Cyberoam VPN Management Guide VPN... · VPN Management Guide Contents Guide ... Data transfer...

VPN ManagementGuide
Version 9
Document version 9410-1.0-06/01/2007

IMPORTANT NOTICE Elitecore has supplied this Information believing it to be accurate and reliable at the time of printing, but is presented without warranty of any kind, expressed or implied. Users must take full responsibility for their application of any products. Elitecore assumes no responsibility for any errors that may appear in this document. Elitecore reserves the right, without notice to make changes in product design or specifications. Information is subject to change without notice. USER’S LICENSE The Appliance described in this document is furnished under the terms of Elitecore’s End User license agreement. Please read these terms and conditions carefully before using the Appliance. By using this Appliance, you agree to be bound by the terms and conditions of this license. If you do not agree with the terms of this license, promptly return the unused Appliance and manual (with proof of payment) to the place of purchase for a full refund. LIMITED WARRANTY Software: Elitecore warrants for a period of ninety (90) days from the date of shipment from Elitecore: (1) the media on which the Software is furnished will be free of defects in materials and workmanship under normal use; and (2) the Software substantially conforms to its published specifications except for the foregoing, the software is provided AS IS. This limited warranty extends only to the customer as the original licenses. Customers exclusive remedy and the entire liability of Elitecore and its suppliers under this warranty will be, at Elitecore or its service center’s option, repair, replacement, or refund of the software if reported (or, upon, request, returned) to the party supplying the software to the customer. In no event does Elitecore warrant that the Software is error free, or that the customer will be able to operate the software without problems or interruptions. Elitecore hereby declares that the anti virus and anti spam modules are powered by Kaspersky Labs and the performance thereof is under warranty provided by Kaspersky Labs. It is specified that Kaspersky Lab does not warrant that the Software identifies all known viruses, nor that the Software will not occasionally erroneously report a virus in a title not infected by that virus. Hardware: Elitecore warrants that the Hardware portion of the Elitecore Products excluding power supplies, fans and electrical components will be free from material defects in workmanship and materials for a period of One (1) year. Elitecore's sole obligation shall be to repair or replace the defective Hardware at no charge to the original owner. The replacement Hardware need not be new or of an identical make, model or part; Elitecore may, in its discretion, replace the defective Hardware (or any part thereof) with any reconditioned product that Elitecore reasonably determines is substantially equivalent (or superior) in all material respects to the defective Hardware. DISCLAIMER OF WARRANTY Except as specified in this warranty, all expressed or implied conditions, representations, and warranties including, without limitation, any implied warranty or merchantability, fitness for a particular purpose, non-infringement or arising from a course of dealing, usage, or trade practice, and hereby excluded to the extent allowed by applicable law. In no event will Elitecore or its supplier be liable for any lost revenue, profit, or data, or for special, indirect, consequential, incidental, or punitive damages however caused and regardless of the theory of liability arising out of the use of or inability to use the product even if Elitecore or its suppliers have been advised of the possibility of such damages. In the event shall Elitecore’s or its supplier’s liability to the customer, whether in contract, tort (including negligence) or otherwise, exceed the price paid by the customer. The foregoing limitations shall apply even if the above stated warranty fails of its essential purpose. In no event shall Elitecore or its supplier be liable for any indirect, special, consequential, or incidental damages, including, without limitation, lost profits or loss or damage to data arising out of the use or inability to use this manual, even if Elitecore or its suppliers have been advised of the possibility of such damages.

RESTRICTED RIGHTS Copyright 2000 Elitecore Technologies Ltd. All rights reserved. Cyberoam, Cyberoam logo are trademark of Elitecore Technologies Ltd. Information supplies by Elitecore Technologies Ltd. Is believed to be accurate and reliable at the time of printing, but Elitecore Technologies assumes no responsibility for any errors that may appear in this documents. Elitecore Technologies reserves the right, without notice, to make changes in product design or specifications. Information is subject to change without notice

CORPORATE HEADQUARTERS Elitecore Technologies Ltd. 904 Silicon Tower, Off. C.G. Road, Ahmedabad – 380015, INDIA Phone: +91-79-66065606 Fax: +91-79-26407640 Web site: www.elitecore.com , www.cyberoam.com

http://www.elitecore.com/

http://www.cyberoam.com/

VPN Management Guide

Contents

Guide Sets ..........................................................................................................................5 Technical Support ..............................................................................................................6 Typographic Conventions..................................................................................................7

Overview................................................................................................................................8 Introduction to VPN...............................................................................................................8 Cyberoam and VPN ...............................................................................................................8 Policy .....................................................................................................................................9

Encryption and Authentication method .............................................................................9 Preshared Key ................................................................................................................9 Digital Certificates .......................................................................................................10 Public Key....................................................................................................................10

Policy Parameters.............................................................................................................10 Create VPN Policy...........................................................................................................13 Update VPN Policy..........................................................................................................17 Delete VPN policy ...........................................................................................................21

Certificate Authority ............................................................................................................22

Generate Certificate Authority.....................................................................................22 Import external Certificate Authority ..........................................................................24 Upload Certificate........................................................................................................25 Generate Self signed certificate ...................................................................................26 Generate Certificate Signing Request..........................................................................28 Download Certificate ...................................................................................................30 Delete Certificate .........................................................................................................31

Certificate Revocation List ..................................................................................................32

Revoke certificate ........................................................................................................32 Download CRL ............................................................................................................34 Upload CRL.................................................................................................................34 Delete CRL ..................................................................................................................36

IPSec Connection.................................................................................................................37

Create Transport mode IPSec Connection.......................................................................38 Create Road Warrior IPSec connection ...........................................................................41 Create Net to Net IPSec connection.................................................................................44 Create Host to Host IPSec connection .............................................................................47 Manage IPSec Connection...............................................................................................51

Activate/Deactivate Connection ..................................................................................51 Export Connection configuration file (only for Road warrior connection) .................52 Delete Connection........................................................................................................52

L2TP Connection.................................................................................................................53

L2TP configuration..........................................................................................................53 Create L2TP connection ..................................................................................................55 Manage L2TP connection ................................................................................................57

3


Delete L2TP connection ..............................................................................................60 PPTP Connection .................................................................................................................61

PPTP Configuration .........................................................................................................61

4


Guide Sets

Guide Describes

User Guide Console Guide Console Management Windows Client Guide Installation & configuration of Cyberoam

Windows Client Linux Client Guide Installation & configuration of Cyberoam Linux

Client HTTP Client Guide Installation & configuration of Cyberoam HTTP

Client Analytical Tool Guide Using the Analytical tool for diagnosing and

troubleshooting common problems LDAP Integration Guide Configuration for integrating LDAP with

Cyberoam for external authentication ADS Integration Guide Configuration for integrating ADS with

Cyberoam for external authentication PDC Integration Guide Configuration for integrating PDC with

Cyberoam for authentication RADIUS Integration Guide Configuration for integrating RADIUS with

Cyberoam for external authentication High Availability Configuration Guide

Configuration of High Availability (HA)

