Vous êtes sur la page 1sur 62

VPN Management

Guide Version 9

Document version 9410-1.0-06/01/2007


IMPORTANT NOTICE
Elitecore has supplied this Information believing it to be accurate and reliable at the time of printing, but is presented without warranty of
any kind, expressed or implied. Users must take full responsibility for their application of any products. Elitecore assumes no responsibility
for any errors that may appear in this document. Elitecore reserves the right, without notice to make changes in product design or
specifications. Information is subject to change without notice.

USER’S LICENSE
The Appliance described in this document is furnished under the terms of Elitecore’s End User license agreement. Please read these terms
and conditions carefully before using the Appliance. By using this Appliance, you agree to be bound by the terms and conditions of this
license. If you do not agree with the terms of this license, promptly return the unused Appliance and manual (with proof of payment) to the
place of purchase for a full refund.

LIMITED WARRANTY
Software: Elitecore warrants for a period of ninety (90) days from the date of shipment from Elitecore: (1) the media on which the Software
is furnished will be free of defects in materials and workmanship under normal use; and (2) the Software substantially conforms to its
published specifications except for the foregoing, the software is provided AS IS. This limited warranty extends only to the customer as the
original licenses. Customers exclusive remedy and the entire liability of Elitecore and its suppliers under this warranty will be, at Elitecore
or its service center’s option, repair, replacement, or refund of the software if reported (or, upon, request, returned) to the party supplying the
software to the customer. In no event does Elitecore warrant that the Software is error free, or that the customer will be able to operate the
software without problems or interruptions. Elitecore hereby declares that the anti virus and anti spam modules are powered by Kaspersky
Labs and the performance thereof is under warranty provided by Kaspersky Labs. It is specified that Kaspersky Lab does not warrant that
the Software identifies all known viruses, nor that the Software will not occasionally erroneously report a virus in a title not infected by that
virus.
Hardware: Elitecore warrants that the Hardware portion of the Elitecore Products excluding power supplies, fans and electrical components
will be free from material defects in workmanship and materials for a period of One (1) year. Elitecore's sole obligation shall be to repair or
replace the defective Hardware at no charge to the original owner. The replacement Hardware need not be new or of an identical make,
model or part; Elitecore may, in its discretion, replace the defective Hardware (or any part thereof) with any reconditioned product that
Elitecore reasonably determines is substantially equivalent (or superior) in all material respects to the defective Hardware.

DISCLAIMER OF WARRANTY
Except as specified in this warranty, all expressed or implied conditions, representations, and warranties including, without limitation, any
implied warranty or merchantability, fitness for a particular purpose, non-infringement or arising from a course of dealing, usage, or trade
practice, and hereby excluded to the extent allowed by applicable law.
In no event will Elitecore or its supplier be liable for any lost revenue, profit, or data, or for special, indirect, consequential, incidental, or
punitive damages however caused and regardless of the theory of liability arising out of the use of or inability to use the product even if
Elitecore or its suppliers have been advised of the possibility of such damages. In the event shall Elitecore’s or its supplier’s liability to the
customer, whether in contract, tort (including negligence) or otherwise, exceed the price paid by the customer. The foregoing limitations
shall apply even if the above stated warranty fails of its essential purpose.
In no event shall Elitecore or its supplier be liable for any indirect, special, consequential, or incidental damages, including, without
limitation, lost profits or loss or damage to data arising out of the use or inability to use this manual, even if Elitecore or its suppliers have
been advised of the possibility of such damages.

RESTRICTED RIGHTS
Copyright 2000 Elitecore Technologies Ltd. All rights reserved. Cyberoam, Cyberoam logo are trademark of Elitecore Technologies Ltd.
Information supplies by Elitecore Technologies Ltd. Is believed to be accurate and reliable at the time of printing, but Elitecore
Technologies assumes no responsibility for any errors that may appear in this documents. Elitecore Technologies reserves the right, without
notice, to make changes in product design or specifications. Information is subject to change without notice

CORPORATE HEADQUARTERS
Elitecore Technologies Ltd.
904 Silicon Tower,
Off. C.G. Road,
Ahmedabad – 380015, INDIA
Phone: +91-79-66065606
Fax: +91-79-26407640
Web site: www.elitecore.com , www.cyberoam.com
VPN Management Guide

Contents

Guide Sets ..........................................................................................................................5


Technical Support ..............................................................................................................6
Typographic Conventions..................................................................................................7

Overview................................................................................................................................8
Introduction to VPN...............................................................................................................8
Cyberoam and VPN ...............................................................................................................8

Policy .....................................................................................................................................9
Encryption and Authentication method .............................................................................9
Preshared Key ................................................................................................................9
Digital Certificates .......................................................................................................10
Public Key....................................................................................................................10
Policy Parameters.............................................................................................................10
Create VPN Policy...........................................................................................................13
Update VPN Policy..........................................................................................................17
Delete VPN policy ...........................................................................................................21

Certificate Authority ............................................................................................................22


Generate Certificate Authority.....................................................................................22
Import external Certificate Authority ..........................................................................24
Upload Certificate........................................................................................................25
Generate Self signed certificate ...................................................................................26
Generate Certificate Signing Request..........................................................................28
Download Certificate ...................................................................................................30
Delete Certificate .........................................................................................................31

Certificate Revocation List ..................................................................................................32


Revoke certificate ........................................................................................................32
Download CRL ............................................................................................................34
Upload CRL .................................................................................................................34
Delete CRL ..................................................................................................................36

IPSec Connection.................................................................................................................37
Create Transport mode IPSec Connection.......................................................................38
Create Road Warrior IPSec connection ...........................................................................41
Create Net to Net IPSec connection.................................................................................44
Create Host to Host IPSec connection .............................................................................47
Manage IPSec Connection...............................................................................................51
Activate/Deactivate Connection ..................................................................................51
Export Connection configuration file (only for Road warrior connection) .................52
Delete Connection........................................................................................................52

L2TP Connection .................................................................................................................53


L2TP configuration..........................................................................................................53
Create L2TP connection ..................................................................................................55
Manage L2TP connection ................................................................................................57

3
VPN Management Guide

Delete L2TP connection ..............................................................................................60

PPTP Connection .................................................................................................................61


PPTP Configuration .........................................................................................................61

4
VPN Management Guide

Guide Sets

Guide Describes
User Guide
Console Guide Console Management
Windows Client Guide Installation & configuration of Cyberoam
Windows Client
Linux Client Guide Installation & configuration of Cyberoam Linux
Client
HTTP Client Guide Installation & configuration of Cyberoam HTTP
Client
Analytical Tool Guide Using the Analytical tool for diagnosing and
troubleshooting common problems
LDAP Integration Guide Configuration for integrating LDAP with
Cyberoam for external authentication
ADS Integration Guide Configuration for integrating ADS with
Cyberoam for external authentication
PDC Integration Guide Configuration for integrating PDC with
Cyberoam for authentication
RADIUS Integration Guide Configuration for integrating RADIUS with
Cyberoam for external authentication
High Availability Configuration Configuration of High Availability (HA)
Guide
Data transfer Management Guide Configuration and Management of user based
data transfer policy
VPN Management Implementing and managing VPN
Multi Link Manager User Guide Configuration of Multiple Gateways, load
balancing and failover
Cyberoam IDP Implementation Configuring, implementing and managing
Guide Intrusion Detection and Prevention
Cyberoam Anti Virus Configuring and implementing anti virus solution
Implementation Guide
Cyberoam Anti Spam Configuring and implementing anti spam
Implementation Guide solution

5
VPN Management Guide

Technical Support
You may direct all questions, comments, or requests concerning the software you purchased, your
registration status, or similar issues to Customer care/service department at the following address:

Corporate Office
eLitecore Technologies Ltd.
904, Silicon Tower
Off C.G. Road
Ahmedabad 380015
Gujarat, India.
Phone: +91-79-66065606
Fax: +91-79-26462200
Web site: www.elitecore.com

Cyberoam contact:
Technical support (Corporate Office): +91-79-26400707
Email: support@cyberoam.com
Web site: www.elitecore.com

Visit www.cyberoam.com for the regional and latest contact information.

6
VPN Management Guide

Typographic Conventions

Material in this manual is presented in text, screen displays, or command-line notation.

