Cyberoam Configuration Guide for VPNC Interoperability Testing using DES Encryption Algorithm



Similar documents
Radius Integration Guide Version 9

Cyberoam IPSec VPN Client Configuration Guide Version 4

HTTP Client Installation Guide Version 9

High Availability Configuration Guide Version 9

IPSec VPN Client Installation Guide. Version 4

ADS Integration Guide

Cyberoam Multi link Implementation Guide Version 9

Virtual LAN Configuration Guide Version 9

SSL VPN Client Installation Guide Version 9

Version: 4.10 Build 010 Date: April, 2008

VPNC Interoperability Profile

Chapter 4 Virtual Private Networking

VPN Consortium Scenario 1: Gateway-to-Gateway with Preshared Secrets

SOFTWARE LICENSE LIMITED WARRANTY

VPN Consortium Scenario 1: Gateway-to-Gateway with Preshared Secrets

Cyberoam Anti Spam Implementation Guide Version 9

Chapter 8 Virtual Private Networking

CYBEROAM WINDOWS DOMAIN CONTROLLER INTEGRATION GUIDE VERSION:

CORPORATE HEADQUARTERS Elitecore Technologies Ltd. 904 Silicon Tower, Off. C.G. Road, Ahmedabad , INDIA

CORPORATE HEADQUARTERS Elitecore Technologies Ltd. 904 Silicon Tower, Off. C.G. Road, Ahmedabad , INDIA

STONEGATE IPSEC VPN 5.1 VPN CONSORTIUM INTEROPERABILITY PROFILE

Cyberoam Anti Spam Configuration Guide Version 9

Cyberoam Anti Virus Implementation Guide Version 9

SSL VPN Management Guide Version 10

ISG50 Application Note Version 1.0 June, 2011

Configuring TheGreenBow VPN Client with a TP-LINK VPN Router

How To Establish IPSec VPN connection between Cyberoam and Mikrotik router

Cyberoam Anti Spam Implementation Guide Version 9

Dell One Identity Cloud Access Manager How To Deploy Cloud Access Manager in a Virtual Private Cloud

Chapter 6 Basic Virtual Private Networking

Fireware How To VPN. Introduction. Is there anything I need to know before I start? Configuring a BOVPN Gateway

RouteFinder. IPSec VPN Client. Setup Examples. Reference Guide. Internet Security Appliance

Chapter 5 Virtual Private Networking Using IPsec

IPSec Pass through via Gateway to Gateway VPN Connection

Configure an IPSec Tunnel between a Firebox Vclass & a Check Point FireWall-1

Deploying Virtual Cyberoam Appliance in the Amazon Cloud Version 10

User Guide Version 9 Document version /03/2007

Netgear ProSafe VPN firewall (FVS318 or FVM318) to Cisco PIX firewall

Using IKEv2 on Juniper Networks Junos Pulse Secure Access Appliance

How To Establish IPSec VPN between Cyberoam and Microsoft Azure

IPsec VPN Application Guide REV:

How To Industrial Networking

How To Configure Apple ipad for Cyberoam L2TP

VPN Wizard Default Settings and General Information

Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Cisco Firewall. Overview

VPN. VPN For BIPAC 741/743GE

Workflow Guide. Establish Site-to-Site VPN Connection using Digital Certificates. For Customers with Sophos Firewall Document Date: November 2015

Shrew Soft VPN Client Configuration for GTA Firewalls

DI-804HV with Windows 2000/XP IPsec VPN Client Configuration Guide

Configure VPN between ProSafe VPN Client Software and FVG318

Cyberoam Virtual Security Appliance - Installation Guide for XenServer. Version 10

Spotlight Management Pack for SCOM

Configuring a VPN between a Sidewinder G2 and a NetScreen

UTM - VPN: Configuring a Site to Site VPN Policy using Main Mode (Static IP address on both sites) i...

