How To Establish Site-to-Site IPSec Connection between Cyberoam and Cisco Router (through Command Line) using Preshared Key

Applicable Version: 10.00 onwards

Scenario

Set up a Site-to-Site IPSec VPN connection between Cyberoam and Cisco Router using Preshared Key to authenticate VPN peers. Throughout the article we have used network parameters as shown in the diagram below.

This article has two (2) sections:

- Cisco Configuration
- Cyberoam Configuration

Cisco Configuration

Configure Cisco Router by following the steps given below.

Step 1: Log on to the CLI of Cisco Router with Enable privilege

    Cisco> en
    Password: ******
    Cisco# conf t

Step 2: Configuring IKE Parameters

    crypto isakmp policy 10
     encryption 3des
     hash md5
     authentication pre-share
     group 2
     lifetime 28800
    crypto isakmp key 12abcde34 address 223.255.246.212

You can verify the IKE Parameters you configured by executing the following command:

    show crypto isakmp policy

Step 3: Define Access-list to allow IPSec tunnel traffic

    access-list 100 permit ip 172.50.50.0 0.0.0.255 172.16.16.0 0.0.0.255

Step 4: Configuring IPSec Parameters

    crypto ipsec transform-set dlhtransform ESP-3des ESP-md5-hmac
    crypto map dhhmap 10 ipsec-isakmp
     match address 100
     set peer 202.134.168.202
     set transform-set dlhtransform
     set pfs group2
     set security-association lifetime seconds 86400

Note: This new crypto map will remain disabled until a peer and a valid access-list has been configured.

You can view the crypto map by executing the following command:

    show crypto map

Step 5: Apply cryptomap on WAN interface

    Cisco(config)# interface fastethernet 0/1
    Cisco(config-if)# crypto map dhhmap

Once the configuration is done, the following message is displayed:

    %crypto-6-isakmp_on_off: ISAKMP is ON

You can check the IPSec negotiation by executing the following commands:

    debug crypto isakmp
    debug crypto ipsec

Cyberoam Configuration

After configuring the VPN connection on the Cisco Router, configure the IPSec connection in Cyberoam by following the steps given below. Log on to Cyberoam Web Admin Console as an administrator having read-write permission for relevant features.

Step 1: Configure IPSec Connection

Go to VPN > IPSec > Connection and click Add to create a new connection using parameters given below.

Parameter Description

| Parameter | Value | Description |
|---|---|---|
| Name | CR_to_Cisco | Name to identify the IPSec Connection |
| Connection Type | Site to Site | Select Type of connection. Available Options: - Remote Access - Site to Site - Host to Host |
| Policy | DefaultBranchOffice | Select policy to be used for connection |
| Action on VPN Restart | Initiate | Select the action for the connection. Available options: - Respond Only - Initiate - Disable |
| Authentication details | | |
| Authentication Type | Preshared Key | Select Authentication Type. Authentication of user depends on the connection type. |
| Preshared Key | <Same as mentioned in Cisco Router> | Preshared key should be the same as that configured in WatchGuard Appliance. |
| Endpoints Details | | |
| Local | PortB- 202.134.168.202 | Select local port which acts as end-point to the tunnel |
| Remote | 202.134.168.208 | Specify IP address of WatchGuard's Gateway. |
| Local Network Details | | |
| Local Subnet | 172.16.16.0/24 | Select Local LAN Address. Add and Remove LAN Address using Add Button and Remove Button |
| Remote Network Details | | |
| Remote LAN Network | 172.50.50.0/24 | Select IP addresses and netmask behind WatchGuard Appliance. |

Click OK to create the connection.
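
Before activating the connection, the Cisco commands from Steps 2 to 4 can be checked offline. The Python script below is an added example, not part of the original article or of any Cyberoam or Cisco tooling; it flags weak proposal settings and verifies that every crypto map peer, access-list and transform-set reference resolves. The audit function, the WEAK pattern and the choice of settings treated as weak (DES, 3DES, MD5, DH groups 1, 2 and 5) are assumptions of this example.

```python
import re

# Cisco commands from Steps 2 to 4 of this article, copied as shown.
CISCO_CONFIG = """\
crypto isakmp policy 10
 encryption 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key 12abcde34 address 223.255.246.212
access-list 100 permit ip 172.50.50.0 0.0.0.255 172.16.16.0 0.0.0.255
crypto ipsec transform-set dlhtransform ESP-3des ESP-md5-hmac
crypto map dhhmap 10 ipsec-isakmp
 match address 100
 set peer 202.134.168.202
 set transform-set dlhtransform
 set pfs group2
 set security-association lifetime seconds 86400
"""

# Policy of this example (an assumption): algorithms and DH groups to flag.
WEAK = re.compile(r"\b(?:encryption (?:3des|des)|hash md5|esp-(?:3des|des|md5-hmac)"
                  r"|group ?(?:1|2|5))\b")

def audit(config):
    """Return a list of findings for a Cisco IOS site-to-site IPSec config."""
    text = config.lower()
    findings = ["weak setting: " + m for m in WEAK.findall(text)]
    # Cross-references that must resolve for the tunnel to negotiate.
    keyed = set(re.findall(r"^crypto isakmp key \S+ address (\S+)", text, re.M))
    acls = set(re.findall(r"^access-list (\d+) ", text, re.M))
    tsets = set(re.findall(r"^crypto ipsec transform-set (\S+)", text, re.M))
    for peer in re.findall(r"^\s*set peer (\S+)", text, re.M):
        if peer not in keyed and "0.0.0.0" not in keyed:
            findings.append("no pre-shared key bound to peer " + peer)
    for acl in re.findall(r"^\s*match address (\S+)", text, re.M):
        if acl not in acls:
            findings.append("crypto map references undefined access-list " + acl)
    for name in re.findall(r"^\s*set transform-set (\S+)", text, re.M):
        if name not in tsets:
            findings.append("crypto map references undefined transform-set " + name)
    return findings

if __name__ == "__main__":
    for finding in audit(CISCO_CONFIG):
        print(finding)
```

Run against the commands as printed in this article, it reports the six weak proposal settings and that the pre-shared key is bound to 223.255.246.212 while the crypto map peer is 202.134.168.202.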

Step 2: Activate IPSec Connection

Go to VPN > IPSec > Connection and click the status icon under the Active and Connection heads against the CR_to_Cisco connection created in Step 1.

- The status under Active indicates that the connection is successfully activated.
- The status under Connection indicates that the connection is successfully established.

Document Version: 1.0 - 5 August, 2014