Item Convention Example


Server Machine where Cyberoam Software - Server component is
installed
Client Machine where Cyberoam Software - Client component is
installed
User The end user
Username Username uniquely identifies the user of the system
Part titles Bold and

Report
shaded font
typefaces

Topic titles Shaded font

Introduction
typefaces

Subtitles Bold & Black


typefaces Notation conventions

Navigation link Bold typeface Group Management → Groups → Create


it means, to open the required page click on Group
management then on Groups and finally click Create tab

Name of a Lowercase Enter policy name, replace policy name with the specific
particular italic type name of a policy
parameter / Or
field / command Click Name to select where Name denotes command button
button text text which is to be clicked
Cross Hyperlink in refer to Customizing User database Clicking on the link will
references different color open the particular topic

Notes & points Bold typeface Note


to remember between the
black borders
Prerequisites Bold typefaces Prerequisite
between the
• Prerequisite details
black borders

7
VPN Management Guide

Overview
Welcome to the Cyberoam’s – VPN Management Guide.

Cyberoam’s integrated Internet security solution is purpose-built to meet the unified threat
management needs of corporate, government organizations and educational institutions. It also
provides assistance in improving Bandwidth management, increasing Employee productivity and
reducing legal liability associated with undesirable Internet content access.

Guide provides a basic introduction to VPN and gives some fundamental information of those
technologies that are relevant to the way Cyberoam implements VPN. It outlines how VPNs are
actually created and gives a detailed picture of the different settings that can be used to adjust the
VPN policies using Cyberoam.

VPN management module is an add-on module which needs to be registered before use. Refer to
Cyberoam Installation and Registration guide for more details.

Introduction to VPN
A Virtual Private Network (VPN) is a tunnel that carries private network traffic from one endpoint
system to another over a public network such as the Internet without the traffic being aware that
there are intermediate hops between the endpoints or the intermediate hops being aware they are
carrying the network packets that are traversing the tunnel. The tunnel may optionally compress
and/or encrypt the data, providing enhanced performance and some measure of security.

VPN allows you to pretend you are using a leased line or a direct telephone call to communicate
between the endpoints.

VPNs allow users and telecommuters to connect to their corporate intranets or extranets. VPNs
are cost-effective because users can connect to the Internet locally and tunnel back to connect to
corporate resources. This not only reduces overhead costs associated with traditional remote
access methods, but also improves flexibility and scalability.

Cyberoam and VPN

For all business people traveling or working from home, connecting securely to the corporate
network is essential. With Cyberoam, setting up a VPN is almost effortless.

The two endpoints in Cyberoam VPN are referred to as:


Local - First endpoint is the local machine itself
Remote - Second endpoint is the remote peer - the machine you are trying to establish a VPN
connection to, or the machine which is trying to establish a VPN connection with you.

Cyberoam VPN automatically encrypts the data and sends it to the remote site over the Internet,
where it is automatically decrypted and forwarded to the intended destination. By encrypting, the
integrity and confidentiality of data is protected even when transmitted over the untrusted public
network. Cyberoam uses IPSec standard i.e. IPSec protocol to protect traffic. In IPSec, the identity
of communicating users is checked with the user authentication based on digital certificates, public
keys or preshared keys.

8
VPN Management Guide

Cyberoam can be used to establish VPN connection between sites, LAN-to-LAN and Client-to-LAN
connection. VPN is the bridge between Local & Remote networks/subnets.

Cyberoam supports following protocols to authenticate and encrypt traffic:


• Internet Protocol Security (IPSec)
• Layer Two Tunneling Protocol (L2TP)

Policy
Encryption and Authentication method
Authentication of communicating parties and integrity of exchanged data is crucial for the reliable
implementation of VPN.

Encryption is used to provide confidentiality of data during the negotiation. Cyberoam supports
3DES encryption algorithm which is extensively tested public algorithm and uses hash functions -
message digest MD5 algorithm for Data integrity.

3DES: Triple DES is a symmetric strong encryption algorithm that is compliant with the OpenPGP
standard. It is the Application of the DES standard where three keys are used in succession to
provide additional security.

AES: Advanced Encryption Standard AES offers the highest standard of security. The effective key
lengths that can be used with AES are 128, 192 and 256 Bits.
This security system supports a number of encryption algorithms.

Serpent: Serpent is a 128-bit block cipher i.e. data is encrypted and decrypted in 128-bit chunks
variable key length to be either 128, 192, or 256 bits. The Serpent algorithm uses 32 rounds, or
iterations of the main algorithm.
Serpent is faster than DES and more secure than Triple DES.

Blowfish: Blowfish is a symmetric encryption algorithm which uses the same secret key to both
encrypt and decrypt messages. Blowfish is also a block cipher which divides a message into fixed
length blocks during encryption and decryption. Blowfish has a 64-bit block size and a key length
of anywhere from 32 bits to 448 bits and uses 16 rounds of main algorithm

Twofish: Twofish is a symmetric key block cipher with a block size of 128 bits and key sizes up to
256 bits.

Preshared Key
An authentication mechanism whereby the key is used in encryption is exchanged before
hand/prior to negotiation with another system.

Preshared key authentication is the process by which two systems prove their identity to each
other where each system encrypts some unpredictable, arbitrary data with a key that has been
exchanged beforehand. If they can successfully decrypt the message, it is assumed that the
sender is valid.

A single shared key is used for encryption and decryption. The data is encrypted by a key and
send to the recipient over the Internet. At the receiving end, the data is decrypted with the exact
same key that was used for encryption.

9
VPN Management Guide

Digital Certificates
Digital Certificates are yet another authentication method employing digital signatures and public
key cryptography.

A digital certificate is a document that guarantees the identity of a person or entity and is issued by
the trusted third party Certificate Authority (CA). Digital certificate holders have a public or private
key pair which can be used to authenticate the sender and decrypt the incoming message
ensuring that only the certificate holder can decode the message.

A certificate is used to associate a public/private key pair with a given IP address or host name
and issued by CA for a specific period of time. A CA can be in-house CA, run by your own
organization, or a public CA. To use certificates for negotiation, both peers have to generate
public/private key pairs, request and receive public key certificates, and are configured to trust the
CA that issues the certificates.

Users can download and install certificate from Cyberoam.

Public Key
Public key authentication uses two keys – public key available to anyone and a private key held by
only one individual. The sender encrypts the data with the recipient’s public key. Only the recipient
can decrypt the data, being the only one who possesses the corresponding private key.

Policy Parameters
Policy describes the security parameters that are used for negotiations to establish and maintain a
secure tunnel between two peers.

Before you set up your secure tunnels, to make their configuration faster and easier, you can
create VPN policies that work on a global level. Rather than configuring the policy parameters for
every tunnel you create, you can configure general policies and then later apply them to your
secure tunnels.

Authentication mode
To ensure secure communication, there are two phases to every IKE (Internet Key Exchange)
negotiation - Phase 1 (Authentication) and Phase 2 (Key exchange).

The Phase 1 negotiation establishes a secure channel between peers and determines a specific
set of cryptographic protocols, exchanges shared secret keys and encryption and authentication
algorithm that will be used for generating keys.

The Phase 2 negotiation establishes a secure channel between peers to protect data. During
Phase 2 negotiation, the protocol security association for the tunnel is established. Either of the
peers can initiate Phase 1 or Phase 2 renegotiation at any time. Both can specify intervals after
which to negotiate.

Key life
Lifetime of key is specified as Key life.

Once the connection is established after exchanging authenticated and encrypted keys,
connection is not dropped till the key life. If the key life of both the peers is not same then
negotiation will take place whenever the key life of any one peer is over. This means intruder has
to decrypt only one key to break in your system.

Key generation and key rotation are important because the longer the life of the key, the larger the

10
VPN Management Guide

amount of data at risk, and the easier it becomes to intercept more ciphered text for analysis.

Perfect Forward Secrecy (PFS)


It becomes difficult for a network intruder to get the big picture if keys are changing and they have
to keep cracking keys for every negotiation. This is achieved by implementing PFS. By selecting
PFS, new key will be generated for every negotiation and a new DH key exchange is included. So
every time intruder will have to break yet another key even though he already knows the key. This
enhances security.

Diffie-Hellman (DH) Group (IKE group)


Diffie-Hellman is a public-key cryptography scheme that allows peers to establish a shared secret
over an insecure communications channel. Diffie-Hellman Key Exchange uses a complex
algorithm and public and private keys to encrypt and then decrypt the data.

The Diffie-Hellmann group describes the key length used in encryption. Group number also termed
as Identifiers.

DH Group Key length (bits)


1 768
2 1024
5 1536
14 2048
15 3072
16 4096

If mismatched groups are specified on each peer, negotiation fails. The group cannot be switched
during the negotiation.

