1. VPN
1.1. Assign Static IP Address to L2TP/PPTP User

Applicable Version: 10.04.2 Build 527 onwards

Scenario

Assign a static IP address to a user connecting over L2TP or PPTP VPN. Here, a static IP address is assigned to an L2TP user; a PPTP user is configured in the same way.

Configuration

The entire configuration is done from the Cyberoam Web Admin Console using a profile with read-write administrative rights for the relevant feature(s).


Go to Identity > Users > Users and select the user to which the static IP address is to be assigned. Enable L2TP and enter the IP address to be assigned, as shown below.

Document Version: 1.0 - 06/11/2013

1.2. IPSec VPN
1.2.1. Establish Site-to-Site IPSec Connection using Digital Certificates

Applicable Version: 10.00 onwards

Overview

A digital certificate is an electronic "passport" that allows a person, computer or organization to exchange information securely over the Internet using the public key infrastructure (PKI). A digital certificate may also be referred to as a public key certificate. 

Just like a passport, a digital certificate provides identifying information, is forgery resistant and can be verified because it was issued by an official, trusted agency. The certificate contains the name of the certificate holder, a serial number, expiration dates, a copy of the certificate holder's public key (used for encrypting messages and digital signatures) and the digital signature of the certificate-issuing authority (CA) so that a recipient can verify that the certificate is real.

Scenario

Exchange the Certificate Authority (CA) and digital certificates between a Head Office (HO) and a Branch Office (BO), then configure and establish an IPSec connection between them. This article uses the following parameters to create the VPN connection.

Network Parameters

HO Network details

WAN IP address – 10.206.1.173

LAN IP address – 172.17.17.17

BO Network details

WAN IP address – 10.206.1.213

LAN IP address – 172.16.16.16


Configuration

You must be logged on to the Web Admin Console of both the HO and BO Cyberoam as an administrator with read-write permission for the relevant feature(s).

Step 1: Upload HO Cyberoam’s Default CA to BO Cyberoam

Head Office

Go to System > Certificate > Certificate Authority and select Default CA. Specify the details of the CA, as shown below.

Once the CA is generated, download it to your local computer by clicking the Download icon against it.
 
 

A file named local_certificate_authority.tar.gz is downloaded. Store and uncompress the file. It contains the CA root certificate in two formats:

-   Default.pem (PEM File)
-   Default.der (Security Certificate) 

Branch Office

Upload the CA certificate (downloaded from the HO) to the BO Cyberoam. To upload the CA, go to System > Certificate > Certificate Authority and click Add. Upload the CA root certificate in either PEM or DER format.

Click OK to save the HO Default CA in the BO Cyberoam.

Step 2: Upload BO Cyberoam’s Default CA to HO Cyberoam

Configure and download the Default CA on the BO Cyberoam and upload it to the HO Cyberoam, following the same steps as in Step 1.

Step 3: Upload HO Cyberoam’s Digital Certificate to BO Cyberoam

Head Office

Create a self-signed certificate on the HO Cyberoam. Go to System > Certificate > Certificate and click Add to create a new certificate. Select Generate Self Signed Certificate and specify the details as shown below.

Click OK to save the certificate.

Once the certificate is generated, download it to your local computer by clicking the Download icon against it.

A file named HO_Certificate.tar.gz is downloaded. Store and uncompress the file. It contains the following certificate files:

-   UserPrivateKey.key (KEY File)
-   UserCertificate.pem (PEM File)
-   RootCertificate (PEM File)
-   Password.txt (Passphrase if Key Encryption is enabled)
-   HO_Certificate.p12 (Personal Information Exchange) 

Branch Office

Upload the certificate (downloaded from the HO Cyberoam) to the BO Cyberoam. To upload the certificate, go to System > Certificate > Certificate and click Add. Select UserCertificate.pem as the Certificate, UserPrivateKey.key (the key file from the downloaded archive) as the Private Key, and specify the passphrase.

Click OK to save the certificate.

Step 4: Upload BO Cyberoam’s Digital Certificate to HO Cyberoam

Configure and download the self-signed certificate on the BO Cyberoam and upload it to the HO Cyberoam, following the same steps as in Step 3.

Step 5: Configure IPsec Connection

Head office

Implement the following steps on the HO Cyberoam.

1. To create a new IPSec connection, go to VPN > IPSec > Connection and click Add. Create the connection using the following parameters.

Parameter | Value | Description
Name | HO_to_BO_IPSec | Name to identify the IPSec connection
Connection Type | Site to Site | Select the type of connection. Available options: Remote Access, Site to Site, Host to Host
Policy | DefaultHeadOffice | Select the policy to be used for the connection
Action on VPN Restart | Respond Only | Select the action for the connection. Available options: Respond Only, Initiate, Disable
Authentication details
Authentication Type | Digital Certificate | Select the authentication type. Authentication of the user depends on the connection type.
Local Certificate | HOCertificate | Select the local certificate to be used for authentication by the appliance.
Remote Certificate | BOCertificate | Select the remote certificate to be used for authentication by the remote peer.
Endpoints Details
Local | PortB-10.206.1.173 | Select the local port which acts as the endpoint of the tunnel
Remote | 10.206.1.213 | Specify the IP address of the remote endpoint.
Local Network Details
Local Subnet | 172.17.17.0/24 | Select the local LAN address. Add and remove LAN addresses using the Add and Remove buttons
Remote Network Details
Remote LAN Network | 172.16.16.0/24 | Select the remote LAN address. Add and remove LAN addresses using the Add and Remove buttons

2. Click OK to create the IPSec connection. On clicking OK, the following screen is displayed showing the connection created above.

3. Click the icon under Status (Active) to activate the connection.

Branch Office

Implement the following steps on the BO Cyberoam.

1. To create a new IPSec connection, go to VPN > IPSec > Connection and click Add. Create the connection using the following parameters.

Parameter | Value | Description
Name | BO_to_HO_IPSec | Name to identify the IPSec connection
Connection Type | Site to Site | Select the type of connection. Available options: Remote Access, Site to Site, Host to Host
Policy | DefaultBranchOffice | Select the policy to be used for the connection
Action on VPN Restart | Initiate | Select the action for the connection. Available options: Respond Only, Initiate, Disable
Authentication details
Authentication Type | Digital Certificate | Select the authentication type. Authentication of the user depends on the connection type.
Local Certificate | BOCertificate | Select the local certificate to be used for authentication by the appliance.
Remote Certificate | HOCertificate | Select the remote certificate to be used for authentication by the remote peer.
Endpoints Details
Local | PortB-10.206.1.213 | Select the local port which acts as the endpoint of the tunnel
Remote | 10.206.1.173 | Specify the IP address of the remote endpoint.
Local Network Details
Local Subnet | 172.16.16.0/24 | Select the local LAN address. Add and remove LAN addresses using the Add and Remove buttons
Remote Network Details
Remote LAN Network | 172.17.17.0/24 | Select the remote LAN address. Add and remove LAN addresses using the Add and Remove buttons

2. Click OK to create the IPSec connection. On clicking OK, the following screen is displayed showing the connection created above.

3. Click the icons under Status (Active) and Status (Connection) to activate and establish the connection.

The above configuration establishes an IPSec connection between the two sites.

Document Version: 1.0 – 11 July, 2014

1.2.2. Establish Site-to-Site VPN Connection using RSA Keys

Applicable Version: 10.00 onwards

Overview

IPSec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite. It is used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host). 

Cyberoam’s IPSec VPN offers cost-effective site-to-site remote connectivity, eliminating the need for expensive private remote access networks such as leased lines, Asynchronous Transfer Mode (ATM) and Frame Relay. The mechanisms available to authenticate VPN peers are Preshared Key, Digital Certificate and RSA Keys.

This article describes a detailed configuration example that demonstrates how to set up a site-to-site IPSec VPN connection between the two networks using RSA Keys to authenticate VPN peers.

Scenario

Configure a site-to-site IPSec VPN connection between Site A and Site B by following the steps given below. This article uses the following parameters to create the VPN connection.

Network Parameters

Site A Network details

Local Server (WAN IP address) – 14.15.16.17

Local LAN address – 10.5.6.0/24

Local ID – john@cyberoam.com

Local RSA Key –

0sAQN/f/ADiKpDLUfnf2AzCbPEg+d3s33AioRGihWQyT2/xVYOPxHvXLwnVR6O9cGJVncYiwm
NgjKIzOBmU0M8xbfBQnBn/mPPc4FuWr8uoUII7WimZTzF70ecBqIRe0GJx1iWU62YzEmI4+e
dU2pYjhsgMvCXi+RdmD3I9xIjw5G1GKiEg7QAvhR36E03l4xWwCGw4xjWdgP1Y8N1sCZI8Lz
n6o1ujbjniNOyhF/1NvKqAP8DMOyU6kIbYFPSC+mZSNrfhJEqTXlsxhYhSxoR+1yheEhr3tOqlD
ECQdvPYx/J3j5jqtyShO6u45u3nX7pMe0+y+69e62rFZ6c8FRELME9

Site B Network details

Remote VPN server (WAN IP address) – 22.23.24.25

Remote LAN Network – 172.23.9.0/24

Remote ID – dean@cyberoam.com

Remote RSA Key –

0sAQNr9SGiXrkaYfnZDK+AfBcIADiI+R7/wJjMcA+1q7E815lOxmaO5KZhOUtNaDuYNaALaOCM
7EQ8Fy7ocC9b1X+eEUbd4IteRuvuX/O9r9pb9NXktYwv+6r2CXDHm481+LKDhXYRCNHkpb0
NReS3fW/ygaEp8n3EgjDNm9+YrZE8rPzFc+3aeSkr0iX6EcjOokGusrn2qWAJk28KeV5WLfIHn
kbYYw83Dc85ijpWXvGwF0fWXSVnTSpCN6oR2J26CbnP41FKEeZn0lOP9YMkINFCiODf1qIEk4
utoTUrzJyOnBP0hVQ6ZEA1Z4qmTrJRcooyv2IKG90qNCkOPwW5eyG1

 

 

Site A Configuration

The configuration is done from Site A’s Cyberoam Web Admin Console using a profile with read-write administrative rights for the relevant feature(s).

Step 1: Create IPSec Connection 

To create a new IPSec connection, go to VPN > IPSec > Connection and click Add. Create the connection using the following parameters.

Parameter Description

Parameter | Value | Description
Name | SiteA_to_SiteB | Name to identify the IPSec connection
Connection Type | Site to Site | Select the type of connection. Available options: Remote Access, Site to Site, Host to Host
Policy | DefaultHeadOffice | Select the policy to be used for the connection
Action on VPN Restart | Respond Only | Select the action for the connection. Available options: Respond Only, Initiate, Disable
Authentication details
Authentication Type | RSA Key | Select the authentication type. Authentication of the user depends on the connection type.
Local RSA Key | <Site A Cyberoam RSA Key> | Enter the local RSA key.
Remote RSA Key | <Site B Cyberoam RSA Key> | Enter the remote RSA key.
Endpoints Details
Local | PortB-14.15.16.17 | Select the local port which acts as the endpoint of the tunnel
Remote | 22.23.24.25 | Specify the IP address of the remote endpoint.
Local Network Details
Local Subnet | 10.5.6.0/24 | Select the local LAN address. Add and remove LAN addresses using the Add and Remove buttons
Remote Network Details
Remote LAN Network | 172.23.9.0/24 | Select the remote LAN address. Add and remove LAN addresses using the Add and Remove buttons

Click OK to create the IPSec connection.

Step 2: Activate Connection

On clicking OK, the following screen is displayed showing the connection created above.

Click the icon under Status (Active) to activate the connection.

Site B Configuration

The configuration is done from Site B’s Cyberoam Web Admin Console using a profile with read-write administrative rights for the relevant feature(s).

Step 1: Create IPSec Connection

To create a new IPSec connection, go to VPN > IPSec > Connection and click Add. Create the connection using the following parameters.

Parameter Description

Parameter | Value | Description
Name | SiteB_to_SiteA | Name to identify the IPSec connection
Connection Type | Site to Site | Select the type of connection. Available options: Remote Access, Site to Site, Host to Host
Policy | DefaultBranchOffice | Select the policy to be used for the connection
Action on VPN Restart | Initiate | Select the action for the connection. Available options: Respond Only, Initiate, Disable
Authentication details
Authentication Type | RSA Key | Select the authentication type. Authentication of the user depends on the connection type.
Local RSA Key | <Site B Cyberoam RSA Key> | Enter the local RSA key.
Remote RSA Key | <Site A Cyberoam RSA Key> | Enter the remote RSA key.
Endpoints Details
Local | PortB-22.23.24.25 | Select the local port which acts as the endpoint of the tunnel
Remote | 14.15.16.17 | Specify the IP address of the remote endpoint.
Local Network Details
Local Subnet | 172.23.9.0/24 | Select the local LAN address. Add and remove LAN addresses using the Add and Remove buttons
Remote Network Details
Remote LAN Network | 10.5.6.0/24 | Select the remote LAN address. Add and remove LAN addresses using the Add and Remove buttons

Step 2: Activate and Establish Connection

On clicking OK, the following screen is displayed showing the connection created above.

Click the icons under Status (Active) and Status (Connection).

The above configuration establishes an IPSec connection between the two sites.

Note:

-   Make sure that firewall rules allowing LAN to VPN and VPN to LAN traffic are configured.
-   In a Head Office and Branch Office setup, the Branch Office usually acts as the tunnel initiator and the Head Office as the responder, for the following reasons:
    -   Since Branch Offices and other remote sites have dynamic IPs, the Head Office is not able to initiate the connection.
    -   As there can be many Branch Offices, it is good practice for each Branch Office to retry its own connection rather than having the Head Office retry all branch office connections, which reduces the load on the Head Office.

Document Version: 1.0 – 28/10/2013

 

1.2.3. Why am I not able to establish IPSec Connection when remote VPN peer is configured with a private/non-routable IP Address?

Applicable Version: 10.00 onwards

If a remote IPSec VPN peer is configured with a private/non-routable IP address, i.e., a NATting device exists between the two VPN endpoints, the peer remains inaccessible. To establish a connection with this peer, enable NAT Traversal while configuring the IPSec connection.

To enable NAT Traversal for a configured VPN connection, select the required IPSec connection under VPN > IPSec > Connection and enable Allow NAT Traversal, as shown below.

Note:

By default, NAT Traversal is disabled for Site-to-Site IPSec connections.

Document Version: 1.1 - 28/10/2013


1.2.4. Apply NAT over Site-to-Site VPN connection

Applicable Version: 10.00 onwards

Scenario

Consider the following network, wherein both the Head Office (HO) LAN and the Branch Office (BO) LAN use the same internal IP schema.

Network Parameters

HO Network details

Local Server (WAN IP address) – 192.168.20.105

Local LAN address – 172.16.16.0/24

Local NATted Address – 172.16.15.0/24

BO Network details

VPN server (WAN IP address) – 192.168.20.191

LAN Network – 172.16.16.0/24

NATted Address – 172.16.17.0/24

As a result, the VPN endpoints cannot differentiate between their own network and the remote network. Any request initiated from the HO destined for the BO is served within the HO itself, and vice versa. For example, a host in the HO sends a request to host 172.16.16.10 in the BO, but it is answered by host 172.16.16.10 in the HO itself, because the endpoint cannot distinguish the HO LAN from the BO LAN.

As a solution, Cyberoam provides NATting over VPN, which lets Cyberoam assign a dummy LAN address range (the NATted LAN) to differentiate between the LANs at both ends. This article describes how to configure an IPSec connection using NATted LANs.

HO Configuration

The configuration is done from the HO Cyberoam Web Admin Console using a profile with read-write administrative rights for the relevant feature(s).

Step 1: Create IPSec Connection 

To create a new IPSec connection, go to VPN > IPSec > Connection and click Add. Create the connection using the following parameters.

Parameter Description

Parameter | Value | Description
Name | HO_to_BO | Name to identify the IPSec connection
Connection Type | Site to Site | Select the type of connection. Available options: Remote Access, Site to Site, Host to Host
Policy | DefaultHeadOffice | Select the policy to be used for the connection
Action on VPN Restart | Respond Only | Select the action for the connection. Available options: Respond Only, Initiate, Disable
Authentication details
Authentication Type | Preshared Key | Select the authentication type. Authentication of the user depends on the connection type.
Preshared Key | 123456789 | The preshared key should be the same as that configured at the remote site.
Endpoints Details
Local | PortB-192.168.20.105 | Select the local port which acts as the endpoint of the tunnel
Remote | 192.168.20.191 | Specify the IP address of the remote endpoint.
Local Network Details
Local Subnet | 172.16.15.0/24 | Select the local LAN address. Add and remove LAN addresses using the Add and Remove buttons
NATed LAN | 172.16.16.0/24 | If NAT Local LAN is configured, select an IP Host or Network Host from the available list. An IP Host can also be added by clicking the “Add IP Host” link.
Remote Network Details
Remote LAN Network | 172.16.17.0/24 | Select the remote LAN address. Add and remove LAN addresses using the Add and Remove buttons

Click OK to create the IPSec connection.

Step 2: Activate Connection

On clicking OK, the following screen is displayed showing the connection created above.

Click the icon under Status (Active) to activate the connection.

BO Configuration

The configuration is done from the BO Cyberoam Web Admin Console using a profile with read-write administrative rights for the relevant feature(s).

Step 1: Create IPSec Connection

To create a new IPSec connection, go to VPN > IPSec > Connection and click Add. Create the connection using the following parameters.

Parameter Description

Parameter | Value | Description
Name | BO_to_HO | Name to identify the IPSec connection
Connection Type | Site to Site | Select the type of connection. Available options: Remote Access, Site to Site, Host to Host
Policy | DefaultBranchOffice | Select the policy to be used for the connection
Action on VPN Restart | Initiate | Select the action for the connection. Available options: Respond Only, Initiate, Disable
Authentication details
Authentication Type | Preshared Key | Select the authentication type. Authentication of the user depends on the connection type.
Preshared Key | 123456789 | The preshared key should be the same as that configured at the remote site.
Endpoints Details
Local | PortB-192.168.20.191 | Select the local port which acts as the endpoint of the tunnel
Remote | 192.168.20.105 | Specify the IP address of the remote endpoint.
Local Network Details
Local Subnet | 172.16.17.0/24 | Select the local LAN address. Add and remove LAN addresses using the Add and Remove buttons
NATed LAN | 172.16.16.0/24 | If NAT Local LAN is configured, select an IP Host or Network Host from the available list. An IP Host can also be added by clicking the “Add IP Host” link.
Remote Network Details
Remote LAN Network | 172.16.15.0/24 | Select the remote LAN address. Add and remove LAN addresses using the Add and Remove buttons

Click OK to create the IPSec connection.

Step 2: Activate and Establish Connection

On clicking OK, the following screen is displayed showing the connection created above.

Click the icons under Status (Active) and Status (Connection).

The above configuration establishes an IPSec connection between the HO and BO.

Note:

-   Make sure that firewall rules allowing LAN to VPN and VPN to LAN traffic are configured.
-   In a Head Office and Branch Office setup, the Branch Office usually acts as the tunnel initiator and the Head Office as the responder, for the following reasons:
    -   Since Branch Offices and other remote sites have dynamic IPs, the Head Office is not able to initiate the connection.
    -   As there can be many Branch Offices, it is good practice for each Branch Office to retry its own connection rather than having the Head Office retry all branch office connections, which reduces the load on the Head Office.
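The following is an added example, not part of this article or of Cyberoam's software, showing why the two NATted ranges above resolve the overlap: a one-to-one subnet translation keeps the host part of the address, so HO hosts reach BO hosts at 172.16.17.x and BO hosts reach HO hosts at 172.16.15.x, while the untranslated 172.16.16.x address is answered locally. The packet walk is a simplified model of the behaviour described; the exact rewrite points inside the appliance are an assumption.

```python
from ipaddress import IPv4Address, ip_address, ip_network

# Values from the article
REAL_LAN = ip_network("172.16.16.0/24")            # both sites use this range
NATTED = {
    "HO": ip_network("172.16.15.0/24"),            # HO Local NATted Address
    "BO": ip_network("172.16.17.0/24"),            # BO NATted Address
}


def translate(addr, src_net, dst_net):
    """One-to-one subnet NAT: keep the host bits, swap the network prefix."""
    addr, src_net, dst_net = ip_address(addr), ip_network(src_net), ip_network(dst_net)
    if addr not in src_net or src_net.prefixlen != dst_net.prefixlen:
        raise ValueError(f"{addr} not in {src_net}, or prefix lengths differ")
    host_bits = int(addr) - int(src_net.network_address)
    return IPv4Address(int(dst_net.network_address) + host_bits)


def route_request(site, src, dst):
    """Trace a request sent from `site` ('HO' or 'BO') by host `src` to `dst`.

    Without NAT over VPN a destination in the shared 172.16.16.0/24 range is
    answered locally (the failure the article describes). With it, a
    destination in the peer's NATted range is sent into the tunnel with the
    source rewritten into the sender's own NATted range, and the peer maps
    the destination back to its real LAN address. This is a simplified model
    (assumption), not the appliance's internal packet path.
    """
    src, dst = ip_address(src), ip_address(dst)
    peer = "BO" if site == "HO" else "HO"
    if dst in REAL_LAN:
        return {"delivered_at": site, "to": str(dst), "via_tunnel": False}
    if dst in NATTED[peer]:
        tunnel_src = translate(src, REAL_LAN, NATTED[site])
        real_dst = translate(dst, NATTED[peer], REAL_LAN)
        return {"delivered_at": peer, "to": str(real_dst), "via_tunnel": True,
                "seen_source": str(tunnel_src)}
    return {"delivered_at": None, "to": str(dst), "via_tunnel": False}


if __name__ == "__main__":
    # HO host 172.16.16.50 reaching the BO server through its NATted address
    print(route_request("HO", "172.16.16.50", "172.16.17.10"))
    # The same server addressed by its real address is answered inside the HO
    print(route_request("HO", "172.16.16.50", "172.16.16.10"))
```

The reply path is symmetric: the BO server sees the request from 172.16.15.50, answers to that address, and the HO maps it back to 172.16.16.50.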

 

 

Document Version: 1.3 – 11 July, 2014

1.2.5. How to regenerate RSA Key?

Applicable Version: 10.00 onwards

RSA Key Authentication is a mechanism whereby two keys – Local and Remote RSA – are used for encryption and decryption of traffic over a VPN connection. The sender encrypts the traffic using the Local RSA Key. The recipient can decrypt this data using only the corresponding Remote RSA Key. It is recommended to change the keys at regular intervals, as the longer the key life, the higher the risk of them being intercepted.

 

Cyberoam allows you to regenerate RSA keys when required. To regenerate the RSA key, follow the steps given below.

1. Log in to the Cyberoam CLI using Administrator credentials.

2. Choose Option 6. VPN Management.

3. Under the VPN Management menu, choose Option 1. Regenerate RSA Key.

The above steps regenerate the RSA key. Once regenerated, the corresponding Remote RSA Key configured at each remote location must also be updated.

 

 

 







Document Version: 1.0 – 09/09/2013

 

 

1.2.6. Route all BO Internet Traffic through HO ISP Gateway

Applicable Version: 10.00 onwards
 
Scenario
 
Route all Branch Office (BO) Internet traffic through Head Office (HO) ISP link via IPSec VPN tunnel.
 

Configuration

You can route all BO traffic through the HO by following the steps given below. The configuration is done from the Cyberoam Web Admin Console using the Administrator profile.

Step 1: Establish IPSec Connection between HO and BO

Configure an IPSec connection between HO and BO with the following parameters:

Head Office | Branch Office
Local Subnet: Any | Local Subnet: BO LAN
Remote Subnet: BO LAN | Remote Subnet: Any

Refer to the article How To - Establish Site-to-Site IPSec Connection using Preshared key for detailed configuration of the IPSec connection.

Step 2: Create VPN-WAN Firewall Rule

Create a VPN-WAN firewall rule to allow all traffic from the VPN tunnel to be routed through the WAN port to the HO ISP gateway. Create the rule by going to Firewall > Rule > Rule and clicking Add to add a new rule, as shown below.

Click OK to save the rule.





Document Version: 1.0 – 27/04/2013

1.2.7. Configure a Virtual Host over VPN

Applicable Version: 10.00 onwards

Scenario

Configure a Virtual Host over VPN such that an RDP server with a private IP address (172.16.16.10) at the Branch Office is bound to a Head Office public IP address (192.168.2.1). Users on the Internet can then access the BO RDP server using the HO’s public IP address.

Prerequisite

There should be Site-to-Site IPSec VPN connectivity between the Head Office and the Branch Office. For details on how to configure a Site-to-Site IPSec connection, refer to the following articles:

-   Establish Site-to-Site IPSec Connection using Preshared key
-   Establish Site-to-Site VPN Connection using RSA Keys

Configuration

You can configure a Virtual Host over VPN by following the steps given below on the HO Cyberoam. You must be logged on to the Web Admin Console as an administrator with read-write permission for the relevant feature(s).

Step 1: Create Virtual Host

On the HO Cyberoam, go to Firewall > Virtual Host > Virtual Host and click Add to create a virtual host with the following parameters.

Parameter Description

Parameter | Value | Description
Name | BO_RDP_Server | Name to identify the Virtual Host.
IP Family | IPv4 | Select the IP family for the Virtual Host
External IP | PortB – 192.168.2.1 | The IP address through which Internet users access the internal server/host.
Mapped IP | 172.16.16.10 | The IP address/IP range of the internal server/host.
Physical Zone | VPN | LAN, WAN, DMZ, VPN or custom zone of the mapped IP address(es). For example, if the mapped IP address represents an internal server, it is the zone in which the server physically resides.
Port Forwarding
Enable Port Forwarding | Enabled | Click to enable service port forwarding. If Port Forwarding is enabled, the following options are available.
Protocol | TCP | Select the protocol, TCP or UDP, that the forwarded packets should use.
External Port Type | Port | Specify whether the port mapping is a single port or a range of ports.
External Port | 3389 | Specify the public port number for which port forwarding is configured.
Mapped Port Type | Port | Specify whether the port mapping is a single port or a range of ports.
Mapped Port | 3389 | Specify the mapped port number on the destination network to which the public port number is mapped.

Click OK to create the Virtual Host.

After clicking OK, the Add Firewall Rules For Virtual Host pop-up window opens. Click Cancel to close the window. For configuring firewall rules, refer to Step 4.

Step 2: Add IPSec Route

Add an IPSec route to send all WAN traffic destined for the BO RDP Server into the IPSec tunnel. To add the IPSec route:

-   Log on to the CLI Console (Telnet or SSH)
-   Choose option 4 – Cyberoam Console and press Enter
-   Execute the command:

  console> Cyberoam ipsec_route add host 172.16.16.10 tunnelname HO_to_BO_IPSec

where ‘172.16.16.10’ is the BO RDP Server and ‘HO_to_BO_IPSec’ is the IPSec connection between the HO and BO.

Step 3: Configure NAT Policy

Traffic from the Internet destined for the RDP server carries public IP addresses as its source, and these addresses are not part of the IPSec tunnel. Hence, it is not forwarded over the tunnel.

As a solution, configure a NAT policy to NAT the incoming RDP-server-destined traffic to a BO LAN IP address. This ensures accessibility of the BO RDP Server. To create a NAT policy, go to Firewall > NAT Policy > NAT Policy and click Add to create a NAT policy using the following parameters.

Parameter Description

Parameter | Value | Description
Name | BO_RDP_Server | Name to identify the NAT Policy
IP Address | 10.10.10.25 | Specify the IP address for source NATting. It should be an unused IP address from the Head Office.

Step 4: Add Firewall Rule

Add a WAN-to-VPN firewall rule to allow RDP-server-destined traffic. To create the firewall rule, go to Firewall > Rule > Rule and click Add to create a new firewall rule using the following parameters.

Parameter Description

Parameter | Value | Description
Name | BO_RDP_Server_Allow | Specify a name to identify the firewall rule.
Zone | Source: WAN; Destination: VPN | Specify the source and destination zones to which the rule applies.
Network/Zone | Source: Any IP Address; Destination: BO_RDP_Server (Virtual Host created in Step 1) | Specify the source and destination host or network address to which the rule applies.
Schedule | All the time | Select the schedule for the rule
Action | Accept | Select the rule action
Apply NAT | BO_RDP_Server (NAT Policy created in Step 3) | Select the NAT policy to be applied
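An added example, not the article's or Cyberoam's code, that follows a client packet through Steps 1 to 4 and shows why Step 3 is needed: after the virtual host DNAT and the IPSec route, the packet still carries its Internet source address, which lies outside the tunnel's local selector; only once the NAT policy rewrites the source to 10.10.10.25 does the tunnel accept it. The tunnel selectors (10.10.10.0/24 local, 172.16.16.0/24 remote) and the client address 203.0.113.7 are assumptions not stated in the article.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Values from the article (Steps 1 to 3)
VHOST_EXTERNAL = (ip_address("192.168.2.1"), 3389)    # External IP / External Port
VHOST_MAPPED = (ip_address("172.16.16.10"), 3389)     # Mapped IP / Mapped Port
IPSEC_ROUTE_HOST = ip_address("172.16.16.10")         # ipsec_route add host ...
NAT_POLICY_IP = ip_address("10.10.10.25")             # NAT policy BO_RDP_Server
# Assumed selectors of HO_to_BO_IPSec; the article does not state them.
TUNNEL_LOCAL = ip_network("10.10.10.0/24")
TUNNEL_REMOTE = ip_network("172.16.16.0/24")


@dataclass(frozen=True)
class Packet:
    src: object        # IPv4Address
    sport: int
    dst: object        # IPv4Address
    dport: int


def apply_virtual_host(pkt):
    """Step 1: the virtual host DNATs the public IP:port to the mapped server."""
    if (pkt.dst, pkt.dport) == VHOST_EXTERNAL:
        return replace(pkt, dst=VHOST_MAPPED[0], dport=VHOST_MAPPED[1])
    return pkt


def apply_nat_policy(pkt, enabled):
    """Steps 3 and 4: 'Apply NAT' on the WAN-to-VPN rule source-NATs the packet."""
    return replace(pkt, src=NAT_POLICY_IP) if enabled else pkt


def tunnel_accepts(pkt):
    """An IPSec SA carries only traffic that matches both of its selectors."""
    return pkt.src in TUNNEL_LOCAL and pkt.dst in TUNNEL_REMOTE


def forward(pkt, apply_nat=True):
    """Return (outcome, packet as it would leave the HO).

    Outcomes: 'tunnel' (sent over HO_to_BO_IPSec), 'not_in_tunnel' (routed to
    the tunnel but rejected by its selectors), 'not_routed' (no IPSec route).
    """
    pkt = apply_virtual_host(pkt)
    if pkt.dst != IPSEC_ROUTE_HOST:          # Step 2: no IPSec route, normal routing
        return "not_routed", pkt
    pkt = apply_nat_policy(pkt, apply_nat)
    return ("tunnel" if tunnel_accepts(pkt) else "not_in_tunnel"), pkt


# Constructed client on the Internet (RFC 5737 documentation range)
INTERNET_CLIENT = Packet(ip_address("203.0.113.7"), 50000, VHOST_EXTERNAL[0], 3389)

if __name__ == "__main__":
    print(forward(INTERNET_CLIENT))
    print(forward(INTERNET_CLIENT, apply_nat=False))
```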

 
 
 




Document Version: 1.3 – 9 July, 2014

1.2.8. Configure IPSec VPN Connection with Multiple End Points

Applicable Version: 10.04.00 Build 214 onwards
 
Overview
 
Cyberoam facilitates VPN failover by allowing you to set multiple remote endpoints for a single IPSec connection. In other words, one IPSec connection can terminate on multiple remote servers/gateways, and failover can be configured across those endpoints. The multiple endpoints and the failover condition are configured on the same page as a standard IPSec connection. This article describes how to configure an IPSec VPN connection with multiple endpoints.
 

Scenario

The diagram below shows the schema of the Branch Office (BO) and Head Office (HO) network.
 
 
 
 
 
Connect the BO with the HO via an IPSec VPN connection with two endpoints, namely ISP1 (195.229.241.245) and ISP2 (213.42.25.20). Configure connection failover between these endpoints such that if one goes down, traffic is automatically diverted to the other active endpoint.
 

Configuration

You can configure an IPSec VPN connection with multiple endpoints by following the steps given below. The configuration is done from the Web Admin Console using the Administrator profile.

Step 1: Create IPSec Connection on BO

Go to VPN > IPSec > Connection and click Add to create an IPSec connection using the parameters given below.
 
 
 
 

Parameter Description

Parameter | Value | Description
General Settings
Name | BO_to_HO | Name to identify the IPSec connection
Connection Type | Site to Site | Select the type of connection
Policy | DefaultBranchOffice | Select the policy to be used for the connection
Action on VPN Restart | Initiate | Select the action when VPN services are restarted.
Authentication Details
Authentication Type | Preshared Key | Select the type of authentication used while establishing a connection.
Preshared Key | hr5xb84l6aa9r6 | Specify the preshared key to be used during authentication
Endpoint Details
Endpoint1 | Local: PortB-203.88.135.105; Remote: 192.229.241.245; Name: BO_to_HO_ISP1 | Enter the details of the first pair of endpoints.
Endpoint2 | Local: PortB-203.88.135.105; Remote: 213.42.25.20; Name: BO_to_HO_ISP2 | Enter the details of the second pair of endpoints.
Failover Group Name | Head_Office | Name to identify the group of endpoints.
Failover Mail Notification | Enabled | Enable if Cyberoam should send an email to the configured address when a failover takes place. Note: emails can be sent only if an SMTP server is configured under System > Configuration > Notification.
Failover Condition | IF Not able to Connect TCP Port 80 AND Not able to Connect PING On Remote VPN Server THEN ‘SHIFT to next Active Connection’ | Specify the condition on which Cyberoam decides that a connection has gone down and failover is needed.
Local Network Details
Local Subnet | 172.16.16.0/24 | Specify the local subnet. Multiple subnets can be added.
Remote Network Details
Allow NAT Traversal | Disable |
Remote LAN Network | 192.168.1.0/24 | Select the IP addresses and netmask of the remote network(s) with which the connection is to be made.

Click OK to create the IPSec connection.
 

Step 2: Activate Connection

On clicking OK, the following screen is displayed showing the connections created above.

Click the icon under Status (Active) to activate the connections.


Step 3: Create Corresponding IPSec Connections at HO

Similarly, create the corresponding IPSec connections at the HO. Refer to the article How To – Establish Site-to-Site IPSec Connection using Preshared key for details.

Step 4: Establish connections

Once all Cyberoam Appliances at the Head and Branch Offices are configured, establish the connection between them. Click the icon under Status (Connection) of the primary connection. Here, the primary connection is BO_to_HO_ISP1.

Document Version: 1.0 – 30/11/2012
1.2.9. Bypass IPSec VPN Traffic

Applicable Version: 10.00 onwards
 
Scenario
 
Cyberoam should bypass the IPSec VPN traffic between Site A and Site B, in other words, between Router A and Firewall B. The network schema is as given below.

Configuration

Cyberoam can bypass IPSec VPN traffic only if UDP ports 500 and 4500 are open on it from both the WAN and LAN sides. To open the ports, follow the steps given below. The configuration is to be done from the Web Admin Console using the Administrator profile.

Step 1: Create Virtual Host for UDP port 500

Go to Firewall > Virtual Host > Virtual Host and click Add to create a new virtual host according to the parameters given below.

Parameter Description

On clicking OK, you are asked to create Firewall Rules to allow access to the virtual host created.
 

Step 2: Add Firewall Rule

On clicking OK, the following screen is displayed prompting you to create Firewall Rules.

Enable Add Firewall Rule(s) For Virtual Host and specify the parameters shown in the screen as required. Click Add Rule(s) to add the firewall rule. The above firewall rule forwards all traffic from port 500 on the WAN side to port 500 on the LAN side.


Step 3: Create Virtual Host for UDP port 4500

Go to Firewall > Virtual Host > Virtual Host and click Add to create a new virtual host according to the parameters given below.

Parameter Description

Parameter | Value | Description
--- | --- | ---
Name | UDP_Port_4500 | Name to identify the Virtual Host.
External IP | #PortC – 10.10.1.1 | The External IP address is the IP address through which Internet users access the internal server/host.
Mapped IP | 172.16.16.20 | The Mapped IP address is the IP address of the internal server/host.
Physical Zone | LAN | LAN, WAN, DMZ, VPN or custom zone of the mapped IP address. For example, if the mapped IP address represents an internal server, this is the zone in which the server physically resides.
Port Forwarding | |
Enable Port Forwarding | Enabled | Click to enable service port forwarding.
Protocol | UDP | Select the protocol, TCP or UDP, that you want the forwarded packets to use.
Port Type | Port | Click to specify whether the port mapping should be a single port or a range of ports.
External Port | 4500 | Specify the public port number for which you want to configure port forwarding.
Mapped Port | 4500 | Specify the mapped port number on the destination network to which the public port number is mapped.

On clicking OK, you are asked to create Firewall Rules to allow access to the virtual host created.
 

Step 4: Add Firewall Rule

On clicking OK, the following screen is displayed prompting you to create Firewall Rules.

Enable Add Firewall Rule(s) For Virtual Host and specify the parameters shown in the screen as required. Click Add Rule(s) to add the firewall rule. The above firewall rule forwards all traffic from port 4500 on the WAN side to port 4500 on the LAN side.
 

Note:

Ensure that similar Firewall Rules exist which forward all traffic from ports 500 and 4500 on the LAN side to ports 500 and 4500 respectively on the WAN side.

Document Version: 1.0 – 28/06/2012
1.2.10. Allow Branch Office Users to Authenticate with Head Office Authentication Server

Applicable Version: 10.00 onwards

Scenario

This article describes how Cyberoam can be configured to allow users in the Branch Office (BO) to authenticate with the Head Office (HO) AD Server. The network schema is as shown below.

Prerequisites

- IPSec connection is active and connected.
- Both Head Office and Branch Office Cyberoam Appliances are integrated with the Head Office AD Server. To integrate Cyberoam with AD, refer to the article How To – Integrate Cyberoam with Active Directory.

Configuration

To allow BO users to authenticate with the HO AD server, configure the BO Cyberoam according to the steps given below. The configuration is to be done on the Cyberoam CLI using the Administrator profile.

Step 1: Add IPSec Route

By default, Cyberoam-initiated traffic is forwarded to the WAN interface. To ensure that traffic destined for the HO AD Server is forwarded into the IPSec tunnel, add an IPSec route by following the steps below.

· Login to the Cyberoam CLI.

· Select option 4. Cyberoam Console to access the CLI.

· Execute the following command to add an IPSec route:

     console> cyberoam ipsec_route add host 172.16.16.2 tunnelname Branch_to_Head

Step 2: Add Source NAT Policy for Cyberoam Initiated Traffic

By default, the source IP address of Cyberoam-initiated traffic is its WAN interface IP. Apply a Source NAT policy to this traffic so that its source IP address is part of the VPN local network; this ensures that the traffic is accepted by the AD Server. Execute the following command:

console> set advanced-firewall cr-traffic-nat add destination 172.16.16.0 netmask 255.255.255.0 snatip 172.50.50.1

Document Version: 1.0 – 08/06/2012
1.2.11. Forward GRE Traffic over IPSec VPN Tunnel

Applicable Version: 10.00 onwards
 
Overview
 
Generic Routing Encapsulation (GRE) is a simple IP packet encapsulation protocol. GRE tunnels are mainly used as a means to carry other routed protocols across a predominantly IP network. They remove the need for all protocols except IP for data transfer, thus reducing much of the overhead on the network administrator’s part. Non-IP protocols such as IPX and AppleTalk are tunnelled through the IP core via GRE.

Generally, GRE tunnels are used in the following scenarios:

- To carry Multicast traffic just like real network interface traffic.
- To carry non-routable protocol traffic like NetBIOS or non-IP traffic over an IP network.
- To link two similar networks which are connected with different IP addressing.

Scenario

Create an IPSec tunnel between a Head Office network and a Branch Office network. The clients at the Branch Office are to connect to the Head Office Media Server, so we have created a GRE tunnel over the IPSec connection to allow the transfer of multicast traffic between the Head Office and the Branch Office. The network scenario is described in the diagram below.

Network Schema

Branch Office | Head Office
--- | ---
Cyberoam WAN IP Address – 202.134.168.208 | Cyberoam WAN IP Address – 202.134.168.202
LAN IP – 172.50.50.2 | LAN IP – 172.16.16.10
LAN Subnet – 172.50.50.0/24 | LAN Subnet – 172.16.16.0/24
GRE Tunnel Virtual IP – 5.5.5.1 | GRE Tunnel Virtual IP – 5.5.5.2
 | Media Server: Source IP – 172.16.16.2; Multicast IP – 225.0.0.1
Configuration
 
To forward GRE traffic over IPSec VPN connection, follow the steps given below. The configuration is to be done from the Web Admin Console using Administrator profile. 

Step 1: Create IPSec VPN Tunnel

Create an IPSec VPN tunnel between the Head Office and Branch Office. To know how to create an IPSec VPN connection, refer to the article How To - Establish Site-to-Site IPSec Connection using Preshared Key.
 
Note:

In the IPSec configuration:

- Make sure that the WAN IP of the Head Office Cyberoam is included in the Trusted Local Subnet at the Head Office side and in the Trusted Remote Subnet at the Branch Office side.
- Similarly, make sure that the WAN IP of the Branch Office Cyberoam is included in the Trusted Local Subnet at the Branch Office side and in the Trusted Remote Subnet at the Head Office side.

The GRE tunnel is terminated on the two WAN IPs, so these entries are what make the GRE packets match the IPSec policy and travel inside the tunnel.

Step 2: Create GRE Tunnel

Create a GRE Tunnel between the Head Office and the Branch Office. To know how to create a GRE tunnel, refer to the article How To – Configure a GRE Tunnel on Cyberoam. 

Step 3: Enable Multicast Forwarding in Cyberoam

Enable Multicast Forwarding on Cyberoam by going to Network > Static Route > Multicast and checking Enable Multicast Forwarding as shown below. 
 
 

Step 4: Add Static Multicast Routes

Add static multicast routes both at the Head Office and Branch Office. 

Head Office

Go to Network > Static Route > Multicast and click Add to add a new multicast route using the parameters given below.

Parameter Description

Parameter | Value | Description
--- | --- | ---
Source IPv4 Address | 172.16.16.2 | Specify the Source IP Address.
Source Interface | PortA – 172.16.16.10 | Select the Source Interface from the list.
Multicast IPv4 Address | 225.0.0.1 | Specify the range of Multicast IP Addresses.
Destination Interface | gre_tunnel_ho – 5.5.5.2 | Select the Destination Interface from the list. You can select more than one destination interface.


Branch Office

Go to Network > Static Route > Multicast and click Add to add a new multicast route using the parameters given below.

Parameter Description

Parameter | Value | Description
--- | --- | ---
Source IPv4 Address | 172.16.16.2 | Specify the Source IP Address.
Source Interface | gre_tunnel_bo – 5.5.5.1 | Select the Source Interface from the list.
Multicast IPv4 Address | 225.0.0.1 | Specify the range of Multicast IP Addresses.
Destination Interface | PortA – 172.50.50.2 | Select the Destination Interface from the list. You can select more than one destination interface.


Note:

Make sure that Firewall Rules allowing traffic from LAN to VPN and vice versa are present. If they are not present, create them manually. They are necessary for the VPN connections to function properly.

The above configuration forwards all GRE traffic to the IPSec VPN connection between the Head Office and the Branch Office.

Document Version: 2.1 – 4 June, 2014
1.2.12. Create Hub and Spoke IPSec VPN Network with Super Net

Applicable Version: 10.00 onwards
 
Overview
 
A Hub and Spoke VPN Network is set up in organizations which desire centralized control over all its branch offices. In this network setup, the Head Office acts as the Hub and the Branch Offices act as Spokes. All VPN tunnels from Branch Offices terminate at this hub, which acts as a concentrator. Site-to-site connections between spokes do not exist. Traffic originating from one spoke and destined for another spoke has to go via the hub.

Scenario

Configure Cyberoam Appliances in a Hub and Spoke IPSec VPN Network between the Head Office in New York and Branch Offices in Houston and Dallas as shown below.

Network Schema

Office | LAN Network | WAN IP Address
--- | --- | ---
New York HO | 192.168.1.0/24 | 202.11.11.11
Houston BO | 192.168.2.0/24 | 202.10.10.10
Dallas BO | 192.168.3.0/24 | 202.12.12.12

Configuration

In this article, we have placed all three networks, New York (192.168.1.0/24), Houston (192.168.2.0/24) and Dallas (192.168.3.0/24), under a single Super Net (192.168.0.0/16). This eases maintenance of the three networks: the Hub uses the Super Net as its local subnet and each Spoke uses it as its remote network, so a Spoke needs only one remote network entry to reach both the Hub and the other Spoke.

The configuration of Cyberoam Appliances at New York, Houston and Dallas is given below. All configurations are to be done from Web Admin Console of respective appliances.


Houston Branch Office (Spoke)

Configure a site-to-site IPSec VPN connection between Houston (Spoke) and New York (Hub) by following the steps given below. In this article, we have used the following parameters to create the VPN connection.

Network Parameters

Local Network details
- Local Server (WAN IP address) – 202.10.10.10
- Local LAN address – 192.168.2.0/24
- Local ID – john@elitecore.com

Remote Network details
- Remote VPN server (Hub IP address) – 202.11.11.11
- Remote LAN Network – 192.168.0.0/16 (Supernet of all the networks)
- Remote ID – dean@elitecore.com


Step 1: Create IPSec Connection
 
Add Connection

To create a new IPSec connection, go to VPN > IPSec > Connection and click Add. Create the connection using the following parameters.

Parameter Description

Parameter | Value | Description
--- | --- | ---
Name | Houston_to_NY | Name to identify the IPSec Connection.
Connection Type | Site to Site | Select the type of connection. Available options: Remote Access, Site to Site, Host to Host.
Policy | DefaultBranchOffice | Select the policy to be used for the connection.
Action on VPN Restart | Initiate | Select the action for the connection. Available options: Respond Only, Initiate, Disable.
Authentication details | |
Authentication Type | Preshared Key | Select the Authentication Type. Authentication of the user depends on the connection type.
Preshared Key | 123456789 | The preshared key should be the same as that configured at the remote site.
Endpoints Details | |
Local | PortB – 202.10.10.10 | Select the local port which acts as the endpoint of the tunnel.
Remote | 202.11.11.11 | Specify the IP address of the remote endpoint.
Local Network Details | |
Local Subnet | 192.168.2.0/24 | Select the Local LAN Address. Add and remove LAN addresses using the Add and Remove buttons.
Remote Network Details | |
Remote LAN Network | 192.168.0.0/16 (Supernet of all 3 networks) | Select the Remote LAN Address. Add and remove LAN addresses using the Add and Remove buttons.


Click OK to create IPSec connection.
 

Step 2: Activate Connection

On clicking OK, the following screen is displayed showing the connection created above.

Click the icon under Status (Active) to activate the connection.


Dallas Branch Office (Spoke)

Configure a site-to-site IPSec VPN connection between Dallas (Spoke) and New York (Hub) by following the steps given below. In this article, we have used the following parameters to create the VPN connection.

Network Parameters

Local Network details
- Local Server (WAN IP address) – 202.12.12.12
- Local LAN address – 192.168.3.0/24
- Local ID – mathew@elitecore.com

Remote Network details
- Remote VPN server (Hub IP address) – 202.11.11.11
- Remote LAN Network – 192.168.0.0/16 (Supernet of all the networks)
- Remote ID – dean@elitecore.com


Step 1: Create IPSec Connection

Add Connection

To create a new IPSec connection, go to VPN > IPSec > Connection and click Add. Create the connection using the following parameters.

Parameter Description

Parameter | Value | Description
--- | --- | ---
Name | Dallas_to_NY | Name to identify the IPSec Connection.
Connection Type | Site to Site | Select the type of connection. Available options: Remote Access, Site to Site, Host to Host.
Policy | DefaultBranchOffice | Select the policy to be used for the connection.
Action on VPN Restart | Initiate | Select the action for the connection. Available options: Respond Only, Initiate, Disable.
Authentication details | |
Authentication Type | Preshared Key | Select the Authentication Type. Authentication of the user depends on the connection type.
Preshared Key | 123456789 | The preshared key should be the same as that configured at the remote site.
Endpoints Details | |
Local | PortB – 202.12.12.12 | Select the local port which acts as the endpoint of the tunnel.
Remote | 202.11.11.11 | Specify the IP address of the remote endpoint.
Local Network Details | |
Local Subnet | 192.168.3.0/24 | Select the Local LAN Address. Add and remove LAN addresses using the Add and Remove buttons.
Remote Network Details | |
Remote LAN Network | 192.168.0.0/16 (Supernet of all 3 networks) | Select the Remote LAN Address. Add and remove LAN addresses using the Add and Remove buttons.


Click OK to create IPSec connection.
 

Step 2: Activate Connection

On clicking OK, the following screen is displayed showing the connection created above.

Click the icon under Status (Active) to activate the connection.

Note:

If there is more than one connection between two gateways, where each connection uses a different authentication mode, only one connection can remain active at a time.
 

New York Head Office (Hub)

Configure site-to-site IPSec VPN connections between New York (Hub) and Dallas (Spoke), and New York (Hub) and Houston (Spoke) by following the steps given below.
 

Step 1: Create IPSec VPN Connection with Houston BO 

Add Connection

To create a new IPSec connection, go to VPN > IPSec > Connection and click Add. Create the connection using the following parameters.

Parameter Description

Parameter | Value | Description
--- | --- | ---
Name | NY_to_Houston | Name to identify the IPSec Connection.
Connection Type | Site to Site | Select the type of connection. Available options: Remote Access, Site to Site, Host to Host.
Policy | DefaultHeadOffice | Select the policy to be used for the connection.
Action on VPN Restart | Respond Only | Select the action for the connection. Available options: Respond Only, Initiate, Disable.
Authentication details | |
Authentication Type | Preshared Key | Select the Authentication Type. Authentication of the user depends on the connection type.
Preshared Key | 123456789 | The preshared key should be the same as that configured at the remote site.
Endpoints Details | |
Local | PortB – 202.11.11.11 | Select the local port which acts as the endpoint of the tunnel.
Remote | 202.10.10.10 | Specify the IP address of the remote endpoint.
Local Network Details | |
Local Subnet | 192.168.0.0/16 (Supernet of all 3 networks) | Select the Local LAN Address. Add and remove LAN addresses using the Add and Remove buttons.
Remote Network Details | |
Remote LAN Network | 192.168.2.0/24 | Select the Remote LAN Address. Add and remove LAN addresses using the Add and Remove buttons.


Click OK to create IPSec connection.

Activate Connection

On clicking OK, the following screen is displayed showing the connection created above.

Click the icon under Status (Active) to activate the connection.


Step 2: Create IPSec VPN Connection with Dallas BO 

Add Connection

To create a new IPSec connection, go to VPN > IPSec > Connection and click Add. Create the connection using the following parameters.

Parameter Description

Parameter | Value | Description
--- | --- | ---
Name | NY_to_Dallas | Name to identify the IPSec Connection.
Connection Type | Site to Site | Select the type of connection. Available options: Remote Access, Site to Site, Host to Host.
Policy | DefaultHeadOffice | Select the policy to be used for the connection.
Action on VPN Restart | Respond Only | Select the action for the connection. Available options: Respond Only, Initiate, Disable.
Authentication details | |
Authentication Type | Preshared Key | Select the Authentication Type. Authentication of the user depends on the connection type.
Preshared Key | 123456789 | The preshared key should be the same as that configured at the remote site.
Endpoints Details | |
Local | PortB – 202.11.11.11 | Select the local port which acts as the endpoint of the tunnel.
Remote | 202.12.12.12 | Specify the IP address of the remote endpoint.
Local Network Details | |
Local Subnet | 192.168.0.0/16 (Supernet of all 3 networks) | Select the Local LAN Address. Add and remove LAN addresses using the Add and Remove buttons.
Remote Network Details | |
Remote LAN Network | 192.168.3.0/24 | Select the Remote LAN Address. Add and remove LAN addresses using the Add and Remove buttons.

Click OK to create IPSec connection.


Activate Connection

On clicking OK, the following screen is displayed showing the connection created above.

Click the icon under Status (Active) to activate the connection.


Step 3: Add Firewall Rule to allow VPN Traffic

To create the firewall rule, go to Firewall > Rule > Rule and click Add. Create the rule using the following parameters.

Parameter Description

Click OK to create the firewall rule.

Step 4: Establish connections

Once all Cyberoam Appliances at the Head and Branch Offices are configured, establish the connections between them. Click the icon under Status (Connection) to establish the connection.

Note:

Make sure that Firewall Rules allowing traffic from LAN to VPN and vice versa are present. If they are not present, create them manually. They are necessary for the VPN connections to function properly.
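The routing behind the Super Net design, as an added Python example that is not Cyberoam code: each site is modelled with its LAN and its IPSec connections from the tables above, a packet is followed from Houston to Dallas through the New York hub, and the same trace is repeated against a constructed variant in which the hub uses only its own /24 instead of the Super Net. The traced packet addresses and the check_supernet helper are assumptions added for illustration.

```python
"""Hub and Spoke routing check with the Super Net from this article.
Added example, not Cyberoam code: site LANs, connection names and selectors
come from the tables above; the traced packet addresses are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass
class Connection:
    name: str
    local_subnet: IPv4Network     # Local Subnet in the connection's table
    remote_subnet: IPv4Network    # Remote LAN Network in the connection's table
    peer: str                     # site at the far end of the tunnel


@dataclass
class Site:
    name: str
    lan: IPv4Network              # the site's physical LAN from the Network Schema
    connections: List[Connection]

    def next_hop(self, dst: IPv4Address) -> str:
        """Longest-prefix match over the LAN and each tunnel's remote subnet.
        On a spoke this is why the /24 LAN wins over the /16 Super Net that the
        spoke's tunnel also covers: local traffic never enters the tunnel."""
        candidates: List[Tuple[int, str]] = []
        if dst in self.lan:
            candidates.append((self.lan.prefixlen, "local"))
        for c in self.connections:
            if dst in c.remote_subnet:
                candidates.append((c.remote_subnet.prefixlen, f"tunnel:{c.name}"))
        return max(candidates)[1] if candidates else "internet"


def trace(sites: Dict[str, Site], src_site: str, src: str, dst: str) -> List[str]:
    """Follow a packet site by site and return the tunnels it crosses.
    Raises ValueError when no route exists or a Phase 2 selector rejects it."""
    s, d = ip_address(src), ip_address(dst)
    here, path = src_site, []
    for _ in range(len(sites) + 1):           # more hops than sites means a loop
        decision = sites[here].next_hop(d)
        if decision == "local":
            return path
        if decision == "internet":
            raise ValueError(f"{dst} is not reachable over the VPN from {here}")
        conn = next(c for c in sites[here].connections if decision == f"tunnel:{c.name}")
        if s not in conn.local_subnet:        # selector: source must be in Local Subnet
            raise ValueError(f"{conn.name} does not carry source {src}")
        path.append(conn.name)
        here = conn.peer
    raise ValueError("routing loop")


def check_supernet(hub_lan: str, spokes: List[Site]) -> List[str]:
    """Design checks: every spoke LAN inside the Super Net, no two spokes overlapping."""
    supernet = ip_network(hub_lan)
    problems = [f"{s.name} LAN {s.lan} is outside {supernet}"
                for s in spokes if not s.lan.subnet_of(supernet)]
    for i, a in enumerate(spokes):
        for b in spokes[i + 1:]:
            if a.lan.overlaps(b.lan):
                problems.append(f"{a.name} and {b.name} LANs overlap")
    return problems


def build_sites(hub_selector: str = "192.168.0.0/16") -> Dict[str, Site]:
    """Sites as configured in this article. hub_selector is what the hub uses as
    its Local Subnet and the spokes use as their Remote LAN Network."""
    hub = ip_network(hub_selector)
    ny, hou, dal = (ip_network(n) for n in
                    ("192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"))
    return {
        "New York": Site("New York", ny, [
            Connection("NY_to_Houston", hub, hou, "Houston"),
            Connection("NY_to_Dallas", hub, dal, "Dallas")]),
        "Houston": Site("Houston", hou, [Connection("Houston_to_NY", hou, hub, "New York")]),
        "Dallas": Site("Dallas", dal, [Connection("Dallas_to_NY", dal, hub, "New York")]),
    }


if __name__ == "__main__":
    sites = build_sites()
    print(trace(sites, "Houston", "192.168.2.10", "192.168.3.7"))   # via the hub
    print(trace(sites, "Houston", "192.168.2.10", "192.168.2.20"))  # stays local
    print(check_supernet("192.168.0.0/16", [sites["Houston"], sites["Dallas"]]))
    flat = build_sites("192.168.1.0/24")   # constructed: hub without the Super Net
    try:
        trace(flat, "Houston", "192.168.2.10", "192.168.3.7")
    except ValueError as err:
        print("without Super Net:", err)
```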
 
                                                                                                                                                                                                                                       
Document Version: 3.0 – 16/09/2012
1.2.13. Configure Syslog over VPN in Cyberoam
 
Applicable Version: 10.00 onwards

Overview

Cyberoam provides extensive logging capabilities for traffic, system and network protection functions. Detailed log information and reports provide historical as well as current analysis of network activity to help identify security issues and reduce network misuse and abuse.
 
Once you have configured Cyberoam to send logs to an external syslog server, Cyberoam forwards the logs to that server in a specific format. Cyberoam UTM provides its reporting module to clients via an external syslog server, either the i-view software or any other third-party Syslog Server.

Syslog over VPN gives you the flexibility to have centralized reporting for all the branch offices at the head office. It offers an architecture for centralized reporting in a secure manner via VPN.

Scenario
 

The network diagram given below shows how Cyberoam is deployed in the network.

The table below shows the configuration parameters; the Syslog Server at the Head Office receives syslogs from the Branch Office LAN:

Branch Office | Head Office
--- | ---
Cyberoam WAN IP address – 192.168.20.178 | Cyberoam WAN IP address – 192.168.20.111
LAN – 172.16.2.1 | LAN – 172.16.1.1
 | Syslog Server – 172.16.1.10

Pre-requisites

A Site-to-Site VPN Tunnel needs to be configured between Head office and Branch office.

Assumption

Both Branch Office and Head Office are connected with a Site-to-Site VPN Tunnel named “SyslogoverVPN”.

Configuration

Follow the steps given below to configure Syslog over VPN in Cyberoam.

This document consists of two (2) sections: Web Admin Console and CLI Console.

Web Admin Console

The entire Web Admin Console configuration is to be done at the Branch Office site. Access the Web Admin Console with a user having the “Administrator” profile.

Step 1: Add Syslog Servers

Add Server

Go to Logs & Reports > Configuration > Syslog Servers and click “Add” to add a Syslog Server.

Parameters Description

Parameter | Value | Description
--- | --- | ---
Name | Syslog | Specify a unique name for the syslog server.
IP Address | 172.16.1.10 | Specify the IP address of the syslog server. Messages from the appliance will be sent to this server.
Port | 514 | Specify the port number for communication with the syslog server. The appliance will send messages using the configured port. Default: 514.
Facility | DAEMON | Select the syslog facility for log messages to be sent to the syslog server. Available options: DAEMON (daemon logs: information on services running in the appliance as daemons); KERNEL (kernel log); LOCAL0 – LOCAL7 (log level information); USER (logging on the basis of users who are connected to the server).
Severity Level | Debug | Specify the severity level of logged messages, that is, the severity of the message that has been generated. Available options: EMERGENCY (system is not usable); ALERT (action must be taken immediately); CRITICAL (critical condition); ERROR (error condition); WARNING (warning condition); NOTICE (normal but significant condition); INFORMATION (informational); DEBUG (debug-level messages).
Format | CyberoamStandardFormat | The appliance produces logs in the specified format. The appliance currently produces logs in its own standard format.

Click OK and the Syslog Server ‘Syslog’ will be created successfully.
 

Step 2: Enable Syslog


Go to Logs & Reports > Configuration > Log Settings to configure the logs to be sent to the syslog server. Multiple servers can be configured, and different logs can be sent to different servers.

Click Apply and the configuration will be updated successfully.

CLI Console

The entire configuration is to be done from the CLI Console.

1. Login to the CLI Console.

2. Go to Option 4 - Cyberoam Console and press Enter.

3. To route the syslog traffic over a particular tunnel, configure the commands given below:

      console> cyberoam ipsec_route add host 172.16.1.10 tunnelname SyslogoverVPN

      where Syslog Server IP – 172.16.1.10
      VPN Tunnel name – SyslogoverVPN

      console> set advanced-firewall cr-traffic-nat add destination 172.16.1.10 snatip 172.16.2.1

      where Syslog Server IP – 172.16.1.10
      Interface (LAN Interface of Branch Office) – 172.16.2.1

Note:

The CLI configuration is required to configure logs to be sent to the syslog server over the Site-to-Site VPN tunnel.
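Why appliance-originated traffic needs both CLI commands (the ipsec_route, here and in the Branch Office authentication article above, and the cr-traffic-nat source NAT), as an added Python example that is not Cyberoam code: the Branch Office appliance of this scenario is modelled with its WAN IP, the SyslogoverVPN tunnel and the two commands, and a packet to the syslog server is followed after zero, one and both commands. The /24 masks of the two LANs are assumptions (the page gives only the LAN IPs), and the optional netmask keyword mirrors the form used in the authentication article.

```python
"""Why appliance-originated traffic needs both an ipsec_route and a
cr-traffic-nat entry. Added example, not Cyberoam code. Addresses follow the
Syslog over VPN scenario; the /24 LAN masks are assumed (the page gives only
the LAN IPs)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class IpsecTunnel:
    name: str
    local_subnets: List[IPv4Network]
    remote_subnets: List[IPv4Network]

    def carries(self, src: IPv4Address, dst: IPv4Address) -> bool:
        """Phase 2 selectors: a packet is only encapsulated when its source is
        in a local subnet and its destination is in a remote subnet."""
        return (any(src in n for n in self.local_subnets)
                and any(dst in n for n in self.remote_subnets))


@dataclass
class Appliance:
    wan_ip: IPv4Address
    tunnels: List[IpsecTunnel]
    ipsec_routes: Dict[IPv4Network, str] = field(default_factory=dict)
    cr_traffic_nat: Dict[IPv4Network, IPv4Address] = field(default_factory=dict)

    def ipsec_route_add(self, host: str, tunnelname: str) -> None:
        """console> cyberoam ipsec_route add host <ip> tunnelname <name>"""
        self.ipsec_routes[ip_network(host)] = tunnelname

    def cr_traffic_nat_add(self, destination: str, snatip: str,
                           netmask: Optional[str] = None) -> None:
        """console> set advanced-firewall cr-traffic-nat add destination <ip>
        [netmask <mask>] snatip <ip>"""
        net = ip_network(f"{destination}/{netmask}" if netmask else destination)
        self.cr_traffic_nat[net] = ip_address(snatip)

    def send(self, dst: str) -> str:
        """Fate of a packet the appliance itself originates (syslog, AD lookups):
        'wan', 'tunnel:<name>' or 'not_carried' (routed into the tunnel but
        rejected by its selectors, so the server never receives it)."""
        d = ip_address(dst)
        src = self.wan_ip                          # default source: WAN interface IP
        for net, snat in self.cr_traffic_nat.items():
            if d in net:
                src = snat                         # source NAT into the VPN local network
                break
        for net, tname in self.ipsec_routes.items():
            if d in net:
                tunnel = next(t for t in self.tunnels if t.name == tname)
                return f"tunnel:{tname}" if tunnel.carries(src, d) else "not_carried"
        return "wan"                               # default route: out of the WAN interface


def branch_office(steps_done: int) -> Appliance:
    """Branch Office appliance after 0, 1 or 2 of the CLI commands above."""
    bo = Appliance(
        wan_ip=ip_address("192.168.20.178"),
        tunnels=[IpsecTunnel("SyslogoverVPN",
                             [ip_network("172.16.2.0/24")],     # assumed BO LAN mask
                             [ip_network("172.16.1.0/24")])])   # assumed HO LAN mask
    if steps_done >= 1:
        bo.ipsec_route_add("172.16.1.10", "SyslogoverVPN")
    if steps_done >= 2:
        bo.cr_traffic_nat_add("172.16.1.10", "172.16.2.1")
    return bo


if __name__ == "__main__":
    for n in (0, 1, 2):
        print(n, "command(s):", branch_office(n).send("172.16.1.10"))
```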
 
Document version – 1.0-06/02/2012

1.2.14. Configure GRE Tunnel on Cyberoam


Applicable Version: 10.00 onwards

Overview

Generic Routing Encapsulation (GRE) is a simple IP packet encapsulation protocol. GRE tunnels are mainly used as a means to carry other routed protocols across a predominantly IP network. They remove the need of all protocols, except IP, for data transfer, thus reducing much overhead on the network administrator’s part. As such, non-IP protocols such as IPX and AppleTalk are tunnelled through the IP core via GRE.
Generally, GRE tunnels are used in the following scenarios:

· To carry Multicast traffic just like real network interface traffic.
· To carry non-routable protocol traffic like NetBIOS or non-IP traffic over an IP network.
· To link two similar networks which are connected with different IP addressing.

Scenario

Create a GRE tunnel between a Head Office network and a Branch Office network. The clients at the Branch Office are to connect with the WINS Server at the Head Office over NETBIOS traffic, essentially for name registration and resolution. The network scenario is described in the diagram below.

Note:

GRE tunnel cannot be configured on Dynamic WAN interfaces such as PPPoE and DHCP.

Configuration

To create the GRE Tunnel between the Head Office Network and the Branch Office Network, follow the steps given below. Configuration is to be done from Cyberoam CLI using administrative access both in the Head Office and the Branch Office.
 

Step 1: Create GRE Tunnel 

· Login to the CLI using Telnet/SSH.

· Select Option 4. Cyberoam Console to access the CLI.

· Create the GRE Tunnel between the two sites by executing the following command.

     Head Office:

     console> cyberoam gre tunnel add name Cyberoam_GRE local-gw PortB remote-gw 202.134.168.208 local-ip 5.5.5.2 remote-ip 5.5.5.1

     Branch Office:

     console> cyberoam gre tunnel add name Cyberoam_GRE local-gw PortB remote-gw 202.134.168.202 local-ip 5.5.5.1 remote-ip 5.5.5.2

Step 2: Configure GRE Route
 
Configure a GRE route to define the traffic between the two sites.

Head Office:

console> cyberoam gre route add net 172.50.50.0/255.255.255.0 tunnelname Cyberoam_GRE

Branch Office:

console> cyberoam gre route add host 172.16.16.2 tunnelname Cyberoam_GRE

You can view the GRE Tunnel configuration by running the following command:

console> cyberoam gre tunnel show

Step 3: Add Firewall Rules
 
Add VPN-LAN and LAN-VPN Firewall Rules on both HO and BO Cyberoam to allow GRE traffic. To create Firewall Rule, go to Firewall > Rule > Rule and create new firewall rules as shown below.
 
  
 
The above configuration creates a GRE Tunnel between the HO Cyberoam and the BO Cyberoam.

Document Version: 2.2 – 3 July, 2014

1.2.15. Configure VPN Failover and Failback in Cyberoam

Applicable to Version: 10.00 onwards
 
Cyberoam VPN Connection Failover is a feature that provides an automatic backup connection for VPN traffic, giving “Always ON” VPN connectivity for IPSec and L2TP connections.

A VPN tunnel allows you to access remote servers and applications with total security. With VPN auto failover, a VPN connection is re-established when one of the two WAN connections drops. The solution also achieves a failover latency of a few seconds by constantly monitoring the link and switching over instantaneously in the event of a failure.
 
Advantages
 

· Reduce the possibility of a single point of failure.
· Reduce the reliance on manual intervention to establish a new connection.
· Reduce the failover time of a VPN connection with redundant VPN tunnels and VPN monitoring.

Cyberoam implements failover using VPN connection Group.
 
A VPN group is a set of VPN tunnel configurations. The Phase 1 and Phase 2 security parameters for each connection in a group can be different or identical except for the IP address of the remote gateway. The order of connections in the Group defines fail over priority of the connection.
 
A connection included in the Group must be activated and manually connected for the first time before it participates in failover. A connection does not fail over to the subsequent connection if it is manually disconnected.
 
When the primary connection fails, the subsequent active connection in the Group takes over without manual intervention and keeps traffic moving. The entire process is transparent to users.
 

· Remote peer does not reply – for Net to Net and Host to Host connections.
· Local Gateway fails – for Road Warrior connections.

Prerequisites
 

· Packets of the protocol specified in the failover condition must be allowed from the local server to the remote server, and their replies, on both the local and remote servers.
· One connection can be included in one Group only.
· Connection must be ACTIVE to participate in failover.

 

Cyberoam VPN failover can be deployed in any number of possible configurations and supports remote/branch offices in seamlessly establishing a VPN connection to a secondary gateway should the connection to the primary gateway be terminated, allowing for continuous uptime.
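The failover behaviour described here and in the multi-endpoint connection table at the start of this section (connections in priority order, ACTIVE and connected once before they take part, no failover after a manual disconnect, and the condition "IF not able to connect TCP port 80 AND not able to PING the remote VPN server THEN shift to the next active connection"), as an added Python simulation that is not Cyberoam code. Connection names and remote addresses follow the BO_to_HO example; the probe results and the spare connection are constructed, and wrapping to the top of the group when the last member fails is an assumption.

```python
"""Constructed simulation of a Cyberoam-style VPN failover group (added example,
not Cyberoam code). Connection names and addresses follow the BO_to_HO example;
probe results are constructed, not measured."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Probe = Dict[str, bool]   # e.g. {"tcp_80": False, "ping": False}


def all_probes_failed(probe: Probe) -> bool:
    """Failover condition from the table: IF not able to connect TCP port 80
    AND not able to PING the remote VPN server THEN the connection is down.
    A missing probe result counts as a failed probe."""
    return not probe.get("tcp_80", False) and not probe.get("ping", False)


@dataclass
class Connection:
    name: str
    remote: str
    active: bool = True               # must be ACTIVE to participate in failover
    connected_once: bool = False      # must be manually connected the first time
    manually_disconnected: bool = False


class FailoverGroup:
    """Members are kept in priority order: the order in the group defines
    which connection takes over next."""

    def __init__(self, name: str, members: List[Connection],
                 is_down: Callable[[Probe], bool] = all_probes_failed) -> None:
        self.name = name
        self.members = members
        self.is_down = is_down
        self.current: Optional[str] = None   # connection carrying traffic now

    def member(self, name: str) -> Connection:
        return next(c for c in self.members if c.name == name)

    def eligible(self, c: Connection) -> bool:
        return c.active and c.connected_once and not c.manually_disconnected

    def connect(self, name: str) -> None:
        """Admin clicks the Status (Connection) icon: the connection is now
        eligible, and becomes the carrier if nothing is carrying traffic yet."""
        c = self.member(name)
        c.connected_once, c.manually_disconnected = True, False
        if self.current is None:
            self.current = name

    def disconnect(self, name: str) -> None:
        """Manual disconnect: the group does not fail over from it."""
        self.member(name).manually_disconnected = True
        if self.current == name:
            self.current = None

    def successors(self, c: Connection) -> List[Connection]:
        """Members after c in priority order, then wrap to the top (assumption:
        the page only says 'the subsequent active connection')."""
        i = self.members.index(c)
        return self.members[i + 1:] + self.members[:i]

    def evaluate(self, probes: Dict[str, Probe]) -> Tuple[Optional[str], List[str]]:
        """One monitoring cycle. Returns (carrier after the cycle, events).
        The events are where a failover mail notification would be raised."""
        events: List[str] = []
        if self.current is None:
            return None, events                 # nothing is carrying traffic
        cur = self.member(self.current)
        if not self.is_down(probes.get(cur.name, {})):
            return cur.name, events             # condition not met, no change
        events.append(f"{cur.name} ({cur.remote}): failover condition met")
        for cand in self.successors(cur):
            if self.eligible(cand) and not self.is_down(probes.get(cand.name, {})):
                events.append(f"shift to next active connection: {cand.name}")
                self.current = cand.name
                return cand.name, events
        events.append("no active connection left in group")
        self.current = None
        return None, events


def demo() -> List[Optional[str]]:
    """Walk the BO_to_HO group through four monitoring cycles."""
    ok = {"tcp_80": True, "ping": True}
    half = {"tcp_80": False, "ping": True}    # only one probe failed: not down
    down = {"tcp_80": False, "ping": False}
    isp1 = Connection("BO_to_HO_ISP1", "195.229.241.245")
    isp2 = Connection("BO_to_HO_ISP2", "213.42.25.20")
    spare = Connection("BO_to_HO_SPARE", "198.51.100.9")   # constructed, never connected
    group = FailoverGroup("Head_Office", [isp1, spare, isp2])
    group.connect("BO_to_HO_ISP1")
    group.connect("BO_to_HO_ISP2")
    carriers = []
    carriers.append(group.evaluate({"BO_to_HO_ISP1": ok, "BO_to_HO_ISP2": ok})[0])
    carriers.append(group.evaluate({"BO_to_HO_ISP1": half, "BO_to_HO_ISP2": ok})[0])
    carriers.append(group.evaluate({"BO_to_HO_ISP1": down, "BO_to_HO_ISP2": ok})[0])
    group.disconnect("BO_to_HO_ISP2")                      # manual: no failover
    carriers.append(group.evaluate({"BO_to_HO_ISP1": ok, "BO_to_HO_ISP2": ok})[0])
    return carriers


if __name__ == "__main__":
    print(demo())   # ['BO_to_HO_ISP1', 'BO_to_HO_ISP1', 'BO_to_HO_ISP2', None]
```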
 

Scenario 1: Set up VPN redundant tunnel in network with multiple gateways


This article features a detailed configuration example that demonstrates how to set up a redundant IPSec VPN tunnel that uses preshared keys for authentication.
 
The following sections are included:
 

· Configuring Connections at Head Office
· Configuring Connections at Branch Office
· Configuring failover group at Branch Office
· Failover conditions
 
In the example and throughout the article, the IP addresses given below are assigned to the Cyberoam appliances deployed at the headquarters and the branch. Follow the steps for setting up the redundant VPN tunnel (failover) configuration to create a VPN tunnel between the Houston branch (Cyberoam_br) and the New York Head Office (Cyberoam_ho) network.

IP addressing scheme

New York office (Cyberoam_ho)

- LAN IP address – 10.10.10.0/24
- WAN IP address – Gateway 1 – 192.168.1.1
- WAN IP address – Gateway 2 – 192.168.2.1

Spoke 1 – Houston Branch (Cyberoam_br)

- LAN IP address – 10.10.20.0/24
- WAN IP address – Gateway 3 – 192.168.3.1
- WAN IP address – Gateway 4 – 192.168.4.1

As each Cyberoam is configured with 2 gateways, we will create a total of 4 connections on each side, i.e. 2 tunnels per gateway.
 
 
 

Configuring Connection at New York

Create the IPSec connections on New York (Cyberoam_ho).

As Cyberoam is configured with 2 gateways, we will create a total of 4 tunnels/connections, i.e. 2 tunnels per gateway.

- Connection 1: Establishing tunnel between Gateway 1 and Gateway 3 of Houston branch
- Connection 2: Establishing tunnel between Gateway 1 and Gateway 4 of Houston branch
- Connection 3: Establishing tunnel between Gateway 2 and Gateway 3 of Houston branch
- Connection 4: Establishing tunnel between Gateway 2 and Gateway 4 of Houston branch

Refer to the Related Article "Establish Site-to-Site IPSec Connection using Preshared key" below for the steps to establish a site-to-site IPSec connection.

Configuring Connection at Houston branch

Create the IPSec connections on Houston branch (Houston_bo).

As Cyberoam is configured with 2 gateways, we will create a total of 4 tunnels/connections, i.e. 2 tunnels per gateway.

- Connection 1: Establishing tunnel between Gateway 3 and Gateway 1 of New York
- Connection 2: Establishing tunnel between Gateway 3 and Gateway 2 of New York
- Connection 3: Establishing tunnel between Gateway 4 and Gateway 1 of New York
- Connection 4: Establishing tunnel between Gateway 4 and Gateway 2 of New York

Refer to the Related Article "Establish Site-to-Site IPSec Connection using Preshared key" below for the steps to establish a site-to-site IPSec connection.


Configure VPN failover group

Go to VPN > IPSec > Connection to add the New York – Houston failover group and its failover conditions. Click the Add Failover Group button to add a new group.

Parameter | Value
Connection Group Details
Name | NY_HOU_grp
Select Connections
Member Connections | Gateway3_Gateway2, Gateway3_Gateway1, Gateway4_Gateway1, Gateway4_Gateway2 (in this order)

The 'Available Connections' list displays the connections that can be added to the failover group. Click the connections to be added to the Member Connections list. The Appliance selects the subsequent active connection from the Member Connections list if the primary connection fails.

The top-down order of connections in the Member Connections list specifies the failover preference, i.e. if the primary connection fails, the very next connection in the list is used by the Appliance to keep the VPN traffic moving.

Once a connection is included in any Group, it is no longer displayed in the 'Available Connections' list.

Remote Access connections are not listed in the 'Available Connections' list.

You need to define a minimum of 2 member connections in a Group.

 
 
 

Failover Conditions

Initially, only one tunnel is active and established between the peers, over Gateway 3 and Gateway 2. All other tunnels are in standby mode.

E.g. the WAN link on Gateway 2 at the New York office goes down.

As defined in the failover group, the second connection, Gateway 3 – Gateway 1, gets connected and traffic is sent through this new tunnel.

There is no disruption other than the 10 – 15 seconds that failover to the standby connection takes.

Document Version – 1.0 – 05/09/2011

1.2.16. Use VPN/MPLS as a Backup (MPLS Scenario)

Applicable Version: 10.00 onwards

Overview

Most companies have multiple branches and, more often than not, good network connectivity (a Wide Area Network) across these branches is a must to accelerate the speed of business. Some of the popular options available to such geographically spread enterprises for connecting branches with each other and with the head office are Managed Leased Lines, MPLS (Multi Protocol Label Switching) VPN connectivity, VPN over Internet Leased Lines, satellite-based VSAT systems and many more.

In order to safeguard against a network connectivity outage, which entails business loss, organizations must ensure that they have alternative cost-effective connectivity options that provide secure access.


Network Schema

Consider a hypothetical network where a VPN Link and an MPLS Link connect a Head Office (HO) and a Branch Office (BO).

Head Office:

The Head Office Cyberoam has been configured with Port A as LAN, Port B as WAN and Port D as DMZ. The MPLS link has been terminated on the DMZ (Port D).

Cyberoam LAN IP: 192.168.1.254
Cyberoam WAN IP: 202.134.168.202
Cyberoam DMZ IP: 10.10.10.2 (Connected to HO MPLS Router)

Branch Office:

The Branch Office Firewall is configured as follows:

LAN IP: 192.168.2.254
WAN IP: 202.134.168.206
DMZ IP: 5.5.5.2 (Connected to BO MPLS Router)

MPLS Link

The MPLS Link has been configured as follows:

HO Router WAN IP: 12.12.12.1
HO Router DMZ IP: 10.10.10.1 (Connected to Cyberoam)
BO Router WAN IP: 11.11.11.1
BO Router DMZ IP: 5.5.5.1 (Connected to BO Firewall)

Scenario 1: VPN Link as a Backup for MPLS Link

Configure Cyberoam to fail over to an IPSec VPN Link when the MPLS link fails. This is required to provide uninterrupted connectivity between the HO and BO. When the MPLS link comes up again, the status quo is restored.

Configuration

You can configure the failover to an IPSec link when the MPLS link fails by following the steps mentioned below.

Step 1: Configure IPSec Connection between HO and BO

Refer to the article How To - Establish Site-to-Site IPSec Connection using Preshared key for details on how to establish an IPSec VPN connection between HO and BO.

Step 2: Set IPSec Link as Backup to the MPLS Link

Login to Cyberoam CLI Console.

Go to Option 4. Cyberoam Console and execute the following command.

    cyberoam link_failover add primarylink PortD backuplink IPSec_Link monitor PING host 11.11.11.1

Syntax:

    cyberoam link_failover add primarylink <Port on which MPLS is connected> backuplink <Failover VPN link name on which traffic needs to be forwarded> monitor PING host <IP address of the remote device which needs to be monitored for failover>

Note:

- Make sure that the IPSec connection is active and connected before configuring it as a backup link.
- You can also use TCP for monitoring the remote device. The syntax is:

    cyberoam link_failover add primarylink <Port on which MPLS is connected> backuplink <VPN link name on which traffic needs to be forwarded> monitor TCP host <IP address of the remote device which needs to be monitored for failover> port <port of the remote device which needs to be monitored for failover>
 

Step 3: Configure Static Route

Configure static routes to direct all BO-destined traffic over the MPLS Link.

1.   Configure an Interface-based Route which points to the remote network (192.168.2.0).
2.   Configure a Gateway-based Route for the monitoring IP (11.11.11.1). This route is necessary to monitor the MPLS Link status and to send the monitoring packets over the MPLS Link only.

Configure Interface-based Route for Remote Network:

Login to Cyberoam Web Admin Console using Administrator profile.

Go to Network > Static Route > Unicast and click Add to add a static route using the following parameters.

Parameter Description

Parameter | Value | Description
Destination IP | 192.168.2.0 | Specify Destination IP Address
Netmask | /24 (255.255.255.0) | Specify Subnet Mask
Gateway | 10.10.10.1 | Specify Gateway IP Address
Interface | PortD – 10.10.10.2 | Select Interface from the list including Physical Interfaces, Virtual Sub-interfaces and Aliases.

Click OK to save the route.

Configure Gateway-based Route for Monitored MPLS Device

Login to Cyberoam Web Admin Console using Administrator profile.

Go to Network > Static Route > Unicast and click Add to add a static route using the following parameters.

Parameter Description

Parameter | Value | Description
Destination IP | 11.11.11.1 | Specify Destination IP Address
Netmask | /32 (255.255.255.255) | Specify Subnet Mask
Gateway | 10.10.10.1 | Specify Gateway IP Address

Click OK to save the route.

Step 4: Set Highest Priority for Static Routes

By default, VPN routes have the highest priority (Route Precedence) in Cyberoam. To set the highest priority for Static Routes:

- Login to Cyberoam CLI Console.
- Go to Option 4. Cyberoam Console and execute the following command.

    cyberoam route_precedence set static vpn

The above configuration sets the VPN Link as a backup if the primary MPLS Link fails.
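The following added example (not Cyberoam code) models how the pieces configured above interact: the Step 3 static routes over PortD, the Step 4 route precedence, and the Step 2 link_failover entry that moves traffic to IPSec_Link when the PING monitor against 11.11.11.1 fails; it also covers Scenario 2 with the default precedence. The route table and link states are constructed from the article's values, and the behaviour for destinations no route covers (None) is an assumption, since the article does not describe the default route.

```python
"""Model of the path selection configured in Scenarios 1 and 2.

Added example, not Cyberoam code. The route table, the link_failover
entry and the precedence orders are constructed from the article's values.
"""
from ipaddress import ip_address, ip_network

# Static routes from Step 3 (kind "static") and the route the IPSec
# connection installs for the remote LAN once the tunnel is up (kind "vpn").
ROUTES = [
    {"kind": "static", "dst": ip_network("192.168.2.0/24"), "via": "PortD"},
    {"kind": "static", "dst": ip_network("11.11.11.1/32"), "via": "PortD"},
    {"kind": "vpn", "dst": ip_network("192.168.2.0/24"), "via": "IPSec_Link"},
]

# Step 2: cyberoam link_failover add primarylink PortD backuplink IPSec_Link
#         monitor PING host 11.11.11.1
LINK_FAILOVER = {"primarylink": "PortD", "backuplink": "IPSec_Link",
                 "monitor_host": ip_address("11.11.11.1")}


def select_route(dst, precedence, link_up):
    """Return the route used for dst, or None if no usable route matches.

    precedence: route kinds in priority order, ("static", "vpn") after
    'cyberoam route_precedence set static vpn'; ("vpn", "static") is the
    appliance default. link_up maps a link name to whether it is usable.
    Inside one precedence class the most specific prefix wins.
    """
    addr = ip_address(dst)
    for kind in precedence:
        usable = [r for r in ROUTES
                  if r["kind"] == kind and addr in r["dst"] and link_up.get(r["via"])]
        if usable:
            return max(usable, key=lambda r: r["dst"].prefixlen)
    return None


def egress(dst, precedence, link_up, monitor_ok):
    """Egress link for dst after link_failover is applied.

    monitor_ok is the result of the PING monitor against 11.11.11.1. When it
    fails, traffic that would leave over the primary link is moved to the
    backup link. The monitor probe itself always keeps its own route: that
    is what the /32 route is for, and it is how recovery of the MPLS link
    is detected while traffic is on the backup.
    """
    route = select_route(dst, precedence, link_up)
    if route is None:
        return None
    if ip_address(dst) == LINK_FAILOVER["monitor_host"]:
        return route["via"]
    if route["via"] == LINK_FAILOVER["primarylink"] and not monitor_ok:
        return LINK_FAILOVER["backuplink"]
    return route["via"]


def scenario1(dst, mpls_ok):
    """Scenario 1: MPLS primary, static routes first, VPN link as backup.

    The IPSec connection stays active and connected (Step 2 note), so the
    backup link is usable the moment the monitor fails.
    """
    links = {"PortD": True, "IPSec_Link": True}
    return egress(dst, ("static", "vpn"), links, monitor_ok=mpls_ok)


def scenario2(dst, vpn_up):
    """Scenario 2: VPN primary with the default precedence, MPLS as fallback.

    No link_failover entry is needed: when the tunnel is down its route is
    unusable and the static route over PortD is the next match.
    """
    links = {"PortD": True, "IPSec_Link": vpn_up}
    return egress(dst, ("vpn", "static"), links, monitor_ok=True)


if __name__ == "__main__":
    print("S1 MPLS ok,   host in BO LAN ->", scenario1("192.168.2.10", True))
    print("S1 MPLS down, host in BO LAN ->", scenario1("192.168.2.10", False))
    print("S1 MPLS down, monitor probe  ->", scenario1("11.11.11.1", False))
    print("S2 VPN up,    host in BO LAN ->", scenario2("192.168.2.10", True))
    print("S2 VPN down,  host in BO LAN ->", scenario2("192.168.2.10", False))
```

Running it shows why the /32 monitor route matters: without it the probe would not be pinned to PortD and the appliance could not notice the MPLS link coming back.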


Scenario 2: MPLS Link as a Backup for VPN Link

Configure Cyberoam to fail over to the MPLS Link when the primary VPN link fails. This is required to provide uninterrupted connectivity between the HO and BO. When the MPLS link comes up again, the status quo is restored.

By default, Cyberoam gives higher precedence to VPN Routes over Static Routes. In other words, when a VPN Link is established, Cyberoam gives first preference to the VPN routes. If the VPN Link fails, the traffic is automatically redirected via the static routes for the MPLS link. Hence, Cyberoam's default behaviour favours this deployment and no additional configuration is required.

Note:

If the MPLS Link is configured on a Non-WAN port, for example, between the LAN Port on HO and the DMZ Port on BO, add the following IPSec Route from the Cyberoam CLI.

    console> cyberoam ipsec_route add net 192.168.2.0/255.255.255.0 tunnelname IPSec_Link

Re-establish the VPN tunnel after adding the IPSec Route.

Document Version: 2.1 – 06/06/2013

1.2.17. Establish Site-to-Site IPSec Connection using Preshared key

Applicable Version: 10.00 onwards

Overview

IPSec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite. It is used to protect data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host).

Cyberoam's IPSec VPN offers cost-effective site-to-site remote connectivity, eliminating the need for expensive private remote access networks like leased lines, Asynchronous Transfer Mode (ATM) and Frame Relay. This article describes a detailed configuration example that demonstrates how to set up a site-to-site IPSec VPN connection between two networks using a preshared key to authenticate the VPN peers.

Scenario

Configure a site-to-site IPSec VPN connection between Site A and Site B by following the steps given below. In this article, we have used the following parameters to create the VPN connection.
 

 

Network Parameters

Local Network details

- Local Server (WAN IP address) – 14.15.16.17
- Local LAN address – 10.5.6.0/24

Remote Network details

- Remote VPN server (WAN IP address) – 22.23.24.25
- Remote LAN Network – 172.23.9.0/24

 

 

Site A Configuration

The configuration is to be done from Site A's Cyberoam Web Admin Console using a profile having read-write administrative rights for the relevant feature(s).

Step 1: Create IPSec Connection

To create a new IPSec connection, go to VPN > IPSec > Connection and click Add. Create the connection using the following parameters.

Parameter Description

Parameter | Value | Description
Name | SiteA_to_SiteB | Name to identify the IPSec Connection
Connection Type | Site to Site | Select type of connection. Available options: Remote Access, Site to Site, Host to Host
Policy | DefaultHeadOffice | Select policy to be used for the connection
Action on VPN Restart | Respond Only | Select the action for the connection. Available options: Respond Only, Initiate, Disable
Authentication details
Authentication Type | Preshared Key | Select Authentication Type. Authentication of user depends on the connection type.
Preshared Key | 123456789 | Preshared key should be the same as that configured at the remote site.
Endpoints Details
Local | PortB-14.15.16.17 | Select local port which acts as end-point of the tunnel
Remote | 22.23.24.25 | Specify IP address of the remote endpoint.
Local Network Details
Local Subnet | 10.5.6.0/24 | Select Local LAN Address. Add and remove LAN addresses using the Add and Remove buttons
Remote Network Details
Remote LAN Network | 172.23.9.0/24 | Select Remote LAN Address. Add and remove LAN addresses using the Add and Remove buttons

Click OK to create the IPSec connection.

Step 2: Activate Connection

On clicking OK, the following screen is displayed showing the connection created above.

Click the icon under Status (Active) to activate the connection.


Site B Configuration

The configuration is to be done from Site B's Cyberoam Web Admin Console using a profile having read-write administrative rights for the relevant feature(s).

Step 1: Create IPSec Connection

To create a new IPSec connection, go to VPN > IPSec > Connection and click Add. Create the connection using the following parameters.

Parameter Description

Parameter | Value | Description
Name | SiteB_to_SiteA | Name to identify the IPSec Connection
Connection Type | Site to Site | Select type of connection. Available options: Remote Access, Site to Site, Host to Host
Policy | DefaultBranchOffice | Select policy to be used for the connection
Action on VPN Restart | Initiate | Select the action for the connection. Available options: Respond Only, Initiate, Disable
Authentication details
Authentication Type | Preshared Key | Select Authentication Type. Authentication of user depends on the connection type.
Preshared Key | 123456789 | Preshared key should be the same as that configured at the remote site.
Endpoints Details
Local | PortB-22.23.24.25 | Select local port which acts as end-point of the tunnel
Remote | 14.15.16.17 | Specify IP address of the remote endpoint.
Local Network Details
Local Subnet | 172.23.9.0/24 | Select Local LAN Address. Add and remove LAN addresses using the Add and Remove buttons
Remote Network Details
Remote LAN Network | 10.5.6.0/24 | Select Remote LAN Address. Add and remove LAN addresses using the Add and Remove buttons

Click OK to create the IPSec connection.

Step 2: Activate and Establish Connection

On clicking OK, the following screen is displayed showing the connection created above.

Click the icons under Status (Active) and Status (Connection).

The above configuration establishes an IPSec connection between the two (2) sites.

 

Note:

- Make sure that Firewall Rules that allow LAN to VPN and VPN to LAN traffic are configured.
- In a Head Office and Branch Office setup, usually the Branch Office acts as the tunnel initiator and the Head Office acts as the responder, for the following reasons:
    - Since Branch Offices or other Remote Sites have dynamic IPs, the Head Office is not able to initiate the connection.
    - As there can be many Branch Offices, to reduce the load on the Head Office it is good practice that the Branch Offices retry the connection instead of the Head Office retrying all the branch office connections.
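The following added example (not Cyberoam code) checks that the Site A and Site B definitions from the two parameter tables above mirror each other before either side is activated: endpoints and subnets swapped, the same preshared key on both sides, and one side set to Initiate as the note recommends. SITE_A and SITE_B are constructed from the article's values; the minimum preshared key length and the function names are this example's assumptions.

```python
"""Consistency check for a pair of site-to-site IPSec connection definitions.

Added example, not Cyberoam code. SITE_A and SITE_B are constructed from
the article's parameter tables; min_psk_len is an assumption of the check.
"""
from ipaddress import ip_network

SITE_A = {
    "name": "SiteA_to_SiteB",
    "connection_type": "Site to Site",
    "action_on_vpn_restart": "Respond Only",
    "authentication_type": "Preshared Key",
    "preshared_key": "123456789",
    "local_endpoint": "14.15.16.17",
    "remote_endpoint": "22.23.24.25",
    "local_subnets": ["10.5.6.0/24"],
    "remote_subnets": ["172.23.9.0/24"],
}

SITE_B = {
    "name": "SiteB_to_SiteA",
    "connection_type": "Site to Site",
    "action_on_vpn_restart": "Initiate",
    "authentication_type": "Preshared Key",
    "preshared_key": "123456789",
    "local_endpoint": "22.23.24.25",
    "remote_endpoint": "14.15.16.17",
    "local_subnets": ["172.23.9.0/24"],
    "remote_subnets": ["10.5.6.0/24"],
}


def _nets(cidrs):
    """Normalise CIDR or netmask strings to a set of network objects."""
    return {ip_network(c, strict=False) for c in cidrs}


def check_pair(a, b, min_psk_len=16):
    """Return a list of findings; an empty list means the pair is consistent."""
    findings = []

    # Both ends must describe the same kind of tunnel.
    if not (a["connection_type"] == b["connection_type"] == "Site to Site"):
        findings.append("connection type: both sides must be Site to Site")

    # Endpoints must mirror: A's remote is B's local and vice versa.
    if (a["remote_endpoint"] != b["local_endpoint"]
            or b["remote_endpoint"] != a["local_endpoint"]):
        findings.append("endpoint mismatch: remote of one side is not local of the other")

    # Subnets must mirror in the same way, compared as networks so that
    # 10.5.6.0/24 and 10.5.6.0/255.255.255.0 count as equal.
    if (_nets(a["local_subnets"]) != _nets(b["remote_subnets"])
            or _nets(a["remote_subnets"]) != _nets(b["local_subnets"])):
        findings.append("subnet mismatch: local subnets of one side must equal remote subnets of the other")

    # A local subnet overlapping a remote subnet gives ambiguous routing.
    for loc in _nets(a["local_subnets"]):
        for rem in _nets(a["remote_subnets"]):
            if loc.overlaps(rem):
                findings.append(f"overlap: local {loc} overlaps remote {rem}")

    # Authentication must agree and the key must match on both sides.
    if a["authentication_type"] != b["authentication_type"]:
        findings.append("authentication type differs between sides")
    elif a["authentication_type"] == "Preshared Key":
        if a["preshared_key"] != b["preshared_key"]:
            findings.append("preshared key differs between sides")
        psk = a["preshared_key"]
        if len(psk) < min_psk_len or psk.isdigit():
            findings.append(f"weak preshared key: fewer than {min_psk_len} characters or digits only")

    # After a VPN restart at least one side has to initiate; a side set to
    # Disable never participates.
    actions = {a["action_on_vpn_restart"], b["action_on_vpn_restart"]}
    if "Initiate" not in actions:
        findings.append("no side set to Initiate: tunnel is not re-established after a VPN restart")
    if "Disable" in actions:
        findings.append("a side is set to Disable")
    return findings


def with_changes(site, **changes):
    """Copy of a site definition with some parameters replaced."""
    return {**site, **changes}


if __name__ == "__main__":
    for finding in check_pair(SITE_A, SITE_B):
        print(finding)
```

On the article's values the only finding is the short, all-digit preshared key; with a longer key on both sides the pair passes, and a subnet typo on one side is reported as a mismatch.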

 

 

 

 

      

Document Version: 2.1 – 22 February, 2014
1.2.18. Same IPSec VPN Key is not getting registered in the Client after I formatted my laptop. What can be the reason for the same?

You need to send an email to support@cyberoam.com with the VPN Key to reset the IPSec VPN Key.

Document Version: 1.0 - 31/10/2011
1.2.19. Although IPSec tunnel is active and connected, no traffic is passing through the tunnel. What to do?

Applicable Version: 10.00 onwards

This may happen due to a number of reasons. Given below are steps to troubleshoot the IPSec connection.

Step 1: Check IPSec Configuration

Go to VPN > IPSec and select the connection to check its configuration. In particular, check that the Local and Remote networks are configured correctly.

Step 2: Check if Firewall Rules are created to allow VPN Traffic

Go to Firewall > Rule > Rule and ensure that there are Firewall Rules that allow traffic from LAN to VPN and from VPN to LAN, as shown below.

If the rules are not present, create them.

Step 3: Check for Bad Static Routes

Check the priority of routes in Cyberoam. By default, VPN routes have higher priority than static routes in Cyberoam. In case static routes have been configured to have higher priority, either delete those routes or re-configure the priority of routes.

You can check the priority of routes in Cyberoam by following the steps below.

1.     Logon to CLI Console (Telnet or SSH)
2.     Choose option 4 – Cyberoam Console and press Enter
3.     Execute the following command to view the route precedence.

      console> cyberoam route-precedence show

If Static routes have higher priority than VPN routes, change the route precedence by executing the following command.

      console> cyberoam route-precedence set vpn static

Step 4: Ensure that Traffic from LAN Hosts passes through Cyberoam

Make sure that VPN-destined traffic from LAN Hosts reaches Cyberoam so that it can be forwarded over the VPN Tunnel.

Step 5: Ensure that there is No Routing Loop in the LAN network

Check the routing in the network and make sure that there are no Routing Loops.

Document Version: 1.0 – 30/11/2012
1.2.20. How to configure Email Notifications for IPSec VPN up/down event?

Applicable Version: 10.04.0 Build 214 onwards

You can configure email notifications for the IPSec VPN up/down event by following the steps given below.

1.     Login to Cyberoam Web Admin Console using Administrator profile.

2.     Go to System > Configuration > Notification and enable IPSec Tunnel UP/Down.

3.     Click Apply to save the configuration.

Document Version: 1.1 – 21/06/2013
1.2.21. Why does my site-to-site VPN connection status display Yellow instead of Green?

Applicable Version: 10.00 onwards

The site-to-site VPN connection status is displayed as Yellow while the VPN peers negotiate SA proposals. Once negotiation is complete and the connection is established, the status turns Green. If negotiation fails, the status remains Red.

Document Version: 1.0 – 28/07/2012
1.2.22. How to route Cyberoam initiated traffic through an IPSec VPN tunnel?

Applicable Version: 10.00 onwards

Scenario

The network schema is as shown below. The Administrator can route traffic originating from Cyberoam through an IPSec VPN Tunnel. The Cyberoam is to be connected via IPSec VPN with either another Cyberoam Appliance or a third party solution.

In this example, we have shown Cyberoam connected with another Cyberoam Appliance. The traffic generated by the Branch Office (BO) Cyberoam Appliance is to be routed to the Server 172.16.1.15 in the Head Office (HO) network.

Configuration

You can route Cyberoam initiated traffic through the IPSec VPN tunnel in two (2) ways:

1.   Update in IPSec Connection

Branch Office

Include the WAN IP 192.168.20.178 as a Trusted Local Subnet in the IPSec configuration of the Cyberoam whose traffic is to be routed in the tunnel:

- Go to VPN > IPSec > Connection and select the required IPSec connection.
- Add the WAN IP in Local Subnet under Local Network Details, as shown below.

Head Office

Include the WAN IP 192.168.20.178 as a Remote LAN Network in the IPSec configuration of the Cyberoam whose traffic is to be routed in the tunnel:

- Go to VPN > IPSec > Connection and select the required IPSec connection.
- Add the WAN IP in Remote LAN Network under Remote Network Details, as shown below.

OR

2.   Add IPSec Route at Branch Office

Add an IPSec route and apply a Source NAT policy on BO Cyberoam initiated traffic such that its source IP address is an internal IP:

- Go to Cyberoam CLI Console.
- Choose option 4. Cyberoam Console.
- Execute the following command to add an IPSec Route for the destination Host.

      cyberoam ipsec_route add host <IP Address of host> tunnelname <tunnel>

- Execute the following command to NAT the Cyberoam traffic from its public IP to the private LAN IP.

      console> set advanced-firewall cr-traffic-nat add destination <Destination IP/Network> snatip <NATed IP>

Document Version: 1.1 – 06 June, 2014

 

1.2.23. Is it possible to authenticate Site-to-Site VPN users at the Branch office with the Head Office Authentication Server?

Applicable Version: 10.00 onwards

Yes. However, you must keep the following points in mind while configuring the IPSec VPN connection between the HO and BO:

-       In the Branch Office Cyberoam, include the Cyberoam WAN IP as a Trusted Local Subnet in the IPSec configuration.
-       In the Head Office Cyberoam, include the Branch Office Cyberoam WAN IP as a Trusted Remote Subnet in the IPSec configuration.
-       Make sure that the IPSec connection is active and connected.
-       Configure the Head Office Authentication Server in the Branch Office Cyberoam.

Document Version: 1.0 – 28/04/2012
1.2.24. How to view preshared key applied on IPSec connection?

Applicable Version: 10.01.1 build 023 onwards

Follow the steps mentioned below to view the preshared key of an IPSec Connection.

1.  Login to Web Admin Console with a user having the "Administrator" profile.

2.  Go to VPN > IPSec > Connection to add or edit VPN Connections.

3.  Under Authentication Details, click Show Preshared Key to view the Preshared Key applied on the IPSec Connection.

Document Version: 1.0 - 03/01/2012
1.3. SSL VPN
1.3.1. Error <SSL VPN Client Installation Failure in Windows 8/8.1>

Applicable Version: 10.00 onwards

Error

On installing the SSL VPN client on a Windows 8/8.1 machine, the following error may occur.

Solution

To resolve this error, follow the steps given below.

1.  Uninstall the existing SSL VPN Client from the machine.

2.  Go to the Device Manager and, under Other Devices, uninstall the “Unknown Device” driver.

Note:

If you do not find the Unknown Device driver under Other Devices, look under Network adapters. Right-click the Unknown Device driver under Network adapters, disable it and then re-enable it. On enabling, the driver shifts to “Other Devices”. Then, follow the step given above.

3.  Re-download and install the Cyberoam SSL VPN Client from

http://www.cyberoam.com/cyberoamclients.html

The Client is installed successfully. You can verify the installation by going to the Device Manager and checking under Network Adapters that the TAP-Windows Adapter is installed.

Document Version: 1.0 – 15 July, 2014
1.3.2. Obtain the Passphrase for SSL VPN Authentication

Applicable Version: 10.04.0 Build 433 onwards

Overview

Cyberoam allows administrators to configure a passphrase in the Self-Signed Certificates used for SSL VPN Authentication. This passphrase is used as a second level of authentication for SSL VPN users. Users can obtain this passphrase during authentication via three (3) modes: in the Client Bundle, as an On-Screen Link, or by Email.

The passphrase can be configured in any one of the following ways:

-   While generating a Self-Signed Certificate from System > Certificate > Certificate. Check Enable against Key Encryption and specify the Passphrase which is to be used for second level authentication.
-   When you check Enable against Per User Certificate from VPN > SSL > Tunnel Access. This Passphrase is system generated.

Scenario

This article demonstrates how the Administrator can configure the three (3) modes of Passphrase Reception and how the user can obtain the passphrase while authenticating, according to the mode configured. The modes are:

-    Client Bundle
-    On-Screen Link
-    Email

Client Bundle

Configuration of Mode

Login to Cyberoam Web Admin Console using a profile having read-write permission for the relevant features. Go to System > Administration > Settings. Under SSL VPN Settings, select Client Bundle in the Receive Passphrase via parameter.

Obtaining Passphrase

When the Administrator configures the Passphrase Reception Mode as Client Bundle, the passphrase is received in a text file included in the SSL VPN Client configuration. Follow the steps given below to obtain the passphrase from the Client Bundle.

•   Login to the SSL VPN Portal by browsing to https://<WAN IP address of Cyberoam:port> and logging in.

•   Download the Client Configuration by clicking Download SSL VPN Client Configuration – Windows OR Download SSL VPN Client Configuration – MAC Tunnelblick, depending upon your system.

The downloaded file contains a text file named Passphrase which contains the passphrase.


On-Screen Link

Configuration of Mode

Login to Cyberoam Web Admin Console using a profile having read-write permission for the relevant features. Go to System > Administration > Settings. Under SSL VPN Settings, select On-Screen Link in the Receive Passphrase via parameter.

Obtaining Passphrase

When the Administrator configures the Passphrase Reception Mode as On-Screen Link, a link appears on the Portal screen; on clicking it, the user receives the passphrase. Follow the steps given below to obtain the passphrase via the On-Screen Link.

•    Login to the SSL VPN Portal by browsing to https://<WAN IP address of Cyberoam:port> and logging in.

•    Click the Show Link against Receive Passphrase to view the passphrase.


Email

Configuration of Mode

Login to Cyberoam Web Admin Console using a profile having read-write permission for the relevant features. Go to System > Administration > Settings. Under SSL VPN Settings, select Email in the Receive Passphrase via parameter.

Obtaining Passphrase

When the Administrator configures the Passphrase Reception Mode as Email, a link appears on the Portal screen; on clicking it, the user receives an Email that contains the passphrase. Follow the steps given below to obtain the passphrase via Email.

•    Login to the SSL VPN Portal by browsing to https://<WAN IP address of Cyberoam:port> and logging in.

•    Click the Send Email Link against Receive Passphrase to receive an Email containing the passphrase.

Note:

-    The Email is sent to the User’s Email Address, as configured in Cyberoam (Identity > Users).
-    Make sure that a Mail Server is configured in Cyberoam. You can configure the Mail Server from System > Configuration > Notification.

Document Version: 1.0 – 18/06/2013
1.3.3. Configure SSL VPN for Android Devices using OpenVPN Connect

Applicable Cyberoam Version: 10.04.02 Build 527 onwards

Overview

OpenVPN Connect is the official full-featured Android client for the OpenVPN Access Server, Private Tunnel and OpenVPN Community, developed by OpenVPN Technologies, Inc.

OpenVPN Connect can be used to establish an SSL VPN connection between any Android Device and Cyberoam.

Scenario

Configure SSL VPN for an Android Device using OpenVPN Connect.

Cyberoam Configuration

Configure SSL VPN from Cyberoam Web Admin Console. Configuration requires read-write permission for the relevant features.

Configure SSL VPN with Tunnel Access Mode in Cyberoam

To know how to configure SSL VPN in Cyberoam, refer to the article How To – Configure SSL VPN in Cyberoam.

Android Configuration

Configure OpenVPN Connect on your Android Device by following the steps below.

Step 1: Download and Install OpenVPN Connect

Download OpenVPN Connect and install it on your Android Device.

Step 2: Download Cyberoam SSL VPN Client Configuration to Local System

To download the Cyberoam SSL VPN Client Configuration, follow the steps below.

- Access the Cyberoam SSL VPN Portal using the URL https://<WAN IP address of Cyberoam:port> and login to the Portal. If Two Factor Authentication is enabled, refer to the article How to Login in a Two Factor Authentication Environment?
- Click Download SSL VPN Client Configuration – MAC Tunnelblick to download the client configuration and save it on your system.

A compressed file called ClientBundle.tgz is downloaded and saved at the location you specified.

Note:

The SSL VPN Client Configuration for MAC Tunnelblick is compatible with Macintosh, iOS and Android platforms.

Step 3: Extract ClientBundle.tgz to your local system

Extract ClientBundle.tgz to your local system. The following files are obtained.

-       UserPrivateKey.key
-       UserCertificate.pem
-       RootCertificate.pem
-       Client.ovpn

Step 4: Configure client.ovpn file

You need to edit the configuration of the client.ovpn file ONLY IF either or both of the following criteria apply:

- Your OpenVPN Connect version is below 1.1.11 Build 44.
- Your network has Two Factor Authentication configured.

OpenVPN Connect Version below 1.1.11 Build 44

If your OpenVPN Connect version is 1.1.11 Build 44 or above, skip to Step 5.

Double click client.ovpn to open it in a text editor.

- If the Protocol for the SSL VPN connection is configured as TCP, then set the parameter proto as TCP. If the Protocol is configured as UDP, no change is required.
- Set the parameter reneg-sec to 3600.

Note:

For OpenVPN Connect version 1.1.11 Build 44 and below, it is mandatory to set the value of reneg-sec to 3600, and to set proto according to the protocol being used for the SSL VPN connection. For more information, please refer to the links given below:

-    Sourceforge
-    OpenVPN


Two Factor Authentication Configured

 

If Two Factor Authentication is not configured in your network, skip to Step 5.

 

Double click client.ovpn to open it in a text editor and add the parameter:

 

ping-restart 65

 

 
 
 
Step 5: Transfer SSL VPN Configuration files to Android Device
 
Transfer the files mentioned above (UserPrivateKey.key, UserCertificate.pem, RootCertificate.pem, Client.ovpn) from your local system to your Android Device.
 

Step 6: Import SSL VPN Configuration to OpenVPN Connect in Android Device

·         Launch OpenVPN Connect and click Settings.
 
 
 
 
·         Click Import to import the client.ovpn file included in the SSL VPN Configuration files.
 
 
 
 
 
 

Step 7: Connect to Cyberoam

Once the files are imported, a new VPN profile is created according to the configuration in client.ovpn. Enter the Password and click Connect to establish the connection with Cyberoam. If Two Factor Authentication is enabled, refer to the article How to Login in a Two Factor Authentication Environment?
 
 
 
 
 
 
 
The above configuration establishes an SSL VPN connection between Cyberoam and Android Device using OpenVPN Connect.
 






                                                                                                                                                                                 Document Version: 1.3 – 13/09/2013
1.3.4. Configure SSL VPN for iPhone/iPad using OpenVPN Connect

Applicable Version: 10.04.02 Build 527 onwards
 
Overview
 
OpenVPN Connect is the official full-featured iPhone/iPad client for the OpenVPN Access Server, Private Tunnel and OpenVPN Community, developed by OpenVPN Technologies, Inc.

OpenVPN Connect can be used to establish SSL VPN connection between iPhone/iPad and Cyberoam.
 

Scenario

Configure SSL VPN for iPhone using OpenVPN Connect.
 

Configuration

You can configure SSL VPN for iPhone using OpenVPN Connect by following the steps below.  

Step 1: Configure SSL VPN with Tunnel Access Mode in Cyberoam

To know how to configure SSL VPN in Cyberoam, refer to the article How To – Configure SSL VPN in Cyberoam.
 

Step 2: Download and Install OpenVPN Connect
 
Download OpenVPN Connect and install it on your iPhone.
 

Step 3: Download Cyberoam SSL VPN Client Configuration

To download Cyberoam SSL VPN Client Configuration, follow the steps below.

·         Access the Cyberoam SSL VPN Portal using the URL https://<WAN IP address of Cyberoam>:<port> and login to the Portal. If Two Factor Authentication is enabled, refer to the article How to Login in a Two Factor Authentication Environment?
 
 
·         Click Download SSL VPN Client Configuration – MAC Tunnelblick to download the client configuration and save it in your system.
 
 
 

A compressed file called ClientBundle.tgz is downloaded and saved at your mentioned location.

Note:

The SSL VPN Client Configuration for MAC Tunnelblick is compatible with Macintosh as well as iOS.

Step 4: Extract ClientBundle.tgz to your local system

Extract ClientBundle.tgz to your local system. The following files are obtained.

-       UserPrivateKey.key
-       UserCertificate.pem
-       RootCertificate.pem
-       Client.ovpn 

Step 5: Configure client.ovpn file

You need to edit the configuration of the client.ovpn file ONLY IF any or both of the following criteria are applicable:
 
·   If your OpenVPN Connect version is below 1.0.1 Build 88.
·   If your network has Two Factor Authentication configured.

OpenVPN Connect Version below 1.0.1 Build 88

If your OpenVPN Connect version is 1.0.1 Build 88 or above, skip to Step 6.

 

Double click client.ovpn to open it in a text editor. 


·    If the Protocol for the SSL VPN connection is configured as TCP, set the parameter proto to tcp. If the Protocol is configured as UDP, no change is required.
·    Set the parameter reneg-sec to 3600.
 
 

 

 

Note:

 

For OpenVPN Connect versions below 1.0.1 Build 88, it is mandatory to set the value of reneg-sec to 3600 and to set proto according to the protocol being used for the SSL VPN connection. For more information, please refer to the links given below:
 
-        Sourceforge
-        OpenVPN

 

 

Two Factor Authentication Configured

 

If Two Factor Authentication is not configured in your network, skip to Step 6.

 

Double click client.ovpn to open it in a text editor and add the parameter:

 

ping-restart 65

 

 

Step 6: Import all files to OpenVPN Connect

Import the files mentioned above into OpenVPN Connect using iTunes. Once the files are imported, a new VPN profile gets created pertaining to configuration mentioned in client.ovpn.
 

Step 7: Connect to Cyberoam

·         Select the newly created profile to connect to Cyberoam.
 
 
 
 
·         Enter user credentials and connect to Cyberoam. If Two Factor Authentication is enabled, refer to the article How to Login in a Two Factor Authentication Environment? 
  
 
 
 
 
 
 
 
 
                                                                                                  Document Version: 1.2 – 12/09/2013
1.3.5. Allow an SSL VPN User Access to an Application Hosted at Remote Side of an IPSec Connection

Applicable Version: 10.00 onwards
 
Overview
 
This article describes how you can allow an SSL VPN user access to an application hosted at the remote side of an IPSec VPN connection.
 

Scenario

Allow any SSL VPN user, connected to Head Office Network, access to the RDP Server hosted in the Branch Office network as shown below. The Head Office and Branch Office are connected via an IPSec VPN tunnel.
 
 
 
 
 

Prerequisite

The Head Office and Branch Office should be connected via an IPSec VPN connection.
 

Configuration

In the IPSec configuration, you allow the SSL VPN user access to the RDP server by adding the Head Office WAN IP to the trusted Local Networks on the Head Office side and to the trusted Remote Networks on the Branch Office side. The WAN IP, rather than the SSL VPN lease range, is what matters here because the RDP bookmark is served in Application Access mode: the Head Office Cyberoam proxies the RDP session itself, so the traffic enters the IPSec tunnel with the appliance's WAN IP as its source.
 

Head Office Configuration

To configure the Head Office Cyberoam, follow the steps given below.

Step 1: Create Bookmark for RDP Service

Go to VPN > SSL > Bookmark and click Add to add a bookmark using the following parameters.
 
 
 
 
 
Parameter Description

Parameter | Value | Description
Name | RDP | Name to identify the Bookmark.
Type | RDP | Select the type of Bookmark. Available options: HTTP, HTTPS, RDP, Telnet, SSH, FTP
URL | 172.16.16.17 | IP address of the RDP server in the Branch Office network.

 
 
 

Step 2: Create SSL VPN Policy

Create an SSL VPN policy to allow access to the RDP server. Go to VPN > SSL > Policy and click Add to add an SSL VPN policy using the following parameters.
 
 
 
 
Parameter Description

Add SSL VPN Policy

Parameter | Value | Description
Name | Access_RDP | Name to identify the SSL VPN policy.
Access Mode | Application Access Mode | Select the access mode.

Application Access Settings
Accessible Resources | RDP | Select Bookmarks/Bookmark Groups that the remote user can access.

 
 

Step 3: Create IP Host Object of Head Office WAN IP

Go to Objects > Hosts > IP Host and click Add to create an IP Host using the following parameters.
 
 
  

Parameter Description

Parameter | Value | Description
Name | 192.168.20.182 | Name to identify the Host.
Type | IP | Select the type of Host. Available options: IP, Network, IP Range, IP List
IP Address | 192.168.20.182 | Specify the IP address of the Host.

 
 

Step 4: Include Host in Trusted Local Subnet in IPSec Connection

Go to VPN > IPSec > Connection and select the Head_to_Branch IPSec connection.
 
 
 
 
 
Add the Head Office WAN IP, i.e., 192.168.20.182, to the Trusted Local Subnet of the connection.
 
 
 
 

Branch Office Configuration

To configure the Branch Office Cyberoam, follow the steps given below.

Step 1: Create IP Host Object of Head Office WAN IP

Go to Objects > Hosts > IP Host and click Add to create an IP Host using the following parameters.
 
 
 
 
Parameter Description

Parameter | Value | Description
Name | 192.168.20.182 | Name to identify the Host.
Type | IP | Select the type of Host. Available options: IP, Network, IP Range, IP List
IP Address | 192.168.20.182 | Specify the IP address of the Host.

 

 

Step 2: Include Host in Trusted Remote Subnet in IPSec Connection

Go to VPN > IPSec > Connection and select the Branch_to_Head IPSec connection.
 
 
 
 
Add the Head Office WAN IP, i.e., 192.168.20.182, to the Trusted Remote Subnet of the connection.
 
 
 
 
Once the above configuration is done at the Head Office and the Branch Office side, the SSL VPN user is able to access RDP server located at the Branch Office.




                                                                                                                                                                                          Document Version: 1.0 – 28/07/2012
1.3.6. Configure SSL VPN for Macintosh OS X using Tunnelblick VPN client

Applicable Version: 10.00 onwards

Overview

Tunnelblick is an open source graphical user interface for OpenVPN-based SSL VPN on Macintosh (Mac) OS X. It comes as a ready-to-use application with all necessary binaries and drivers and does not require any additional installation. You just need to add the VPN tunnel configuration and encryption information.

 

Tunnelblick Client can be used to establish SSL VPN connection between Mac OS and Cyberoam. 

Scenario

Configure SSL VPN for Mac OS X using Tunnelblick VPN client. 

Configuration

You can configure SSL VPN for Mac OS X using Tunnelblick VPN client by following the steps below. Configuration is to be done in Cyberoam and Mac OS using profile having read-write administrative rights for relevant features. 

Step 1: Configure SSL VPN with Tunnel Access Mode in Cyberoam

To know how to configure SSL VPN in Cyberoam, refer to the article How To – Configure SSL VPN in Cyberoam

Step 2: Download and Install Tunnelblick Client

Download Tunnelblick Client from http://code.google.com/p/tunnelblick/ and install it on your Mac workstation.  

Step 3: Download Cyberoam SSL VPN Client Configuration

To download Cyberoam SSL VPN Client Configuration, follow the steps below.


   Access the Cyberoam SSL VPN Portal using the URL https://<WAN IP address of Cyberoam>:<port> and login to the Portal.

 


    
Click Download SSL VPN Client Configuration – MAC Tunnelblick to download the client configuration specific for Mac OS and save it in your system.

 

 

A compressed file called clientbundle.tar is downloaded and saved in your system.  

Step 4: Extract clientbundle.tar

Double-click clientbundle.tar to extract it.

 

 

 

A folder named ‘clientbundle’ is extracted, which contains two files: CRSSLconfig.tblk and Passphrase.txt.

 

CRSSLconfig.tblk: This is a Tunnelblick configuration file containing information about the VPN configuration with Cyberoam and CA Certificate.

Passphrase.txt: This file contains the passphrase to be used by user during SSL VPN Authentication.
 
 

 

Note:

 

Passphrase.txt is present in the clientbundle ONLY IF configured in Cyberoam. For more details refer to article How To - Obtain the Passphrase for SSL VPN Authentication

Step 5: Install Configuration in Tunnelblick

Double-click CRSSLconfig.tblk to install the Cyberoam SSL configuration in Tunnelblick. The following screen appears.

 

 

If you want to install the configuration for all users of the system, click All Users. Otherwise, click Only Me. On a shared workstation, Only Me is the safer choice, since the configuration carries the certificate material used to authenticate to Cyberoam. The VPN configuration for Cyberoam gets installed in Tunnelblick.


Step 6: Establish SSL VPN Connection with Cyberoam

•    Launch the Tunnelblick Client from Finder > Applications > Tunnelblick.app. Click the Tunnelblick icon that appears in the menu bar at the top of the screen and click Connect CRSSLconfig.

 

•    Login to establish an SSL VPN connection with Cyberoam at remote site.
 

 

 

 

 

The above configuration applies Cyberoam SSL VPN Client Configuration to Tunnelblick client in Mac OS X and establishes an SSL VPN connection with Cyberoam at a remote site.

 






                                                                                                                                                Document Version: 2.0 – 25 February, 2014

1.3.7. Configure SSL VPN in Cyberoam
 
Applicable Version: 10.00 onwards

Overview
 
SSL (Secure Sockets Layer) VPN provides simple-to-use, secure access for remote users to the corporate network from anywhere, at any time. It creates point-to-point encrypted tunnels between the remote user and the company’s internal network, requiring a combination of SSL certificates and a username/password for authentication.

Cyberoam allows remote users access to the corporate network in 3 Modes:

-       Tunnel Access Mode: User gains access through a remote SSL VPN Client.

-       Web Access Mode: Remote users can access SSL VPN using a web browser only, i.e., clientless access.

-       Application Access Mode: users can access web applications as well as certain enterprise applications through a web browser, i.e., clientless access.
 

Scenario

Configure SSL VPN in Cyberoam such that the remote user shown in the diagram below is able to access the Web and Intranet Servers in the company’s internal network. The user is to have Full Access, i.e., Tunnel, Web and Application Access. The network particulars given below are used as an example throughout this article.
 
 
 
 

Network Parameters

Configuration Parameter | Value
Cyberoam WAN IP | 203.10.10.100
LAN Network | 172.16.16.0/24
Intranet Server IP | 172.16.16.1
Web Server IP | 172.16.16.2
IP Range Leased to user after successful connection through SSL VPN | 10.10.10.1 to 10.10.10.254



Configuration

Configure SSL VPN in Cyberoam by following the steps given below. You must be logged on to the Web Admin Console as an administrator with Read-Write permission for relevant feature(s).

Step 1: Generate Default Certificate Authority

To generate the default Certificate Authority, go to System > Certificate > Certificate Authority and click Default CA.

Update the Default CA as shown below. 
 
 

Click OK to generate Default Certificate Authority. 

Note:

If you are using an external certificate authority, you can upload the same by following steps mentioned in the article Add an External Certificate Authority (CA) in Cyberoam.

Step 2: Create self-signed Certificate

To create a self-signed Certificate, go to System > Certificate > Certificate and click Add. Generate a Self Signed Certificate as shown below. 

 

Click OK to create the certificate.

Step 3: Configure SSL Global Parameters

To set global parameters for tunnel access, go to VPN > SSL > Tunnel Access and configure tunnel access settings with following values:
 
 

Parameter | Value | Description
Protocol | TCP | Select the default protocol for all the SSL VPN clients.
SSL Server Certificate | SSLVPN_SelfSigned | Select the SSL Server certificate to be used for authentication from the dropdown list.
Per User Certificate | Disabled | The SSL server uses a certificate to authenticate the remote client. You can use a common certificate for all users or create an individual certificate for each user. With a common certificate, the certificate only shows that the client holds the bundle; the username/password (and Two Factor Authentication, if configured) identify the user.
SSL Client Certificate | SSLVPN_SelfSigned | Select the SSL Client certificate from the dropdown list if you want to use a common certificate for authentication.
IP Lease Range | 10.10.10.1 to 10.10.10.45 | Specify the range of IP addresses reserved for the SSL Clients.
Subnet Mask | 255.255.255.0 | Specify the subnet mask.
Primary DNS | 4.2.2.2 | Specify the IP address of the Primary DNS.
Secondary DNS | 8.8.8.8 | Specify the IP address of the Secondary DNS.
Enable DPD | Enabled | Click to enable Dead Peer Detection.
Check Peer after every | 60 | Specify the time interval, in the range of 60 to 3600 seconds, after which the peer should be checked for its status.
Disconnect after | 300 | Specify the time interval, in the range of 300 to 1800 seconds, after which the connection should be disconnected if the peer is not live.
Idle Time Out | 15 | Specify the idle timeout. The connection is dropped after the configured inactivity time and the user is forced to re-login.
Data Transfer Threshold | 250 | Once the idle timeout is reached, before dropping the connection, the appliance checks the data transferred during that period. If the data transfer is below the configured threshold, the connection is dropped; otherwise it is kept alive.

 
 
 
To set global Idle Time for Web Access Mode, go to VPN > SSL > Web Access and set Idle Time as shown below. 
 
 

Step 4: Create Bookmarks (Applicable for Web and Application Access Mode Only)

Bookmarks are the resources whose access is available through SSL VPN Web portal. You can also create a group of bookmarks that can be configured in SSL VPN Policy. These resources are available in Web and Application Access mode only.

To create Bookmark, go to VPN > SSL > Bookmark and click Add. Create Bookmark using following parameters. 
 

Parameter | Value | Description
Name | Telnet | Name to identify the Bookmark.
Type | TELNET | Specify the type of bookmark.
URL | 192.168.1.120 | Specify the URL at which telnet sessions are allowed to remote users.

 
  

Click OK to create Bookmark.

Similarly, create a bookmark Intranet of type HTTP to allow access to the internal Intranet server.
Note:
 
Intranet is accessible in Web as well as Application Access Mode, while Telnet is accessible in Application Access Mode.

Step 5: Configure SSL VPN Policy

To configure SSL VPN policy, go to VPN > SSL > Policy and click Add. Create policy using parameters given below.

Parameter Description
 
 

Add SSL VPN Policy

Parameter | Value | Description
Name | Full_Access | Name to identify the SSL VPN policy.
Access Mode | Tunnel Access Mode, Web Access Mode, Application Access Mode | Select the access mode(s) by clicking the appropriate option.

Tunnel Access Settings
Tunnel Type | Split Tunnel | Select the tunnel type. It determines how the remote user’s traffic is routed: with Split Tunnel, only traffic to the Accessible Resources goes through the tunnel and everything else leaves the remote host directly, so keep Accessible Resources to the hosts and networks the user actually needs.
Accessible Resources | <As required> | Select Hosts or Networks that the remote user can access.
DPD Settings | Use Global Settings | You can customize and override the global Dead Peer Detection setting.
Idle Time out | Use Global Settings | You can use the global settings or customize the idle timeout.

Web Access Settings
Enable Arbitrary URL Access | Enabled | Enable to access custom URLs not defined as Bookmarks.
Accessible Resources | Intranet | Select Bookmarks/Bookmark Groups that the remote user can access.
Idle Time out | Use Global Settings | You can use the global settings or customize the idle timeout.

Application Access Settings
Accessible Resources | Intranet, Telnet | Select Bookmarks/Bookmark Groups that the remote user can access.

 
 
 

Step 6: Apply SSL VPN Policy on User

To apply SSL VPN policy on user, follow the steps given below.

Go to Identity > Users > User and select the user to which policy is to be applied. Here we have applied it on user John Smith. Under Policies section, select Full_Access for SSL VPN as shown below. 
 
 
 
Click OK to update the user’s SSL VPN Policy.

Note:

Make sure that Firewall Rules allowing traffic from LAN to VPN and vice versa are present. If they are not present, create them manually. They are necessary for the VPN connections to function properly.
 

Step 7: Download and Install SSL VPN Client at Remote End

Remote users can login to the Cyberoam SSL VPN Portal by browsing to https://<WAN IP address of Cyberoam>:<port> and logging in.

Note:

Use default port: 8443 unless customized. Access is available only to those users who have been assigned an SSL VPN policy. 
 
 
 
User is directed to the Main Page which displays Tunnel, Web or Application Access Mode section according to policy applied on user. 
 
 

For Tunnel Access, user needs to access internal resources through an SSL VPN Client.

-       Download the SSL VPN client by clicking “Download Client” and follow the on-screen instructions.

-       Install the client on the remote user’s system.

-       On complete installation, the CrSSL Client icon appears in the system tray. Login to the Client and access the company’s internal network through SSL VPN.

For Web and Application Access, the user can access internal resources using a web browser, i.e., clientless access. In this case the user needs to browse to https://<WAN IP address of Cyberoam>:<port> and login.
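The portal in Step 7 is served with the self-signed SSLVPN_SelfSigned certificate created in Step 2, so browsers and the OpenVPN-based clients have nothing to chain it to and warn on first contact. Rather than teaching users to click through that warning, record the certificate's SHA-256 fingerprint once (from the certificate itself, or on first contact from a trusted network) and compare it on later connections. The script below is an added example and not part of Cyberoam's documentation or software; the host 203.10.10.100 and port 8443 come from this article, while the function names and the CRSSL_CHECK variable are the example's own.

```shell
#!/bin/sh
# Added example (not Cyberoam tooling): pin the SSL VPN portal certificate by
# SHA-256 fingerprint instead of accepting the self-signed-certificate warning.
# Assumptions: 203.10.10.100:8443 are the article's values; the expected
# fingerprint was taken from the certificate on Cyberoam or on a first, trusted
# contact. Requires the openssl command-line tool on the client.
set -eu

# Reduce any spelling of a fingerprint ("SHA256 Fingerprint=ab:cd:..", lower
# case, with or without colons) to bare upper-case hex for exact comparison.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ':' | tr 'a-f' 'A-F'
}

# SHA-256 fingerprint of a PEM certificate file (e.g. one exported from Cyberoam).
pem_fingerprint() {
    normalize_fp "$(openssl x509 -in "$1" -noout -fingerprint -sha256)"
}

# SHA-256 fingerprint of the certificate the live portal presents on the wire.
portal_fingerprint() {
    host=$1; port=${2:-8443}
    normalize_fp "$(openssl s_client -connect "$host:$port" -servername "$host" \
        </dev/null 2>/dev/null | openssl x509 -noout -fingerprint -sha256)"
}

# Exit status 0 only when both spellings denote the same, non-empty fingerprint.
fingerprints_match() {
    [ -n "$1" ] && [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]
}

# Compare the live portal with the pinned value; non-zero means do not log in.
verify_portal() {
    host=$1; port=$2; expected=$3
    actual=$(portal_fingerprint "$host" "$port")
    if fingerprints_match "$expected" "$actual"; then
        echo "portal $host:$port presents the pinned certificate"
    else
        echo "MISMATCH for $host:$port: got $actual, expected $(normalize_fp "$expected")" >&2
        return 1
    fi
}

# Usage: CRSSL_CHECK=1 ./verify_portal.sh 203.10.10.100 8443 'AB:CD:...'
if [ "${CRSSL_CHECK:-0}" = 1 ]; then
    verify_portal "$1" "$2" "$3"
fi
```

Run it before entering credentials; a non-zero exit is the signal to stop and check with the administrator rather than to accept the warning. The same fingerprint can be published to users alongside the portal URL so that the first contact is verifiable too.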

                                                                                                                                                                              









                                                                                                                                                               Document Version: 3.0 – 10 July, 2014
1.3.8. Configure SSL VPN Client in Linux
 

Applicable to Version: 10.00 onwards

The OpenVPN package is used in Linux to configure the SSL VPN Client.

Configuration

Follow the below mentioned steps to configure SSL VPN Client in Linux.

Step 1: Configure SSL VPN on Cyberoam 


Refer to SSL VPN User Guide for details on how to configure SSL VPN on Cyberoam.
 
 
Step 2: Download SSL VPN Client Configuration

Logon to SSL VPN portal with the help of username and password of SSL VPN policy member.
 
 
 
 
Click Download SSL VPN Client Configuration to download and install SSL VPN client.
 
 
 
 
 

Step 3: Linux Configuration


Ubuntu flavor of Linux has been taken as an example in this article for Linux Configuration.
 
1.     Extract the bundle using the tar command:

       $ tar zxvf clientbundle.tgz

2.     Go to the "CRSSLconfig/pem" folder and open the file client.crssl in a text editor.

3.     Comment out the following lines in the configuration file. They are Windows-only OpenVPN options and are not used on Linux:

       #dhcp-renew
       #dhcp-release

       Add the following lines at the end of the configuration file:

       status crssl_client_status.log
       ca ./RootCertificate.pem
       cert ./UserCertificate.pem
       key ./UserPrivateKey.key

       Save and exit the configuration file.

4.     Install OpenVPN using the following command:

       $ sudo apt-get install openvpn

       Run the following command as root from inside the "CRSSLconfig/pem" folder; the certificate and key paths added above are relative to it:

       $ sudo openvpn --config client.crssl

       Enter the SSL VPN username and password when prompted.
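The edits in Step 3 above and the client.ovpn edits in the OpenVPN Connect articles for Android and iPhone/iPad earlier in this chapter are the same kind of change: set or add a handful of OpenVPN directives, and on Linux disable the Windows-only DHCP ones. The script below is an added example, not Cyberoam or OpenVPN tooling, that applies those edits so they can be re-run without producing duplicate lines, and that checks the bundle before connecting. It assumes the file names and layout used in these articles (CRSSLconfig/pem with client.crssl or client.ovpn, RootCertificate.pem, UserCertificate.pem, UserPrivateKey.key); the function names and the CRSSL_RUN variable are the example's own.

```shell
#!/bin/sh
# Added example (not Cyberoam's or OpenVPN's tooling): apply the Cyberoam client
# configuration edits from the articles above in a repeatable way.
# Assumed layout, taken from the article: CRSSLconfig/pem holds client.crssl
# (client.ovpn for the mobile bundles), RootCertificate.pem, UserCertificate.pem
# and UserPrivateKey.key. Function names and CRSSL_RUN are this example's own.
set -eu

# Set "<name> <value>" in an OpenVPN config. An existing line for the directive,
# commented out or not, is replaced; otherwise the line is appended. Re-running
# therefore never produces duplicates.
set_directive() {
    cfg=$1; name=$2; value=$3
    if grep -Eq "^#?${name}( |\$)" "$cfg"; then
        sed -e "s|^#\{0,1\}${name}\$|${name} ${value}|" \
            -e "s|^#\{0,1\}${name} .*\$|${name} ${value}|" "$cfg" > "$cfg.tmp"
        mv "$cfg.tmp" "$cfg"
    else
        printf '%s %s\n' "$name" "$value" >> "$cfg"
    fi
}

# Comment out a directive if it is active (used for dhcp-renew / dhcp-release,
# which are Windows-only OpenVPN options the Linux client must not see).
disable_directive() {
    cfg=$1; name=$2
    sed -e "s|^${name}\$|#${name}|" -e "s|^${name} |#${name} |" "$cfg" > "$cfg.tmp"
    mv "$cfg.tmp" "$cfg"
}

# Append a literal line unless an identical line is already present.
ensure_line() {
    cfg=$1; line=$2
    grep -qxF -- "$line" "$cfg" || printf '%s\n' "$line" >> "$cfg"
}

# client.ovpn edits for OpenVPN Connect on Android/iOS.
#   proto:       tcp or udp, the Protocol set under VPN > SSL > Tunnel Access
#   old_client:  yes if OpenVPN Connect predates the build named in the article
#   two_factor:  yes if Two Factor Authentication is configured
prep_openvpn_connect() {
    cfg=$1; proto=$2; old_client=$3; two_factor=$4
    if [ "$old_client" = yes ]; then
        [ "$proto" = tcp ] && set_directive "$cfg" proto tcp
        set_directive "$cfg" reneg-sec 3600
    fi
    [ "$two_factor" = yes ] && ensure_line "$cfg" 'ping-restart 65'
    return 0
}

# client.crssl edits for the OpenVPN package on Linux (Step 3 above).
prep_linux_openvpn() {
    cfg=$1
    disable_directive "$cfg" dhcp-renew
    disable_directive "$cfg" dhcp-release
    ensure_line "$cfg" 'status crssl_client_status.log'
    ensure_line "$cfg" 'ca ./RootCertificate.pem'
    ensure_line "$cfg" 'cert ./UserCertificate.pem'
    ensure_line "$cfg" 'key ./UserPrivateKey.key'
}

# Before connecting: every file the config references must sit beside it (the
# paths are relative, which is why openvpn is run from inside CRSSLconfig/pem),
# and the private key that authenticates you should be readable by you alone.
check_bundle() {
    dir=$1
    for f in RootCertificate.pem UserCertificate.pem UserPrivateKey.key; do
        [ -f "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
    done
    chmod 600 "$dir/UserPrivateKey.key"
}

# Usage on Linux: CRSSL_RUN=1 ./prep_crssl.sh CRSSLconfig/pem
if [ "${CRSSL_RUN:-0}" = 1 ]; then
    check_bundle "$1"
    prep_linux_openvpn "$1/client.crssl"
    echo "ready: run 'sudo openvpn --config client.crssl' from inside $1"
fi
```

For the mobile bundles, call prep_openvpn_connect on client.ovpn on the local system before transferring the files to the device, for example prep_openvpn_connect client.ovpn tcp yes no for a TCP portal, an old OpenVPN Connect build and no Two Factor Authentication. Because every edit is idempotent, the script can be run again after downloading a fresh bundle without hand-checking the file.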
 
 
 
 
 
 
 
 

Step 4: View Live User


Logon to the Cyberoam Web Admin Console and go to VPN > Live Users > SSL VPN.

You can view the user “Cyberoam” logged in.
 
 
                                                                                                                                                                                                Document Version: 1.0 – 05/03/2012
 
 
 
Disclaimer:
 
Steps described in this document are for reference purposes only. Cyberoam is not responsible for any malfunction or misbehaviour on the part of the OpenVPN Client. Kindly contact OpenVPN support to resolve any such issues.
1.3.9. Access Arbitrary URLs through Cyberoam’s SSL VPN Portal

Applicable to Version: 10.00 onwards

Cyberoam SSL VPN allows users to access Internal/External URLs through bookmarks. Most of the resources are migrating to the cloud and thus are hosted on arbitrary URLs because of the shift in technology and benefits of cloud computing.

E.g. :
https://example.com:9090/forms/frmservlet?config=PROD
is difficult to publish through bookmark.

Note:

This is a “dummy URL” and would not correspond to a resource on the Internet.

To allow access of such URLs, Cyberoam provides options to access “Arbitrary URLs” through Cyberoam’s SSL VPN portal.

Prerequisites
 
  • This document is intended for Cyberoam administrators, and it is assumed that he/she has knowledge of deploying, administering and configuring Cyberoam.
     
  • It is assumed that Cyberoam has a way to resolve the hostname mentioned in the Arbitrary URL.

    Solution 
     
    Step 1
     
    Go to VPN > SSL > Policy and edit the existing SSL VPN Policy to configure the Arbitrary URL access option on Cyberoam.
     

    Once Arbitrary URL access is enabled, the user can access any URL, on the Internet or on the intranet, through the portal. This effectively makes the portal a web proxy for that user, so assign the policy only to users who need it.

    Note:

    If the user wants to access an intranet URL, make sure that Cyberoam can resolve its hostname: DNS resolution for arbitrary URLs is done on Cyberoam, not on the user’s system.

    Step 2

    Login to Cyberoam SSL VPN Portal to Access the arbitrary URL by pasting it in the address bar.

    Note: By default, Cyberoam SSL VPN Portal is accessible on https://<ip address of Cyberoam>:8443
     

    This would let the remote user access the URL https://example.com:9090/forms/frmservlet?config=PROD

                                                                                                                                                             Document Version – 1.0 – 16/08/2011
     
     
     
1.3.10. Access ActiveX applications through (Web Access) SSL VPN Bookmark
     
    Applicable to Version: 10

    Cyberoam’s Application Access Mode under SSL VPN provides the ability to access applications through Java applets or ActiveX.
     
    Scenario: Consider the need for giving administrator remote desktop access to the Active Directory Server and SSH to an internal Cyberoam in bridge mode by publishing bookmarks without the SSL VPN client.
     
    This can be done through publishing of application bookmarks.
     

    Bookmarks are the resources whose access is available through the End-user Web portal. You can also create a group of bookmarks that can be configured in an SSL VPN Policy.

    These resources are available in clientless (Web/Application Access) mode only and are to be configured in an SSL VPN Policy.

    The entire configuration is to be done from Web Admin Console. Access Web Admin Console with user having ‘Administrator’ profile.

    Remote Desktop (RDP)

    Steps

    Go to VPN > SSL > Bookmark and click the “Add” button to create a new Bookmark with the parameters mentioned below.
     
     

    Parameters | Value | Description
    Name | RemoteDesktopAD | Name to identify the Bookmark.
    Type | RDP | This invokes the Java applet that connects over RDP to the published resource when the bookmark is clicked from the SSL VPN Portal.
    URL | rdp://172.16.16.2/ | Specify the IP address of the application server for which the bookmark is to be created.

     

    Click OK and the Bookmark ‘RemoteDesktopAD’ will be added successfully.
     
     

    Secure Shell

    Step 1: Add Bookmark

    Go to VPN > SSL > Bookmark and click the “Add” button to create a new Bookmark with the parameters mentioned below.
     
     

    Parameters | Value | Description
    Name | SSHtoCyberoamBridge | Name to identify the Bookmark.
    Type | SSH | This invokes the Java applet that connects over SSH to the published resource when the bookmark is clicked from the SSL VPN Portal.
    URL | ssh://172.16.16.16/ | Specify the IP address of the application server for which the bookmark is to be created.

     

    Click OK and the Bookmark ‘SSHtoCyberoamBridge’ will be added successfully.
     
     

    Step 2: Create Policy for SSL VPN

    Go to VPN > SSL > Policy and click the “Add” button to add a new SSL VPN Policy with the following parameters.
     
     

    Parameters | Value
    Name | SSL
    Access Mode | Web Access – Enabled; Application Access Mode – Enabled

    Application Access Settings
    Accessible Resources | RemoteDesktopAD, SSHtoCyberoamBridge

     

    Click OK and the SSL VPN Policy ‘SSL’ will be inserted successfully.
     
     

    Step 3: Apply Policy to User 

    • Go to Identity > Users > User
    • Select user to apply SSL VPN policy created in Step 2.
    • Under Policies Section, select ‘SSL’ for SSL VPN
    • Click OK button to update
     
     
    Click OK and the policy will be applied to user and the user will be updated successfully.

    Step 4: Launch SSL VPN Portal

    Login to Cyberoam SSL VPN Portal and as “Application Bookmarks” have been published, the following screen would be displayed on SSL VPN Portal.

    Note: By default, Cyberoam SSL VPN Portal is accessible on https://<ip address of Cyberoam>:8443
     
     

    Step 5: Click Bookmarks

    Click any of the bookmarks above and it will initiate the respective applet as below:
     
     

    Step 6: Execute Applet 

    Click Yes, accept the certificate warning and execute the applet. Before accepting, check that the certificate named in the warning belongs to your Cyberoam rather than accepting such warnings as a matter of routine. The following screen would be displayed:
     
     
     
     
     

    Remote Desktop
    (RDP)
     
    For RDP, the below screen will be visible after following all the above steps (Step 2 to Step 6) from SSH Section:
     

    Click on Connect, and it will launch the RDP screen without the need of executing the mstsc.exe (Remote Desktop) executable.
     
     
                                                                                                                                                   Document Version: 2.0-01/09/2011
     
     
    1.3.11. How can I access SSL VPN portal page using different port?
     
       1.  Login to Web Admin Console with user having “Administrator” profile.
     
       2.  Go to System > Administration > Settings and, under SSL VPN Settings, modify the general port settings. Configure the port number in SSL VPN Port to access the SSL VPN Portal page using a different port.
        
                                                                                                                        Document Version: 1.0 – 17/11/2011
    1.3.12. How to check SSL VPN Logs from CLI?

    Follow the below mentioned steps to check SSL VPN Logs from CLI:

       1.  Login to CLI Console (Telnet or SSH)

       2.  Choose option 4 – Cyberoam Console and press Enter

       3.  Execute the command show sslvpn log (tunnel-access/web-access/application-access), choosing the access mode for which you want to see the logs.
     
            For E.g.: show sslvpn log tunnel-access
     
     
                                                                                                               Document Version: 1.0 – 17/11/2011
    1.3.13. Why I am unable to access network resources after successful connection of SSL VPN from Windows 7/ Vista machine

    The Windows 7 and Vista operating systems have the UAC (User Account Control) security feature enabled, which aims to improve the security of Microsoft Windows by limiting application software to standard user privileges.
     
    Even if you are an administrator, any executable that is going to modify the system runs with lower privileges when UAC is turned ON (Vista and Windows 7). This restricts the CR SSL VPN Client and results in failure of the SSL VPN remote network route addition to the local machine’s routing table.
     
    To allow CR SSL VPN Client to be able to add routes on local machine, right click on the CR SSL VPN Client and specify “Run as Admin”. 
     
    This document consists of two (2) sections:

    How to confirm that UAC is blocking the route addition on machine?

    After you get connected with the CR SSL VPN Client and an IP Address is leased to you, check the status logs to verify if UAC has blocked route addition on local machine.
     
    1. Right click on the SSL VPN Logo on System tray.
    2. Click on Show Status after the IP Address is leased to client.
    3. If it shows logs “route addition failed: Access Denied”, it means UAC is enabled which is preventing the route addition on local machine. Refer the below screen: 
     
     
    How to avoid error “route addition failed: Access Denied” when you dial SSL VPN?

    Follow below steps to avoid error “route addition failed: Access Denied” when you dial SSL VPN.

    1.  Right click on the CR SSL VPN Client logo on desktop and click on properties.
     
     
    2.  Click on “Compatibility” tab and select check box “Run this program as an administrator” and apply the settings.
     

    3.  Go to Start à Run and type “msconfig” and press enter. It will open a System Configuration Window.
     
    4.  Uncheck the crssl-client from the list of startup selection list.
     
     
     
    5.  Next time when you start the CR SSL VPN Client, it will by default launch with the administrative rights and you will get following prompt.
     
     
    Click on Yes and it will allow CR SSL VPN Client to add routes on local machines and you will have no issues accessing remote network resources on successful connection of SSL VPN.
     
                                                                                                                                      Document Version: - 1.0-14/06/2011
    1.3.14. Can I use Cyberoam as an SSL VPN Gateway when it is deployed in Bridge Mode?

    Applicable Version: 10.02.00 Build 224 onwards
     
    Yes. From Cyberoam firmware version 10.02.00 Build 224 onwards, you can configure Cyberoam as an SSL VPN Gateway by using Bridge Pair Configuration.
     
     
     
     
                                                                                                                                     
    1.4. VPN Interoperability
    1.4.1. Establish IPSec VPN connection between Cyberoam and Cradle Point router
    Applicable Version: 10.00 onwards
     
Scenario

Establish an IPSec VPN connection between Cyberoam and a Cradle Point router using preshared key authentication. In this example Cyberoam sits at 1.1.1.1 with LAN 10.10.1.0/24, and the Cradle Point router at 2.2.2.2 with LAN 10.1.1.0/24.
     
     
     
    Cradle Point Configuration

    Administrator privileges for Cradle Point Administration Page are required to add or modify configuration.

    Create IPSec VPN Policy

    Navigate to Tools > IPSec VPN > Add IPSEC Policy and specify the parameters as shown in the table below. Click Advanced for advanced configuration. 

Parameter                        Value
Policy Name                      cyberoam
Remote Gateway                   1.1.1.1 (Cyberoam WAN IP)
Remote Network                   10.10.1.0 (Cyberoam LAN)
Remote Subnet                    255.255.255.0
Local Network                    10.1.1.0 (Cradle Point LAN)
Local Submask                    255.255.255.0
Hash Algorithm                   SHA-1
Cipher Algorithm                 AES 128
DH Group                         Group 2
Phase 1 Key Lifetime             28800
Phase 2 Key Lifetime             3600
Preshared Key                    cyberoam
Aggressive Mode                  Enabled
Perfect Forward Secrecy (PFS)    Enabled
Dead Peer Detection              Disable

     

Click Save Policy and then Save Settings to create the IPSec policy. The preshared key, exchange mode, hash and cipher algorithms, DH group, lifetimes and PFS setting must match the Cyberoam policy below exactly; the preshared key comparison is case-sensitive.
     
     
    Cyberoam Configuration

    You must be logged on to the Web Admin Console as an administrator with Read-Write permission for relevant feature(s).

    To configure IPSec Connection in Cyberoam, follow the steps given below.
     
    Step 1: Create VPN Policy

    Go to VPN > Policy > Policy and click Add to add a new policy. Specify the parameters as shown in the table below.


Parameter: Value
    Description

Name: Policy_Cradle_Point
    Specify a name to identify the VPN policy.

Keying Method: Automatic
    Defines how the keys for the connection are managed. Available options: Automatic, Manual.

Allow Re-Keying: Enabled
    Enable re-keying to start the negotiation process automatically before key expiry.

Key Negotiation Tries: 3
    Maximum number of key negotiation attempts. Set 0 for an unlimited number of attempts.

Authentication Mode: Aggressive Mode
    Mode used for the IKE phase 1 exchange, in which the peers authenticate each other. Available options: Main Mode, Aggressive Mode. Both peers must use the same mode; the Cradle Point policy above has Aggressive Mode enabled. Aggressive Mode sends the peer identity in the clear and lets anyone who captures the exchange attempt offline guessing of the preshared key, so use Main Mode wherever the peer supports it.

Pass Data in Compressed Format: Enabled
    Enable to compress data before encryption to increase throughput. Compression must be set the same on both peers.

Perfect Forward Secrecy (PFS): Enabled
    Enable to perform a fresh Diffie-Hellman exchange for every phase 2 re-key, so that compromise of one key does not expose keys negotiated before or after it; disable to derive all phase 2 keys from the phase 1 keying material.

Phase 1

Encryption Algorithm: AES 128
    Encryption algorithm used by the communicating parties for confidentiality of the phase 1 exchange.

Authentication Algorithm: SHA1
    Hash algorithm used by the communicating parties for integrity of the phase 1 exchange.

DH Group (Key Group): 2 (DH1024)
    Diffie-Hellman group, one of 1, 2, 5, 14, 15 or 16. The group sets the size of the modulus used in the key exchange (1024 bits for group 2) and therefore the strength of the derived keys; it is not the cipher key length. Prefer group 14 (2048 bits) or higher when both peers support it.

Key Life: 28800
    Key life in seconds: the time allowed to pass before the phase 1 key expires.

Re-Key Margin: 120
    Time in seconds before key expiry at which the negotiation of a new key starts automatically, without interrupting communication.

Randomize Re-Keying Margin By: 0
    Amount by which the re-key margin is randomized, so that many tunnels do not all re-key at the same moment.

Dead Peer Detection: Disabled
    Enable to check at regular intervals whether the peer is still alive.

Check Peer After Every: 30
    Interval in seconds after which the peer is checked. Once the connection is established, the peer that initiated the connection checks whether the other peer is alive.

Wait For Response Upto: 120
    Time in seconds the initiating peer waits for a status response. If no response arrives within this time, the peer is considered inactive.

Action When Peer Unreachable: Re-initiate
    Action taken when the peer is found inactive. Available options: Hold (holds the connection), Disconnect (closes the connection), Re-initiate (re-establishes the connection).

Phase 2

Encryption Algorithm: AES 128
    Encryption algorithm used for confidentiality of the data carried in the tunnel.

Authentication Algorithm: SHA1
    Hash algorithm used for integrity of the data carried in the tunnel.

PFS Group (DH Group): Same as Phase-1
    Diffie-Hellman group (1, 2, 5, 14, 15 or 16) used for the PFS exchange; "Same as Phase-1" reuses the group 2 selected above.

Key Life: 3600
    Key life in seconds: the time allowed to pass before the phase 2 key expires.


    Click OK to save policy.

    Step 2: Configure IPSec Connection

Go to VPN > IPSec > Connection and click Add to create a new connection. Specify the parameters as shown in the table below.

Parameter: Value
    Description

Name: IPSec_CR_CP
    Name to identify the IPSec connection.

Connection Type: Site to Site
    Type of connection. Available options: Remote Access, Site to Site, Host to Host.

Policy: Policy_Cradle_Point (created in Step 1)
    Policy to be used for the connection.

Action on VPN Restart: Respond Only
    Action for the connection when the VPN service restarts. Available options: Respond Only, Initiate, Disable. With Respond Only, Cyberoam waits for the Cradle Point router to initiate the tunnel.

Authentication Details

Authentication Type: Preshared Key
    Authentication type; the available types depend on the connection type.

Preshared Key: cyberoam
    Must be exactly the key configured on the Cradle Point router ("cyberoam" above); the comparison is case-sensitive, so "Cyberoam" would not match.

Endpoint Details

Local: PortB - 1.1.1.1
    Local port that acts as the end-point of the tunnel.

Remote: 2.2.2.2
    WAN gateway IP address assigned to the Cradle Point router.

Local Network Details

Local Subnet: 10.10.1.0
    Local LAN address object (10.10.1.0/24). Add or remove LAN addresses with the Add and Remove buttons.

Remote Network Details

Remote LAN Network: 10.1.1.0
    IP network of the Cradle Point LAN (10.1.1.0/24).


    Click OK to create the connection.

    Step 3: Activate IPSec Connection

Go to VPN > IPSec > Connection and click the status icons under the Active and Connection columns against the IPSec_CR_CP connection created in Step 2.

The icon under Active indicates that the connection is successfully activated.

The icon under Connection indicates that the connection is successfully established.
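Most failures in this kind of interoperability setup come from the two tables not mirroring each other. The script below is an added example, not Cyberoam or Cradle Point code: it takes both ends as records transcribed from the tables in this section and reports every setting on which they disagree (endpoints and selectors crossed correctly, preshared key byte-for-byte, phase 1 and phase 2 proposals, lifetimes, PFS, compression), then separately flags settings that will interoperate but are weak by current standards. The same check_pair call serves the Cyberoam and Sophos UTM section that follows. The field names and check logic are this script's own; the Cradle Point page shows a single hash and cipher, assumed here to apply to both phases. On the values as printed in the tables it reports exactly one mismatch, the preshared key case difference ("cyberoam" versus "Cyberoam").

```python
"""Cross-check both ends of an IKEv1 site-to-site IPSec configuration.

Added example, not Cyberoam or Cradle Point code. The two peer records are
transcribed from the tables in this article; the field names and the check
logic are this script's own. The Cradle Point page shows one hash and one
cipher, assumed here to apply to both phases.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class IpsecPeer:
    name: str
    gateway: str            # this peer's own tunnel endpoint (WAN IP)
    local_net: str          # LAN this peer protects, CIDR
    remote_gateway: str     # endpoint it expects on the far side
    remote_net: str         # LAN it expects behind the far side, CIDR
    psk: str
    aggressive: bool        # IKE phase 1 exchange mode
    p1_enc: str
    p1_hash: str
    p1_dh: int
    p1_life: int            # seconds
    p2_enc: str
    p2_hash: str
    pfs: bool
    p2_life: int            # seconds
    compression: Optional[bool] = None   # None: not exposed by that UI


def _alg(name: str) -> str:
    """Normalise vendor spellings: 'SHA-1', 'SHA1' and 'sha 1' all become 'sha1'."""
    return name.lower().replace("-", "").replace(" ", "").replace("_", "")


def check_pair(a: IpsecPeer, b: IpsecPeer) -> List[str]:
    """Return one line per setting on which the peers disagree (empty = consistent)."""
    problems: List[str] = []

    # Endpoints and traffic selectors must mirror each other exactly.
    if ip_address(a.remote_gateway) != ip_address(b.gateway):
        problems.append(f"{a.name} points at {a.remote_gateway}, {b.name} listens on {b.gateway}")
    if ip_address(b.remote_gateway) != ip_address(a.gateway):
        problems.append(f"{b.name} points at {b.remote_gateway}, {a.name} listens on {a.gateway}")
    if ip_network(a.remote_net) != ip_network(b.local_net):
        problems.append(f"{a.name} remote net {a.remote_net} != {b.name} local net {b.local_net}")
    if ip_network(b.remote_net) != ip_network(a.local_net):
        problems.append(f"{b.name} remote net {b.remote_net} != {a.name} local net {a.local_net}")
    for p in (a, b):
        if ip_network(p.local_net).overlaps(ip_network(p.remote_net)):
            problems.append(f"{p.name}: local and remote networks overlap")

    # A preshared key is an opaque string; 'cyberoam' and 'Cyberoam' are different keys.
    if a.psk != b.psk:
        problems.append("preshared keys differ (comparison is case-sensitive)")

    # Phase 1 and phase 2 proposals.
    rows: List[Tuple[str, object, object]] = [
        ("phase 1 mode (aggressive)", a.aggressive, b.aggressive),
        ("phase 1 encryption", _alg(a.p1_enc), _alg(b.p1_enc)),
        ("phase 1 hash", _alg(a.p1_hash), _alg(b.p1_hash)),
        ("phase 1 DH group", a.p1_dh, b.p1_dh),
        ("phase 1 lifetime", a.p1_life, b.p1_life),
        ("phase 2 encryption", _alg(a.p2_enc), _alg(b.p2_enc)),
        ("phase 2 hash", _alg(a.p2_hash), _alg(b.p2_hash)),
        ("PFS", a.pfs, b.pfs),
        ("phase 2 lifetime", a.p2_life, b.p2_life),
    ]
    if a.compression is not None and b.compression is not None:
        rows.append(("compression", a.compression, b.compression))
    for label, va, vb in rows:
        if va != vb:
            problems.append(f"{label}: {a.name}={va} vs {b.name}={vb}")
    return problems


def weak_settings(p: IpsecPeer) -> List[str]:
    """Flag choices that interoperate but are weak by current standards."""
    warnings: List[str] = []
    if p.aggressive:
        warnings.append(f"{p.name}: aggressive mode exposes the identity and a "
                        "PSK-derived hash to offline guessing; prefer main mode")
    if p.p1_dh < 14:
        warnings.append(f"{p.name}: DH group {p.p1_dh} is below 2048-bit MODP (group 14)")
    for phase, h in (("phase 1", p.p1_hash), ("phase 2", p.p2_hash)):
        if _alg(h) in ("md5", "sha1"):
            warnings.append(f"{p.name}: {h} integrity in {phase}")
    if len(p.psk) < 20:
        warnings.append(f"{p.name}: preshared key is only {len(p.psk)} characters")
    return warnings


# Values transcribed from the Cradle Point and Cyberoam tables in this article.
CRADLE_POINT = IpsecPeer(
    name="CradlePoint", gateway="2.2.2.2", local_net="10.1.1.0/24",
    remote_gateway="1.1.1.1", remote_net="10.10.1.0/24", psk="cyberoam",
    aggressive=True, p1_enc="AES 128", p1_hash="SHA-1", p1_dh=2, p1_life=28800,
    p2_enc="AES 128", p2_hash="SHA-1", pfs=True, p2_life=3600,
)
CYBEROAM = IpsecPeer(
    name="Cyberoam", gateway="1.1.1.1", local_net="10.10.1.0/24",
    remote_gateway="2.2.2.2", remote_net="10.1.1.0/24", psk="Cyberoam",
    aggressive=True, p1_enc="AES128", p1_hash="SHA1", p1_dh=2, p1_life=28800,
    p2_enc="AES128", p2_hash="SHA1", pfs=True, p2_life=3600, compression=True,
)

if __name__ == "__main__":
    for line in check_pair(CRADLE_POINT, CYBEROAM) + weak_settings(CYBEROAM):
        print(line)
```

Fill in a second pair of records for any other vendor combination (for the Sophos UTM section, the Sophos IKE and IPSec rows map onto the p1_* and p2_* fields, and Strict Policy means the Cyberoam side must match them exactly); compression is left as None for a device whose UI does not expose it, so it is skipped rather than reported as a mismatch.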

                                                                                                    
     
     
                                                                                                                                                     Document Version 1.0 – 17 July, 2014
    1.4.2. Establish IPSec VPN connection between Cyberoam and Sophos UTM

    Applicable Version: 10.00 onwards

    Scenario

Establish an IPSec VPN connection between Cyberoam and Sophos UTM using preshared key authentication. In this example the Cyberoam WAN address is 1.1.1.1 with LAN 10.10.1.0/24, and the Sophos UTM WAN address is 2.2.2.2.
     

    Sophos Configuration

Administrator privileges for the Sophos Web Administration dashboard are required to add or modify the configuration. You can configure the IPSec VPN connection in Sophos by following the steps given below.

Step 1: Create IPSec Policy

·        Go to Site-to-Site VPN > IPSec and switch to the Policies tab. Click New IPSec Policy to define a new policy.
     

    ·        Specify the policy parameters as shown in the table.

Parameter                        Value
Name                             Cyberoam_Sophos
IKE encryption algorithm         AES 256
IKE authentication algorithm     SHA1
IKE SA lifetime                  3600
IKE DH group                     Group 5: MODP 1536
IPSec encryption algorithm       AES 256
IPSec authentication algorithm   SHA1
IPSec SA lifetime                3600
IPSec PFS group                  Group 5: MODP 1536
Strict Policy                    Checked
Compression                      Unchecked

With Strict Policy checked, Sophos UTM rejects any proposal from the peer that does not match this policy exactly, so the Cyberoam policy configured later must use the same algorithms, DH group and lifetimes. Compression is unchecked here and must be set the same way on the Cyberoam side.


    ·        Click Save to complete the policy settings. The IPSec policy is created as shown in the image. 

    Step 2: Create Remote Gateway

·        Go to Site-to-Site VPN > IPSec and switch to the Remote Gateway tab. Click New Remote Gateway to define a new gateway.


    ·        Specify the remote gateway parameters as shown in the table.
     

Parameter              Value
Name                   Cyberoam
Gateway type           Initiate connection or Respond only. One peer must initiate and the other respond; pair this with the Action on VPN Restart setting of the Cyberoam connection.
Gateway                Click the add icon to create a host definition for the Cyberoam WAN address: Name: Cyberoam, Type: Host, IP address: 1.1.1.1
Authentication type    Preshared key
Key                    12345
Repeat                 12345
VPN ID type            IP address
Remote networks        Click the add icon to create a network definition for the Cyberoam LAN: Name: 10.10.1.0, Type: Network, IP address: 10.10.1.0, Netmask: /24 (255.255.255.0)

The key 12345 is the value used in this example; in production use a long random preshared key, and enter exactly the same key (the comparison is case-sensitive) in the Cyberoam connection.


     


    ·        Click Save to complete the Remote Gateway settings. The Remote Gateway is created as shown in the image.

    Step 3: Create IPsec VPN Connection

·        Go to Site-to-Site VPN > IPSec and switch to the IPSec Connection tab. Click New IPSec Connection to define a new IPSec connection.

·        Specify the IPSec connection parameters as shown in the table.

Parameter                         Value
Name                              VPN_Cyberoam_Sophos
Remote Gateway                    Cyberoam (created in Step 2)
Local Interface                   2.2.2.2 (configured WAN IP of the Sophos UTM)
Policy                            Cyberoam_Sophos (created in Step 1)
Local Networks                    Click the add icon to add the Sophos-side LAN as a network definition (Type: Network, with its IP address and netmask). This must be a different subnet from the Remote Network 10.10.1.0/24 added to the remote gateway in Step 2; identical local and remote networks leave nothing to route through the tunnel.
Automatic Firewall Rules          Checked
Strict Routing                    Unchecked
Bind Tunnel to Local Interface    Unchecked


    ·        Click Save to complete the IPSec connection settings. The IPSec connection is created as shown in the image.

    Step 4: Verification of the configured IPSec VPN connection

    To verify the IPSec VPN configuration, go to Network Protection > Firewall. Under Rules tab, select Automatic Firewall Rules to see the configured rule for the IPSec site-to-site connection between Cyberoam and Sophos.  

     

    Cyberoam Configuration

    You must be logged on to the Web Admin Console as an administrator with Read-Write permission for relevant feature(s).

    To configure IPSec Connection in Cyberoam, follow the steps given below.

    Step 1: Create VPN Policy

Go to VPN > Policy > Policy and click Add to add a new policy. Specify the parameters as shown in the table below.

    Parameter

    Value

    Description

    Name

    Cyberoam_Sophos

    Specify a name to identify the VPN Policy.

    Keying Method

    Automatic

Keying Method defines how the keys for the connection are managed. Select the Keying Method from the available options.

    Available Options:

    ·        Automatic
    ·        Manual

    Allow Re-Keying

    Enable

    Enable Re-Keying to start the negotiation process automatically before key expiry.

    Key Negotiation Tries

    0

    Specify maximum key negotiation trials allowed. Set 0 for unlimited number of trials.

    Authentication Mode

    Main Mode

    Select Authentication Mode. Authentication Mode is used for exchanging authentication information.

    Available Options:

    ·        Main Mode
    ·        Aggressive Mode

Pass Data in Compressed Format

Enable

Enable to compress data before encryption to increase throughput. Compression must be set the same on both peers; the Sophos policy in this example has Compression unchecked, so either disable it here or enable it on the Sophos side as well.

    Perfect Forward Secrecy (PFS)

    Enable

Enable to perform a fresh Diffie-Hellman exchange for every phase 2 re-key, so that compromise of one key does not expose keys negotiated before or after it; disable to derive all phase 2 keys from the phase 1 keying material. The Sophos policy above has an IPSec PFS group set, so PFS must be enabled here.

    Phase 1

    Encryption Algorithm

    AES 256

Select the encryption algorithm used by the communicating parties for confidentiality of the phase 1 exchange. It must match the Sophos IKE encryption algorithm (AES 256).

    Authentication Algorithm

    SHA1

    Select Authentication Algorithm that would be used by communicating parties for integrity of exchanged data for phase 1.

    DH Group (Key Group)

    5(DH1536)

Select one Diffie-Hellman group from 1, 2, 5, 14, 15 or 16. The group sets the size of the modulus used in the key exchange (1536 bits for group 5) and therefore the strength of the derived keys; it is not the cipher key length. It must match the Sophos IKE DH group (Group 5: MODP 1536).

    Key Life

    3600

    Specify Key Life in terms of seconds. Key Life is the amount of time that will be allowed to pass before the key expires.

    Re-Key Margin

    120

Specify the Re-Key Margin: the time in seconds before key expiry at which the negotiation of a new key starts automatically, without interrupting communication.

    Randomize Re-Keying Margin By

    0

Specify the amount by which the re-key margin is randomized, so that many tunnels do not all re-key at the same moment.

    Dead Peer Detection

    Enable

    Enable to check at regular interval whether peer is live or not.

    Phase 2

    Encryption Algorithm

    AES 256

Select the encryption algorithm used for confidentiality of the data carried in the tunnel. It must match the Sophos IPSec encryption algorithm (AES 256).