Data transfer Management Guide Configuration and Management of user based data transfer policy

VPN Management Implementing and managing VPN Multi Link Manager User Guide Configuration of Multiple Gateways, load

balancing and failover Cyberoam IDP Implementation Guide

Configuring, implementing and managing Intrusion Detection and Prevention

Cyberoam Anti Virus Implementation Guide

Configuring and implementing anti virus solution

Cyberoam Anti Spam Implementation Guide

Configuring and implementing anti spam solution

5


Technical Support

You may direct all questions, comments, or requests concerning the software you purchased, your registration status, or similar issues to Customer care/service department at the following address: Corporate Office eLitecore Technologies Ltd. 904, Silicon Tower Off C.G. Road Ahmedabad 380015 Gujarat, India. Phone: +91-79-66065606 Fax: +91-79-26462200 Web site: www.elitecore.com Cyberoam contact: Technical support (Corporate Office): +91-79-26400707 Email: [email protected] site: www.elitecore.com Visit www.cyberoam.com for the regional and latest contact information.

6


mailto:[email protected]


http://www.cyberoam.com/


Typographic Conventions

Material in this manual is presented in text, screen displays, or command-line notation.

Item Convention Example

Server Machine where Cyberoam Software - Server component is installed

Client Machine where Cyberoam Software - Client component is installed

User The end user Username Username uniquely identifies the user of the system Part titles Bold and

shaded font typefaces Report

Topic titles Shaded font typefaces Introduction

Subtitles Bold & Black typefaces Notation conventions

Navigation link Bold typeface Group Management → Groups → Create it means, to open the required page click on Group management then on Groups and finally click Create tab

Name of a particular parameter / field / command button text

Lowercase italic type

Enter policy name, replace policy name with the specific name of a policy Or Click Name to select where Name denotes command button text which is to be clicked

Cross references

Hyperlink in different color

refer to Customizing User database Clicking on the link will open the particular topic

Notes & points to remember

Bold typeface between the black borders

Note

Prerequisites Bold typefaces between the black borders

Prerequisite • Prerequisite details

7


Overview Welcome to the Cyberoam’s – VPN Management Guide. Cyberoam’s integrated Internet security solution is purpose-built to meet the unified threat management needs of corporate, government organizations and educational institutions. It also provides assistance in improving Bandwidth management, increasing Employee productivity and reducing legal liability associated with undesirable Internet content access. Guide provides a basic introduction to VPN and gives some fundamental information of those technologies that are relevant to the way Cyberoam implements VPN. It outlines how VPNs are actually created and gives a detailed picture of the different settings that can be used to adjust the VPN policies using Cyberoam. VPN management module is an add-on module which needs to be registered before use. Refer to Cyberoam Installation and Registration guide for more details.

Introduction to VPN A Virtual Private Network (VPN) is a tunnel that carries private network traffic from one endpoint system to another over a public network such as the Internet without the traffic being aware that there are intermediate hops between the endpoints or the intermediate hops being aware they are carrying the network packets that are traversing the tunnel. The tunnel may optionally compress and/or encrypt the data, providing enhanced performance and some measure of security. VPN allows you to pretend you are using a leased line or a direct telephone call to communicate between the endpoints. VPNs allow users and telecommuters to connect to their corporate intranets or extranets. VPNs are cost-effective because users can connect to the Internet locally and tunnel back to connect to corporate resources. This not only reduces overhead costs associated with traditional remote access methods, but also improves flexibility and scalability.

Cyberoam and VPN For all business people traveling or working from home, connecting securely to the corporate network is essential. With Cyberoam, setting up a VPN is almost effortless. The two endpoints in Cyberoam VPN are referred to as: Local - First endpoint is the local machine itself Remote - Second endpoint is the remote peer - the machine you are trying to establish a VPN connection to, or the machine which is trying to establish a VPN connection with you. Cyberoam VPN automatically encrypts the data and sends it to the remote site over the Internet, where it is automatically decrypted and forwarded to the intended destination. By encrypting, the integrity and confidentiality of data is protected even when transmitted over the untrusted public network. Cyberoam uses IPSec standard i.e. IPSec protocol to protect traffic. In IPSec, the identity of communicating users is checked with the user authentication based on digital certificates, public keys or preshared keys.

8


Cyberoam can be used to establish VPN connection between sites, LAN-to-LAN and Client-to-LAN connection. VPN is the bridge between Local & Remote networks/subnets. Cyberoam supports following protocols to authenticate and encrypt traffic: • Internet Protocol Security (IPSec) • Layer Two Tunneling Protocol (L2TP)

Policy

Encryption and Authentication method

Authentication of communicating parties and integrity of exchanged data is crucial for the reliable implementation of VPN. Encryption is used to provide confidentiality of data during the negotiation. Cyberoam supports 3DES encryption algorithm which is extensively tested public algorithm and uses hash functions - message digest MD5 algorithm for Data integrity. 3DES: Triple DES is a symmetric strong encryption algorithm that is compliant with the OpenPGP standard. It is the Application of the DES standard where three keys are used in succession to provide additional security. AES: Advanced Encryption Standard AES offers the highest standard of security. The effective key lengths that can be used with AES are 128, 192 and 256 Bits. This security system supports a number of encryption algorithms. Serpent: Serpent is a 128-bit block cipher i.e. data is encrypted and decrypted in 128-bit chunks variable key length to be either 128, 192, or 256 bits. The Serpent algorithm uses 32 rounds, or iterations of the main algorithm. Serpent is faster than DES and more secure than Triple DES. Blowfish: Blowfish is a symmetric encryption algorithm which uses the same secret key to both encrypt and decrypt messages. Blowfish is also a block cipher which divides a message into fixed length blocks during encryption and decryption. Blowfish has a 64-bit block size and a key length of anywhere from 32 bits to 448 bits and uses 16 rounds of main algorithm Twofish: Twofish is a symmetric key block cipher with a block size of 128 bits and key sizes up to 256 bits.

Preshared Key

An authentication mechanism whereby the key is used in encryption is exchanged before hand/prior to negotiation with another system. Preshared key authentication is the process by which two systems prove their identity to each other where each system encrypts some unpredictable, arbitrary data with a key that has been exchanged beforehand. If they can successfully decrypt the message, it is assumed that the sender is valid. A single shared key is used for encryption and decryption. The data is encrypted by a key and send to the recipient over the Internet. At the receiving end, the data is decrypted with the exact same key that was used for encryption.

9


Digital Certificates

Digital Certificates are yet another authentication method employing digital signatures and public key cryptography. A digital certificate is a document that guarantees the identity of a person or entity and is issued by the trusted third party Certificate Authority (CA). Digital certificate holders have a public or private key pair which can be used to authenticate the sender and decrypt the incoming message ensuring that only the certificate holder can decode the message. A certificate is used to associate a public/private key pair with a given IP address or host name and issued by CA for a specific period of time. A CA can be in-house CA, run by your own organization, or a public CA. To use certificates for negotiation, both peers have to generate public/private key pairs, request and receive public key certificates, and are configured to trust the CA that issues the certificates. Users can download and install certificate from Cyberoam.