Re-key Margin
Time before the next key exchange. Time is calculated by subtracting the time elapsed since the
last key exchange from the key life. By turning Re-keying ‘Yes’, negotiation process starts
automatically without interrupting service before key expiry.

Dead Peer detection settings


Use to check whether Cyberoam is able to connect the IP address or not. Set time interval after
which the status of peer is to be checked and what action to take, if peer is not alive.

Tunnel Negotiation
Negotiation process starts to establish the connection when local or remote peer wants to
communicate with each other. Depending on the connection parameters defined, the key is
generated which is used for negotiations. Lifetime of key is specified as Key life. Once the
connection is established, connection is alive/active and data can be transferred up to the
specified key life. Connection will be closed/deactivated once the key expires.

If the connection is to be activated again then the entire negotiation process is to be started all
over again. Negotiation process can be started again automatically by either local or remote peer
only if Allow Re-keying is set to ‘Yes’. Set the re-keying time in terms of the remaining key life
when negotiation is to be started automatically without interrupting the communication before key
expiry. For example, if key life is 8 hours and Re-key margin time is 10 minutes then negotiation
process will automatically start after 7 hours 50 minutes of key usage.

Negotiation process will generate new key only if Perfect Forward Secrecy (PFS) is set to ‘Yes’.

11
VPN Management Guide

PFS will generate a new key from scratch and there will be no dependency between old and new
key.

Re-keying Result
Yes Local and remote peer both will be able to initiate request for
connection.

Depending on PFS, negotiation process will use same key or


generate a new key.
No Only remote peer will be able to initiate request for connection.

Depending on PFS, negotiation process will use same key or


generate a new key.

12
VPN Management Guide

Create VPN Policy


Cyberoam provides the default policy and you can also create a customized policy to meet your
organization’s requirement.

Select VPN Æ Policy Æ Create Policy to open the create policy page

Screen – Create VPN policy

Screen Elements Description


VPN policy details
Name Assign name to policy. Choose a name that best describes the policy to
be created
Description Click to enter the full description of policy
Using Template Select a template if you want to create a new policy based on an

13
VPN Management Guide

Screen Elements Description


existing policy and want to inherit all the parameters from the existing
policy

Select ‘None’ template, if you want to create a fresh policy. After


creation you can always customize according to the requirement.
Following options are available only if policy is created based on ‘None’ template
Keying Method Keying method defines how the keys for the connection are to be
managed.

Select keying method: Automatic or Manual

Manual key exchange is not supported for L2TP connection


Allow Re-keying Specify whether the negotiation process is to be started automatically
before key expiry or not. Process will start automatically at the specified
time in re-key margin.

If it is set to ‘Yes’, negotiation process can be initiated by both the local


or remote peer.

Depending on PFS, negotiation process will use same key or generate a


new key.
Key Negotiations tries Specify maximum negotiation trials allowed and must be greater than 0
Authentication mode Authentication mode is used to support key exchange. Currently only
Main mode is supported.

Depending on Authentication mode, the phase 1 parameters are


exchanged for authentication purpose.

In Main mode, the phase 1 parameters are exchanged in multiple


rounds with encrypted authentication information.
Pass Data In Enable to pass data in compressed format to increase throughput
Compress Format
Perfect Forward Specify whether new key should be generated for every negotiation on
Secrecy key expiry.

Set ‘Yes’ to generate new key for every negotiation on key expiry

Set ‘No’ to use same key for every negotiation


Phase 1
Encryption and Select the encryption and authentication algorithm that would be used
Authentication by communicating parties for integrity of exchanged data fpr phase 1.
algorithm
Supported Encryption algorithms: 3DES, AES, TwoFish, BlowFish,
Serpent
3DES: Triple DES is a symmetric strong encryption algorithm that is
compliant with the OpenPGP standard. It is the application of DES
standard where three keys are used in succession to provide additional
security.

AES: Advanced Encryption Standard offers the highest standard of


security. The effective key lengths that can be used with AES are 128,
192 and 256 Bits. This security system supports a number of encryption
algorithms.

Supported Authentication algorithms: MD5, SHA1

Maximum three combination of encryption and authentication algorithm

14
VPN Management Guide

Screen Elements Description


can be selected. The remote peer must be configured to use at least
one of the defined combinations.

Click to add more than one combination of encryption and


authentication algorithm.
DH Group DH group specifies the key length used for encryption.
• DH Group 1 uses 768-bit encryption
• DH Group 2 uses 1024-bit encryption
• DH Group 5 uses 1536-bit encryption
• DH Group 14 uses 2048-bit encryption
• DH Group 15 uses 3072-bit encryption
• DH Group 16 uses 4096-bit encryption

Select one Diffie-Hellman group from 1, 2, 5, 14, 15 or 16

The remote peer must be configured to use the same group. If


mismatched groups are specified on each peer, negotiation fails.
Key Life Key life is the amount of time that will be allowed to pass before the key
expires.

Specify keylife in terms of seconds


Re-Key Margin Re-key margin is the time when the negotiation process should be
started automatically without interrupting the communication before the
key expiry.

Set time in terms of the remaining key life.

For example, if key life is 8 hours and re-key margin is 10 minutes then
negotiation process will automatically start after 7 hours 50 minutes
usage of key life.

Specify in terms of minutes


Randomize Re- Randomizes re-key time.
Keying Time by
For example, if key life is 8 hours, re-key margin is 10 minutes and
randomize re-keying time is 20% then the re-key margin will be 8 to 12
minutes and negotiation process will start automatically 8 minutes before
the key expiry and will try up to 2 minutes after key expiry.
Enable Dead Peer Enable to check whether peer is live or not.
Detection
Check Peer After Once the connection is established, peer which initiated the connection
Every (Only if Dead checks whether another peer is live or not.
Peer Detection
option is ‘Enabled’ ) Specify time when the peer should be checked for its status.
Wait for Response Specify till what time initiated peer should wait for the status response. If
unto (Only if Dead the response is not received within the specified time, the peer is
Peer Detection considered to be inactive.
option is ‘Enabled’ )
Specify in terms of seconds
Action when Peer is Specify what action should be taken if peer is not active.
not active (Only if
Dead Peer Detection Hold – hold the connection
option is ‘Enabled’ ) Clear – close the connection
Restart – reestablish the connection

Phase 2

15
VPN Management Guide

Screen Elements Description


Encryption and Select the encryption and authentication algorithm that would be used
Authentication by communicating parties for integrity of exchanged data fpr phase 2.
algorithm
Supported Encryption algorithms: DES, 3DES, AES, TwoFish,
BlowFish, Serpent

DES, 3DES: Triple DES is a symmetric strong encryption algorithm that


is compliant with the OpenPGP standard. It is the application of DES
standard where three keys are used in succession to provide additional
security.

AES: Advanced Encryption Standard offers the highest standard of


security. The effective key lengths that can be used with AES are 128,
192 and 256 Bits. This security system supports a number of encryption
algorithms.

Supported Authentication algorithms: MD5, SHA1

Maximum three combination of encryption and authentication algorithm


can be selected. The remote peer must be configured to use at least
one of the defined combinations.

Click to add more than one combination of encryption and


authentication algorithm.
PFS Group PFS group specifies the key length used for encryption.
• Group 1 uses 768-bit encryption
• Group 2 uses 1024-bit encryption
• Group 5 uses 1536-bit encryption
• Group 14 uses 2048-bit encryption
• Group 15 uses 3072-bit encryption
• Group 16 uses 4096-bit encryption

Select one of group from 1, 2, 5, 14, 15 or 16

If ‘Same as Phase 1’ is selected PFS group specified at connection


initiator’s end will be used

If No PFS is selected, this security parameter can not be added for


Phase 2

The remote peer must be configured to use the same group. If


mismatched groups are specified on each peer, negotiation fails.
Key Life Key life is the amount of time that will be allowed to pass before the key
expires.

Specify keylife in terms of seconds


Create button Creates the policy

Click to create
Cancel button Cancels the current operation and return to Manage VPN policy page
Table – Create VPN policy screen elements

Note
Policies with the same name cannot be created

16
VPN Management Guide

Update VPN Policy


Select VPN → Policy → Manage policy and Click Policy name to be modified

Screen – Manage VPN Policy

Screen Elements Description


VPN policy details
Name Displays policy name

Cannot be modified
Description Displays policy description, modify if required
Keying Method Select keying method: Automatic or Manual
Allow Re-keying Displays whether re-keying is allowed or not. Modify if required.

