
Establish Site-to-Site IPSec Connection using Preshared key

Applicable Version: 10.00 onwards


Overview
IPSec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol
Suite. It is used to protect data flows between a pair of hosts (host-to-host), between a pair of
security gateways (network-to-network), or between a security gateway and a host (network-to-host).
Cyberoam's IPSec VPN offers cost-effective site-to-site remote connectivity, eliminating the need
for expensive private remote access networks like leased lines, Asynchronous Transfer Mode (ATM)
and Frame Relay. This article describes a detailed configuration example that demonstrates how to
set up a site-to-site IPSec VPN connection between two networks using a preshared key to
authenticate the VPN peers.

Scenario
Configure a site-to-site IPSec VPN connection between Site A and Site B by following the steps
given below. In this article, we have used the following parameters to create the VPN
connection.

Network Parameters

Local Network details
  Local Server (WAN IP address): 14.15.16.17
  Local LAN address: 10.5.6.0/24

Remote Network details
  Remote VPN server (WAN IP address): 22.23.24.25
  Remote LAN Network: 172.23.9.0/24

Site A Configuration
The configuration is to be done from Site A's Cyberoam Web Admin Console using a profile
having read-write administrative rights for the relevant feature(s).
Step 1: Create IPSec Connection
To create a new IPSec connection, go to VPN > IPSec > Connection and click Add. Create
the connection using the following parameters.

Parameter Description

Parameter | Value | Description
--------- | ----- | -----------
Name | SiteA_to_SiteB | Name to identify the IPSec Connection
Connection Type | Site to Site | Select Type of connection. Available Options: Remote Access, Site to Site, Host to Host
Policy | DefaultHeadOffice | Select policy to be used for connection
Action on VPN Restart | Respond Only | Select the action for the connection. Available options: Respond Only, Initiate, Disable
Authentication details | |
Authentication Type | Preshared Key | Select Authentication Type. Authentication of user depends on the connection type.
Preshared Key | 123456789 | Preshared key should be the same as that configured in remote site.
Endpoints Details | |
Local | PortB-14.15.16.17 | Select local port which acts as end-point to the tunnel
Remote | 22.23.24.25 | Specify IP address of the remote endpoint.
Local Network Details | |
Local Subnet | 10.5.6.0/24 | Select Local LAN Address. Add and Remove LAN Address using Add Button and Remove Button
Remote Network Details | |
Remote LAN Network | 172.23.9.0/24 | Select Remote LAN Address. Add and Remove LAN Address using Add Button and Remove Button

Click OK to create IPSec connection.

Step 2: Activate Connection

On clicking OK, the following screen is displayed showing the connection created above.

Click the icon under Status (Active) to activate the connection.

Site B Configuration
The configuration is to be done from Site B's Cyberoam Web Admin Console using a profile
having read-write administrative rights for the relevant feature(s).
Step 1: Create IPSec Connection
To create a new IPSec connection, go to VPN > IPSec > Connection and click Add. Create
the connection using the following parameters.

Parameter Description

Parameter | Value | Description
--------- | ----- | -----------
Name | SiteB_to_SiteA | Name to identify the IPSec Connection
Connection Type | Site to Site | Select Type of connection. Available Options: Remote Access, Site to Site, Host to Host
Policy | DefaultBranchOffice | Select policy to be used for connection
Action on VPN Restart | Initiate | Select the action for the connection. Available options: Respond Only, Initiate, Disable
Authentication details | |
Authentication Type | Preshared Key | Select Authentication Type. Authentication of user depends on the connection type.
Preshared Key | 123456789 | Preshared key should be the same as that configured in remote site.
Endpoints Details | |
Local | PortB-22.23.24.25 | Select local port which acts as end-point to the tunnel
Remote | 14.15.16.17 | Specify IP address of the remote endpoint.
Local Network Details | |
Local Subnet | 172.23.9.0/24 | Select Local LAN Address. Add and Remove LAN Address using Add Button and Remove Button
Remote Network Details | |
Remote LAN Network | 10.5.6.0/24 | Select Remote LAN Address. Add and Remove LAN Address using Add Button and Remove Button

Step 2: Activate and Establish Connection


On clicking OK, the following screen is displayed showing the connection created above.

Click the icons under Status (Active) and Status (Connection).

The above configuration establishes an IPSec connection between Two (2) sites.
Note:
Make sure that Firewall Rules that allow LAN to VPN and VPN to LAN traffic are configured.
In a Head Office and Branch Office setup, usually the Branch Office acts as the tunnel
initiator and the Head Office acts as the responder, for the following reasons:
- Since Branch Offices or other Remote Sites have dynamic IPs, the Head Office is not able to
initiate the connection.
- As there can be many Branch Offices, it is good practice for the Branch Offices to retry the
connection instead of the Head Office retrying all the branch office connections, which reduces
the load on the Head Office.
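The two tables above only work if every value on one side mirrors the other. The following script is an added example (not part of the article or of Cyberoam's software) that encodes the Site A and Site B parameters as plain dictionaries and checks that mirroring before either connection is activated; the dictionary keys and function names are this script's own.

```python
"""Mirror-consistency check for the Site A / Site B IPSec connection definitions.

Added example, not part of the article or of Cyberoam's software: it encodes the
parameters from the two tables above as plain dictionaries and verifies that the
two ends agree before either connection is activated. The dictionary keys and the
function names are this script's own.
"""
import ipaddress

# Values taken from the Site A and Site B configuration tables.
SITE_A = {
    "name": "SiteA_to_SiteB",
    "local_wan": "14.15.16.17",
    "remote_wan": "22.23.24.25",
    "local_subnets": ["10.5.6.0/24"],
    "remote_subnets": ["172.23.9.0/24"],
    "psk": "123456789",
    "action_on_restart": "Respond Only",
}
SITE_B = {
    "name": "SiteB_to_SiteA",
    "local_wan": "22.23.24.25",
    "remote_wan": "14.15.16.17",
    "local_subnets": ["172.23.9.0/24"],
    "remote_subnets": ["10.5.6.0/24"],
    "psk": "123456789",
    "action_on_restart": "Initiate",
}


def _networks(cidrs):
    """Parse CIDR strings; strict=True rejects a subnet with host bits set."""
    return {ipaddress.ip_network(c, strict=True) for c in cidrs}


def check_site_pair(a, b):
    """Return a list of problems; an empty list means the two ends mirror each other."""
    problems = []
    for this, other in ((a, b), (b, a)):
        # Each side's remote endpoint must be the other side's local WAN address.
        if this["remote_wan"] != other["local_wan"]:
            problems.append(f"{this['name']}: remote endpoint {this['remote_wan']} "
                            f"is not {other['name']}'s local WAN address {other['local_wan']}")
        # This side's remote subnets must be exactly the other side's local subnets.
        if _networks(this["remote_subnets"]) != _networks(other["local_subnets"]):
            problems.append(f"{this['name']}: remote subnets {this['remote_subnets']} "
                            f"do not match {other['name']}'s local subnets {other['local_subnets']}")
    # The two LANs must not overlap, or the traffic selectors become ambiguous.
    for net_a in _networks(a["local_subnets"]):
        for net_b in _networks(b["local_subnets"]):
            if net_a.overlaps(net_b):
                problems.append(f"local subnets {net_a} and {net_b} overlap")
    # The preshared key must be identical on both ends.
    if a["psk"] != b["psk"]:
        problems.append("preshared keys differ between the two sites")
    # One side must initiate: two responders never bring the tunnel up.
    actions = {a["action_on_restart"], b["action_on_restart"]}
    if "Initiate" not in actions:
        problems.append("neither side is set to Initiate; the tunnel will never be established")
    if "Disable" in actions:
        problems.append("one side has Action on VPN Restart set to Disable")
    return problems


if __name__ == "__main__":
    issues = check_site_pair(SITE_A, SITE_B)
    print("consistent" if not issues else "\n".join(issues))
```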

Allow download of specific file types from selected website(s) only


Applicable to Version: 10.00 onwards
Scenario

Allow file type categories like .mpeg, .mp3, .exe for website www.example.com, while
blocking the file types for other websites.

Prerequisite
Web and Application Filter Module Subscribed.

Configuration
You must be logged on to the Web Admin Console as an administrator with Read-Write
permission for relevant feature(s).
Step 1: Create a Custom Web Category
Create a Custom Web Category to add the required URL: www.example.com. To create a
web category, go to Web Filter > Category > Category and click Add to create a new
category. Specify the category parameters along with the Domain value
as www.example.com, as shown in the screen below.

Click OK and the Custom Web Category AllowFileDownload will be created successfully.

Step 2: Create Web Filter Policy


Go to Web Filter > Policy > Policy and click Add to create a new Web Filter Policy
named Example_Custom as shown in the diagram below.

Click OK and the Web Filter Policy Example_Custom will be created successfully.
Step 3: Configure Rules for Web Filter Policy
Select the Policy Example_Custom created in Step 2 and click Add to add the Web Filter
Policy Rules.

Specify Web Filter Policy Rules as shown in the table below.


Rule 1
Here file type categories like .mpeg, .mp3, .exe are blocked for all the sites.

Parameter | Value | Description
--------- | ----- | -----------
Category Type | File Type | Select Category Type for which the rule is to be added.
Category | Video Files, Audio Files, Executable Files | Select the Categories which you want to deny for all the sites.
HTTP and HTTPS Action | Deny | Select HTTP and HTTPS action.
Schedule | All the time | Select the Schedule for categories selected.

Click Add and the Web Filter Policy Rule will be added successfully.
Rule 2
Here file type categories like .mpeg, .mp3, .exe are blocked for all the sites, but all these
file types are allowed for www.example.com.

Parameter | Value | Description
--------- | ----- | -----------
Category Type | Web Category | Select Web Category from the list of available categories.
Category | AllowFileDownload | Select the Category AllowFileDownload created in Step 1.
HTTP and HTTPS Action | Allow | Select HTTP and HTTPS action.
Schedule | All the Time | Select the Schedule for categories selected.

Click Add and the Web Filter Policy Rule will be added successfully.

Note:
The rule for the AllowFileDownload Category should be on top, as rules are executed in
top-to-bottom sequence.
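To see why the order matters, here is an added example (not Cyberoam code) that models the policy Example_Custom as an ordered rule list evaluated first-match, with the AllowFileDownload rule above and below the File Type deny rule. The extension-to-category mapping, the default action for URLs no rule matches, and the sample URLs are constructed for this example.

```python
"""First-match evaluation of the Web Filter Policy rules from Step 3.

Added example, not Cyberoam code: models Example_Custom as an ordered list of
rules and shows why the AllowFileDownload rule has to sit above the File Type
deny rule. The extension-to-category mapping, the default action for URLs no
rule matches, and the sample URLs are constructed for this example.
"""
from urllib.parse import urlparse

# Constructed stand-in for the appliance's File Type categories used in Rule 1.
FILE_TYPE_CATEGORIES = {
    "Video Files": {".mpeg", ".mpg", ".mp4"},
    "Audio Files": {".mp3", ".wav"},
    "Executable Files": {".exe", ".msi"},
}
# The Custom Web Category from Step 1 and the domain it contains.
WEB_CATEGORIES = {"AllowFileDownload": {"www.example.com"}}

# Rule 2 (allow for www.example.com) and Rule 1 (deny file types everywhere).
RULE_ALLOW_EXAMPLE_COM = {
    "category_type": "Web Category",
    "categories": ["AllowFileDownload"],
    "action": "Allow",
}
RULE_DENY_FILE_TYPES = {
    "category_type": "File Type",
    "categories": ["Video Files", "Audio Files", "Executable Files"],
    "action": "Deny",
}


def _extension(path):
    """Lower-cased extension of the last path segment, or '' if it has none."""
    last = path.rsplit("/", 1)[-1]
    return last[last.rfind("."):].lower() if "." in last else ""


def rule_matches(rule, url):
    """Does this rule's category selection match the request?"""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if rule["category_type"] == "Web Category":
        return any(host in WEB_CATEGORIES[c] for c in rule["categories"])
    if rule["category_type"] == "File Type":
        ext = _extension(parsed.path)
        return any(ext in FILE_TYPE_CATEGORIES[c] for c in rule["categories"])
    raise ValueError(f"unknown category type {rule['category_type']!r}")


def evaluate(rules, url, default="Allow"):
    """Rules are evaluated top to bottom; the first matching rule decides.
    `default` (constructed) applies when no rule matches."""
    for rule in rules:
        if rule_matches(rule, url):
            return rule["action"]
    return default


# Order recommended by the article's note, and the reverse order.
CORRECT_ORDER = [RULE_ALLOW_EXAMPLE_COM, RULE_DENY_FILE_TYPES]
WRONG_ORDER = [RULE_DENY_FILE_TYPES, RULE_ALLOW_EXAMPLE_COM]

if __name__ == "__main__":
    for url in ("http://www.example.com/setup.exe", "http://downloads.test/song.mp3"):
        print(url, "->", evaluate(CORRECT_ORDER, url),
              "/ reversed order:", evaluate(WRONG_ORDER, url))
```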
Step 4: Apply Policy to Firewall Rule or User/User Group
Firewall Rule
You can apply the policy through a Firewall Rule so that it is applied to all traffic that hits
that rule. To create a Firewall Rule, go to Firewall > Rule > IPv4 Rule and click Add. As
shown below, apply the Policy created in Step 1.

Click OK to apply the Firewall Rule.


User/User Group
You can apply the rule to individual users or user groups. Here, as an example we have
applied the rule on a user named John Smith. To apply the policy on an individual user, go
to Identity > Users > Users and select the user on whom policy is to be applied, i.e., John
Smith. As shown below, apply the Policy created in Step 1.

Click OK to apply policy on the user.

Configure Gateway Load Balancing and Failover

Applicable to Version: 10.00 onwards


Overview
Today organizations require stable, redundant and fast ISP links to run business critical
applications. To achieve constant and secure availability of the Internet and to avoid network
vulnerability, organizations prefer to have multiple ISP links. Multiple ISP links allow the
network administrator to configure failover and load balancing over Internet links.
Cyberoam supports Load Balancing and Failover for multiple ISP links based on the number of
WAN ports available in the Appliance. You can terminate multiple ISP links on available
physical interfaces of Cyberoam in the form of Gateways. A Gateway can be configured as an
Active or a Backup Gateway. The Gateways can be set up in Two (2) ways:
Active-Active: Here, all Gateways are in Active State and traffic is Load Balanced between all
Active Gateways. By default, Cyberoam adds a new gateway as an Active Gateway. Hence,
Load Balancing is automatically enabled between the existing and newly added links.
Cyberoam employs a weighted round robin algorithm for load balancing to enable maximum
utilization of capacity across the various links.
Active-Backup: Here, One (1) or more Gateways are configured as Backup. This setup allows the
Administrator to configure Gateway Failover if any active gateway goes down.

Note:
Load Balancing and Failover is supported both for IPv4 and IPv6 traffic. The Load Balancing
or Failover can be done between Two (2) IPv4 gateways or Two (2) IPv6 gateways.

Scenario
Consider the hypothetical network in which one ISP link is terminated on Port B and
Administrator wants to terminate another ISP link on Port D.

IP Schema
Below given IP schema is configured on Cyberoam.

Parameters | Value
---------- | -----
Port A | 
IP Address | 10.10.1.1
Subnet Mask | 255.255.255.0
Zone | LAN
Port B | 
IP Address | 172.16.16.1
Subnet Mask | 255.252.240.0
Zone | WAN
Gateway Details: ISP Name | Default
Gateway Details: IP Address | 172.16.16.15
Port C | 
IP Address | 10.10.10.1
Subnet Mask | 255.255.255.0
Zone | DMZ
Port D | Port D is an unbound port so zone type for port D is set to N/A
DNS Configuration | 
Primary DNS | 4.2.2.2
This article is divided into the following Three (3) sections:
- Add a New Gateway
- Configure Load Balancing
- Configure Gateway Failover

Prerequisites
An unbound physical port should be available on Cyberoam. An unbound port is one which is
not assigned to any security zone.

Add a New Gateway


You must be logged on to the Web Admin Console as an administrator with Read-Write
permission for relevant feature(s).
To add a gateway, go to Network > Interface > Interface and configure an unbound physical
port according to the parameters given below. Here, as an example, we have configured Port D.

Parameters | Value | Description
---------- | ----- | -----------
General Settings | |
Physical Interface | PortD | Physical Interface, for example Port A, Port B
Network Zone | WAN | Select Zone to which Interface belongs.
IP Assignment | Static | Select IP Assignment type. Available Options: Static: Static IP Addresses are available for all the zones. PPPoE: PPPoE is available only for WAN Zone. If PPPoE is configured, WAN port is displayed as the PPPoE Interface. DHCP: DHCP is available only for WAN Zone.
IP Address | 10.10.2.1 | Specify IP Address.
Subnet Mask | /24 (255.255.255.0) | Specify Network Subnet mask.
Primary DNS | 203.88.135.194 | Specify Primary DNS Server IP Address.
Secondary DNS | 4.2.2.2 | Specify Secondary DNS Server IP Address.
Gateway Details | |
Gateway Name | PortD_Gateway | Specify Gateway Name
IP Address | 10.10.2.19 | Specify IP Address of Gateway

Click OK to update the interface.


On updating the interface, the gateway is added to the list of Gateways in Network > Gateway
> Gateway.

Configure Load Balancing


Cyberoam allows Load Balancing between 2 or more Active-Active Gateways. By default,
Cyberoam adds a new gateway as an Active Gateway. Hence, Load Balancing is automatically
enabled between the existing and newly added links.
Weighted Round Robin algorithm is used for load balancing wherein each link is assigned a
weight. The traffic that Cyberoam distributes among the links is in proportion to the weight
assigned to them.
To assign weight to a Link, go to Network > Gateway > Gateway and select the required
Gateway.

Enter the Weight as shown below and click OK.

Configure Gateway Failover


Cyberoam allows Gateway Failover in both Active-Active and Active-Backup setups.
In an Active-Active setup, if any one of the active gateways fails, the traffic is redirected to
another active gateway. The Administrator can specify Failover Conditions to indicate how a failed
gateway is to be detected.
In an Active-Backup setup, one or more of the gateways are configured as backup gateways. If an
Active Gateway fails, the traffic can be redirected to a backup gateway, ensuring Internet
continuity.
Configure Backup Gateway
You can configure a gateway as a Backup gateway by following the steps below.
1. Go to Network > Gateway > Gateway and select the required Gateway.
2. Select Gateway Type as Backup and configure Backup Gateway Details as shown below.

Click OK to save changes.

This setup indicates if any Active Gateway Fails, PortD_Gateway would get activated and
would inherit the weight of the failed gateway.
Configure Failover Condition
By default, on adding a gateway, Cyberoam adds a Failover Rule indicating that if Cyberoam
is not able to PING the gateway, it would be considered down, as shown below.

Click Add to add another rule, or Edit to change the existing rule. Here, as an example, we
have added a Rule that indicates that if Cyberoam is not able to PING the
Gateway 172.16.16.15 and establish a TCP connection on port 80 with 4.2.2.2, the gateway
will be considered down.

Click OK to save the Gateway Failure Rule.


During a link failure, Cyberoam regularly checks the health of a given connection, assuring
fast reconnection when Internet service is restored.
When the connection is restored and gateway is up again, traffic is rerouted through the
Active gateway automatically.
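The following is an added example (not Cyberoam code) that models the setup above: Default (172.16.16.15) as the active gateway and PortD_Gateway (10.10.2.19) as its backup, the failure rule with the PING and TCP port 80 probes, weighted round robin distribution, and the backup inheriting the failed gateway's weight. The numeric weights, the probe results and the "each gateway takes `weight` consecutive flows" scheduling are constructed stand-ins for the appliance's internal behaviour.

```python
"""Weighted round robin with gateway failover, modelled on the article's setup.

Added example, not Cyberoam code. Default (172.16.16.15) is the active gateway
and PortD_Gateway (10.10.2.19) the backup, as configured above. The numeric
weights, the probe results and the scheduling scheme are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Gateway:
    name: str
    ip: str
    weight: int               # constructed; the article gives no numeric weight
    gw_type: str = "Active"   # "Active" or "Backup"


GATEWAYS = [
    Gateway("Default", "172.16.16.15", weight=2),
    Gateway("PortD_Gateway", "10.10.2.19", weight=1, gw_type="Backup"),
]


def gateway_is_down(probe_results):
    """Evaluate the failure rule from the article: the gateway is considered
    down when the PING to the gateway AND the TCP connection to port 80 on
    4.2.2.2 both fail. probe_results maps probe name -> success flag."""
    return not any(probe_results.values())


def effective_gateways(gateways, health):
    """Return (name, weight) pairs that currently carry traffic.

    health maps gateway name -> True (up) / False (down). A failed active
    gateway is replaced by a healthy backup, which inherits the failed
    gateway's weight, as the article describes for PortD_Gateway."""
    active = [g for g in gateways if g.gw_type == "Active"]
    spare = [g for g in gateways if g.gw_type == "Backup" and health.get(g.name, True)]
    carrying = []
    for g in active:
        if health.get(g.name, True):
            carrying.append((g.name, g.weight))
        elif spare:
            backup = spare.pop(0)
            carrying.append((backup.name, g.weight))   # inherits the failed weight
    return carrying


def distribute(gateways, health, n_flows):
    """Assign n_flows new connections in weighted round robin: in one round each
    carrying gateway receives `weight` consecutive flows (constructed scheme)."""
    carrying = effective_gateways(gateways, health)
    if not carrying:
        raise RuntimeError("no gateway available: all active and backup gateways are down")
    schedule = [name for name, weight in carrying for _ in range(weight)]
    return [schedule[i % len(schedule)] for i in range(n_flows)]


def flow_counts(gateways, health, n_flows):
    """Flows per gateway, for a quick view of the resulting split."""
    counts = {}
    for name in distribute(gateways, health, n_flows):
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    all_up = {"Default": True, "PortD_Gateway": True}
    print("normal:", flow_counts(GATEWAYS, all_up, 6))
    # Constructed probe outcome: both checks in the failure rule fail.
    probes = {"ping 172.16.16.15": False, "tcp 4.2.2.2:80": False}
    health = {"Default": not gateway_is_down(probes), "PortD_Gateway": True}
    print("Default failed:", flow_counts(GATEWAYS, health, 6))
    active_active = [Gateway("Default", "172.16.16.15", 2),
                     Gateway("PortD_Gateway", "10.10.2.19", 1)]
    print("active-active:", flow_counts(active_active, all_up, 6))
```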

Configure Email Notification

Applicable Version: 10.00 onwards

Overview

Cyberoam allows configuration of Email notifications for certain system-generated events and
reports (as specified by the administrator). Such Email notifications can be configured to inform
the administrator about:
- Change in gateway status
- Change in HA (high availability) link status (if an HA cluster is configured)
- Change in state of IPSec Tunnel(s)
- Various reports (customizable)

Scenario
Configure Email Notifications in Cyberoam.

Configuration
The entire configuration is to be done from the Web Admin Console of Cyberoam. Configuration
requires read-write administrative permission for the relevant features.
Step 1: Configure Mail Server Settings
Configuring Mail Server Settings enables the administrator to receive Email notifications for
system-generated events like change in gateway status, change in HA link status and change in
state of IPSec Tunnel. Configure the Mail Server by going to System > Configuration >
Notification and setting the parameters as shown below.

Parameters | Value | Description
---------- | ----- | -----------
Mail Server Settings | |
Mail Server IP Address/FQDN - Port | 172.16.16.24 - 25 | Configure your Mail Server IP Address and port
Authentication Required | Enabled | If Enabled, specify authentication parameters, i.e. username and password
Email Setting | |
From Email Address | admin@cyberoam.com | Specify the email address from which the notification is to be sent.
Send Notifications to Email Address | john.smith@cyberoam.com | Specify the email address to which the notification is to be sent.

Click Test Mail to check Mail Server Configuration. If test mail is delivered successfully,
click Apply to save configuration.

Step 2: Configure Email notification for reports


You can configure daily or weekly Email notification for the following report groups: Web
Usage, Mail Usage, FTP Usage, Blocked Web Attempts, Attacks, Spam, Virus, Event, Search
Engine, IM Usage, Blocked IM Attempts, Internet Usage, VPN, SSL VPN, Denied SSL VPN
Attempts, Blocked Applications, Applications. Configure Report Notifications by following the
steps given below.

- Go to Logs & Reports > View Reports, or click the Reports tab available on the Icon Bar in the
upper rightmost corner of every page, to access On-Appliance iView.
- In iView, go to System > Configuration > Report Notification and click Add to add a report
notification. Here, as an example, we have configured a daily Email Notification for Search
Engine Reports.

Parameters | Value | Description
---------- | ----- | -----------
Name | Search_Engine_Report | Specify report notification name
To Email Address | admin@cyberoam.com | Specify Email address of the recipient
Report Group | Search Engine | Select report category from the Report Group drop down list
Email Frequency | Daily at 11 hours | Set Email Frequency

Click Add to add a new notification.

With the above configuration, all the Search Engine reports will be mailed every day at 10 am.

Configure Port Forwarding using Virtual Host to access devices on Internal network
Applicable to Version: 10.00 onwards
This article describes a detailed configuration example that demonstrates how to configure Cyberoam
to provide access to internal resources.
The article covers how to:
- Create a virtual host
- Create a firewall rule to allow the inbound traffic

Virtual host
Virtual host implementation is based on the Destination NAT concept of older versions of Cyberoam.
Virtual Host maps services of a public IP address to services of a host in a private network. In other
words, it is a mapping of public IP address to an internal IP address. This virtual host is used as the
Destination address to access internal or DMZ server.
A Virtual host can be a single IP address or an IP address range or Cyberoam interface itself.
Cyberoam will automatically respond to the ARP request received on the WAN zone for the external
IP address of Virtual host.

Sample schema
Throughout the article we will use the network parameters displayed in the below given network
diagram. Outbound traffic from LAN and DMZ is allowed while inbound traffic is restricted. The public
servers - mail and web server are hosted in DMZ.
Network components | External IP address (Public) | IP address (Internal)
------------------ | ---------------------------- | ---------------------
Web server | 203.88.135.208 | 192.168.1.4 (Mapped)
Mail server | 204.88.135.192 | 192.168.1.15 (Mapped)

For virtual host:
- External IP: IP address through which Internet users access the internal server.
- Mapped IP: IP address bound to the internal server.

Configuration
The entire configuration is to be done from Web Admin Console with user having Administrator
profile.
Step 1: Create virtual host for Web server
Go to Firewall --> Virtual Host and click on Add button to add a virtual host with the parameters as
specified in sample schema.

In our example, Internet users will access internal web server using public IP 203.88.135.208 which is
mapped to local IP 192.168.1.4. In other words, all the inbound requests from 203.88.135.208 will be
forwarded to 192.168.1.4.

Parameters | Value | Description
---------- | ----- | -----------
Name | WebServer | 
External IP | 203.88.135.208 | Public IP address is the IP address through which Internet users access internal server/host.
Mapped IP | 192.168.1.4 | Mapped IP is the IP address to which the external IP address is mapped. This is the actual private IP address of the host being accessed using the virtual host.
Physical Zone | DMZ | 

Click OK and the Virtual Host WebServer will be added successfully.
Note
- If servers are hosted on LAN, change the Physical Zone to LAN.
- In case you have custom zones, change the Physical Zones accordingly.
- Public IP address is the IP address through which Internet users access the internal server/host.
If the public IP address is already configured as the main Interface IP or an alias IP, use the
option Interface IP to select it as the external IP; otherwise create a host for the IP and select
it under IP Address.

Step 2: Create virtual host for Mail server


Go to Firewall --> Virtual Host and click on the Add button to add a virtual host with the parameters
as specified in the sample schema.
In our example, Internet users will access the internal mail server using public IP 203.88.135.192 which is
mapped to local IP 192.168.1.15. In other words, all the inbound requests to 203.88.135.192 will be
forwarded to 192.168.1.15.

Parameters | Value | Description
---------- | ----- | -----------
Name | Mailserver | 
External IP | 203.88.135.192 | Public IP address is the IP address through which Internet users access internal server/host.
Mapped IP | 192.168.1.15 | Mapped IP is the IP address to which the external IP address is mapped. This is the actual private IP address of the host being accessed using the virtual host.
Physical Zone | DMZ | 

Click on OK and the Virtual Host MailServer has been added successfully.

Step 3: Loopback firewall rule


Once the virtual host is created successfully, Cyberoam automatically creates a loopback firewall rule
for the zone of the mapped IP address. The loopback firewall rule is created for the service specified
in the virtual host.
Loopback rules allow internal users in the same zone to access the internal resources using their public
IP (external IP) or FQDN.
For our example, a DMZ to DMZ firewall rule is created, as the virtual host (mapped IP address) belongs
to the DMZ interface subnet.
Check the creation of the loopback rule under Firewall --> Rule.

Step 4: Add Firewall rules


Rule 1
Go to Firewall --> Rule and add a firewall rule for WebServer with the parameters as displayed in
the screens below.

Click OK and the Firewall Rule will be created successfully.

Rule 2
Go to Firewall Rule and add a firewall rule for MailServer with the parameters as displayed in the
below given screens.

Click OK and the Firewall Rule will be created successfully.


Note
Change the Destination Host according to the actual server Location (Zone).

To create firewall rules to allow internal users to access resources in DMZ using its public IP (external
IP) or FQDN follow the below mentioned steps:
Go to Firewall Rule and add a firewall rule for each server with the parameters as displayed in the
below given screens.

Click OK and the Firewall Rule for Web Server will be created successfully.

Click OK and the Firewall Rule for Mail Server will be created successfully.
Note:
DO NOT apply NAT for inbound SMTP rules. This will set up the MailServer as an OPEN RELAY.
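The reason behind this note is that source NAT hides the real client address from the mail server. The following added example (not Cyberoam code) models the virtual-host translation from Steps 1 and 2 followed by the mail server's relay decision, with and without NAT applied on the inbound rule. The firewall's DMZ address 192.168.1.1, the trusted relay network, the mail server's local domain and the sample client address are constructed; the virtual-host mappings are the article's.

```python
"""Why the article says not to apply NAT on the inbound SMTP rule.

Added example, not Cyberoam code: a minimal model of the virtual-host
translation from Steps 1 and 2 followed by the mail server's relay decision.
The firewall DMZ address, trusted relay network, local mail domain and client
address are constructed; the virtual-host mappings are the article's.
"""
import ipaddress
from dataclasses import dataclass, replace

FIREWALL_DMZ_IP = "192.168.1.1"   # constructed: DMZ interface address of the appliance

# External (public) IP -> (mapped internal IP, zone), as configured in Steps 1 and 2.
VIRTUAL_HOSTS = {
    "203.88.135.208": ("192.168.1.4", "DMZ"),    # WebServer
    "203.88.135.192": ("192.168.1.15", "DMZ"),   # MailServer
}

# Constructed: the mail server relays for clients on its own DMZ network only.
TRUSTED_RELAY_NETS = [ipaddress.ip_network("192.168.1.0/24")]
LOCAL_MAIL_DOMAIN = "example.org"   # constructed


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int


def forward_inbound(pkt, apply_source_nat):
    """Rewrite the destination through the virtual host (the mapping the article
    describes). If apply_source_nat is set, also rewrite the source to the
    firewall's DMZ address, which is what "Apply NAT" on the inbound rule does."""
    if pkt.dst_ip not in VIRTUAL_HOSTS:
        raise KeyError(f"no virtual host for {pkt.dst_ip}")
    mapped_ip, _zone = VIRTUAL_HOSTS[pkt.dst_ip]
    pkt = replace(pkt, dst_ip=mapped_ip)
    if apply_source_nat:
        pkt = replace(pkt, src_ip=FIREWALL_DMZ_IP)
    return pkt


def smtp_relay_decision(pkt, recipient_domain):
    """The mail server's view: accept mail for its own domain from anyone, but
    relay to other domains only for clients it sees as internal."""
    if recipient_domain == LOCAL_MAIL_DOMAIN:
        return "accept-local"
    client = ipaddress.ip_address(pkt.src_ip)
    if any(client in net for net in TRUSTED_RELAY_NETS):
        return "relay"
    return "reject-relay"


def inbound_smtp_outcome(client_ip, recipient_domain, apply_source_nat):
    """End-to-end: Internet client -> virtual host 203.88.135.192:25 -> mail server."""
    pkt = Packet(client_ip, "203.88.135.192", 25)
    return smtp_relay_decision(forward_inbound(pkt, apply_source_nat), recipient_domain)


if __name__ == "__main__":
    client = "198.51.100.7"   # constructed Internet client address
    for nat in (False, True):
        print(f"Apply NAT={nat}: mail for other.test ->",
              inbound_smtp_outcome(client, "other.test", nat))
```

With NAT off the mail server sees 198.51.100.7 and refuses to relay; with NAT on it sees 192.168.1.1, treats the Internet client as internal and relays for anyone.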

Connect Android Devices with Cyberoam Using L2TP VPN

Applicable Cyberoam Version: 10.01.0 Build 667 onwards

Applicable Android Version: 2.2 onwards

Overview

This article describes how you can connect an Android device, like mobile phone, PDA, tablet,
etc., with Cyberoam using L2TP VPN. Such a connection is especially useful when you want to
securely connect to the Internet at a public Wi-Fi hotspot. The VPN connection enables all data
to be transferred in an encrypted form, ensuring security of personal data in your device.

Scenario
Configure Cyberoam and Android device to enable an L2TP VPN connection between them.
This document consists of 2 sections:
1. Cyberoam Configuration
2. Android Configuration

Cyberoam Configuration
Configure Cyberoam as the L2TP VPN server by following the steps given below. Configuration
is to be done from Web Admin console as well as Cyberoam CLI using Administrator profile.
Note:
- PPTP and L2TP connections established using the MSCHAPv2 or CHAP protocol can be
authenticated through a RADIUS or Local authentication server.
- For AD Authentication, the AD Server should be behind a RADIUS Server and passwords
should be stored in reversible encrypted form.

Step 1: Configure L2TP Settings


Go to VPN > L2TP > Configuration to configure L2TP Settings using the parameters given
below.
Parameter Description

Parameters | Value | Description
---------- | ----- | -----------
Enable L2TP | Enabled | Click to enable L2TP
General Settings | |
Assign IP from | 172.16.16.221 - 172.16.16.225 | Specify IP address range if L2TP server has to lease IP Addresses. This range preferably should be in a different range other than any of the Cyberoam's Local Subnets.
Client Information | |
Primary DNS Server | 203.88.135.194 | Select Primary DNS Server from the list. Alternately, you can also specify DNS Server by choosing Other from the list.
Secondary DNS Server | 4.2.2.2 | Select Secondary DNS Server from the list. Alternately, you can also specify DNS Server by choosing Other from the list.

Step 2: Configure L2TP Connection Parameters


Go to VPN > L2TP > Connection and click Add to configure the L2TP Connection using the
parameters given below.

Parameter Description

Parameters | Value | Description
---------- | ----- | -----------
General Settings | |
Name | L2TP | Name to identify the L2TP Connection
Policy | DefaultL2TP | Select policy to be used for L2TP connection
Action on VPN Restart | Respond Only | Select the action for the connection.
Authentication Details | |
Authentication Type | Preshared Key | Select Authentication Type. Authentication of user depends on the connection type.
Preshared Key | cyberoam | Set password as required
Local Network Details | |
Local WAN Port | PortB 192.168.13.120 | Select local WAN port.
Remote Network Details | |
Remote Host | | Specify IP address of remote peer/host. Specify * for any IP address
Allow NAT Traversal | Disabled | Enable NAT traversal if a NAT device is located between your VPN endpoints, i.e. when the remote peer has a private/non-routable IP address.
Remote LAN Network | Any IP Host | Select IP addresses and netmask of remote network which is allowed to connect to the Cyberoam server through VPN tunnel.
Quick Mode Selectors | |
Local Port | 1701 | Specify Local Port for TCP or UDP
Remote Port | | Specify Remote Port for TCP or UDP

Click OK to add L2TP connection.

Step 3: Activate L2TP Connection

Click the icon under Status (Active) to activate the connection.

Step 4: CLI Configuration

- Log in to the Cyberoam CLI.
- Select option 4. Cyberoam Console to access the CLI.
- Execute the following command to set the authentication mechanism for your client:

console> set vpn l2tp authentication MS_CHAPv2

Note:

You can also set the authentication to CHAP or PAP or ANY depending on your requirement.

Step 5: Add Users/User Groups


Go to VPN > L2TP > Configuration (as configured in Step 1) and click Add Members to
define users.

Select the Users/User Groups to give L2TP VPN access. Here we have selected the user
cyberoam.

Click Apply to add these Users/User Groups to the L2TP members list.

The above steps configure Cyberoam as the L2TP VPN Server.

Android Configuration
You can configure your Android device to connect with Cyberoam using L2TP VPN by following
the steps given below.
On your Device go to Menu > Settings > Wireless and network > VPN settings > Add
VPN and click Add L2TP/IPSec PSK VPN to configure L2TP settings according to the parameters
given below.

Parameters | Value
---------- | -----
VPN name | CyberoamL2TP
Set VPN Server | 192.168.13.120
Set IPSec pre-shared key | cyberoam

Click Save to save the configuration.

Click CyberoamL2TP to connect to the network.

Specify credentials and click Connect to authenticate and connect.

The above steps configure L2TP VPN in your Android device and connect it to your L2TP server.