Public Key

Public key authentication uses two keys – public key available to anyone and a private key held by only one individual. The sender encrypts the data with the recipient’s public key. Only the recipient can decrypt the data, being the only one who possesses the corresponding private key.

Policy Parameters

Policy describes the security parameters that are used for negotiations to establish and maintain a secure tunnel between two peers. Before you set up your secure tunnels, to make their configuration faster and easier, you can create VPN policies that work on a global level. Rather than configuring the policy parameters for every tunnel you create, you can configure general policies and then later apply them to your secure tunnels. Authentication mode To ensure secure communication, there are two phases to every IKE (Internet Key Exchange) negotiation - Phase 1 (Authentication) and Phase 2 (Key exchange). The Phase 1 negotiation establishes a secure channel between peers and determines a specific set of cryptographic protocols, exchanges shared secret keys and encryption and authentication algorithm that will be used for generating keys. The Phase 2 negotiation establishes a secure channel between peers to protect data. During Phase 2 negotiation, the protocol security association for the tunnel is established. Either of the peers can initiate Phase 1 or Phase 2 renegotiation at any time. Both can specify intervals after which to negotiate. Key life Lifetime of key is specified as Key life. Once the connection is established after exchanging authenticated and encrypted keys, connection is not dropped till the key life. If the key life of both the peers is not same then negotiation will take place whenever the key life of any one peer is over. This means intruder has to decrypt only one key to break in your system. Key generation and key rotation are important because the longer the life of the key, the larger the

10


amount of data at risk, and the easier it becomes to intercept more ciphered text for analysis. Perfect Forward Secrecy (PFS) It becomes difficult for a network intruder to get the big picture if keys are changing and they have to keep cracking keys for every negotiation. This is achieved by implementing PFS. By selecting PFS, new key will be generated for every negotiation and a new DH key exchange is included. So every time intruder will have to break yet another key even though he already knows the key. This enhances security. Diffie-Hellman (DH) Group (IKE group) Diffie-Hellman is a public-key cryptography scheme that allows peers to establish a shared secret over an insecure communications channel. Diffie-Hellman Key Exchange uses a complex algorithm and public and private keys to encrypt and then decrypt the data. The Diffie-Hellmann group describes the key length used in encryption. Group number also termed as Identifiers.

DH Group Key length (bits) 1 768 2 1024 5 1536 14 2048 15 3072 16 4096

If mismatched groups are specified on each peer, negotiation fails. The group cannot be switched during the negotiation. Re-key Margin Time before the next key exchange. Time is calculated by subtracting the time elapsed since the last key exchange from the key life. By turning Re-keying ‘Yes’, negotiation process starts automatically without interrupting service before key expiry. Dead Peer detection settings Use to check whether Cyberoam is able to connect the IP address or not. Set time interval after which the status of peer is to be checked and what action to take, if peer is not alive. Tunnel Negotiation Negotiation process starts to establish the connection when local or remote peer wants to communicate with each other. Depending on the connection parameters defined, the key is generated which is used for negotiations. Lifetime of key is specified as Key life. Once the connection is established, connection is alive/active and data can be transferred up to the specified key life. Connection will be closed/deactivated once the key expires. If the connection is to be activated again then the entire negotiation process is to be started all over again. Negotiation process can be started again automatically by either local or remote peer only if Allow Re-keying is set to ‘Yes’. Set the re-keying time in terms of the remaining key life when negotiation is to be started automatically without interrupting the communication before key expiry. For example, if key life is 8 hours and Re-key margin time is 10 minutes then negotiation process will automatically start after 7 hours 50 minutes of key usage. Negotiation process will generate new key only if Perfect Forward Secrecy (PFS) is set to ‘Yes’.

11


PFS will generate a new key from scratch and there will be no dependency between old and new key.

Re-keying Result Yes Local and remote peer both will be able to initiate request for

connection. Depending on PFS, negotiation process will use same key or generate a new key.

No Only remote peer will be able to initiate request for connection. Depending on PFS, negotiation process will use same key or generate a new key.

12


Create VPN Policy

Cyberoam provides the default policy and you can also create a customized policy to meet your organization’s requirement. Select VPN Policy Create Policy to open the create policy page

Screen – Create VPN policy

Screen Elements Description

VPN policy details Name Assign name to policy. Choose a name that best describes the policy to

be created Description Click to enter the full description of policy Using Template Select a template if you want to create a new policy based on an

13



existing policy and want to inherit all the parameters from the existing policy Select ‘None’ template, if you want to create a fresh policy. After creation you can always customize according to the requirement.

Following options are available only if policy is created based on ‘None’ template Keying Method Keying method defines how the keys for the connection are to be

managed. Select keying method: Automatic or Manual Manual key exchange is not supported for L2TP connection

Allow Re-keying Specify whether the negotiation process is to be started automatically before key expiry or not. Process will start automatically at the specified time in re-key margin. If it is set to ‘Yes’, negotiation process can be initiated by both the local or remote peer. Depending on PFS, negotiation process will use same key or generate a new key.

Key Negotiations tries Specify maximum negotiation trials allowed and must be greater than 0 Authentication mode Authentication mode is used to support key exchange. Currently only

Main mode is supported. Depending on Authentication mode, the phase 1 parameters are exchanged for authentication purpose. In Main mode, the phase 1 parameters are exchanged in multiple rounds with encrypted authentication information.

Pass Data In Compress Format

Enable to pass data in compressed format to increase throughput

Perfect Forward Secrecy

Specify whether new key should be generated for every negotiation on key expiry. Set ‘Yes’ to generate new key for every negotiation on key expiry Set ‘No’ to use same key for every negotiation

Phase 1 Encryption and Authentication algorithm

Select the encryption and authentication algorithm that would be used by communicating parties for integrity of exchanged data fpr phase 1. Supported Encryption algorithms: 3DES, AES, TwoFish, BlowFish, Serpent 3DES: Triple DES is a symmetric strong encryption algorithm that is compliant with the OpenPGP standard. It is the application of DES standard where three keys are used in succession to provide additional security. AES: Advanced Encryption Standard offers the highest standard of security. The effective key lengths that can be used with AES are 128, 192 and 256 Bits. This security system supports a number of encryption algorithms. Supported Authentication algorithms: MD5, SHA1 Maximum three combination of encryption and authentication algorithm

14



can be selected. The remote peer must be configured to use at least one of the defined combinations. Click to add more than one combination of encryption and authentication algorithm.

DH Group DH group specifies the key length used for encryption. • DH Group 1 uses 768-bit encryption • DH Group 2 uses 1024-bit encryption • DH Group 5 uses 1536-bit encryption • DH Group 14 uses 2048-bit encryption • DH Group 15 uses 3072-bit encryption • DH Group 16 uses 4096-bit encryption

Select one Diffie-Hellman group from 1, 2, 5, 14, 15 or 16 The remote peer must be configured to use the same group. If mismatched groups are specified on each peer, negotiation fails.