Set ‘Yes’, if negotiation process can be initiated by both the local and
remote peer automatically before key expires

17
VPN Management Guide

Screen Elements Description

Depending on PFS, negotiation process will use same key or a new


key will be generated.
Key Negotiations Displays maximum negotiation trials allowed, modify if required
tries
Pass Data In Enable to pass data in compressed format to increase throughput
Compress Format
Perfect Forward Displays whether new key will be generated or not for every
Secrecy negotiation on key expiry, modify if required.

Set ‘Yes’ to generate new key for every negotiation on key expiry

Set ‘No’ to use same key for every negotiation


Phase 1
Encryption and Select the encryption and authentication algorithm that would be
Authentication used by communicating parties for integrity of exchanged data fpr
algorithm phase 1.

Supported Encryption algorithms: 3DES, AES, TwoFish,


BlowFish, Serpent

3DES: Triple DES is a symmetric strong encryption algorithm that is


compliant with the OpenPGP standard. It is the application of DES
standard where three keys are used in succession to provide
additional security.

AES: Advanced Encryption Standard offers the highest standard of


security. The effective key lengths that can be used with AES are
128, 192 and 256 Bits. This security system supports a number of
encryption algorithms.

Supported Authentication algorithms: MD5, SHA1

Maximum three combination of encryption and authentication


algorithm can be selected. The remote peer must be configured to
use at least one of the defined combinations.

Click to add more than one combination of encryption and


authentication algorithm.
DH Group DH group specifies the key length used for encryption.
• DH Group 1 uses 768-bit encryption
• DH Group 2 uses 1024-bit encryption
• DH Group 5 uses 1536-bit encryption
• DH Group 14 uses 2048-bit encryption
• DH Group 15 uses 3072-bit encryption
• DH Group 16 uses 4096-bit encryption

Select one Diffie-Hellman group from 1, 2, 5, 14, 15 or 16

The remote peer must be configured to use the same group. If


mismatched groups are specified on each peer, negotiation fails.
Key Life Displays key life, modify if required

Key life is the amount of time that will be allowed to pass before the
key expires and can be specified in terms of hours or minutes

Keylife cannot be less than 2 minutes and at least 1 minute greater

18
VPN Management Guide

Screen Elements Description


than Re-Key margin
Re-Key Margin Displays re-key margin, modify if required

Re-key margin time is the time when the negotiation process should
be started automatically without interrupting the communication
before the key expiry.

Set time in terms of the remaining key life.

For example, if key life is 8 hours and Re-key margin is 10 minutes


then negotiation process will automatically start after 7 hours 50
minutes usage of key life.

Specify in terms of minutes


Randomize Re- Randomizes re-key margin
Keying Time by
For example, if key life is 8 hours, re-key margin is 10 minutes and
randomize re-keying time is 20% then the re-key margin will be 8 to
12 minutes and negotiation process will start automatically 8 minutes
before the key expiry and will try up to 2 minutes after key expiry.
Pass Data In Displays whether data is passed in the compressed format or not,
Compress Format modify if required.
Enable Dead Peer Enable to check whether peer is live or not.
Detection
Check Peer After Displays time when the peer that initiated the connection checks for
Every(Only if Dead whether another peer is live or not. Modify if required.
Peer Detection
option is ‘Enabled’)
Wait for Response Displays response wait time, modify if required
unto(Only if Dead
Peer Detection It specifies till what time initiated peer should wait for the status
option is ‘Enabled’) response. If the response is not received within the specified time,
the peer is considered to be inactive.

Specify in terms of seconds


Action when Peer is Displays what action will be taken if peer is not active, modify if
not active(Only if required
Dead Peer
Detection option is Hold – hold the connection
‘Enabled’) Clear – close the connection
Restart – restart the connection

Phase 2
Encryption and Select the encryption and authentication algorithm that would be
Authentication used by communicating parties for integrity of exchanged data fpr
algorithm phase 2.

Supported Encryption algorithms: DES, 3DES, TwoFish,


BlowFish, Serpent

DES, 3DES: Triple DES is a symmetric strong encryption algorithm


that is compliant with the OpenPGP standard. It is the application of
DES standard where three keys are used in succession to provide
additional security.

AES: Advanced Encryption Standard offers the highest standard of


security. The effective key lengths that can be used with AES are

19
VPN Management Guide

Screen Elements Description


128, 192 and 256 Bits. This security system supports a number of
encryption algorithms.

Supported Authentication algorithms: MD5, SHA1

Maximum three combination of encryption and authentication


algorithm can be selected. The remote peer must be configured to
use at least one of the defined combinations.

Click to add more than one combination of encryption and


authentication algorithm.
PFS Group PFS group specifies the key length used for encryption.
• Group 1 uses 768-bit encryption
• Group 2 uses 1024-bit encryption
• Group 5 uses 1536-bit encryption
• Group 14 uses 2048-bit encryption
• Group 15 uses 3072-bit encryption
• Group 16 uses 4096-bit encryption

Select one of group from 1, 2, 5, 14, 15 or 16

If ‘Same as Phase 1’ is selected PFS group specified at connection


initiator’s end will be used

If No PFS is selected, this security parameter can not be added for


Phase 2

The remote peer must be configured to use the same group. If


mismatched groups are specified on each peer, negotiation fails.
Key Life Key life is the amount of time that will be allowed to pass before the
key expires.

Specify keylife in terms of seconds


Update button Updates the policy

Click to update and save


Cancel button Cancels the current operation and return to Manage VPN policy page
Table – Manage VPN policy screen elements

Note
Default policy cannot be updated

20
VPN Management Guide

Delete VPN policy

Prerequisite
• Not assigned for any connection

Select VPN → Policy → Manage policy to view the list of policies

Screen – Delete VPN policy

Screen Elements Description


Del Select policy for deletion

Click Del to select

More than one policy can also be selected


Select All Select all the policies for deletion

Click Select All to select all the policies


Delete button Deletes all the selected policy/policies
Table – Delete VPN policy screen elements

Note
Default policy cannot be deleted

21
VPN Management Guide

Certificate Authority
Digital Certificates are used for authentication purpose. Certificates are generated by the third
party trusted Certificate Authorities. They create certificates by signing public keys and identify the
information of the communicating parties with their own private keys. This way it is possible to
verify that a public key really belongs to the communicating party only and not been forged by
someone with malicious intentions.

A certificate signed by a CA identifies the owner of a public key. Each communicating party may
be required to present its own certificate signed by a CA verifying the ownership of the
corresponding private key. Additionally, the communicating parties need to have a copy of the
CA’s public key. In case private key is lost or stolen or the information is changed CA is
responsible for revoking the certificate.

Cyberoam provides a facility to generate a local certificate authority as well as import certificates,
signed by commercial providers, such as VeriSign.

Generate Certificate Authority

Select VPN → Certificate Authority → Manage Certificate Authority and click


Default

22
VPN Management Guide

Screen – Generate Certificate Authority

Screen Elements Description


Certificate Authority Details
Certificate Authority Displays certificate authority name
Name
Country Name Select the Country for which the Certificate will be used.

Generally this would be the name of the country where Cyberoam is


installed.
State/Province Select the State/Province for which the Certificate will be used.
Name
Generally this would be the name of the state where Cyberoam is
installed.
Locality Name Specify the locality/City.

Generally this would be the name of the city where Cyberoam is


installed.
Organization Name Specify your organization name
Organizational Unit Specify department/section name which will use this certificate
Name
Common Name Specify domain name. This domain will be certified to use the
Certificate.
Email Address Specify Email address
CA Password Specify password and confirm by re-typing the password
Generate button Generates the certificate with the above specified details

Click to generate

If the certificate is already generated, it will re-generate the certificate


with the above specified details
Cancel button Cancels the current operation
Table – Generate Certificate Authority screen elements

23
VPN Management Guide

Import external Certificate Authority

Select VPN → Certificate Authority → Upload Certificate Authority

Screen – Define external Certificate Authority

Screen Elements Description


Certificate
Certificate Authority Specify Certificate authority name
Name
Certificate Format Cyberoam supports certificates in two formats: PEM and DER

PEM (Privacy Enhanced Mail): A format encoding the certificate in


ASCII code. The certificate, request, and private key are stored in
separate files.

