Cyberoam VPN Management Guide Version 10
Document version 1.0 – 10.6.6.042 - 24/11/2017
VPN Management Guide
Page 2 of 98
Important Notice
Cyberoam Technologies Pvt. Ltd. has supplied this Information believing it to be accurate and reliable at the time of printing, but is presented without warranty of any kind, expressed or implied. Users must take full responsibility for their application of any products. Cyberoam Technologies Pvt. Ltd. assumes no responsibility for any errors that may appear in this document. Cyberoam Technologies Pvt. Ltd. reserves the right, without notice to make changes in product design or specifications. Information is subject to change without notice.
USER’S LICENSE
Use of this product and document is subject to acceptance of the terms and conditions of Cyberoam End User License Agreement (EULA) and Warranty Policy for Cyberoam UTM Appliances.
You will find the copy of the EULA at http://www.cyberoam.com/documents/EULA.html and the Warranty Policy for Cyberoam UTM Appliances at http://kb.cyberoam.com.
RESTRICTED RIGHTS
Copyright 1999 - 2015 Cyberoam Technologies Pvt. Ltd. All rights reserved. Cyberoam and the Cyberoam logo are trademarks of Cyberoam Technologies Pvt. Ltd.
Corporate Headquarters
Cyberoam House,
Saigulshan Complex, Opp. Sanskruti,
Beside White House, Panchwati Cross Road,
Ahmedabad - 380006, GUJARAT, INDIA.
Tel: +91-79-66216666
Fax: +91-79-26407640
Web site: www.cyberoam.com
Contents
Preface (page 4)
Introduction (page 6)
Appliance Administrative Interfaces (page 7)
  Web Admin Console (page 7)
  Command Line Interface (CLI) Console (page 8)
  Cyberoam Central Console (CCC) (page 8)
Web Admin Console (page 9)
  Web Admin Language (page 9)
  Supported Browsers (page 10)
  Login procedure (page 11)
  Log out procedure (page 12)
  Menus and Pages (page 13)
  Page (page 15)
  Icon bar (page 16)
  List Navigation Controls (page 17)
  Tool Tips (page 18)
  Status Bar (page 18)
  Common Operations (page 19)
Introduction to VPN (page 21)
Cyberoam VPN (page 22)
  Policy (page 23)
    Policy (page 25)
  IPSec (page 34)
    Manage IPSec Connection (page 35)
    Failover Group (page 80)
  CISCO™ VPN Client (page 83)
  L2TP (page 86)
    Configuration (page 86)
    Manage L2TP Connection (page 89)
  PPTP (page 94)
  Live Connections (page 97)
    IPSec Connections (page 97)
    SSL VPN Users (page 98)
Preface
Welcome to the Cyberoam VPN Management Guide.
This Guide provides information on how to configure Cyberoam VPN connections (IPSec, L2TP and PPTP) and helps you manage and customize the Appliance to meet your organization’s various requirements for remote users.
Cyberoam’s integrated Internet security solution is purpose-built to meet the unified threat management needs of corporate, government organizations and educational institutions. It also provides assistance in improving Bandwidth management, increasing Employee productivity, and reducing legal liability associated with undesirable Internet content access.
This Guide provides a basic introduction to VPN and some fundamental information on the technologies relevant to the way Cyberoam implements VPN. It outlines how a VPN tunnel is actually created and gives a detailed picture of the different settings that can be used to adjust the VPN policies on the Appliance.
The Appliances use Layer 8 technology to help organizations maintain a state of readiness against today's blended threats and offer real-time protection.
Note Default Web Admin Console username is ‘admin’ and password is ‘admin’. We recommend that you change the default password immediately after installation to avoid unauthorized access. All the screen shots in the Cyberoam User Guides are taken from the NG series of Appliances. The features and functionality, however, remain unchanged across all Cyberoam Appliances.
Technical Support
You may direct all questions, comments, or requests concerning the software you purchased, your registration status, or similar issues to the Customer care/service department at the following address:
Corporate Office
Cyberoam House,
Saigulshan Complex, Opp. Sanskruti,
Beside White House, Panchwati Cross Road,
Ahmedabad - 380006, GUJARAT, INDIA.
Tel: +91-79-66216666
Fax: +91-79-26407640
Web site: www.cyberoam.com
Cyberoam contact:
Technical support (Corporate Office): +91-79-66216565
Email: [email protected]
Web site: www.cyberoam.com
Visit www.cyberoam.com for the regional and latest contact information.
Introduction
The Appliances use Layer 8 technology to help organizations maintain a state of readiness against today's blended threats and offer real-time protection.
Unified Threat Management Appliances offer identity-based comprehensive security to organizations against blended threats - worms, viruses, malware, data loss, identity theft; threats over applications viz. Instant Messengers; threats over secure protocols viz. HTTPS; and more. They also offer wireless security (WLAN) and 3G wireless broadband. Analog modem support can be used as either Active or Backup WAN connection for business continuity.
The Appliance integrates features like stateful inspection firewall, VPN, Gateway Anti-Virus and Anti- Spyware, Gateway Anti-Spam, Intrusion Prevention System, Content & Application Filtering, Data Leakage Prevention, IM Management and Control, Layer 7 visibility, Web Application Firewall, Bandwidth Management, Multiple Link Management and Comprehensive Reporting over a single platform.
The Appliance has enhanced security by adding an 8th layer (User Identity) to the protocol stack. Advanced inspection provides L8 user-identity and L7 application detail in classifying traffic, enabling Administrators to apply access and bandwidth policies far beyond the controls that traditional UTMs support. It thus offers security to organizations across layer 2 - layer 8, without compromising productivity and connectivity.
The Appliance accelerates unified security by enabling single-point control of all its security features through a Web 2.0-based GUI. An extensible architecture and an ‘IPv6 Ready’ Gold logo provide Appliance the readiness to deliver on future security requirements.
The Appliances provide increased LAN security by providing a separate port for connecting to publicly accessible servers (Web server, Mail server, FTP server, etc.) hosted in the DMZ, which are visible to the external world and still have firewall protection.
Layer 8 Security:
The Appliance’s features are built around its patent-pending Layer 8 technology. The Layer 8 technology implements the human layer of networking by allowing organizations to control traffic based on users instead of mere IP Addresses. Layer 8 technology keeps organizations a step ahead of conventional security solutions by providing full business flexibility and security in any environment, including Wi-Fi and DHCP.
Note All the screen shots in this Guide are taken from the NG series of Appliances. The features and functionality, however, remain unchanged across all Cyberoam Appliances.
Appliance Administrative Interfaces
The Appliance can be accessed and administered through:
1. Web Admin Console
2. Command Line Interface Console
3. Cyberoam Central Console
Administrative Access
An administrator can connect to and access the Appliance through the HTTP, HTTPS, Telnet, or SSH services. Depending on the Administrator login account profile used for access, an administrator can access a number of Administrative Interfaces and Web Admin Console configuration pages.
The Appliance is shipped with two administrator accounts and four administrator profiles.
Administrator Type: Super Administrator
  Login Credentials: admin/admin
  Console Access: Web Admin Console, CLI console
  Privileges: Full privileges for both consoles. Provides read-write permission for all configuration performed through either console.
Administrator Type: Default
  Login Credentials: cyberoam/cyber
  Console Access: Web Admin Console only
  Privileges: Full privileges. Provides read-write permission for all configuration pages of the Web Admin Console.
Note We recommend that you change the passwords of both users immediately on deployment.
Web Admin Console
Web Admin Console is a web-based application that an Administrator can use to configure, monitor, and manage the Appliance.
You can connect to and access the Web Admin Console of the Appliance using an HTTP or HTTPS connection from any management computer with a web browser:
1. HTTP login: http://<LAN IP Address of the Appliance>
2. HTTPS login: https://<LAN IP Address of the Appliance>
For more details, refer to the section Web Admin Console.
Command Line Interface (CLI) Console
The Appliance CLI console provides a collection of tools to administer, monitor and control certain Appliance components. The Appliance can be accessed remotely using the following connections:
1. Remote login Utility – TELNET login
To access the Appliance from the command prompt using the remote login utility Telnet, use the command TELNET <LAN IP Address of the Appliance>. Use the default password “admin”.
2. SSH Client (Serial Console)
The SSH client securely connects to the Appliance and performs command-line operations. The CLI console of the Appliance can be accessed via any SSH client using the LAN IP Address of the Appliance and providing Administrator credentials for authentication.
Note Start the SSH client and create a new connection with the following parameters:
Host – <LAN IP Address of the Appliance>
Username – admin
Password – admin
Use the CLI console to troubleshoot and diagnose network problems in detail. For more details, refer to the version-specific Console Guide available at http://docs.cyberoam.com/.
Cyberoam Central Console (CCC)
Distributed Cyberoam Appliances can be centrally managed using a single Cyberoam Central Console (CCC) Appliance, enabling high levels of security for Managed Security Service Providers (MSSPs) and large enterprises. To monitor and manage Cyberoam using a CCC Appliance you must:
1. Configure CCC Appliance in Cyberoam
2. Integrate the Cyberoam Appliance with CCC using Auto Discovery or manually
Once you have added the Appliances and organized them into groups, you can configure a single Appliance or groups of Appliances.
For more information, please refer to the CCC Administrator Guide.
Web Admin Console
CyberoamOS uses a Web 2.0 based, easy-to-use graphical interface termed the Web Admin Console to configure and manage the Appliance.
You can access the Appliance for HTTP and HTTPS web browser-based administration from any of the interfaces. When the Appliance is connected and powered up for the first time, it has the following default Web Admin Console access configuration for the HTTP and HTTPS services.
Service   Interface/Zones   Default Port
HTTP      LAN, WAN          TCP Port 80
HTTPS     WAN               TCP Port 443
The administrator can update the default ports for HTTP and HTTPS services from System > Administration > Settings.
Web Admin Language
The Web Admin Console supports multiple languages, but by default appears in English. To cater to its non-English customers, Chinese-Simplified, Chinese-Traditional, Hindi, Japanese and French are also supported. The Administrator can choose the preferred GUI language at the time of logging on.
The following elements of the Web Admin Console are displayed in the configured language:
• Dashboard Doclet contents
• Navigation menu
• Screen elements including field & button labels and tips
• Error messages
Supported Browsers
You can connect to the Web Admin Console of the Appliance using HTTP or a secure HTTPS connection from any management computer using one of the following web browsers:
Browser                       Supported Version
Microsoft Internet Explorer   Version 8+
Mozilla Firefox               Version 3+
Google Chrome                 All versions
Safari                        5.1.2 (7534.52.7)+
Opera                         15.0.1147.141+
The minimum screen resolution for the management computer is 1024 x 768 with 32-bit true color.
The Administrator can also specify the description for firewall rule, various policies, services and various custom categories in any of the supported languages.
All configuration done using the Web Admin Console takes effect immediately. To assist you in configuring the Appliance, the Appliance includes detailed context-sensitive online help.
Login procedure
The log on procedure authenticates the user and creates a session with the Appliance that lasts until the user logs off.
To get to the login window, open the browser and type the LAN IP Address of Cyberoam in the browser’s URL box. A dialog box appears prompting you to enter a username and password.
Screen – Login Screen
• Username – Enter the user login name. If you are logging on for the first time after installation, use the default username.
• Password – Specify the user account password. Dots are the placeholders in the password field. If you are logging on for the first time after installation with the default username, use the default password.
• Language – Select the language. The available options are Chinese-Simplified, Chinese-Traditional, English, French, and Hindi. Default – English
• Log on to – To administer Cyberoam, select ‘Web Admin Console’. To view logs and reports, select “Reports”. To log in to your account, select “My Account”.
• Login button – Click to log on to the Web Admin Console.
Table – Login Screen
The Dashboard appears as soon as you log on to the Web Admin Console. It provides a quick overview of all the important parameters of your Appliance.
Log out procedure
To prevent unauthorized users from accessing Cyberoam, log off after you have finished working. This ends the session and exits Cyberoam.
To log off from the Appliance, click the Logout button located at the top right of any of the Web Admin Console pages.
Menus and Pages
The Navigation bar on the leftmost side provides access to the various configuration pages. This menu consists of sub-menus and tabs. On clicking a menu item in the navigation bar, the related management functions are displayed as submenu items in the navigation bar itself. On clicking a submenu item, all the associated tabs are displayed as a horizontal menu bar at the top of the page. To view the page associated with a tab, click the required tab.
The left navigation bar expands and contracts dynamically when clicked on without navigating to a submenu. When you click on a top-level heading in the left navigation bar, it automatically expands that heading and contracts the heading for the page you are currently on, but it does not navigate away from the current page. To navigate to a new page, first click on the heading, and then click on the submenu you want to navigate to. Hovering the cursor over the up-scroll icon or the down-scroll icon automatically scrolls the navigation bar up or down respectively.
The navigation menu includes the following modules:
• System – System administration and configuration, firmware maintenance, backup - restore
• Objects – Configuration of various policies for hosts, services, schedules and file type
• Networks – Network specific configuration viz., Interface speed, MTU and MSS settings, Gateway, DDNS
• Identity – Configuration and management of User and user groups
• Firewall – Firewall Rule Management
• VPN – VPN and SSL VPN access configuration
• IPS – IPS policies and signature
• Web Filter – Web filtering categories and policies configuration
• Application Filter – Application filtering categories and policies configuration
• WAF – Web Application Filtering policies configuration. Available in all the models except CR15iNG and CR15wiNG.
• IM – IM controls
• QoS – Policy management viz., surfing quota, QoS, access time, data transfer
• Anti Virus – Antivirus filtering policies configuration
• Anti Spam – Anti Spam filtering policies configuration
• Traffic Discovery – Traffic monitoring
• Logs & Reports – Logs and reports configuration
Note Use F1 key for page-specific help. Use F10 key to return to Dashboard.
Each section in this guide shows the menu path to the configuration page. For example, to reach the Zone page, choose the Network menu, then choose the Interface sub-menu from the navigation bar, and then choose the Zone tab. The Guide mentions this path as Network > Interface > Zone.
Page
A typical page looks as shown in the image below:
Screen – Page
Icon bar
The Icon bar on the upper rightmost corner of every page provides access to several commonly used functions like:
1. Dashboard – Click to view the Dashboard
2. Wizard – Opens a Network Configuration Wizard for a step-by-step configuration of the network parameters like IP Address, subnet mask and default gateway for your Appliance.
3. Report – Opens a Reports page for viewing various usage reports. The integrated Logging and Reporting solution, iView, offers a wide spectrum of 1000+ unique user identity-based reports across applications and protocols and provides in-depth network visibility to help organizations take corrective and preventive measures.
This feature is not available for the CR15xxxx series of Appliances.
4. Console – Provides immediate access to the CLI by initiating a telnet connection to the CLI without closing the Web Admin Console.
5. Logout – Click to log off from the Web Admin Console.
6. More Options – Provides options for further assistance. The available options are as follows:
• Support – Opens the customer login page for creating a Technical Support Ticket. It is fast, easy and puts your case right into the Technical Support queue.
• About Product – Opens the Appliance registration information page.
• Help – Opens the context-sensitive help page.
• Reset Dashboard – Resets the Dashboard to factory default settings.
• Lock – Locks the Web Admin Console. The Web Admin Console is automatically locked if the Appliance is inactive for more than 3 minutes. To unlock the Web Admin Console you need to re-login. By default, the Lock functionality is disabled. Enable Admin Session Lock from System > Administration > Settings.
• Reboot Appliance – Reboots the Appliance.
• Shutdown Appliance – Shuts down the Appliance.
List Navigation Controls
The Web Admin Console pages display information in the form of lists that are spread across multiple pages. The Page Navigation Control Bar in the upper right corner of the list provides navigation buttons for moving through the pages of a list with a large number of entries. It also includes an option to specify the number of entries/records displayed per page.
Tool Tips
To view additional configuration information, use the tool tip. Tool tips are provided for many configurable fields. Move the pointer over the icon to view a brief configuration summary.
Status Bar
The Status bar at the bottom of the page displays the action status.
Common Operations
Adding an Entity
You can add a new entity like a policy, group, user, rule, or host by clicking the Add button available on most of the configuration pages. Clicking this button opens either a new page or a pop-up window.
Editing an Entity
All editable entities are hyperlinked. You can edit any entity by clicking either the hyperlink or the Edit icon under the Manage column.
Deleting an Entity
You can delete an entity by selecting the checkbox and clicking the Delete button or Delete icon.
To delete multiple entities, select each individual entity and click the Delete button.
To delete all the entities, select the checkbox in the heading column and click the Delete button.
Sorting Lists
To organize a list spread over multiple pages, sort the list in ascending or descending order of a column attribute. You can sort a list by clicking a column heading.
• Ascending Order icon in a column heading indicates that the list is sorted in ascending order of the column attribute.
• Descending Order icon in a column heading indicates that the list is sorted in descending order of the column attribute.
Filtering Lists
To search for specific information within a long list spread over multiple pages, filter the list. Filtering criteria vary depending on the column data and can be a number, an IP address or part of an address, or any text string combination.
To create a filter, click the Filter icon in a column heading. When a filter is applied to a column, the Filter icon in that heading changes to show that the filter is active.
Configuring Column Settings
By default, all columnar information is displayed on every page, but on certain pages where a large amount of columnar information is available, not all the columns can be displayed. It is also possible that some content may not be of use to everyone. Using column settings, you can display only the columns that are important to you.
To configure column settings, click Select Column Settings, select the checkbox against the columns you want to display, and clear the checkbox against the columns you do not want to display. All the default columns are greyed out and not selectable.
Introduction to VPN
A Virtual Private Network (VPN) is a tunnel that carries private network traffic from one endpoint system to another over a public network such as the Internet. The traffic is not aware that there are intermediate hops between the endpoints, and the intermediate hops are not aware that they are carrying the packets traversing the tunnel. The tunnel may optionally compress and/or encrypt the data, providing enhanced performance and some measure of security.
A VPN lets you communicate between endpoints as if you were using a leased line or a direct telephone call.
VPNs allow users and telecommuters to connect to their corporate intranets or extranets and are cost-effective because users can connect to the Internet locally and tunnel back to corporate resources. This not only reduces the overhead costs associated with traditional remote access methods, but also improves flexibility and scalability.
Cyberoam VPN
For all corporate users traveling or working from home, connecting securely to the corporate network is essential. With Cyberoam, setting up a VPN is almost effortless.
The two endpoints in Cyberoam VPN are referred to as:
• Local – First endpoint is the local machine itself.
• Remote – Second endpoint is the remote peer - the machine you are trying to establish a VPN connection to, or the machine which is trying to establish a VPN connection with you.
Cyberoam VPN automatically encrypts the data and sends it to the remote site over the Internet, where it is automatically decrypted and forwarded to the intended destination. Encryption protects the integrity and confidentiality of the data even when it is transmitted over the untrusted public network. Cyberoam uses the standard IPSec protocol to protect network traffic. In IPSec, the identity of the communicating users is checked with user authentication based on Digital Certificates, Public Keys or Preshared Keys.
The Appliance ensures that all VPN traffic passing through the VPN tunnels is threat free. All Firewall Rules and policies apply to traffic going into and coming out of the VPN tunnels. The Appliance inspects all traffic passing through the VPN tunnels and makes sure that it carries no viruses, worms, spam, inappropriate content or intrusion attempts. As VPN traffic is by default subjected to DoS inspection, Cyberoam provides a facility to bypass scanning of traffic coming from certain hosts in the VPN zone. This functionality is achieved by adding an additional zone called the VPN zone: VPN traffic passes through the VPN zone, and Firewall Rules can be applied to the VPN zone.
The Appliance can be used to establish VPN connection between sites, LAN-to-LAN and Client-to-LAN connection. VPN is the bridge between Local & Remote networks/subnets.
The Appliance supports the following protocols to authenticate and encrypt traffic:
• Internet Protocol Security (IPSec)
• Layer Two Tunneling Protocol (L2TP)
• Point-to-Point Tunneling Protocol (PPTP)
• Secure Socket Layer (SSL)
Note VPN is not supported when the Appliance is deployed as a Bridge. Hence, when you change the deployment mode from Gateway to Bridge mode, the Appliance deletes all the custom and default Firewall Rules pertaining to the VPN zone, dynamic hosts and host groups, virtual hosts mapped to the VPN zone, and the VPN zone from the Local ACL. Firewall Rules and scanning are applicable to IPSec, L2TP and PPTP traffic.
Policy
Encryption and Authentication method
Authentication of the communicating parties and integrity of the exchanged data are crucial for a reliable implementation of VPN.
Encryption is used to provide confidentiality of data during negotiation. The Appliance supports the 3DES encryption algorithm, an extensively tested public algorithm, and uses the MD5 message-digest hash function for data integrity.
3DES: Triple DES (Data Encryption Standard) is a strong symmetric encryption algorithm that is compliant with the OpenPGP standard. It is an application of the DES standard in which three keys are used in succession to provide additional security.
AES: Advanced Encryption Standard AES offers the highest standard of security. The effective key lengths that can be used with AES are 128, 192 and 256 Bits.
This security system supports a number of encryption algorithms.
Serpent: Serpent is a 128-bit block cipher that encrypts and decrypts data in chunks of 128 bits with a variable key length of 128, 192 or 256 bits. The Serpent algorithm uses 32 rounds, or iterations, of the main algorithm.
Serpent is faster than DES and more secure than Triple DES.
BlowFish: BlowFish is a symmetric encryption algorithm which uses the same secret key to both encrypt and decrypt messages. It is also a block cipher, which divides a message into fixed-length blocks during encryption and decryption. It has a 64-bit block size, a key length of anywhere between 32 and 448 bits, and uses 16 rounds of the main algorithm.
TwoFish: TwoFish is a symmetric key block cipher with a block size of 128 bits and key sizes up to 256 bits.
Preshared Key
An authentication mechanism whereby the key used for encryption is exchanged beforehand, prior to negotiation with another system.
Preshared Key authentication is the process by which two systems prove their identity to each other: each system encrypts some unpredictable, arbitrary data with a key that has been exchanged beforehand. If the other system can successfully decrypt the message, the sender is assumed to be valid.
A single shared key is used for encryption and decryption. The data is encrypted with the key and sent to the recipient over the Internet. At the receiving end, the data is decrypted with the exact same key that was used for encryption.
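The proof-of-possession idea described above, as an added Python example that is not Cyberoam's code: each peer proves it holds the preshared key over unpredictable data (a fresh nonce) and the other peer verifies that proof with its own copy of the key, so a peer with a mismatched key is rejected. It uses a keyed hash (HMAC-SHA256) for the proof rather than encrypting the nonce, and the PSK value, the peer identifiers and the session-key derivation are constructed assumptions for illustration, not the appliance's IKE implementation.

```python
import hashlib
import hmac
import secrets

# Constructed preshared key for the example. On a real appliance the PSK is
# taken from the VPN policy configuration, never hard-coded in source.
PSK = b"example-preshared-key-configured-on-both-peers"


def prove_possession(psk: bytes, role: bytes, peer_id: bytes,
                     nonce_i: bytes, nonce_r: bytes) -> bytes:
    """Keyed proof over both nonces and the prover's identity.

    The role tag ("init"/"resp") binds the proof to one side of the
    exchange, so a responder's proof cannot be reflected back and
    accepted as an initiator's proof.
    """
    return hmac.new(psk, role + peer_id + nonce_i + nonce_r,
                    hashlib.sha256).digest()


def verify_possession(psk: bytes, role: bytes, peer_id: bytes,
                      nonce_i: bytes, nonce_r: bytes, proof: bytes) -> bool:
    """Recompute the proof with the local copy of the PSK and compare."""
    expected = prove_possession(psk, role, peer_id, nonce_i, nonce_r)
    # Constant-time comparison: a plain == would leak, through timing,
    # how many leading bytes of a guessed proof matched.
    return hmac.compare_digest(expected, proof)


def derive_session_key(psk: bytes, nonce_i: bytes, nonce_r: bytes) -> bytes:
    """Per-tunnel key bound to this exchange's nonces (assumed construction,
    not the appliance's key schedule)."""
    return hmac.new(psk, b"session-key" + nonce_i + nonce_r,
                    hashlib.sha256).digest()


def psk_handshake(local_psk: bytes, remote_psk: bytes,
                  local_id: bytes = b"local-gw",
                  remote_id: bytes = b"remote-gw"):
    """Mutual proof-of-possession between two simulated peers.

    Returns (authenticated, session_key). The two peers are given their
    own copies of the PSK so a mismatch can be demonstrated.
    """
    # 1. Local (initiator) sends an unpredictable nonce to Remote.
    nonce_i = secrets.token_bytes(32)
    # 2. Remote replies with its own nonce and its proof of possession.
    nonce_r = secrets.token_bytes(32)
    proof_r = prove_possession(remote_psk, b"resp", remote_id, nonce_i, nonce_r)
    # 3. Local checks the remote proof against its own copy of the key.
    if not verify_possession(local_psk, b"resp", remote_id,
                             nonce_i, nonce_r, proof_r):
        return False, None
    # 4. Local sends its own proof, which Remote verifies the same way.
    proof_i = prove_possession(local_psk, b"init", local_id, nonce_i, nonce_r)
    if not verify_possession(remote_psk, b"init", local_id,
                             nonce_i, nonce_r, proof_i):
        return False, None
    # 5. Both sides can now derive the same fresh key for this tunnel.
    return True, derive_session_key(local_psk, nonce_i, nonce_r)


if __name__ == "__main__":
    ok, key = psk_handshake(PSK, PSK)
    print("matching PSK   -> authenticated:", ok)
    ok, key = psk_handshake(PSK, b"mistyped-key-on-remote-peer")
    print("mismatched PSK -> authenticated:", ok)
```

Because fresh nonces enter every run, two successful handshakes with the same PSK yield different session keys, which is the property the Key life section below relies on when a tunnel rekeys.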
Digital Certificates
Digital Certificates is yet another authentication method that employs digital signatures and public key cryptography.
A Digital Certificate is a document that guarantees the identity of a person or entity and is issued by the trusted third party Certificate Authority (CA). Digital Certificate holders have a public or private key pair which can be used to authenticate the sender and decrypt the incoming message
VPN Management Guide
Page 24 of 98
ensuring that only the certificate holder can decode the message.
A certificate is used to associate a public/private key pair with a given IP Address or Host name and issued by CA for a specific period of time. A CA can be in-house CA, run by your own organization, or a public CA. To use certificates for negotiation, both peers have to generate public/private key pairs, request, and receive public key certificates, and are configured to trust the CA that issues the certificates.
Users can download and install certificates from Cyberoam.
Public Key
Public Key authentication uses two keys – public key available to anyone and a private key held by only one individual. The sender encrypts data with the recipient’s public key. Only the recipient can decrypt the data, being the only one who possesses the corresponding private key.
Policy
Policy describes the security parameters that are used for negotiations to establish and maintain a secure tunnel between two peers.
Before you set up your secure tunnels, to make their configuration faster and easier, you can create VPN policies that work on a global level. Rather than configuring the policy parameters for every tunnel you create, you can configure general policies and then later apply them to your secure tunnels.
Authentication mode
To ensure secure communication, there are two phases to every IKE (Internet Key Exchange) negotiation - Phase 1 (Authentication) and Phase 2 (Key exchange).
The Phase 1 negotiation establishes a secure channel between peers and determines a specific set of cryptographic protocols, exchanges shared secret keys, and selects the encryption and authentication algorithms that will be used for generating keys.
The Phase 2 negotiation establishes a secure channel between peers to protect data. During Phase 2 negotiation, the protocol security association for the tunnel is established. Either of the peers can initiate Phase 1 or Phase 2 renegotiation at any time. Both can specify intervals after which to negotiate.
Key life
Lifetime of a key is specified as Key life.
Once the connection is established after exchanging authenticated and encrypted keys, the connection is not dropped till the key life expires. If the key life of the two peers is not the same, then renegotiation will take place whenever the key life of either peer is over. This means an intruder has to decrypt only one key to break into your system.
Key generation and key rotation are important because the longer the life of the key, the larger the amount of data at risk, and the easier it becomes to intercept more ciphertext for analysis.
Perfect Forward Secrecy (PFS)
It becomes difficult for a network intruder to get the big picture if keys keep changing and they have to crack a fresh key for every negotiation. This is achieved by implementing PFS. By selecting PFS, a new key will be generated for every negotiation and a new Diffie-Hellman (DH) key exchange is included. So every time the intruder will have to break yet another key, even if the previous key is already known. This enhances security.
Diffie-Hellman (DH) Group (IKE group)
Diffie-Hellman is a public-key cryptography scheme that allows peers to establish a shared secret over an insecure communication channel. Diffie-Hellman Key Exchange uses a complex algorithm and public and private keys to encrypt and then decrypt the data.
The Diffie-Hellman Group describes the key length used in encryption. The group number is also termed the identifier.
DH Group    Key length (bits)
1           768
2           1024
5           1536
14          2048
15          3072
16          4096
Negotiation fails if same groups are not specified on each peer. The group cannot be switched during negotiation.
Re-key Margin
This is the time before the next key is exchanged and is calculated by subtracting the time elapsed since the last key exchange from the key life. By setting Re-keying to ‘Yes’, the negotiation process starts automatically before key expiry without interrupting the service.
Dead Peer Detection settings
Used to check whether the Appliance is able to reach the peer IP Address or not. Set the time interval after which the status of the peer is to be checked and the action to take if the peer is not alive.
Tunnel Negotiation
Negotiation process starts to establish the connection when local or remote peers want to communicate with each other. Depending on the connection parameters defined, the key is generated which is used for negotiations. Lifetime of key is specified as Key life. Once the connection is established, connection is alive/active and data can be transferred up to the specified key life. Connection will be closed/deactivated once the key expires.
If the connection is to be activated again then the entire negotiation process is to be started all over again. Negotiation process can be started again automatically by either the local or remote peer only if Allow Re-keying is set to ‘Yes’. Set the re-keying time in terms of the remaining key life when negotiation is to be started automatically without interrupting the communication before key expiry. For example, if key life is 8 hours and Re-key margin time is 10 minutes then negotiation process will automatically start after 7 hours 50 minutes of key usage.
Negotiation process will generate a new key only if Perfect Forward Secrecy (PFS) is set to ‘Yes’. PFS will generate a new key from scratch and there is no dependency between the old and new key.
Re-keying   Result
Yes         Local and remote peer both will be able to initiate a request for connection. Depending on PFS, negotiation process will use the same key or generate a new key.
No          Only the remote peer will be able to initiate a request for connection. Depending on PFS, negotiation process will use the same key or generate a new key.
Cyberoam provides 5 default policies and you can also create a custom policy to meet your organization’s requirement.
To make VPN connection configuration an easy task, following five preconfigured VPN policies are included for the frequently used VPN deployment scenarios:
• Road warrior
• L2TP
• Head Office connectivity
• Branch Office connectivity
• Default
Manage VPN Policies
To manage custom VPN policies, go to VPN > Policy > Policy.
• Duplicate – Click the duplicate icon in the Manage column against the VPN Policy to be duplicated. Add VPN Policy window is displayed which has the same values for parameters as the existing policy. Click OK to add a new policy with modification in values for parameters.
Note Default policy can be updated but cannot be deleted.
Screen – Manage VPN Policies
Screen Elements Description
Name Displays a name for the VPN Policy.
Keying Method Displays the Keying method.
Authentication Mode Displays the Authentication Mode selected: Main or Aggressive Mode.
Compress Displays whether compression is enabled or not.
PFS Displays whether Perfect Forward Secrecy is enabled or not.
Encryption-Authentication Algorithm Displays the Encryption and Authentication Algorithm used for Phase 1 and Phase 2.
Re-Key Displays whether Re-Keying is enabled or not.
Key Negotiation Tries Displays the number of times “Key Negotiation Tries” is allowed.
DPD Displays whether Dead Peer Detection is enabled or not.
Action on Active Peer Displays the Action selected when Dead Peer Detection is activated: Hold, Disconnect, Re-initiate.
Duplicate Icon Duplicate the VPN Policy.
Table – Manage VPN Policies screen elements
VPN Policy Parameters
To add, edit or duplicate policies, go to VPN > Policy > Policy. Click the Add Button to add a new policy or the Edit Icon in the Manage column against the policy to be modified.
Screen – Add VPN Policy
Screen Elements Description
General Settings
Name Specify a name to identify the VPN Policy.
Description Provide description for the VPN Policy.
Allow Re-Keying Enable Re-Keying to start the negotiation process automatically before key expiry. The process will start automatically at the time specified in the re-key margin.
If enabled, the negotiation process can be initiated by either the local or the remote peer. Depending on PFS, the negotiation process will use the same key or generate a new key.
Key Negotiation Tries Specify maximum key negotiation trials allowed. Set 0 for unlimited number of trials.
Authentication Mode Select the mode of Authentication. Authentication Mode is used for exchanging authentication information.
Available Options:
• Main Mode
• Aggressive Mode – With Aggressive Mode, the tunnel can be established faster than with Main Mode, as fewer messages are exchanged during authentication and no cryptographic algorithm is used to encrypt the authentication information. Use Aggressive Mode when the remote peer has a dynamic IP Address.
Depending on Authentication Mode, the phase 1 parameters are exchanged for authentication purpose.
In Main Mode, the phase 1 parameters are exchanged in multiple rounds with encrypted authentication information while in Aggressive Mode phase1 parameters are exchanged in single message without encrypted information.
Pass Data in Compressed Format Disable to pass data in uncompressed format.
To increase the throughput, we recommend keeping it enabled so that the data is passed in compressed form.
Default – Enable
Note When you create Site-to-Site IPSec Connection with Amazon VPC, make sure that the option is disabled.
PHASE 1
Encryption Algorithm Select the encryption algorithm that would be used by communicating parties for integrity of exchanged data for phase 1.
Supported Encryption algorithms: DES, 3DES, AES128, AES192, AES256, TwoFish, BlowFish, and Serpent.
3DES – Triple DES is a symmetric strong encryption algorithm that is compliant with the OpenPGP standard. It is the application of DES standard where three keys are used in succession to provide additional security.
AES – Advanced Encryption Standard offers the highest standard of security. The effective key lengths that can be used with AES are 128, 192 and 256 Bits. This security system supports a number of encryption algorithms.
Serpent – Serpent is a 128-bit block cipher that encrypts and decrypts data in chunks of 128 bits with a variable key length of 128, 192 or 256 bits. The Serpent algorithm uses 32 rounds, or iterations, of the main algorithm.
Serpent is faster than DES and more secure than Triple DES.
BlowFish – BlowFish is a symmetric encryption algorithm which uses the same secret key to both encrypt and decrypt messages. It is also a block cipher which divides a message into fixed length blocks during encryption and decryption. It has a 64-bit block size and a key length of anywhere between 32 bits to 448 bits and uses 16 rounds of the main algorithm.
TwoFish – Twofish is a symmetric key block cipher with a block size of 128 bits and key sizes up to 256 bits.
Authentication Algorithm Select the Authentication Algorithm that would be used by communicating parties for integrity of exchanged data for phase 1.
Supported Authentication algorithms: MD5, SHA1
A maximum of three combination(s) of encryption and authentication algorithm can be selected. The remote peer must be configured to use at least one of the defined combinations.
Click to add more than one combination of encryption and authentication algorithm.
DH Group (Key Group) Select one Diffie-Hellman Group from 1, 2, 5, 14, 15 or 16. The DH Group specifies the key length used for encryption.
DH Group 1 uses 768-bit encryption
DH Group 2 uses 1024-bit encryption
DH Group 5 uses 1536-bit encryption
DH Group 14 uses 2048-bit encryption
DH Group 15 uses 3072-bit encryption
DH Group 16 uses 4096-bit encryption
The remote peer must be configured to use the same group. If mismatched groups are specified on each peer, negotiation fails.
Key Life Specify the Key Life in terms of seconds. Key Life is the amount of time that will be allowed to pass before the key expires.
Re-key Margin Specify the Re-Key Margin. Set the time in terms of the remaining Key Life. Re-Key Margin is the time when the negotiation process should be started automatically without interrupting the communication before key expiry.
For example, if the Key Life is 8 hours and Re-key Margin is 10 minutes then negotiation process will automatically start after 7 hours 50 minutes usage of Key Life.
Randomize Re-Keying Margin By Specify the Randomize Re-Keying time.
For example, if Key Life is 8 hours, Re-Key Margin is 10 minutes and Randomize Re-Keying time is 20%, then the Re-Key Margin will be 8 to 12 minutes and the negotiation process will start automatically 8 minutes before the key expiry and will try up to 2 minutes after key expiry.
Dead Peer Detection Enable (Dead Peer Detection) DPD to check at regular intervals whether a peer is live or not.
Check Peer After Every Specify the time after which the peer should be checked for its status. (Only if DPD option is “Enabled”). Once the connection is established, the peer which initiated the connection checks whether the other peer is live or not.
Wait For Response Upto Specify till what time (seconds) the initiating peer should wait for the status response. (Only if Dead Peer Detection option is “Enabled”). If the response is not received within the specified time, the peer is considered to be inactive.
Action When Peer Unreachable Specify what action should be taken if the peer is inactive. (Only if DPD option is ‘Enabled’)
Available Options:
• Hold – Holds the connection.
• Disconnect – Closes the connection.
• Re-initiate – Re-establishes the connection.
PHASE 2
Encryption Algorithm Select the Encryption Algorithm that would be used by communicating parties for integrity of exchanged data for phase 2.
Supported Encryption Algorithms: DES, 3DES, AES128, AES192, AES256, TwoFish, BlowFish, and Serpent.
3DES – Triple DES is a symmetric strong Encryption Algorithm that is compliant with the OpenPGP standard. It is the application of DES standard where three keys are used in succession to provide additional security.
AES – Advanced Encryption Standard offers the highest standard of security. The effective key lengths that can be used with AES are 128, 192 and 256 Bits. This security system supports a number of Encryption Algorithms.
Serpent – Serpent is a 128-bit block cipher, i.e. data is encrypted and decrypted in 128-bit chunks, with a variable key length of 128, 192 or 256 bits. The Serpent algorithm uses 32 rounds, or iterations, of the main algorithm.
Serpent is faster than DES and more secure than Triple DES.
BlowFish – BlowFish is a symmetric Encryption Algorithm which uses the same secret key to both encrypt and decrypt messages. It is also a block cipher which divides a message into fixed length blocks during encryption and decryption. It has a 64-bit block size and a key length of anywhere from 32 bits to 448 bits and uses 16 rounds of main algorithm.
TwoFish – Twofish is a symmetric key block cipher with a block size of 128 bits and key sizes up to 256 bits.
Authentication Algorithm Select the Authentication Algorithm that would be used by communicating parties for integrity of exchanged data for phase 2.
Supported Authentication Algorithms: MD5, SHA1
A maximum of three combinations of encryption and authentication algorithm can be selected. The remote peer must be configured to use at least one of the defined combinations.
Click to add more than one combination of encryption and authentication algorithm.
PFS Group (DH Group) Select one DH group from 1, 2, 5, 14, 15 or 16. DH Group specifies the key length used for encryption.
DH Group 1 uses 768-bit encryption
DH Group 2 uses 1024-bit encryption
DH Group 5 uses 1536-bit encryption
DH Group 14 uses 2048-bit encryption
DH Group 15 uses 3072-bit encryption
DH Group 16 uses 4096-bit encryption
The remote peer must be configured to use the same group. If mismatched groups are specified on each peer, negotiation fails.
If “Same as Phase 1” is selected PFS group specified at connection initiator’s end will be used.
If No PFS is selected, this security parameter cannot be added for Phase 2.
Key Life Specify the Key Life in terms of seconds.
Key Life is the amount of time that will be allowed to pass before the key expires.
Default time is 3600 seconds.
If Manual Keying method is selected
Local SPI Enter the value of the Local SPI.
Remote SPI Enter the value of the Remote SPI.
Encryption Algorithm Select the encryption algorithm that would be used by communicating parties for integrity of exchanged data for phase 1.
Supported Encryption algorithms: DES, 3DES, AES128, AES192, AES256.
3DES – Triple DES is a symmetric strong encryption algorithm that is compliant with the OpenPGP standard. It is the application of DES standard where three keys are used in succession to provide additional security.
AES – Advanced Encryption Standard offers the highest standard of security. The effective key lengths that can be used with AES are 128, 192 and 256 Bits. This security system supports a number of encryption algorithms.
Inbound Encryption Key Enter the hexadecimal (hex) value of the Inbound Encryption Key based on the Encryption Algorithm selected.
Outbound Encryption Key Enter the hexadecimal (hex) value of the Outbound Encryption Key based on the Encryption Algorithm selected.
Authentication Algorithm Select the Authentication Algorithm that would be used by communicating parties for integrity of exchanged data for phase 2.
Supported Authentication Algorithms: MD5, SHA1
A maximum of three combinations of encryption and authentication algorithm can be selected. The remote peer must be configured to use at least one of the defined combinations.
Click to add more than one combination of encryption and authentication algorithm.
Inbound Authentication Key (Hex) Enter the hexadecimal (hex) value of the Inbound Authentication Key based on the Authentication Algorithm selected.
Outbound Authentication Key (Hex) Enter the hexadecimal (hex) value of the Outbound Authentication Key based on the Authentication Algorithm selected.
Table – Add VPN Policy screen elements
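The matching rules and re-key timing described in the policy table above and in the Tunnel Negotiation section, worked through as an added Python example (not Cyberoam's code): the dataclasses, the sample head-office and branch-office policies, and the list of algorithms flagged as weak are this example's own assumptions.

```python
"""Policy negotiation and re-key timing for the VPN Policy parameters above."""
from dataclasses import dataclass

# Key length (bits) per DH group, from the guide's table
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096}
SAME_AS_PHASE1 = "Same as Phase 1"
NO_PFS = None
# Flagged here as this example's own assumption; the guide lists them without comment
WEAK_ALGORITHMS = {"DES", "MD5"}


@dataclass
class PhasePolicy:
    proposals: list          # up to three (encryption, authentication) tuples
    dh_group: object         # group number, SAME_AS_PHASE1 or NO_PFS (phase 2 only)
    key_life: int            # seconds


@dataclass
class VpnPolicy:
    name: str
    phase1: PhasePolicy
    phase2: PhasePolicy
    rekey_margin: int = 600  # Re-key Margin, seconds of remaining Key Life
    randomize_pct: int = 0   # Randomize Re-Keying Margin By, percent


def first_common(local, remote):
    """First encryption/authentication combination both peers list, or None."""
    return next((p for p in local if p in remote), None)


def rekey_window(key_life, margin, randomize_pct):
    """(earliest, latest) seconds of key usage after which re-keying may start.
    The guide's example (8 h, 10 min, 20 %) gives a margin of 8 to 12 minutes."""
    spread = margin * randomize_pct // 100
    return key_life - margin - spread, key_life - margin + spread


def negotiate(initiator: VpnPolicy, responder: VpnPolicy) -> dict:
    """Apply the guide's matching rules and report the outcome or the failure reasons."""
    out = {"errors": [], "warnings": []}
    for pol in (initiator, responder):
        for label, ph in (("phase1", pol.phase1), ("phase2", pol.phase2)):
            if len(ph.proposals) > 3:
                out["errors"].append(f"{pol.name} {label}: more than three combinations")
            for enc, auth in ph.proposals:
                if enc in WEAK_ALGORITHMS or auth in WEAK_ALGORITHMS:
                    out["warnings"].append(f"{pol.name} {label}: weak algorithm {enc}/{auth}")

    p1 = first_common(initiator.phase1.proposals, responder.phase1.proposals)
    if p1 is None:
        out["errors"].append("phase1: no common encryption/authentication combination")
    if initiator.phase1.dh_group != responder.phase1.dh_group:
        out["errors"].append("phase1: DH group mismatch (the group cannot be switched during negotiation)")

    p2 = first_common(initiator.phase2.proposals, responder.phase2.proposals)
    if p2 is None:
        out["errors"].append("phase2: no common encryption/authentication combination")

    # "Same as Phase 1" resolves to the PFS group at the connection initiator's end
    def pfs_group(pol):
        g = pol.phase2.dh_group
        return initiator.phase1.dh_group if g == SAME_AS_PHASE1 else g

    g_init, g_resp = pfs_group(initiator), pfs_group(responder)
    if g_init != g_resp:
        out["errors"].append("phase2: PFS group mismatch")
    elif g_init is NO_PFS:
        out["warnings"].append("phase2: no PFS, so re-keying does not generate a new key from scratch")
    if out["errors"]:
        return out

    # With unequal key lives, renegotiation happens when the shorter one expires
    life1 = min(initiator.phase1.key_life, responder.phase1.key_life)
    life2 = min(initiator.phase2.key_life, responder.phase2.key_life)
    out["phase1"] = {"proposal": p1, "dh_bits": DH_GROUP_BITS.get(initiator.phase1.dh_group),
                     "key_life": life1,
                     "rekey_window": rekey_window(life1, initiator.rekey_margin, initiator.randomize_pct)}
    out["phase2"] = {"proposal": p2, "pfs_group": g_init, "key_life": life2,
                     "rekey_window": rekey_window(life2, initiator.rekey_margin, initiator.randomize_pct)}
    return out


if __name__ == "__main__":
    # Constructed sample policies for a head office (initiator) and a branch office
    head = VpnPolicy("head-office",
                     PhasePolicy([("AES256", "SHA1"), ("3DES", "MD5")], 14, 28800),
                     PhasePolicy([("AES256", "SHA1")], SAME_AS_PHASE1, 3600),
                     rekey_margin=600, randomize_pct=20)
    branch = VpnPolicy("branch-office",
                       PhasePolicy([("AES256", "SHA1")], 14, 28800),
                       PhasePolicy([("AES128", "SHA1"), ("AES256", "SHA1")], 14, 7200))
    for key, value in negotiate(head, branch).items():
        print(f"{key}: {value}")
```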
IPSec
IPSec (IP Security) is a suite of protocols designed to provide cryptographically secure communications at the IP layer (layer 3).
IPSec protocols:
• Authentication Header (AH) – Used for the authentication of packet senders and for ensuring the integrity of packet data. The AH protocol checks the authenticity and integrity of packet data. In addition, it checks that the sender and receiver IP Addresses have not been changed in transmission. Packets are authenticated using a checksum created by using an HMAC (Hash-based Message Authentication Code) in connection with a key.
• Encapsulating Security Payload (ESP) – Used for encrypting the entire packet and for authenticating its contents. In addition to the encryption, the ESP offers the ability to authenticate senders and verify packet contents.
IPSec modes:
• Transport Mode – The original IP packet is not encapsulated in another packet. The original IP header is retained, and the rest of the packet is sent either in clear text (AH) or encrypted (ESP). Either the complete packet can be authenticated with AH, or the payload can be encrypted and authenticated using ESP. In both cases, the original header is sent over the WAN in clear text. Use Transport Mode where both endpoints understand IPSec directly. Transport Mode is used between peers supporting IPSec, or between a host and a gateway, if the gateway is being treated as a host.
• Tunnel Mode – The complete packet – header and payload – is encapsulated in a new IP packet. An IP header is added to the IP packet, with the destination address set to the receiving tunnel endpoint. The IP Addresses of the encapsulated packets remain unchanged. The original packet is then authenticated with AH or encrypted and authenticated using ESP. Tunnel Mode is primarily used for interoperability with gateways or end systems that do not support L2TP/IPSec or PPTP VPN site-to-site connections.
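As an added example, not part of the guide or Cyberoam's code, the following Python builds a transport-mode AH packet protected with HMAC-SHA1-96 and checks the property the text describes: a sender or receiver address changed in transmission fails the integrity check, while mutable fields such as TTL are excluded from the HMAC. The key, addresses and payload are constructed sample values.

```python
"""Minimal IPSec AH (transport mode) integrity check with HMAC-SHA1-96."""
import hashlib
import hmac
import struct

AH_PROTO = 51        # IP protocol number for AH
UDP_PROTO = 17
ICV_LEN = 12         # HMAC-SHA1-96: first 96 bits of the HMAC-SHA1 output
AH_FIXED_LEN = 12    # next header, payload len, reserved, SPI, sequence number


def _ip_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def ipv4_header(src: str, dst: str, total_len: int, proto: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header without options. The header checksum is left zero here;
    it is a mutable field and is not covered by AH in any case."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0,
                       ttl, proto, 0, _ip_bytes(src), _ip_bytes(dst))


def _zero_mutable(ip_hdr: bytes) -> bytes:
    """ToS, flags/fragment offset, TTL and checksum change in transit, so they are
    zeroed before the HMAC is computed; addresses, length and protocol are covered."""
    h = bytearray(ip_hdr)
    h[1] = 0                  # ToS / DSCP / ECN
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h)


def _ah_header(next_hdr: int, spi: int, seq: int, icv: bytes) -> bytes:
    # Payload Len is the AH length in 32-bit words minus 2
    payload_len = (AH_FIXED_LEN + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_hdr, payload_len, 0, spi, seq) + icv


def _icv(key: bytes, ip_hdr: bytes, next_hdr: int, spi: int, seq: int, payload: bytes) -> bytes:
    covered = (_zero_mutable(ip_hdr)
               + _ah_header(next_hdr, spi, seq, b"\x00" * ICV_LEN)   # ICV field zeroed
               + payload)
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]


def ah_transport_encapsulate(key: bytes, src: str, dst: str, spi: int, seq: int,
                             inner_proto: int, payload: bytes) -> bytes:
    """Transport mode: the original IP header is kept (and travels in clear text);
    AH is inserted between it and the original payload."""
    total_len = 20 + AH_FIXED_LEN + ICV_LEN + len(payload)
    ip_hdr = ipv4_header(src, dst, total_len, AH_PROTO)
    icv = _icv(key, ip_hdr, inner_proto, spi, seq, payload)
    return ip_hdr + _ah_header(inner_proto, spi, seq, icv) + payload


def ah_verify(key: bytes, packet: bytes) -> bool:
    """Receiver side: recompute the ICV over the immutable fields and compare."""
    ip_hdr, rest = packet[:20], packet[20:]
    if ip_hdr[9] != AH_PROTO:
        return False
    next_hdr, payload_len, _, spi, seq = struct.unpack("!BBHII", rest[:AH_FIXED_LEN])
    ah_len = (payload_len + 2) * 4
    icv, payload = rest[AH_FIXED_LEN:ah_len], rest[ah_len:]
    return hmac.compare_digest(icv, _icv(key, ip_hdr, next_hdr, spi, seq, payload))


def rewrite_source(packet: bytes, new_src: str) -> bytes:
    """Simulate a NAT device or on-path host rewriting the source address."""
    return packet[:12] + _ip_bytes(new_src) + packet[16:]


def decrement_ttl(packet: bytes) -> bytes:
    """Simulate a router hop: TTL is mutable, so AH must still verify."""
    return packet[:8] + bytes([packet[8] - 1]) + packet[9:]


if __name__ == "__main__":
    KEY = b"constructed-sample-key"     # constructed value for this example only
    pkt = ah_transport_encapsulate(KEY, "10.0.0.1", "10.0.0.2", 0x1000, 1,
                                   UDP_PROTO, b"hello over AH")
    print("intact packet verifies:      ", ah_verify(KEY, pkt))                              # True
    print("after one router hop (TTL-1):", ah_verify(KEY, decrement_ttl(pkt)))               # True
    print("after source address rewrite:", ah_verify(KEY, rewrite_source(pkt, "192.0.2.9")))  # False
```

The last case is also why AH does not survive a NAT device between the endpoints, which is the situation the NAT Traversal option in the connection tables addresses.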
IPSec connections types (for Tunnel mode only):
• Remote Access – This type of VPN is a user-to-internal network connection via a public or shared network. Many large companies have employees that need to connect to the Internal network while they are on-field. These field agents access the Internal network by using remote computers and laptops without static IP Address.
• Site-to-Site – A Site-to-Site VPN connects an entire network (such as a LAN or WAN) to a remote network by way of a network-to-network connection. A network-to-network connection requires routers on each side of the connecting networks to transparently process and route information from one node on a LAN to a node on a remote LAN.
• Host-to-Host – Host-to-Host VPN connects one desktop or workstation to another by the way of a host-to-host connection. This type of connection uses the network to which each host is connected to create the secure tunnel to each other.
• Connection
• Failover Group
Manage IPSec Connection
To manage IPSec connections, go to VPN > IPSec > Connection.
Note IPSec connection – On deletion of the connection, the Appliance does not delete its related hosts and Firewall Rules related to the connection. Manual intervention is required to delete them. Remote Access connection – On deletion of the connection, the Appliance deletes all the dynamically created hosts and Firewall Rules related to the connection. IPSec connection can be established on IP Aliases created for WAN interfaces. Deleting Alias would delete the associated IPSec VPN connection.
Screen – Manage IPSec Connections
Screen Elements Description
Name Displays the name for the IPSec Connection.
Group Name Displays the name for Failover Group.
Policy Displays the name of the VPN Policy selected.
Point to the policy link to view or edit the policy details.
Connection Type Displays the type of Connection selected: Remote Access, Site-to-Site or Host-to-Host.
Status (Active/Connection) Displays status of the Connection.
– Activated and Disconnected. Click to initiate the connection.
– Activated and Connected. Click to disconnect the connection. When you disconnect, connection will be deactivated and to re-establish the connection, activate connection.
– Activated but Partially connected. Click to disconnect the connection. When multiple subnets are configured for LAN and/or remote network, the Appliance creates a sub-connection for each subnet. Connection Status in Yellow color indicates that one of the sub-connections is not active.
Clicking any of the above icons will toggle its status from Activated and Connected to Activated and Disconnected and vice versa. A confirmation pop-up prompting the same will be displayed.
Remote Gateway Displays the Remote VPN Server IP Address selected as the Remote Gateway.
Local Subnet Displays an IP Host selected as Local Subnet.
X-Auth Displays the Authentication Mode selected: Enabled as Server, Enabled as Client or Disabled.
Remote Subnet Displays an IP Host selected as Remote Subnet.
Remote ID Displays a value for Remote ID selected.
For Preshared Key and RSA Key, DER ASN1 DN (X.509) is not applicable.
Authentication Type Displays the type of Authentication selected – Preshared Key, Digital Certificate or RSA Key.
Authentication of user depends on the connection type.
Action on VPN Restart Displays the Action taken on the connection when VPN services or Appliance restarts – Respond Only, Initiate or Disable.
Local ID Displays the value for local ID selected - DNS, IP Address, Email Address or DER ASN1 DN (X.509).
For Preshared Key and RSA Key, DER ASN1 DN (X.509) is not applicable.
In case of Local Certificate, ID and its value is displayed automatically as specified in the Local Certificate.
Export Icon Click the Export Icon to export the connection configuration file.
Export icon is available for Remote Access connection only.
Table – Manage IPSec Connections screen elements
IPSec Connection Parameters
To add or edit VPN connections, go to VPN > IPSec > Connection. Click the Add Button to add a new connection or the Edit Icon in the Manage column against the connection to be modified.
Following are the VPN connection modes/types in Cyberoam.
Parameters – Remote Access VPN Connection
Screen – Add Remote Access IPSec Connection
Screen Elements Description
General Settings
Name Specify a name to identify the IPSec Connection.
Description Provide description for the IPSec Connection.
Connection Type Remote Access.
Policy Select the policy to be used for connection.
Policy can also be added by clicking “Add Policy” link.
Action on VPN Restart Select the Action to be taken on the connection when VPN services or the Appliance restarts.
Available Options:
• Respond Only – Keep connection ready to respond to any incoming request.
• Disable – Keep connection disabled till the user activates.
Authentication Details
Authentication Type
Select Authentication Type. Authentication of user depends on the connection type.
Available Options:
• Preshared Key authentication is a mechanism whereby a single key is used for encryption and decryption. Both the peers should possess this Preshared Key. Remote peer uses the same Preshared Key for decryption. On selecting this option the user will be required to provide the following details:
Preshared Key – Specify the Preshared Key to be used. Preshared Key should be of minimum 5 characters.
Confirm Preshared Key – Provide the same Preshared Key to confirm it.
This Preshared Key will have to be shared or communicated to the peer at the remote end. At the remote end, client will have to specify this key for authentication. Refer to VPN Client guide, Phase 1 Configuration.
If there is a mismatch in the key, the user will not be able to establish the connection.
• Digital Certificate authentication is a mechanism whereby sender and receiver both use digital certificate issued by the Certificate Authority. Both sender and receiver must have each other’s Certificate Authority.
Local Certificate – Select the local certificate that should be used for authentication by Cyberoam.
Remote Certificate – Select the remote certificate that should be used for authentication by remote peer.
Endpoints Details
Local Select Local WAN port from the list.
IP Aliases created for WAN interfaces will be listed along with the default WAN interfaces.
Remote Specify an IP Address or domain name of the remote peer.
Network Detail
IP Family IP family will be enabled automatically according to the IP selected in Local WAN port.
Local
Local Subnet Select Local LAN Address.
Add and Remove LAN Address using Add Button and Remove Button.
Local ID For Preshared Key and RSA Key, select any type of ID from the available options and specify its value.
Available Options:
• DNS
• IP Address
• DER ASN1 DN (X.509)
DER ASN1 DN (X.509) is not applicable.
In case of Local Certificate, ID and its value is displayed automatically as specified in the Local Certificate.
Remote
Allow NAT Traversal Enable NAT traversal if a NAT device is located between your VPN endpoints. This is observed when the remote peer has a private/non-routable IP address.
At a time only one connection can be established behind one NAT-box.
Remote LAN Network Select IP Hosts from the list of IP Hosts available.
You can also add a new IP Host and include it in the list by clicking “Add IP Host” link.
Remote ID For Preshared Key, select any type of ID from the available options and specify its value.
Available Options:
• DNS
• IP Address
• DER ASN1 DN (X.509)
DER ASN1 DN (X.509) is not applicable.
User Authentication
User Authentication Mode
Select whether User Authentication is required at the time of connection or not from the available options.
Available Options:
• Disabled – Click Disable if user authentication is not required.
• Enable as Client – If enabled as client, specify username and password.
• Enable as Server – If enabled as server, add all the users which are to be allowed to connect.
Quick Mode Selectors
Protocol Select all the protocols that are to be allowed for negotiations.
The Tunnel will pass only that data which uses the specified protocol.
Available Options:
• All
• ICMP
• UDP
• TCP
Local Port Specify Local Port for TCP or UDP.
Remote Port Specify Remote Port for TCP or UDP.
Advanced Settings
Disconnect when tunnel is idle Click this option to allow Cyberoam to delete an Idle VPN Session if it exceeds the specified Idle session time interval.
Default - Disable
Idle session time interval (Only if Disconnect when tunnel is idle option is “Enabled”) Specify the time limit after which an Idle VPN Session will be deleted by Cyberoam.
Acceptable Range – 120 to 999
Table – Add Remote Access VPN Connection screen elements
Parameters – Site-to-Site VPN Connection
Screen – Add Site to Site IPSec Connection
Screen Elements Description
General Settings
Name Specify a name to identify the IPSec Connection.
Description Provide description for the IPSec Connection.
Connection Type Site-to-Site.
Bind With An Interface Enable to bind the IPSec VPN tunnel with an interface for configuring Route-based VPN.
In Route-based VPN approach, routing decides which packets to route through the VPN tunnel.
On creation of an interface-based tunnel, a virtual tunnel interface will be created which will be displayed along with other interfaces for configuring Static and Dynamic routes.
Policy Select the policy to be used for the connection.
Action on VPN Restart Select the Action to be taken on the connection when VPN services or the Appliance restarts.
Available Options:
• Respond Only – Keep connection disabled till the user responds.
• Initiate – Activate connection on system/service start so that the connection can be established whenever required.
• Disable – Keep connection disabled till the user activates.
Route based IP Address Details (Only if “Bind With an Interface” is enabled)
Local IP Address Specify local IP Address for the tunnel interface.
You must configure this interface detail, if you want to use the interface in configuring dynamic routing.
Remote IP Address Specify remote IP Address for the tunnel interface.
You must configure this interface detail, if you want to use the interface in configuring dynamic routing.
Authentication Details
Authentication Type
Select Authentication Type. Authentication of user depends on the connection type.
Available Options:
• Preshared Key authentication is a mechanism whereby a single key is used for encryption and decryption. Both the peers should possess this Preshared Key. Remote peer uses the same Preshared Key for decryption. On selecting this option the user will be required to provide the following details:
Preshared Key – Specify the Preshared Key to be used. Preshared Key should be of minimum 5 characters.
Confirm Preshared Key – Provide the same Preshared Key to confirm it.
This Preshared Key will have to be shared or communicated to the peer at the remote end. At the remote end, client will have to specify this key for authentication. Refer to VPN Client guide, Phase 1 Configuration.
If there is a mismatch in the key, the user will not be able to establish the connection.
• Digital Certificate authentication is a mechanism whereby sender and receiver both use digital certificate issued by the Certificate Authority. Both sender and receiver must have each other’s Certificate Authority.
Local Certificate – Select the local certificate that should be used for authentication by Cyberoam.
Remote Certificate – Select the remote certificate that should be used for authentication by remote peer.
• RSA Key authentication is a mechanism whereby two keys – Local and Remote RSA - are used for encryption and decryption.
Local RSA Key – known only to the owner and never transmitted over network. Displays automatically generated key which cannot be modified.
A Local RSA key can be regenerated from CLI Console. Refer to Console guide for more details.
Remote RSA Key – Administrator will be required to provide the RSA Key.
Endpoints Details
Local Select Local WAN port from the list.
IP Aliases created for WAN interfaces will be listed along with the default WAN interfaces.
Remote Specify IP Address or domain name of the remote peer.
Click Add icon against the option “Remote” to add new endpoint pairs or click Remove icon to remove the endpoint pairs.
Name Specify a name for connection.
Failover Group Name Specify a name for Failover Group.
Failover Mail Notification Enable Mail Notification to receive a notification in case of connection failure. The notification is mailed to the Email Address configured in the Email Settings from the Notification Configuration Wizard.
Failover Condition IF Specify the Failover Condition. The Appliance checks for connection failure every 60 seconds and, if failure is detected, VPN traffic is transferred through the subsequent connection specified in the Connection Group. The Appliance considers the connection as failed if:
• Remote server does not reply – for Site-to-Site connection.
Specify the communication Protocol (TCP, UDP, PING). Select the protocol depending on the service to be tested on the remote server or local gateway, depending on the type of connection.
A request on the specified port is sent and, if it is not responding, the Appliance considers the Connection as failed and shifts the traffic to the subsequent connection.
Failover time can be configured from Network > Gateway.
Failover Condition is not applicable if:
• Connection is manually disconnected from either of the ends.
• Connection is not included in any Group.
Network Detail
IP Family Select the IP family to configure IPSec VPN tunnels with mixed IP families.
Available Options:
• IPv4
• IPv6
By default, IPv4 will be selected.
Four types of IPSec VPN tunnels can be created:
• 4 in 4 (IPv4 subnets with IPv4 gateway)
• 6 in 6 (IPv6 subnets with IPv6 gateway)
• 4 in 6 (IPv4 subnets with IPv6 gateway)
• 6 in 4 (IPv6 subnets with IPv4 gateway)
Local
Local Subnet Select Local LAN Address.
Add and Remove LAN Addresses using the Add Button and Remove Button.
Select “NAT Local LAN” if the private address is to be NATed.
NATed LAN
(only if NAT Local LAN is configured)
Select IP Host or Network Host from the available list.
IP Host can also be added by clicking on the “Add IP Host” link.
Local ID For Preshared Key and RSA Key, select any type of ID from the available options and specify its value.
Available Options:
• DNS
• IP Address
• DER ASN1 DN (X.509)
DER ASN1 DN (X.509) is not applicable.
In case of Local Certificate, the ID and its value is displayed automatically as specified in the Local Certificate.
Remote
Allow NAT Traversal Enable NAT traversal if a NAT device is located between your VPN endpoints. This is observed when the remote peer has a private/non-routable IP address.
At a time only one connection can be established behind one NAT-box.
Remote LAN Network Select IP Addresses and Netmask of the remote network which is allowed to connect to the Appliance server through VPN tunnel. Multiple subnets can be specified. Select IP Hosts from the list of IP Hosts available. You can also add a new IP Host and include in the list.
Remote ID For Preshared Key, select any type of ID from the available options and specify its value.
Available Options:
• DNS
• IP Address
• DER ASN1 DN (X.509)
DER ASN1 DN (X.509) is not applicable.
In a single connection, same subnet for LAN and Remote Network cannot be configured.
User Authentication
User Authentication Mode
Select whether User Authentication is required at the time of connection or not from the available options.
Available Options:
• Disabled – Click Disable if user authentication is not required.
• Enable as Client – If enabled as client, specify username and password.
• Enable as Server – If enabled as server, add all the users which are to be allowed to connect.
Quick Mode Selectors
Protocol Select the protocols that are to be allowed for negotiations.
Tunnel will pass only that data which uses the specified protocol.
Available Options:
• All
• ICMP
• UDP
• TCP
Local Port Specify Local Port for TCP or UDP.
Remote Port Specify Remote Port for TCP or UDP.
Advanced Settings
Disconnect when tunnel is idle
Click this option to allow Cyberoam to delete an Idle VPN Session if it exceeds the specified Idle session time interval.
Default - Disable
Idle session time interval
(Only if Disconnect when tunnel is idle option is “Enabled”)
Specify the time limit after which an Idle VPN Session will be deleted by Cyberoam.
Acceptable Range – 120 to 999
Table – Add Site to Site VPN Connection screen elements
Parameters – Host-to-Host VPN Connection
Screen – Add Host-to-Host IPSec Connection
Screen Elements Description
General Settings
Name Specify a name to identify the IPSec Connection.
Description Provide IPSec Connection Description.
Connection Type Host-to-Host.
Policy Select policy to be used for connection.
Action on VPN Restart Select the Action to be taken on the connection when VPN services or Appliance restarts.
Available Options:
• Respond Only – Keep connection disabled till the user responds.
• Initiate – Activate connection on system/service start so that the connection can be established whenever required.
• Disable – Keep connection disabled till the user activates.
Authentication Details
Authentication Type Select the Authentication Type. Authentication of the user depends on the connection type.
Available Options:
• Preshared Key authentication is a mechanism whereby a single key is used for encryption and decryption. Both peers should possess the Preshared Key. The remote peer uses the Preshared Key for decryption. On selecting this option, the user will be required to provide the following details:
Preshared Key – Specify the Preshared Key to be used. The Preshared Key should be a minimum of 5 characters.
Confirm Preshared Key – Provide the same Preshared Key to confirm it.
This Preshared Key will have to be shared or communicated to the peer at the remote end. At the remote end, the client will have to specify this key for authentication. Refer to VPN Client guide, Phase 1 Configuration.
If there is a mismatch in the key, the user will not be able to establish the connection.
• Digital Certificate authentication is a mechanism whereby sender and receiver both use a digital certificate issued by a Certificate Authority. Both sender and receiver must have each other’s Certificate Authority.
Local Certificate – Select the local certificate that should be used for authentication by Cyberoam.
Remote Certificate – Select the remote certificate that should be used for authentication by the remote peer.
• RSA Key authentication is a mechanism whereby two keys – Local and Remote RSA – are used for encryption and decryption.
Local RSA Key – Known only to the owner and never transmitted over the network. Displays the automatically generated key, which cannot be modified.
The Local RSA key can be regenerated from the CLI Console. Refer to the Console guide for more details.
Remote RSA Key – The administrator will be required to provide the RSA Key.
Endpoints Details
Local Select Local WAN port from the list.
IP Aliases created for WAN interfaces will be listed along with the default WAN interfaces.
Remote Specify IP Address or domain name of the remote peer.
Click Add icon against the option Remote to add new endpoint pairs or click Remove icon to remove the endpoint pairs.
Name Specify a name for connection.
Failover Group Name Specify a name for Failover Group.
Failover Mail Notification Enable Mail Notification to receive a notification in case of connection failure. The notification is mailed to the Email Address configured in Email Settings from the Notification Configuration Wizard.
Failover Condition Specify the Failover Condition. The Appliance checks for connection failure every 60 seconds and, if failure is detected, VPN traffic is transferred through the subsequent connection specified in the Connection Group. The Appliance considers the connection as failed if:
• Remote server does not reply – for Site-to-Site connection.
Specify the communication Protocol (TCP, UDP, PING). Select the protocol depending on the service to be tested on the remote server or local gateway, depending on the type of connection.
A request on the specified port is sent and, if it is not responding, the Appliance considers the Connection as failed and shifts the traffic to the subsequent connection.
Failover time can be configured from Network > Gateway.
Failover Condition is not applicable if:
• Connection is manually disconnected from either of the ends.
• Connection is not included in any Group.
Network Detail
IP Family IP family will be enabled automatically according to the IP selected in Local WAN port.
Local
Local ID For Preshared Key and RSA Key, select any type of ID from the available options and specify its value.
Available Options:
• DNS
• IP Address
• DER ASN1 DN (X.509)
DER ASN1 DN (X.509) is not applicable.
In case of Local Certificate, ID and its value is displayed automatically as specified in the Local Certificate.
Remote Network Details
Allow NAT Traversal Enable NAT traversal if a NAT device is located between your VPN endpoints. This is observed when the remote peer has a private/non-routable IP address.
At a time only one connection can be established behind one NAT-box.
Default - Enabled
Remote LAN Network Select IP Addresses and Netmask of the remote network which is allowed to connect to the Appliance. Multiple subnets can be specified. Select IP Hosts from the list of IP Hosts available on the Web Admin Console.
You can also add a new IP Host.
Remote ID For Preshared Key, select any type of ID from the available options and specify its value.
Available Options:
• DNS
• IP Address
• DER ASN1 DN (X.509)
DER ASN1 DN (X.509) is not applicable.
User Authentication
User Authentication Mode
Select whether User Authentication is required at the time of connection or not from the available options.
Available Options:
• Disabled – Click Disable if user authentication is not required.
• Enable as Client – If enabled as client, specify username and password.
• Enable as Server – If enabled as server, add all the users which are to be allowed to connect.
Quick Mode Selectors
Protocol Select all the protocols that are to be allowed for negotiations.
Tunnel will pass only that data which uses the specified protocol.
Available Options:
• All
• ICMP
• UDP
• TCP
Local Port Specify Local Port for TCP or UDP.
Remote Port Specify Remote Port for TCP or UDP.
Advanced Settings
Disconnect when tunnel is idle
Click this option to allow Cyberoam to delete an Idle VPN Session if it exceeds the specified Idle session time interval.
Default - Disable
Idle session time interval
(Only if Disconnect when tunnel is idle option is “Enabled”)
Specify the time limit after which an Idle VPN Session will be deleted by Cyberoam.
Acceptable Range – 120 to 999
Table – Add Host-to-Host VPN Connection screen elements
VPN Connection Wizard
The VPN Connection Wizard walks you step-by-step through the configuration of a VPN connection on the Appliance. After the configuration is completed, the wizard creates a new VPN connection.
The Wizard is divided into two panels – the Configuration panel and the Help panel. The configuration parameters are entered in the Configuration panel, while the Help panel on the left-most side provides help on the configuration parameters.
The first screen of the wizard provides an overview of the configuration steps. You can create three types of connections through the wizard:
1. Remote Access
2. Site to Site
3. Host to Host
IPSec connections can also be configured using the Wizard Button instead of directly through the Add option. To configure an IPSec connection using the Wizard, go to VPN > IPSec > Connection and click the Wizard Button.
Add Remote Access Connection
Screen 1 – IPSec Connection using Wizard
Screen Elements Description
Name Specify a name to identify the IPSec Remote Access Connection.
Description Specify IPSec Connection Description.
Table – VPN Connection Wizard screen elements
Screen 2 – Select Connection Type
Screen Elements Description
Connection Type Select Remote Access.
Policy All the policies, default as well as custom, will be available for selection.
Action Select the action for the connection.
Available Options:
• Respond Only - Keep connection disabled till the user responds
• Disable - Keep connection disabled till the user activates
Table – Select Connection Type screen elements
Screen 3 – Remote Access: Authentication Details
Screen Elements Description
Authentication Details
Authentication Type Select the Authentication Type. Authentication of the user depends on the connection type.
Available Options:
• Preshared Key authentication is a mechanism whereby a single key is used for encryption and decryption. Both peers should possess the Preshared Key. The remote peer uses the Preshared Key for decryption. On selecting this option, the user will be required to provide:
Preshared Key – Specify the Preshared Key to be used. The Preshared Key should be a minimum of 5 characters.
Confirm Preshared Key – Provide the same Preshared Key to confirm it.
This Preshared Key will have to be shared or communicated to the peer at the remote end. At the remote end, the client will have to specify this key for authentication. Refer to VPN Client guide, Phase 1 Configuration.
If there is a mismatch in the key, the user will not be able to establish the connection.
• Digital Certificate authentication is a mechanism whereby sender and receiver both use a digital certificate issued by a Certificate Authority. Both sender and receiver must have each other’s Certificate Authority. On selecting this option, the user will be required to provide:
Local Certificate – Select the local certificate that should be used for authentication by the Appliance.
Remote Certificate – Select the remote certificate that should be used for authentication by the remote peer.
Table – Remote Access: Authentication Details screen elements
Screen 4 – Remote Access: Local Network Details
Screen Elements Description
Local Network Details
Local WAN Port Select the WAN Port which will act as an end-point of the tunnel.
IP Family IP family will be enabled automatically according to the IP selected in Local WAN port.
Local Subnet Select Local LAN Address.
Local ID For Preshared Key select any type of ID and specify its value.
DER ASN1 DN (X.509) is not applicable.
In case of Local Certificate, ID and its value is displayed automatically as specified in the Local Certificate.
Table – Remote Access: Local Network Details screen elements
Screen 5 – Remote Access: Remote Network Details
Screen Elements Description
Remote Network Details
Remote VPN Server Select the IP Address of the remote peer/host. Specify * for any IP Address.
Allow NAT Traversal Enable NAT traversal if a NAT device is located between your VPN endpoints. This is observed when the remote peer has a private/non-routable IP address.
At a time only one connection can be established behind one NAT-box.
IP Family IP family will be enabled automatically according to the IP selected in Local WAN port.
Remote Subnet Select IP Hosts from the list of IP Hosts available.
Remote ID For Preshared Key, select any type of ID and specify its value, DER ASN1 DN (X.509) is not applicable.
Table – Remote Access: Remote Network Details screen elements
Screen 6 – Remote Access: User Authentication
Screen Elements Description
User Authentication
User Authentication Mode Select whether User Authentication is required at the time of connection or not from the available options.
Available Options:
• Disabled – Click Disable if user authentication is not required.
• Enable as Client – If enabled as client, specify username and password.
• Enable as Server – If enabled as server, add all the users which are to be allowed to connect.
Table – Remote Access: User Authentication screen elements
After completion of the IPSec connection configuration, Summary of the same shall be displayed on the consecutive page.
If the connection is successfully added then it will be added on the Connection page and Successful message will be displayed.
Screen 7 – Remote Access: IPSec Connection Summary
Screen 8 – Created Remote Access Connection
Add Site to Site Connection
Screen 1 – IPSec Connection using Wizard
Screen Elements Description
Name Specify a name to identify the IPSec Site to Site Connection.
Description Specify IPSec Connection Description.
Table – VPN Connection Wizard screen elements
Screen 2 – Select Connection Type
Screen Elements Description
Connection Type Select Site to Site.
Select Base Location Base Location is the location from where the connection will be established.
Available Options:
• Head Office
• Branch Office
Policy All the policies, default as well as custom will be available for selection.
Action Select Action for connection from the available options.
Available Options:
• Respond Only – Keep connection disabled till the user responds.
• Initiate – Activate connection on system/service start so that the connection can be established whenever required.
• Disable – Keep connection disabled till the user activates.
Table – Site To Site: Select Connection Type screen elements
Screen 3 – Site To Site: Authentication Details
Screen Elements Description
Authentication Details
Authentication Type Select the Authentication Type. Authentication of the user depends on the connection type.
Available Options:
• Preshared Key authentication is a mechanism whereby a single key is used for encryption and decryption. Both peers should possess the Preshared Key. The remote peer uses the Preshared Key for decryption. On selecting this option, the user will be required to provide:
Preshared Key – Specify the Preshared Key to be used. The Preshared Key should be a minimum of 5 characters.
Confirm Preshared Key – Provide the same Preshared Key to confirm it.
This Preshared Key will have to be shared or communicated to the peer at the remote end. At the remote end, the client will have to specify this key for authentication. Refer to VPN Client guide, Phase 1 Configuration.
If there is a mismatch in the key, the user will not be able to establish the connection.
• Digital Certificate authentication is a mechanism whereby sender and receiver both use a digital certificate issued by a Certificate Authority. Both sender and receiver must have each other’s Certificate Authority. On selecting this option, the user will be required to provide:
Local Certificate – Select the local certificate that should be used for authentication by Cyberoam.
Remote Certificate – Select the remote certificate that should be used for authentication by the remote peer.
• RSA Key authentication is a mechanism whereby two keys – Local and Remote RSA – are used for encryption and decryption.
Local RSA Key – Known only to the owner and never transmitted over the network. Displays the automatically generated key, which cannot be modified. The Local RSA Key can be regenerated from the CLI Console. Refer to the Console guide for more details.
Remote RSA Key – The administrator will be required to provide the RSA Key.
Table – Site To Site: Authentication Details screen elements
Screen 4 – Site To Site: Local Network Details
Screen Elements Description
Local Network Details
Local WAN Port Select the WAN Port which will act as an end point of the tunnel.
IP Family Select IP family to configure IPSec VPN tunnels with mixed IP families.
Local Subnet Select Local LAN Address.
Local ID For Preshared Key and RSA Key, select any type of ID and specify its value.
DER ASN1 DN (X.509) is not applicable.
In case of Local Certificate, ID and its value is displayed automatically as specified in the Local Certificate.
Table – Site To Site: Local Network Details screen elements
Screen 5 – Site to Site: Remote Network Details
Screen Elements Description
Remote Network Details
Remote VPN Server Specify the IP Address of remote peer/host. Specify * for any IP Address.
IP Family IP family will be enabled automatically according to the IP selected in Local WAN port.
Remote Subnet Select IP Addresses and Netmask of remote network which is allowed to connect to the Appliance server through the VPN tunnel. Multiple subnets can be specified. Select the IP Hosts from the list available. You can also add a new IP Host and include it in the list.
Remote ID For a Preshared Key, select any type of ID and specify its value, DER ASN1 DN (X.509) is not applicable.
In a single connection, same subnet for LAN and Remote network cannot be configured.
Table – Site To Site: Remote Network Details screen elements
Screen 6 – Site to Site: User Authentication
Screen Elements Description
User Authentication
User Authentication Mode Select whether User Authentication is required at the time of connection or not from the available options.
Available Options:
• Disabled – Click Disable if User Authentication is not required.
• Enable as Client – If enabled as client, specify Username and Password.
• Enable as Server – If enabled as server, add all the users which are to be allowed to connect.
Table – Site To Site: User Authentication screen elements
After completion of the IPSec connection configuration, Summary of the same shall be displayed on the consecutive page.
If the connection is successfully added then it will be added on the Connection page and a message prompting the same will be displayed.
Screen 7 – Site To Site: IPSec Connection Summary
Screen 8 – Created Site To Site Connection
Add Host to Host Connection
Screen 1 – IPSec Connection using Wizard
Screen Elements Description
Name Specify a name to identify the IPSec Connection.
Description Specify IPSec Connection Description.
Table – VPN Connection Wizard screen elements
Screen 2 – Select Connection Type
Screen Elements Description
Connection Type Select Host to Host.
Policy All the policies, default as well as custom will be available for selection.
Action Select the action for connection from the available options.
Available Options:
• Respond Only – Keep connection disabled till the user responds.
• Initiate – Activate connection on system/service start so that the connection can be established whenever required.
• Disable – Keep connection disabled till the user activates.
Table – Select Connection Type screen elements
Screen 3 – Host To Host: Authentication Details
Screen Elements Description
Authentication Details
Authentication Type Select the Authentication Type. Authentication of the user depends on the connection type.
Available Options:
• Preshared Key authentication is a mechanism whereby a single key is used for encryption and decryption. Both peers should possess the Preshared Key. The remote peer uses the Preshared Key for decryption. On selecting this option, the user will be required to provide:
Preshared Key – Specify the Preshared Key to be used. The Preshared Key should be a minimum of 5 characters.
Confirm Preshared Key – Provide the same Preshared Key to confirm it.
This Preshared Key will have to be shared or communicated to the peer at the remote end. At the remote end, the client will have to specify this key for authentication. Refer to VPN Client guide, Phase 1 Configuration.
If there is a mismatch in the key, the user will not be able to establish the connection.
• Digital Certificate authentication is a mechanism whereby sender and receiver both use a digital certificate issued by a Certificate Authority. Both sender and receiver must have each other’s Certificate Authority. On selecting this option, the user will be required to provide:
Local Certificate – Select the local certificate that should be used for authentication by the Appliance.
Remote Certificate – Select the remote certificate that should be used for authentication by the remote peer.
• RSA Key authentication is a mechanism whereby two keys – Local and Remote RSA – are used for encryption and decryption.
Local RSA Key – Known only to the owner and never transmitted over the network. Displays the automatically generated key, which cannot be modified. The Local RSA Key can be regenerated from the CLI Console. Refer to the Console guide for more details.
Remote RSA Key – The administrator will be required to provide the RSA Key.
Table – Host To Host: Authentication Details screen elements
Screen 4 – Host To Host: Local Network Details
Screen Elements Description
Local Network Details
Local WAN Port Select WAN Port which will act as end point of the tunnel.
IP Family IP family will be enabled automatically according to the IP selected in Local WAN port.
Local ID For a Preshared Key and RSA Key, select any type of ID and specify its value.
DER ASN1 DN (X.509) is not applicable.
In case of a Local Certificate, the ID and its value is displayed automatically as specified in the Local Certificate.
Table – Host To Host: Local Network Details screen elements
Screen 5 – Host To Host: Remote Network Details
Screen Elements Description
Remote Network Details
Remote VPN Server Select the IP Address of remote peer/host. Specify * for any IP Address.
Allow NAT Traversal Enable NAT traversal if a NAT device is located between your VPN endpoints. This is observed when the remote peer has a private/non-routable IP address.
At a time only one connection can be established behind one NAT-box.
Default - Enabled
IP Family IP family will be enabled automatically according to the IP selected in Local WAN port.
Remote Subnet Select the IP Addresses and Netmask of remote network which is allowed to connect to the Appliance server through VPN tunnel. Multiple subnets can be specified. Select the IP Hosts from the list of available Hosts.
You can also add a new IP Host.
Remote ID For a Preshared Key, select any type of ID and specify its value, DER ASN1 DN (X.509) is not applicable.
Table – Host To Host: Remote Network Details screen elements
Screen 6 – Host To Host: User Authentication
Screen Elements Description
User Authentication
User Authentication
Mode
Select whether User Authentication is required at the time
of connection or not from the available options.
Available Options:
• Disabled – Click Disable if user authentication is not required.
• Enable as Client – If enabled as client, specify Username and Password.
• Enable as Server – If Enabled as Server, add all the users which are to be allowed to connect.
Table – Host To Host: User Authentication screen elements
After completion of the IPSec connection configuration, Summary of the same shall be displayed on the consecutive page.
If the connection is successfully added then it will be added on the Connection page and a message prompting the same will be displayed.
Screen 7 – Host To Host: IPSec Connection Summary
Screen 8 – Created Host To Host Connection
Failover Group
Connection Failover
Connection Failover is a feature that provides an automatic backup connection for VPN traffic and “Always ON” VPN connectivity for IPSec connections. If the primary connection fails, the subsequent connection in the Group will take over without manual intervention and keep the traffic moving. The entire process is transparent to users. For example, if the connection established using the 4th Connection in the Group is lost, the 5th Connection will take over. Once the 4th Connection is restored, the 5th connection will automatically fail back to the 4th connection.
Connection Failback
During a connection failure, appliance checks the health of a primary connection every 60 seconds. When the primary connection is restored without the administrator’s intervention, secondary connection fails back to the primary connection.
Connection Failover Group
To configure connection failover, you have to:
• Create Connections.
• Create Failover Group. Failover Group is the grouping of all the connections that are to be used for failover. The order of connections in the Group defines failover priority of the connection.
• Define Failover condition.
A VPN group is a set of VPN tunnel configurations, better known as IPSec connections. The Phase 1 and Phase 2 security parameters for each connection in a group can be different or identical, except for the IP Address of the remote gateway. The order of connections in the Group defines the failover priority of the connection. Failover to the next connection will not occur if the group is manually deactivated.
The Failover Group containing the connection must be activated for the first time before participating in the failover.
The Appliance considers connection as Failed if:
• Remote peer does not reply - for Net to Net and Host to Host connection.
Connections that are not a part of the Failover Group do not participate in failover/failback process and such connections will not be re-established automatically if lost.
Prerequisites
• Packets of the protocol specified in the failover condition, and their replies, must be allowed between the local server and the remote server on both the Local and Remote server.
• One connection can be included in one Group only.
• Connection must be ACTIVE to participate in failover.
Behavior
1. Once the Connection is added as a member of the group, the following parameters will be overridden:
• Policy parameters - DPD as “Disable” and Key Negotiation Tries as 3
• Connection parameter - Action on VPN Restart as “Disable”
Once the Connection is removed from the group, the original Policy and Connection configuration will be considered.
2. If the connection is already established at the time of adding it to the Failover Group, it will get disconnected.
3. On factory reset, failover configuration will not be retained.
Manage Failover Groups
To configure the Failover condition for the Failover Groups, go to VPN > IPSec > Failover.
Screen – Manage Connection Failover Group
Screen Elements Description
Name Displays a name to identify the Group.
Status Displays status of the Connection.
- Activated and Disconnected.
- Activated and Connected.
- Activated but partially connected.
Connection Displays selected connection for Failover.
Table – Manage Connection Failover Groups screen elements
Failover Group Parameters
To add Failover Groups and failover conditions, go to VPN > IPSec > Failover Group. Click Add Button to add a new group. Failover Group Parameters are given below.
Screen – Add a Connection Failover Group
Screen Elements Description
Connection Group Details
Name Specify a name for connection group.
Select Connection(s) The “Available Connections” list displays the connections that can be added to the failover group. Click on the connections to be added to the Member Connections list. Cyberoam will select the subsequent active connection from the Member Connections list if the primary connection fails.
Connections having endpoints of different families can also be added to the failover group.
Top down order of connections in the Member Connections list specifies the failover preference i.e. if primary connection fails, the very next connection in the list will be used by Cyberoam to keep the VPN traffic moving.
Once the connection is included in any Group, it will not be displayed in “Available Connection” list.
Remote Access connections will not be listed in “Available Connections” list.
You need to define minimum 2 member connections in a Group.
Mail Notification Enable Mail Notification to receive a notification in case a connection fails. The notification is mailed to the email address configured in Email Settings in the Network Configuration Wizard.
Failover Condition
IF Specify the failover condition. Cyberoam checks for connection failure every 60 seconds; if a failure is detected, VPN traffic is transferred through the next connection in the connection group. Cyberoam considers a connection failed if the failover condition is not met.
Specify the communication protocol (TCP, UDP or PING). Select the protocol according to the service to be tested on the remote server or the local gateway, depending on the type of connection.
A request is sent on the specified port; if it is not answered, the appliance considers the connection failed and shifts the traffic to the next connection. Probe a host that is reachable only through the tunnel: a target that can also be reached outside the tunnel will keep answering after the tunnel has failed, and no failover will occur.
Failover time can be configured from Network > Gateway.
The failover condition is not applicable if:
• the connection is manually disconnected from either end;
• the connection is not included in any group.
Table – Add Connection Failover Group screen elements
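The following Python model of the failover group logic is an added example, not appliance code. The class and function names are hypothetical; only the behaviour the guide states is encoded (members tried in top-down order, ACTIVE members only, manually disconnected members not probed, at least two members per group, a connection in one group only, a check every 60 seconds). tcp_probe is a real TCP connect check for the TCP condition; UDP and PING conditions are left to a caller-supplied probe, and simulate() runs one check against canned probe results so the selection rule can be exercised offline.

```python
"""Failover-group evaluation following the guide's Failover Condition rules.

Added example, not appliance code. FailoverGroup, Member, tcp_probe,
group_error, membership_conflict and simulate are hypothetical names that
encode only what the guide states: top-down preference, ACTIVE members only,
manually disconnected members not probed, at least two members per group,
one group per connection, and a check every 60 seconds.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

CHECK_INTERVAL_SECONDS = 60   # guide: failure is checked every 60 seconds
MIN_MEMBERS = 2               # guide: minimum 2 member connections per group


@dataclass
class Member:
    name: str
    remote_host: str        # server reached through the tunnel
    protocol: str           # "TCP", "UDP" or "PING", as on the IF field
    port: Optional[int]     # probed port for TCP/UDP; None for PING
    active: bool = True     # only ACTIVE connections participate in failover
    manually_disconnected: bool = False


Probe = Callable[[Member], bool]


def tcp_probe(member: Member, timeout: float = 3.0) -> bool:
    """TCP condition: a completed handshake on the port counts as responding.
    UDP and PING need a service-specific reply or ICMP (raw sockets), so the
    caller supplies its own probe for those members."""
    if member.protocol != "TCP" or member.port is None:
        raise ValueError(f"{member.name}: tcp_probe handles only TCP members with a port")
    try:
        with socket.create_connection((member.remote_host, member.port), timeout=timeout):
            return True
    except OSError:
        return False


def group_error(name: str, members: List[Member]) -> Optional[str]:
    """Why a group definition is invalid, or None if it is acceptable."""
    if len(members) < MIN_MEMBERS:
        return f"group {name!r}: at least {MIN_MEMBERS} member connections are required"
    names = [m.name for m in members]
    if len(set(names)) != len(names):
        return f"group {name!r}: a connection is listed more than once"
    return None


class FailoverGroup:
    def __init__(self, name: str, members: List[Member]) -> None:
        err = group_error(name, members)
        if err:
            raise ValueError(err)
        self.name = name
        self.members = list(members)   # top-down order = failover preference

    def evaluate(self, probe: Probe) -> Optional[Member]:
        """Most-preferred member whose condition is met, or None if all fail.
        Inactive and manually disconnected members are skipped, not probed."""
        for m in self.members:
            if not m.active or m.manually_disconnected:
                continue
            if probe(m):
                return m
        return None


def membership_conflict(groups: List[FailoverGroup]) -> Optional[str]:
    """Name of the first connection found in more than one group, else None."""
    seen: Dict[str, str] = {}
    for g in groups:
        for m in g.members:
            if m.name in seen and seen[m.name] != g.name:
                return m.name
            seen[m.name] = g.name
    return None


# Constructed sample data (not from the guide): three tunnels to one head office.
SAMPLE_MEMBERS = [
    Member("HO-primary", "10.10.1.10", "TCP", 443),
    Member("HO-backup", "10.10.1.10", "TCP", 443),
    Member("HO-4g", "10.10.1.10", "PING", None),
]


def simulate(results: Dict[str, bool], manually_disconnected: Optional[str] = None) -> Optional[str]:
    """One 60-second check with canned probe results; returns the chosen member's name."""
    members = [Member(m.name, m.remote_host, m.protocol, m.port,
                      manually_disconnected=(m.name == manually_disconnected))
               for m in SAMPLE_MEMBERS]
    chosen = FailoverGroup("HO-tunnels", members).evaluate(lambda m: results.get(m.name, False))
    return chosen.name if chosen else None
```

A production loop would call evaluate() every CHECK_INTERVAL_SECONDS with tcp_probe (or a UDP/ICMP probe) and switch routing when the returned member changes; the point of the model is that a connection which is inactive or manually disconnected is never probed, which is exactly why the guide says the failover condition does not apply to it.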
CISCO™ VPN Client
To configure a connection for CISCO™ VPN Client, go to VPN > CISCO™ VPN Client > CISCO™ VPN Client.
Screen – Manage CISCO™ VPN Client
Screen Element Description
General Settings
CISCO™ VPN Client Select to enable CISCO™ VPN Client.
All the fields will be available for configuration, once CISCO™ VPN Client is enabled.
Default - Disabled
Interface Select an interface from the list of WAN ports.
IP Aliases created for WAN interfaces will be listed along with the default WAN interfaces.
Authentication Type Select the authentication type. Authentication of the user depends on the connection type.
Available Options:
• Preshared Key authentication: a single secret, known to both peers, is used to authenticate the IKE negotiation; each peer proves knowledge of the same key. The preshared key authenticates the peers; the session keys that encrypt the tunnel traffic are derived during the IKE exchange. On selecting this option the user is required to provide:
Preshared Key – Specify the preshared key to be used. The preshared key must be at least 5 characters. Treat that as a floor, not a recommendation: the key is the only secret that authenticates the peer, so use a long, randomly generated key.
Confirm Preshared Key – Provide the same preshared key to confirm it.
This preshared key has to be communicated to the peer at the remote end. At the remote end, the client must specify this key for authentication. Refer to the VPN Client guide, Phase 1 Configuration.
If the keys do not match, the user will not be able to establish the connection.
• Digital Certificate authentication: sender and receiver both use a digital certificate issued by a Certificate Authority, and each side must trust the CA that issued the other side’s certificate (that is, have the other side’s CA certificate installed).
Local Certificate – Select the local certificate the appliance uses to authenticate itself.
Remote Certificate – Select the remote certificate the remote peer uses to authenticate itself.
Local ID Specify value for local ID selected.
Available Options:
• DNS
• IP Address
• Email Address
• DER ASN1 DN (X.509)
For Preshared Key and RSA Key, DER ASN1 DN (X.509) is not applicable.
In case of Local Certificate, ID and its value is displayed automatically as specified in the Local Certificate.
Remote ID Specify value for Remote ID selected.
Available Options:
• DNS
• IP Address
• Email Address
• DER ASN1 DN (X.509)
For Preshared Key and RSA Key, DER ASN1 DN (X.509) is not applicable.
Allowed User Provide all the users that are to be allowed to connect to the configured CISCO™ VPN Client for Apple iOS.
Client Information
Name Provide name to be displayed.
Assign IP from Specify the IP Address range. Cyberoam IPSEC server will lease IP Address to the Cisco™ IPSEC client from the specified IP Address range.
Do not specify the same IP Address range in L2TP configuration and PPTP configuration.
Allow leasing IP Address from RADIUS server for L2TP, PPTP and CISCO VPN Client Click to lease IP addresses to L2TP, PPTP and CISCO VPN Client users through the RADIUS server.
RADIUS is a protocol that allows network devices to authenticate users against a central database. It can also store technical information used by network devices, such as the address to assign to a user.
If enabled, the configured IP address is overridden with the IP address provided by the RADIUS server.
Default - Disable
DNS Server 1 Provide a DNS server IP address to be pushed to CISCO VPN Clients.
DNS Server 2 Provide a second DNS server IP address to be pushed to CISCO VPN Clients.
Advanced Settings
Disconnect when tunnel is idle Click this option to allow Cyberoam to delete an idle VPN session once it exceeds the specified idle session time interval.
Default - Disable
Idle session time interval (Only if “Disconnect when tunnel is idle” is enabled) Specify the time limit after which an idle VPN session is deleted by Cyberoam.
Acceptable Range – 120 to 999
Export Connection Click to export the Cisco VPN Client configuration.
This option is enabled only when a Cisco VPN connection is configured.
Reset Click to delete all the client configurations.
Table – Manage CISCO™ VPN Client screen elements
L2TP
You can use Layer 2 Tunnelling Protocol (L2TP) to create a VPN tunnel over public networks such as the Internet. For user authentication, Cyberoam currently supports only the Password Authentication Protocol (PAP). PAP sends the user’s password in cleartext inside the PPP session, so the L2TP connection must be protected by the IPSec policy and preshared key or certificate configured under Connection below; never expose a PAP-only L2TP server without IPSec.
• Configuration
• Connection
Configuration
To manage L2TP configuration, go to VPN > L2TP > Configuration.
Screen – Configure L2TP
Screen Elements Description
Enable L2TP Click to enable L2TP.
General Settings
Assign IP From Specify IP Address range if L2TP server has to lease IP Addresses.
Allow leasing IP Address from RADIUS server for L2TP, PPTP and CISCO VPN Client Click to lease IP addresses to L2TP users through the RADIUS server.
RADIUS is a protocol that allows network devices to authenticate users against a central database. It can also store technical information used by network devices.
If enabled, the configured IP address is overridden with the IP address provided by the RADIUS server.
Default – Disable
Client Information
Primary DNS Server Select the primary DNS server from the list. Alternatively, specify a DNS server by choosing “Other” from the list.
Secondary DNS Server Select the secondary DNS server from the list. Alternatively, specify a DNS server by choosing “Other” from the list.
Primary WINS Server Specify the WINS server.
Secondary WINS Server Specify the alternate WINS server.
Table – Configure L2TP screen elements
Add L2TP Members
Click the “Add Member(s)” button to add users or user groups to the L2TP members list. A pop-up window is displayed for selecting the users; you can select multiple users or user groups.
Screen – Add L2TP Members
Select the users or user groups that are to be allowed access through the L2TP connection. Click the “Apply” button to add them to the L2TP members list.
You can also search for users or user groups to be added to the members list.
View L2TP Members
Click the “Show L2TP Members” button to view the users or user groups in the L2TP members list. A pop-up window displays the users; you can also select multiple users or user groups and delete them.
Screen – View L2TP Members
The page displays the list of L2TP members who are allowed access through the L2TP connection. To delete users, select the users to be deleted and click the “Delete” button.
You can also search for users or user groups to be deleted from the members list.
Manage L2TP Connection
To manage L2TP connections, go to VPN > L2TP > Connection.
Screen – Manage L2TP Connection
Screen Elements Description
Name Displays a name for the L2TP Connection.
Policy Displays a name for the VPN Policy selected.
Point to the policy link to view or edit the policy details.
Authentication Type Displays type of Authentication selected: Preshared Key or Digital Certificate.
Status Displays the status of the connection.
– Activated and Disconnected. Click to initiate the connection.
– Activated and Connected. Click to disconnect the connection. When you disconnect, the connection is deactivated; to re-establish it, activate the connection again.
– Activated but Partially Connected. Click to disconnect the connection. When multiple subnets are configured for the LAN and/or remote network, Cyberoam creates a sub-connection for each subnet. A yellow connection status indicates that one of the sub-connections is not active.
Clicking any of the above icons toggles the status between Activated and Connected and Activated and Disconnected. A confirmation pop-up is displayed.
Table – Manage L2TP Connections screen elements
L2TP Connection Parameters
To add or edit L2TP connections, go to VPN > L2TP > Connection. Click the Add button to add a new connection or the Edit icon to modify the details of a connection. The L2TP connection parameters are given below.
Screen – Add a L2TP Connection
Screen Elements Description
General Settings
Name Specify a name to identify the L2TP Connection.
Description Provide description for L2TP connection.
Policy Select policy to be used for L2TP connection.
Action on VPN Restart Select an action for the connection.
Available Options:
• Respond Only – Do not initiate the connection; it is established only when the remote peer initiates.
• Initiate – Activate the connection on system/service start so that it is established whenever required.
• Disable – Keep the connection disabled till the user activates it.
Authentication Details
Authentication Type Select the authentication type. Authentication depends on the connection type.
Available Options:
• Preshared Key authentication: a single secret, known to both peers, is used to authenticate the IKE negotiation; each peer proves knowledge of the same key. The preshared key authenticates the peers; the session keys that encrypt the tunnel traffic are derived during the IKE exchange. On selecting this option the user is required to provide the following details:
Preshared Key – Specify the preshared key to be used. The preshared key must be at least 5 characters; treat that as a floor and use a long, randomly generated key, since it is the only secret that authenticates the peer.
Confirm Preshared Key – Provide the same preshared key to confirm it.
This preshared key has to be communicated to the peer at the remote end, which must specify it for authentication. Refer to the VPN Client guide, Phase 1 Configuration.
If the keys do not match, the user will not be able to establish the connection.
• Digital Certificate authentication: sender and receiver both use a digital certificate issued by a Certificate Authority, and each side must trust the CA that issued the other side’s certificate.
Select the Local Certificate that Cyberoam should use to authenticate itself.
Local Network Details
Local WAN Port Select Local WAN Port.
IP Aliases created for WAN interfaces will be listed along with the default WAN interfaces.
Local ID For a Preshared Key or RSA Key, select a type of ID from the available options and specify its value.
Available Options:
• DNS
• IP Address
• DER ASN1 DN (X.509)
For Preshared Key and RSA Key, DER ASN1 DN (X.509) is not applicable; it is used only with certificate authentication.
In the case of a Local Certificate, the ID and its value are displayed automatically as specified in the Local Certificate.
Remote Network Details
Remote Host Specify the IP address of the remote peer/host. Specify * for any IP address. With * and preshared key authentication, any host that knows the key can bring the connection up, so the key must be strong and tightly held.
Allow NAT Traversal Enable NAT traversal if a NAT device is located between your VPN endpoints. This is typically the case when the remote peer has a private, non-routable IP address.
Only one connection at a time can be established from behind one NAT device.
Default - Enabled
Remote LAN Network Select the IP addresses and netmasks of the remote network that is allowed to connect to the appliance. Multiple subnets can be specified. Select IP Hosts from the list of available IP Hosts; you can also add a new IP Host and include it in the list.
Remote ID For a Preshared Key, select a type of ID and specify its value.
Available Options:
• DNS
• IP Address
• DER ASN1 DN (X.509)
For Preshared Key, DER ASN1 DN (X.509) is not applicable; it is used only with certificate authentication.
Quick Mode Selectors
Local Port Specify Local Port for TCP or UDP.
Remote Port Specify Remote Port for TCP or UDP.
Advanced Settings
Disconnect when tunnel is idle Click this option to allow Cyberoam to delete an idle VPN session once it exceeds the specified idle session time interval.
Default - Disable
Idle session time interval (Only if “Disconnect when tunnel is idle” is enabled) Specify the time limit after which an idle VPN session is deleted by Cyberoam.
Acceptable Range – 120 to 999
Table – Add L2TP Connections screen elements
PPTP
The appliance supports PPTP to tunnel PPP traffic between two VPN peers. Windows or Linux PPTP clients can establish a PPTP tunnel with an appliance that has been configured to act as a PPTP server. PPTP’s usual authentication and encryption (MS-CHAPv2 with MPPE) have known, practical attacks; treat PPTP as a legacy option and prefer L2TP over IPSec or SSL VPN where the clients support them.
PPTP Configuration
To manage PPTP configuration, go to VPN > PPTP > Configuration.
Screen – Configure PPTP
Screen Elements Description
Enable PPTP Click to enable PPTP.
General Settings
Assign IP From Specify the IP Address range. The PPTP server will lease an IP Address to the PPTP client from the specified IP Address range. The PPTP client uses the assigned IP Address as its source address for the duration of the connection.
Do not specify the same IP Address range in L2TP configuration and PPTP configuration.
Allow leasing IP Address from RADIUS server for L2TP, PPTP and CISCO VPN Client Click to lease IP addresses to PPTP users through the RADIUS server.
RADIUS is a protocol that allows network devices to authenticate users against a central database. It can also store technical information used by network devices.
If enabled, the configured IP address is overridden with the IP address provided by the RADIUS server.
Default - Disable
Client Information
Primary DNS Server Specify the DNS server to be used at the client end.
Secondary DNS Server Specify the alternate DNS server to be used at the client end.
Primary WINS Server Specify the WINS server to be used at the client end.
Secondary WINS Server Specify the alternate WINS server to be used at the client end.
Table – Configure PPTP screen elements
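The guide warns in three places (the CISCO™ VPN Client, L2TP and PPTP configuration screens) not to give two of these services the same “Assign IP from” range, and a RADIUS-assigned address can silently override the configured one. The following Python check is an added example, not appliance code: it parses the pools, reports pairs that overlap, and also flags a pool that collides with an existing subnet (an added check beyond the guide’s warning). It assumes a pool is written as first-last or as a single address, since the guide does not show the field’s exact syntax; the pool names and addresses are constructed.

```python
"""Overlap check for the 'Assign IP from' pools of CISCO VPN Client, L2TP and PPTP.

Added example, not appliance code. It assumes a pool is written as
"first-last" (or a single address); the guide does not show the field's
exact syntax. Names and addresses below are constructed.
"""
import ipaddress
from itertools import combinations
from typing import Dict, List, Tuple

Pool = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]


def parse_pool(spec: str) -> Pool:
    """Parse 'a.b.c.d-a.b.c.e' (or a single address) into an inclusive (first, last) pair."""
    first, _, last = spec.partition("-")
    lo = ipaddress.IPv4Address(first.strip())
    hi = ipaddress.IPv4Address(last.strip()) if last else lo
    if hi < lo:
        raise ValueError(f"pool {spec!r}: last address precedes first address")
    return lo, hi


def pool_size(spec: str) -> int:
    """Number of leasable addresses in a pool (how many clients it can serve at once)."""
    lo, hi = parse_pool(spec)
    return int(hi) - int(lo) + 1


def overlaps(a: Pool, b: Pool) -> bool:
    """Inclusive ranges intersect when each starts no later than the other ends."""
    return a[0] <= b[1] and b[0] <= a[1]


def find_overlaps(pools: Dict[str, str]) -> List[Tuple[str, str]]:
    """Every pair of pool names whose address ranges intersect, in name order."""
    parsed = {name: parse_pool(spec) for name, spec in pools.items()}
    return [(x, y) for x, y in combinations(sorted(parsed), 2)
            if overlaps(parsed[x], parsed[y])]


def pools_clashing_with(pools: Dict[str, str], subnet: str) -> List[str]:
    """Pools that intersect a given subnet, e.g. a LAN the appliance already routes.

    Added check beyond the guide's warning: a leased address that also exists
    on the LAN makes the client's traffic ambiguous to route.
    """
    net = ipaddress.IPv4Network(subnet, strict=False)
    net_range: Pool = (net.network_address, net.broadcast_address)
    return sorted(name for name, spec in pools.items()
                  if overlaps(parse_pool(spec), net_range))


# Constructed sample: the L2TP and PPTP pools collide on 10.10.20.40-10.10.20.50.
SAMPLE_POOLS = {
    "CISCO VPN Client": "10.10.30.1-10.10.30.20",
    "L2TP": "10.10.20.1-10.10.20.50",
    "PPTP": "10.10.20.40-10.10.20.80",
}

if __name__ == "__main__":
    for a, b in find_overlaps(SAMPLE_POOLS):
        print(f"{a} and {b} overlap: choose disjoint ranges")
    for name in pools_clashing_with(SAMPLE_POOLS, "10.10.20.0/24"):
        print(f"{name} pool lies inside 10.10.20.0/24")
```

Run it against the three configured ranges before saving them; if RADIUS leasing is enabled, the Framed-IP-Address values handed out by the RADIUS server need the same check, because they replace the configured pool.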
Add PPTP Members
Click the “Add Member(s)” button to add users or user groups to the PPTP members list. A pop-up window is displayed for selecting the users; you can select multiple users or user groups.
Screen – Add PPTP Members
Select the users or user groups that are to be allowed access through the PPTP connection. Click the Apply button to add them to the PPTP members list.
You can also search for users or user groups to be added to the members list.
View PPTP Members
Click the “Show PPTP Members” button to view the users or user groups in the PPTP members list. A pop-up window displays the users; you can also select multiple users or user groups and delete them.
Screen – View PPTP Members
The page displays the list of PPTP members who are allowed access through the PPTP connection. To delete users, select the users to be deleted and click the “Delete” button.
You can also search for users or user groups to be deleted from the members list.
Live Connections
Live Connections displays the live VPN connections on the appliance. Two types of live connections can be managed: IPSec and SSL VPN connections.
• IPSec Connections
• SSL VPN Users
IPSec Connections
View the list of all the connected IPSec tunnels from VPN > Live Connections > IPSec Connections.
This page displays a list of all the connected IPSec tunnels; you can filter the list by Connection Name, Local Server Name, Local Subnet, User Name, Remote Server/Host or Remote Subnet.
This page allows the administrator to disconnect any of the IPSec connections. Click the ‘Disconnect’ button to disconnect a live connection.
Screen – Live IPSec VPN Connections
SSL VPN Users
This page lists all the connected SSL VPN users; go to VPN > Live Connections > SSL VPN Users.
It displays all currently logged-in SSL VPN users, and you can filter the connections by Time, User Name, Source IP Address or Leased IP Address.
The administrator can disconnect any of the SSL VPN users displayed in this list. Click the ‘Disconnect’ button to disconnect a live connection.
Screen – Live SSL VPN Connections