Key Life Key life is the amount of time that will be allowed to pass before the key expires. Specify keylife in terms of seconds

Re-Key Margin Re-key margin is the time when the negotiation process should be started automatically without interrupting the communication before the key expiry. Set time in terms of the remaining key life. For example, if key life is 8 hours and re-key margin is 10 minutes then negotiation process will automatically start after 7 hours 50 minutes usage of key life. Specify in terms of minutes

Randomize Re-Keying Time by

Randomizes re-key time. For example, if key life is 8 hours, re-key margin is 10 minutes and randomize re-keying time is 20% then the re-key margin will be 8 to 12 minutes and negotiation process will start automatically 8 minutes before the key expiry and will try up to 2 minutes after key expiry.

Enable Dead Peer Detection

Enable to check whether peer is live or not.

Check Peer After Every (Only if Dead Peer Detection option is ‘Enabled’ )

Once the connection is established, peer which initiated the connection checks whether another peer is live or not. Specify time when the peer should be checked for its status.

Wait for Response unto (Only if Dead Peer Detection option is ‘Enabled’ )

Specify till what time initiated peer should wait for the status response. If the response is not received within the specified time, the peer is considered to be inactive. Specify in terms of seconds

Action when Peer is not active (Only if Dead Peer Detection option is ‘Enabled’ )

Specify what action should be taken if peer is not active. Hold – hold the connection Clear – close the connection Restart – reestablish the connection

Phase 2

15



Encryption and Authentication algorithm

Select the encryption and authentication algorithm that would be used by communicating parties for integrity of exchanged data fpr phase 2. Supported Encryption algorithms: DES, 3DES, AES, TwoFish, BlowFish, Serpent DES, 3DES: Triple DES is a symmetric strong encryption algorithm that is compliant with the OpenPGP standard. It is the application of DES standard where three keys are used in succession to provide additional security. AES: Advanced Encryption Standard offers the highest standard of security. The effective key lengths that can be used with AES are 128, 192 and 256 Bits. This security system supports a number of encryption algorithms. Supported Authentication algorithms: MD5, SHA1 Maximum three combination of encryption and authentication algorithm can be selected. The remote peer must be configured to use at least one of the defined combinations. Click to add more than one combination of encryption and authentication algorithm.

PFS Group PFS group specifies the key length used for encryption. • Group 1 uses 768-bit encryption • Group 2 uses 1024-bit encryption • Group 5 uses 1536-bit encryption • Group 14 uses 2048-bit encryption • Group 15 uses 3072-bit encryption • Group 16 uses 4096-bit encryption

Select one of group from 1, 2, 5, 14, 15 or 16 If ‘Same as Phase 1’ is selected PFS group specified at connection initiator’s end will be used If No PFS is selected, this security parameter can not be added for Phase 2 The remote peer must be configured to use the same group. If mismatched groups are specified on each peer, negotiation fails.


Create button Creates the policy Click to create

Cancel button Cancels the current operation and return to Manage VPN policy page

Table – Create VPN policy screen elements

Note Policies with the same name cannot be created

16


Update VPN Policy

Select VPN → Policy → Manage policy and Click Policy name to be modified

Screen – Manage VPN Policy


VPN policy details Name Displays policy name

Cannot be modified

Description Displays policy description, modify if required Keying Method Select keying method: Automatic or Manual Allow Re-keying Displays whether re-keying is allowed or not. Modify if required.

Set ‘Yes’, if negotiation process can be initiated by both the local and remote peer automatically before key expires

17



Depending on PFS, negotiation process will use same key or a new key will be generated.

Key Negotiations tries

Displays maximum negotiation trials allowed, modify if required


Enable to pass data in compressed format to increase throughput

Perfect Forward Secrecy

Displays whether new key will be generated or not for every negotiation on key expiry, modify if required. Set ‘Yes’ to generate new key for every negotiation on key expiry Set ‘No’ to use same key for every negotiation


Select the encryption and authentication algorithm that would be used by communicating parties for integrity of exchanged data fpr phase 1. Supported Encryption algorithms: 3DES, AES, TwoFish, BlowFish, Serpent 3DES: Triple DES is a symmetric strong encryption algorithm that is compliant with the OpenPGP standard. It is the application of DES standard where three keys are used in succession to provide additional security. AES: Advanced Encryption Standard offers the highest standard of security. The effective key lengths that can be used with AES are 128, 192 and 256 Bits. This security system supports a number of encryption algorithms. Supported Authentication algorithms: MD5, SHA1 Maximum three combination of encryption and authentication algorithm can be selected. The remote peer must be configured to use at least one of the defined combinations. Click to add more than one combination of encryption and authentication algorithm.

DH Group DH group specifies the key length used for encryption. • DH Group 1 uses 768-bit encryption • DH Group 2 uses 1024-bit encryption • DH Group 5 uses 1536-bit encryption • DH Group 14 uses 2048-bit encryption • DH Group 15 uses 3072-bit encryption • DH Group 16 uses 4096-bit encryption

Select one Diffie-Hellman group from 1, 2, 5, 14, 15 or 16 The remote peer must be configured to use the same group. If mismatched groups are specified on each peer, negotiation fails.

Key Life Displays key life, modify if required Key life is the amount of time that will be allowed to pass before the key expires and can be specified in terms of hours or minutes Keylife cannot be less than 2 minutes and at least 1 minute greater

18



than Re-Key margin Re-Key Margin Displays re-key margin, modify if required

Re-key margin time is the time when the negotiation process should be started automatically without interrupting the communication before the key expiry. Set time in terms of the remaining key life. For example, if key life is 8 hours and Re-key margin is 10 minutes then negotiation process will automatically start after 7 hours 50 minutes usage of key life. Specify in terms of minutes

Randomize Re-Keying Time by

Randomizes re-key margin For example, if key life is 8 hours, re-key margin is 10 minutes and randomize re-keying time is 20% then the re-key margin will be 8 to 12 minutes and negotiation process will start automatically 8 minutes before the key expiry and will try up to 2 minutes after key expiry.


Displays whether data is passed in the compressed format or not, modify if required.

Enable Dead Peer Detection

Enable to check whether peer is live or not.

Check Peer After Every(Only if Dead Peer Detection option is ‘Enabled’)

Displays time when the peer that initiated the connection checks for whether another peer is live or not. Modify if required.