DER: A binary format for encoding certificates. The certificate,


request, and private key are stored in separate files.
Certificate Specify certificate to be uploaded

Use Browse to select the complete path


Upload button Uploads the specified certificate
Cancel button Cancels the current operation
Table – Define external Certificate Authority screen elements

24
VPN Management Guide

Upload Certificate

Select VPN → Certificate → New Certificate

Screen – Upload Certificate

Screen Elements Description


Certificate
Action Select Upload Certificate
Certificate Name Specify certificate name
Password Specify password and confirm by re-typing the password
Certificate Specify certificate to be uploaded

Use Browse to select the complete path


Private key Specify private key for the certificate

Use Browse to select the complete path


Upload button Uploads the specified certificate
Cancel button Cancels the current operation
Table – Upload Certificate screen elements

25
VPN Management Guide

Generate Self signed certificate

You can use Cyberoam to act as a certificate authority and sign its own certificates. This
eliminates the need of having your own certificate authority.

Prerequisite
• Certificate Authority generated

Select VPN → Certificate → New Certificate

Screen – Generate Self Signed Certificate

Screen Elements Description


Certificate
Action Select Generate Self Signed Certificate
Certificate Name Specify Certificate name
Valid upto Specify certificate validity period using Calendar

Validity period is the certificate life i.e. period up to which the


certificate will be considered as valid

Minimum validity period is one day


Key Length Select key length

Displays the number of bits used to construct the key. Generally the
larger the key, the less chance that it will be compromised but
requires more time to encrypt and decrypt data than smaller keys.
Password Specify password and confirm by re-typing

Password must be at least 10 character long


Certificate ID Specify certificate ID. You can specify any one of the following:
• DNS
• IP address
• Email address
• DER ASN1 DN/X.509 (applicable when Authentication Type is
Digital Certificate)
Generate button Generates certificate with the specified details

26
VPN Management Guide

Screen Elements Description

Click to generate
Cancel button Cancels the current operation

27
VPN Management Guide

Generate Certificate Signing Request


If you are using third party CA, you have to submit the request to CA, CA will verify the details then
sign and send the signed certificate.

Cyberoam provides a way for you to generate the request.

Select VPN → Certificate → New Certificate

Screen – Generate CSR

Screen Elements Description


Certificate
Action Select Generate Certificate Signing Request (CSR)
Certificate Name Specify Certificate name
Valid upto Specify certificate validity period using Calendar

Validity period is the certificate life i.e. period up to which the


certificate will be considered as valid

Minimum validity period is one day


Key Length Select key length

Displays the number of bits used to construct the key. Generally the
larger the key, the less chance that it will be compromised but
requires more time to encrypt and decrypt data than smaller keys.
Password specify password and confirm by re-typing

28
VPN Management Guide

Screen Elements Description


Password must be at least 10 character long
Certificate ID Specify certificate ID. You can specify any one of the following:
• DNS
• IP address
• Email address
• DER ASN1 DN/X.509 (applicable when Authentication Type is
Digital Certificate)
Country Name Select the Country for which the Certificate will be used.

Generally this would be the name of the country where Cyberoam is


installed.
State/Province Select the State/Province for which the Certificate will be used.
Name
Generally this would be the name of the state where Cyberoam is
installed.
Locality Name Specify the locality/City.

Generally this would be the name of the city where Cyberoam is


installed.
Organization Name Specify your organization name
Organizational Unit Specify department/section name which will use this certificate
Name
Common Name Specify domain name. This domain will be certified to use the
Certificate.

Domain name has to be unique


Email Address Specify Email address
Generate button Generates certificate request with the details specified which you can
send to your CA for Certificate

Click to generate
Cancel button Cancels the current operation
Screen – Generate CSR

29
VPN Management Guide

Download Certificate

Select VPN → Certificate → Manage Certificate, click the certificate to be downloaded


and follow the screen steps.

Certificate Signing Request is downloaded in zip format, unzip the file. It contains three file:
certificatename.csr, certificatename.key, password.txt

Cyberoam supports certificate in two formats: p12 and pem format. Certificate is downloaded in
tar.gz format, unzip the file winzip or winrar. It contains:
Certificatename.p12 (certificate in p12 format)
Password.txt
PEM folder which contains certificate in pem format as: certificatename.pem, certificatename.key

Screen – Download Certificate

30
VPN Management Guide

Delete Certificate

Prerequisite
• Not used by any Connection

Select VPN → Certificate → Manage Certificate

Screen – Delete Certificate

Screen Elements Description


Del Select certificate for deletion

Click Del to select

More than one certificate can also be selected


Select All Select all the certificates for deletion

Click Select All to select all the certificate(s)


Delete button Deletes all the selected certificate(s)
Table – Delete Certificate screen elements

Note
The deleted certificate will be revoked

31
VPN Management Guide

Certificate Revocation List


CA maintains the list of valid and revoked certificates. Certificates which are stolen, lost or updated
are revoked by CA. Revocation list is the list of certificates which are revoked by CA.

Revoke certificate

Select VPN → Certificate → Manage Certificate and click the certificate to be revoked

Screen – Revoke Certificate

Screen Elements Description


Certificate
Certificate Name Displays Certificate name
Valid upto Displays certificate validity period, modify if required.

Validity period is the certificate life i.e. period up to which the certificate
will be considered as valid
Key Length Displays key length, modify if required.

Displays the number of bits used to construct the key. Generally the
larger the key, the less chance that it will be compromised but requires

32
VPN Management Guide

Screen Elements Description


more time to encrypt and decrypt data than smaller keys.
Password Displays password

Click Change Password to modify the password

Password must be at least 10 character long


Regenerate button Regenerates the certificate
Revoke button Revoke certificate if lost, stolen or updated

Click to revoke

If the certificate is revoked it is automatically added to the Certificate


Revocation List (CRL). You can download and circulate if required.
Cancel button Cancels the current operation
Table – Revoke Certificate screen elements

33
VPN Management Guide

Download CRL
Cyberoam creates the Default CRL the name Default.crl. Once you revoke the certificate, the
details of the revoked certificate are added to the default file and regenerated. You can download
and distribute if required.

Select VPN → Certificate Authority → Manage CRL and to view the list of CRLs.
Click Download against the CRL name to be downloaded. It downloads the zip file, unzip the file to
check the details.

Upload CRL
If you are using External Certificate Authority, you need to upload the CRL obtained from External
Certificate Authority.

Select VPN → Certificate Authority → Upload CRL


Enter CRL name and specify the full path of the file to be uploaded
Click Upload

34
VPN Management Guide

35
VPN Management Guide

Delete CRL

Select VPN → Certificate Authority → Manage CRL and to view the list of CRLs.

Screen – Delete CRL

Screen Elements Description


Del Select CRL for deletion

Click Del to select

More than one CRLs can also be selected


Select All Select all the CRLs for deletion

Click Select All to select all the CRLs


Delete button Deletes all the selected CRLs
Table – Delete CRL screen elements

Note
The default CRL cannot be deleted

36
VPN Management Guide

IPSec Connection
IP Security (IPSec) is a suite of protocols designed for cryptographically secure communication at
the IP layer (layer 3).

IPSec protocols:
• Authentication Header (AH) - Used for the authentication of packet senders and for ensuring
the integrity of packet data. The Authentication Header protocol (AH) checks the authenticity
and integrity of packet data. In addition, it checks that the sender and receiver IP addresses
have not been changed in transmission. Packets are authenticated using a checksum created
using a Hash-based Message Authentication Code (HMAC) in connection with a key.

• Encapsulating Security Payload (ESP) - Used for encrypting the entire packet and for the
authenticating its contents. In addition to encryption, the ESP offers the ability to authenticate
senders and verify packet contents.

IPSec modes:
• Transport Mode - the original IP packet is not encapsulated in another packet. The original IP
header is retained, and the rest of the packet is sent either in clear text (AH) or encrypted
(ESP). Either the complete packet can be authenticated with AH, or the payload can be
encrypted and authenticated using ESP. In both cases, the original header is sent over the
WAN in clear text.

Use Transport mode where both endpoints understand IPSEC directly. Transport mode is
used between peers supporting IPSec, or between a host and a gateway, if the gateway is
being treated as a host.

• Tunnel Mode - the complete packet – header and payload – is encapsulated in a new IP
packet. An IP header is added to the IP packet, with the destination address set to the
receiving tunnel endpoint. The IP addresses of the encapsulated packets remain unchanged.
The original packet is then authenticated with AH or encrypted and authenticated using ESP.

Tunnel mode is primarily used for interoperability with gateways or end systems that do not
support L2TP/IPSec or PPTP VPN site-to-site connections.

