Establish Net-to-Net IPSec VPN Connection between Cyberoam and Cisco Router using Preshared key


Product: The information in this article is based on Cyberoam Version 95314 and Cisco Router.

This article describes a detailed configuration example that demonstrates how to set up a net-to-net IPSec VPN connection between Cyberoam and a Cisco Router, using a preshared key to authenticate the VPN peers.

Throughout the article we will use the network parameters shown in the network diagram below. Cyberoam is installed at the AHMD branch while the Cisco Router is installed at the DLH branch.

In the hypothetical example considered in this article, a static IP address is configured for Cyberoam, but depending on the network requirement a dynamic IP address may be configured for Cyberoam instead.

The article includes a network diagram and details of the information to be gathered before configuration, and covers the following scenarios for Cyberoam:
  1. Aggressive mode Authentication
  2. Main mode Authentication with a static IP address assigned to Cyberoam
  3. Main mode Authentication with a dynamic IP address assigned to Cyberoam

Each scenario includes:
  • Cyberoam configuration steps
  • Cisco Router configuration steps

We will establish VPN connection from AHMD branch to DLH branch therefore:

For AHMD branch:
Cyberoam is the Local server. 
Cisco Router is the Remote server.

For DLH branch:
Cisco Router is the Local server.
Cyberoam is the Remote server.

Network Diagram

[Network diagram: Cyberoam at the AHMD branch, WAN IP 182.7.7.254, internal network 192.168.1.0/24; Cisco Router at the DLH branch, IP 125.16.7.254, internal network 192.168.2.0/24; IPSec tunnel between the two WAN addresses]

Information to be gathered before configuration

Before configuring the IPSec connection, gather the following information about the Remote server:
  1. Connection details - Encryption algorithm, Authentication Algorithm and DH/PFS Group 
  2. Preshared Key 
  3. Server IP addresses 
  4. Internal Network Subnet

Configuration Table

Please note: the Phase 1 and Phase 2 parameters (Encryption algorithm, Authentication Algorithm and DH/PFS Group) must be the same on both peers, the Cyberoam and the Cisco Router VPN servers, otherwise IKE negotiation fails.

Configuration Parameters

  Parameter                          Cyberoam            Cisco Router
  -------------------------------------------------------------------------
  IPSec Connection (Net-to-Net)

  Local Network details
    WAN IP address                   182.7.7.254         125.16.7.254
    Local Internal Network           192.168.1.0/24      192.168.2.0/24
    Preshared Key                    0123456789          0123456789

  Remote Network details
    Remote VPN server IP address     125.16.7.254        182.7.7.254
    Remote Internal Network          192.168.2.0/24      192.168.1.0/24
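As a check on the note above that both peers must use the same Phase 1 and Phase 2 parameters, the following Python script (an added example, not part of the original article) parses a constructed IOS fragment of the router side and compares it with the Cyberoam values from the table; it also verifies that the two peers' local and remote networks are mirror images of each other.

```python
import re
# Cyberoam-side Phase 1/Phase 2 policy and network values, as given in the article.
CYBEROAM = {
    "p1_encr": "3des", "p1_hash": "md5", "p1_group": "2",
    "p2_encr": "3des", "p2_hash": "md5", "pfs_group": "2",
    "local_net": "192.168.1.0/24", "remote_net": "192.168.2.0/24",
}
# Constructed sample of the router side in IOS syntax (not the article's text verbatim).
CISCO_CONFIG = """
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto ipsec transform-set dlhtransform esp-3des esp-md5-hmac
crypto map dlhmap 10 ipsec-isakmp
 set pfs group2
 match address dlhtoahmd
ip access-list extended dlhtoahmd
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
"""
def wildcard_to_cidr(net, wildcard):
    """Convert an IOS network/wildcard pair (e.g. 192.168.2.0 0.0.0.255) to CIDR."""
    host_bits = sum(bin(int(octet)).count("1") for octet in wildcard.split("."))
    return f"{net}/{32 - host_bits}"

def parse_cisco(cfg):
    """Extract the peer-relevant IKE/IPSec parameters from an IOS config fragment."""
    grab = lambda pat: re.search(pat, cfg, re.M).group(1)
    p = {"p1_encr": grab(r"^\s*encr\s+(\S+)"),
         "p1_hash": grab(r"^\s*hash\s+(\S+)"),
         "p1_group": grab(r"^\s*group\s+(\d+)")}
    ts = re.search(r"transform-set\s+\S+\s+esp-(\S+)\s+esp-(\S+)-hmac", cfg)
    p["p2_encr"], p["p2_hash"] = ts.group(1), ts.group(2)
    pfs = re.search(r"set pfs group(\d+)", cfg)
    p["pfs_group"] = pfs.group(1) if pfs else None   # None means PFS is off on the router
    acl = re.search(r"permit ip (\S+) (\S+) (\S+) (\S+)", cfg)
    # In a crypto ACL the source is the router's local network, the destination the remote one.
    p["local_net"] = wildcard_to_cidr(acl.group(1), acl.group(2))
    p["remote_net"] = wildcard_to_cidr(acl.group(3), acl.group(4))
    return p

def peer_mismatches(cyberoam, cisco):
    """Return the parameters on which the two peers disagree; empty means they can negotiate."""
    keys = ("p1_encr", "p1_hash", "p1_group", "p2_encr", "p2_hash", "pfs_group")
    bad = [k for k in keys if cyberoam[k] != cisco[k]]
    # The protected networks must be mirror images: one side's local is the other's remote.
    if (cyberoam["local_net"], cyberoam["remote_net"]) != (cisco["remote_net"], cisco["local_net"]):
        bad.append("networks")
    return bad
```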

 

Cyberoam Configuration

Applicable to version: 9.5.8 onwards

Task list
  1. Define VPN policy – configure Phase 1 & Phase 2 parameters to authenticate the remote peer and establish a secure connection
  2. Define VPN connection parameters

Case I – Aggressive mode Authentication

Step 1: Create VPN Policy

Go to VPN → Policy → Create Policy and create a VPN policy with the following values:

Policy Name: CR_2_Cisco
Allow Re-keying: Yes
Authentication Mode: Aggressive mode

Phase 1
Encryption Algorithm: 3DES
Authentication Algorithm: MD5
DH Group (Key Group): 2 (DH1024)

Phase 2
Encryption Algorithm: 3DES
Authentication Algorithm: MD5
DH Group (Key Group): Same as Phase 1
 

Step 2: Create IPSec connection

Go to VPN → IPSec Connection → Create Connection and create a connection with the following values:

Connection name: n2n_AHMD
Policy: CR_2_Cisco (created in step 1)
Action on restart: As required
Mode: Tunnel
Type: Net to Net 
Authentication Type – Preshared Key
Preshared Key: 0123456789

Local server IP address (WAN IP address) – 182.7.7.254
Local Internal Network – 192.168.1.0/24

Remote server IP address (WAN IP address) – 125.16.7.254
Remote Internal Network – 192.168.2.0/24  

User Authentication Mode: Disabled
Protocol: As required
 

Step 3: Activate Connection

Go to VPN → IPSec Connection → Manage Connection and click the Activate icon against the n2n_AHMD connection.

The icon under Connection status then indicates that the connection is successfully activated.

 

Note
Only one connection can be active at a time if both types of connection - Digital Certificate and Preshared Key - are created with the same source and destination. In such a situation you will receive the error ‘unable to activate connection’ at the time of activation; deactivate all other connections before activating this one.

Cisco Router Configuration

Step 1. Log on to the Cisco Router with Enable privilege
Router> en
Password: ******
Router# conf t

Step 2. Configure the IKE (Phase 1) parameters; these must match the Cyberoam Phase 1 policy
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
! Preshared key for the Cyberoam peer, selected by its static WAN IP address
crypto isakmp key 0123456789 address 182.7.7.254

Step 3. Verify the IKE parameters, and the IKE SA once the tunnel is up, using the following commands
show crypto isakmp policy
show crypto isakmp sa

Step 4. Define the crypto access-list that selects the traffic to be protected by the tunnel
! Source is the local (DLH) network, destination the remote (AHMD) network. IOS checks
! inbound traffic against the mirror image of this entry, so no reverse entry is needed.
ip access-list extended dlhtoahmd
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

Step 5. Configure the IPSec (Phase 2) parameters
crypto ipsec transform-set dlhtransform esp-3des esp-md5-hmac
crypto map dlhmap 10 ipsec-isakmp
 description Tunnel to CR
 set peer 182.7.7.254
 set transform-set dlhtransform
 set pfs group2
 match address dlhtoahmd

Step 6. Apply the crypto map to the external (WAN) interface of the Cisco Router
interface FastEthernet0/1
 crypto map dlhmap

Case II – Main mode Authentication and Cyberoam configured with static IP address

Cyberoam Configuration

Step 1: Create VPN Policy

Go to VPN → Policy → Create Policy and create a VPN policy with the following values:
Policy Name: CR_2_Cisco
Allow Re-keying: Yes
Authentication Mode: Main mode 

Phase 1
Encryption Algorithm: 3DES
Authentication Algorithm: MD5
DH Group (Key Group): 2 (DH1024)

Phase 2
Encryption Algorithm: 3DES
Authentication Algorithm: MD5
DH Group (Key Group): Same as Phase 1

Step 2: Create IPSec connection

Go to VPN → IPSec Connection → Create Connection and create a connection with the following values:
Connection name: n2n_AHMD
Policy: CR_2_Cisco (created in step 1)
Action on restart: As required
Mode: Tunnel
Type: Net to Net
Authentication Type – Preshared Key
Preshared Key: 0123456789 

Local server IP address (WAN IP address) – 182.7.7.254
Local Internal Network – 192.168.1.0/24  

Remote server IP address (WAN IP address) – 125.16.7.254
Remote Internal Network – 192.168.2.0/24

User Authentication Mode: Disabled
Protocol: As required
 
 

Step 3: Activate Connection

Go to VPN → IPSec Connection → Manage Connection and click the Activate icon against the n2n_AHMD connection.

The icon under Connection status then indicates that the connection is successfully activated.

Note
Only one connection can be active at a time if both types of connection - Digital Certificate and Preshared Key - are created with the same source and destination. In such a situation you will receive the error ‘unable to activate connection’ at the time of activation; deactivate all other connections before activating this one.

Cisco Router Configuration

Step 1. Log on to the Cisco Router with Enable privilege
Router> en
Password: ******
Router# conf t

Step 2. Configure the IKE (Phase 1) parameters; these must match the Cyberoam Phase 1 policy
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
! Preshared key for the Cyberoam peer, selected by its static WAN IP address
crypto isakmp key 0123456789 address 182.7.7.254

Step 3. Verify the IKE parameters, and the IKE SA once the tunnel is up, using the following commands
show crypto isakmp policy
show crypto isakmp sa

Step 4. Define the crypto access-list that selects the traffic to be protected by the tunnel
! Source is the local (DLH) network, destination the remote (AHMD) network. IOS checks
! inbound traffic against the mirror image of this entry, so no reverse entry is needed.
ip access-list extended dlhtoahmd
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

Step 5. Configure the IPSec (Phase 2) parameters
crypto ipsec transform-set dlhtransform esp-3des esp-md5-hmac
crypto map dlhmap 10 ipsec-isakmp
 description Tunnel to CR
 set peer 182.7.7.254
 set transform-set dlhtransform
 set pfs group2
 match address dlhtoahmd

Step 6. Apply the crypto map to the external (WAN) interface of the Cisco Router
interface FastEthernet0/1
 crypto map dlhmap

Case III – Main mode Authentication and Cyberoam configured with dynamic IP address

Cyberoam Configuration

Step 1: Create VPN Policy

Go to VPN → Policy → Create Policy and create a VPN policy with the following values:
Policy Name: CR_2_Cisco
Allow Re-keying: Yes
Authentication Mode: Main mode

Phase 1
Encryption Algorithm: 3DES
Authentication Algorithm: MD5
DH Group (Key Group): 2 (DH1024)  

Phase 2
Encryption Algorithm: 3DES
Authentication Algorithm: MD5
DH Group (Key Group): Same as Phase 1
 

Step 2: Create IPSec connection

Go to VPN → IPSec Connection → Create Connection and create a connection with the following values:
Connection name: n2n_AHMD
Policy: CR_2_Cisco (created in step 1)
Action on restart: As required
Mode: Tunnel
Type: Net to Net 
Authentication Type – Preshared Key
Preshared Key: 0123456789  

Local server IP address (WAN IP address) – Dynamic IP address assigned to the Cyberoam WAN interface
Local Internal Network – 192.168.1.0/24

Remote server IP address (WAN IP address) – 125.16.7.254
Remote Internal Network – 192.168.2.0/24

User Authentication Mode: Disabled
Protocol: As required
 

Step 3: Activate Connection

Go to VPN → IPSec Connection → Manage Connection and click the Activate icon against the n2n_AHMD connection.

The icon under Connection status then indicates that the connection is successfully activated.

Note
Only one connection can be active at a time if both types of connection - Digital Certificate and Preshared Key - are created with the same source and destination. In such a situation you will receive the error ‘unable to activate connection’ at the time of activation; deactivate all other connections before activating this one.

Cisco Router Configuration

Step 1. Log on to the Cisco Router with Enable privilege
Router> en
Password: ******
Router# conf t

Step 2. Configure the IKE (Phase 1) parameters; these must match the Cyberoam Phase 1 policy
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
! Cyberoam has a dynamic WAN address, so the preshared key is bound to its DDNS hostname
! rather than to an IP address
crypto isakmp key 0123456789 hostname elite.elitecore.com no-xauth

Step 3. Verify the IKE parameters, and the IKE SA once the tunnel is up, using the following commands
show crypto isakmp policy
show crypto isakmp sa

Step 4. Define the crypto access-list that selects the traffic to be protected by the tunnel
! Source is the local (DLH) network, destination the remote (AHMD) network. IOS checks
! inbound traffic against the mirror image of this entry, so no reverse entry is needed.
ip access-list extended dlhtoahmd
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

Step 5. Configure the IPSec (Phase 2) parameters
crypto ipsec transform-set dlhtransform esp-3des esp-md5-hmac
crypto map dlhmap 10 ipsec-isakmp
 description Tunnel to CR
 ! Cyberoam (CR) is reached through its DDNS hostname
 set peer elite.elitecore.com
 set transform-set dlhtransform
 set pfs group2
 match address dlhtoahmd

Step 6. Apply the crypto map to the external (WAN) interface of the Cisco Router
interface FastEthernet0/1
 crypto map dlhmap

   

Document version: 1.0-24/12/2008