VPN SECURITY POLICIES

Configuring Windows 2000/XP IPsec for Site-to-Site VPN

Configure IPSec VPN Tunnels With the Wizard

Lab 4.4.8a Configure a Cisco GRE over IPSec Tunnel using SDM

Installing the IPSecuritas IPSec Client

Creating a Gateway to Client VPN between Sidewinder G2 and a Mac OS X Client

V310 Support Note Version 1.0 November, 2011

How To Configure L2TP VPN Connection for MAC OS X client

Release Notes. NCP Secure Entry Mac Client. 1. New Features and Enhancements. 2. Improvements / Problems Resolved. 3. Known Issues

CITRIX SYSTEMS, INC. SOFTWARE LICENSE AGREEMENT

Configuring IPsec VPN with a FortiGate and a Cisco ASA

Netopia TheGreenBow IPSec VPN Client. Configuration Guide.

Unified Threat Management

User Guide Version 9.5.8

Workflow Guide. Establish Site-to-Site VPN Connection using RSA Keys. For Customers with Sophos Firewall Document Date: November 2015

GNAT Box VPN and VPN Client

FortiOS Handbook IPsec VPN for FortiOS 5.0

Copy Tool For Dynamics CRM 2013

Windows XP VPN Client Example

OvisLink 8000VPN VPN Guide WL/IP-8000VPN. Version 0.6

Release Notes. NCP Secure Entry Mac Client. Major Release 2.01 Build 47 May New Features and Enhancements. Tip of the Day

Configuring GTA Firewalls for Remote Access

Symantec AntiVirus Corporate Edition Patch Update

Configuring a GB-OS Site-to-Site VPN to a Non-GTA Firewall

Introduction. Quick Configuration Guide (QCG) Configuring a VPN for Multiple Subnets in AOS

IPsec VPN Security between Aruba Remote Access Points and Mobility Controllers

Self Help Guides. Create a New User in a Domain

Configuring IPSec VPN Tunnel between NetScreen Remote Client and RN300

Use Shrew Soft VPN Client to connect with IPSec VPN Server on RV130 and RV130W

IP Office Technical Tip

Create a VPN on your ipad, iphone or ipod Touch and SonicWALL NSA UTM firewall - Part 1: SonicWALL NSA Appliance

Global VPN Client Getting Started Guide

Gateway to Gateway VPN Connection

Internet. SonicWALL IP SEV IP IP IP Network Mask

Application Note: Integrate Cisco IPSec or SSL VPN with Gemalto SA Server. January

ios Deployment Simplified FileMaker How To Guide

Technical Document. Creating a VPN. GTA Firewall to WatchGuard Firebox SOHO 6 TDVPNWGSOHO

VPN Tracker for Mac OS X

ZyWALL 5. Internet Security Appliance. Quick Start Guide Version 3.62 (XD.0) May 2004

Dell One Identity Cloud Access Manager How to Configure for SSO to SAP NetWeaver using SAML 2.0

McAfee Firewall Enterprise 8.2.1

DME-N Network Driver Installation Guide for LS9

VPN Configuration Guide. ZyWALL USG Series / ZyWALL 1050

Transcription:

Cyberoam Configuration Guide for VPNC Interoperability Testing using DES Encryption Algorithm Document Version:2.0-12/07/2007

