN address(es). Add and remove addresses with the Add and Remove buttons.

2.    Click OK to create IPSec connection. On clicking OK, the following screen is displayed showing the connection created above.


3.    Click the icon under Status (Active) to activate the connection.

 
Branch Office
 

Implement the following steps on BO Cyberoam


1.  To create a new IPSec connection, go to VPN > IPSec > Connection and click Add. Create the connection using the following parameters.

Name: BO_to_HO_IPSec
    Name to identify the IPSec connection.
Connection Type: Site to Site
    Type of connection. Available options: Remote Access, Site to Site, Host to Host.
Policy: DefaultBranchOffice
    Policy to be used for the connection.
Action on VPN Restart: Initiate
    Action taken for the connection on VPN restart. Available options: Respond Only, Initiate, Disable.

Authentication details
Authentication Type: Digital Certificate
    Authentication type; the types offered depend on the connection type.
Local Certificate: BOCertificate
    Local certificate the appliance presents to prove its own identity.
Remote Certificate: HOCertificate
    Certificate the remote peer must present; the appliance accepts the peer only if it authenticates with this certificate.

Endpoint details
Local: PortB-10.206.1.213
    Local port that acts as the end-point of the tunnel.
Remote: 10.206.1.173
    IP address of the remote end-point.

Local network details
Local Subnet: 172.16.16.0/24
    Local LAN address(es). Add and remove addresses with the Add and Remove buttons.

Remote network details
Remote LAN Network: 172.17.17.0/24
    Remote LAN address(es). Add and remove addresses with the Add and Remove buttons.

2.  Click OK to create the IPSec connection. On clicking OK, the following screen is displayed showing the connection created above.

3.  Click the icons under Status (Active) and Status (Connection) to activate and establish the connection.

The above configuration establishes an IPSec connection between the two sites. Each appliance accepts the peer only if it authenticates with the certificate selected as Remote Certificate, so replacing either certificate (for example after it expires) means repeating Steps 3 and 4 for that side.

Document Version: 1.0 – 11 July, 2014

1.4.3. Establish Site-to-Site VPN Connection using RSA Keys

Applicable Version: 10.00 onwards

Overview

IPSec is an end-to-end security scheme operating in the Internet layer of the Internet protocol suite. It protects data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host).

Cyberoam's IPSec VPN offers cost-effective site-to-site remote connectivity, eliminating the need for expensive private remote access networks such as leased lines, Asynchronous Transfer Mode (ATM) and Frame Relay. The mechanisms available to authenticate VPN peers are preshared key, digital certificate and RSA keys. With RSA keys each appliance holds its own key pair: the private half never leaves the appliance, the public half is what you exchange with the other site, and during IKE negotiation each side proves its identity by signing with its private key, which the peer verifies with the public key it was given.

This article describes a detailed configuration example that demonstrates how to set up a site-to-site IPSec VPN connection between two networks using RSA keys to authenticate the VPN peers.

Scenario

Configure a site-to-site IPSec VPN connection between Site A and Site B by following the steps given below. In this article, we have used the following parameters to create the VPN connection.
 
 

Network Parameters

Site A Network details

Local Server (WAN IP address) – 14.15.16.17

Local LAN address – 10.5.6.0/24

Local ID –john@cyberoam.com

Local RSA Key –

0sAQN/f/ADiKpDLUfnf2AzCbPEg+d3s33AioRGihWQyT2/xVYOPxHvXLwnVR6O9cGJVncYiwm
NgjKIzOBmU0M8xbfBQnBn/mPPc4FuWr8uoUII7WimZTzF70ecBqIRe0GJx1iWU62YzEmI4+e
dU2pYjhsgMvCXi+RdmD3I9xIjw5G1GKiEg7QAvhR36E03l4xWwCGw4xjWdgP1Y8N1sCZI8Lz
n6o1ujbjniNOyhF/1NvKqAP8DMOyU6kIbYFPSC+mZSNrfhJEqTXlsxhYhSxoR+1yheEhr3tOqlD
ECQdvPYx/J3j5jqtyShO6u45u3nX7pMe0+y+69e62rFZ6c8FRELME9

Site B Network details

Remote VPN server (WAN IP address) – 22.23.24.25

Remote LAN Network – 172.23.9.0/24

Remote ID –dean@cyberoam.com

Remote RSA Key –

0sAQNr9SGiXrkaYfnZDK+AfBcIADiI+R7/wJjMcA+1q7E815lOxmaO5KZhOUtNaDuYNaALaOCM
7EQ8Fy7ocC9b1X+eEUbd4IteRuvuX/O9r9pb9NXktYwv+6r2CXDHm481+LKDhXYRCNHkpb0
NReS3fW/ygaEp8n3EgjDNm9+YrZE8rPzFc+3aeSkr0iX6EcjOokGusrn2qWAJk28KeV5WLfIHn
kbYYw83Dc85ijpWXvGwF0fWXSVnTSpCN6oR2J26CbnP41FKEeZn0lOP9YMkINFCiODf1qIEk4
utoTUrzJyOnBP0hVQ6ZEA1Z4qmTrJRcooyv2IKG90qNCkOPwW5eyG1

 

 

Site A Configuration

The configuration is to be done from Site A’s Cyberoam Web Admin Console using profile having read-write administrative rights for relevant feature(s). 

Step 1: Create IPSec Connection 

To create a new IPSec connection, go to VPN > IPSec > Connection and click Add. Create the connection using the following parameters.

Name: SiteA_to_SiteB
    Name to identify the IPSec connection.
Connection Type: Site to Site
    Type of connection. Available options: Remote Access, Site to Site, Host to Host.
Policy: DefaultHeadOffice
    Policy to be used for the connection.
Action on VPN Restart: Respond Only
    Action taken for the connection on VPN restart. Available options: Respond Only, Initiate, Disable.

Authentication details
Authentication Type: RSA Key
    Authentication type; the types offered depend on the connection type.
Local RSA Key: <Site A Cyberoam RSA Key>
    Site A's own RSA public key. Give this value to the Site B administrator.
Remote RSA Key: <Site B Cyberoam RSA Key>
    Site B's RSA public key, as received from the Site B administrator.

Endpoint details
Local: PortB-14.15.16.17
    Local port that acts as the end-point of the tunnel.
Remote: 22.23.24.25
    IP address of the remote end-point.

Local network details
Local Subnet: 10.5.6.0/24
    Local LAN address(es). Add and remove addresses with the Add and Remove buttons.

Remote network details
Remote LAN Network: 172.23.9.0/24
    Remote LAN address(es). Add and remove addresses with the Add and Remove buttons.

Click OK to create the IPSec connection.

Step 2: Activate Connection

On clicking OK, the following screen is displayed showing the connection created above.

Click the icon under Status (Active) to activate the connection.
 

Site B Configuration

The configuration is to be done from Site B’s Cyberoam Web Admin Console using profile having read-write administrative rights for relevant feature(s).

Step 1: Create IPSec Connection

To create a new IPSec connection, go to VPN > IPSec > Connection and click Add. Create the connection using the following parameters.

Name: SiteB_to_SiteA
    Name to identify the IPSec connection.
Connection Type: Site to Site
    Type of connection. Available options: Remote Access, Site to Site, Host to Host.
Policy: DefaultBranchOffice
    Policy to be used for the connection.
Action on VPN Restart: Initiate
    Action taken for the connection on VPN restart. Available options: Respond Only, Initiate, Disable.

Authentication details
Authentication Type: RSA Key
    Authentication type; the types offered depend on the connection type.
Local RSA Key: <Site B Cyberoam RSA Key>
    Site B's own RSA public key. Give this value to the Site A administrator.
Remote RSA Key: <Site A Cyberoam RSA Key>
    Site A's RSA public key, as received from the Site A administrator.

Endpoint details
Local: PortB-22.23.24.25
    Local port that acts as the end-point of the tunnel.
Remote: 14.15.16.17
    IP address of the remote end-point.

Local network details
Local Subnet: 172.23.9.0/24
    Local LAN address(es). Add and remove addresses with the Add and Remove buttons.

Remote network details
Remote LAN Network: 10.5.6.0/24
    Remote LAN address(es). Add and remove addresses with the Add and Remove buttons.

Click OK to create the IPSec connection.

Step 2: Activate and Establish Connection

On clicking OK, the following screen is displayed showing the connection created above.

Click the icons under Status (Active) and Status (Connection) to activate and establish the connection.

The above configuration establishes an IPSec connection between the two sites.


Note:

-   Make sure that firewall rules allowing LAN to VPN and VPN to LAN traffic are configured.
-   In a Head Office and Branch Office setup the Branch Office usually acts as the tunnel initiator and the Head Office as the responder, for two reasons:
    •   Branch Offices and other remote sites often have dynamic IP addresses, so the Head Office cannot initiate the connection.
    •   There can be many Branch Offices; having each Branch Office retry its own connection keeps the Head Office from retrying all of them and reduces its load.
-   The RSA keys exchanged here are public keys; each appliance's private key never leaves it. Exchange the public keys over a trusted channel (not over the link being secured) and confirm them with the remote administrator, since a wrong or substituted key either prevents the tunnel from coming up or lets whoever substituted it authenticate as the peer.

Document Version: 1.0 – 28/10/2013

1.4.4. Why am I not able to establish IPSec Connection when remote VPN peer is configured with a private/non-routable IP Address?

Applicable Version: 10.00 onwards

If the remote IPSec VPN peer is configured with a private, non-routable IP address, i.e. a NATting device exists between the two VPN endpoints, the tunnel fails to come up. ESP packets carry no UDP/TCP port numbers, so the NAT device has nothing with which to map them back to the inside host, and the address rewriting itself upsets IKE. NAT Traversal (NAT-T) solves this: the peers detect the NAT during IKE and encapsulate ESP in UDP on port 4500, which the NAT device can handle like any other UDP flow. To connect to such a peer, enable NAT Traversal on the IPSec connection, and make sure UDP ports 500 and 4500 are allowed through the NAT device towards the appliance.

To enable NAT Traversal on a configured VPN connection, select the required IPSec connection under VPN > IPSec > Connection and enable Allow NAT Traversal, as shown below.

Note:

By default, NAT Traversal is disabled for Site-to-Site IPSec connections.

Document Version: 1.1 - 28/10/2013

1.4.5. Apply NAT over Site-to-Site VPN connection
Applicable Version: 10.00 onwards

Scenario

Consider the following network wherein both the Head Office (HO) LAN and the Branch Office (BO) LAN use the same internal IP scheme.

Network Parameters

HO Network details

Local Server (WAN IP address) – 192.168.20.105

Local LAN address – 172.16.16.0/24

Local NATted Address – 172.16.15.0/24

BO Network details

VPN server (WAN IP address) – 192.168.20.191

LAN Network – 172.16.16.0/24

NATted Address – 172.16.17.0/24

As a result, each VPN endpoint cannot tell its own network from the remote one. A request from HO to host 172.16.16.10 in BO is answered by host 172.16.16.10 in HO itself: the destination lies in the local LAN, so the packet is delivered locally and never reaches the tunnel. The same happens in the other direction.

As a solution, Cyberoam provides NAT over VPN, which presents each LAN to the peer under a distinct dummy address range (the NATed LAN) so that the two can be told apart. In the example, hosts at HO reach BO hosts through BO's NATed range 172.16.17.0/24 and hosts at BO reach HO hosts through 172.16.15.0/24; the appliance at each end translates between its real 172.16.16.0/24 addresses and its NATed range. This article describes how to configure an IPSec connection using NATed LANs.

HO Configuration

The configuration is to be done from HO Cyberoam Web Admin Console using profile having read-write administrative rights for relevant feature(s). 

Step 1: Create IPSec Connection 

To create a new IPSec connection, go to VPN > IPSec > Connection and click Add. Create the connection using the following parameters.

Name: HO_to_BO
    Name to identify the IPSec connection.
Connection Type: Site to Site
    Type of connection. Available options: Remote Access, Site to Site, Host to Host.
Policy: DefaultHeadOffice
    Policy to be used for the connection.
Action on VPN Restart: Respond Only
    Action taken for the connection on VPN restart. Available options: Respond Only, Initiate, Disable.

Authentication details
Authentication Type: Preshared Key
    Authentication type; the types offered depend on the connection type.
Preshared Key: 123456789
    Must be the same as the key configured at the remote site. The value shown is a placeholder; use a long random key in production.

Endpoint details
Local: PortB-192.168.20.105
    Local port that acts as the end-point of the tunnel.
Remote: 192.168.20.191
    IP address of the remote end-point.

Local network details
Local Subnet: 172.16.15.0/24
    The address range under which the local LAN is presented to the peer. It is what goes into the tunnel's selectors and what BO configures as its Remote LAN Network.
NATed LAN: 172.16.16.0/24
    The real local LAN. With NAT Local LAN configured, select it as an IP Host or Network Host from the list (an IP Host can also be added with the Add IP Host link); the appliance translates its addresses to and from the Local Subnet range.

Remote network details
Remote LAN Network: 172.16.17.0/24
    The remote LAN as presented by the peer, i.e. BO's NATed range. Add and remove addresses with the Add and Remove buttons.

Click OK to create the IPSec connection.

Step 2: Activate Connection

On clicking OK, the following screen is displayed showing the connection created above.

Click the icon under Status (Active) to activate the connection.

BO Configuration

The configuration is to be done from BO Cyberoam Web Admin Console using profile having read-write administrative rights for relevant feature(s).

Step 1: Create IPSec Connection

To create a new IPSec connection, go to VPN > IPSec > Connection and click Add. Create the connection using the following parameters. 

Name: BO_to_HO
    Name to identify the IPSec connection.
Connection Type: Site to Site
    Type of connection. Available options: Remote Access, Site to Site, Host to Host.
Policy: DefaultBranchOffice
    Policy to be used for the connection.
Action on VPN Restart: Initiate
    Action taken for the connection on VPN restart. Available options: Respond Only, Initiate, Disable.

Authentication details
Authentication Type: Preshared Key
    Authentication type; the types offered depend on the connection type.
Preshared Key: 123456789
    Must be the same as the key configured at the remote site. The value shown is a placeholder; use a long random key in production.

Endpoint details
Local: PortB-192.168.20.191
    Local port that acts as the end-point of the tunnel.
Remote: 192.168.20.105
    IP address of the remote end-point.

Local network details
Local Subnet: 172.16.17.0/24
    The address range under which the local LAN is presented to the peer. It is what goes into the tunnel's selectors and what HO configures as its Remote LAN Network.
NATed LAN: 172.16.16.0/24
    The real local LAN. With NAT Local LAN configured, select it as an IP Host or Network Host from the list (an IP Host can also be added with the Add IP Host link); the appliance translates its addresses to and from the Local Subnet range.

Remote network details
Remote LAN Network: 172.16.15.0/24
    The remote LAN as presented by the peer, i.e. HO's NATed range. Add and remove addresses with the Add and Remove buttons.

Click OK to create the IPSec connection.


Step 2: Activate and Establish Connection

On clicking OK, the following screen is displayed showing the connection created above.

Click the icons under Status (Active) and Status (Connection) to activate and establish the connection.

 

The above configuration establishes an IPSec connection between the HO and BO. 

Note:

-   Make sure that firewall rules allowing LAN to VPN and VPN to LAN traffic are configured.
-   In a Head Office and Branch Office setup the Branch Office usually acts as the tunnel initiator and the Head Office as the responder, for two reasons:
    •   Branch Offices and other remote sites often have dynamic IP addresses, so the Head Office cannot initiate the connection.
    •   There can be many Branch Offices; having each Branch Office retry its own connection keeps the Head Office from retrying all of them and reduces its load.
-   The preshared key is the only thing that authenticates the peer. Use a long random key rather than a value like 123456789, give each connection its own key, and hand it to the remote administrator over a trusted channel.
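The translation this article configures, as an added example in Python (not from the original article and not Cyberoam code): it shows why a plain tunnel cannot work when both LANs are 172.16.16.0/24, follows a packet from a HO host to a BO host and back through the NATed ranges, and checks that the two connections mirror each other's subnets. The host addresses are constructed; the networks are the article's.

```python
import ipaddress

# Networks from the article: both sites use 172.16.16.0/24 and present
# themselves to the peer under a distinct NATed range.
HO_LAN, HO_NATTED = "172.16.16.0/24", "172.16.15.0/24"
BO_LAN, BO_NATTED = "172.16.16.0/24", "172.16.17.0/24"


def needs_nat(local_lan, remote_lan):
    """True when the LANs overlap, i.e. a plain tunnel could not tell them apart."""
    return ipaddress.ip_network(local_lan).overlaps(ipaddress.ip_network(remote_lan))


def netmap(addr, from_net, to_net):
    """1:1 translation: keep the host part of addr, swap the network prefix.
    This is what the NATed LAN setting does on each appliance."""
    addr = ipaddress.ip_address(addr)
    src, dst = ipaddress.ip_network(from_net), ipaddress.ip_network(to_net)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("real LAN and NATed range must be the same size")
    if addr not in src:
        raise ValueError(f"{addr} is not in {src}")
    host_bits = int(addr) - int(src.network_address)
    return str(ipaddress.ip_address(int(dst.network_address) + host_bits))


def classify_from_ho(dst):
    """Where a packet sent by a HO host ends up, judged by destination alone."""
    dst = ipaddress.ip_address(dst)
    if dst in ipaddress.ip_network(HO_LAN):
        return "local"      # answered by a HO host; never reaches the tunnel
    if dst in ipaddress.ip_network(BO_NATTED):
        return "tunnel"     # matches the IPSec selector for the remote LAN
    return "wan"


def trace(src_host, dst_addr, src_lan, src_natted, dst_lan, dst_natted):
    """(hop, src, dst) seen on the sending LAN, inside the tunnel and on the
    receiving LAN for a packet from src_host to the peer's NATed address."""
    hops = [("sender LAN", src_host, dst_addr)]
    # Sending appliance: translate the source into its NATed range so the
    # packet matches the tunnel's local selector, then encrypt it.
    src_in_tunnel = netmap(src_host, src_lan, src_natted)
    hops.append(("tunnel", src_in_tunnel, dst_addr))
    # Receiving appliance: translate the destination back to the real LAN.
    hops.append(("receiver LAN", src_in_tunnel, netmap(dst_addr, dst_natted, dst_lan)))
    return hops


def ho_to_bo(ho_host, bo_real_host):
    """A HO host reaching a BO host must address it by its NATed address."""
    dst = netmap(bo_real_host, BO_LAN, BO_NATTED)
    return trace(ho_host, dst, HO_LAN, HO_NATTED, BO_LAN, BO_NATTED)


def bo_reply(bo_real_host, ho_natted_src):
    """The BO host answers the HO host's NATed address; HO un-translates it."""
    return trace(bo_real_host, ho_natted_src, BO_LAN, BO_NATTED, HO_LAN, HO_NATTED)


def selectors_mirror(ho_local, ho_remote, bo_local, bo_remote):
    """The two connections must describe the same pair of NATed ranges."""
    net = ipaddress.ip_network
    return net(ho_local) == net(bo_remote) and net(ho_remote) == net(bo_local)


if __name__ == "__main__":
    print("overlap, NAT needed:", needs_nat(HO_LAN, BO_LAN))
    for hop in ho_to_bo("172.16.16.5", "172.16.16.10") + bo_reply("172.16.16.10", "172.16.15.5"):
        print("%-13s %s -> %s" % hop)
```

A HO host that addresses the BO server by its real address 172.16.16.10 is classified as local and never leaves the HO LAN, which is the failure described above; the same host addressing 172.16.17.10 is carried through the tunnel with its own source translated to 172.16.15.x, so the reply is unambiguous at both ends.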

 

 

Document Version 1.3 – 11 July, 2014

1.4.6. How to regenerate RSA Key?

Applicable Version: 10.00 onwards

RSA Key Authentication is a mechanism in which each VPN peer holds an RSA key pair. The private key stays on the appliance that generated it; the public key is what the Web Admin Console shows as the Local RSA Key and what you paste into the peer's Remote RSA Key field. During IKE negotiation each side signs with its private key and the other side verifies the signature with the public key it was given; that is how the peers prove their identity to each other. The keys do not themselves encrypt the VPN traffic, which is protected by session keys negotiated by IKE. It is still good practice to regenerate the key pair periodically and whenever you suspect the private key has been exposed: the longer a key stays in use, the longer a compromise of it would let an attacker authenticate as that appliance.

 

Cyberoam allows you to regenerate RSA keys when required. To regenerate the RSA key, follow the steps given below.

1.    Log in to the Cyberoam CLI using administrator credentials.

2.    Choose Option 6. VPN Management.

3.    Under the VPN Management menu, choose Option 1. Regenerate RSA Key.

The above steps regenerate the RSA key pair. The appliance's public key changes, so every remote peer that still has the old value as its Remote RSA Key stops authenticating this appliance until it is updated with the new key; plan the regeneration so that both sides are updated together.
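The Local RSA Key and Remote RSA Key values in the site-to-site article (1.4.3) and the key regenerated here are the appliance's RSA public key in the "0s" notation of Openswan-derived IPsec stacks, i.e. base64 of the RFC 3110 layout (one length byte, the public exponent, then the modulus); the keys printed in 1.4.3 start with 0sAQN, which decodes to a one-byte exponent of 3. As an added example, not from the original article and not Cyberoam code, the following Python decodes such a key while tolerating the line wrapping that copying from a document introduces, reports exponent and modulus size, and gives a fingerprint that two administrators can compare after a regeneration. SAMPLE_N is a constructed odd 2048-bit integer, not a real modulus.

```python
import base64
import hashlib

# Constructed odd 2048-bit integer standing in for a modulus; NOT a real RSA key.
SAMPLE_N = (1 << 2047) | 0x10001


def encode_rsa_key(e, n):
    """Serialise the public key (e, n) in RFC 3110 layout, base64 with the
    '0s' prefix: [exponent length][exponent][modulus]."""
    exp = e.to_bytes((e.bit_length() + 7) // 8, "big")
    hdr = bytes([len(exp)]) if len(exp) < 256 else b"\x00" + len(exp).to_bytes(2, "big")
    mod = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return "0s" + base64.b64encode(hdr + exp + mod).decode()


def decode_rsa_key(text):
    """Parse a '0s...' key. Whitespace and line breaks (from copying a wrapped
    key out of a document) are ignored and missing base64 padding restored."""
    compact = "".join(text.split())
    if not compact.startswith("0s"):
        raise ValueError("expected the '0s' (base64) prefix")
    b64 = compact[2:]
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4), validate=True)
    if len(raw) < 3:
        raise ValueError("key too short")
    if raw[0] != 0:
        elen, pos = raw[0], 1                              # one-byte length form
    else:
        elen, pos = int.from_bytes(raw[1:3], "big"), 3     # two-byte length form
    e = int.from_bytes(raw[pos:pos + elen], "big")
    n = int.from_bytes(raw[pos + elen:], "big")
    if elen == 0 or e == 0 or n == 0:
        raise ValueError("truncated or malformed key")
    return {"e": e, "n": n, "bits": n.bit_length(),
            "fingerprint": hashlib.sha256(raw).hexdigest()}


def check_rsa_key(text, min_bits=2048):
    """Decode a key a peer sent you and list anything worth a second look
    before pasting it into the Remote RSA Key field."""
    key = decode_rsa_key(text)
    problems = []
    if key["bits"] < min_bits:
        problems.append(f"modulus is {key['bits']} bits, below {min_bits}")
    if key["n"] % 2 == 0:
        problems.append("modulus is even: not an RSA modulus, probably corrupted")
    if key["e"] == 3:
        problems.append("public exponent 3 (legacy default); current tools use 65537")
    return key, problems


def keys_match(a, b):
    """True if two pasted keys are the same key regardless of wrapping. Use it
    to confirm a remote peer holds the regenerated key, not the old one."""
    return decode_rsa_key(a)["fingerprint"] == decode_rsa_key(b)["fingerprint"]


if __name__ == "__main__":
    key, problems = check_rsa_key(encode_rsa_key(65537, SAMPLE_N))
    print(f"e={key['e']} bits={key['bits']} sha256={key['fingerprint']}")
    print("problems:", problems or "none")
```

After a regeneration, run check_rsa_key over the key the remote administrator pasted back and compare its fingerprint with the one computed on the regenerated appliance; a mismatch means the peer is still configured with the old key (or with a corrupted copy) and the tunnel will not authenticate.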

 

 

 







Document Version: 1.0 – 09/09/2013

1.4.7. Route all BO Internet Traffic through HO ISP Gateway

Applicable Version: 10.00 onwards
 
Scenario
 
Route all Branch Office (BO) Internet traffic through Head Office (HO) ISP link via IPSec VPN tunnel.
 

Configuration

You can route all BO traffic through HO by following the steps given below. Configuration is to be done from Cyberoam Web Admin Console using Administrator profile.

Step 1: Establish IPSec Connection between HO and BO

Configure an IPSec connection between HO and BO with the following parameters:

Head Office
    Local Subnet: Any
    Remote Subnet: BO LAN

Branch Office
    Local Subnet: BO LAN
    Remote Subnet: Any

With Any as the remote subnet on the BO side, every packet leaving the BO LAN, Internet traffic included, matches the tunnel and is carried to HO. Refer to the article How To - Establish Site-to-Site IPSec Connection using Preshared key for detailed configuration of the IPSec connection.

Step 2: Create VPN-WAN Firewall Rule

Create a VPN-WAN firewall rule to allow all traffic arriving from the VPN tunnel to leave through the WAN port to the HO ISP gateway. To create the rule, go to Firewall > Rule > Rule and click Add to add a new rule as shown below. The rule must apply source NAT (Cyberoam's default MASQ NAT policy) so that the BO hosts' private addresses are translated to the HO WAN address before the traffic reaches the ISP; without it the replies have no route back. Bear in mind that the HO link now carries, and the HO appliance's web and application policies now govern, all of BO's Internet traffic.

Click OK to save the rule.

Document Version: 1.0 – 27/04/2013

1.4.8. Configure a Virtual Host over VPN


Applicable Version: 10.00 onwards

Scenario

Configure a Virtual Host over VPN such that an RDP Server with a Private IP Address (172.16.16.10) situated at the Branch Office can be bound to a Head Office Public IP Address (192.168.2.1). Users over the Internet can access the BO RDP Server using HO’s Public IP Address.

Prerequisite

There should be Site-to-Site IPSec VPN Connectivity between Head Office and Branch Office. For details on how to configure a Site-to-Site IPSec connection, refer to the following articles: 

-   Establish Site-to-Site IPSec Connection using Preshared key
-   Establish Site-to-Site VPN Connection using RSA Keys

Configuration

You can configure a virtual host over VPN by following the steps given below on HO Cyberoam. You must be logged on to the Web Admin Console as an administrator with Read-Write permission for the relevant feature(s).

Step 1: Create Virtual Host

On HO Cyberoam, go to Firewall > Virtual Host > Virtual Host and click Add to create a virtual host with the following parameters.
 
 

Parameter Description

Parameter | Value | Description
Name | BO_RDP_Server | Name to identify the Virtual Host.
IP Family | IPv4 | Select the IP Family to create the Virtual Host.
External IP | PortB – 192.168.2.1 | The IP address through which Internet users access the internal server/host.
Mapped IP | 172.16.16.10 | The IP address/IP Range of the internal server/host.
Physical Zone | VPN | LAN, WAN, DMZ, VPN or custom zone of the mapped IP address(es). For example, if the mapped IP address represents an internal server, it is the zone in which the server physically resides.
Port Forwarding
Enable Port Forwarding | Enabled | Click to enable service port forwarding. If Port Forwarding is enabled, the following options are available.
Protocol | TCP | Select the protocol (TCP or UDP) that the forwarded packets use.
External Port Type | Port | Click to specify whether the port mapping is a single port or a range of ports.
External Port | 3389 | Specify the public port number for which port forwarding is configured.
Mapped Port Type | Port | Click to specify whether the port mapping is a single port or a range of ports.
Mapped Port | 3389 | Specify the mapped port number on the destination network to which the public port number is mapped.


Click OK to create the Virtual Host.
 

After clicking OK, the Add Firewall Rules For Virtual Host pop-up window opens. Click Cancel to close the window. For configuring firewall rules, refer to Step 4.

Step 2: Add IPSec Route

Add an IPSec Route to route all WAN traffic that is destined for the BO RDP Server into the IPSec tunnel. To add the IPSec route:

•  Log on to the CLI Console (Telnet or SSH).

•  Choose option 4 – Cyberoam Console and press Enter.

•  Execute the command:

  console> Cyberoam ipsec_route add host 172.16.16.10 tunnelname HO_to_BO_IPSec

  Where ‘172.16.16.10’ is the BO RDP Server and ‘HO_to_BO_IPSec’ is the IPSec connection between the HO and BO.

Step 3: Configure NAT Policy

The RDP-server-destined traffic from the Internet carries public IP addresses as its source IPs, and those addresses are not part of the subnets negotiated for the IPSec tunnel. Hence, it is not forwarded over the tunnel.

As a solution to this, configure a NAT Policy to NAT the incoming RDP-server-destined traffic to a BO LAN IP Address. This ensures accessibility of the BO RDP Server. To create a NAT Policy, go to Firewall > NAT Policy > NAT Policy and click Add to create a NAT Policy using the following parameters.
 
 

Parameter Description

Parameter | Value | Description
Name | BO_RDP_Server | Name to identify the NAT Policy.
IP Address | 10.10.10.25 | Specify the IP address for source NATting. It should be an unused IP address from the Head Office.


Step 4: Add Firewall Rule

Add a WAN-to-VPN Firewall Rule to allow RDP-server-destined traffic. To create the Firewall Rule, go to Firewall > Rule > Rule and click Add to create a new firewall rule using the following parameters.

Parameter Description

Parameter | Value | Description
Name | BO_RDP_Server_Allow | Specify a name to identify the Firewall Rule.
Zone | Source: WAN; Destination: VPN | Specify the source and destination zones to which the rule applies.
Network/Zone | Source: Any IP Address; Destination: BO_RDP_Server (Virtual Host created in Step 1) | Specify the source and destination host or network address to which the rule applies.
Schedule | All the time | Select the schedule for the rule.
Action | Accept | Select the rule action.
Apply NAT | BO_RDP_Server (NAT Policy created in Step 3) | Select the NAT policy to be applied.





Document Version: 1.3 – 9 July, 2014
1.4.9. Configure IPSec VPN Connection with Multiple End Points

Applicable Version: 10.04.00 Build 214 onwards
 
Overview 
Cyberoam facilitates VPN failover by allowing you to set multiple remote endpoints for a single IPSec connection. In other words, one IPSec connection can terminate on multiple remote servers/gateways and failover can be configured over those terminals. This configuration of multiple endpoints and failover condition is done in the same page as the standard IPSec connection configuration. This article describes how you can configure an IPSec VPN connection with Multiple Endpoints.  

Scenario

The diagram below shows the schema of the Branch Office (BO) and Head Office (HO) network.
 
 
 
 
 
Connect BO with HO via an IPSec VPN connection with Two (2) Endpoints, namely ISP1 (195.229.241.245) and ISP2 (213.42.25.20). Configure connection failover between both these endpoints such that if one goes down, traffic is automatically diverted to the other active endpoint.
 

Configuration

You can configure an IPSec VPN connection with multiple endpoints by following the steps given below. Configuration is done from the Web Admin Console using the Administrator profile.

Step 1: Create IPSec Connection on BO

Go to VPN > IPSec > Connection and click Add to create an IPSec connection using parameters given below.
 
Parameter | Value | Description
General Settings
Name | BO_to_HO | Name to identify the IPSec Connection
Connection Type | Site to Site | Select the type of connection
Policy | DefaultBranchOffice | Select the policy to be used for the connection
Action on VPN Restart | Initiate | Select the action when VPN services are restarted.
Authentication Details
Authentication Type | Preshared Key | Select the type of authentication used while establishing a connection.
Preshared Key | hr5xb84l6aa9r6 | Specify the Preshared Key to be used during authentication
Endpoint Details
Endpoint1 | Local: PortB-203.88.135.105; Remote: 192.229.241.245; Name: BO_to_HO_ISP1 | Mention the details of the first set of endpoints.
Endpoint2 | Local: PortB-203.88.135.105; Remote: 213.42.25.20; Name: BO_to_HO_ISP2 | Mention the details of the second set of endpoints.
Failover Group Name | Head_Office | Name to identify the group of endpoints.
Failover Mail Notification | Enabled | Enable if you want Cyberoam to send emails to the configured email address when failover takes place. Note: Emails can be sent only if an SMTP Server is configured from System > Configuration > Notification.
Failover Condition | IF Not able to Connect TCP Port 80 AND Not able to Connect PING On Remote VPN Server THEN ‘SHIFT to next Active Connection’ | Mention the condition on which Cyberoam decides that a connection has gone down and failover is needed.
Local Network Details
Local Subnet | 172.16.16.0/24 | Specify the Local Subnet. Multiple subnets can be added.
Remote Network Details
Allow NAT Traversal | Disable |
Remote LAN Network | 192.168.1.0/24 | Select the IP addresses and netmask of the remote network(s) with which the connection is to be made.

 
 
 
Click OK to create IPSec connection.  

Step 2: Activate Connection

On clicking OK, the following screen is displayed showing the connections created above. 
 

  
Click the icon under Status (Active) to activate the connections.
 
 
 

Step 3: Create Corresponding IPSec Connections at HO

Similarly, create the corresponding IPSec connection at the HO. Refer to the article How To – Establish Site-to-Site IPSec Connection using Preshared key for instructions if Cyberoam appliances are deployed at the HO. Otherwise, refer to the documentation of the respective vendor(s).

Step 4: Establish connections

Once all Cyberoam Appliances at the Head and Branch Offices are configured, establish the connection between them. Click the icon under Status (Connection) of the primary connection. Here the primary connection is BO_to_HO_ISP1.
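The Failover Condition from the Step 1 table, modelled as an added example (not Cyberoam code): the two probes are injected as functions so the "TCP port 80 AND ping" logic and the shift to the next active endpoint can be exercised offline with constructed probe outcomes. A real monitor would plug in a TCP connect and an ICMP echo in place of the set lookups.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set, Tuple

Probe = Callable[[str], bool]   # returns True when the check succeeds


@dataclass
class Endpoint:
    name: str
    remote: str


@dataclass
class FailoverGroup:
    name: str
    endpoints: List[Endpoint]
    active: int = 0                       # index of the endpoint carrying traffic
    events: List[str] = field(default_factory=list)


def endpoint_down(remote: str, tcp80: Probe, ping: Probe) -> bool:
    """The table's condition: down only if TCP/80 fails AND ping fails.
    Because it is AND rather than OR, a remote gateway that drops ICMP but
    still answers on port 80 does not trigger a spurious failover."""
    return (not tcp80(remote)) and (not ping(remote))


def evaluate(group: FailoverGroup, tcp80: Probe, ping: Probe,
             notify: Optional[Callable[[str], None]] = None) -> Optional[str]:
    """One monitoring pass.  Starting at the current endpoint, take the first
    one that is up ('SHIFT to next Active Connection').  Returns its name, or
    None when every endpoint in the group is down."""
    n = len(group.endpoints)
    for offset in range(n):
        idx = (group.active + offset) % n
        ep = group.endpoints[idx]
        if endpoint_down(ep.remote, tcp80, ping):
            continue
        if idx != group.active:
            msg = (f"{group.name}: shifted from "
                   f"{group.endpoints[group.active].name} to {ep.name}")
            group.events.append(msg)
            if notify:             # Failover Mail Notification hook
                notify(msg)
            group.active = idx
        return ep.name
    group.events.append(f"{group.name}: no endpoint reachable")
    return None


# The article's group: BO_to_HO_ISP1 (195.229.241.245) and BO_to_HO_ISP2
# (213.42.25.20), failover group Head_Office.
def new_group() -> FailoverGroup:
    return FailoverGroup("Head_Office", [
        Endpoint("BO_to_HO_ISP1", "195.229.241.245"),
        Endpoint("BO_to_HO_ISP2", "213.42.25.20"),
    ])


def simulate(tcp_ok: Set[str], ping_ok: Set[str]) -> Tuple[Optional[str], List[str]]:
    """Run one pass with constructed probe outcomes instead of real sockets:
    tcp_ok / ping_ok are the remote addresses that answered each probe."""
    group = new_group()
    active = evaluate(group, lambda r: r in tcp_ok, lambda r: r in ping_ok)
    return active, group.events


if __name__ == "__main__":
    isp1, isp2 = "195.229.241.245", "213.42.25.20"
    print(simulate({isp1, isp2}, {isp1, isp2}))   # both up: stays on ISP1
    print(simulate({isp1, isp2}, {isp2}))         # ISP1 drops ICMP only: no shift
    print(simulate({isp2}, {isp2}))               # ISP1 fully down: shift to ISP2
    print(simulate(set(), set()))                 # all down: None
```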
 
 
 
 




                                                                           
Document Version: 2.0 - 6 February, 2015
1.4.10. Bypass IPSec VPN Traffic

Applicable Version: 10.00 onwards

Scenario

Cyberoam should bypass the IPSec VPN traffic between Site A and Site B, in other words, between Router A and Firewall B. The network schema is as given below. 

 

Configuration

Cyberoam can bypass IPSec VPN traffic if its UDP ports 500 and 4500 are open from both the WAN and LAN sides. To open the ports, follow the steps given below. You must be logged on to the Web Admin Console as an administrator with Read-Write permission for the relevant feature(s).

Step 1: Create Virtual Host for UDP port 500

Go to Firewall > Virtual Host > Virtual Host and click Add to create a new virtual host according to the parameters given below.

Parameter | Value | Description
Basic Settings
Name | UDP_Port_500 | Name to identify the Virtual Host.
IP Family | IPv4 | Select the IP Family.
External IP | PortC – 10.10.1.1 | The IP address through which Internet users access the internal server/host.
Mapped IP | 172.16.16.20 | The IP address of the internal server/host.
Physical Zone | LAN | LAN, WAN, DMZ, VPN or custom zone of the mapped IP address(es). For example, if the mapped IP address represents an internal server, it is the zone in which the server physically resides.
Port Forwarding
Enable Port Forwarding | Enabled | Click to enable service port forwarding. If Port Forwarding is enabled, the following options are available.
Protocol | UDP | Select the protocol (TCP or UDP) that the forwarded packets use.
External Port Type | Port | Select the type of external port from the available options: Port, Port Range and Port List.
External Port | 500 | Specify the public port number for which port forwarding is configured.
Mapped Port Type | Port | Select the type of mapped port from the available options: Port, Port Range and Port List.
Mapped Port | 500 | Specify the mapped port number on the destination network to which the public port number is mapped.


On clicking OK, you are asked to create Firewall Rules to allow access to the virtual host created.

Step 2: Add Firewall Rule

On clicking OK, the following screen is displayed prompting you to create Firewall Rules.
 
 

Enable Add Firewall Rule(s) For Virtual Host and specify parameters shown in the screen as required. Click Add Rule(s) to add the firewall rule. The above firewall rule forwards all traffic from port 500 on WAN side to port 500 on the LAN side.

Step 3: Create Virtual Host for UDP port 4500

Go to Firewall > Virtual Host > Virtual Host and click Add to create a new virtual host according to parameters given below.

Parameter | Value | Description
Basic Settings
Name | UDP_Port_4500 | Name to identify the Virtual Host.
IP Family | IPv4 | Select the IP Family.
External IP | PortC – 10.10.1.1 | The IP address through which Internet users access the internal server/host.
Mapped IP | 172.16.16.20 | The IP address of the internal server/host.
Physical Zone | LAN | LAN, WAN, DMZ, VPN or custom zone of the mapped IP address(es). For example, if the mapped IP address represents an internal server, it is the zone in which the server physically resides.
Port Forwarding
Enable Port Forwarding | Enabled | Click to enable service port forwarding. If Port Forwarding is enabled, the following options are available.
Protocol | UDP | Select the protocol (TCP or UDP) that the forwarded packets use.
External Port Type | Port | Select the type of external port from the available options: Port, Port Range and Port List.
External Port | 4500 | Specify the public port number for which port forwarding is configured.
Mapped Port Type | Port | Select the type of mapped port from the available options: Port, Port Range and Port List.
Mapped Port | 4500 | Specify the mapped port number on the destination network to which the public port number is mapped.


On clicking OK, you are asked to create Firewall Rules to allow access to the virtual host created.

Step 4: Add Firewall Rule

On clicking OK, the following screen is displayed prompting you to create Firewall Rules.
 
 

Enable Add Firewall Rule(s) For Virtual Host and specify parameters shown in the screen as required. Click Add Rule(s) to add the firewall rule. The above firewall rule forwards all traffic from port 4500 on WAN side to port 4500 on the LAN side.

Note: 

Ensure that similar Firewall Rules exist which forward all traffic from ports 500 and 4500 on the LAN side to ports 500 and 4500 respectively on the WAN side.
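An added example (not Cyberoam code) for checking what actually crosses the two bypassed ports and whether both directions are covered: datagrams on 500 carry IKE, datagrams on 4500 carry either IKE behind the RFC 3948 non-ESP marker, UDP-encapsulated ESP, or a one-byte keepalive. The IKE header, ESP bytes and rule set below are constructed for the demonstration.

```python
import struct
from typing import Dict, List, Set, Tuple

IKE_PORT, NATT_PORT = 500, 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: IKE on 4500 is prefixed with 4 zero bytes


def parse_ike_header(data: bytes) -> Dict[str, object]:
    """Generic IKE header (28 bytes, same layout in IKEv1 and IKEv2)."""
    if len(data) < 28:
        raise ValueError("short IKE header")
    ispi, rspi, nxt, ver, exch, flags, msg_id, length = struct.unpack("!8s8sBBBBII", data[:28])
    return {"initiator_spi": ispi.hex(), "responder_spi": rspi.hex(),
            "version": f"{ver >> 4}.{ver & 0xF}", "exchange_type": exch,
            "next_payload": nxt, "flags": flags, "message_id": msg_id, "length": length}


def classify(dport: int, payload: bytes) -> Tuple[str, Dict[str, object]]:
    """Name what a datagram on the bypassed ports carries."""
    if dport == IKE_PORT:
        return "IKE", parse_ike_header(payload)
    if dport == NATT_PORT:
        if payload == b"\xff":                    # RFC 3948 NAT keepalive
            return "NAT-T keepalive", {}
        if payload[:4] == NON_ESP_MARKER:
            return "IKE over NAT-T", parse_ike_header(payload[4:])
        if len(payload) >= 8:                      # ESP: SPI then sequence number
            spi, seq = struct.unpack("!II", payload[:8])
            return "ESP in UDP", {"spi": spi, "seq": seq}
        raise ValueError("truncated ESP")
    return "other", {}


Rule = Tuple[str, str, int]   # (source zone, destination zone, UDP port)


def missing_return_rules(rules: Set[Rule]) -> List[Rule]:
    """The Note above: for every WAN->LAN rule on 500 or 4500 there must be a
    LAN->WAN rule on the same port, and vice versa.  Returns what is absent."""
    missing = []
    for src, dst, port in sorted(rules):
        if port in (IKE_PORT, NATT_PORT) and (dst, src, port) not in rules:
            missing.append((dst, src, port))
    return missing


def constructed_ike_sa_init() -> bytes:
    """Constructed IKEv2 IKE_SA_INIT request header: initiator SPI set,
    responder SPI zero, exchange type 34, Initiator flag, no payloads."""
    return struct.pack("!8s8sBBBBII", b"\x01\x02\x03\x04\x05\x06\x07\x08",
                       bytes(8), 0, 0x20, 34, 0x08, 0, 28)


if __name__ == "__main__":
    hdr = constructed_ike_sa_init()
    print(classify(IKE_PORT, hdr)[0])                                   # IKE
    print(classify(NATT_PORT, NON_ESP_MARKER + hdr)[0])                 # IKE over NAT-T
    print(classify(NATT_PORT, struct.pack("!II", 0xC0FFEE, 7) + b"x" * 16)[0])  # ESP in UDP
    print(missing_return_rules({("WAN", "LAN", 500), ("WAN", "LAN", 4500),
                                ("LAN", "WAN", 500)}))                  # LAN->WAN 4500 missing
```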

 

 






Document Version: 2.0 – 20 February, 2015

1.4.11. Allow Branch Office Users to Authenticate with Head Office Authentication Server

Applicable Version: 10.00 onwards

Scenario

This article describes how Cyberoam can be configured to allow Users in the Branch Office (BO) to authenticate with the Head Office (HO) AD Server. The network schema is as shown below.
 
 

In this example, we have shown Cyberoam connected with another Cyberoam Appliance. The traffic generated by Branch Office (BO) Cyberoam Appliance is to be routed to the Server 172.16.1.15 in Head Office (HO) network.

Prerequisites

-   IPSec connection is active and connected.

-   Both Head Office and Branch Office Cyberoam Appliances are integrated with the Head Office AD Server. To integrate Cyberoam with AD, refer to the article How To – Integrate Cyberoam with Active Directory.
 

Configuration
 
You can route Cyberoam initiated traffic through the IPSec VPN tunnel in Two (2) Ways:
 
1. Update in IPSec Connection

Branch Office

Include the WAN IP 192.168.20.178 as a Trusted Local Subnet in the IPSec configuration of BO Cyberoam:

- Go to VPN > IPSec > Connection and select the required IPSec connection.

- Add the WAN IP in Local Subnet under Local Network Details, as shown below.

Head Office

Include the WAN IP 192.168.20.178 as a Remote LAN Network in the IPSec configuration of HO Cyberoam:

- Go to VPN > IPSec > Connection and select the required IPSec connection.

- Add the WAN IP in Remote LAN Network under Remote Network Details, as shown below.

OR

2. Add IPSec Route at Branch Office

     Add an IPSec route and apply a Source NAT policy to BO Cyberoam-initiated traffic so that its source IP address is an internal IP:

     -  Go to the Cyberoam CLI Console.

     -  Choose option 4. Cyberoam Console.

     -  Execute the following command to add an IPSec Route for the destination host:

       console> cyberoam ipsec_route add host <IP Address of host> tunnelname <tunnel>

     -  Execute the following command to NAT the Cyberoam traffic to the desired public IP with the private LAN IP:

       console> set advanced-firewall cr-traffic-nat add destination <Destination IP/Network> snatip <NATed IP>
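Both the NAT Policy in Step 3 of article 1.4.8 and way 2 above rest on the same rule: a site-to-site SA only carries packets whose source and destination fall inside its negotiated selectors. The added example below (not Cyberoam code) simulates that check for both articles. It assumes subnets the articles do not state: HO LAN 10.10.10.0/24 and BO LAN 172.16.16.0/24 for 1.4.8; BO LAN 172.16.2.0/24 (interface 172.16.2.1) and HO LAN 172.16.1.0/24 for this article; the Internet client address and LDAP port 389 are illustrative.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Tunnel:
    name: str
    local_subnets: Tuple[str, ...]   # "Local Subnet" entries on this appliance
    remote_subnets: Tuple[str, ...]  # "Remote LAN Network" entries


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def selector_match(tunnel: Tunnel, pkt: Packet) -> bool:
    """A site-to-site SA only carries packets whose source lies in the
    local selector AND whose destination lies in the remote selector."""
    s, d = ip_address(pkt.src), ip_address(pkt.dst)
    return (any(s in ip_network(n) for n in tunnel.local_subnets)
            and any(d in ip_network(n) for n in tunnel.remote_subnets))


def dnat(pkt: Packet, external_ip: str, mapped_ip: str) -> Packet:
    """Virtual Host: rewrite the destination from External IP to Mapped IP."""
    if pkt.dst == external_ip:
        return Packet(pkt.src, mapped_ip, pkt.dport)
    return pkt


def snat(pkt: Packet, destination: str, snat_ip: str) -> Packet:
    """NAT policy / cr-traffic-nat: rewrite the source for matching destinations."""
    if ip_address(pkt.dst) in ip_network(destination):
        return Packet(snat_ip, pkt.dst, pkt.dport)
    return pkt


def forward(pkt: Packet, tunnel: Tunnel,
            steps: List[Callable[[Packet], Packet]]) -> Tuple[bool, Packet]:
    """Apply the NAT steps in order, then ask whether the tunnel accepts the
    result.  Returns (accepted, packet as it would enter the tunnel)."""
    for step in steps:
        pkt = step(pkt)
    return selector_match(tunnel, pkt), pkt


# 1.4.8: HO appliance, tunnel HO_to_BO_IPSec.  The article states only that
# 10.10.10.25 is an unused HO address, so the HO LAN is ASSUMED to be
# 10.10.10.0/24 and the BO LAN 172.16.16.0/24.
HO_TO_BO = Tunnel("HO_to_BO_IPSec", ("10.10.10.0/24",), ("172.16.16.0/24",))


def rdp_over_vpn(with_nat_policy: bool) -> Tuple[bool, Packet]:
    """Internet client (constructed address) -> Virtual Host -> tunnel."""
    client = Packet("203.0.113.7", "192.168.2.1", 3389)
    steps = [lambda p: dnat(p, "192.168.2.1", "172.16.16.10")]
    if with_nat_policy:   # Step 3 of 1.4.8
        steps.append(lambda p: snat(p, "172.16.16.10/32", "10.10.10.25"))
    return forward(client, HO_TO_BO, steps)


# 1.4.11: BO appliance with WAN IP 192.168.20.178 reaching the HO AD server
# 172.16.1.15.  BO LAN 172.16.2.0/24 with interface 172.16.2.1 and HO LAN
# 172.16.1.0/24 are ASSUMED (borrowed from the sibling syslog article).
BO_TO_HO = Tunnel("BO_to_HO", ("172.16.2.0/24",), ("172.16.1.0/24",))


def ad_auth_over_vpn(method: str) -> Tuple[bool, Packet]:
    """method: 'none', 'trusted_subnet' (way 1) or 'ipsec_route_snat' (way 2).
    Port 389 (LDAP) is illustrative; AD uses several ports."""
    pkt = Packet("192.168.20.178", "172.16.1.15", 389)
    tunnel, steps = BO_TO_HO, []
    if method == "trusted_subnet":
        # way 1: the WAN IP itself is added to Local Subnet / Remote LAN Network
        tunnel = Tunnel(tunnel.name,
                        tunnel.local_subnets + ("192.168.20.178/32",),
                        tunnel.remote_subnets)
    elif method == "ipsec_route_snat":
        # way 2: ipsec_route steers it to the tunnel, cr-traffic-nat rewrites src
        steps.append(lambda p: snat(p, "172.16.1.15/32", "172.16.2.1"))
    return forward(pkt, tunnel, steps)


if __name__ == "__main__":
    for label, result in [("RDP, no NAT policy", rdp_over_vpn(False)),
                          ("RDP, with NAT policy", rdp_over_vpn(True)),
                          ("AD, nothing", ad_auth_over_vpn("none")),
                          ("AD, way 1", ad_auth_over_vpn("trusted_subnet")),
                          ("AD, way 2", ad_auth_over_vpn("ipsec_route_snat"))]:
        ok, p = result
        print(f"{label:22s} {p.src} -> {p.dst}:{p.dport}  tunnel accepts: {ok}")
```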
 
      

Document Version: 1.1 – 3 February, 2015

1.4.12. Forward GRE Traffic over IPSec VPN Tunnel

Applicable Version: 10.00 onwards
 
Overview
 
Generic Routing Encapsulation (GRE) is a simple IP packet encapsulation protocol. GRE tunnels are mainly used as a means to carry other routed protocols across a predominantly IP network. They remove the need for any protocol other than IP for data transfer, which reduces much of the overhead on the network administrator’s part. Non-IP protocols such as IPX and AppleTalk are tunnelled through the IP core via GRE.

Generally, GRE tunnels are used in the following scenarios:

-       To carry Multicast traffic just like real network interface traffic.
-       To carry non-routable protocol traffic like NetBIOS or non-IP traffic over IP network.
-       To link two similar networks which are connected with different IP addressing.

Scenario

Create an IPSec tunnel between a Head Office network and a Branch Office network. The clients at the Branch Office are to connect to the Head Office Media Server. So we have created GRE tunnel over the IPSec connection to allow transfer of multicast traffic between the Head Office and Branch Office. The network scenario is described in the diagram below. 
 
 
 
Network Schema

Branch Office | Head Office
Cyberoam WAN IP Address – 202.134.168.208 | Cyberoam WAN IP Address – 202.134.168.202
LAN IP – 172.50.50.2 | LAN IP – 172.16.16.10
LAN Subnet – 172.50.50.0/24 | LAN Subnet – 172.16.16.0/24
GRE Tunnel Virtual IP – 5.5.5.1 | GRE Tunnel Virtual IP – 5.5.5.2
 | Media Server: Source IP – 172.16.16.2, Multicast IP – 225.0.0.1

Configuration
 
To forward GRE traffic over IPSec VPN connection, follow the steps given below. The configuration is to be done from the Web Admin Console using Administrator profile. 

Step 1: Create IPSec VPN Tunnel

Create an IPSec VPN tunnel between the Head Office and Branch Office. To know how to create an IPSec VPN connection, refer to the article How To - Establish Site-to-Site IPSec Connection using Preshared Key.
 
Note: 

In the IPSec configuration:

-       Make sure that the WAN IP of the Head Office Cyberoam is included in the Trusted Local Subnet at the Head Office side and in the Trusted Remote Subnet at the Branch Office side.
-       Similarly, make sure that the WAN IP of the Branch Office Cyberoam is included in the Trusted Local Subnet at the Branch Office side and in the Trusted Remote Subnet at the Head Office side.

Step 2: Create GRE Tunnel

Create a GRE Tunnel between the Head Office and the Branch Office. To know how to create a GRE tunnel, refer to the article How To – Configure a GRE Tunnel on Cyberoam. 

Step 3: Enable Multicast Forwarding in Cyberoam

Enable Multicast Forwarding on Cyberoam by going to Network > Static Route > Multicast and checking Enable Multicast Forwarding as shown below. 
 
 

Step 4: Add Static Multicast Routes

Add static multicast routes both at the Head Office and Branch Office. 

Head Office

Go to Network > Static Route > Multicast and click Add to add a new multicast route using the parameters given below. 
 
 
 
Parameter Description

Parameter | Value | Description
Source IPv4 Address | 172.16.16.2 | Specify the Source IP Address.
Source Interface | PortA – 172.16.16.10 | Select the Source Interface from the list.
Multicast IPv4 Address | 225.0.0.1 | Specify the range of Multicast IP Addresses.
Destination Interface | gre_tunnel_ho – 5.5.5.2 | Select the Destination Interface from the list. You can select more than one destination interface.


Branch Office

Go to Network > Static Route > Multicast and click Add to add a new multicast route using the parameters given below. 
 
  

Parameter Description

Parameter | Value | Description
Source IPv4 Address | 172.16.16.2 | Specify the Source IP Address.
Source Interface | gre_tunnel_bo – 5.5.5.1 | Select the Source Interface from the list.
Multicast IPv4 Address | 225.0.0.1 | Specify the range of Multicast IP Addresses.
Destination Interface | PortA – 172.50.50.2 | Select the Destination Interface from the list. You can select more than one destination interface.


Note:

Make sure that Firewall Rules allowing traffic from LAN to VPN and vice versa are present. If they are not present, create them manually. They are necessary for the VPN connections to function properly.

The above configuration forwards all GRE traffic to the IPSec VPN connection between Head Office and Branch office.
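An added example (not Cyberoam code) that builds and parses the GRE-in-IPv4 framing the tunnel carries, using the article's addresses: a multicast datagram from the Media Server 172.16.16.2 to 225.0.0.1 is wrapped in a GRE header between the two WAN IPs, and a parser on the VPN path recovers the inner multicast destination. The UDP port and payload are constructed; the GRE outer endpoints being the WAN IPs is the reading implied by the Note under Step 1.

```python
import struct
from ipaddress import ip_address
from typing import Dict, Tuple

GRE_PROTO = 47            # IP protocol number for GRE
ETHERTYPE_IPV4 = 0x0800   # GRE protocol type for an IPv4 payload


def ip_checksum(hdr: bytes) -> int:
    """RFC 791 ones'-complement checksum; returns 0 for a valid header."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ip_address(src).packed, ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def parse_ipv4(pkt: bytes) -> Dict[str, object]:
    ver_ihl, _, total, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ip_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    return {"src": str(ip_address(src)), "dst": str(ip_address(dst)),
            "proto": proto, "ttl": ttl, "payload": pkt[ihl:total]}


def gre_encapsulate(inner: bytes, outer_src: str, outer_dst: str) -> bytes:
    """RFC 2784 GRE with no C/K/S flags: 4-byte header (flags+version, ethertype)."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)
    return ipv4_header(outer_src, outer_dst, GRE_PROTO, len(gre) + len(inner)) + gre + inner


def gre_decapsulate(pkt: bytes) -> Tuple[Dict[str, object], Dict[str, object]]:
    """Return (outer, inner) headers; refuses non-GRE or flagged/keyed GRE."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != GRE_PROTO:
        raise ValueError("not GRE")
    flags_ver, ptype = struct.unpack("!HH", outer["payload"][:4])
    if flags_ver & 0xB000 or flags_ver & 0x0007:      # C, K or S set, or version != 0
        raise ValueError("unsupported GRE flags/version")
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("unsupported inner protocol type 0x%04x" % ptype)
    return outer, parse_ipv4(outer["payload"][4:])


def media_server_datagram(payload: bytes = b"\x00" * 8) -> bytes:
    """Constructed multicast UDP datagram from the Media Server 172.16.16.2 to
    225.0.0.1 (port 5004 is arbitrary, not from the article)."""
    udp = struct.pack("!HHHH", 5004, 5004, 8 + len(payload), 0) + payload
    return ipv4_header("172.16.16.2", "225.0.0.1", 17, len(udp), ttl=16) + udp


def tunneled_from_ho(inner: bytes) -> bytes:
    """What leaves the HO appliance toward the BO: the outer header runs
    between the two WAN IPs (5.5.5.x are the tunnel interface addresses, not
    the outer header), which is why the Note under Step 1 wants both WAN IPs
    inside the IPSec selectors."""
    return gre_encapsulate(inner, "202.134.168.202", "202.134.168.208")


def summarize(pkt: bytes) -> Dict[str, object]:
    """Defender-side view of a GRE frame captured on the VPN path."""
    outer, inner = gre_decapsulate(pkt)
    return {"outer": (outer["src"], outer["dst"]),
            "inner": (inner["src"], inner["dst"], inner["proto"]),
            "multicast": ip_address(str(inner["dst"])).is_multicast}


if __name__ == "__main__":
    print(summarize(tunneled_from_ho(media_server_datagram())))
```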


                                                                                                                                                                           



Document Version: 2.1 – 4 June, 2014
1.4.13. Create Hub and Spoke IPSec VPN Network with Super Net

Applicable Version: 10.00 onwards
 
Overview
 
A Hub and Spoke VPN Network is set up in organizations which desire centralized control over all its branch offices. In this network setup, the Head Office acts as the Hub and the Branch Offices act as Spokes. All VPN tunnels from Branch Offices terminate at this hub, which acts as a concentrator. Site-to-site connections between spokes do not exist. Traffic originating from one spoke and destined for another spoke has to go via the hub.

Scenario

Configure Cyberoam Appliances in a Hub and Spoke IPSec VPN Network between the Head Office in New York and Branch Offices in Houston and Dallas as shown below.
 
 
 
  

Network Schema

Office | LAN Network | WAN IP Address
New York HO | 192.168.1.0/24 | 202.11.11.11
Houston BO | 192.168.2.0/24 | 202.10.10.10
Dallas BO | 192.168.3.0/24 | 202.12.12.12



Configuration

In this article, we have placed all the 3 networks, New York (192.168.1.0/24), Houston (192.168.2.0/24) and Dallas (192.168.3.0/24) under a single Super Net (192.168.0.0/16). This enables ease of maintenance of all the 3 networks.

The configuration of Cyberoam Appliances at New York, Houston and Dallas is given below. All configurations are to be done from Web Admin Console of respective appliances.


Houston Branch Office (Spoke)

Configure a site-to-site IPSec VPN connection between Houston (Spoke) and New York (Hub) by following the steps given below. In this article, we have used the following parameters to create the VPN connection.
 
 

Network Parameters

Local Network details
-   Local Server (WAN IP address) – 202.10.10.10
-   Local LAN address – 192.168.2.0/24
-   Local ID – john@elitecore.com

Remote Network details
-   Remote VPN server (Hub IP address) – 202.11.11.11
-   Remote LAN Network – 192.168.0.0/16 (Supernet of all the networks)
-   Remote ID – dean@elitecore.com



Step 1: Create IPSec Connection
 
Add Connection

To create a new IPSec connection, go to VPN > IPSec > Connection and click Add. Create the connection using the following parameters.
 
 
 

Parameter Description

Parameter | Value | Description
Name | Houston_to_NY | Name to identify the IPSec Connection
Connection Type | Site to Site | Select the type of connection. Available options: Remote Access, Site to Site, Host to Host
Policy | DefaultBranchOffice | Select the policy to be used for the connection
Action on VPN Restart | Initiate | Select the action for the connection. Available options: Respond Only, Initiate, Disable
Authentication details
Authentication Type | Preshared Key | Select the Authentication Type. Authentication of the user depends on the connection type.
Preshared Key | 123456789 | The preshared key should be the same as that configured at the remote site.
Endpoints Details
Local | PortB – 202.10.10.10 | Select the local port which acts as the endpoint of the tunnel
Remote | 202.11.11.11 | Specify the IP address of the remote endpoint.
Local Network Details
Local Subnet | 192.168.2.0/24 | Select the Local LAN Address. Add and remove LAN addresses using the Add and Remove buttons
Remote Network Details
Remote LAN Network | 192.168.0.0/16 (Supernet of all 3 networks) | Select the Remote LAN Address. Add and remove LAN addresses using the Add and Remove buttons


Click OK to create IPSec connection.
 

Step 2: Activate Connection

On clicking OK, the following screen is displayed showing the connection created above.

 
 
 
Click the icon under Status (Active) to activate the connection.
 
 
  
 

Dallas Branch Office (Spoke)

Configure a site-to-site IPSec VPN connection between Dallas (Spoke) and New York (Hub) by following the steps given below. In this article, we have used the following parameters to create the VPN connection.
 
 

Network Parameters

Local Network details
-   Local Server (WAN IP address) – 202.12.12.12
-   Local LAN address – 192.168.3.0/24
-   Local ID – mathew@elitecore.com

Remote Network details
-   Remote VPN server (Hub IP address) – 202.11.11.11
-   Remote LAN Network – 192.168.0.0/16 (Supernet of all the networks)
-   Remote ID – dean@elitecore.com




Step 1: Create IPSec Connection

Add Connection

To create a new IPSec connection, go to VPN > IPSec > Connection and click Add. Create the connection using the following parameters.
 
 
 

Parameter Description

Parameter | Value | Description
Name | Dallas_to_NY | Name to identify the IPSec Connection
Connection Type | Site to Site | Select the type of connection. Available options: Remote Access, Site to Site, Host to Host
Policy | DefaultBranchOffice | Select the policy to be used for the connection
Action on VPN Restart | Initiate | Select the action for the connection. Available options: Respond Only, Initiate, Disable
Authentication details
Authentication Type | Preshared Key | Select the Authentication Type. Authentication of the user depends on the connection type.
Preshared Key | 123456789 | The preshared key should be the same as that configured at the remote site.
Endpoints Details
Local | PortB – 202.12.12.12 | Select the local port which acts as the endpoint of the tunnel
Remote | 202.11.11.11 | Specify the IP address of the remote endpoint.
Local Network Details
Local Subnet | 192.168.3.0/24 | Select the Local LAN Address. Add and remove LAN addresses using the Add and Remove buttons
Remote Network Details
Remote LAN Network | 192.168.0.0/16 (Supernet of all 3 networks) | Select the Remote LAN Address. Add and remove LAN addresses using the Add and Remove buttons


Click OK to create IPSec connection.
 

Step 2: Activate Connection

On clicking OK, the following screen is displayed showing the connection created above.
 
 
 
 
Click the icon under Status (Active) to activate the connection.
 
 
 

Note:

If there is more than one connection between 2 gateways, where each connection uses a different authentication mode, at a time only one connection can remain active.
 

New York Head Office (Hub)

Configure site-to-site IPSec VPN connections between New York (Hub) and Dallas (Spoke), and New York (Hub) and Houston (Spoke) by following the steps given below.
 

Step 1: Create IPSec VPN Connection with Houston BO 

Add Connection

To create a new IPSec connection, go to VPN > IPSec > Connection and click Add. Create the connection using the following parameters.
  
 
 

Parameter Description

Parameter | Value | Description
Name | NY_to_Houston | Name to identify the IPSec Connection
Connection Type | Site to Site | Select the type of connection. Available options: Remote Access, Site to Site, Host to Host
Policy | DefaultHeadOffice | Select the policy to be used for the connection
Action on VPN Restart | Respond Only | Select the action for the connection. Available options: Respond Only, Initiate, Disable
Authentication details
Authentication Type | Preshared Key | Select the Authentication Type. Authentication of the user depends on the connection type.
Preshared Key | 123456789 | The preshared key should be the same as that configured at the remote site.
Endpoints Details
Local | PortB – 202.11.11.11 | Select the local port which acts as the endpoint of the tunnel
Remote | 202.10.10.10 | Specify the IP address of the remote endpoint.
Local Network Details
Local Subnet | 192.168.0.0/16 (Supernet of all 3 networks) | Select the Local LAN Address. Add and remove LAN addresses using the Add and Remove buttons
Remote Network Details
Remote LAN Network | 192.168.2.0/24 | Select the Remote LAN Address. Add and remove LAN addresses using the Add and Remove buttons


Click OK to create IPSec connection.

Activate Connection

On clicking OK, the following screen is displayed showing the connection created above.
 
 
 
 
Click the icon under Status (Active) to activate the connection.
 
 
 

Step 2: Create IPSec VPN Connection with Dallas BO 

Add Connection

To create a new IPSec connection, go to VPN > IPSec > Connection and click Add. Create the connection using the following parameters.
 
 
 

Parameter Description

Parameter | Value | Description
Name | NY_to_Dallas | Name to identify the IPSec Connection
Connection Type | Site to Site | Select the type of connection. Available options: Remote Access, Site to Site, Host to Host
Policy | DefaultHeadOffice | Select the policy to be used for the connection
Action on VPN Restart | Respond Only | Select the action for the connection. Available options: Respond Only, Initiate, Disable
Authentication details
Authentication Type | Preshared Key | Select the Authentication Type. Authentication of the user depends on the connection type.
Preshared Key | 123456789 | The preshared key should be the same as that configured at the remote site.
Endpoints Details
Local | PortB – 202.11.11.11 | Select the local port which acts as the endpoint of the tunnel
Remote | 202.12.12.12 | Specify the IP address of the remote endpoint.
Local Network Details
Local Subnet | 192.168.0.0/16 (Supernet of all 3 networks) | Select the Local LAN Address. Add and remove LAN addresses using the Add and Remove buttons
Remote Network Details
Remote LAN Network | 192.168.3.0/24 | Select the Remote LAN Address. Add and remove LAN addresses using the Add and Remove buttons


Activate Connection

On clicking OK, the following screen is displayed showing the connection created above.
 
 
 
 
Click the icon under Status (Active) to activate the connection.
 
 
  

Step 3: Add Firewall Rule to allow VPN Traffic

To create the firewall rule, go to Firewall > Rule > Rule and click Add. Create the rule using following parameters.
 
 
 

Parameter Description

 
 
 

Click OK to create the firewall rule.

Step 4: Establish connections

Once all Cyberoam Appliances at the Head and Branch Offices are configured, establish the connections between them. Click the icon under Status (Connection) to establish each connection.
 
 
 

Note:

Make sure that Firewall Rules allowing traffic from LAN to VPN and vice versa are present. If they are not present, create them manually. They are necessary for the VPN connections to function properly.
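An added example (not Cyberoam code) that traces a spoke-to-spoke flow through the hub using exactly the Local Subnet / Remote LAN Network values configured above, and lists where the /16 supernet also covers a spoke's own LAN. It models traffic-selector matching only, not IKE negotiation or firewall rules; the host addresses are constructed.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# (Local Subnet, Remote LAN Network) per IPSec connection, as configured
# in the tables above; the site each connection lives on is in SITE.
CONNECTIONS: Dict[str, Tuple[List[str], List[str]]] = {
    "Houston_to_NY": (["192.168.2.0/24"], ["192.168.0.0/16"]),
    "Dallas_to_NY":  (["192.168.3.0/24"], ["192.168.0.0/16"]),
    "NY_to_Houston": (["192.168.0.0/16"], ["192.168.2.0/24"]),
    "NY_to_Dallas":  (["192.168.0.0/16"], ["192.168.3.0/24"]),
}
SITE = {"Houston_to_NY": "Houston", "Dallas_to_NY": "Dallas",
        "NY_to_Houston": "New York", "NY_to_Dallas": "New York"}
NY_LAN = ip_network("192.168.1.0/24")


def selects(conn: str, src: str, dst: str) -> bool:
    """Traffic selector check: src in a local subnet and dst in a remote one."""
    local, remote = CONNECTIONS[conn]
    s, d = ip_address(src), ip_address(dst)
    return (any(s in ip_network(n) for n in local)
            and any(d in ip_network(n) for n in remote))


def tunnels_at(site: str) -> List[str]:
    return [c for c, s in SITE.items() if s == site]


def path(src: str, dst: str, src_site: str) -> List[str]:
    """Tunnels a packet traverses.  Spoke-to-spoke traffic rides the spoke's
    tunnel to the hub (the /16 remote selector admits every office), is
    decrypted there, and is re-matched against the hub's own connections to
    reach the other spoke.  Returns [] when no selector admits the packet."""
    first = [c for c in tunnels_at(src_site) if selects(c, src, dst)]
    if not first:
        return []
    hops = [first[0]]
    if ip_address(dst) in NY_LAN:          # destined for the hub's own LAN
        return hops
    second = [c for c in tunnels_at("New York") if selects(c, src, dst)]
    return hops + second[:1] if second else []


def supernet_overlaps(conn: str) -> List[str]:
    """Local subnets that the remote selector also covers.  With a /16 as
    Remote LAN Network, each spoke's own /24 lies inside it; this lists what
    to verify is not being steered into the tunnel for local destinations."""
    local, remote = CONNECTIONS[conn]
    return [n for n in local
            if any(ip_network(n).subnet_of(ip_network(r)) for r in remote)]


if __name__ == "__main__":
    print(path("192.168.2.10", "192.168.3.10", "Houston"))   # Houston -> hub -> Dallas
    print(path("192.168.2.10", "192.168.1.10", "Houston"))   # Houston -> hub only
    print(path("192.168.2.10", "10.0.0.5", "Houston"))       # not admitted
    print({c: supernet_overlaps(c) for c in CONNECTIONS})
```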
 
                                                                                                                                                                                                                                       
Document Version: 3.1 - 18 February, 2015
1.4.14. Configure Syslog over VPN

Applicable Version: 10.00 onwards
 
Overview
 
Cyberoam provides extensive logging capabilities for traffic, system and network protection functions. Detailed log information and reports provide historical as well as current analysis of network activity to help identify security issues and reduce network misuse and abuse.

Once you have configured Cyberoam to send logs to an external syslog server, Cyberoam forwards logs to the syslog server in a specific format. Cyberoam UTM provides a reporting module to clients via an external syslog server, as well as via the i-view software or any other third-party Syslog Server.

Syslog over VPN gives you the flexibility to have centralized reporting for all the branch offices at head office. It offers you the architecture for centralized reporting in a secure manner via VPN.

Scenario  

The network diagram below shows how Cyberoam is deployed in the network.
 

The table below shows configuration parameters where the Syslog Server at the Head Office would receive syslogs from LAN of Branch Office:

Branch Office | Head Office
Cyberoam WAN IP address – 192.168.20.178 | Cyberoam WAN IP address – 192.168.20.111
LAN – 172.16.2.0 | LAN – 172.16.1.0
 | Syslog Server – 172.16.1.5


Pre-requisites

A Site-to-Site VPN Tunnel, for example SyslogoverVPN, needs to be configured between the Head Office and the Branch Office.

Configuration 

Follow the steps mentioned below to configure Syslog over VPN in Cyberoam. You must be logged on to the Web Admin Console of Head Office (HO) Cyberoam as an administrator with Read-Write permission for relevant feature(s).

Step 1: Configure Syslog Server

Go to Logs & Reports > Configuration > Syslog Servers and click Add to add Syslog Server as per parameters below. 

Parameters | Value | Description
Name | Syslog | Specify a unique name for the syslog server
IP Address | 172.16.1.5 | Specify the IP address of the syslog server. Messages from the appliance will be sent to the server
Port | 514 | Specify the port number for communication with the syslog server. The appliance will send messages using the configured port. Default: 514
Facility | DAEMON | Select the syslog facility for log messages to be sent to the syslog server. Available options: DAEMON – Daemon logs (information on services running in the appliance as daemons); KERNEL – Kernel log; LOCAL0 – LOCAL7 – Log level information; USER – Logging on the basis of users who are connected to the server
Severity Level | Debug | Specify the severity level of logged messages. The severity level is the severity of the message that has been generated. Available options: EMERGENCY – System is not usable; ALERT – Action must be taken immediately; CRITICAL – Critical condition; ERROR – Error condition; WARNING – Warning condition; NOTICE – Normal but significant condition; INFORMATION – Informational; DEBUG – Debug-level messages
Format | CyberoamStandardFormat | The appliance produces logs in the specified format. The appliance currently produces logs in its own standard format.


Click OK to save syslog server.


Step 2: Enable Syslog

Once the server is added, configure which logs are sent to it.

Go to Logs & Reports > Configuration > Log Settings. For each log type to be recorded, enable the log and select the syslog server as its logging location. Multiple syslog servers can be configured and different logs can be sent to different servers.

Log messages originate from the appliance itself, not from a LAN host, so by default they would leave with the WAN address as source and would not match the tunnel's local subnet. The traffic must therefore be routed into the tunnel and given a source address inside the Branch Office LAN. Do this from the CLI:


1.    Log on to the CLI Console via Telnet or SSH. You can also access the CLI Console by clicking Console on the upper right corner of the Web Admin Console screen.

       Note: 

       From firmware version 10.6.1 onwards, the Console button is visible to the Super Administrator ONLY.

2.    Choose option 4. Cyberoam Console.

3.    Execute the following command to route traffic to the Syslog Server over the IPSec tunnel: 

      console> cyberoam ipsec_route add host 172.16.1.5 tunnelname SyslogoverVPN 

       Where:

       Syslog Server IP – 172.16.1.5

       VPN Tunnel name – SyslogoverVPN

4.    Execute the following command to NAT Cyberoam-generated traffic so that it leaves with a source address inside the tunnel's local subnet:

       console> set advanced-firewall cr-traffic-nat add destination 172.16.1.5 snatip 172.16.2.1

       Where:

       Syslog Server IP – 172.16.1.5

       SNAT IP (LAN Interface of Branch Office) – 172.16.2.1

 

 

The configuration above sends syslog traffic from the Branch Office Cyberoam, through the IPSec tunnel, to the Syslog Server in the Head Office LAN.
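To confirm that the Syslog Server at the Head Office actually receives messages through the tunnel, and to see what the Facility and Severity selections above mean on the wire, the following Python script is an added example; it is not part of the original article or of the appliance software. It encodes a facility/severity pair into the RFC 3164 PRI header (DAEMON with DEBUG gives <31>), sends a constructed test message over UDP to the server address and port from the article, and decodes the header of a received line back into names. It assumes the appliance's own messages begin with a standard <PRI> header; verify that against a message captured on the server. Run it from a host in the Branch Office LAN (172.16.2.0/24), which reaches 172.16.1.5 through the same tunnel.

```python
import socket

# RFC 3164 facility and severity codes for the options offered in the
# appliance's Syslog Server form. PRI = facility * 8 + severity.
FACILITIES = {"KERNEL": 0, "USER": 1, "DAEMON": 3}
FACILITIES.update({f"LOCAL{i}": 16 + i for i in range(8)})
SEVERITIES = {"EMERGENCY": 0, "ALERT": 1, "CRITICAL": 2, "ERROR": 3,
              "WARNING": 4, "NOTICE": 5, "INFORMATION": 6, "DEBUG": 7}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
SEVERITY_NAMES = {v: k for k, v in SEVERITIES.items()}

# Constructed sample of what a forwarded line should look like on the server.
SAMPLE_RECEIVED = "<31>Jan 12 10:00:00 cyberoam-bo sslvpn: tunnel established"


def pri(facility, severity):
    """PRI value for a facility/severity pair, e.g. DAEMON + DEBUG -> 31."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def forwarded(message_severity, configured_level):
    """Standard syslog threshold semantics: lower numbers are more severe,
    so a configured level of DEBUG (7) forwards everything and EMERGENCY (0)
    only the most severe messages."""
    return SEVERITIES[message_severity] <= SEVERITIES[configured_level]


def build_message(facility, severity, hostname, tag, text, when=None):
    """Compose an RFC 3164 line: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG.
    The day is space-padded as the RFC timestamp format requires."""
    from datetime import datetime
    when = when or datetime.now()
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{pri(facility, severity)}>{stamp} {hostname} {tag}: {text}"


def decode_pri(line):
    """Split a received line into (facility, severity, rest). Raises
    ValueError if there is no <PRI> header or the facility is not one the
    appliance form offers."""
    if not line.startswith("<") or ">" not in line:
        raise ValueError("line has no <PRI> header")
    end = line.index(">")
    fac_code, sev_code = divmod(int(line[1:end]), 8)
    if fac_code not in FACILITY_NAMES:
        raise ValueError(f"unexpected facility code {fac_code}")
    return FACILITY_NAMES[fac_code], SEVERITY_NAMES[sev_code], line[end + 1:]


def send_test_message(server="172.16.1.5", port=514):
    """Send one constructed test line over UDP and return it, so the server's
    log can be searched for exactly that text."""
    line = build_message("DAEMON", "DEBUG", "bo-testhost", "syslog-over-vpn",
                         "tunnel reachability check")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(line.encode("ascii"), (server, port))
    return line


if __name__ == "__main__":
    sent = send_test_message()
    print("sent:   ", sent)
    print("decoded:", decode_pri(sent))
    print("sample: ", decode_pri(SAMPLE_RECEIVED))
```

If the test line arrives but the appliance's own messages do not, the problem is specific to appliance-generated traffic: re-check the ipsec_route and the cr-traffic-nat entry from Step 2, since a LAN host's packets already match the tunnel's local subnet and need neither.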
 
 
 
 
 
 
 
                                                                                                                              Document version: 2.0 - 20 February, 2015

 

 
1.4.15. Configure GRE Tunnel on Cyberoam


Applicable Version: 10.00 onwards

Overview

Generic Routing Encapsulation (GRE) is a simple IP packet encapsulation protocol. GRE tunnels are mainly used to carry other routed protocols across a predominantly IP network: only IP needs to be routed between the tunnel endpoints, which reduces the network administrator's work, and non-IP protocols such as IPX and AppleTalk are tunnelled through the IP core. GRE itself provides neither encryption nor authentication; if the tunnelled traffic is sensitive, carry the GRE tunnel inside an IPSec connection.
Generally, GRE tunnels are used in the following scenarios:
 
·         To carry Multicast traffic just like real network interface traffic.
·         To carry non-routable protocol traffic like NetBIOS or non-IP traffic over IP network.
·         To link two similar networks which are connected with different IP addressing. 

Scenario

Create a GRE tunnel between a Head Office network and a Branch Office network. The clients at the Branch Office are to connect to the WINS Server at the Head Office over NetBIOS, essentially for name registration and resolution. The network scenario is described in the diagram below.
 

Note:

 

GRE tunnel cannot be configured on Dynamic WAN interfaces such as PPPoE and DHCP. 
 
 
 
Configuration

To create the GRE Tunnel between the Head Office Network and the Branch Office Network, follow the steps given below. Configuration is to be done from Cyberoam CLI using administrative access both in the Head Office and the Branch Office.
 

Step 1: Create GRE Tunnel 

·         Login to the CLI using Telnet/SSH.

·         Select Option 4. Cyberoam Console to access the CLI.

·         Create the GRE Tunnel between the two sites by executing the following command. 

     Head Office:
 
    console> cyberoam gre tunnel add name Cyberoam_GRE local-gw PortB remote-gw 202.134.168.208 local-ip 5.5.5.2 remote-ip 5.5.5.1
 
     Branch Office:
 
    console> cyberoam gre tunnel add name Cyberoam_GRE local-gw PortB remote-gw 202.134.168.202 local-ip 5.5.5.1 remote-ip 5.5.5.2
 
 
 
 
Step 2: Configure GRE Route
 
Configure GRE route to define traffic between the two sites.

Head Office:
 
console> cyberoam gre route add net 172.50.50.0/255.255.255.0 tunnelname Cyberoam_GRE 
 
 
 
Branch Office:
 
console> cyberoam gre route add host 172.16.16.2 tunnelname Cyberoam_GRE 
 
 
 
You can view the GRE Tunnel configuration with the following command:

console> cyberoam gre tunnel show
 
 
 
 
Step 3: Add Firewall Rules
 
Add VPN-LAN and LAN-VPN Firewall Rules on both HO and BO Cyberoam to allow GRE traffic. To create Firewall Rule, go to Firewall > Rule > Rule and create new firewall rules as shown below.
 
  
 
The above configuration creates a GRE Tunnel between the HO Cyberoam and the BO Cyberoam.
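The two tunnel commands must mirror each other exactly: each side's remote-gw is the other side's WAN address, and local-ip/remote-ip are swapped. Transcription errors here are a common cause of a tunnel that shows as configured but passes nothing. The following Python script is an added example, not part of the article or the appliance software: it derives both sides' tunnel and route commands from one description of the two sites and checks the pair for the mistakes that break GRE, including a route that would send the tunnel's own outer packets back into the tunnel (recursive routing). The WAN addresses 202.134.168.202 (HO) and 202.134.168.208 (BO) are taken from the remote-gw values above; the /30 tunnel subnet is an assumption of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

TUNNEL_NAME = "Cyberoam_GRE"


@dataclass
class Site:
    name: str
    wan_port: str       # local-gw: interface that carries the encapsulated packets
    wan_ip: str         # public address of that interface (the peer's remote-gw)
    tunnel_ip: str      # local-ip: this end's address on the GRE tunnel
    reaches: List[str]  # destinations at the other site, routed via the tunnel


# Values from the article; each WAN IP is the remote-gw the peer points at.
HO = Site("Head Office", "PortB", "202.134.168.202", "5.5.5.2", ["172.50.50.0/24"])
BO = Site("Branch Office", "PortB", "202.134.168.208", "5.5.5.1", ["172.16.16.2/32"])


def tunnel_command(local, remote, name=TUNNEL_NAME):
    """'gre tunnel add' as typed on the local appliance."""
    return (f"cyberoam gre tunnel add name {name} local-gw {local.wan_port} "
            f"remote-gw {remote.wan_ip} local-ip {local.tunnel_ip} "
            f"remote-ip {remote.tunnel_ip}")


def route_commands(site, name=TUNNEL_NAME):
    """One 'gre route add' per destination; a /32 becomes a host route."""
    cmds = []
    for dest in site.reaches:
        net = ipaddress.ip_network(dest)
        if net.prefixlen == 32:
            cmds.append(f"cyberoam gre route add host {net.network_address} tunnelname {name}")
        else:
            cmds.append(f"cyberoam gre route add net {net.network_address}/{net.netmask} tunnelname {name}")
    return cmds


def validate(a, b, tunnel_prefixlen=30):
    """Return a list of problems with the pair; an empty list means consistent."""
    problems = []
    if a.wan_ip == b.wan_ip:
        problems.append("both sites have the same WAN IP")
    if a.tunnel_ip == b.tunnel_ip:
        problems.append("both tunnel ends have the same local-ip")
    tunnel_net = ipaddress.ip_interface(f"{a.tunnel_ip}/{tunnel_prefixlen}").network
    if ipaddress.ip_address(b.tunnel_ip) not in tunnel_net:
        problems.append(f"tunnel addresses are not within one /{tunnel_prefixlen}")
    for site, peer in ((a, b), (b, a)):
        for dest in site.reaches:
            net = ipaddress.ip_network(dest)
            # Outer GRE packets are addressed to peer.wan_ip; if that address is
            # itself routed into the tunnel, encapsulation recurses and the tunnel dies.
            if ipaddress.ip_address(peer.wan_ip) in net:
                problems.append(f"{site.name}: route {dest} covers the peer WAN IP (recursive routing)")
            if ipaddress.ip_address(site.tunnel_ip) in net:
                problems.append(f"{site.name}: route {dest} covers its own tunnel address")
    return problems


def render(a, b):
    """Full CLI for both ends after validation; raises on an inconsistent pair."""
    problems = validate(a, b)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        a.name: [tunnel_command(a, b)] + route_commands(a),
        b.name: [tunnel_command(b, a)] + route_commands(b),
    }


if __name__ == "__main__":
    for site_name, cmds in render(HO, BO).items():
        print(f"{site_name}:")
        for cmd in cmds:
            print("  console>", cmd)
```

Paste each side's output into that side's console; if validate() reports anything, fix the site definition before touching the appliances.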





                                                                                                                                                            Document Version: 2.2 – 3 July, 2014
 
 
 
 
1.4.16. Configure VPN Failover and Failback in Cyberoam

Applicable Version: 10.00 onwards

Overview

Cyberoam VPN Connection Failover provides an automatic backup connection for VPN traffic, giving Always ON VPN connectivity for IPSec and L2TP connections.

 

A VPN tunnel allows you to access remote servers and applications securely. With VPN auto failover, the VPN connection is re-established over the remaining link when one of the two WAN connections drops. The solution achieves a failover latency of a few seconds by constantly monitoring the link and switching over as soon as a failure is detected.

 

VPN Failover and Failback advantages:

 

·        Reduce the possibility of a single point of failure.

·        Reduce the reliance on manual intervention to establish new connection.

·        Reduce the failover time of a VPN connection with redundant VPN tunnels and VPN monitoring.

 

Cyberoam implements failover using VPN connection Group.

 

A VPN group is a set of VPN tunnel configurations. The Phase 1 and Phase 2 security parameters for each connection in a group can be different or identical except for the IP address of the remote gateway. The order of connections in the Group defines fail over priority of the connection.

 

A connection included in the Group must be activated and manually connected once before it participates in failover. A connection that is manually disconnected does not fail over to the subsequent connection.

 

When the primary connection fails, the subsequent active connection in the Group takes over without manual intervention and keeps traffic moving. The entire process is transparent to users.

 

Cyberoam considers connection as failed connection if:

 

·        Remote peer does not reply - for Net to Net and Host to Host connection.

·        Local Gateway fails – for Road warrior connection.

Prerequisites

1.    Packets of the protocol specified in the failover condition, and their replies, must be allowed between the local and remote appliances at both ends.

2.    One connection can be included in one Group only.

3.    Connection must be ACTIVE to participate in failover.

 

Cyberoam VPN failover can be deployed in any number of possible configurations and support remote/branch offices to seamlessly establish a VPN connection to a secondary gateway, should the connection to the primary gateway be terminated, allowing for continuous uptime.

 

Scenario

 

Set up VPN redundant tunnel in network with multiple gateways


This article gives a detailed configuration example that demonstrates how to set up a redundant IPSec VPN tunnel that uses preshared keys for authentication.

 

The following sections are included:

 

·        Configuring Connections at Head office

·        Configuring Connections at Branch office

·        Configuring failover group at Branch office

·        Failover conditions

 

In the example and throughout the article, the IP addresses below are assigned to the Cyberoam appliances deployed at the head office and the branch. Follow the steps to set up the redundant VPN tunnel (failover) configuration between the Houston branch (Cyberoam_BO) and the New York head office (Cyberoam_HO) network. 


IP addressing scheme

 

New York office (Cyberoam_HO)
  LAN IP address: 10.10.10.0/24
  WAN IP address: 192.168.1.1 (Gateway 1)
  WAN IP address: 192.168.2.1 (Gateway 2)

Spoke 1 – Houston Branch (Cyberoam_BO)
  LAN IP address: 10.10.20.0/24
  WAN IP address: 192.168.3.1 (Gateway 3)
  WAN IP address: 192.168.4.1 (Gateway 4)

  

 

 

Configuration

 

You must be logged on to the Web Admin Console as an administrator with Read-Write permission for relevant feature(s).

Step 1: Configure Connection at New York

Create IPSec connection on New York (Cyberoam_HO).

 

As each Cyberoam is configured with 2 gateways, we create a total of 4 tunnels/connections, i.e. 2 tunnels per gateway. 

 

·        Connection 1: Establishing tunnel between Gateway 1 and Gateway 3 of Houston branch 

·        Connection 2: Establishing tunnel between Gateway 1 and Gateway 4 of Houston branch 

·        Connection 3: Establishing tunnel between Gateway 2 and Gateway 3 of Houston branch 

·        Connection 4: Establishing tunnel between Gateway 2 and Gateway 4 of Houston branch


Refer to the article Establish Site-to-Site IPSec Connection using Preshared key to create each Site-to-Site IPSec Connection.

 

Step 2: Configure Connection at Houston branch

Create the IPSec connections on the Houston branch (Cyberoam_BO).

 

Similarly, create the following tunnels/connections. 

 

·        Connection 1: Establishing tunnel between Gateway 3 and Gateway 1 of New York  

·        Connection 2: Establishing tunnel between Gateway 3 and Gateway 2 of New York 

·        Connection 3: Establishing tunnel between Gateway 4 and Gateway 1 of New York  

·        Connection 4: Establishing tunnel between Gateway 4 and Gateway 2 of New York  


Step 3: Configure VPN failover group

 

Go to VPN > IPSec > Connection to add the failover group for the New York – Houston connections and its failover conditions. Click Add Failover Group to add a new group.

 

Connection Group Details

Name: NY_HOU_grp
    Name to identify the failover group.

Select Connections

Member Connections (in this order):
    Gateway3_Gateway2
    Gateway3_Gateway1
    Gateway4_Gateway1
    Gateway4_Gateway2

    The Available Connections list shows the connections that can be added to the failover group. Click a connection to move it to the Member Connections list. If the primary connection fails, the appliance selects the next active connection from the Member Connections list.

    The top-down order of connections in the Member Connections list is the failover preference: if the primary connection fails, the very next connection in the list is used to keep the VPN traffic moving.

    Once a connection is included in any group, it is no longer shown in the Available Connections list.

    Remote Access connections are not listed in the Available Connections list.

    A group must have at least 2 member connections.

 

 
Failover Conditions

 

Initially, only one tunnel is active and established between the peers, over Gateway 3 and Gateway 2. All other tunnels are in standby mode.

 

Example: the WAN link on Gateway 2 at the New York office goes down.

 

As defined in the failover group, the second connection, Gateway 3 – Gateway 1, is connected and traffic is sent through this new tunnel.

 

Traffic is interrupted only for the duration of the failover to the standby connection, which takes between 10 and 15 seconds.
 

 

 

 

 

                                                                                                                                      Document Version: 1.1 – 19 February, 2015

1.4.17. Use VPN/MPLS as a Backup(MPLS Scenario)

Applicable Version:  10.00 onwards
 
Overview
 
Most of the companies have multiple branches and more often than not, a good network connectivity (Wide Area Network) across these branches is a must to accelerate the speed of business. Some of the popular options available for such geographically spread enterprises to connect with other branches and head office are Managed Leased Lines, MPLS (Multi Protocol Label Switching) VPN connectivity, VPN Over Internet Leased Lines, Satellite based VSAT systems and many more.
 
In order to safeguard against network connectivity outage, which entails business loss, organizations must ensure that they have alternative cost effective connectivity options that provide secure access.


Network Schema
 
Consider a hypothetical network where a VPN Link and an MPLS Link connect a Head Office (HO) and a Branch Office (BO).

Head Office:

The Head Office Cyberoam has been configured with Port A as LAN, Port B as WAN and Port D as DMZ. The MPLS link has been terminated on DMZ (Port D).

Cyberoam LAN IP: 192.168.1.254
Cyberoam WAN IP: 202.134.168.202
Cyberoam DMZ IP: 10.10.10.2 (Connected to HO MPLS Router)

Branch Office:

The Branch Office Firewall configured as follows:

LAN IP: 192.168.2.254
WAN IP: 202.134.168.206
DMZ IP: 5.5.5.2 (Connected to BO MPLS Router) 
 
MPLS Link

The MPLS Link has been configured as follows:

HO Router WAN IP: 12.12.12.1
HO Router DMZ IP: 10.10.10.1 (Connected to Cyberoam)
BO Router WAN IP: 11.11.11.1
BO Router DMZ IP: 5.5.5.1 (Connected to BO Firewall)
 
 
 
 
 
Scenario 1: VPN Link as a Backup for MPLS Link
 
Configure Cyberoam to failover to an IPSec VPN Link when the MPLS link fails. This is required to provide uninterrupted connectivity between the HO and BO. When the MPLS link comes up again, the status quo is restored.
 
 
Configuration
 
You can configure the failover to an IPSec link when the MPLS link fails by following the steps mentioned below.
 
Step 1: Configure IPSec Connection between HO and BO
 
Refer to the article How To - Establish Site-to-Site IPSec Connection using Preshared key for details on how to establish an IPSec VPN connection between HO and BO.
 
 
Step 2: Set IPSec Link as Backup to the MPLS Link
 
  Login to the Cyberoam CLI Console.

  Go to Option 4. Cyberoam Console and execute the following command.

    console> cyberoam link_failover add primarylink PortD backuplink vpn tunnel IPSec_Link monitor PING host 11.11.11.1
 
    Syntax:
 
     cyberoam link_failover add primarylink <Port on which MPLS is connected> backuplink vpn tunnel <Failover VPN link name on which traffic needs to be forwarded> monitor PING host <IP address of the remote device which needs to be monitored for failover>
 
     Note:
 
      -    Make sure that the IPSec connection is active and connected before configuring it as a backup link.
      -    You can also use TCP for monitoring the remote device. The syntax is:

           cyberoam link_failover add primarylink <Port on which MPLS is connected> backuplink vpn tunnel <Failover VPN link name on which traffic needs to be forwarded> monitor TCP host <IP address of the remote device which needs to be monitored for failover> port <port of the remote device which needs to be monitored for failover>
 

Step 3: Configure Static Route
 
Configure static routes so that all BO-destined traffic uses the MPLS Link while it is up.
 
1.   Configure Interface-based Routes which points to the remote network (192.168.2.0).
2.   Configure Gateway-based Route for monitoring IP (11.11.11.1). This route is necessary to monitor MPLS Link status and send monitoring packets over MPLS Link only. 
 
 
Configure Interface-based Route for Remote Network:
 
    Login to Cyberoam Web Admin Console using Administrator profile.

    Go to Network > Static Route > Unicast and click Add to add a static route using following parameters.


      Parameter Description

      Destination IP: 192.168.2.0
          Destination IP address (the BO LAN).

      Netmask: /24 (255.255.255.0)
          Subnet mask of the destination.

      Gateway: 10.10.10.1
          Gateway IP address (HO MPLS Router).

      Interface: PortD – 10.10.10.2
          Interface, selected from the list of physical interfaces, virtual sub-interfaces and aliases.


 
 
 
 
      Click OK to save the route.
 
 
Configure Gateway-based Route for Monitored MPLS Device
 
     Login to Cyberoam Web Admin Console using Administrator profile.

     Go to Network > Static Route > Unicast and click Add to add a static route using following parameters.

       Parameter Description

       Destination IP: 11.11.11.1
           Destination IP address (the monitored BO MPLS Router).

       Netmask: /32 (255.255.255.255)
           Subnet mask; a host route so that only the monitor target is affected.

       Gateway: 10.10.10.1
           Gateway IP address (HO MPLS Router).


 
 
 
 

       Click OK to save the route.


Step 4: Set Highest Priority for Static Routes

By default, VPN routes have the highest priority (Route Precedence) in Cyberoam, so while the IPSec link is up the BO-destined traffic would take the VPN rather than the MPLS Link. To give Static Routes priority over VPN routes:

•      Login to the Cyberoam CLI Console. 

       Go to Option 4. Cyberoam Console and execute the following command. 

       console> cyberoam route_precedence set static vpn   

The above configuration sets the VPN Link as a backup if the primary MPLS Link fails.


Scenario 2: MPLS Link as a Backup for VPN Link

Configure Cyberoam to failover to the MPLS Link when the primary VPN link fails. This is required to provide uninterrupted connectivity between the HO and BO. When the VPN link comes up again, the status quo is restored.

By default, Cyberoam gives higher precedence to VPN Routes over Static Routes. In other words, when a VPN Link is established, Cyberoam gives first preference to the VPN routes. If the VPN Link fails, the traffic is automatically redirected via the static routes for MPLS link. Hence, Cyberoam’s default behaviour favours this deployment and no additional configuration is required.

Note:

If the MPLS Link is configured on Non-WAN port, for example, between the LAN Port on HO and DMZ Port on BO, add the following IPSec Route from Cyberoam CLI.

console> cyberoam ipsec_route add net 192.168.2.0/255.255.255.0 tunnelname IPSec_Link

Re-establish the VPN tunnel after adding the IPSec Route.
 



                                                

                                                                                                                                                                                       Document Version: 2.2 – 7 May, 2015
 
 
1.4.18. Establish Site-to-Site IPSec Connection using Preshared key
Applicable Version: 10.00 onwards

Overview

IPSec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite. It is used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host).

 

Cyberoam’s IPSec VPN offers site-to-site VPN with cost-effective site-to-site remote connectivity, eliminating the need for expensive private remote access networks like leased lines, Asynchronous Transfer Mode (ATM) and Frame Relay. This article describes a detailed configuration example that demonstrates how to set up a site-to-site IPSec VPN connection between the two networks using preshared key to authenticate VPN peers.

Scenario

Configure a site-to-site IPSec VPN connection between Site A and Site B by following the steps given below. In this article, we have used the following parameters to create the VPN connection.
 

 

Network Parameters

Local Network details

Local Server (WAN IP address) – 14.15.16.17

Local LAN address – 10.5.6.0/24

Remote Network details

Remote VPN server (WAN IP address) – 22.23.24.25

Remote LAN Network – 172.23.9.0/24

 

 

Site A Configuration

The configuration is to be done from Site A’s Cyberoam Web Admin Console using profile having read-write administrative rights for relevant feature(s).

Step 1: Create IPSec Connection

To create a new IPSec connection, go to VPN > IPSec > Connection and click Add. Create the connection using the following parameters.
 
 

 

Parameter Description

Name: SiteA_to_SiteB
    Name to identify the IPSec Connection.

Connection Type: Site to Site
    Type of connection. Available options: Remote Access, Site to Site, Host to Host.

Policy: DefaultHeadOffice
    VPN policy to be used for the connection.

Action on VPN Restart: Respond Only
    Action taken for this connection when the VPN service restarts. Available options: Respond Only, Initiate, Disable.

Authentication details

Authentication Type: Preshared Key
    Select the authentication type. The available options depend on the connection type.

Preshared Key: 123456789
    Must be identical to the key configured at the remote site. The value shown is only a placeholder; use a long, random key in production.

Endpoints Details

Local: PortB - 14.15.16.17
    Local port that acts as the end-point of the tunnel.

Remote: 22.23.24.25
    IP address of the remote endpoint.

Local Network Details

Local Subnet: 10.5.6.0/24
    Local LAN address(es) reachable over the tunnel. Use the Add and Remove buttons to edit the list.

Remote Network Details

Remote LAN Network: 172.23.9.0/24
    Remote LAN address(es) reachable over the tunnel. Use the Add and Remove buttons to edit the list.

                                                 

 

 

Click OK to create IPSec connection. 

Step 2: Activate Connection

On clicking OK, the connection list is displayed showing the connection created above.

Click the icon under Status (Active) to activate the connection.
 
 
 

Site B Configuration
 

The configuration is to be done from Site B’s Cyberoam Web Admin Console using profile having read-write administrative rights for relevant feature(s).

Step 1: Create IPSec Connection

To create a new IPSec connection, go to VPN > IPSec > Connection and click Add. Create the connection using the following parameters.
 

 

Parameter Description

Name: SiteB_to_SiteA
    Name to identify the IPSec Connection.

Connection Type: Site to Site
    Type of connection. Available options: Remote Access, Site to Site, Host to Host.

Policy: DefaultBranchOffice
    VPN policy to be used for the connection.

Action on VPN Restart: Initiate
    Action taken for this connection when the VPN service restarts. Available options: Respond Only, Initiate, Disable.

Authentication details

Authentication Type: Preshared Key
    Select the authentication type. The available options depend on the connection type.

Preshared Key: 123456789
    Must be identical to the key configured at Site A. The value shown is only a placeholder; use a long, random key in production.

Endpoints Details

Local: PortB - 22.23.24.25
    Local port that acts as the end-point of the tunnel.

Remote: 14.15.16.17
    IP address of the remote endpoint.

Local Network Details

Local Subnet: 172.23.9.0/24
    Local LAN address(es) reachable over the tunnel. Use the Add and Remove buttons to edit the list.

Remote Network Details

Remote LAN Network: 10.5.6.0/24
    Remote LAN address(es) reachable over the tunnel. Use the Add and Remove buttons to edit the list.

        

Step 2: Activate and Establish Connection

On clicking OK, the connection list is displayed showing the connection created above.

Click the icons under Status (Active) and Status (Connection) to activate the connection and establish the tunnel.
 
 
 

The above configuration establishes an IPSec connection between Two (2) sites.

 

Note:


•   Make sure that Firewall Rules that allow LAN to VPN and VPN to LAN traffic are configured.
 
•   In a Head Office and Branch Office setup, usually the Branch Office acts as the tunnel initiator and the Head Office as the responder, for the following reasons:
    -   Branch Offices and other remote sites often have dynamic IPs, so the Head Office cannot initiate the connection to them.
    -   As there can be many Branch Offices, it is good practice for each Branch Office to retry its own connection rather than have the Head Office retry all of them, which reduces the load on the Head Office.
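The preshared key 123456789 used in the tables above is only a placeholder. With preshared-key authentication the key is the one secret protecting the tunnel: a short or guessable key can be attacked offline by anyone who captures the IKE exchange (IKE aggressive mode in particular sends the authentication hash unencrypted) and online by anyone who can reach the WAN port. The following Python script is an added example, not part of the article or the appliance: it generates a key of the kind that should be used at both sites instead, and flags the weaknesses a key such as 123456789 has. The 20-character and 128-bit thresholds are this example's choices, not appliance limits.

```python
import math
import secrets
import string

PUNCTUATION = set(string.punctuation)
PLACEHOLDERS = {"password", "cyberoam", "secret", "changeme"}  # illustrative list


def generate_psk(nbytes=32):
    """Random URL-safe key from the OS CSPRNG: 32 bytes -> 43 characters and
    256 bits of entropy, safe to paste into both ends' Preshared Key fields."""
    return secrets.token_urlsafe(nbytes)


def estimated_bits(psk):
    """Generous upper bound on entropy: length times log2 of the smallest
    character alphabet that could have produced the key. Sequential or
    dictionary keys are far weaker than this bound, so check for those too."""
    used = set(psk)
    alphabet = 0
    for chars in (string.ascii_lowercase, string.ascii_uppercase, string.digits):
        if used & set(chars):
            alphabet += len(chars)
    if used & PUNCTUATION:
        alphabet += len(PUNCTUATION)
    if used - set(string.printable):
        alphabet += 128  # non-ASCII characters: count generously
    return len(psk) * math.log2(alphabet) if alphabet else 0.0


def is_sequential(psk):
    """True for counting or alphabet runs such as 123456789 or abcdefgh,
    in either direction."""
    if len(psk) < 4:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(psk, psk[1:])}
    return steps in ({1}, {-1})


def check_psk(psk, min_len=20, min_bits=128):
    """Return the list of weaknesses found; an empty list means acceptable."""
    problems = []
    if len(psk) < min_len:
        problems.append(f"only {len(psk)} characters (minimum {min_len})")
    if psk.isdigit():
        problems.append("digits only")
    if is_sequential(psk):
        problems.append("sequential characters")
    if psk.lower() in PLACEHOLDERS:
        problems.append("common placeholder word")
    bits = estimated_bits(psk)
    if bits < min_bits:
        problems.append(f"about {bits:.0f} bits of entropy at best (minimum {min_bits})")
    return problems


if __name__ == "__main__":
    for candidate in ("123456789", generate_psk()):
        verdict = check_psk(candidate) or ["acceptable"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

Generate the key once, enter the same value in the Preshared Key field at Site A and Site B, and do not reuse it across tunnels: a compromised branch should not yield the key to every other branch's tunnel. The Show Preshared Key option (section 1.4.25) exposes the stored key in the Web Admin Console, so restrict who holds administrative access.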

 

 

 

 

      

                                                                                                                                                                 Document Version: 2.1 – 22 February, 2014
1.4.19. Same IPSec VPN Key is not getting registered in the Client after I formatted my laptop. How to resolve this?
Applicable Version: 10.00 onwards

In cases where the system is formatted, the IPSec VPN client settings are flushed.

 

To resolve this, you must send an email to support@cyberoam.com with the VPN Key to reset the IPSec VPN Key.

 

  

 

                                                             Document Version: 1.1 – 19 February, 2015

1.4.20. Even though IPSec Connection is active and connected, why is there no traffic passing through the tunnel?

Applicable Version: 10.00 onwards
 
This may happen due to a number of reasons. Given below are steps to troubleshoot the IPSec connection.
 
Step 1: Check IPSec Configuration
 
Go to VPN > IPSec > Connection and select the connection to check its configuration. In particular, check if the Local and Remote networks are configured correctly.
 
 
Step 2: Check if Firewall Rules are created to allow VPN Traffic
 
Go to Firewall > Rule > IPv4/IPv6 Rule and ensure that there are Firewall Rules that allow traffic from LAN to VPN and VPN to LAN, as shown below. 
 
 
 
If the rules are not present, create them.

Step 3: Check Priority of VPN and Static Routes

Check the priority of routes in Cyberoam. By default, VPN routes have higher priority than static routes. If static routes have been configured to take priority, a static route covering the remote network will carry the traffic instead of the tunnel: either delete those routes, or restore the route precedence.

You can check the priority of routes in Cyberoam by following the steps below.

1.    Log on to the CLI Console via Telnet or SSH. You can also access the CLI Console by clicking Console on the upper right corner of the Web Admin Console screen.

 

Note:

 

From firmware version 10.6.1 onwards, the Console button is visible to the Super Administrator ONLY. 

2. Choose option 4. Cyberoam Console.
 
3. Execute the following command to view the route precedence.
 
      console> cyberoam route_precedence show    
      
 
      If Static routes have higher priority than VPN routes, change the route precedence by executing the following command.
 
      console> cyberoam route_precedence set vpn static 
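Route precedence decides which route type is consulted first when a destination has both a static route (the MPLS path in section 1.4.17) and a VPN route. The following Python model is an added example, not the appliance's implementation: it walks the route types in the configured precedence order and, within a type, picks the longest matching prefix that is currently up, using the addresses from the MPLS scenario. It shows why the default vpn-first order needs no extra work when MPLS backs up the VPN, why Scenario 1 in 1.4.17 has to move static ahead of vpn, and why a static route outranking the tunnel produces exactly the "connected but no traffic" symptom this section troubleshoots. The up/down flag stands in for the appliance's link monitoring and tunnel state, which the model does not implement.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    kind: str            # "static" or "vpn"
    prefix: str          # destination, e.g. "192.168.2.0/24"
    via: str             # gateway IP (static) or tunnel name (vpn)
    up: bool = True      # False when the link or tunnel is down


# Constructed from the MPLS scenario's addressing, as seen from the HO appliance.
MPLS_ROUTES = [
    Route("static", "192.168.2.0/24", "10.10.10.1"),  # BO LAN via HO MPLS router on PortD
    Route("static", "11.11.11.1/32", "10.10.10.1"),   # monitored BO MPLS router, MPLS only
    Route("vpn", "192.168.2.0/24", "IPSec_Link"),     # BO LAN via the IPSec tunnel
]

DEFAULT_PRECEDENCE = ["vpn", "static"]   # appliance default described in the article
MPLS_PRIMARY = ["static", "vpn"]         # after 'cyberoam route_precedence set static vpn'


def lookup(dest: str, routes: List[Route], precedence: List[str]) -> Optional[Route]:
    """The first route type in precedence order that has an up route covering
    dest wins; within that type the longest prefix is chosen."""
    addr = ipaddress.ip_address(dest)
    for kind in precedence:
        matches = [r for r in routes
                   if r.kind == kind and r.up and addr in ipaddress.ip_network(r.prefix)]
        if matches:
            return max(matches, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen)
    return None


def next_hop(dest, routes, precedence):
    """Gateway or tunnel name that would carry a packet to dest, or None."""
    route = lookup(dest, routes, precedence)
    return route.via if route else None


def with_kind_down(routes, kind):
    """Copy of the table with every route of one type marked down: the tunnel
    dropped, or the MPLS port declared failed by link monitoring."""
    return [replace(r, up=False) if r.kind == kind else r for r in routes]


if __name__ == "__main__":
    host = "192.168.2.10"   # a host in the BO LAN
    print("default, all up:        ", next_hop(host, MPLS_ROUTES, DEFAULT_PRECEDENCE))
    print("static first, all up:   ", next_hop(host, MPLS_ROUTES, MPLS_PRIMARY))
    print("static first, MPLS down:", next_hop(host, with_kind_down(MPLS_ROUTES, "static"), MPLS_PRIMARY))
    print("default, VPN down:      ", next_hop(host, with_kind_down(MPLS_ROUTES, "vpn"), DEFAULT_PRECEDENCE))
    print("monitor IP, any order:  ", next_hop("11.11.11.1", MPLS_ROUTES, DEFAULT_PRECEDENCE))
```

The monitor address 11.11.11.1 has only a static /32, so monitoring probes always take the MPLS path regardless of precedence, which is what makes the link_failover check in 1.4.17 meaningful.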
 
      
 
 
Step 4: Ensure that Traffic from LAN Hosts passes through Cyberoam
 
Make sure that VPN-destined traffic from LAN Hosts reaches Cyberoam such that it can be forwarded over the VPN Tunnel.
 
Step 5: Ensure that there is No Routing Loop in the LAN network
 
Check the routing in the network and make sure that there are no Routing Loops.
 




                                                                                                                                                              
       Document Version: 1.1 – 2 February, 2015
1.4.21. How to configure Email Notifications for IPSec VPN up/down event?

Applicable Version: 10.04.0 Build 214 onwards

Cyberoam can be configured to notify the administrator via Email if any IPSec tunnel(s) get disconnected, or re-connected after going down.
You can configure email notifications for IPSec VPN up/down event by following the steps given below.
 
1.     Login to Cyberoam Web Admin Console using Administrator profile.
 
2.     Go to System > Configuration > Notification and enable IPSec Tunnel UP/Down. 
 
  
 
3.     Click Apply to save configuration.




                                                                                                                                                                      Document Version: 1.2 – 22 October, 2014
1.4.22. Why does my site-to-site VPN connection status display Yellow instead of Green?

Applicable Version: 10.00 onwards
 

The site-to-site VPN connection status is displayed as Yellow in Two (2) cases:


1.    While the VPN peers negotiate SA proposals. Once negotiation is complete and the connection is established, the status turns Green. If negotiation fails, the status remains Red.

2.    When more than One (1) local or remote subnet is configured in the IPSec connection and the connection cannot be established for one or more of these subnets.
 
 

 

From version 10.6.1 onwards, you can view the status of the individual connections by clicking the Connection Detail symbol against the connection status.
 
 
 
 
                                                                                                            
                                                                                                                                                                 







                                                                                                                                                                  Document Version: 1.1 – 16 September, 2014
1.4.23. How to route Cyberoam initiated traffic through an IPSec VPN tunnel?

Applicable Version: 10.00 onwards

Scenario

The network schema is as shown below. The administrator can route traffic originating from Cyberoam itself through an IPSec VPN Tunnel. The Cyberoam is connected via IPSec VPN either to another Cyberoam Appliance or to a third-party device.
 
 

In this example, we have shown Cyberoam connected with another Cyberoam Appliance. The traffic generated by Branch Office (BO) Cyberoam Appliance is to be routed to the Server 172.16.1.15 in Head Office (HO) network.

Configuration

You can route Cyberoam initiated traffic through the IPSec VPN tunnel in Two (2) Ways: 

1.   Update in IPSec Connection

Branch Office

 

Include the WAN IP 192.168.20.178 as a Local Subnet in the IPSec configuration of the Cyberoam whose own traffic is to be routed through the tunnel:

 

-        Go to VPN > IPSec > Connection and select the required IPSec connection.

-        Add the WAN IP to Local Subnet under Local Network Details, as shown below.
 

 

 

Head Office

 

Include the Branch Office WAN IP 192.168.20.178 as a Remote LAN Network in the IPSec configuration of the Head Office Cyberoam:

 

-        Go to VPN > IPSec > Connection and select the required IPSec connection.

-        Add the WAN IP to Remote LAN Network under Remote Network Details, as shown below.
 

 

OR

2.   Add IPSec Route at Branch Office

     Add an IPSec route for the destination and apply a Source NAT so that BO Cyberoam initiated traffic leaves with an internal LAN IP, which already belongs to the tunnel's local subnet:   

-     Go to the Cyberoam CLI Console.

-     Choose option 4. Cyberoam Console.

-     Execute the following command to add an IPSec route for the destination host (172.16.1.15 in this scenario):  

      console> cyberoam ipsec_route add host <IP Address of host> tunnelname <tunnel>
 
-     Execute the following command to NAT the Cyberoam-generated traffic for that destination from the private LAN IP: 

      console> set advanced-firewall cr-traffic-nat add destination <Destination IP/Network> snatip <NATed IP>
 
    

 

 

                                                                                                                         

 

 

 

 

 

 

                                                                                                                                                                   Document Version: 1.1 – 06 June, 2014

 

1.4.24. Is it possible to authenticate Branch Office users with the Head Office Authentication Server?

Applicable Version: 10.00 onwards 

Yes, but keep the following points in mind while configuring the IPSec VPN connection between the HO and BO:

-       In the Branch Office Cyberoam, include the Cyberoam WAN IP as a Trusted Local Subnet in IPSec configuration.

-       In the Head Office Cyberoam, include the Branch Office Cyberoam WAN IP as a Trusted Remote Subnet in IPSec configuration.

-       Make sure that IPSec connection is active and connected.

-       Configure the Head office Authentication Server in the Branch Office Cyberoam.
 
     

 

For details on the configuration, refer to the article Allow Branch Office Users to Authenticate with Head Office Authentication Server.

 

 

 

                                                                                                                                                          Document Version: 1.1 – 3 February, 2015

1.4.25. How to view Preshared Key applied on IPSec/L2TP connection?

Applicable to Version: 10.01.1 build 023 onwards

Administrator may need to view the Preshared Key used in IPSec or L2TP connections while troubleshooting existing connections or during the configuration of the remote end of a new connection.

Follow the steps mentioned below to view Preshared Key.

1.    Log on to the Web Admin Console as an administrator with Read-Write permission for relevant feature(s). 

2.    Go to VPN > IPSec > Connection OR VPN > L2TP > Connection and select the required connection.

3.    Under Authentication Details, click Show Preshared Key to view the Preshared Key applied on the IPSec/L2TP Connection.

Document Version: 1.1 – 31 January, 2015

1.5. SSL VPN
1.5.1. Establish SSL VPN Connection with Cyberoam having Private IP on WAN Interface

Applicable Version: 10.00 onwards

Scenario

Configure and establish an SSL VPN connection between an SSL VPN user and a Cyberoam placed behind an upstream router, as shown below.

Cyberoam is placed behind an upstream, Internet-facing ISP Router. Cyberoam WAN Interface is configured with a Private IP. The ISP Router acts as the gateway for all incoming and outgoing Internet traffic for the network.

Prerequisite

•   The upstream router must have the SSL VPN port (default port 8443 or any custom port as configured in Cyberoam) open.
•   The upstream router must be configured to perform port forwarding of the required SSL VPN port.

Configuration

To configure SSL VPN, follow the steps given below. 

Step 1: Configure SSL VPN in Cyberoam

Refer to the article How To - Configure SSL VPN in Cyberoam. 

Step 2: Re-configure SSL VPN Client Settings

•   After the SSL VPN Client is installed and running on the user machine, right-click the CrSSL Client icon in the Notification Area at the bottom right corner of your screen and click Server Settings.

•   Set Connect to Server as the Public IP Address of the upstream router (202.88.135.164) and Port as the configured port on Cyberoam (8443).

•   Click OK to save the settings. 

Once the above configuration is done, log on to the client by clicking the CrSSL Client icon and providing your user credentials.

Document Version: 1.0 – 20 November, 2014

1.5.2. Error <SSL VPN Client Installation Failure in Windows 8/8.1>

Applicable Version: 10.00 onwards

Error

On installing SSL VPN client on a Windows 8/8.1 machine, the following error may occur.
 

Solution

To resolve this error, follow the steps given below. 

1.  Uninstall the existing SSL VPN Client in the machine.

2.  Go to the Device Manager and, under Other Devices, uninstall the “Unknown Device” driver.

Note: 

If you do not find Unknown Device driver under Other Devices, look under Network adapters. Right-click the Unknown Device driver under Network adapters, disable it and then re-enable it. On enabling, the driver shifts to “Other Devices”. Then, follow the step given above.
 
3.  Reboot the machine to ensure that all files related to the Unknown Device driver are removed.

4.  Re-download and install the latest version of Cyberoam SSL VPN Client from http://www.cyberoam.com/cyberoamclients.html

The Client is installed successfully. You can verify successful installation by going to the Device Manager and checking under Network Adapters if the TAP-Windows Adapter is installed.

Document Version: 1.1 – 3 September, 2014

1.5.3. Obtain the Passphrase for SSL VPN Authentication

Applicable Version: 10.04.0 Build 433 onwards
 
Overview
 
Cyberoam allows administrators to configure a passphrase in Self-Signed Certificates used in SSL VPN Authentication. This passphrase is used as a second level of authentication for SSL VPN users. Users can obtain this passphrase during authentication via Three (3) modes: in the Client Bundle, as an On-Screen Link, or by Email.

Passphrase can be configured in any one of the following ways:
 
-   While generating Self-Signed Certificate from System > Certificate > Certificate. Check Enable against Key Encryption and specify the 
    Passphrase which is to be used for second level authentication.
-   When you check Enable against Per User Certificate from VPN > SSL > Tunnel Access. This Passphrase is system generated.
 

Scenario

This article demonstrates how the Administrator can configure the Three (3) Modes of Passphrase Reception and how the user can obtain the passphrase while authenticating according to the mode configured. The modes are:

-    Client Bundle
-    On-Screen Link
-    Email


Client Bundle
 
Configuration of Mode

Login to Cyberoam Web Admin Console using profile having read-write permission of the relevant features. Go to System > Administration > Settings. Under SSL VPN Settings, select Client Bundle in Receive Passphrase via parameter.

Obtaining Passphrase

When Administrator configures Passphrase Reception Mode as Client Bundle, the passphrase is received in a text file included in the SSL VPN Client configuration. Follow the steps given below to obtain the passphrase in the Client Bundle.

•   Login to SSL VPN Portal by browsing to https://<WAN IP address of Cyberoam:port> and logging in.

•   Download the Client Configuration by clicking Download SSL VPN Client Configuration – Windows OR Download SSL VPN Client Configuration – MAC Tunnelblick, depending upon your system.

The downloaded file contains a text file named Passphrase which contains the passphrase.

On-Screen Link
 
Configuration of Mode

Login to Cyberoam Web Admin Console using profile having read-write permission of the relevant features. Go to System > Administration > Settings. Under SSL VPN Settings, select On-Screen Link in Receive Passphrase via parameter.

Obtaining Passphrase

When Administrator configures Passphrase Reception Mode as On-Screen Link, a link appears on the Portal screen; clicking it displays the passphrase. Follow the steps given below to obtain the passphrase via On-Screen Link.

•    Login to SSL VPN Portal by browsing to https://<WAN IP address of Cyberoam:port> and logging in.

•    Click the Show Link against Receive Passphrase to view the passphrase.

Email

Configuration of Mode

Login to Cyberoam Web Admin Console using profile having read-write permission of the relevant features. Go to System > Administration > Settings. Under SSL VPN Settings, select Email in Receive Passphrase via parameter.

Obtaining Passphrase

When Administrator configures Passphrase Reception Mode as Email, a link appears on the Portal screen; clicking it sends the user an Email that contains the passphrase. Follow the steps given below to obtain the passphrase via Email.

•    Login to SSL VPN Portal by browsing to https://<WAN IP address of Cyberoam:port> and logging in.

•    Click on the Send Email Link against Receive Passphrase to receive an Email containing the passphrase.

Note:

-    The Email is sent to the User’s Email Address, as configured in Cyberoam (Identity > Users).

-    Make sure that Mail Server is configured in Cyberoam. You can configure Mail Server from System > Configuration > Notification.

Document Version: 1.0 – 18/06/2013

1.5.4. Configure SSL VPN for Android Devices using OpenVPN Connect


Applicable Cyberoam Version: 10.04.02 Build 527 onwards

Overview  

OpenVPN Connect is the official full-featured Android client for the OpenVPN Access Server, Private Tunnel and OpenVPN Community, developed by OpenVPN Technologies, Inc.

OpenVPN Connect can be used to establish SSL VPN connection between any Android Device and Cyberoam.


Scenario
 
Configure SSL VPN for Android Device using OpenVPN Connect.   

Cyberoam Configuration

Configure SSL VPN from Cyberoam Web Admin Console. Configuration requires read-write permission for the relevant features.

Configure SSL VPN with Tunnel Access Mode in Cyberoam

To know how to configure SSL VPN in Cyberoam, refer to the article How To – Configure SSL VPN in Cyberoam.

Android Configuration

Configure OpenVPN Connect in your Android Device by following the steps below.

Step 1: Download and Install OpenVPN Connect

Download OpenVPN Connect and install it on your Android Device.

Step 2: Download Cyberoam SSL VPN Client Configuration in Local System

To download Cyberoam SSL VPN Client Configuration, follow the steps below.

·         Access Cyberoam SSL VPN Portal using the URL - https://<WAN IP address of Cyberoam:port> and login to the Portal. If Two Factor Authentication is enabled, refer to the article How to Login in a Two Factor Authentication Environment?

·         Click Download SSL VPN Client Configuration – MAC Tunnelblick to download the client configuration and save it in your system.

A compressed file called ClientBundle.tgz is downloaded and saved at your mentioned location.

Note:

The SSL VPN Client Configuration for MAC Tunnelblick is compatible with Macintosh, iOS and Android platforms. 

Step 3: Extract ClientBundle.tgz to your local system
Extract ClientBundle.tgz to your local system. The following files are obtained.
 
-       UserPrivateKey.key
-       UserCertificate.pem
-       RootCertificate.pem
-       Client.ovpn
 

Step 4: Configure client.ovpn file

You need to edit the configuration of the client.ovpn file ONLY IF any or both of the following criteria are applicable:

·   If your OpenVPN Connect version is below 1.1.11 Build 44.
·   If your network has Two Factor Authentication configured.

OpenVPN Connect Version below 1.1.11 Build 44

If your OpenVPN Connect version is 1.1.11 Build 44 or above, skip to step 5.

Double click client.ovpn to open it in a text editor. 

·    If the Protocol for SSL VPN connection is configured as TCP, then set the parameter proto as TCP. If the Protocol is configured as UDP, no change is required.
·    Set the parameter reneg-sec to 3600.

Note:

For OpenVPN Connect version 1.1.11 Build 44 and below, it is mandatory to set the value of reneg-sec to 3600, and set proto according to the protocol being used for SSL VPN connection. For more information, please refer to the links given below:

-    Sourceforge
-    OpenVPN

Two Factor Authentication Configured

If Two Factor Authentication is not configured in your network, skip to Step 5.

Double click client.ovpn to open it in a text editor and add the parameter:

ping-restart 65

Step 5: Transfer SSL VPN Configuration files to Android Device
 
Transfer the files mentioned above (UserPrivateKey.key, UserCertificate.pem, RootCertificate.pem, Client.ovpn) from your local system to your Android Device.
 

Step 6: Import SSL VPN Configuration to OpenVPN Connect in Android Device

·         Launch OpenVPN Connect and click Settings.

·         Click Import to import the client.ovpn file included in the SSL VPN Configuration files.

Step 7: Connect to Cyberoam

Once the files are imported, a new VPN profile is created according to the configuration in client.ovpn. Enter Password and click Connect to establish a connection with Cyberoam. If Two Factor Authentication is enabled, refer to the article How to Login in a Two Factor Authentication Environment?

The above configuration establishes an SSL VPN connection between Cyberoam and Android Device using OpenVPN Connect.

Document Version: 1.3 – 13/09/2013

1.5.5. Configure SSL VPN for iPhone/iPad using OpenVPN Connect

Applicable Version: 10.04.02 Build 527 onwards
 
Overview
 
OpenVPN Connect is the official full-featured iPhone/iPad client for the OpenVPN Access Server, Private Tunnel and OpenVPN Community, developed by OpenVPN Technologies, Inc.

OpenVPN Connect can be used to establish SSL VPN connection between iPhone/iPad and Cyberoam.
 

Scenario

Configure SSL VPN for iPhone using OpenVPN Connect.
 

Configuration

You can configure SSL VPN for iPhone using OpenVPN Connect by following the steps below.  

Step 1: Configure SSL VPN with Tunnel Access Mode in Cyberoam

To know how to configure SSL VPN in Cyberoam, refer to the article How To – Configure SSL VPN in Cyberoam.
 

Step 2: Download and Install OpenVPN Connect
 
Download OpenVPN Connect and install it on your iPhone.
 

Step 3: Download Cyberoam SSL VPN Client Configuration

To download Cyberoam SSL VPN Client Configuration, follow the steps below.

·         Access Cyberoam SSL VPN Portal using the URL - https://<WAN IP address of Cyberoam:port> and login to the Portal. If Two Factor Authentication is enabled, refer to the article How to Login in a Two Factor Authentication Environment?

·         Click Download SSL VPN Client Configuration – MAC Tunnelblick to download the client configuration and save it in your system.

A compressed file called ClientBundle.tgz is downloaded and saved at your mentioned location.

Note:

The SSL VPN Client Configuration for MAC Tunnelblick is compatible with Macintosh as well as iOS.

Step 4: Extract ClientBundle.tgz to your local system

Extract ClientBundle.tgz to your local system. The following files are obtained.

-       UserPrivateKey.key
-       UserCertificate.pem
-       RootCertificate.pem
-       Client.ovpn 

Step 5: Configure client.ovpn file

You need to edit the configuration of the client.ovpn file ONLY IF any or both of the following criteria are applicable:

·    If your OpenVPN Connect version is below 1.0.1 Build 88.
·    If your network has Two Factor Authentication configured.

OpenVPN Connect Version below 1.0.1 Build 88

If your OpenVPN Connect version is 1.0.1 Build 88 or above, skip to step 6.

Double click client.ovpn to open it in a text editor. 

·    If the Protocol for SSL VPN connection is configured as TCP, then set the parameter proto as TCP. If the Protocol is configured as UDP, no change is required.
·    Set the parameter reneg-sec to 3600.

Note:

For OpenVPN Connect version 1.0.1 Build 88 and below, it is mandatory to set the value of reneg-sec to 3600, and set proto according to the protocol being used for SSL VPN connection. For more information, please refer to the links given below:

-        Sourceforge
-        OpenVPN

Two Factor Authentication Configured

If Two Factor Authentication is not configured in your network, skip to Step 6.

Double click client.ovpn to open it in a text editor and add the parameter:

ping-restart 65
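The client.ovpn edits described for OpenVPN Connect in the Android (1.5.4) and iPhone/iPad (1.5.5) procedures, as an added Python example that is not Cyberoam's or OpenVPN's own code: it parses the OpenVPN Connect version string, applies the legacy-client edits (proto and reneg-sec) only below the thresholds quoted in the steps, and adds ping-restart 65 when Two Factor Authentication is in use. The sample client.ovpn is constructed (its remote address is the WAN IP used in article 1.5.8), and the function and constant names are my own.

```python
"""Apply the client.ovpn edits from the OpenVPN Connect steps (added example; not Cyberoam/OpenVPN code)."""
import re

# Thresholds quoted in the procedures: clients older than these need the proto/reneg-sec edits.
LEGACY_THRESHOLDS = {
    "android": (1, 1, 11, 44),  # OpenVPN Connect 1.1.11 Build 44
    "ios": (1, 0, 1, 88),       # OpenVPN Connect 1.0.1 Build 88
}

# Constructed sample client.ovpn; the remote address is the WAN IP used in article 1.5.8.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote 203.10.10.100 8443
reneg-sec 0
ca RootCertificate.pem
cert UserCertificate.pem
key UserPrivateKey.key
"""


def parse_version(version):
    """'1.1.11 Build 44' -> (1, 1, 11, 44); raises on any other shape."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\s+build\s+(\d+)", version.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised OpenVPN Connect version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_legacy_client(platform, version):
    """True when the client is below its platform threshold and therefore needs the edits."""
    return parse_version(version) < LEGACY_THRESHOLDS[platform]


def set_option(lines, name, value):
    """Replace the first 'name ...' directive (dropping later duplicates) or append one."""
    out, seen = [], False
    for line in lines:
        if line.split()[:1] == [name]:  # the directive is the first token on the line
            if not seen:
                out.append(f"{name} {value}")
                seen = True
            continue  # a later duplicate would override the value just set, so drop it
        out.append(line)
    if not seen:
        out.append(f"{name} {value}")
    return out


def patch_client_ovpn(text, platform, version, cyberoam_protocol, two_factor):
    """Return the patched client.ovpn text for the given client and appliance settings."""
    lines = text.splitlines()
    if is_legacy_client(platform, version):
        if cyberoam_protocol.lower() == "tcp":
            lines = set_option(lines, "proto", "tcp")  # OpenVPN directive values are lowercase
        lines = set_option(lines, "reneg-sec", "3600")
    if two_factor:
        lines = set_option(lines, "ping-restart", "65")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(patch_client_ovpn(SAMPLE_OVPN, "android", "1.1.10 Build 12", "TCP", True))
```

An up-to-date client with no Two Factor Authentication gets its file back unchanged, which matches the "skip to the next step" branches above; the version parser deliberately rejects strings it does not recognise rather than guessing.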
Step 6: Import all files to OpenVPN Connect

Import the files mentioned above into OpenVPN Connect using iTunes. Once the files are imported, a new VPN profile gets created pertaining to configuration mentioned in client.ovpn.
 

Step 7: Connect to Cyberoam

·         Select the newly created profile to connect to Cyberoam.

·         Enter user credentials and connect to Cyberoam. If Two Factor Authentication is enabled, refer to the article How to Login in a Two Factor Authentication Environment? 

Document Version: 1.2 – 12/09/2013

1.5.6. Allow an SSL VPN User Access to an Application Hosted at Remote Side of an IPSec Connection

Applicable Version: 10.00 onwards

Scenario

Allow any SSL VPN user, connected to Head Office Network, access to the RDP Server hosted in the Branch Office network as shown below. The Head Office and Branch Office are connected via an IPSec VPN tunnel.
 

Prerequisite

The Head Office and Branch Office should be connected via an IPSec VPN connection. For details on how to configure an IPSec VPN tunnel refer to the following articles: 

Configuration

In IPSec Configuration, you can allow the SSL VPN user access to the RDP server by adding the Head Office WAN IP in the trusted Local Networks at the Head Office side and trusted Remote Networks at the Branch office side.

Head Office Configuration

To configure the Head Office Cyberoam, follow the steps given below.

Step 1: Create Bookmark for RDP Service

Go to VPN > SSL > Bookmark and click Add to add a bookmark using the following parameters.

Parameter: Value
    Description

Name: RDP
Type: RDP
    Select type of Bookmark. Available options: HTTP, HTTPS, RDP, Telnet, SSH, FTP.
URL: 172.16.16.17
Screen Resolution: 1024 × 768
    Select from the available options.
Port: 3389
    Specify the port number on which the RDP service is running. Default - 3389.

Step 2: Create SSL VPN Policy

Create an SSL VPN policy to allow access to the RDP server. Go to VPN > SSL > Policy and click Add to add an SSL VPN policy using the following parameters.

Parameter: Value
    Description

Add SSL VPN Policy

Name: Access_RDP
    Name to identify the SSL VPN policy.
Access Mode: Application Access Mode
    Select the access mode by clicking the appropriate option.

Application Access Settings

Accessible Resources: RDP
    Select Bookmarks/Bookmarks Group that remote user can access.


Step 3: Include Head Office WAN IP in Trusted Local Subnet in IPSec Connection

Go to VPN > IPSec > Connection and select the Head_to_Branch IPSec connection. Add the Head Office WAN IP, i.e., 192.168.20.182, in Trusted Local Subnet, as shown below.

Click OK to save changes.

Branch Office Configuration

To configure the Branch Office Cyberoam, follow the steps given below.

Step 1: Include Head Office WAN IP in Trusted Remote Subnet in IPSec Connection

Go to VPN > IPSec > Connection and select the Branch_to_Head IPSec connection. Add the Head Office WAN IP, i.e., 192.168.20.182, in Trusted Remote Subnet, as shown below.

Once the above configuration is done at the Head Office and the Branch Office side, the SSL VPN user is able to access the RDP server located at the Branch Office.

Document Version: 2.0 – 24 February, 2015

1.5.7. Configure SSL VPN for Macintosh OS X using Tunnelblick VPN client

Applicable Version: 10.00 onwards

Overview

Tunnelblick is an open source graphical user interface for SSL VPN on Macintosh (Mac) OS X. It comes as a ready-to-use application with all necessary binaries and drivers. It does not require any additional installation. You just need to add the VPN tunnel configuration and encryption information.

Tunnelblick Client can be used to establish an SSL VPN connection between Mac OS and Cyberoam. 

Scenario

Configure SSL VPN for Mac OS X using Tunnelblick VPN client. 

Configuration

You can configure SSL VPN for Mac OS X using Tunnelblick VPN client by following the steps below. Configuration is to be done in Cyberoam and Mac OS using profile having read-write administrative rights for relevant features. 

Step 1: Configure SSL VPN with Tunnel Access Mode in Cyberoam

To know how to configure SSL VPN in Cyberoam, refer to the article How To – Configure SSL VPN in Cyberoam

Step 2: Download and Install Tunnelblick Client

Download Tunnelblick Client from http://code.google.com/p/tunnelblick/ and install it on your Mac workstation.  

Step 3: Download Cyberoam SSL VPN Client Configuration

To download Cyberoam SSL VPN Client Configuration, follow the steps below.


•    Access Cyberoam SSL VPN Portal using the URL - https://<WAN IP address of Cyberoam:port> and login to the Portal. 

•    Click Download SSL VPN Client Configuration – MAC Tunnelblick to download the client configuration specific for Mac OS and save it in your system.

A compressed file called clientbundle.tar is downloaded and saved in your system.  

Step 4: Extract clientbundle.tar

Double-click clientbundle.tar to extract it.

A folder named ‘clientbundle’ is extracted, which contains Two (2) files: CRSSLconfig.tblk and Passphrase.txt.

 

CRSSLconfig.tblk: This is a Tunnelblick configuration file containing information about the VPN configuration with Cyberoam and CA Certificate.

Passphrase.txt: This file contains the passphrase to be used by the user during SSL VPN Authentication.

Note:

Passphrase.txt is present in the clientbundle ONLY IF configured in Cyberoam. For more details refer to the article How To - Obtain the Passphrase for SSL VPN Authentication.

Step 5: Install Configuration in Tunnelblick

Double-click CRSSLconfig.tblk to install the Cyberoam SSL configuration in Tunnelblick. The following screen appears.

If you want to install the configuration for all users of the system, click All Users. Else, click Only Me. The VPN configuration for Cyberoam gets installed in Tunnelblick.


Step 6: Establish SSL VPN Connection with Cyberoam

•    Launch Tunnelblick Client from Finder > Applications > Tunnelblick.app. Click the Tunnelblick icon that appears on the top left corner of the screen and click Connect CRSSLconfig.

•    Login to establish an SSL VPN connection with Cyberoam at the remote site.

The above configuration applies Cyberoam SSL VPN Client Configuration to Tunnelblick client in Mac OS X and establishes an SSL VPN connection with Cyberoam at a remote site.

Document Version: 2.0 – 25 February, 2014

1.5.8. Configure SSL VPN in Cyberoam
 
Applicable Version: 10.00 onwards

Overview
 
SSL (Secure Socket Layer) VPN provides simple-to-use, secure access for remote users to the corporate network from anywhere, anytime. It enables creation of point-to-point encrypted tunnels between remote user and company’s internal network, requiring combination of SSL certificates and a username/password for authentication.

Cyberoam allows remote users access to the corporate network in 3 Modes:

-       Tunnel Access Mode: User gains access through a remote SSL VPN Client.

-       Web Access Mode: Remote users can access SSL VPN using a web browser only, i.e., clientless access.

-       Application Access Mode: users can access web applications as well as certain enterprise applications through a web browser, i.e., clientless access.
 

Scenario

Configure SSL VPN in Cyberoam such that the remote user shown in the diagram below is able to access the Web and Intranet Servers in the company’s internal network. The user is to have Full Access, i.e., Tunnel, Web and Application Access. The network particulars given below are used as an example throughout this article.

Network Parameters

Cyberoam WAN IP: 203.10.10.100
LAN Network: 172.16.16.0/24
Intranet Server IP: 172.16.16.1
Web Server IP: 172.16.16.2
IP Range Leased to user after successful connection through SSL VPN: 10.10.10.1 to 10.10.10.254

Configuration

Configure SSL VPN in Cyberoam by following the steps given below. You must be logged on to the Web Admin Console as an administrator with Read-Write permission for relevant feature(s).

Step 1: Generate Default Certificate Authority

To generate the default Certificate Authority, go to System > Certificate > Certificate Authority and click Default CA.

Update the Default CA as shown below. 
 
 

Click OK to generate Default Certificate Authority. 

Note:

If you are using an external certificate authority, you can upload the same by following steps mentioned in the article Add an External Certificate Authority (CA) in Cyberoam.

Step 2: Create self-signed Certificate

To create a self-signed Certificate, go to System > Certificate > Certificate and click Add. Generate a Self Signed Certificate as shown below. 

 

Click OK to create the certificate.

Step 3: Configure SSL Global Parameters

To set global parameters for tunnel access, go to VPN > SSL > Tunnel Access and configure tunnel access settings with the following values:

Parameter: Value
    Description

Protocol: TCP
    Select default protocol for all the SSL VPN clients.
SSL Server Certificate: SSLVPN_SelfSigned
    Select SSL Server certificate from the dropdown list to be used for authentication.
Per User Certificate: Disabled
    SSL server uses certificate to authenticate the remote client. One can use the common certificate for all the users or create individual certificate for each user.
SSL Client Certificate: SSLVPN_SelfSigned
    Select the SSL Client certificate from the dropdown list if you want to use common certificate for authentication.
IP Lease Range: 10.10.10.1 to 10.10.10.45
    Specify the range of IP addresses reserved for the SSL Clients.
Subnet Mask: 255.255.255.0
    Specify Subnet mask.
Primary DNS: 4.2.2.2
    Specify IP address of Primary DNS.
Secondary DNS: 8.8.8.8
    Specify IP address of Secondary DNS.
Enable DPD: Enabled
    Click to enable Dead Peer Detection.
Check Peer after every: 60
    Specify time interval in the range of 60 to 3600 seconds after which the peer should be checked for its status.
Disconnect after: 300
    Specify time interval in the range of 300 to 1800 seconds after which the connection should be disconnected if peer is not live.
Idle Time Out: 15
    Specify idle timeout. Connection will be dropped after the configured inactivity time and user will be forced to re-login.
Data Transfer Threshold: 250
    Once the idle timeout is reached, before dropping the connection, appliance will check the data transfer. If data transfer is more than the configured threshold, connection will be dropped.

To set global Idle Time for Web Access Mode, go to VPN > SSL > Web Access and set Idle Time as shown below. 
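A consistency check over the tunnel-access values in the table above, as an added Python example that is not Cyberoam code: it confirms that the IP lease range fits inside the subnet implied by the configured Subnet Mask, that the leased subnet does not overlap the LAN network from the Network Parameters table, and that the DPD timers fall inside the ranges the table states. The function names, and the extra check that the disconnect timer is not shorter than the check interval, are my own additions.

```python
"""Sanity-check SSL VPN tunnel-access settings (added example; not Cyberoam code)."""
import ipaddress

# Ranges quoted in the settings table above.
DPD_CHECK_RANGE = (60, 3600)        # "Check Peer after every", seconds
DPD_DISCONNECT_RANGE = (300, 1800)  # "Disconnect after", seconds


def lease_network(first, mask):
    """Subnet implied by the first lease address and the configured subnet mask."""
    return ipaddress.IPv4Network(f"{first}/{mask}", strict=False)


def check_tunnel_settings(first_lease, last_lease, mask, internal_networks,
                          dpd_check, dpd_disconnect):
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    first = ipaddress.IPv4Address(first_lease)
    last = ipaddress.IPv4Address(last_lease)
    if last < first:
        problems.append("lease range end precedes its start")
    net = lease_network(first_lease, mask)
    if last not in net:
        problems.append(f"lease range end {last} is outside {net}")
    if first == net.network_address or last == net.broadcast_address:
        problems.append("lease range includes the network or broadcast address")
    # Leased addresses must not collide with networks the client is supposed to reach.
    for cidr in internal_networks:
        internal = ipaddress.IPv4Network(cidr)
        if net.overlaps(internal):
            problems.append(f"lease subnet {net} overlaps internal network {internal}")
    lo, hi = DPD_CHECK_RANGE
    if not lo <= dpd_check <= hi:
        problems.append(f"DPD check interval {dpd_check}s outside {lo}-{hi}")
    lo, hi = DPD_DISCONNECT_RANGE
    if not lo <= dpd_disconnect <= hi:
        problems.append(f"DPD disconnect {dpd_disconnect}s outside {lo}-{hi}")
    # Not stated in the article; a disconnect timer shorter than the probe interval
    # would drop peers before they are ever checked.
    if dpd_disconnect < dpd_check:
        problems.append("DPD disconnect timer is shorter than the check interval")
    return problems


# Values from the article's Network Parameters and tunnel access tables.
ARTICLE_SETTINGS = dict(first_lease="10.10.10.1", last_lease="10.10.10.45",
                        mask="255.255.255.0", internal_networks=["172.16.16.0/24"],
                        dpd_check=60, dpd_disconnect=300)

if __name__ == "__main__":
    print(check_tunnel_settings(**ARTICLE_SETTINGS) or "settings consistent")
```

Run against the article's own values the check returns no problems; pointing the lease range into 172.16.16.0/24 reports the overlap, which is the misconfiguration that makes leased clients unreachable from the LAN they are meant to use.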
 
 

Step 4: Create Bookmarks (Applicable for Web and Application Access Mode Only)

Bookmarks are the resources whose access is available through SSL VPN Web portal. You can also create a group of bookmarks that can be configured in SSL VPN Policy. These resources are available in Web and Application Access mode only.

To create Bookmark, go to VPN > SSL > Bookmark and click Add. Create Bookmark using the following parameters. 

Parameter: Value
    Description

Name: Telnet
    Name to identify Bookmark.
Type: TELNET
    Specify type of bookmark.
URL: 192.168.1.120
    Specify URL at which telnet sessions are allowed to remote users.

Click OK to create Bookmark.

Similarly, create a bookmark Intranet of type HTTP to allow access to the internal Intranet server.

Note:

Intranet is accessible in Web as well as Application Access Mode, while Telnet is accessible in Application Access Mode.

Step 5: Configure SSL VPN Policy

To configure SSL VPN policy, go to VPN > SSL > Policy and click Add. Create policy using the parameters given below.

Parameter: Value
    Description

Add SSL VPN Policy

Name: Full_Access
    Name to identify the SSL VPN policy.
Access Mode: Tunnel Access Mode, Web Access Mode, Application Access Mode
    Select the access mode by clicking the appropriate option.

Tunnel Access Settings

Tunnel Type: Split Tunnel
    Select tunnel type. Tunnel type determines how the remote user’s traffic will be routed.
Accessible Resources: <As required>
    Select Hosts or Networks that remote user can access.
DPD Settings: Use Global Settings
    You can customize and override the global Dead Peer Detection setting.
Idle Time out: Use Global Settings
    You can use the global settings or customize the idle timeout.

Web Access Settings

Enable Arbitrary URL Access: Enabled
    Enable to access custom URLs not defined as Bookmarks.
Accessible Resources: Intranet
    Select Bookmarks/Bookmarks Group that remote user can access.
Idle Time out: Use Global Settings
    You can use the global settings or customize the idle timeout.

Application Access Settings

Accessible Resources: Intranet, Telnet
    Select Bookmarks/Bookmarks Group that remote user can access.

Step 6: Apply SSL VPN Policy on User

To apply SSL VPN policy on user, follow the steps given below.

Go to Identity > Users > User and select the user to which policy is to be applied. Here we have applied it on user John Smith. Under Policies section, select Full_Access for SSL VPN as shown below. 

Click OK to update the user’s SSL VPN Policy.

Note:

Make sure that Firewall Rules allowing traffic from LAN to VPN and vice versa are present. If they are not present, create them manually. They are necessary for the VPN connections to function properly.
 

Step 7: Download and Install SSL VPN Client at Remote End

Remote users can login to Cyberoam SSL VPN Portal by browsing to https://<WAN IP address of Cyberoam:port> and logging in.

Note:

Use default port: 8443 unless customized. Access is available only to those users who have been assigned an SSL VPN policy. 
 
 
 
User is directed to the Main Page which displays Tunnel, Web or Application Access Mode section according to policy applied on user. 
 
 

For Tunnel Access, user needs to access internal resources through an SSL VPN Client.

-       Download the SSL VPN client by clicking “Download Client” and follow the on-screen instructions.

-       Install the client on the remote user’s system.

-       On complete installation, the CrSSL Client icon appears in the system tray. Login to the Client and access the company’s internal network through SSL VPN.

For Web and Application Access, user can access internal resources using web browser, i.e., clientless access. In this, user needs to browse to https://<WAN IP address of Cyberoam:port> and login.

Document Version: 3.0 – 10 July, 2014

1.5.9. Configure SSL VPN Client in Ubuntu

Applicable Version: 10.04.0 Build 214 onwards
 
Applicable Ubuntu Version: 14.04 onwards

Scenario

Configure the SSL VPN Client (OpenVPN) on Ubuntu 14.04.
 

Prerequisite

OpenVPN should be installed. 

You can install OpenVPN by executing the following command:

# sudo apt-get install openvpn
 

Configuration

Follow the below mentioned steps to configure SSL VPN Client in Ubuntu.

Step 1: Configure SSL VPN on Cyberoam

Refer to the article How To - Configure SSL VPN in Cyberoam for details.

Step 2: Download and Install SSL VPN Client at User's End

•   Login to Cyberoam SSL VPN Portal by browsing to https://<WAN IP address of Cyberoam:port> and log in. 

    Note: 

    Use default port: 8443 unless customized. Access is available only to those users who have been assigned an SSL VPN policy.

•   User is directed to the Main Page. Click Download SSL VPN Client Configuration - MAC Tunnelblick to download the Client configuration for OpenVPN.

    A compressed file named clientbundle.tgz is downloaded.

•   Go to the downloaded directory and extract the clientbundle.tgz using the following command.

    # tar -xvf clientbundle.tgz

•   A file named Passphrase.txt and a folder named CRSSLconfig.tblk are extracted. The folder contains the following files: 

    -      client.ovpn
    -      UserPrivateKey.key
    -      UserCertificate.pem
    -      RootCertificate.pem
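The extraction step above, and the Client Bundle passphrase mode from article 1.5.3, as an added Python example that is not Cyberoam code: it builds a constructed clientbundle.tgz with the file layout listed above, extracts it while refusing members that would escape the target directory, checks that the ca/cert/key paths in client.ovpn resolve relative to CRSSLconfig.tblk (the reason the next step runs openvpn from inside that folder), restricts UserPrivateKey.key to its owner, and reads Passphrase.txt when it is present. All file contents are placeholders and the function names are my own.

```python
"""Extract and sanity-check a Cyberoam SSL VPN client bundle (added example; not Cyberoam code)."""
import io
import os
import tarfile
import tempfile

# Layout from the Ubuntu procedure; Passphrase.txt is present only when a passphrase is configured.
CONFIG_DIR = "CRSSLconfig.tblk"
REQUIRED = ("client.ovpn", "UserPrivateKey.key", "UserCertificate.pem", "RootCertificate.pem")
PASSPHRASE_FILE = "Passphrase.txt"

# Constructed client.ovpn: the ca/cert/key directives use paths relative to the .ovpn file.
SAMPLE_OVPN = ("client\ndev tun\nproto udp\nremote 203.10.10.100 8443\n"
               "ca RootCertificate.pem\ncert UserCertificate.pem\nkey UserPrivateKey.key\n")

def build_sample_bundle(path, with_passphrase=True, extra=None):
    """Write a constructed clientbundle.tgz with placeholder contents (demo input only)."""
    members = {f"{CONFIG_DIR}/{name}": f"# placeholder {name}\n" for name in REQUIRED}
    members[f"{CONFIG_DIR}/client.ovpn"] = SAMPLE_OVPN
    if with_passphrase:
        members[PASSPHRASE_FILE] = "example-passphrase\n"
    members.update(extra or {})
    with tarfile.open(path, "w:gz") as tar:
        for name, text in members.items():
            data = text.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return path

def safe_extract(bundle_path, dest):
    """Extract the bundle, refusing members that would land outside dest or that are links."""
    dest = os.path.realpath(dest)
    with tarfile.open(bundle_path, "r:*") as tar:
        for member in tar.getmembers():
            target = os.path.realpath(os.path.join(dest, member.name))
            if target != dest and not target.startswith(dest + os.sep):
                raise ValueError(f"refusing member outside destination: {member.name}")
            if member.issym() or member.islnk():
                raise ValueError(f"refusing link member: {member.name}")
        tar.extractall(dest)
    return dest

def referenced_files(ovpn_text):
    """Map the ca/cert/key directives of a client.ovpn to the paths they name."""
    refs = {}
    for line in ovpn_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] in ("ca", "cert", "key"):
            refs[parts[0]] = parts[1]
    return refs

def inspect_bundle(extract_dir):
    """Return (missing_files, dangling_refs, passphrase) for an extracted bundle."""
    cfg = os.path.join(extract_dir, CONFIG_DIR)
    missing = [f for f in REQUIRED if not os.path.isfile(os.path.join(cfg, f))]
    dangling = []
    ovpn = os.path.join(cfg, "client.ovpn")
    if os.path.isfile(ovpn):
        with open(ovpn, encoding="utf-8") as fh:
            refs = referenced_files(fh.read())
        # Relative paths resolve against the directory openvpn is started in, which is
        # why the procedure runs openvpn from inside CRSSLconfig.tblk.
        dangling = [f"{d} -> {p}" for d, p in refs.items()
                    if not os.path.isfile(os.path.join(cfg, p))]
    passphrase = None
    pp = os.path.join(extract_dir, PASSPHRASE_FILE)
    if os.path.isfile(pp):
        with open(pp, encoding="utf-8") as fh:
            passphrase = fh.read().strip()
    return missing, dangling, passphrase

def restrict_key_permissions(extract_dir):
    """Make the private key owner-readable only; returns the resulting permission bits."""
    key = os.path.join(extract_dir, CONFIG_DIR, "UserPrivateKey.key")
    os.chmod(key, 0o600)
    return os.stat(key).st_mode & 0o777

def demo(with_passphrase=True):
    """Build, extract, lock down and inspect a constructed bundle in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        bundle = build_sample_bundle(os.path.join(tmp, "clientbundle.tgz"), with_passphrase)
        out = safe_extract(bundle, os.path.join(tmp, "extracted"))
        restrict_key_permissions(out)
        return inspect_bundle(out)

def demo_rejects_traversal():
    """True if safe_extract refuses a bundle whose member path escapes the destination."""
    with tempfile.TemporaryDirectory() as tmp:
        bundle = build_sample_bundle(os.path.join(tmp, "bad.tgz"), extra={"../escape.txt": "x\n"})
        try:
            safe_extract(bundle, os.path.join(tmp, "extracted"))
        except ValueError:
            return True
        return False

if __name__ == "__main__":
    print(demo(), demo_rejects_traversal())
```

The bundle is downloaded over HTTPS from the appliance, but it is still an archive handed to a user's machine; the member-path check is the standard guard against a tarball writing outside the directory it is extracted into, and the chmod mirrors what openvpn itself expects of a private key file.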
 

Step 3: Connect to Cyberoam

Go to the CRSSLconfig.tblk directory and execute the following command as the root user. 

# openvpn --config client.ovpn

The Username and Password prompt appears. Enter your credentials to connect.

Document Version: 2.0 – 25 February, 2015

1.5.10. Allow Access to Custom URLs through SSL VPN Portal

Applicable Version: 10.00 onwards

Overview

Cyberoam SSL VPN allows users to access internal and external URLs using bookmarks. However, you cannot provide access to certain custom URLs using bookmarks, for example URLs of internal resources hosted in the cloud. 

This article describes how you can provide access to such custom or arbitrary URLs from the SSL VPN Portal. 

Scenario

Enable access to Arbitrary URLs from the SSL VPN Portal so that SSL users can access the URL https://example.com:9090/forms/frmservlet?config=PROD.
 

Prerequisite

The network has appropriate DNS configuration to resolve the URL given above.
 

Configuration

You must be logged on to the Web Admin Console as an administrator with Read-Write permission for relevant feature(s). 

Step 1: Enable Access to Arbitrary URL

Go to VPN > SSL > Policy and select the SSL VPN Policy that is applied to the users. Select Enable Arbitrary URL Access and click Apply to save the settings. Note that every user assigned this policy can then reach any URL that Cyberoam itself can resolve and connect to, including internal hosts, so assign the policy only to users who need it.
 


Step 2: Access the custom URL
    

Log in to the Cyberoam SSL VPN Portal by browsing to https://<WAN IP address of Cyberoam>:<port>.

Note: 

Use the default port 8443 unless it has been customized. Access is available only to users who have been assigned an SSL VPN policy.
 
 

Under Web Access Mode, the Enter URL field is displayed, from which the user can open custom URLs. 

The above configuration allows user access to https://example.com:9090/forms/frmservlet?config=PROD.

 













                                                                                                                                          Document Version: 2.0 – 26 February, 2015
1.5.11. Provide Access to ActiveX Applications through SSL VPN Portal

Applicable Version: 10.00 onwards

Overview

This article describes how an administrator can give SSL VPN users access to ActiveX-based applications such as RDP and SSH.

Scenario

An SSL VPN user needs Remote Desktop (RDP) access to the Active Directory (AD) server 172.16.16.5 in the LAN, and SSH access to a Cyberoam deployed in Bridge Mode at 172.16.16.10 on an internal network segment. 

This is done by publishing bookmarks for the two applications to the user.

Configuration

You must be logged on to the Web Admin Console as an administrator with Read-Write permission for relevant feature(s).

Step 1: Create Bookmark for RDP

Go to VPN > SSL > Bookmark and click Add to create a new Bookmark with the parameters given below. 

Parameter | Value | Description
Name | RDPtoADS | Name to identify the Bookmark.
Type | RDP | Select the type of Bookmark. Available options: HTTP, HTTPS, RDP, Telnet, SSH, FTP.
URL | 172.16.16.5 | Specify the URL or IP address of the host for which the bookmark is created.
Screen Resolution | 1024 x 768 | Select from the available options.
Port | 3389 | Specify the port on which the RDP service is listening. Default: 3389.

 

 

Click OK to save the bookmark. 

Step 2: Create Bookmark for SSH

Go to VPN > SSL > Bookmark and click Add to create a new Bookmark with the parameters given below. 

Parameter | Value | Description
Name | SSHtoCR | Name to identify the Bookmark.
Type | SSH | Select the type of Bookmark. Available options: HTTP, HTTPS, RDP, Telnet, SSH, FTP.
URL | 172.16.16.10 | Specify the IP address of the host for which the bookmark is created (here, the Cyberoam deployed in Bridge Mode at 172.16.16.10).

 

 

Click OK to save the bookmark. 

Step 3: Create SSL VPN Policy

Go to VPN > SSL > Policy and click Add to create a policy. 

In the policy, select Application Mode as the Access Mode. Under Application Access Settings, select the bookmarks created in Steps 1 and 2.
 


Step 4: Assign VPN Policy to User

Go to Identity > Users > Users, select the user to whom the policy is to be applied, and apply the policy as shown below.
 
 

Click OK to save user settings. 

The above configuration allows user John Smith to access the Active Directory Server over RDP and internal Cyberoam over SSH via an SSL Connection.

 

 

 

 

 

                                                                                                                                                             Document Version: 2.0 – 26 February, 2015

1.5.12. Configure access to SSL VPN User Portal using a Custom Port

Applicable Version: 10.00 onwards

Overview

The default port through which the SSL VPN User Portal can be accessed is 8443. Hence, to access the SSL VPN User Portal on the default port, users browse to https://<Cyberoam WAN IP Address>:8443. 

However, Cyberoam lets you change the default SSL VPN Portal port to a custom port. This reduces the portal's exposure to untargeted scans of the non-trusted public interface (WAN); it is not a substitute for strong credentials and an SSL VPN policy limited to the users who need it, since a targeted scan finds the port easily. 

Note 

   SSL VPN port configuration is not available for the Cyberoam model CR15i because the SSL VPN feature is not available on the CR15i.

   Make sure that the custom port you configure is not already used by another service. Avoid ports below 1024, because those are privileged ports reserved for system services. 


Scenario

Change the default SSL VPN port to 8446.


Configuration

You must be logged on to the Web Admin Console as an administrator with Read-Write permission for the relevant feature(s).

Step 1: Take Backup of Appliance Configuration

It is recommended to take a backup of the appliance configuration first. Refer to the article How To – Backup and Restore Cyberoam Configuration for details. 

Step 2: Change Default Ports

Go to System > Administration > Settings. Under Web Admin Settings, set the SSL VPN Port to 8446, as shown below.
 
 

Click Apply to save settings. 

On clicking Apply, the web service is reinitialized, so access to the appliance is temporarily lost. You need to log in to Cyberoam again. 

In the above example: 

SSL VPN users can now access the SSL VPN Portal at https://172.16.16.2:8446. 

Note: 

If access to the Web Admin Console and Telnet Console is lost, refer to the related article to resolve the issue. 

 

 

 

                                                                                                                                                                                    Document Version: 2.0 – 4 February, 2015

 

1.5.13. How to check SSL VPN Logs from CLI?

Applicable Version: 10.00 onwards

Follow the steps mentioned below to check SSL VPN Logs from CLI:
 
1.    Log on to the CLI Console via Telnet or SSH. You can also access the CLI Console by clicking Console in the upper right corner of the 
       Web Admin Console screen.
 

       Note: 

       From firmware version 10.6.1 onwards, the Console button is visible to the Super Administrator ONLY. 

2.    Choose option 4. Cyberoam Console. 

3.    Execute the following command, choosing the log you need (tunnel-access, web-access or application-access) as the argument:

      console> show sslvpn log <tunnel-access/web-access/application-access>

 
      











                                                                                                                                                                     Document Version: 1.1 – 3 February, 2015

 

1.5.14. Why am I NOT able to access internal network resources even after successful SSL VPN connection between Cyberoam and Windows 7/Vista?

Applicable CyberoamVersion: 10.00 onwards

Applicable SSL VPN Client Version: 1.0 onwards

By default, User Account Control (UAC) in Windows 7 or Vista is enabled, which helps prevent unauthorized changes to the user's machine. This interferes with the SSL VPN Client on machines where the user does not have administrative rights: UAC prevents the SSL VPN Client from adding routes to the remote network in the machine's routing table. 

View Error 

In this case, after the SSL VPN connection is established, the error "route addition failed: Access Denied" is displayed. To view the logs, right-click the SSL VPN icon in the System Tray and click Show Status.
 

Solution 

To resolve this, follow the steps given below: 

1.  Right-click the SSL VPN Client shortcut on the desktop and click Properties. 

2.  Switch to the Compatibility tab, select Run this program as an administrator and apply the settings.
 

3.  Go to Start > Run and run msconfig. The System Configuration window opens. Uncheck crssl-client in the Startup Item list.
 
 

This ensures that from then on, when you start the CR SSL VPN Client, it launches with administrative rights and you get the following prompt.
 
 

On clicking Yes, the SSL VPN Client is allowed to add routes on the local machine, and you will be able to reach remote network resources once the SSL VPN connection is established. If the logged-on user is a standard user rather than an administrator, the UAC prompt asks for an administrator's credentials instead of a simple Yes/No confirmation.

 

 







                                                                                                                                                                                 Document Version: 1.1 – 6 February, 2015
1.5.15. Can I use Cyberoam as an SSL VPN Gateway when it is deployed in Bridge Mode?

Applicable Version: 10.02.00 Build 224 onwards
 
Yes. From Cyberoam firmware version 10.02.00 Build 224 onwards, you can configure Cyberoam as an SSL VPN Gateway by using Bridge Pair Configuration.
 
 
 
 
                                                                                                                                 
1.6. VPN Interoperability
1.6.1. Establish IPSec VPN Connection between Cyberoam and a Web Service Provider using an Assigned IP Address

Applicable Version: 10.00 onwards

Overview

Nowadays, organizations prefer cloud infrastructures with services hosted in the data centres of Service Providers (SPs) such as Amazon and Microsoft Azure. These SPs allow networks to connect to them via IPSec VPN connections with pre-configured remote network settings: they assign the customer a single IP address, and that address is the only "remote network" they accept on their side of the tunnel.

This article describes how to create an IPSec connection between Cyberoam and such an SP using the single assigned IP address as the local subnet, with LAN traffic source-NATed to that address before it enters the tunnel.

Scenario

Connect to an SP using IPSec VPN as per following Network Schema.
 
 

Prerequisite

-  You should be registered with the Service Provider.
-  You should have the IP Address assigned to you by the Service Provider.

Configuration

You must be logged on to the Web Admin Console as an administrator with Read-Write permission for relevant feature(s). 

Step 1: Create IPSec Connection
 
Go to VPN > IPSec > Connection and create an IPSec connection as per parameters below.
 
Parameter | Value | Description
Name | CRtoSP | Name to identify the IPSec Connection.
Connection Type | Site to Site | Select the type of connection. Available options: Remote Access, Site to Site, Host to Host.
Policy | DefaultHeadOffice | Select the policy to be used for the connection.
Action on VPN Restart | Initiate | Select the action for the connection. Available options: Respond Only, Initiate, Disable.
Authentication details
Authentication Type | Preshared Key | Select the Authentication Type. Authentication of the peer depends on the connection type.
Preshared Key | 123456789 | The preshared key must be identical to the one configured at the Service Provider. The value shown is a placeholder only; use a long, random key in production.
Endpoints Details
Local | PortC - 1.1.1.1 | Select the local port that acts as the endpoint of the tunnel.
Remote | 1.1.1.2 | Specify the IP address of the Service Provider's endpoint.
Local Network Details
Local Subnet | 172.16.25.1 | The single IP address assigned to you by the Service Provider. LAN traffic is source-NATed to this address in Step 2, so it is the only local address the tunnel needs to carry.
Remote Network Details
Remote LAN Network | 192.168.2.0/24 | Select the Service Provider's network.

 
 

Click OK to create IPSec Connection.

Step 2: Create NAT Policy

Create a NAT policy that translates the source address of traffic from the local network to the IP address assigned to you by the Service Provider (172.16.25.1 in this example). To create the NAT policy, go to Firewall > NAT Policy > NAT Policy and specify the parameters as shown below.
 
 

Step 3: Create Firewall Rule to Apply NAT Policy

Go to Firewall > Rule > Rule and create a rule with the following parameters. 

Parameter | Value | Description
Name | CRtoSP_FWRule | Specify a name to identify the Firewall Rule.
Zone | Source: LAN; Destination: VPN | Specify the source and destination zones to which the rule applies.
Network/Host | Source: 192.168.1.0/24; Destination: 192.168.2.0/24 | Specify the source and destination host or network addresses to which the rule applies.
Action | Accept | Select the rule action.
Apply NAT | Enabled; Policy: LocalNetworktoSP | Select the NAT policy to be applied. Without it, packets keep their 192.168.1.x source address and do not match the tunnel's local selector 172.16.25.1.

 
 

Click OK to create the rule.

Step 4: Set IPSec Route to push Local Network Traffic to IPSec Tunnel

•   Logon to CLI Console via Telnet or SSH. You can also access the CLI Console by clicking Console on the upper right corner of the Web Admin Console screen. 

    Note: 

    From firmware version 10.6.1 onwards, the Console button is visible to the Super Administrator ONLY. 

•   Choose option 4. Cyberoam Console. 

•   Execute the following command: 

    console> cyberoam ipsec_route add net 192.168.2.0/255.255.255.0 tunnelname CRtoSP

 

With the above configuration, LAN traffic for 192.168.2.0/24 is accepted by the firewall rule, source-NATed to 172.16.25.1 and routed into the CRtoSP tunnel, where it matches the local selector the Service Provider expects.
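To see why Steps 2 to 4 are all needed, the following added example (not part of the article) models how one outbound packet is handled under this configuration: the firewall rule's NAT policy rewrites the source to the SP-assigned address first, and the IPSec selectors are evaluated on the translated packet. The addresses are the ones used in the steps above; the packet's host addresses are constructed.

```python
"""Model the NAT-then-selector order the configuration in this article relies on.

Added example, not part of the Cyberoam article. Tunnel and rule addresses are
the article's; the packet addresses used in the demonstration are constructed.
"""
from ipaddress import ip_address, ip_network

# Tunnel selectors from Step 1 (CRtoSP): the local selector is the single
# SP-assigned address, not the LAN.
TUNNELS = {
    "CRtoSP": {"local": ip_network("172.16.25.1/32"),
               "remote": ip_network("192.168.2.0/24")},
}

# Firewall rule CRtoSP_FWRule (Step 3) carrying NAT policy LocalNetworktoSP (Step 2).
RULES = [
    {"src": ip_network("192.168.1.0/24"), "dst": ip_network("192.168.2.0/24"),
     "snat": ip_address("172.16.25.1")},
]

def apply_rules(src, dst, rules):
    """Source address after the first matching rule (unchanged if none matches)."""
    for r in rules:
        if src in r["src"] and dst in r["dst"]:
            return r.get("snat", src)
    return src

def select_tunnel(src, dst, tunnels):
    """Name of the tunnel whose selectors cover the packet, or None."""
    for name, sel in tunnels.items():
        if src in sel["local"] and dst in sel["remote"]:
            return name
    return None

def forward(src, dst, rules=RULES, tunnels=TUNNELS):
    """Outcome for one outbound packet: (source address on the wire, tunnel or None).

    None means the packet never matches an IPSec selector: it is routed in the
    clear (or dropped), which is the failure mode seen when Step 2 is skipped."""
    src, dst = ip_address(src), ip_address(dst)
    translated = apply_rules(src, dst, rules)
    return str(translated), select_tunnel(translated, dst, tunnels)

if __name__ == "__main__":
    # With the NAT policy the LAN host reaches the SP through the tunnel.
    print(forward("192.168.1.10", "192.168.2.5"))           # ('172.16.25.1', 'CRtoSP')
    # Without the NAT policy the LAN address never matches the /32 local selector.
    print(forward("192.168.1.10", "192.168.2.5", rules=[]))  # ('192.168.1.10', None)
```

The model also shows why the local subnet must be the assigned address and not the LAN: a tunnel whose local selector were 192.168.1.0/24 would be rejected by the SP, which only knows the address it handed out.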

 

 

 

 


                                                                                                                                                                  Document Version: 1.0 – 20 March, 2015

1.6.2. Establish IPSec VPN connection between Cyberoam and Mikrotik router

Applicable Version: 10.00 onwards

Scenario

Establish an IPSec VPN connection between Cyberoam and a Mikrotik router using Preshared Key authentication.

Mikrotik Configuration

Administrator access is required to add or modify the Mikrotik configuration.

Step 1: Configure IPSec Proposal

Go to IP > IPSec > Proposal and click Add New to create an IPSec proposal for the VPN tunnel with the parameters below.

Parameter | Value
Enabled | Checked
Name | proposal1
Auth. Algorithms | sha1
Encr. Algorithms | 3des
Lifetime | 00:30:00
PFS Group | modp1024

Note: 3DES and modp1024 (DH group 2) are used here for interoperability with the Cyberoam policy; both are weak by current standards. Use AES and DH group 14 or higher when both peers support them.

 
                                                                                                                                                                                


Click Apply and then OK to create the IPSec Proposal.

Step 2: Configure Peer

Navigate to IP > IPSec > Peer and click Add New to configure the peer (the remote device, here Cyberoam) with the parameters below.

Parameter | Value
Enabled | Checked
Address | 1.1.1.1
Port | 500 (the default IKE port)
Auth. Method | pre shared key
Secret | cyberoam
Policy Group | default
Exchange Mode | main
Send Initial Contact | Checked
Proposal Check | obey
Hash Algorithm | sha1
Encryption Algorithm | 3des
DH Group | modp1024
Generate Policy | no
Lifetime | 04:00:00
DPD Interval | disable DPD
DPD Maximum Failures | 5

The Secret is case-sensitive and must be entered identically as the Preshared Key on the Cyberoam side.
 



Step 3: Configure IPSec Policy

Navigate to IP > IPSec > Policy and click Add New to create an IPSec policy with the parameters below.

Parameter | Value
Enabled | Checked
Src. Address | 172.16.1.0/24
Dst. Address | 192.168.110.0/24
Protocol | 255 (all)
Action | encrypt
Level | require
IPSec Protocols | esp
Tunnel | Checked
SA Src. Address | 2.2.2.2
SA Dst. Address | 1.1.1.1
Proposal | proposal1
Priority | 0

 



Step 4: Configure NAT policy

Navigate to Firewall > NAT and click Add New to create a NAT rule with the following parameters. Its purpose is to exempt the VPN traffic from the router's source NAT (masquerade), so place it above any masquerade rule in the srcnat chain; otherwise packets reach the IPSec policy with a translated source address and never match it.

Parameter | Value
Source Address | 172.16.1.0/24 (Mikrotik's LAN network)
Destination Address | 192.168.110.0/24 (Cyberoam's LAN network)
Action | accept

Click Apply and OK to save. The following screen will be displayed.

Cyberoam Configuration

You must be logged on to the Web Admin Console as an administrator with Read-Write permission for relevant feature(s).

To configure IPSec Connection in Cyberoam, follow the steps given below.

Step 1: Configure IPSec Connection

Go to VPN > IPSec > Connection and click Add to create a new connection with the parameters given below.

Parameter | Value | Description
Name | IPSec_CR_Mikrotik | Name to identify the IPSec Connection.
Connection Type | Site to Site | Select the type of connection. Available options: Remote Access, Site to Site, Host to Host.
Policy | DefaultBranchOffice | Select the policy to be used for the connection. Its Phase 1 and Phase 2 settings must match the Mikrotik peer and proposal (3DES, SHA1, modp1024 / DH group 2).
Action on VPN Restart | Initiate | Select the action for the connection. Available options: Respond Only, Initiate, Disable.
Authentication details
Authentication Type | Preshared Key | Select the Authentication Type. Authentication of the peer depends on the connection type.
Preshared Key | cyberoam | Specify the Preshared Key. It is case-sensitive and must be exactly the Secret configured on the Mikrotik peer.
Endpoints Details
Local | PortB - 1.1.1.1 | Select the local port that acts as the endpoint of the tunnel.
Remote | 2.2.2.2 | Specify the WAN IP address of the Mikrotik router.
Local Network Details
Local Subnet | 192.168.110.0/24 | Select the local LAN address. This must be the network configured as Dst. Address in the Mikrotik IPSec policy.
Remote Network Details
Remote LAN Network | 172.16.1.0/24 | Specify the LAN network behind the Mikrotik router (the Src. Address of the Mikrotik IPSec policy).

 

 

Click OK to create the connection.

Step 2: Activate IPSec Connection

Go to VPN > IPSec > Connection and click the icons under the Active and Connection heads against the IPSec_CR_Mikrotik connection created in Step 1.

 

The status icon under Active indicates that the connection is successfully activated.

The status icon under Connection indicates that the connection is successfully established.

                                                                                               

                                                                Document Version 1.0 – 03 November, 2014

1.6.3. Establish Site-to-Site IPSec Connection between Cyberoam and Cisco Router (through Command Line) using Preshared key

Applicable Version: 10.00 onwards

Scenario

Set up a Site-to-Site IPSec VPN connection between Cyberoam and a Cisco Router, using a Preshared Key to authenticate the VPN peers. Throughout the article we use the network parameters shown in the diagram below.
 
 

This article has two sections: 

-  Cisco Configuration
-  Cyberoam Configuration

Cisco Configuration

Configure Cisco Router by following the steps given below.

Step 1: Logon to the CLI of Cisco Router with Enable privilege

Cisco> en
Password: ******
Cisco# conf t
 

Step 2: Configuring IKE Parameters

crypto isakmp policy 10
 encryption 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key 12abcde34 address 202.134.168.202

The key is bound to the address of the IKE peer, which is Cyberoam's WAN endpoint (202.134.168.202, the same address given to set peer below); a key bound to any other address is never used for this tunnel. 3DES, MD5 and DH group 2 are weak by current standards; use AES, SHA-2 and DH group 14 or higher when the Cyberoam policy can be set to match.

 
You can verify the IKE Parameters you configured by executing the following command:

show crypto isakmp policy
 

Step 3: Define Access-list to allow IPSec tunnel traffic

access-list 100 permit ip 172.50.50.0 0.0.0.255 172.16.16.0 0.0.0.255
 

Step 4: Configuring IPSec Parameters

crypto ipsec transform-set dlhtransform esp-3des esp-md5-hmac
crypto map dhhmap 10 ipsec-isakmp
 match address 100
 set peer 202.134.168.202
 set transform-set dlhtransform
 set pfs group2
 set security-association lifetime seconds 86400


Note

This crypto map remains inactive until both a peer and a valid access-list have been configured. 


You can view the crypto map by executing the following command: 

show crypto map
 
 

Step 5: Apply cryptomap on WAN interface

Cisco(config)# interface fastethernet 0/1
Cisco(config-if)# crypto map dhhmap
 

Once the configuration is done, the following message is displayed 

%crypto-6-ISAKMP_ON_OFF: ISAKMP is ON
 

You can check the IPSec negotiation by executing the following commands: 

debug crypto isakmp 

debug crypto ipsec
 

Cyberoam Configuration

After configuring the VPN connection on the Cisco Router, configure the IPSec connection in Cyberoam by following the steps given below. Log on to the Cyberoam Web Admin Console as an administrator having read-write permission for the relevant features.

Step 1: Configure IPSec Connection

Go to VPN > IPSec > Connection and click Add to create a new connection using parameters given below.
 

Parameter | Value | Description
Name | CR_to_Cisco | Name to identify the IPSec Connection.
Connection Type | Site to Site | Select the type of connection. Available options: Remote Access, Site to Site, Host to Host.
Policy | DefaultBranchOffice | Select the policy to be used for the connection. Its Phase 1 and Phase 2 parameters must match the Cisco ISAKMP policy and transform set (3DES, MD5, DH group 2, PFS group 2).
Action on VPN Restart | Initiate | Select the action for the connection. Available options: Respond Only, Initiate, Disable.
Authentication details
Authentication Type | Preshared Key | Select the Authentication Type. Authentication of the peer depends on the connection type.
Preshared Key | <same as configured on the Cisco Router> | The preshared key must be identical to the key given in the crypto isakmp key command on the Cisco Router.
Endpoints Details
Local | PortB - 202.134.168.202 | Select the local port that acts as the endpoint of the tunnel. This is the address the Cisco crypto map peers with.
Remote | 202.134.168.208 | Specify the IP address of the Cisco Router's WAN interface.
Local Network Details
Local Subnet | 172.16.16.0/24 | Select the local LAN address. It must be the destination network of access-list 100 on the Cisco Router.
Remote Network Details
Remote LAN Network | 172.50.50.0/24 | Specify the network behind the Cisco Router (the source network of access-list 100).

 
 

Click OK to create the connection. 

Step 2: Activate IPSec Connection

Go to VPN > IPSec > Connection and click the icons under the Active and Connection heads against the CR_to_Cisco connection created in Step 1.
 

   The status icon under Active indicates that the connection is successfully activated.

   The status icon under Connection indicates that the connection is successfully established.
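Most failures in a pairing like this are mirror-image mistakes: the ISAKMP key bound to the wrong address, a crypto map peer that is not the far end's local endpoint, or an access-list whose networks are not the exact reverse of the far end's local and remote subnets. The script below is an added example, not part of the article or of any Cisco or Cyberoam tool: it parses the IOS commands from the Cisco section into a structure and checks them against the Cyberoam parameters from the table. CISCO_CONFIG and CYBEROAM copy the values used in this article; the variations tried at the end are constructed.

```python
"""Mirror-check a Cisco IOS crypto configuration against the Cyberoam connection.

Added example, not part of the article or of any vendor tool. CISCO_CONFIG and
CYBEROAM reproduce the values used in the article.
"""
import re
from ipaddress import ip_network

CISCO_CONFIG = """
crypto isakmp policy 10
 encryption 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key 12abcde34 address 202.134.168.202
access-list 100 permit ip 172.50.50.0 0.0.0.255 172.16.16.0 0.0.0.255
crypto ipsec transform-set dlhtransform esp-3des esp-md5-hmac
crypto map dhhmap 10 ipsec-isakmp
 match address 100
 set peer 202.134.168.202
 set transform-set dlhtransform
 set pfs group2
 set security-association lifetime seconds 86400
"""

CYBEROAM = {
    "local_endpoint": "202.134.168.202",   # PortB
    "remote_endpoint": "202.134.168.208",  # Cisco WAN
    "local_subnet": "172.16.16.0/24",
    "remote_subnet": "172.50.50.0/24",
}

def wildcard_to_network(addr, wildcard):
    """IOS wildcard masks are inverted netmasks: 0.0.0.255 -> /24."""
    mask_bits = "".join(format(255 - int(o), "08b") for o in wildcard.split("."))
    return ip_network("%s/%d" % (addr, mask_bits.count("1")), strict=False)

def parse_cisco(text):
    """Extract the pieces of the IOS config that must agree with the far end."""
    cfg = {"acl": {}, "isakmp_keys": {}, "crypto_maps": {}}
    current_map = None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)", line)
        if m:
            cfg["acl"].setdefault(m.group(1), []).append(
                (wildcard_to_network(m.group(2), m.group(3)),
                 wildcard_to_network(m.group(4), m.group(5))))
            continue
        m = re.match(r"crypto isakmp key (\S+) address (\S+)", line)
        if m:
            cfg["isakmp_keys"][m.group(2)] = m.group(1)   # key is bound to a peer address
            continue
        m = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line)
        if m:
            current_map = cfg["crypto_maps"].setdefault(m.group(1), {})
            continue
        if current_map is not None:
            m = re.match(r"(match address|set peer|set pfs|set transform-set) (\S+)", line)
            if m:
                current_map[m.group(1)] = m.group(2)
    return cfg

def mirror_check(cisco_text, cyberoam):
    """List of mismatches between the two ends; empty means they mirror each other."""
    cfg = parse_cisco(cisco_text)
    problems = []
    for name, cm in cfg["crypto_maps"].items():
        peer = cm.get("set peer")
        if peer != cyberoam["local_endpoint"]:
            problems.append("crypto map %s peers with %s, Cyberoam listens on %s"
                            % (name, peer, cyberoam["local_endpoint"]))
        if peer not in cfg["isakmp_keys"]:
            problems.append("no 'crypto isakmp key ... address %s' for the peer" % peer)
        for cisco_local, cisco_remote in cfg["acl"].get(cm.get("match address"), []):
            # The Cisco ACL is source=Cisco LAN, destination=Cyberoam LAN, so it must be
            # the exact reverse of Cyberoam's local/remote subnets.
            if (cisco_local != ip_network(cyberoam["remote_subnet"])
                    or cisco_remote != ip_network(cyberoam["local_subnet"])):
                problems.append("ACL %s -> %s is not the mirror of Cyberoam %s -> %s"
                                % (cisco_local, cisco_remote,
                                   cyberoam["local_subnet"], cyberoam["remote_subnet"]))
    return problems

if __name__ == "__main__":
    print(mirror_check(CISCO_CONFIG, CYBEROAM) or "both ends mirror each other")
    # Constructed variation: the key bound to an unrelated address is never used.
    print(mirror_check(CISCO_CONFIG.replace("address 202.134.168.202",
                                            "address 223.255.246.212"), CYBEROAM))
```

The checks are deliberately limited to what the page states for both ends; the Phase 1 and Phase 2 algorithms of the DefaultBranchOffice policy are not on the page, so they are not compared here.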

 

 

 

 

 

 

 

 

 

                                                                                                                                                                      Document Version: 1.0 – 5 August, 2014

1.6.4. Establish IPSec VPN connection between Cyberoam and Cradle Point router
Applicable Version: 10.00 onwards
 
Scenario                                                                 
Establish IPSec VPN connection between Cyberoam and Cradle Point router using Preshared Key authentication.
 
 
 
Cradle Point Configuration

Administrator privileges for Cradle Point Administration Page are required to add or modify configuration.

Create IPSec VPN Policy

Navigate to Tools > IPSec VPN > Add IPSEC Policy and specify the parameters shown in the table below. Click Advanced for the advanced settings. 

Parameter | Value
Policy Name | cyberoam
Remote Gateway | 1.1.1.1
Remote Network | 10.10.1.0
Remote Subnet | 255.255.255.0
Local Network | 10.1.1.0
Local Subnet Mask | 255.255.255.0
Hash Algorithm | SHA-1
Cipher Algorithm | AES 128
DH Group | Group 2
Phase 1 Key Lifetime | 28800
Phase 2 Key Lifetime | 3600
Preshared Key | cyberoam
Aggressive Mode | Enabled
Perfect Forward Secrecy (PFS) | Enabled
Dead Peer Detection | Disabled

 

Click Save Policy and then Save Settings to create the IPSec Policy.
 
 
Cyberoam Configuration

You must be logged on to the Web Admin Console as an administrator with Read-Write permission for relevant feature(s).

To configure IPSec Connection in Cyberoam, follow the steps given below.
 
Step 1: Create VPN Policy

Go to VPN > Policy > Policy and click Add to add a new policy with the parameters shown in the table below.

Parameter | Value | Description
Name | Policy_Cradle_Point | Specify a name to identify the VPN Policy.
Keying Method | Automatic | Defines how the keys for the connection are managed. Available options: Automatic, Manual.
Allow Re-Keying | Enabled | Enable to start the negotiation automatically before key expiry.
Key Negotiation Tries | 3 | Maximum number of key negotiation attempts. Set 0 for unlimited attempts.
Authentication Mode | Aggressive Mode | Mode used for exchanging authentication information. Available options: Main Mode, Aggressive Mode. Aggressive Mode is selected here to match the Cradle Point policy; prefer Main Mode when both peers have static IP addresses, because Aggressive Mode sends the identity and a hash derived from the preshared key unencrypted, which allows offline dictionary attacks on the key.
Pass Data in Compressed Format | Enabled | Enable to compress data to increase throughput.
Perfect Forward Secrecy (PFS) | Enabled | Enable to derive a fresh key for every Phase 2 negotiation; disable to reuse keying material from Phase 1.
Phase 1
Encryption Algorithm | AES 128 | Encryption algorithm used to protect the confidentiality of the Phase 1 exchange.
Authentication Algorithm | SHA1 | Hash algorithm used for the integrity of the Phase 1 exchange.
DH Group (Key Group) | 2 (DH1024) | Select one Diffie-Hellman group from 1, 2, 5, 14, 15 or 16. The group determines the size of the modulus used for the key exchange (1024 bits for group 2). Group 2 is used here to match the Cradle Point policy; groups 14 and above are preferred when both peers support them.
Key Life | 28800 | Key lifetime in seconds, after which the key expires.
Re-Key Margin | 120 | Time in seconds before key expiry at which negotiation of a new key starts automatically, without interrupting communication.
Randomize Re-Keying Margin By | 0 | Randomization applied to the re-keying time.
Dead Peer Detection | Disabled | Enable to check at regular intervals whether the peer is alive.
Check Peer After every | 30 | Interval in seconds after which the peer is checked. Once the connection is established, the peer that initiated it checks whether the other peer is alive.
Wait For Response Upto | 120 | Time in seconds the initiating peer waits for the status response. If no response arrives within this time, the peer is considered inactive.
Action When Peer Unreachable | Re-initiate | Action taken if the peer is not alive. Available options: Hold (holds the connection), Disconnect (closes the connection), Re-initiate (re-establishes the connection).
Phase 2
Encryption Algorithm | AES 128 | Encryption algorithm used to protect the confidentiality of the data exchanged in Phase 2.
Authentication Algorithm | SHA1 | Hash algorithm used for the integrity of the data exchanged in Phase 2.
PFS Group (DH Group) | Same as Phase-1 | Select one Diffie-Hellman group from 1, 2, 5, 14, 15 or 16, or reuse the Phase 1 group.
Key Life | 3600 | Key lifetime in seconds, after which the key expires.

 


 

Click OK to save policy.
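Both the Cradle Point pairing above and the Mikrotik pairing in section 1.6.2 depend on reading the same parameter in three different vendor spellings (Group 2, modp1024 and 2(DH1024) for the DH group; 28800 versus 04:00:00 for a lifetime) and on a preshared key that is compared byte for byte. The script below is an added example, not part of either article or of any vendor tool: it normalizes Phase 1 proposals, reports where two ends disagree, and flags algorithms that are weak by current standards. The proposal values are taken from the two articles; the mismatched copy used in the demonstration is constructed.

```python
"""Normalize IPSec proposal parameters across vendor spellings and rate them.

Added example, not part of the articles or of any vendor tool. Proposal values
are taken from sections 1.6.2 and 1.6.4; the mismatched copy is constructed.
"""
import re

WEAK_ENC = {"des", "3des"}
WEAK_HASH = {"md5"}
WEAK_DH = {1, 2, 5}   # modp768/1024/1536; prefer group 14 (2048-bit) or higher

def dh_group(value):
    """'modp1024', 'Group 2', '2(DH1024)', 'group2' or 2 -> 2."""
    s = str(value).lower()
    by_modulus = {"768": 1, "1024": 2, "1536": 5, "2048": 14, "3072": 15, "4096": 16}
    m = re.search(r"modp(\d+)|dh(\d+)", s)
    if m and (m.group(1) or m.group(2)) in by_modulus:
        return by_modulus[m.group(1) or m.group(2)]
    m = re.search(r"\d+", s)
    return int(m.group(0)) if m else None

def lifetime_seconds(value):
    """'04:00:00' -> 14400; '28800' or 28800 -> 28800."""
    s = str(value)
    if ":" in s:
        hours, minutes, seconds = (int(x) for x in s.split(":"))
        return hours * 3600 + minutes * 60 + seconds
    return int(s)

def normalize(p):
    """Canonical form of one end's Phase 1 (or Phase 2) proposal."""
    return {
        "enc": p["enc"].lower().replace(" ", "").replace("-", ""),   # 'AES 128' -> 'aes128'
        "hash": p["hash"].lower().replace("-", ""),                  # 'SHA-1' -> 'sha1'
        "dh": dh_group(p["dh"]),
        "lifetime": lifetime_seconds(p["lifetime"]),
    }

def weaknesses(p):
    """Names of the weak settings in a proposal (empty list if none)."""
    n = normalize(p)
    out = []
    if n["enc"] in WEAK_ENC:
        out.append("encryption " + n["enc"])
    if n["hash"] in WEAK_HASH:
        out.append("hash " + n["hash"])
    if n["dh"] in WEAK_DH:
        out.append("dh group %d" % n["dh"])
    return out

def compare_ends(a, b):
    """Fields on which two ends disagree after normalization (empty = they match)."""
    na, nb = normalize(a), normalize(b)
    diffs = [k for k in na if na[k] != nb[k]]
    # Preshared keys are never normalized: 'cyberoam' and 'Cyberoam' are different keys.
    if a.get("psk") != b.get("psk"):
        diffs.append("psk")
    return diffs

# Phase 1 as written in the Cradle Point and Cyberoam tables of section 1.6.4.
CRADLEPOINT_P1 = {"enc": "AES 128", "hash": "SHA-1", "dh": "Group 2",
                  "lifetime": 28800, "psk": "cyberoam"}
CYBEROAM_P1 = {"enc": "AES 128", "hash": "SHA1", "dh": "2(DH1024)",
               "lifetime": "28800", "psk": "cyberoam"}
# Phase 1 as written in the Mikrotik peer table of section 1.6.2.
MIKROTIK_P1 = {"enc": "3des", "hash": "sha1", "dh": "modp1024",
               "lifetime": "04:00:00", "psk": "cyberoam"}

if __name__ == "__main__":
    print("Cradle Point vs Cyberoam:", compare_ends(CRADLEPOINT_P1, CYBEROAM_P1) or "match")
    print("Mikrotik weaknesses:", weaknesses(MIKROTIK_P1))
    # Constructed: the same peer with the key typed in a different case.
    print("PSK case mismatch:", compare_ends(MIKROTIK_P1, dict(MIKROTIK_P1, psk="Cyberoam")))
```

The lifetime comparison is there because a Phase 1 lifetime that differs between ends is usually tolerated (the shorter one wins) but a Phase 2 lifetime mismatch is not on every implementation, so it is worth seeing the two values side by side in seconds before blaming the key.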

Step 2: Configure IPSec Connection

Go to VPN > IPSec > Connection and click Add to create a new connection with the parameters given below.