IPSec connections types (for Tunnel mode only):


• Road Warrior - This type of VPN is a user-to-internal network connection via a public or
shared network. Many large companies have employees that need to connect to the Internal
network from the field. These field agents access the Internal network by using remote
computers and laptops without static IP address.
• Net to Net - A Net-to-Net VPN connects an entire network (such as a LAN or WAN) to a
remote network by way of a network-to-network connection. A network-to-network connection
requires routers on each side of the connecting networks to transparently process and route
information from one node on a LAN to a node on a remote LAN.
• Host to Host - Host-to-Host VPN connects one desktop or workstation to another by way of a
host-to-host connection. This type of connection uses the network to which each host is
connected to create the secure tunnel to each other.

Note
Alias IP address cannot be used for establishing Connection

37
VPN Management Guide

Create Transport mode IPSec Connection


In transport mode only host-to-host connection is supported.

Select VPN → IPSec Connection → Create Connection

Screen - Create Transport mode IPSec Connection

Screen Elements Description


Connection details
Name Assign name to connection. Choose a name that best describes the
connection to be created
Description Specify full description of connection

38
VPN Management Guide

Screen Elements Description


Policy Name Select policy to be used for connection
Action on Restart Select the action for the connection

Deactive – Keep connection deactive mode till the user activates.


Active – Activate connection on system/service start so that the
connection can be established whenever required
Connect – Connect as soon as the system/service starts
Mode Select Transport mode

Refer to IPSec modes for details


Authentication details
Authentication Type Specify Authentication type. Authentication of user depends on the
connection type.

Select Preshared key


An authentication mechanism whereby a single key is used for
encryption and decryption. Both the peers should possess the
preshared key. Remote peer uses the preshared key for decryption.

Select Digital Certificate


An authentication mechanism whereby sender and receiver both
uses the digital certificate issued by the Certificate Authority. Both
sender and receiver must have each other’s Certificate Authority.

Select RSA key


An Authentication mechanism whereby two keys - Public and Private
- are used for encryption and decryption. Private key is known only to
the owner and never transmitted over network.
Preshared key Specify the preshared key to be used. This preshared key will have
Only if to be shared or communicated to the peer at the remote end. At the
Authentication remote end, client will have to specify this key for authentication.
Type is ‘Preshared Refer to VPN Client guide, Phase 1 Configuration.
key’
If there is mismatch in the key, user will not be able to establish the
connection.
Local Certificate Select the local certificate that should be used for authentication by
Only if Cyberoam
Authentication
Type is ‘Digital
Certificate’
Remote Certificate Select the remote certificate that should be used for authentication by
Only if remote peer
Authentication
Type is ‘Digital
Certificate’
Local RSA Key Displays automatically generated key which cannot be modified.
Only if
Authentication Local Public key can be regenerated from Text based Administration
Type is ‘RSA Key’ (Telnet) Console. Refer to Console guide for more details.
Remote RSA Key Specify the public key which is to be used by the remote peer.
Only if
Authentication
Type is ‘RSA Key’
Local Network Details
Local server Specify public IP address of local server

39
VPN Management Guide

Screen Elements Description


Click to select
Local ID Displays ID and its value specified in the Local certificate

For preshared key, select local id and specify it’s value

For preshared key, DER ASN1 DN is not applicable


Remote Network
Remote Host Specify IP address of remote peer
Allow NAT Enable if a NAT device is located between your VPN endpoints i.e.
Traversal remote peer has an private IP address
Remote Internal Specify IP addresses and netmask of remote network which is
Network allowed to connect to the Cyberoam server through VPN tunnel
Only if NAT
Traversal is At a time only one connection can be established behind one NAT-
enabled box

Click Add to add network


Remote ID Displays ID if remote certificate is selected else specify ID specified
in the certificate used by peer

For preshared key, select any type of id and specify it’s value

For preshared key, DER ASN1 DN is not applicable


User Authentication
User Authentication Specify whether user authentication is required at the time of
connection or not

Click Disable if user authentication is not required


If enabled as client, specify username and password
If enabled as server, Click Add to select and add all the users which
are to be allowed to connect
Quick Mode Selectors
Allow Protocols Select the protocol for negotiations.

Tunnel will pass only that data which uses the above specified
protocol
Local port Specify local port
Only for TCP
protocol
Remote port Specify remote port
Only for TCP
protocol
Create button Creates the connection

Click to create
Cancel button Cancels the current operation
Table - Create Transport mode IPSec Connection screen elements

40
VPN Management Guide

Create Road Warrior IPSec connection

Select VPN → IPSec Connection → Create Connection

Screen – Create Road Warrior IPSec Connection

Screen Elements Description


Connection details
Name Assign name to connection. Choose a name that best describes the
connection to be created

41
VPN Management Guide

Screen Elements Description


Description Specify full description of connection
Policy Name Select policy to be used for connection
Action on Restart Select the action for the connection

Deactive – Keep connection deactive mode till the user activates.


Active – Activate connection on system/service start so that the
connection can be established whenever required
Connect – Connect as soon as the system/service starts
Mode Select Tunnel mode

Refer to IPSec modes for details


Connection Type Specify connection type. Authentication of user depends on the
connection type.

Select ‘Road warrior’

Refer to Connection types for details


Authentication details
Authentication Type Specify Authentication type. Authentication of user depends on the
connection type.

Preshared key
An authentication mechanism whereby a single key is used for
encryption and decryption. Both the peers should possess the
preshared key. Remote peer uses the preshared key for decryption.

Digital Certificate
An authentication mechanism whereby sender and receiver both
uses the digital certificate issued by the Certificate Authority. Both
sender and receiver must have each other’s Certificate Authority.
Preshared key Specify the preshared key to be used. This preshared key will have
Only if to be shared or communicated to the peer at the remote end. At the
Authentication remote end, client will have to specify this key for authentication.
Type is ‘Preshared Refer to VPN Client guide, Phase 1 Configuration.
key’
If there is mismatch in the key, user will not be able to establish the
connection.
Local Certificate Select the local certificate that should be used for authentication by
Only if Cyberoam
Authentication
Type is ‘Digital
Certificate’
Remote Certificate Select the remote certificate that should be used for authentication by
Only if remote peer
Authentication
Type is ‘Digital
Certificate’
Local Network Details
Local Server Specify IP address of local server

Click to select
Local Internal Specify IP address and netmask of the local network which is allowed
Network to access remote peer through VPN connection
Local ID Displays ID and its value specified in the Local certificate

For preshared key, select local id and specify it’s value

42
VPN Management Guide

Screen Elements Description

For preshared key, DER ASN1 DN is not applicable


Remote Network
Remote Host Specify IP address of remote peer
Allow NAT Enable if a NAT device is located between your VPN endpoints i.e.
Traversal remote peer has an private IP address
Remote Internal Specify IP addresses and netmask of remote network which is
Network allowed to connect to the Cyberoam server through VPN tunnel
Only if NAT
Traversal is At a time only one connection can be established behind one NAT-
enabled box

Click Add to add network


Specify 0.0.0.0/0 to allow all the networks
Remote ID Specify ID specified in the Remote certificate

For preshared key, select any type of id and specify it’s value

For preshared key, DER ASN1 DN is not applicable


User Authentication
User Authentication Specify whether user authentication is required at the time of
connection or not

Click Disable if user authentication is not required


If enabled as server, Click Add to select and add all the users which
are to be allowed to connect
Quick Mode Selectors
Allow Protocols Select the protocol for negotiations

Tunnel will pass only that data which uses the above specified
protocol
Local port Specify local port
Only for TCP
protocol
Remote port Specify remote port
Only for TCP
protocol
Create button Creates the connection

Click to create
Cancel button Cancels the current operation
Table – Create Road Warrior IPSec Connection screen elements

43
VPN Management Guide

Create Net to Net IPSec connection

Select VPN → IPSec Connection → Create Connection

Screen - Create Net to Net IPSec connection

Screen Elements Description


Connection details
Name Assign name to connection. Choose a name that best describes the

44
VPN Management Guide

Screen Elements Description


connection to be created
Description Specify full description of connection
Policy Name Select policy to be used for connection
Action on Restart Select the action for the connection

Deactive – Keep connection deactive mode till the user activates.


Active – Activate connection on system/service start so that the
connection can be established whenever required
Connect – Connect as soon as the system/service starts
Mode Select Tunnel mode

Refer to IPSec modes for details


Connection Type Specify connection type. Authentication of user depends on the
connection type.