Wait for Response unto(Only if Dead Peer Detection option is ‘Enabled’)

Displays response wait time, modify if required It specifies till what time initiated peer should wait for the status response. If the response is not received within the specified time, the peer is considered to be inactive. Specify in terms of seconds

Action when Peer is not active(Only if Dead Peer Detection option is ‘Enabled’)

Displays what action will be taken if peer is not active, modify if required Hold – hold the connection Clear – close the connection Restart – restart the connection


Select the encryption and authentication algorithm that would be used by communicating parties for integrity of exchanged data fpr phase 2. Supported Encryption algorithms: DES, 3DES, TwoFish, BlowFish, Serpent DES, 3DES: Triple DES is a symmetric strong encryption algorithm that is compliant with the OpenPGP standard. It is the application of DES standard where three keys are used in succession to provide additional security. AES: Advanced Encryption Standard offers the highest standard of security. The effective key lengths that can be used with AES are

19



128, 192 and 256 Bits. This security system supports a number of encryption algorithms. Supported Authentication algorithms: MD5, SHA1 Maximum three combination of encryption and authentication algorithm can be selected. The remote peer must be configured to use at least one of the defined combinations. Click to add more than one combination of encryption and authentication algorithm.

PFS Group PFS group specifies the key length used for encryption. • Group 1 uses 768-bit encryption • Group 2 uses 1024-bit encryption • Group 5 uses 1536-bit encryption • Group 14 uses 2048-bit encryption • Group 15 uses 3072-bit encryption • Group 16 uses 4096-bit encryption

Select one of group from 1, 2, 5, 14, 15 or 16 If ‘Same as Phase 1’ is selected PFS group specified at connection initiator’s end will be used If No PFS is selected, this security parameter can not be added for Phase 2 The remote peer must be configured to use the same group. If mismatched groups are specified on each peer, negotiation fails.


Update button Updates the policy Click to update and save

Cancel button Cancels the current operation and return to Manage VPN policy page

Table – Manage VPN policy screen elements

Note Default policy cannot be updated

20


Delete VPN policy

Prerequisite • Not assigned for any connection

Select VPN → Policy → Manage policy to view the list of policies

Screen – Delete VPN policy


Del Select policy for deletion Click Del to select More than one policy can also be selected

Select All Select all the policies for deletion Click Select All to select all the policies

Delete button Deletes all the selected policy/policies Table – Delete VPN policy screen elements

Note Default policy cannot be deleted

21


Certificate Authority Digital Certificates are used for authentication purpose. Certificates are generated by the third party trusted Certificate Authorities. They create certificates by signing public keys and identify the information of the communicating parties with their own private keys. This way it is possible to verify that a public key really belongs to the communicating party only and not been forged by someone with malicious intentions. A certificate signed by a CA identifies the owner of a public key. Each communicating party may be required to present its own certificate signed by a CA verifying the ownership of the corresponding private key. Additionally, the communicating parties need to have a copy of the CA’s public key. In case private key is lost or stolen or the information is changed CA is responsible for revoking the certificate. Cyberoam provides a facility to generate a local certificate authority as well as import certificates, signed by commercial providers, such as VeriSign.

Generate Certificate Authority

Select VPN → Certificate Authority → Manage Certificate Authority and click Default

22


Screen – Generate Certificate Authority


Certificate Authority Details Certificate Authority Name

Displays certificate authority name

Country Name Select the Country for which the Certificate will be used. Generally this would be the name of the country where Cyberoam is installed.

State/Province Name

Select the State/Province for which the Certificate will be used. Generally this would be the name of the state where Cyberoam is installed.

Locality Name Specify the locality/City. Generally this would be the name of the city where Cyberoam is installed.

Organization Name Specify your organization name Organizational Unit Name

Specify department/section name which will use this certificate

Common Name Specify domain name. This domain will be certified to use the Certificate.

Email Address Specify Email address CA Password Specify password and confirm by re-typing the password Generate button Generates the certificate with the above specified details

Click to generate If the certificate is already generated, it will re-generate the certificate with the above specified details

Cancel button Cancels the current operation

Table – Generate Certificate Authority screen elements

23


Import external Certificate Authority

Select VPN → Certificate Authority → Upload Certificate Authority

Screen – Define external Certificate Authority


Certificate Certificate Authority Name

Specify Certificate authority name

Certificate Format Cyberoam supports certificates in two formats: PEM and DER PEM (Privacy Enhanced Mail): A format encoding the certificate in ASCII code. The certificate, request, and private key are stored in separate files. DER: A binary format for encoding certificates. The certificate, request, and private key are stored in separate files.

Certificate Specify certificate to be uploaded Use Browse to select the complete path

Upload button Uploads the specified certificate Cancel button Cancels the current operation

Table – Define external Certificate Authority screen elements

24


Upload Certificate

Select VPN → Certificate → New Certificate

Screen – Upload Certificate


Certificate Action Select Upload Certificate Certificate Name Specify certificate name Password Specify password and confirm by re-typing the password Certificate Specify certificate to be uploaded

Use Browse to select the complete path

Private key Specify private key for the certificate Use Browse to select the complete path

Upload button Uploads the specified certificate Cancel button Cancels the current operation

Table – Upload Certificate screen elements

25


Generate Self signed certificate

You can use Cyberoam to act as a certificate authority and sign its own certificates. This eliminates the need of having your own certificate authority.

Prerequisite • Certificate Authority generated

Select VPN → Certificate → New Certificate

Screen – Generate Self Signed Certificate


Certificate Action Select Generate Self Signed Certificate Certificate Name Specify Certificate name Valid upto Specify certificate validity period using Calendar

Validity period is the certificate life i.e. period up to which the certificate will be considered as valid Minimum validity period is one day

Key Length Select key length Displays the number of bits used to construct the key. Generally the larger the key, the less chance that it will be compromised but requires more time to encrypt and decrypt data than smaller keys.

Password Specify password and confirm by re-typing Password must be at least 10 character long

Certificate ID Specify certificate ID. You can specify any one of the following: • DNS • IP address • Email address • DER ASN1 DN/X.509 (applicable when Authentication Type is

Digital Certificate) Generate button Generates certificate with the specified details

26



Click to generate


27


Generate Certificate Signing Request

If you are using third party CA, you have to submit the request to CA, CA will verify the details then sign and send the signed certificate. Cyberoam provides a way for you to generate the request. Select VPN → Certificate → New Certificate

Screen – Generate CSR


Certificate Action Select Generate Certificate Signing Request (CSR) Certificate Name Specify Certificate name Valid upto Specify certificate validity period using Calendar

Validity period is the certificate life i.e. period up to which the certificate will be considered as valid Minimum validity period is one day

Key Length Select key length Displays the number of bits used to construct the key. Generally the larger the key, the less chance that it will be compromised but requires more time to encrypt and decrypt data than smaller keys.

Password specify password and confirm by re-typing

28



Password must be at least 10 character long Certificate ID Specify certificate ID. You can specify any one of the following:

• DNS • IP address • Email address • DER ASN1 DN/X.509 (applicable when Authentication Type is

Digital Certificate) Country Name Select the Country for which the Certificate will be used.

Generally this would be the name of the country where Cyberoam is installed.

State/Province Name

Select the State/Province for which the Certificate will be used. Generally this would be the name of the state where Cyberoam is installed.

Locality Name Specify the locality/City. Generally this would be the name of the city where Cyberoam is installed.