IMPORTANT NOTICE Elitecore has supplied this Information believing it to be accurate and reliable at the time of printing, but is presented without warranty of any kind, expressed or implied. Users must take full responsibility for their application of any products. Elitecore assumes no responsibility for any errors that may appear in this document. Elitecore reserves the right, without notice to make changes in product design or specifications. Information is subject to change without notice. USER S LICENSE The Appliance described in this document is furnished under the terms of Elitecore s End User license agreement. Please read these terms and conditions carefully before using the Appliance. By using this Appliance, you agree to be bound by the terms and conditions of this license. If you do not agree with the terms of this license, promptly return the unused Appliance and manual (with proof of payment) to the place of purchase for a full refund. LIMITED WARRANTY Software: Elitecore warrants for a period of ninety (90) days from the date of shipment from Elitecore: (1) the media on which the Software is furnished will be free of defects in materials and workmanship under normal use; and (2) the Software substantially conforms to its published specifications except for the foregoing, the software is provided AS IS. This limited warranty extends only to the customer as the original licenses. Customers exclusive remedy and the entire liability of Elitecore and its suppliers under this warranty will be, at Elitecore or its service center s option, repair, replacement, or refund of the software if reported (or, upon, request, returned) to the party supplying the software to the customer. In no event does Elitecore warrant that the Software is error free, or that the customer will be able to operate the software without problems or interruptions. Elitecore hereby declares that the anti virus and anti spam modules are powered by Kaspersky Labs and the performance thereof is under warranty provided by Kaspersky Labs. It is specified that Kaspersky Lab does not warrant that the Software identifies all known viruses, nor that the Software will not occasionally erroneously report a virus in a title not infected by that virus. Hardware: Elitecore warrants that the Hardware portion of the Elitecore Products excluding power supplies, fans and electrical components will be free from material defects in workmanship and materials for a period of One (1) year. Elitecore's sole obligation shall be to repair or replace the defective Hardware at no charge to the original owner. The replacement Hardware need not be new or of an identical make, model or part; Elitecore may, in its discretion, replace the defective Hardware (or any part thereof) with any reconditioned product that Elitecore reasonably determines is substantially equivalent (or superior) in all material respects to the defective Hardware. DISCLAIMER OF WARRANTY Except as specified in this warranty, all expressed or implied conditions, representations, and warranties including, without limitation, any implied warranty or merchantability, fitness for a particular purpose, non-infringement or arising from a course of dealing, usage, or trade practice, and hereby excluded to the extent allowed by applicable law. In no event will Elitecore or its supplier be liable for any lost revenue, profit, or data, or for special, indirect, consequential, incidental, or punitive damages however caused and regardless of the theory of liability arising out of the use of or inability to use the product even if Elitecore or its suppliers have been advised of the possibility of such damages. In the event shall Elitecore s or its supplier s liability to the customer, whether in contract, tort (including negligence) or otherwise, exceed the price paid by the customer. The foregoing limitations shall apply even if the above stated warranty fails of its essential purpose. In no event shall Elitecore or its supplier be liable for any indirect, special, consequential, or incidental damages, including, without limitation, lost profits or loss or damage to data arising out of the use or inability to use this manual, even if Elitecore or its suppliers have been advised of the possibility of such damages. RESTRICTED RIGHTS Copyright 2000 Elitecore Technologies Ltd. All rights reserved. Cyberoam, Cyberoam logo are trademark of Elitecore Technologies Ltd. Information supplies by Elitecore Technologies Ltd. Is believed to be accurate and reliable at the time of printing, but Elitecore Technologies assumes no responsibility for any errors that may appear in this documents. Elitecore Technologies reserves the right, without notice, to make changes in product design or specifications. Information is subject to change without notice CORPORATE HEADQUARTERS Elitecore Technologies Ltd. 904 Silicon Tower, Off. C.G. Road, Ahmedabad 380015, INDIA Phone: +91-79-66065606 Fax: +91-79-26407640 Web site: www.elitecore.com, www.cyberoam.com

Contents Scenario 1: Gateway-to-Gateway with preshared secrets... 4 Step-by-Step Configuration Gateway A... 5 Diagnostics... 6 Scenario 2: Gateway-to-Gateway with Digital Certificates... 7 Case I: Peers are using different CAs i.e. Gateway A and Gateway B are using different CAs... 8 Step-by-Step Configuration of Gateway A... 8 Diagnostics... 9 Case II: Peers are using trusted third party CA e.g. Verisign, Microsoft... 10 Step-by-Step Configuration of Gateway A... 10 Diagnostics... 11

Scenario 1: Gateway-to-Gateway with preshared secrets The following is a typical gateway-to-gateway VPN that uses a preshared secret for authentication. Gateway A connects the internal LAN 10.5.6.0/24 to the Internet. Gateway A's LAN interface has the address 10.5.6.1, and its WAN (Internet) interface has the address 14.15.16.17. Gateway B connects the internal LAN 172.23.9.0/24 to the Internet. Gateway B's WAN (Internet) interface has the address 22.23.24.25. Gateway B's LAN interface address, 172.23.9.1, can be used for testing IPsec but is not needed for configuring Gateway A. The IKE Phase 1 parameters used in Scenario 1 are: Main mode TripleDES SHA-1 MODP group 2 (1024 bits) pre-shared secret of "hr5xb84l6aa9r6" SA lifetime of 28800 seconds (eight hours) with no kbytes rekeying The IKE Phase 2 parameters used in Scenario 1 are: TripleDES SHA-1 ESP tunnel mode MODP group 2 (1024 bits) Perfect forward secrecy for rekeying SA lifetime of 3600 seconds (one hour) with no kbytes rekeying Selectors for all IP protocols, all ports, between 10.5.6.0/24 and 172.23.9.0/24, using IPv4 subnets

