Cyberoam VPN Config

5/21/2018 Cyberoam VPN Config

Establish Site-to-Site IPSec Connection using Preshared Key

Applicable Version: 10.00 onwards

Overview

IPSec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite. It is used to protect data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host).

Cyberoam's IPSec VPN offers cost-effective site-to-site remote connectivity, eliminating the need for expensive private remote access networks like leased lines, Asynchronous Transfer Mode (ATM) and Frame Relay. This article describes a detailed configuration example that demonstrates how to set up a site-to-site IPSec VPN connection between two networks using a preshared key to authenticate the VPN peers.

Scenario

Configure a site-to-site IPSec VPN connection between Site A and Site B by following the steps given below. In this article, we have used the following parameters to create the VPN connection.

Network Parameters

Local Network details
  Local Server (WAN IP address)       14.15.16.17
  Local LAN address                   10.5.6.0/24

Remote Network details
  Remote VPN server (WAN IP address)  22.23.24.25
  Remote LAN Network                  172.23.9.0/24

Site A Configuration

The configuration is to be done from Site A's Cyberoam Web Admin Console using a profile having read-write administrative rights for the relevant feature(s).

Step 1: Create IPSec Connection

To create a new IPSec connection, go to VPN > IPSec > Connection and click Add. Create the connection using the following parameters.

Parameter Description

Parameter               Value                Description
Name                    SiteA_to_SiteB       Name to identify the IPSec Connection
Connection Type         Site to Site         Select the type of connection. Available options: Remote Access, Site to Site, Host to Host
Policy                  DefaultHeadOffice    Select the policy to be used for the connection
Action on VPN Restart   Respond Only         Select the action for the connection. Available options: Respond Only, Initiate, Disable

Authentication details
Authentication Type     Preshared Key        Select the Authentication Type. Authentication of the user depends on the connection type.
Preshared Key           123456789            The preshared key should be the same as that configured on the remote site.

Endpoints Details
Local                   PortB-14.15.16.17    Select the local port which acts as the end-point of the tunnel
Remote                  22.23.24.25          Specify the IP address of the remote endpoint.

Local Network Details
Local Subnet            10.5.6.0/24          Select the Local LAN Address. Add and remove LAN addresses using the Add and Remove buttons.

Remote Network Details
Remote LAN Network      172.23.9.0/24        Select the Remote LAN Address. Add and remove LAN addresses using the Add and Remove buttons.

Click OK to create the IPSec connection.

Step 2: Activate Connection

On clicking OK, the following screen is displayed showing the connection created above.

Click under Status (Active) to activate the connection.

Site B Configuration

The configuration is to be done from Site B's Cyberoam Web Admin Console using a profile having read-write administrative rights for the relevant feature(s).

Step 1: Create IPSec Connection

To create a new IPSec connection, go to VPN > IPSec > Connection and click Add. Create the connection using the following parameters.

Parameter Description

Parameter               Value                Description
Name                    SiteB_to_SiteA       Name to identify the IPSec Connection
Connection Type         Site to Site         Select the type of connection. Available options: Remote Access, Site to Site, Host to Host
Policy                  DefaultBranchOffice  Select the policy to be used for the connection
Action on VPN Restart   Initiate             Select the action for the connection. Available options: Respond Only, Initiate, Disable

Authentication details
Authentication Type     Preshared Key        Select the Authentication Type. Authentication of the user depends on the connection type.
Preshared Key           123456789            The preshared key should be the same as that configured on the remote site.

Endpoints Details
Local                   PortB-22.23.24.25    Select the local port which acts as the end-point of the tunnel
Remote                  14.15.16.17          Specify the IP address of the remote endpoint.

Local Network Details
Local Subnet            172.23.9.0/24        Select the Local LAN Address. Add and remove LAN addresses using the Add and Remove buttons.

Remote Network Details
Remote LAN Network      10.5.6.0/24          Select the Remote LAN Address. Add and remove LAN addresses using the Add and Remove buttons.

Step 2: Activate and Establish Connection

On clicking OK, the following screen is displayed showing the connection created above.

Click under Status (Active) and Status (Connection).

The above configuration establishes an IPSec connection between the Two (2) sites.

Note:

Make sure that Firewall Rules that allow LAN to VPN and VPN to LAN traffic are configured.

In a Head Office and Branch Office setup, usually the Branch Office acts as the tunnel initiator and the Head Office acts as the responder, for the following reasons:

- Since Branch Offices or other remote sites have dynamic IPs, the Head Office is not able to initiate the connection.
- As there can be many Branch Offices, to reduce the load on the Head Office it is good practice that the Branch Offices retry the connection instead of the Head Office retrying all the branch office connections.
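The two parameter tables above must mirror each other exactly (endpoints and subnets swapped, identical preshared key, one initiator and one responder) or the tunnel never comes up. The following script is an added illustration, not Cyberoam code: it models both sites' settings from the article as dictionaries and reports the mismatches a practitioner would otherwise find by reading both consoles side by side. The MIN_PSK_LEN threshold is an assumption of this example, not a Cyberoam requirement; the article's key 123456789 is only a placeholder and fails that check deliberately.

```python
"""Mirror check for a site-to-site IPSec connection pair.

Added example (not Cyberoam code). Verifies that the Site A and Site B
connection definitions from the article mirror each other before the
tunnel is activated. MIN_PSK_LEN is an assumption of this example.
"""
import ipaddress

# Constructed from the Site A and Site B parameter tables in the article.
SITE_A = {
    "name": "SiteA_to_SiteB",
    "action_on_restart": "Respond Only",
    "psk": "123456789",
    "local_endpoint": "14.15.16.17",
    "remote_endpoint": "22.23.24.25",
    "local_subnets": ["10.5.6.0/24"],
    "remote_subnets": ["172.23.9.0/24"],
}
SITE_B = {
    "name": "SiteB_to_SiteA",
    "action_on_restart": "Initiate",
    "psk": "123456789",
    "local_endpoint": "22.23.24.25",
    "remote_endpoint": "14.15.16.17",
    "local_subnets": ["172.23.9.0/24"],
    "remote_subnets": ["10.5.6.0/24"],
}

MIN_PSK_LEN = 20  # assumption for this example, not a Cyberoam limit


def _nets(cidrs):
    """Parse CIDR strings; strict=True rejects host bits set in the prefix."""
    return {ipaddress.ip_network(c, strict=True) for c in cidrs}


def check_pair(a, b):
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []
    if a["psk"] != b["psk"]:
        problems.append("preshared keys differ")
    if (a["remote_endpoint"] != b["local_endpoint"]
            or b["remote_endpoint"] != a["local_endpoint"]):
        problems.append("endpoint addresses are not mirrored")
    if (_nets(a["local_subnets"]) != _nets(b["remote_subnets"])
            or _nets(a["remote_subnets"]) != _nets(b["local_subnets"])):
        problems.append("local/remote subnets are not mirrored")
    # Overlapping local and remote subnets produce ambiguous routing.
    for local in _nets(a["local_subnets"]):
        for remote in _nets(a["remote_subnets"]):
            if local.overlaps(remote):
                problems.append(f"subnets overlap: {local} and {remote}")
    # The note in the article: one side initiates, the other responds.
    initiators = [s["name"] for s in (a, b) if s["action_on_restart"] == "Initiate"]
    if len(initiators) != 1:
        problems.append("expected exactly one side to Initiate, got %d" % len(initiators))
    psk = a["psk"]
    if len(psk) < MIN_PSK_LEN or psk.isdigit():
        problems.append("preshared key is short or all-digit; use a long random key")
    return problems


if __name__ == "__main__":
    for issue in check_pair(SITE_A, SITE_B):
        print("-", issue)
```

Run against the article's values it reports only the placeholder key; swap one subnet or mistype the key on one side and the corresponding mismatch is listed.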

Allow download of specific file types from selected website(s) only

Applicable to Version: 10.00 onwards

Scenario

Allow file type categories like .mpeg, .mp3, .exe for the website www.example.com, while blocking these file types for other websites.

Prerequisite

Web and Application Filter Module subscribed.

Configuration

You must be logged on to the Web Admin Console as an administrator with Read-Write permission for the relevant feature(s).

Step 1: Create a Custom Web Category

Create a Custom Web Category to add the required URL: www.example.com. To create a web category, go to Web Filter > Category > Category and click Add to create a new category. Specify the category parameters along with the Domain value as www.example.com, as shown in the screen below.

Click OK and the Custom Web Category AllowFileDownload will be created successfully.

Step 2: Create Web Filter Policy

Go to Web Filter > Policy > Policy and click Add to create a new Web Filter Policy named Example_Custom as shown in the diagram below.

Click OK and the Web Filter Policy Example_Custom will be created successfully.

Step 3: Configure Rules for Web Filter Policy

Select the Policy Example_Custom created in Step 2 and click Add to add the Web Filter Policy Rules.

Specify the Web Filter Policy Rules as shown in the tables below.

Rule 1

Here file type categories like .mpeg, .mp3, .exe are blocked for all sites.

Parameter               Value                                        Description
Category Type           File Type                                    Select the Category Type for which the rule is to be added.
Category                Video Files, Audio Files, Executable Files   Select the categories which you want to deny for all sites.
HTTP and HTTPS Action   Deny                                         Select the HTTP and HTTPS action.
Schedule                All the time                                 Select the Schedule for the categories selected.

Click Add and the Web Filter Policy Rule will be added successfully.

Rule 2

Here file type categories like .mpeg, .mp3, .exe are blocked for all sites, but all these file types are allowed for www.example.com.

Parameter               Value                Description
Category Type           Web Category         Select Web Category from the list of available categories.
Category                AllowFileDownload    Select the category AllowFileDownload created in Step 1.
HTTP and HTTPS Action   Allow                Select the HTTP and HTTPS action.
Schedule                All the time         Select the Schedule for the categories selected.

Click Add and the Web Filter Policy Rule will be added successfully.

Note:

The AllowFileDownload category rule should be on top, as rules are executed in top-to-bottom sequence.
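The ordering note is easy to get wrong because the two rules overlap on www.example.com. The following evaluator is an added example, not Cyberoam code: it models the two rules from Step 3 as first-match entries and shows that the same download is allowed or denied purely depending on which rule sits on top. The extension lists behind the file-type categories and the default action for traffic that matches no rule are assumptions of this example.

```python
"""First-match evaluation of Web Filter Policy rules.

Added example (not Cyberoam code). Models the two rules of the
Example_Custom policy from the article and evaluates URLs top to bottom,
first match wins. Extension lists and the default action are assumptions.
"""
from urllib.parse import urlparse

# Custom Web Category from Step 1: category name -> set of domains.
CUSTOM_WEB_CATEGORIES = {"AllowFileDownload": {"www.example.com"}}

# File Type categories -> file extensions (assumed mapping for this example).
FILE_TYPE_CATEGORIES = {
    "Video Files": {".mpeg", ".mpg", ".avi"},
    "Audio Files": {".mp3", ".wav"},
    "Executable Files": {".exe", ".msi"},
}

# The two rules from Step 3 (Schedule "All the time" is treated as always on).
RULE_DENY_FILE_TYPES = {
    "category_type": "File Type",
    "categories": ["Video Files", "Audio Files", "Executable Files"],
    "action": "Deny",
}
RULE_ALLOW_EXAMPLE_COM = {
    "category_type": "Web Category",
    "categories": ["AllowFileDownload"],
    "action": "Allow",
}


def rule_matches(rule, url):
    """True when the URL falls into any category the rule lists."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    if rule["category_type"] == "Web Category":
        return any(host in CUSTOM_WEB_CATEGORIES.get(c, set())
                   for c in rule["categories"])
    if rule["category_type"] == "File Type":
        return any(path.endswith(ext)
                   for c in rule["categories"]
                   for ext in FILE_TYPE_CATEGORIES.get(c, set()))
    return False


def evaluate(rules, url, default_action="Allow"):
    """Rules are checked top to bottom; the first matching rule decides."""
    for rule in rules:
        if rule_matches(rule, url):
            return rule["action"]
    return default_action


# Order as the note recommends: the custom web category rule on top.
POLICY_EXAMPLE_CUSTOM = [RULE_ALLOW_EXAMPLE_COM, RULE_DENY_FILE_TYPES]
# The same two rules in the wrong order, for comparison.
POLICY_WRONG_ORDER = [RULE_DENY_FILE_TYPES, RULE_ALLOW_EXAMPLE_COM]


if __name__ == "__main__":
    for url in ("http://www.example.com/setup.exe", "http://files.example.net/song.mp3"):
        print(url, "correct order:", evaluate(POLICY_EXAMPLE_CUSTOM, url),
              "wrong order:", evaluate(POLICY_WRONG_ORDER, url))
```

With the deny rule on top, the file-type match fires first for every host and the www.example.com exception is never reached; with the custom category on top, example.com traffic is allowed and all other hosts still fall through to the deny rule.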

Step 4: Apply Policy to Firewall Rule or User/User Group

Firewall Rule

You can apply the policy through a Firewall Rule such that it is applied on all traffic that hits that rule. To create a Firewall Rule, go to Firewall > Rule > IPv4 Rule and click Add. As shown below, apply the Policy created in Step 1.

Click OK to apply the Firewall Rule.

User/User Group

You can apply the rule to individual users or user groups. Here, as an example, we have applied the rule on a user named John Smith. To apply the policy on an individual user, go to Identity > Users > Users and select the user on whom the policy is to be applied, i.e., John Smith. As shown below, apply the Policy created in Step 1.

Click OK to apply the policy on the user.

Configure Gateway Load Balancing and Failover

Applicable to Version: 10.00 onwards

Overview

Today organizations require stable, redundant and fast ISP links to run business-critical applications. To achieve constant and secure availability of the Internet and to avoid a single point of failure in the network, organizations prefer to have multiple ISP links. Multiple ISP links allow the network administrator to configure failover and load balancing over the Internet links.

Cyberoam supports Load Balancing and Failover for multiple ISP links based on the number of WAN ports available in the Appliance. You can terminate multiple ISP links on the available physical interfaces of Cyberoam in the form of Gateways. A Gateway can be configured as an Active or a Backup Gateway. The Gateways can be set up in Two (2) ways:

Active-Active: Here, all Gateways are in the Active state and traffic is load balanced between all Active Gateways. By default, Cyberoam adds a new gateway as an Active Gateway. Hence, Load Balancing is automatically enabled between the existing and newly added links. Cyberoam employs a weighted round robin algorithm for load balancing to enable maximum utilization of the capacities across the various links.

Active-Backup: Here, One (1) or more Gateways are configured as Backup. This setup allows the Administrator to configure Gateway Failover if any active gateway goes down.

Note:

Load Balancing and Failover are supported for both IPv4 and IPv6 traffic. Load Balancing or Failover can be done between Two (2) IPv4 gateways or Two (2) IPv6 gateways.

Scenario

Consider the hypothetical network in which one ISP link is terminated on Port B and the Administrator wants to terminate another ISP link on Port D.

IP Schema

The following IP schema is configured on Cyberoam.

Parameter          Value
Port A
  IP Address       10.10.1.1
  Subnet Mask      255.255.255.0
  Zone             LAN
Port B
  IP Address       172.16.16.1
  Subnet Mask      255.252.240.0
  Zone             WAN
  Gateway Details
    ISP Name       Default
    IP Address     172.16.16.15
Port C
  IP Address       10.10.10.1
  Subnet Mask      255.255.255.0
  Zone             DMZ
Port D
  Port D is an unbound port, so the zone type for Port D is set to N/A
DNS Configuration
  Primary DNS      4.2.2.2

This article is divided into the following Three (3) sections:

- Add a New Gateway
- Configure Load Balancing
- Configure Gateway Failover

Prerequisites

An unbound physical port should be available on Cyberoam. An unbound port is one which is not assigned to any security zone.

Add a New Gateway

You must be logged on to the Web Admin Console as an administrator with Read-Write permission for the relevant feature(s).

To add a gateway, go to Network > Interface > Interface and configure an unbound physical port according to the parameters given below. Here, as an example, we have configured Port D.

Parameter            Value                  Description
General Settings
Physical Interface   PortD                  Physical Interface, for example Port A, Port B
Network Zone         WAN                    Select the Zone to which the Interface belongs.
IP Assignment        Static                 Select the IP Assignment type. Available options: Static (static IP addresses are available for all zones); PPPoE (available only for the WAN Zone; if PPPoE is configured, the WAN port is displayed as the PPPoE Interface); DHCP (available only for the WAN Zone).
IP Address           10.10.2.1              Specify the IP Address.
Subnet Mask          /24 (255.255.255.0)    Specify the Network Subnet mask.
Primary DNS          203.88.135.194         Specify the Primary DNS Server IP Address.
Secondary DNS        4.2.2.2                Specify the Secondary DNS Server IP Address.
Gateway Details
Gateway Name         PortD_Gateway          Specify the Gateway Name
IP Address           10.10.2.19             Specify the IP Address of the Gateway

Click OK to update the interface.

On updating the interface, the gateway is added to the list of Gateways in Network > Gateway > Gateway.

Configure Load Balancing

Cyberoam allows Load Balancing between 2 or more Active-Active Gateways. By default, Cyberoam adds a new gateway as an Active Gateway. Hence, Load Balancing is automatically enabled between the existing and newly added links.

A Weighted Round Robin algorithm is used for load balancing, wherein each link is assigned a weight. The traffic that Cyberoam distributes among the links is in proportion to the weight assigned to them.

To assign a weight to a Link, go to Network > Gateway > Gateway and select the required Gateway.

Mention the Weight, as shown below, and click OK.

Configure Gateway Failover

Cyberoam allows Gateway Failover in both Active-Active and Active-Backup setups.

In an Active-Active setup, if any one of the active gateways fails, the traffic is redirected to another active gateway. The Administrator can specify Failover Conditions to indicate how a failed gateway is to be detected.

In an Active-Backup setup, one or more of the gateways are configured as backup gateways. If an Active Gateway fails, the traffic can be redirected to a backup gateway, ensuring Internet continuity.

Configure Backup Gateway

You can configure a gateway as a Backup gateway by following the steps below.

1. Go to Network > Gateway > Gateway and select the required Gateway.
2. Select Gateway Type as Backup and configure the Backup Gateway Details as shown below.

Click OK to save the changes.

This setup indicates that if any Active Gateway fails, PortD_Gateway would get activated and would inherit the weight of the failed gateway.

Configure Failover Condition

By default, on adding a gateway, Cyberoam adds a Failover Rule indicating that if Cyberoam is not able to PING the gateway, it would be considered down, as shown below.

Click Add to add another rule, or Edit to change the existing rule. Here, as an example, we have added a Rule that indicates that if Cyberoam is not able to PING the Gateway 172.16.16.15 and establish a TCP connection on port 80 with 4.2.2.2, the gateway will be considered down.

Click OK to save the Gateway Failure Rule.

During a link failure, Cyberoam regularly checks the health of the given connection, assuring fast reconnection when Internet service is restored.

When the connection is restored and the gateway is up again, traffic is rerouted through the Active gateway automatically.
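The Configure Load Balancing and Configure Gateway Failover sections above describe three interacting behaviours: traffic is split in proportion to gateway weight, a gateway is declared down when its failover rule fails, and a Backup gateway then takes over with the failed gateway's weight. The following model is an added example, not Cyberoam code, that puts the three together on the gateways from the IP schema (Default on 172.16.16.15 and PortD_Gateway on 10.10.2.19, with the article's PING plus TCP-80 rule). The gateway weights, the probe outcomes, the reading of the failover rule as "down only when every probe fails", and the use of a smooth weighted round robin scheduler are assumptions of this example; the appliance's own scheduler internals are not described in the article.

```python
"""Weighted round robin across gateways with backup failover.

Added example (not Cyberoam code). Models the behaviour described in the
Configure Load Balancing and Configure Gateway Failover sections. Weights,
probe results and the scheduler choice are assumptions of this example.
"""
from dataclasses import dataclass, field


@dataclass
class Probe:
    kind: str       # "ping" or "tcp"
    target: str     # host to probe
    port: int = 0   # TCP port (0 for ping)


@dataclass
class Gateway:
    name: str
    ip: str
    weight: int
    gw_type: str = "Active"   # "Active" or "Backup"
    failover_rule: list = field(default_factory=list)
    up: bool = True
    effective_weight: int = 0


def gateway_is_down(gw, probe_results):
    """Failover rule as read from the article's example: the gateway is down
    when Cyberoam can neither PING it nor open the TCP connection, i.e. when
    every probe in the rule fails. probe_results maps (kind, target, port)
    to True/False and stands in for real ICMP/TCP checks."""
    if not gw.failover_rule:
        return False
    return not any(probe_results.get((p.kind, p.target, p.port), False)
                   for p in gw.failover_rule)


def apply_failover(gateways, probe_results):
    """Recompute which gateways carry traffic; returns the names that are up."""
    actives = [g for g in gateways if g.gw_type == "Active"]
    backups = [g for g in gateways if g.gw_type == "Backup"]
    failed = []
    for g in actives:
        g.up = not gateway_is_down(g, probe_results)
        g.effective_weight = g.weight if g.up else 0
        if not g.up:
            failed.append(g)
    # A Backup gateway activates only while an Active gateway is down and
    # inherits that gateway's weight; otherwise it stays idle.
    for backup, dead in zip(backups, failed):
        backup.up, backup.effective_weight = True, dead.weight
    for backup in backups[len(failed):]:
        backup.up, backup.effective_weight = False, 0
    return sorted(g.name for g in gateways if g.up)


def distribute(gateways, n_flows):
    """Smooth weighted round robin over the gateways that are up; returns
    how many of n_flows each gateway receives."""
    live = [g for g in gateways if g.up and g.effective_weight > 0]
    if not live:
        return {}
    total = sum(g.effective_weight for g in live)
    current = {g.name: 0 for g in live}
    counts = {g.name: 0 for g in live}
    for _ in range(n_flows):
        for g in live:
            current[g.name] += g.effective_weight
        chosen = max(live, key=lambda g: current[g.name])
        current[chosen.name] -= total
        counts[chosen.name] += 1
    return counts


# Failover rule from the article: PING 172.16.16.15 and TCP port 80 to 4.2.2.2.
DEFAULT_RULE = [Probe("ping", "172.16.16.15"), Probe("tcp", "4.2.2.2", 80)]


def build_gateways(portd_type="Active"):
    """Gateways from the IP schema; weights 2 and 1 are assumed for the example."""
    return [
        Gateway("Default", "172.16.16.15", weight=2, failover_rule=DEFAULT_RULE),
        Gateway("PortD_Gateway", "10.10.2.19", weight=1, gw_type=portd_type,
                failover_rule=[Probe("ping", "10.10.2.19")]),
    ]


if __name__ == "__main__":
    gws = build_gateways("Backup")
    # Constructed probe outcomes: everything reachable, then the Default link dead.
    results = {("ping", "172.16.16.15", 0): True, ("tcp", "4.2.2.2", 80): True,
               ("ping", "10.10.2.19", 0): True}
    print(apply_failover(gws, results), distribute(gws, 30))
    results[("ping", "172.16.16.15", 0)] = results[("tcp", "4.2.2.2", 80)] = False
    print(apply_failover(gws, results), distribute(gws, 30))
```

In the Active-Active case the two gateways share 30 flows 20:10 according to their weights; in the Active-Backup case PortD_Gateway carries nothing until the Default gateway fails both probes, then takes all traffic with the inherited weight, and is idled again once the probes succeed, which is the automatic rerouting the article describes.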

Configure Email Notification

Applicable Version: 10.00 onwards

Overview

Cyberoam allows configuration of Email notifications for certain system-generated events and reports (as specified by the administrator). Such Email notifications can be configured to inform the administrator about:

- Change in gateway status
- Change in HA (high availability) link status (if an HA cluster is configured)
- Change in state of IPSec Tunnel(s)
- Various reports (customizable)

Scenario

Configure Email Notifications in Cyberoam.

Configuration

The entire configuration is to be done from the Web Admin Console of Cyberoam. Configuration requires read-write administrative permission for the relevant features.

Step 1: Configure Mail Server Settings

Configuring Mail Server Settings enables the administrator to receive Email notifications for system-generated events like change in gateway status, change in HA link status and change in state of IPSec Tunnel. Configure the Mail Server by going to System > Configuration > Notification and setting the parameters as shown below.

Parameter                               Value                 Description
Mail Server Settings
Mail Server IP Address/FQDN - Port      172.16.16.24 - 25     Configure your Mail Server IP Address and port
Authentication Required                 Enabled               If Enabled, specify the authentication parameters, i.e. username and password
Email Setting
From Email Address                      [email protected]      Specify the email address from which the notification is to be sent.
Send Notifications to Email Address     [email protected]      Specify the email address to which the notification is to be sent.

Click Test Mail to check the Mail Server Configuration. If the test mail is delivered successfully, click Apply to save the configuration.

Step 2: Configure Email notification for reports

You can configure daily or weekly Email notification for the following report groups: Web Usage, Mail Usage, FTP Usage, Blocked Web Attempts, Attacks, Spam, Virus, Event, Search Engine, IM Usage, Blocked IM Attempts, Internet Usage, VPN, SSL VPN, Denied SSL VPN Attempts, Blocked Applications, Applications. Configure Report Notifications by following the steps given below.

Go to Logs & Reports > View Reports, or click the Reports Tab available on the Icon Bar in the upper rightmost corner of every page, to access On-Appliance iView.

In iView, go to System > Configuration > Report Notification and click Add to add a report notification. Here, as an example, we have configured a daily Email Notification for Search Engine Reports.

Parameter          Value                   Description
Name               Search_Engine_Report    Specify the report notification name
To Email Address   [email protected]        Specify the Email address of the recipient
Report Group       Search Engine           Select the report category from the Report Group drop-down list
Email Frequency    Daily at 11 hours       Set the Email Frequency

Click Add to add a new notification.

With the above configuration, all the Search Engine reports will be mailed every day at 10 am.