Organization Name Specify your organization name Organizational Unit Name

Specify department/section name which will use this certificate

Common Name Specify domain name. This domain will be certified to use the Certificate. Domain name has to be unique

Email Address Specify Email address Generate button Generates certificate request with the details specified which you can

send to your CA for Certificate Click to generate


Screen – Generate CSR

29


Download Certificate

Select VPN → Certificate → Manage Certificate, click the certificate to be downloaded and follow the screen steps. Certificate Signing Request is downloaded in zip format, unzip the file. It contains three file: certificatename.csr, certificatename.key, password.txt Cyberoam supports certificate in two formats: p12 and pem format. Certificate is downloaded in tar.gz format, unzip the file winzip or winrar. It contains: Certificatename.p12 (certificate in p12 format) Password.txt PEM folder which contains certificate in pem format as: certificatename.pem, certificatename.key

Screen – Download Certificate

30


Delete Certificate

Prerequisite • Not used by any Connection

Select VPN → Certificate → Manage Certificate

Screen – Delete Certificate


Del Select certificate for deletion Click Del to select More than one certificate can also be selected

Select All Select all the certificates for deletion Click Select All to select all the certificate(s)

Delete button Deletes all the selected certificate(s)

Table – Delete Certificate screen elements

Note The deleted certificate will be revoked

31


Certificate Revocation List CA maintains the list of valid and revoked certificates. Certificates which are stolen, lost or updated are revoked by CA. Revocation list is the list of certificates which are revoked by CA.

Revoke certificate

Select VPN → Certificate → Manage Certificate and click the certificate to be revoked

Screen – Revoke Certificate


Certificate Certificate Name Displays Certificate name Valid upto Displays certificate validity period, modify if required.

Validity period is the certificate life i.e. period up to which the certificate will be considered as valid

Key Length Displays key length, modify if required. Displays the number of bits used to construct the key. Generally the larger the key, the less chance that it will be compromised but requires

32



more time to encrypt and decrypt data than smaller keys. Password Displays password

Click Change Password to modify the password Password must be at least 10 character long

Regenerate button Regenerates the certificate Revoke button Revoke certificate if lost, stolen or updated

Click to revoke If the certificate is revoked it is automatically added to the Certificate Revocation List (CRL). You can download and circulate if required.


Table – Revoke Certificate screen elements

33


Download CRL

Cyberoam creates the Default CRL the name Default.crl. Once you revoke the certificate, the details of the revoked certificate are added to the default file and regenerated. You can download and distribute if required. Select VPN → Certificate Authority → Manage CRL and to view the list of CRLs. Click Download against the CRL name to be downloaded. It downloads the zip file, unzip the file to check the details.

Upload CRL

If you are using External Certificate Authority, you need to upload the CRL obtained from External Certificate Authority. Select VPN → Certificate Authority → Upload CRL Enter CRL name and specify the full path of the file to be uploaded Click Upload

34


35


Delete CRL

Select VPN → Certificate Authority → Manage CRL and to view the list of CRLs.

Screen – Delete CRL


Del Select CRL for deletion Click Del to select More than one CRLs can also be selected

Select All Select all the CRLs for deletion Click Select All to select all the CRLs

Delete button Deletes all the selected CRLs Table – Delete CRL screen elements

Note The default CRL cannot be deleted

36


IPSec Connection IP Security (IPSec) is a suite of protocols designed for cryptographically secure communication at the IP layer (layer 3). IPSec protocols: • Authentication Header (AH) - Used for the authentication of packet senders and for ensuring

the integrity of packet data. The Authentication Header protocol (AH) checks the authenticity and integrity of packet data. In addition, it checks that the sender and receiver IP addresses have not been changed in transmission. Packets are authenticated using a checksum created using a Hash-based Message Authentication Code (HMAC) in connection with a key.

• Encapsulating Security Payload (ESP) - Used for encrypting the entire packet and for the

authenticating its contents. In addition to encryption, the ESP offers the ability to authenticate senders and verify packet contents.

IPSec modes: • Transport Mode - the original IP packet is not encapsulated in another packet. The original IP

header is retained, and the rest of the packet is sent either in clear text (AH) or encrypted (ESP). Either the complete packet can be authenticated with AH, or the payload can be encrypted and authenticated using ESP. In both cases, the original header is sent over the WAN in clear text.

Use Transport mode where both endpoints understand IPSEC directly. Transport mode is used between peers supporting IPSec, or between a host and a gateway, if the gateway is being treated as a host.

• Tunnel Mode - the complete packet – header and payload – is encapsulated in a new IP

packet. An IP header is added to the IP packet, with the destination address set to the receiving tunnel endpoint. The IP addresses of the encapsulated packets remain unchanged. The original packet is then authenticated with AH or encrypted and authenticated using ESP.

Tunnel mode is primarily used for interoperability with gateways or end systems that do not support L2TP/IPSec or PPTP VPN site-to-site connections.

IPSec connections types (for Tunnel mode only): • Road Warrior - This type of VPN is a user-to-internal network connection via a public or

shared network. Many large companies have employees that need to connect to the Internal network from the field. These field agents access the Internal network by using remote computers and laptops without static IP address.

• Net to Net - A Net-to-Net VPN connects an entire network (such as a LAN or WAN) to a remote network by way of a network-to-network connection. A network-to-network connection requires routers on each side of the connecting networks to transparently process and route information from one node on a LAN to a node on a remote LAN.

• Host to Host - Host-to-Host VPN connects one desktop or workstation to another by way of a host-to-host connection. This type of connection uses the network to which each host is connected to create the secure tunnel to each other.

Note Alias IP address cannot be used for establishing Connection

37


Create Transport mode IPSec Connection

In transport mode only host-to-host connection is supported. Select VPN → IPSec Connection → Create Connection

Screen - Create Transport mode IPSec Connection


Connection details Name Assign name to connection. Choose a name that best describes the

connection to be created Description Specify full description of connection

38



Policy Name Select policy to be used for connection Action on Restart Select the action for the connection

Deactive – Keep connection deactive mode till the user activates. Active – Activate connection on system/service start so that the connection can be established whenever required Connect – Connect as soon as the system/service starts

Mode Select Transport mode Refer to IPSec modes for details

Authentication details Authentication Type Specify Authentication type. Authentication of user depends on the

connection type. Select Preshared key An authentication mechanism whereby a single key is used for encryption and decryption. Both the peers should possess the preshared key. Remote peer uses the preshared key for decryption. Select Digital Certificate An authentication mechanism whereby sender and receiver both uses the digital certificate issued by the Certificate Authority. Both sender and receiver must have each other’s Certificate Authority. Select RSA key An Authentication mechanism whereby two keys - Public and Private - are used for encryption and decryption. Private key is known only to the owner and never transmitted over network.

Preshared key Only if Authentication Type is ‘Preshared key’

Specify the preshared key to be used. This preshared key will have to be shared or communicated to the peer at the remote end. At the remote end, client will have to specify this key for authentication. Refer to VPN Client guide, Phase 1 Configuration. If there is mismatch in the key, user will not be able to establish the connection.