Select ‘Net to Net’

Refer to Connection types for details


Authentication details
Authentication Type Specify Authentication type. Authentication of user depends on the
connection type.

Select Preshared key


An authentication mechanism whereby a single key is used for
encryption and decryption. Both the peers should possess the
preshared key. Remote peer uses the preshared key for decryption.

Select Digital Certificate


An authentication mechanism whereby sender and receiver both
uses the digital certificate issued by the Certificate Authority. Both
sender and receiver must have each other’s Certificate Authority.

Select RSA key


An Authentication mechanism whereby two keys - Public and Private
- are used for encryption and decryption. Private key is known only to
the owner and never transmitted over network.
Preshared key Specify the preshared key to be used. This preshared key will have
Only if to be shared or communicated to the peer at the remote end. At the
Authentication remote end, client will have to specify this key for authentication.
Type is ‘Preshared Refer to VPN Client guide, Phase 1 Configuration.
key’
If there is mismatch in the key, user will not be able to establish the
connection.
Local Certificate Select the local certificate that should be used for authentication by
Only if Cyberoam
Authentication
Type is ‘Digital
Certificate’
Remote Certificate Select the remote certificate that should be used for authentication by
Only if remote peer.
Authentication
Type is ‘Digital Select ‘External Certificate’, if the remote certificate is not available
Certificate’
Local RSA Key Displays automatically generated key which cannot be modified.
Only if
Authentication Local Public key can be regenerated from Text based Administration

45
VPN Management Guide

Screen Elements Description


Type is ‘RSA Key’ (Telnet) Console. Refer to Console guide for more details.
Remote RSA Key Specify the public key which is to be used by the remote peer.
Only if
Authentication
Type is ‘RSA Key’
Local Network Details
Local Server Specify IP address of local server

Click to select
Local Internal Specify IP address and netmask of the local network which is allowed
Network to access to remote network through VPN connection
Local ID Displays ID and its value specified in the Local certificate

For preshared key, select local id and specify it’s value

For preshared key, DER ASN1 DN is not applicable


Remote Network
Remote Host Specify IP address of remote peer
Remote Internal Specify IP addresses and netmask of remote network which is
Network allowed to connect to the Cyberoam server through VPN tunnel

At a time only one connection can be established behind one NAT-


box

Click Add to add network


Remote ID Displays ID if remote certificate is selected else specify ID specified
in the certificate used by peer

For preshared key, select any type of id and specify it’s value

For preshared key, DER ASN1 DN is not applicable


User Authentication
User Authentication Specify whether user authentication is required at the time of
connection or not

Click Disable if user authentication is not required


If enabled as client, specify username and password
If enabled as server, Click Add to select and add all the users which
are to be allowed to connect
Quick Mode Selectors
Allow Protocols Select the protocol for negotiations

Tunnel will pass only that data which uses the above specified
protocol.
Local port Specify local port
Only for TCP
protocol
Remote port Specify remote port
Only for TCP
protocol
Create button Creates the connection

Click to create
Cancel button Cancels the current operation

46
VPN Management Guide

Table - Create Net to Net IPSec connection screen elements

Create Host to Host IPSec connection

Select VPN → IPSec Connection → Create Connection

Screen - Create Host to Host IPSec connection

Screen Elements Description


Connection details

47
VPN Management Guide

Screen Elements Description


Name Assign name to connection. Choose a name that best describes the
connection to be created
Description Specify full description of connection
Policy Name Select policy to be used for connection
Action on Restart Select the action for the connection

Deactive – Keep connection deactive mode till the user activates.


Active – Activate connection on system/service start so that the
connection can be established whenever required
Connect – Connect as soon as the system/service starts
Mode Select Tunnel mode

Refer to IPSec modes for details


Connection Type Specify connection type. Authentication of user depends on the
connection type.

Select ‘Host to Host’

Refer to Connection types for details


Authentication details
Authentication Type Specify Authentication type. Authentication of user depends on the
connection type.

Select Preshared key


An authentication mechanism whereby a single key is used for
encryption and decryption. Both the peers should possess the
preshared key. Remote peer uses the preshared key for decryption.

Select Digital Certificate


An authentication mechanism whereby sender and receiver both uses
the digital certificate issued by the Certificate Authority. Both sender
and receiver must have each other’s Certificate Authority.

Select RSA key


An Authentication mechanism whereby two keys - Public and Private -
are used for encryption and decryption. Private key is known only to the
owner and never transmitted over network.
Preshared key Specify the preshared key to be used. This preshared key will have to
Only if be shared or communicated to the peer at the remote end. At the
Authentication remote end, client will have to specify this key for authentication. Refer
Type is ‘Preshared to VPN Client guide, Phase 1 Configuration.
key’
If there is mismatch in the key, user will not be able to establish the
connection.
Local Certificate Select the local certificate that should be used for authentication by
Only if Cyberoam
Authentication
Type is ‘Digital
Certificate’
Remote Certificate Select the remote certificate that should be used for authentication by
Only if remote peer
Authentication
Type is ‘Digital Select ‘External Certificate’, if the remote certificate is not available
Certificate’
Local RSA Key Displays automatically generated key which cannot be modified.
Only if

48
VPN Management Guide

Screen Elements Description


Authentication Local Public key can be regenerated from Text based Administration
Type is ‘RSA Key’ (Telnet) Console. Refer to Console guide for more details.
Remote RSA Key Specify the public key which is to be used by the remote peer.
Only if
Authentication
Type is ‘RSA Key’
Local Network Details
Local Server Specify public IP address of local server

Click to select
Local ID Displays ID and its value specified in the Local certificate

For preshared key, select local id and specify it’s value

For preshared key, DER ASN1 DN is not applicable


Remote Network
Remote Host Specify IP address of remote peer
Allow NAT Enable if a NAT device is located between your VPN endpoints i.e.
Traversal remote peer has an private IP address
Remote Internal Specify IP addresses and netmask of remote network which is allowed
Network to connect to the Cyberoam server through VPN tunnel
Only if NAT
Traversal is At a time only one connection can be established behind one NAT-box
enabled
Click Add to add network
Remote ID Displays ID if remote certificate is selected else specify ID specified in
the certificate used by peer

For preshared key, select any type of id and specify it’s value

For preshared key, DER ASN1 DN is not applicable


User Authentication
User Authentication Specify whether user authentication is required at the time of
connection or not

Click Disable if user authentication is not required


If enabled as client, specify username and password
If enabled as server, Click Add to select and add all the users which
are to be allowed to connect
Quick Mode Selectors
Allow Protocols Select the protocol for negotiations

Tunnel will pass only that data which uses the above specified protocol
Local port Specify local port
Only for TCP
protocol
Remote port Specify remote port
Only for TCP
protocol
Create button Creates the connection

Click to create
Cancel button Cancels the current operation
Table - Create Host to Host IPSec connection screen elements

49
VPN Management Guide

50
VPN Management Guide

Manage IPSec Connection

Use to
• Activate, Deactivate, Initiate and disconnect connection
• Export Connection Configuration file
• Update connection details
• Delete connection

Activate/Deactivate Connection

1. Select VPN → IPSec Connection → Manage IPSec Connection to display the list
of connections
2. Under Connection status, Active column

Click to deactivate the connection

Click to activate the connection

Once disconnected, Road Warrior connection can be re-established from the remote peer
only after activating connection from the local server.

3. Under Connection status, Connection column

Click to initiate connection.

Click to disconnect connection. When you disconnect, connection will be deactivated and
to re-establish connection the connection, activate connection.

Note
If connection is created using manual keying policy, both the peers need to initiate the connection

Local peer cannot initiate the connection if remote peer is using dynamic IP address

Local peer cannot initiate the connection if Authentication mode is ‘Enable as Server’

Only one connection can be active at a time if two connections with different authentication types
(preshared key authentication and digital certification) are created for the same destination.

All similar connections should have same authentication mode

Screen – Activate/Deactivate Connection

51
VPN Management Guide

Export Connection configuration file (only for Road warrior connection)

Select VPN Æ IPSec Connection Æ Manage IPSec Connection to view the list of
connections and click ‘Export’ against the Connection Name whose configuration is to be exported.
Configuration file will be created in .tbg format which can directly be imported in Cyberoam VPN
Client.

