Create Hub and Spoke IPSec VPN Network

Applicable Version: 10.00 onwards
 
Overview
 
A hub-and-spoke VPN network is set up in organizations that want centralized control over all their branch offices. In this setup the Head Office acts as the hub and the Branch Offices act as spokes. All VPN tunnels from the Branch Offices terminate at the hub, which acts as a concentrator; there are no site-to-site tunnels between spokes. Traffic originating from one spoke and destined for another spoke must pass through the hub, so each spoke's tunnel carries the other spokes' LANs as remote networks and the hub lists those LANs as local networks on the matching connections.

Scenario

Configure Cyberoam Appliances in a Hub and Spoke IPSec VPN Network between the Head Office in New York and the Branch Offices in Houston and Dallas, using the addresses in the network schema below.

Network Schema

Office        LAN Network      WAN IP Address
New York HO   192.168.1.0/24   202.11.11.11
Houston BO    192.168.2.0/24   202.10.10.10
Dallas BO     192.168.3.0/24   202.12.12.12

Configuration

The configuration of the Cyberoam Appliances at New York, Houston and Dallas is given below. All configuration is done from the Web Admin Console of the respective appliance.


Houston Branch Office (Spoke)

Configure a site-to-site IPSec VPN connection between Houston (Spoke) and New York (Hub) by following the steps given below. In this article, we have used the following parameters to create the VPN connection.

Network Parameters

Local Network details
  Local Server (WAN IP address) – 202.10.10.10
  Local LAN address – 192.168.2.0/24
  Local ID – john@cyberoam.com

Remote Network details
  Remote VPN server (Hub IP address) – 202.11.11.11
  Remote LAN Network – 192.168.1.0/24 and 192.168.3.0/24
  Remote ID – dean@cyberoam.com


Step 1: Create IPSec Connection
 
Add Connection

To create a new IPSec connection, go to VPN > IPSec > Connection and click Add. Create the connection using the following parameters.

Parameter Description

Parameter               Value                               Description
Name                    Houston_to_NY                       Name to identify the IPSec connection
Connection Type         Site to Site                        Type of connection. Available options: Remote Access, Site to Site, Host to Host
Policy                  DefaultBranchOffice                 Policy to be used for the connection
Action on VPN Restart   Initiate                            Action for the connection on VPN restart. Available options: Respond Only, Initiate, Disable. The spoke initiates; the hub responds
Authentication details
Authentication Type     Preshared Key                       Authentication type; the options available depend on the connection type
Preshared Key           123456789                           Must be the same key as that configured at the remote site (the hub)
Endpoints Details
Local                   PortB – 202.10.10.10                Local port that acts as the endpoint of the tunnel
Remote                  202.11.11.11                        IP address of the remote endpoint (the hub WAN IP)
Local Network Details
Local Subnet            192.168.2.0/24                      Local LAN address(es). Add and remove addresses using the Add and Remove buttons
Remote Network Details
Remote LAN Network      192.168.1.0/24 and 192.168.3.0/24   Remote LAN address(es): the hub LAN and the Dallas spoke LAN, so that Dallas-bound traffic also enters this tunnel. Add and remove addresses using the Add and Remove buttons

Click OK to create the IPSec connection.
 

Step 2: Activate Connection

On clicking OK, the IPSec Connection page lists the connection created above.

Click the status icon under Status (Active) to activate the connection.
 

Dallas Branch Office (Spoke)

Configure a site-to-site IPSec VPN connection between Dallas (Spoke) and New York (Hub) by following the steps given below. In this article, we have used the following parameters to create the VPN connection.

Network Parameters

Local Network details
  Local Server (WAN IP address) – 202.12.12.12
  Local LAN address – 192.168.3.0/24
  Local ID – mathew@cyberoam.com

Remote Network details
  Remote VPN server (Hub IP address) – 202.11.11.11
  Remote LAN Network – 192.168.1.0/24 and 192.168.2.0/24
  Remote ID – dean@cyberoam.com


Step 1: Create IPSec Connection

Add Connection

To create a new IPSec connection, go to VPN > IPSec > Connection and click Add. Create the connection using the following parameters.

Parameter Description

Parameter               Value                               Description
Name                    Dallas_to_NY                        Name to identify the IPSec connection
Connection Type         Site to Site                        Type of connection. Available options: Remote Access, Site to Site, Host to Host
Policy                  DefaultBranchOffice                 Policy to be used for the connection
Action on VPN Restart   Initiate                            Action for the connection on VPN restart. Available options: Respond Only, Initiate, Disable. The spoke initiates; the hub responds
Authentication details
Authentication Type     Preshared Key                       Authentication type; the options available depend on the connection type
Preshared Key           123456789                           Must be the same key as that configured at the remote site (the hub)
Endpoints Details
Local                   PortB – 202.12.12.12                Local port that acts as the endpoint of the tunnel
Remote                  202.11.11.11                        IP address of the remote endpoint (the hub WAN IP)
Local Network Details
Local Subnet            192.168.3.0/24                      Local LAN address(es). Add and remove addresses using the Add and Remove buttons
Remote Network Details
Remote LAN Network      192.168.1.0/24 and 192.168.2.0/24   Remote LAN address(es): the hub LAN and the Houston spoke LAN, so that Houston-bound traffic also enters this tunnel. Add and remove addresses using the Add and Remove buttons

Click OK to create the IPSec connection.
 

Step 2: Activate Connection

On clicking OK, the IPSec Connection page lists the connection created above.

Click the status icon under Status (Active) to activate the connection.

Note:

If more than one connection exists between the same two gateways and the connections use different authentication modes, only one of them can be active at a time.
 

New York Head Office (Hub)

Configure site-to-site IPSec VPN connections between New York (Hub) and Houston (Spoke), and between New York (Hub) and Dallas (Spoke), by following the steps given below. On the hub, each connection lists the hub LAN plus the other spoke's LAN as its local subnets, so that spoke-to-spoke traffic matches the correct tunnel on the way out.
 

Step 1: Create IPSec VPN Connection with Houston BO 

Add Connection

To create a new IPSec connection, go to VPN > IPSec > Connection and click Add. Create the connection using the following parameters.

Parameter Description

Parameter               Value                               Description
Name                    NY_to_Houston                       Name to identify the IPSec connection
Connection Type         Site to Site                        Type of connection. Available options: Remote Access, Site to Site, Host to Host
Policy                  DefaultHeadOffice                   Policy to be used for the connection
Action on VPN Restart   Respond Only                        Action for the connection on VPN restart. Available options: Respond Only, Initiate, Disable. The hub responds; the spokes initiate
Authentication details
Authentication Type     Preshared Key                       Authentication type; the options available depend on the connection type
Preshared Key           123456789                           Must be the same key as that configured at the remote site (Houston)
Endpoints Details
Local                   PortB – 202.11.11.11                Local port that acts as the endpoint of the tunnel
Remote                  202.10.10.10                        IP address of the remote endpoint (the Houston WAN IP)
Local Network Details
Local Subnet            192.168.1.0/24 and 192.168.3.0/24   Local LAN address(es): the hub LAN plus the Dallas LAN, so that Dallas-to-Houston traffic arriving at the hub matches this tunnel. Add and remove addresses using the Add and Remove buttons
Remote Network Details
Remote LAN Network      192.168.2.0/24                      Remote LAN address(es): the Houston LAN. Add and remove addresses using the Add and Remove buttons

Click OK to create the IPSec connection.

Activate Connection

On clicking OK, the IPSec Connection page lists the connection created above.

Click the status icon under Status (Active) to activate the connection.

Step 2: Create IPSec VPN Connection with Dallas BO 

Add Connection

To create a new IPSec connection, go to VPN > IPSec > Connection and click Add. Create the connection using the following parameters.

Parameter Description

Parameter               Value                               Description
Name                    NY_to_Dallas                        Name to identify the IPSec connection
Connection Type         Site to Site                        Type of connection. Available options: Remote Access, Site to Site, Host to Host
Policy                  DefaultHeadOffice                   Policy to be used for the connection
Action on VPN Restart   Respond Only                        Action for the connection on VPN restart. Available options: Respond Only, Initiate, Disable. The hub responds; the spokes initiate
Authentication details
Authentication Type     Preshared Key                       Authentication type; the options available depend on the connection type
Preshared Key           123456789                           Must be the same key as that configured at the remote site (Dallas)
Endpoints Details
Local                   PortB – 202.11.11.11                Local port that acts as the endpoint of the tunnel
Remote                  202.12.12.12                        IP address of the remote endpoint (the Dallas WAN IP)
Local Network Details
Local Subnet            192.168.1.0/24 and 192.168.2.0/24   Local LAN address(es): the hub LAN plus the Houston LAN, so that Houston-to-Dallas traffic arriving at the hub matches this tunnel. Add and remove addresses using the Add and Remove buttons
Remote Network Details
Remote LAN Network      192.168.3.0/24                      Remote LAN address(es): the Dallas LAN. Add and remove addresses using the Add and Remove buttons

Click OK to create the IPSec connection.
Activate Connection

On clicking OK, the IPSec Connection page lists the connection created above.

Click the status icon under Status (Active) to activate the connection.

Step 3: Add Firewall Rule to allow VPN Traffic

To create the firewall rule, go to Firewall > Rule > Rule and click Add. Create the rule using the following parameters.

Parameter Description

Click OK to create the firewall rule.

Step 4: Establish connections

Once the Cyberoam Appliances at the Head Office and both Branch Offices are configured, establish the connections between them. Click the connection icon under Status (Connection) to establish the connection. Because the spoke connections are configured to Initiate and the hub connections to Respond Only, bring each tunnel up from the spoke side.

Note:

Make sure that firewall rules allowing traffic from LAN to VPN and from VPN to LAN are present on every appliance. If they are not present, create them manually; a tunnel can be active and connected while no traffic passes if these rules are missing. On the hub, also check that spoke-to-spoke traffic, which enters and leaves through the VPN zone, is permitted.
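The following script is an added example, not Cyberoam code or configuration. It models the four connections configured above as plain data and checks the properties a hub-and-spoke layout must satisfy: every connection has a mirror on the peer with swapped endpoints and mirrored selectors, the same preshared key and at least one initiating side; every spoke lists all other sites' LANs as remote networks; and the site LANs do not overlap. It also follows selector matching hop by hop, which shows why the hub's connection to Dallas must carry the Houston LAN as a local subnet. Site addresses, selectors, actions and the preshared key are taken from this article; the check functions, the hop simulation and the PSK rule (at least 20 characters, not all digits) are the example's own assumptions, and the article's 123456789 is flagged as a placeholder to be replaced by a long random key before deployment.

```python
"""Consistency checks for the hub-and-spoke IPSec layout in this article.

Added example, not Cyberoam code. Site LANs, WAN endpoints, selectors,
actions and the PSK are copied from the article; the check functions,
the PSK rule and the hop simulation are this example's own assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Connection:
    site: str            # appliance the connection is configured on
    name: str
    local_ep: str        # local WAN endpoint ("Local" port address)
    remote_ep: str       # remote WAN endpoint
    local_nets: tuple    # Local Subnet selector(s)
    remote_nets: tuple   # Remote LAN Network selector(s)
    action: str          # "Initiate" or "Respond Only"
    psk: str             # Preshared Key


# LAN per site, from the article's Network Schema.
SITES = {"NewYork": "192.168.1.0/24", "Houston": "192.168.2.0/24", "Dallas": "192.168.3.0/24"}
HUB = "NewYork"
PSK = "123456789"  # the article's placeholder key; flagged by weak_psks()

CONNECTIONS = [
    Connection("Houston", "Houston_to_NY", "202.10.10.10", "202.11.11.11",
               ("192.168.2.0/24",), ("192.168.1.0/24", "192.168.3.0/24"), "Initiate", PSK),
    Connection("Dallas", "Dallas_to_NY", "202.12.12.12", "202.11.11.11",
               ("192.168.3.0/24",), ("192.168.1.0/24", "192.168.2.0/24"), "Initiate", PSK),
    Connection("NewYork", "NY_to_Houston", "202.11.11.11", "202.10.10.10",
               ("192.168.1.0/24", "192.168.3.0/24"), ("192.168.2.0/24",), "Respond Only", PSK),
    Connection("NewYork", "NY_to_Dallas", "202.11.11.11", "202.12.12.12",
               ("192.168.1.0/24", "192.168.2.0/24"), ("192.168.3.0/24",), "Respond Only", PSK),
]


def check_mirrors(conns):
    """Each connection needs a peer with swapped endpoints, mirrored selectors,
    the same PSK, and at least one side set to Initiate."""
    by_eps = {(c.local_ep, c.remote_ep): c for c in conns}
    problems = []
    for c in conns:
        m = by_eps.get((c.remote_ep, c.local_ep))
        if m is None:
            problems.append(f"{c.name}: no matching connection on {c.remote_ep}")
            continue
        if set(c.local_nets) != set(m.remote_nets) or set(c.remote_nets) != set(m.local_nets):
            problems.append(f"{c.name}: selectors do not mirror {m.name}")
        if c.psk != m.psk:
            problems.append(f"{c.name}: PSK differs from {m.name}")
        if "Initiate" not in (c.action, m.action):
            problems.append(f"{c.name}/{m.name}: neither side initiates")
    return problems


def check_spoke_coverage(conns, sites=SITES, hub=HUB):
    """A spoke must list every other site's LAN as a remote network, otherwise
    spoke-to-spoke traffic never enters its tunnel to the hub."""
    problems = []
    for c in conns:
        if c.site == hub:
            continue
        missing = {n for s, n in sites.items() if s != c.site} - set(c.remote_nets)
        if missing:
            problems.append(f"{c.name}: remote networks missing {sorted(missing)}")
    return problems


def check_overlap(sites=SITES):
    """Site LANs must not overlap, or selector matching becomes ambiguous."""
    nets = [(s, ip_network(n)) for s, n in sites.items()]
    return [f"{a} overlaps {b}" for i, (a, na) in enumerate(nets)
            for b, nb in nets[i + 1:] if na.overlaps(nb)]


def weak_psks(conns, min_len=20):
    """Example rule: flag PSKs shorter than min_len or made only of digits."""
    return [c.name for c in conns if len(c.psk) < min_len or c.psk.isdigit()]


def tunnel_path(src, dst, conns=CONNECTIONS, sites=SITES):
    """Follow selector matching site by site and return the tunnel names a
    packet from src to dst traverses, or None if no selector chain reaches dst."""
    src, dst = ip_address(src), ip_address(dst)
    site_of_ep = {c.local_ep: c.site for c in conns}
    site = next((s for s, n in sites.items() if src in ip_network(n)), None)
    hops = []
    for _ in range(len(conns) + 1):  # bounded: more hops than tunnels means a cycle
        if site not in sites:
            return None
        if dst in ip_network(sites[site]):
            return hops
        nxt = next((c for c in conns if c.site == site
                    and any(src in ip_network(n) for n in c.local_nets)
                    and any(dst in ip_network(n) for n in c.remote_nets)), None)
        if nxt is None:
            return None
        hops.append(nxt.name)
        site = site_of_ep.get(nxt.remote_ep)
    return None


if __name__ == "__main__":
    for p in check_mirrors(CONNECTIONS) + check_spoke_coverage(CONNECTIONS) + check_overlap():
        print("PROBLEM:", p)
    print("placeholder PSK on:", weak_psks(CONNECTIONS))
    print("Houston -> Dallas via:", tunnel_path("192.168.2.10", "192.168.3.10"))
```

For the article's configuration the checks report no problems, the placeholder PSK is flagged on all four connections, and a packet from Houston to Dallas is shown traversing Houston_to_NY and then NY_to_Dallas. If 192.168.2.0/24 is dropped from the local subnets of NY_to_Dallas on the hub, the hop simulation returns None (the packet reaches the hub but matches no outbound tunnel) and the mirror check reports the mismatch on both NY_to_Dallas and Dallas_to_NY.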
 
                                                                                                                                                                                                                                       
Document Version: 3.2 - 25 October, 2016

Article ID: 2260