Local Certificate Only if Authentication Type is ‘Digital Certificate’

Select the local certificate that should be used for authentication by Cyberoam

Remote Certificate Only if Authentication Type is ‘Digital Certificate’

Select the remote certificate that should be used for authentication by remote peer

Local RSA Key Only if Authentication Type is ‘RSA Key’

Displays automatically generated key which cannot be modified. Local Public key can be regenerated from Text based Administration (Telnet) Console. Refer to Console guide for more details.

Remote RSA Key Only if Authentication Type is ‘RSA Key’

Specify the public key which is to be used by the remote peer.

Local Network Details Local server Specify public IP address of local server

39



Click to select Local ID Displays ID and its value specified in the Local certificate

For preshared key, select local id and specify it’s value For preshared key, DER ASN1 DN is not applicable

Remote Network Remote Host Specify IP address of remote peer Allow NAT Traversal

Enable if a NAT device is located between your VPN endpoints i.e. remote peer has an private IP address

Remote Internal Network Only if NAT Traversal is enabled

Specify IP addresses and netmask of remote network which is allowed to connect to the Cyberoam server through VPN tunnel At a time only one connection can be established behind one NAT-box Click Add to add network

Remote ID Displays ID if remote certificate is selected else specify ID specified in the certificate used by peer For preshared key, select any type of id and specify it’s value For preshared key, DER ASN1 DN is not applicable

User Authentication User Authentication Specify whether user authentication is required at the time of

connection or not Click Disable if user authentication is not required If enabled as client, specify username and password If enabled as server, Click Add to select and add all the users which are to be allowed to connect

Quick Mode Selectors Allow Protocols Select the protocol for negotiations.

Tunnel will pass only that data which uses the above specified protocol

Local port Only for TCP protocol

Specify local port

Remote port Only for TCP protocol

Specify remote port

Create button Creates the connection Click to create

Cancel button Cancels the current operation Table - Create Transport mode IPSec Connection screen elements

40


Create Road Warrior IPSec connection

Select VPN → IPSec Connection → Create Connection

Screen – Create Road Warrior IPSec Connection



connection to be created

41



Description Specify full description of connection Policy Name Select policy to be used for connection Action on Restart Select the action for the connection


Mode Select Tunnel mode Refer to IPSec modes for details

Connection Type

Specify connection type. Authentication of user depends on the connection type. Select ‘Road warrior’ Refer to Connection types for details


connection type. Preshared key An authentication mechanism whereby a single key is used for encryption and decryption. Both the peers should possess the preshared key. Remote peer uses the preshared key for decryption. Digital Certificate An authentication mechanism whereby sender and receiver both uses the digital certificate issued by the Certificate Authority. Both sender and receiver must have each other’s Certificate Authority.






Select the remote certificate that should be used for authentication by remote peer

Local Network Details Local Server Specify IP address of local server

Click to select

Local Internal Network

Specify IP address and netmask of the local network which is allowed to access remote peer through VPN connection

Local ID Displays ID and its value specified in the Local certificate For preshared key, select local id and specify it’s value

42



For preshared key, DER ASN1 DN is not applicable




Specify IP addresses and netmask of remote network which is allowed to connect to the Cyberoam server through VPN tunnel At a time only one connection can be established behind one NAT-box Click Add to add network Specify 0.0.0.0/0 to allow all the networks

Remote ID Specify ID specified in the Remote certificate For preshared key, select any type of id and specify it’s value For preshared key, DER ASN1 DN is not applicable


connection or not Click Disable if user authentication is not required If enabled as server, Click Add to select and add all the users which are to be allowed to connect

Quick Mode Selectors Allow Protocols Select the protocol for negotiations



Specify local port


Specify remote port



Table – Create Road Warrior IPSec Connection screen elements

43


Create Net to Net IPSec connection


Screen - Create Net to Net IPSec connection



44



connection to be created Description Specify full description of connection Policy Name Select policy to be used for connection Action on Restart Select the action for the connection



Connection Type

Specify connection type. Authentication of user depends on the connection type. Select ‘Net to Net’ Refer to Connection types for details








Select the remote certificate that should be used for authentication by remote peer. Select ‘External Certificate’, if the remote certificate is not available

Local RSA Key Only if Authentication

Displays automatically generated key which cannot be modified. Local Public key can be regenerated from Text based Administration

45



Type is ‘RSA Key’ (Telnet) Console. Refer to Console guide for more details. Remote RSA Key Only if Authentication Type is ‘RSA Key’


Local Network Details Local Server Specify IP address of local server

Click to select

Local Internal Network

Specify IP address and netmask of the local network which is allowed to access to remote network through VPN connection

Local ID Displays ID and its value specified in the Local certificate For preshared key, select local id and specify it’s value For preshared key, DER ASN1 DN is not applicable

Remote Network Remote Host Specify IP address of remote peer Remote Internal Network






Tunnel will pass only that data which uses the above specified protocol.


Specify local port


Specify remote port



46


Table - Create Net to Net IPSec connection screen elements

Create Host to Host IPSec connection


Screen - Create Host to Host IPSec connection


Connection details

47



Name Assign name to connection. Choose a name that best describes the connection to be created

Description Specify full description of connection Policy Name Select policy to be used for connection Action on Restart Select the action for the connection



Connection Type

Specify connection type. Authentication of user depends on the connection type. Select ‘Host to Host’ Refer to Connection types for details








Select the remote certificate that should be used for authentication by remote peer Select ‘External Certificate’, if the remote certificate is not available

Local RSA Key Only if

Displays automatically generated key which cannot be modified.

48



Authentication Type is ‘RSA Key’

Local Public key can be regenerated from Text based Administration (Telnet) Console. Refer to Console guide for more details.

Remote RSA Key Only if Authentication Type is ‘RSA Key’


Local Network Details Local Server Specify public IP address of local server

Click to select

Local ID Displays ID and its value specified in the Local certificate For preshared key, select local id and specify it’s value For preshared key, DER ASN1 DN is not applicable











Specify local port


Specify remote port


Cancel button Cancels the current operation Table - Create Host to Host IPSec connection screen elements

49


50


Manage IPSec Connection

Use to • Activate, Deactivate, Initiate and disconnect connection • Export Connection Configuration file • Update connection details • Delete connection

Activate/Deactivate Connection

1. Select VPN → IPSec Connection → Manage IPSec Connection to display the list of connections

2. Under Connection status, Active column

Click to deactivate the connection

Click to activate the connection

Once disconnected, Road Warrior connection can be re-established from the remote peer only after activating connection from the local server.

3. Under Connection status, Connection column

Click to initiate connection.

Click to disconnect connection. When you disconnect, connection will be deactivated and to re-establish connection the connection, activate connection.