Delete Connection

Select VPN → IPSec Connection → Manage IPSec Connection to display list of


connections

Screen – Delete IPSec Connection

Screen Elements Description


Del Select connection for deletion

Click Del to select

More than one connection can also be selected


Select All Select all the connections for deletion

Click Select All to select all the connections(s)


Delete button Deletes all the selected connection(s)
Table – Delete IPSec Connection screen elements

52
VPN Management Guide

L2TP Connection
L2TP configuration
You can use Layer 2 Tunneling Protocol (L2TP) to create VPN tunnel over public networks such
as the Internet. For authentication, currently Cyberoam supports only Password Authentication
Protocol (PAP) algorithm.

Select VPN → L2TP Configuration

Screen – L2TP Configuration

Screen Elements Description


L2TP Configuration
Local IP Address Displays IP address that will be assigned to L2TP server
Assign IP from Specify IP address range if L2TP server has to lease the IP address
Client Information
DNS server Specify IP address of your DNS server and alternate DNS server
WINS server Specify IP address of your WINS server and alternate WINS server
Save Saves the details

Click to save
Add Users button Click to add L2TP user. Displays list of users which are migrated or
created in Cyberoam.

Click Select against the Names that are to be allowed L2TP access
i.e. only the selected users will be allowed L2TP connection

Click Select All to allow L2TP access to all the users.

53
VPN Management Guide

Screen Elements Description

Click Add
Add Groups button Click to add L2TP user group. Displays list of user groups created in
Cyberoam.

Click Select against the Group Names that are to be allowed L2TP
access i.e. only the selected user groups will be allowed L2TP
connection

Click Select All to allow L2TP access to all the user groups.

Click Add. All the users in the selected groups will be allowd L2TP
access
Delete Users & To delete user/groups:
Groups button Click Del against the names to deleted
Click Delete Users & Groups button
Table – L2TP Configuration screen elements

54
VPN Management Guide

Create L2TP connection

Select VPN → L2TP Connection → Create Connection to open the create page

Screen – Create L2TP Connection

55
VPN Management Guide

Screen Elements Description


Connection details
Name Assign name to connection. Choose a name that best describes the
connection to be created
Description Specify full description of connection
Policy Name Select policy to be used for connection
Action on Restart Select the action for the connection

Deactive – Keep connection deactive mode till the user activates.


Active – Activate connection on system/service start so that the
connection can be established whenever required
Local Network Details
Local Server Specify public IP address of local VPN server/peer

Click to select
Gateway of Local Select Gateway of the local VPN server
VPN server
Local ID Specify local ID
You can specify any one of the following:
• DNS
• IP address
• Email address
• DER ASN1 DN/X.509 (applicable only if Authentication Type
is Digital Certificate)
Remote Network
Remote Host Specify IP address of remote peer

Remote ID Specify remote ID. You can specify any one of the following:
• DNS
• IP address
• Email address
• DER ASN1 DN/X.509 (applicable only if Authentication Type
is Digital Certificate)
Authentication details
Authentication Type Specify Authentication type. Authentication of user depends on the
connection type.

Preshared key
An authentication mechanism whereby a single key is used for
encryption and decryption. Both the peers should possess the
preshared key. Remote peer uses the preshared key for decryption.

Digital Certificate
An authentication mechanism whereby sender and receiver both
uses the digital certificate issued by the Certificate Authority. Both
sender and receiver must have each other’s Certificate Authority.
Preshared key Specify the preshared key to be used. This preshared key will have
Only if to be shared or communicated to the peer at the remote end. At the
Authentication remote end, client will have to specify this key for authentication.
Type is ‘Preshared Refer to VPN Client guide, Phase 1 Configuration.
key’
If there is mismatch in the key, user will not be able to establish the
connection.
Local Certificate Displays the local certificate which will be used for authentication

56
VPN Management Guide

Screen Elements Description


Only if
Authentication
Type is ‘Digital
Certificate’
Quick Mode Selectors
Local port Specify local port
Remote port Specify remote port
Create button Creates the connection

Click to create
Cancel button Cancels the current operation
Table – Create L2TP Connection screen elements

Note
L2TP and IPSec connection name cannot be same

You may receive ‘Connection name already exists’ message while creating connection, if the name with
which you are creating the connection is already used for either L2TP or IPSec connection

Manage L2TP connection

Select VPN → L2TP Connection → Manage Connection to view the list of connections

Screen – Manage L2TP Connection

57
VPN Management Guide

Screen – Update L2TP Connection

Screen Elements Description


Connection details
Name Displays Connection name
Description Displays description, modify if required
Policy Name Displays policy that will be used for connection
Action on Restart Displays the action

Deactive – Keep connection deactive mode till the user activates.


Active – Activate connection on system/service start so that the
connection can be established whenever required
Connect – Connect as soon as the system/service starts
Local Network Details
Local Server Displays public IP address of local VPN server/peer

Click to select
Gateway of Local Displays Gateway of the local VPN server

58
VPN Management Guide

Screen Elements Description


VPN server
Local ID Displays local ID, modify if required
You can specify any one of the following:
• DNS
• IP address
• Email address
• DER ASN1 DN/X.509 (applicable only if Authentication Type
is Digital Certificate)
Remote Network
Remote Host Displays IP address of remote peer
Remote ID Displays remote ID, modify if required. You can specify any one of
the following:
• DNS
• IP address
• Email address
• DER ASN1 DN/X.509 (applicable only if Authentication Type
is Digital Certificate)
Authentication details
Authentication Type Specify Authentication type. Authentication of user depends on the
connection type.

Preshared key
An authentication mechanism whereby a single key is used for
encryption and decryption. Both the peers should possess the
preshared key. Remote peer uses the preshared key for decryption.

Digital Certificate
An authentication mechanism whereby sender and receiver both
uses the digital certificate issued by the Certificate Authority. Both
sender and receiver must have each other’s Certificate Authority.
Preshared key Specify the preshared key to be used. This preshared key will have
Only if to be shared or communicated to the peer at the remote end. At the
Authentication remote end, client will have to specify this key for authentication.
Type is ‘Preshared Refer to VPN Client guide, Phase 1 Configuration.
key’
If there is mismatch in the key, user will not be able to establish the
connection.
Local Certificate Displays the local certificate which will be used for authentication
Only if
Authentication
Type is ‘Digital
Certificate’
Quick Mode Selectors
Local port Displays local port, modify if required
Remote port Displays remote port, modify if required
Update button Saves the modified details

Click to update
Cancel button Cancels the current operation
Table – Update L2TP Connection screen elements

59
VPN Management Guide

Delete L2TP connection

Select VPN → L2TP Connection → Manage Connection to view the list of connections

Screen – Delete L2TP connection

Screen Elements Description


Del Select connection for deletion

Click Del to select

More than one connection can also be selected


Select All Select all the connections for deletion

Click Select All to select all the connections(s)


Delete button Deletes all the selected connection(s)
Table – Delete L2TP connection screen elements

60
VPN Management Guide

PPTP Connection
Cyberoam support PPTP to tunnel PPP traffic between two VPN peers. Windows or Linux PPTP
clients can establish a PPTP tunnel with a Cyberoam Appliance that has been configured to act as
a PPTP server.

PPTP Configuration
Use to:
• Configure PPTP
• Add and delete PPTP User
• Add and delete PPTP User Groups

Select VPN → PPTP Configuration

Screen – PPTP Configuration

Screen Elements Description


PPTP Configuration
Local IP Address Displays LAN IP address that will be used for PPTP server
Assign IP from PPTP server will lease IP address to the PPTP client from the
specified IP address range. The PPTP client uses the assigned IP
address as its source address for the duration of the connection.

Do not specify the same IP address range in L2TP configuration and


PPTP configuration
Client Information
DNS server Specify IP address of your DNS server and alternate DNS server to
be used at the client end
WINS server Specify IP address of your WINS server and alternate WINS server
61
VPN Management Guide

Screen Elements Description


to be used at the client end
Save Saves the details

Click to save
Add Users button Click to add PPTP user. Displays list of users which are migrated or
created in Cyberoam.

Click Select against the Names that are to be allowed PPTP access
i.e. only the selected users will be allowed PPTP connection

Click Select All to allow PPTP access to all the users.

Click Add
Add Groups button Click to add PPTP user group. Displays list of user groups created in
Cyberoam.

Click Select against the Group Names that are to be allowed PPTP
access i.e. only the selected user groups will be allowed PPTP
connection

Click Select All to allow PPTP access to all the user groups.

Click Add. All the users in the selected groups will be allowd PPTP
access
Delete Users & To delete user/groups:
Groups button Click Del against the names to deleted
Click Delete Users & Groups button
Table – PPTP Configuration Screen elements

62