Step-by-Step Configuration Gateway A Log on to Gateway A using Web Admin Console and follow the steps: Step 1: Create VPN Policy Go to VPN Policy Create Policy and create VPN policy with following values: Policy Name: CRA-2-CRB Using Template: None Keying Method: Automatic Allow Re-keying: Yes Key Negotiation Tries: 3 Pass Data in Compressed Format: No Perfect Forward Secrecy (PFS): Yes Phase 1 Encryption Algorithm: 3DES Authentication Algorithm: SHA1 DH Group (Key Group): 2 (DH1024) Key life: 28800 sec Phase 2 Encryption Algorithm: 3DES Authentication Algorithm: SHA1 DH Group (Key Group): 2 (DH1024) Key life: 3600 sec Step 2: Create IPSec connection Go to VPN IPSec Connection Create Connection and create connection with the following values: Connection name: n2n_crb Policy: CRA-2-CRB Action on restart: Active Mode: Tunnel Connection Type: Net to Net Authentication Type: Preshared Key Preshared Key: hr5xb84l6aa9r6 Local server IP address (WAN IP address): 14.15.16.17 Local Internal Network: 10.5.6.0/24 Remote server IP address (WAN IP address): 22.23.24.25 Remote Internal Network: 172.23.9.0/24 User Authentication Mode: Disabled Protocol: All Step 3: Activate Connection Go to VPN IPSec Connection Manage Connection and click against the n2n_crb connection.

Under the Connection status indicates that the connection is successfully activated Step 4: Establish Connection To establish connection from Gateway A, go to VPN IPSec Connection Manage Connection and click against the connection under the Connection status indicates that the connection is successfully established. Diagnostics If you are not able to establish the connection, check VPN log from Telnet Console. 1. Log on to Telnet Console using command: telnet <Gateway IP address> 2. Type 8 in Select Menu number field to go to option VPN Management 3. Type 3 in Select Menu number field to go to option View VPN Logs Refer to http://kb.cyberoam.com/default.asp?id=305&lang=1&sid= for understanding logs and troubleshooting.

Scenario 2: Gateway-to-Gateway with Digital Certificates The following is a typical gateway-to-gateway VPN that uses a digital certificate for authentication. Gateway A connects the internal LAN 10.5.6.0/24 to the Internet. Gateway A's LAN interface has the address 10.5.6.1, and its WAN (Internet) interface has the address 14.15.16.17. Gateway B connects the internal LAN 172.23.9.0/24 to the Internet. Gateway B's WAN (Internet) interface has the address 22.23.24.25. Gateway B's LAN interface address, 172.23.9.1, can be used for testing IPsec but is not needed for configuring Gateway A. The IKE Phase 1 parameters used in Scenario 1 are: Main mode TripleDES SHA-1 MODP group 2 (1024 bits) Authentication with signatures authenticated by PKIX certificates; both Gateway A and Gateway B have end-entity certificates that chain to a root authority called "Trusted Root CA" SA lifetime of 28800 seconds (eight hours) with no kbytes rekeying The IKE Phase 2 parameters used in Scenario 1 are: TripleDES SHA-1 ESP tunnel mode MODP group 2 (1024 bits) Perfect forward secrecy for rekeying SA lifetime of 3600 seconds (one hour) with no kbytes rekeying