Note If connection is created using manual keying policy, both the peers need to initiate the connection Local peer cannot initiate the connection if remote peer is using dynamic IP address Local peer cannot initiate the connection if Authentication mode is ‘Enable as Server’ Only one connection can be active at a time if two connections with different authentication types (preshared key authentication and digital certification) are created for the same destination. All similar connections should have same authentication mode

Screen – Activate/Deactivate Connection

51


Export Connection configuration file (only for Road warrior connection)

Select VPN IPSec Connection Manage IPSec Connection to view the list of connections and click ‘Export’ against the Connection Name whose configuration is to be exported. Configuration file will be created in .tbg format which can directly be imported in Cyberoam VPN Client.

Delete Connection

Select VPN → IPSec Connection → Manage IPSec Connection to display list of connections

Screen – Delete IPSec Connection


Del Select connection for deletion Click Del to select More than one connection can also be selected

Select All Select all the connections for deletion Click Select All to select all the connections(s)

Delete button Deletes all the selected connection(s) Table – Delete IPSec Connection screen elements

52


L2TP Connection

L2TP configuration

You can use Layer 2 Tunneling Protocol (L2TP) to create VPN tunnel over public networks such as the Internet. For authentication, currently Cyberoam supports only Password Authentication Protocol (PAP) algorithm. Select VPN → L2TP Configuration

Screen – L2TP Configuration


L2TP Configuration Local IP Address Displays IP address that will be assigned to L2TP server Assign IP from Specify IP address range if L2TP server has to lease the IP address Client Information DNS server Specify IP address of your DNS server and alternate DNS server WINS server Specify IP address of your WINS server and alternate WINS server Save Saves the details

Click to save

Add Users button Click to add L2TP user. Displays list of users which are migrated or created in Cyberoam. Click Select against the Names that are to be allowed L2TP access i.e. only the selected users will be allowed L2TP connection Click Select All to allow L2TP access to all the users.

53



Click Add

Add Groups button Click to add L2TP user group. Displays list of user groups created in Cyberoam. Click Select against the Group Names that are to be allowed L2TP access i.e. only the selected user groups will be allowed L2TP connection Click Select All to allow L2TP access to all the user groups. Click Add. All the users in the selected groups will be allowd L2TP access

Delete Users & Groups button

To delete user/groups: Click Del against the names to deleted Click Delete Users & Groups button Table – L2TP Configuration screen elements

54


Create L2TP connection

Select VPN → L2TP Connection → Create Connection to open the create page

Screen – Create L2TP Connection

55




connection to be created Description Specify full description of connection Policy Name Select policy to be used for connection Action on Restart Select the action for the connection

Deactive – Keep connection deactive mode till the user activates. Active – Activate connection on system/service start so that the connection can be established whenever required

Local Network Details Local Server Specify public IP address of local VPN server/peer

Click to select

Gateway of Local VPN server

Select Gateway of the local VPN server

Local ID Specify local ID You can specify any one of the following:

• DNS • IP address • Email address • DER ASN1 DN/X.509 (applicable only if Authentication Type

is Digital Certificate) Remote Network Remote Host

Specify IP address of remote peer

Remote ID Specify remote ID. You can specify any one of the following: • DNS • IP address • Email address • DER ASN1 DN/X.509 (applicable only if Authentication Type

is Digital Certificate) Authentication details Authentication Type Specify Authentication type. Authentication of user depends on the




Local Certificate Displays the local certificate which will be used for authentication

56



Only if Authentication Type is ‘Digital Certificate’ Quick Mode Selectors Local port Specify local port Remote port Specify remote port Create button Creates the connection

Click to create

Cancel button Cancels the current operation Table – Create L2TP Connection screen elements

Note L2TP and IPSec connection name cannot be same You may receive ‘Connection name already exists’ message while creating connection, if the name with which you are creating the connection is already used for either L2TP or IPSec connection

Manage L2TP connection

Select VPN → L2TP Connection → Manage Connection to view the list of connections

Screen – Manage L2TP Connection

57


Screen – Update L2TP Connection


Connection details Name Displays Connection name Description Displays description, modify if required Policy Name Displays policy that will be used for connection Action on Restart Displays the action


Local Network Details Local Server Displays public IP address of local VPN server/peer

Click to select

Gateway of Local Displays Gateway of the local VPN server

58



VPN server Local ID Displays local ID, modify if required

You can specify any one of the following: • DNS • IP address • Email address • DER ASN1 DN/X.509 (applicable only if Authentication Type

is Digital Certificate) Remote Network Remote Host Displays IP address of remote peer Remote ID Displays remote ID, modify if required. You can specify any one of

the following: • DNS • IP address • Email address • DER ASN1 DN/X.509 (applicable only if Authentication Type

is Digital Certificate) Authentication details Authentication Type Specify Authentication type. Authentication of user depends on the





Displays the local certificate which will be used for authentication

Quick Mode Selectors Local port Displays local port, modify if required Remote port Displays remote port, modify if required Update button Saves the modified details

Click to update

Cancel button Cancels the current operation Table – Update L2TP Connection screen elements

59


Delete L2TP connection

Select VPN → L2TP Connection → Manage Connection to view the list of connections

Screen – Delete L2TP connection


Del Select connection for deletion Click Del to select More than one connection can also be selected

Select All Select all the connections for deletion Click Select All to select all the connections(s)

Delete button Deletes all the selected connection(s) Table – Delete L2TP connection screen elements

60


61

PPTP Connection Cyberoam support PPTP to tunnel PPP traffic between two VPN peers. Windows or Linux PPTP clients can establish a PPTP tunnel with a Cyberoam Appliance that has been configured to act as a PPTP server.

PPTP Configuration

Use to: • Configure PPTP • Add and delete PPTP User • Add and delete PPTP User Groups

Select VPN → PPTP Configuration

Screen – PPTP Configuration


PPTP Configuration Local IP Address Displays LAN IP address that will be used for PPTP server Assign IP from PPTP server will lease IP address to the PPTP client from the

specified IP address range. The PPTP client uses the assigned IP address as its source address for the duration of the connection. Do not specify the same IP address range in L2TP configuration and PPTP configuration

Client Information DNS server Specify IP address of your DNS server and alternate DNS server to

be used at the client end WINS server Specify IP address of your WINS server and alternate WINS server


62


to be used at the client end Save Saves the details

Click to save

Add Users button Click to add PPTP user. Displays list of users which are migrated or created in Cyberoam. Click Select against the Names that are to be allowed PPTP access i.e. only the selected users will be allowed PPTP connection Click Select All to allow PPTP access to all the users. Click Add

Add Groups button Click to add PPTP user group. Displays list of user groups created in Cyberoam. Click Select against the Group Names that are to be allowed PPTP access i.e. only the selected user groups will be allowed PPTP connection Click Select All to allow PPTP access to all the user groups. Click Add. All the users in the selected groups will be allowd PPTP access

Delete Users & Groups button

To delete user/groups: Click Del against the names to deleted Click Delete Users & Groups button Table – PPTP Configuration Screen elements

Cyberoam VPN Management Guide VPN... · VPN Management Guide Contents Guide ... Data transfer...

Documents

Transcript of Cyberoam VPN Management Guide VPN... · VPN Management Guide Contents Guide ... Data transfer...