Establish IPSec Connection between Cyberoam and Palo Alto
Applicable Cyberoam Version: 10.00 onwards
Applicable PAN OS Version: 5.0.8 onwards

Scenario

This article demonstrates how to set up a Site-to-Site IPSec VPN connection between Cyberoam and Palo Alto, using a preshared key to authenticate the VPN peers. Throughout the article we have used the network parameters from the diagram below (the diagram is not reproduced here; the addresses it carried are repeated from the configuration tables):

- Cyberoam WAN (PortB): 172.16.1.1
- Palo Alto WAN (ethernet1/1): 172.16.1.2/24
- Cyberoam LAN: 172.16.16.0/24
- Palo Alto LAN: 10.10.10.0/27 (the network Cyberoam is configured to reach)

Both endpoints have static public addresses, so IKEv1 Main Mode with a preshared key is used. The preshared key must be identical on both appliances; use a long random string rather than a word, because with preshared-key authentication the key is the only thing that authenticates the two peers.

Palo Alto Configuration

You must be logged on to the Web Admin Console as an administrator with Read-Write permission for relevant feature(s).

Step 1: Configure IKE Gateway or Phase 1 Parameters

Go to Network > Network Profiles > IKE Gateways and configure the parameters as shown below.

Name: fd-wv-fw01
Interface: ethernet1/1
Local IP Address: 172.16.1.2/24
Peer Type: Static
Peer IP Address: 172.16.1.1
Pre-shared Key / Confirm Pre-shared Key: <Pre-shared key>
Exchange Mode: auto
IKE Crypto Profile: g5-sha1-aes256-28800

The IKE Crypto Profile name encodes the Phase 1 proposal: DH group 5, SHA1, AES-256 and a 28800-second lifetime. If a profile with these values does not exist yet, create it under Network Profiles > IKE Crypto first; the Cyberoam Phase 1 policy later in this article uses exactly the same values. Exchange Mode "auto" lets Palo Alto respond to either Main or Aggressive Mode; Cyberoam is configured for Main Mode below, which is the right choice with preshared keys because Aggressive Mode sends the authentication hash unencrypted.

Click OK to save the gateway.

Step 2: Configure IPSec Phase 2 Parameters

Go to Network > Network Profiles > IPSec Crypto and create a profile named esp-aes256-sha1-g5-3600 with the parameters encoded in its name (screenshot not reproduced):

IPSec Protocol: ESP
Encryption: aes256
Authentication: sha1
DH Group: group5 (PFS)
Lifetime: 3600 seconds

These are the Phase 2 values the Cyberoam policy must match exactly; Phase 1 can complete and Phase 2 still fail if any of them differ.

Step 3: Define Monitor Profile

Go to Network > Network Profiles > Monitor and define a Monitor profile named Default-mon (screenshot not reproduced). A monitor profile sets the action taken when the tunnel monitor's pings fail (Wait Recover or Fail Over) together with the ping interval and failure threshold; choose values that suit your site.

Click OK to create the Monitor Profile.

Step 4: Configure IPSec VPN Tunnel

Go to Network > IPSec Tunnels and create an IPSec Tunnel as shown below.

Name: fd-wv-fw01
Tunnel Interface: tunnel.1
Type: Auto Key
IKE Gateway: fd-wv-fw01 (created in step 1)
IPSec Crypto Profile: esp-aes256-sha1-g5-3600 (created in step 2)
Enable Replay Protection: Enable
Tunnel Monitor: Enable
Tunnel Monitor Destination IP: 192.168.121.1
Tunnel Monitor Profile: Default-mon (created in step 3)

Keep Replay Protection enabled; it is what stops captured ESP packets from being replayed into the tunnel. The tunnel monitor sends pings from tunnel.1 to the Destination IP, so tunnel.1 must carry an IP address and the destination must be a host that is routed into tunnel.1 and lies inside the remote network of the Proxy ID added in step 5; otherwise the pings never enter the tunnel and the monitor reports the tunnel down. The value 192.168.121.1 is taken from the original article and is not inside the Cyberoam LAN 172.16.16.0/24 used elsewhere in it, so check the destination against your own addressing.

Click OK to create the tunnel.

Step 5: Add Proxy ID

Go to Network > IPSec Tunnels > fd-wv-fw01 > Proxy IDs and add a Proxy ID (screenshot not reproduced). Cyberoam negotiates the tunnel with policy-based selectors, so the Proxy ID must mirror the Cyberoam local and remote networks exactly:

Local: 10.10.10.0/27 (the Palo Alto LAN)
Remote: 172.16.16.0/24 (the Cyberoam LAN)
Protocol: Any

If the Proxy ID and the Cyberoam subnets do not mirror each other, Phase 1 completes but Phase 2 fails and the Palo Alto system log records a proxy-ID mismatch.

Step 6: Create Route for VPN Traffic

Go to Network > Virtual Routers > default > Static Routes > IPv4 and add a route for the Cyberoam LAN (screenshot not reproduced): Destination 172.16.16.0/24, Interface tunnel.1, no next hop. Without this route, traffic for the Cyberoam LAN follows the default route to the Internet instead of entering the tunnel.
Step 7: Define Firewall Rule to allow VPN traffic

Define a Security Policy rule that allows traffic between the zone containing the Palo Alto LAN and the zone assigned to tunnel.1 (screenshot not reproduced). Place tunnel.1 in its own zone rather than in the Internet-facing zone, so the rule can be limited to the two LAN subnets (source 10.10.10.0/27 to destination 172.16.16.0/24, and the reverse) instead of permitting everything that arrives from the untrusted zone.

Cyberoam Configuration

After configuring the VPN connection on Palo Alto, configure the matching IPSec connection on Cyberoam by following the steps below. The configuration is done from the Cyberoam Web Admin Console using a profile with read-write administrative rights over the relevant features.

Step 1: Create VPN Policy

Go to VPN > Policy > Policy and click Add to add a new policy with the parameters given below.

Name: CR_PA
    A name to identify the VPN Policy.

Allow Re-Keying: Enable
    Start the negotiation for a new key automatically before the current key expires.

Key Negotiation Tries: 3
    Maximum number of key negotiation attempts. Set 0 for an unlimited number of attempts.

Authentication Mode: Main Mode
    Mode used for exchanging authentication information. Available options: Main Mode, Aggressive Mode. Main Mode is used here because both peers have static addresses; it protects the peer identities and, unlike Aggressive Mode, does not expose the preshared-key authentication hash to anyone capturing the exchange.

Pass Data in Compressed Format: Enable
    Pass data in compressed format to increase throughput.

Phase 1

Encryption Algorithm: AES256
    Encryption algorithm that protects the confidentiality of the Phase 1 exchange. Must match the Encryption of the Palo Alto IKE Crypto profile (g5-sha1-aes256-28800).

Authentication Algorithm: SHA1
    Hash algorithm that protects the integrity of the Phase 1 exchange. Must match the Authentication of the Palo Alto IKE Crypto profile.

DH Group (Key Group): 5 (DH1536)
    Diffie-Hellman group (1, 2, 5, 14, 15 or 16) used for the Phase 1 key exchange; the number in brackets is the size of the DH modulus in bits, not the encryption key length. Must match the DH Group of the Palo Alto IKE Crypto profile. Groups 1 and 2 are too small to be used today; prefer group 14 or higher wherever both ends support it.

Key Life: 28800
    Key Life in seconds: how long the Phase 1 key may be used before it expires.

Re-Key Margin: 120
    Seconds before key expiry at which the renegotiation is started, so the key is replaced without interrupting the communication.

Randomize Re-Keying Margin By: 0
    Amount by which the re-keying time is randomized.

Dead Peer Detection: Enable
    Check at regular intervals whether the peer is still live.

Phase 2

Encryption Algorithm: AES256
    Encryption algorithm that protects the confidentiality of the tunnelled data. Must match the Encryption of the Palo Alto IPSec Crypto profile (esp-aes256-sha1-g5-3600); a cipher mismatch here lets Phase 1 complete but makes Phase 2 fail.

Authentication Algorithm: SHA1
    Hash algorithm that protects the integrity of the tunnelled data. Must match the Authentication of the Palo Alto IPSec Crypto profile.

PFS Group (DH Group): Same as Phase-1
    Diffie-Hellman group (1, 2, 5, 14, 15 or 16) used for Perfect Forward Secrecy in Phase 2. "Same as Phase-1" gives group 5 here, matching the DH Group of the Palo Alto IPSec Crypto profile.

Key Life: 3600
    Phase 2 Key Life in seconds. Matches the 3600-second lifetime of the Palo Alto IPSec Crypto profile.

Click OK to save the policy.

Step 2: Configure IPSec Connection

Go to VPN > IPSec > Connection and click Add to create a new connection using the parameters given below.

Name: CR_to_PA
    Name to identify the IPSec Connection.

Connection Type: Site to Site
    Type of connection. Available options: Remote Access, Site to Site, Host to Host.

Policy: CR_PA (created in step 1)
    Policy to be used for the connection.

Action on VPN Restart: Initiate
    Action for the connection when the VPN service restarts. Available options: Respond Only, Initiate, Disable. Initiate makes Cyberoam bring the tunnel up on its own rather than waiting for Palo Alto.

Authentication details

Authentication Type: Preshared Key
    Authentication type. The options available depend on the connection type.

Preshared Key: <the same key configured on the Palo Alto IKE gateway above>
    Preshared Key to be used. It must be identical on both appliances.

Endpoints Details

Local: PortB - 172.16.1.1
    Local port that acts as the end-point of the tunnel.

Remote: 172.16.1.2
    Remote peer address (the Palo Alto ethernet1/1 address) that acts as the other end-point of the tunnel.

Local Network Details

Local Subnet: 172.16.16.0/24
    Local LAN address. Add and remove LAN addresses using the Add and Remove buttons.

Remote Network Details

Remote LAN Network: 10.10.10.0/27
    The network behind Palo Alto. Together with the Local Subnet, this must mirror the Proxy ID configured on Palo Alto (local 10.10.10.0/27, remote 172.16.16.0/24).

Click OK to create the connection.

Step 3: Activate IPSec Connection

Go to VPN > IPSec > Connection and click the icons under the Active and Connection headings against the CR_to_PA connection created in step 2.

The indicator under Active shows that the connection is successfully activated.

The indicator under Connection shows that the connection is successfully established.

On the Palo Alto side, the Status column under Network > IPSec Tunnels shows the same state; on the PAN-OS CLI, "show vpn ike-sa gateway fd-wv-fw01" lists the Phase 1 SA and "show vpn ipsec-sa tunnel fd-wv-fw01" the Phase 2 SA, and the Monitor > System log records the reason when either phase fails.

Step 4: Create LAN-VPN Firewall Rules

Create appropriate LAN to VPN and VPN to LAN firewall rules to allow traffic over the VPN tunnel. Limit them to the two LAN subnets (172.16.16.0/24 and 10.10.10.0/27) and to the services actually needed rather than allowing any traffic between the zones.
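As a check a practitioner would run before activating the connection, the following is an added example (not part of the original article and not code from Cyberoam or Palo Alto) that cross-checks the parameters configured on the two appliances: peer addresses, the Phase 1 and Phase 2 proposals, the mirroring of the Proxy ID against the Cyberoam subnets, and the tunnel-monitor destination. The dictionaries are constructed by hand from this article's values; the Cyberoam Phase 2 encryption is deliberately set to 3DES in the sample to show how a proposal mismatch is reported, and the tunnel-monitor check assumes the monitored host is meant to be reached through this tunnel, so it must lie inside a remote proxy-ID network.

```python
"""Cross-check the two ends of a Cyberoam <-> Palo Alto IPSec tunnel.

Both dictionaries are constructed from the article's tables, not exported from
either appliance. Lifetimes are reported as warnings only: IKEv1 peers tolerate
different lifetimes and use the shorter one.
"""
import ipaddress

# Palo Alto side: IKE gateway fd-wv-fw01 and tunnel fd-wv-fw01.
PALO_ALTO = {
    "local_ip": "172.16.1.2",
    "peer_ip": "172.16.1.1",
    "phase1": {"enc": "aes256", "auth": "sha1", "dh": 5, "life": 28800},  # g5-sha1-aes256-28800
    "phase2": {"enc": "aes256", "auth": "sha1", "dh": 5, "life": 3600},   # esp-aes256-sha1-g5-3600
    "local_subnets": ["10.10.10.0/27"],    # proxy-ID local (assumed: the LAN behind Palo Alto)
    "remote_subnets": ["172.16.16.0/24"],  # proxy-ID remote (the Cyberoam LAN)
    "monitor_dst": "192.168.121.1",        # tunnel-monitor destination as printed in the article
}

# Cyberoam side: policy CR_PA and connection CR_to_PA. Phase 2 encryption is
# set to 3des on purpose so the sample run shows a proposal mismatch being caught.
CYBEROAM = {
    "local_ip": "172.16.1.1",
    "peer_ip": "172.16.1.2",
    "phase1": {"enc": "aes256", "auth": "sha1", "dh": 5, "life": 28800},
    "phase2": {"enc": "3des", "auth": "sha1", "dh": 5, "life": 3600},
    "local_subnets": ["172.16.16.0/24"],
    "remote_subnets": ["10.10.10.0/27"],
}


def _nets(cidrs):
    """Parse CIDR strings into a set of networks (strict: host bits must be zero)."""
    return {ipaddress.ip_network(c, strict=True) for c in cidrs}


def check_tunnel(pa, cr):
    """Return a list of findings; an empty list means the two ends agree."""
    findings = []

    # 1. Each side's peer address must be the other side's local address.
    if pa["peer_ip"] != cr["local_ip"] or cr["peer_ip"] != pa["local_ip"]:
        findings.append("error: peer/local IKE addresses do not cross-reference")

    # 2. Phase 1 and Phase 2 must agree on cipher, hash and DH/PFS group.
    for phase in ("phase1", "phase2"):
        for param in ("enc", "auth", "dh"):
            if pa[phase][param] != cr[phase][param]:
                findings.append(
                    f"error: {phase} {param} mismatch: "
                    f"Palo Alto={pa[phase][param]} Cyberoam={cr[phase][param]}"
                )
        if pa[phase]["life"] != cr[phase]["life"]:
            findings.append(f"warning: {phase} lifetime differs (the shorter value is used)")

    # 3. Proxy IDs must mirror: PA local == CR remote and PA remote == CR local.
    if _nets(pa["local_subnets"]) != _nets(cr["remote_subnets"]):
        findings.append("error: Palo Alto proxy-ID local networks != Cyberoam remote networks")
    if _nets(pa["remote_subnets"]) != _nets(cr["local_subnets"]):
        findings.append("error: Palo Alto proxy-ID remote networks != Cyberoam local networks")

    # 4. The tunnel-monitor target must lie inside a remote proxy-ID network;
    #    otherwise its pings never match the Phase 2 SA and the tunnel is declared down.
    dst = ipaddress.ip_address(pa["monitor_dst"])
    if not any(dst in net for net in _nets(pa["remote_subnets"])):
        findings.append(
            f"error: tunnel monitor destination {dst} is outside every remote proxy-ID network"
        )

    return findings


def errors_only(findings):
    """Filter out warnings; anything left will stop the tunnel from coming up."""
    return [f for f in findings if f.startswith("error:")]


if __name__ == "__main__":
    for finding in check_tunnel(PALO_ALTO, CYBEROAM):
        print(finding)
```

Run it once against the values you actually entered on both boxes; every "error:" line corresponds to a failure you would otherwise have to diagnose from the Cyberoam VPN log or the Palo Alto system log after activation.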

Document Version: 1.0 – 16 July, 2015

Article ID: 3137