Selectors for all IP protocols, all ports, between 10.5.6.0/24 and 172.23.9.0/24, using IPv4 subnets Following sections are included: Case I Peers using different CA Case II Peers using Same CA Case I: Peers are using different CAs i.e. Gateway A and Gateway B are using different CAs Step-by-Step Configuration of Gateway A Log on to Gateway A using Web Admin Console and follow the steps: Step 1. Generate CA Go to VPN Certificate Authority Manage Certificate Authority and Click Default certificate authority. If you are generating CA for the first time, enter complete details as required else modify details if required. Click Generate/Re-generate Step 2. Download CA generated in step 1 and forward to the Gateway B. Go to VPN Certificate Authority Manage Certificate Authority Click Default certificate authority Click Download. CA is downloaded in tar.gz format. One can unzip the file using winzip or winrar. This CA is to be uploaded at Gateway B. Step 3. Obtain and Upload Remote Certificate Authority i.e. CA of Gateway B Unzip the CA received from the Remote user to extract two files: default.pem and default.der Go to VPN Certificate Authority Upload Certificate Authority Step 4. Generate Local Certificate Go to VPN Certificate New Certificate and click Self Signed Certificate to create certificate. Create certificate with the following value: Certificate name: AHMD_cert Valid upto: Specify as per your requirement Key length: Specify as per your requirement Password: Specify as per your requirement Certificate ID (Email): john@e*******.com Step 5. Download Default CRL and forward to Gateway B Go to VPN Certificate Authority Manage CRL Click Download This CRL is to be uploaded at Gateway B. Step 6. Obtain and Upload CRL of Gateway B Go to VPN Certificate Authority Upload CRL CRL Name: Specify as per your requirement CRL File: Provide file path of the CRL of Gateway B

Step 7. Create IPSec connection Go to VPN IPSec Connection Create Connection and create connection with the following values: Connection name: n2n_ahmd Policy: Default Policy Action on restart: Active Mode: Tunnel Connection Type: Net to Net Authentication Type: Digital Certificate Local Certificate: Select Certificate created in step 4 i.e. AHMD_cert Remote Certificate: Select External Certificate. Alternately if certificate DLH_cert used by Gateway B is available on Gateway A, you can select that certificate. Local server IP address (WAN IP address): 14.15.16.17 Local Internal Network: 10.5.6.0/24 Local ID: Automatically displays ID specified in the Local certificate created in step 4 i.e. john@e******.com Remote server IP address (WAN IP address): 22.23.24.25 Remote Internal Network: 172.23.9.0/24 Remote ID: dean@e*******.com (provided by Gateway B Administrator) User Authentication Mode: Disabled Protocol: All Step 8. Activate Connection Go to VPN IPSec Connection Manage Connection and click connection. against the n2n_ahmd under the Connection status indicates that the connection is successfully activated Step 9. Establish Connection To establish connection from Gateway A, go to VPN IPSec Connection Manage Connection and click against the connection under the Connection status indicates that the connection is successfully established. Diagnostics Same as Scenario 1

Case II: Peers are using trusted third party CA e.g. Verisign, Microsoft Step-by-Step Configuration of Gateway A Log on to Gateway A using Web Admin Console and follow the steps: Step 1. Obtain and upload third party CA Go to VPN Certificate Authority Upload Certificate Authority Certificate Authority Name: Specify as per your requirement Certificate Format: As provided by third party CA Certificate: File path of third party CA Click Upload Step 2. Obtain and Upload Certificate from third party CA Go to VPN Certificate New Certificate and click Upload Certificate Certificate name: Specify as per your requirement Password: Specify as per your requirement Confirm Password: Same as specified in Password field Certificate: File path of Certificate Private Key: File path for Private key Step 3. Obtain and Upload CRL from third party CA Go to VPN Certificate Authority Upload CRL CRL Name: Specify as per your requirement CRL File: File path of the CRL Step 4. Create IPSec connection Go to VPN IPSec Connection Create Connection and create connection with the following values: Connection name: n2n_ahmd Policy: Default Policy Action on restart: Active Mode: Tunnel Connection Type: Net to Net Authentication Type: Digital Certificate Local Certificate: Select Certificate uploaded in step 2 Remote Certificate: Select External Certificate Local server IP address (WAN IP address): 14.15.16.17 Local Internal Network: 10.5.6.0/24 Local ID: Automatically displays ID specified in the Local certificate uploaded in step 2 i.e. john@e*****.com Remote server IP address (WAN IP address): 22.23.24.25

Remote Internal Network: 172.23.9.0/24 Remote ID: dean@e******.com (Provided by Gateway B Administrator) User Authentication Mode: Disabled Protocol: All Step 5. Activate Connection Go to VPN IPSec Connection Manage Connection and click connection. against the n2n_ahmd under the Connection status indicates that the connection is successfully activated Step 6. Establish Connection To establish connection from Gateway A, go to VPN IPSec Connection Manage Connection and click against the connection under the Connection status indicates that the connection is successfully established. Diagnostics Same as Scenario 1

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information