How To - Establish Net-to-Net IPSec Connection between Cyberoam and Cisco Router using Preshared key

Product: The information in this article is based on Cyberoam Version 95314 and Cisco Router.

This article is a detailed configuration example showing how to set up a net-to-net IPSec VPN connection between Cyberoam and a Cisco Router, using a preshared key to authenticate the VPN peers. Throughout the article we use the network parameters shown in the network diagram below. Cyberoam is installed at the AHMD branch and the Cisco Router at the DLH branch. In the hypothetical example considered here, Cyberoam has a static IP address, but depending on the network it is also possible for Cyberoam to have a dynamic IP address.

The article includes the network diagram, the information to gather before configuration, and the following scenarios for Cyberoam:

1. Aggressive mode authentication
2. Main mode authentication
   a. Static IP address assigned to Cyberoam
   b. Dynamic IP address assigned to Cyberoam

Each scenario includes:
- Cyberoam configuration steps
- Cisco Router configuration steps

The VPN connection is established from the AHMD branch to the DLH branch, therefore:

For AHMD branch: Cyberoam is the Local server; Cisco Router is the Remote server.
For DLH branch: Cisco Router is the Local server; Cyberoam is the Remote server.

Network Diagram
(Diagram not reproduced; the addresses it shows are listed in the configuration table below.)

Information to be gathered before configuration

Before configuring the IPSec connection, gather the following information about the Remote server:

1. Connection details - encryption algorithm, authentication algorithm and DH/PFS group
2. Preshared key
3. Server IP addresses
4. Internal network subnet

Configuration Table

Please note: the Phase 1 and Phase 2 parameters (encryption algorithm, authentication algorithm and DH/PFS group) must be identical on both peers, Cyberoam and the Cisco Router.

Configuration Parameters: IPSec Connection (Net-to-Net)

                             Cyberoam (AHMD)        Cisco Router (DLH)
Local network details
  WAN IP address             182.7.7.254            125.16.7.254
  Local internal network     192.168.1.0/24         192.168.2.0/24
  Preshared key              0123456789             0123456789
Remote network details
  Remote VPN server IP       125.16.7.254           182.7.7.254
  Remote internal network    192.168.2.0/24         192.168.1.0/24

The preshared key 0123456789 is only a placeholder for this example; in production use a long, random key that is unique to this pair of peers. Likewise, 3DES, MD5 and DH group 2 are the legacy values this article was written with; where both peers support them, prefer AES and SHA-2 with a larger DH group, keeping the values identical on both sides.
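Because the Phase 1 and Phase 2 parameters, the preshared key binding and the protected subnets must all agree on both peers, it is worth checking the router's configuration against the Cyberoam values before activating the connection. The following Python script is an example added to this article (it is not Cyberoam or Cisco software): it parses the crypto commands of an IOS configuration and reports anything that does not match the values entered in the Cyberoam policy and connection forms. The IOS fragment and the CYBEROAM dictionary are constructed from the configuration table above; wan_id is the Cyberoam WAN IP or, for the dynamic-IP case, the DDNS name the router is configured with.

```python
"""Check a Cisco IOS site-to-site IPsec configuration against the Phase 1/Phase 2
parameters, preshared key binding and subnets entered on the Cyberoam peer."""
import ipaddress

# Constructed IOS fragment mirroring the article's configuration table
# (sample input for the checker, not output captured from a router).
CISCO_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 0123456789 address 182.7.7.254
!
ip access-list extended dlhtoahmd
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
crypto ipsec transform-set dlhtransform esp-3des esp-md5-hmac
crypto map dlhmap 10 ipsec-isakmp
 set peer 182.7.7.254
 set transform-set dlhtransform
 set pfs group2
 match address dlhtoahmd
"""

# Values as entered in the Cyberoam VPN policy and IPSec connection forms;
# wan_id is the Cyberoam WAN IP, or its DDNS FQDN in the dynamic-IP case.
CYBEROAM = {
    "wan_id": "182.7.7.254", "psk": "0123456789",
    "local_net": "192.168.1.0/24", "remote_net": "192.168.2.0/24",
    "p1": ("3des", "md5", 2),   # Phase 1 encryption, authentication, DH group
    "p2": ("3des", "md5", 2),   # Phase 2 encryption, authentication, PFS group
}

# IOS keyword -> name used in the Cyberoam GUI.  An isakmp policy whose
# sub-command is omitted takes the IOS defaults des / sha / rsa-sig / group 1.
HASH = {"md5": "md5", "sha": "sha1", "sha256": "sha256"}
ESP_ENCR = {"esp-des": "des", "esp-3des": "3des", "esp-aes": "aes128",
            "esp-aes-192": "aes192", "esp-aes-256": "aes256"}
ESP_AUTH = {"esp-md5-hmac": "md5", "esp-sha-hmac": "sha1", "esp-sha256-hmac": "sha256"}


def parse_ios(text):
    """Collect the crypto commands; indented lines belong to the block above them."""
    cfg = {"isakmp": {}, "psk": {}, "acl": {}, "tset": {}, "cmap": {}}
    block = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        w = line.split()
        if line.startswith(" "):            # sub-command of the open block
            if block is not None:
                block.append(w)
            continue
        block = None
        if w[:3] == ["crypto", "isakmp", "policy"]:
            block = cfg["isakmp"].setdefault(w[3], [])
        elif w[:3] == ["crypto", "isakmp", "key"]:
            cfg["psk"][w[5]] = w[3]         # keyed by peer address or hostname
        elif w[:3] == ["ip", "access-list", "extended"]:
            block = cfg["acl"].setdefault(w[3], [])
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["tset"][w[3]] = w[4:]
        elif w[:2] == ["crypto", "map"] and "ipsec-isakmp" in w:
            block = cfg["cmap"].setdefault(" ".join(w[2:4]), [])
    return cfg


def _attrs(block):
    """'encr 3des' -> {'encr': ['3des']}; 'set pfs group2' -> {'set pfs': ['group2']}."""
    out = {}
    for w in block:
        n = 2 if w[0] == "set" else 1
        out[" ".join(w[:n])] = w[n:]
    return out


def check_peer_match(cisco_text, cr):
    """Return the list of mismatches; an empty list means the two peers agree."""
    cfg = parse_ios(cisco_text)
    problems = []
    # The preshared key must be bound to the identity Cyberoam presents.
    psk = cfg["psk"].get(cr["wan_id"])
    if psk is None:
        problems.append(f"no 'crypto isakmp key' bound to {cr['wan_id']}")
    elif psk != cr["psk"]:
        problems.append("preshared key differs from the Cyberoam connection")

    # Phase 1: some isakmp policy must offer exactly the Cyberoam proposal.
    encr, auth, dh = cr["p1"]
    def p1_ok(a):
        return (a.get("encr", ["des"])[0] == encr
                and HASH.get(a.get("hash", ["sha"])[0]) == auth
                and a.get("authentication", ["rsa-sig"])[0] == "pre-share"
                and int(a.get("group", ["1"])[0]) == dh)
    if not any(p1_ok(_attrs(b)) for b in cfg["isakmp"].values()):
        problems.append(f"no isakmp policy offers {encr}/{auth}/DH group {dh} with pre-share")

    # Phase 2: a crypto map entry for the Cyberoam peer whose transform set, PFS
    # group and crypto ACL (router LAN -> Cyberoam LAN) match the connection.
    encr, auth, dh = cr["p2"]
    want = (ipaddress.ip_network(cr["remote_net"]), ipaddress.ip_network(cr["local_net"]))
    def p2_ok(a):
        ts = cfg["tset"].get(a.get("set transform-set", [None])[0], [None])
        pfs = a.get("set pfs")              # absent -> no PFS, bare 'set pfs' -> group1
        pfs_group = 0 if pfs is None else int((pfs or ["group1"])[0].removeprefix("group"))
        if (a.get("set peer", [None])[0] != cr["wan_id"] or pfs_group != dh
                or ESP_ENCR.get(ts[0]) != encr or ESP_AUTH.get(ts[-1]) != auth):
            return False
        for ace in cfg["acl"].get(a.get("match", [None, None])[1], []):
            if ace[:2] == ["permit", "ip"] and len(ace) >= 6:
                try:  # IOS ACLs use wildcard masks; ipaddress accepts the host-mask form
                    src, dst = (ipaddress.ip_network(f"{ace[i]}/{ace[i + 1]}") for i in (2, 4))
                except ValueError:          # 'host' / 'any' entries are not subnet pairs
                    continue
                if (src, dst) == want:
                    return True
        return False
    if not any(p2_ok(_attrs(b)) for b in cfg["cmap"].values()):
        problems.append(f"no crypto map entry to {cr['wan_id']} with {encr}/{auth}, "
                        f"PFS group {dh} and crypto ACL {want[0]} -> {want[1]}")
    return problems
```

To use it against a real router, paste the crypto and ip access-list sections of show running-config into CISCO_CONFIG and the Cyberoam form values into CYBEROAM; check_peer_match returns an empty list when the peers agree and otherwise one string per phase that disagrees, which is the first thing to look at when the Cyberoam connection status never becomes active.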
Cyberoam Configuration

Applicable to version: 9.5.8 onwards

Task list
1. Define a VPN policy - configure the Phase 1 and Phase 2 parameters used to authenticate the remote peer and establish a secure connection
2. Define the VPN connection parameters

Case I: Aggressive mode authentication

Step 1: Create VPN Policy

Go to VPN > Policy > Create Policy and create a VPN policy with the following values:

Policy Name: CR_2_Cisco
Allow Re-keying: Yes
Authentication Mode: Aggressive mode
Phase 1
  Encryption Algorithm: 3DES
  Authentication Algorithm: MD5
  DH Group (Key Group): 2 (DH1024)
Phase 2
  Encryption Algorithm: 3DES
  Authentication Algorithm: MD5
  DH Group (Key Group): Same as Phase 1
Step 2: Create IPSec connection

Go to VPN > IPSec Connection > Create Connection and create a connection with the following values:

Connection name: n2n_ahmd
Policy: CR_2_Cisco (created in step 1)
Action on restart: As required
Mode: Tunnel
Type: Net to Net
Authentication Type: Preshared Key
Preshared Key: 0123456789
Local server IP address (WAN IP address): 182.7.7.254
Local Internal Network: 192.168.1.0/24
Remote server IP address (WAN IP address): 125.16.7.254
Remote Internal Network: 192.168.2.0/24
User Authentication Mode: Disabled
Protocol: As required

Step 3: Activate Connection

Go to VPN > IPSec Connection > Manage Connection and click the activation icon against the n2n_ahmd connection. Under Connection status, the active icon indicates that the connection is successfully activated.
Note: Only one connection can be active at a time for a given source and destination pair. If both types of connection, Digital Certificate and Preshared Key, are created with the same source and destination, activating the second fails with the error "unable to activate connection"; deactivate the other connection first.

Cisco Router Configuration

Step 1. Log on to the Cisco Router with Enable privilege

  Router> en
  Password: ******
  Router# conf t

Step 2. Configure the IKE (Phase 1) parameters. The policy must match the Cyberoam Phase 1 values, and the preshared key is bound to the Cyberoam WAN address:

  crypto isakmp policy 10
   encr 3des
   hash md5
   authentication pre-share
   group 2
   lifetime 3600
  crypto isakmp key 0123456789 address 182.7.7.254

Step 3. Verify the IKE parameters with the following commands (the second shows the Phase 1 security association once the tunnel is up):

  show crypto isakmp policy
  show crypto isakmp sa

Step 4. Define the crypto access-list that selects the traffic to be encrypted. IOS access-lists take wildcard masks, not subnet masks, and the crypto ACL lists only the router's own LAN as the source; the router derives the return direction itself, and the Cyberoam Local/Remote Internal Network settings are the mirror image of this entry:

  ip access-list extended dlhtoahmd
   permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

Step 5. Configure the IPSec (Phase 2) parameters. The transform set and PFS group must match the Cyberoam Phase 2 values, and a crypto map entry needs a sequence number:

  crypto ipsec transform-set dlhtransform esp-3des esp-md5-hmac
  crypto map dlhmap 10 ipsec-isakmp
   description Tunnel to CR
   set peer 182.7.7.254
   set transform-set dlhtransform
   set pfs group2
   match address dlhtoahmd

Step 6. Apply the crypto map to the external interface of the Cisco Router (FastEthernet0/1 in this example):

  interface FastEthernet0/1
   crypto map dlhmap

Case II: Main mode authentication, Cyberoam configured with a static IP address

Step 1: Create VPN Policy

Go to VPN > Policy > Create Policy and create a VPN policy with the following values:

Policy Name: CR_2_Cisco
Allow Re-keying: Yes
Authentication Mode: Main mode
Phase 1
  Encryption Algorithm: 3DES
  Authentication Algorithm: MD5
  DH Group (Key Group): 2 (DH1024)
Phase 2
  Encryption Algorithm: 3DES
  Authentication Algorithm: MD5
  DH Group (Key Group): Same as Phase 1
Step 2: Create IPSec connection

Go to VPN > IPSec Connection > Create Connection and create a connection with the following values:

Connection name: n2n_ahmd
Policy: CR_2_Cisco (created in step 1)
Action on restart: As required
Mode: Tunnel
Type: Net to Net
Authentication Type: Preshared Key
Preshared Key: 0123456789
Local server IP address (WAN IP address): 182.7.7.254
Local Internal Network: 192.168.1.0/24
Remote server IP address (WAN IP address): 125.16.7.254
Remote Internal Network: 192.168.2.0/24
User Authentication Mode: Disabled
Protocol: As required

Step 3: Activate Connection

Go to VPN > IPSec Connection > Manage Connection and click the activation icon against the n2n_ahmd connection. Under Connection status, the active icon indicates that the connection is successfully activated.
Note: Only one connection can be active at a time for a given source and destination pair. If both types of connection, Digital Certificate and Preshared Key, are created with the same source and destination, activating the second fails with the error "unable to activate connection"; deactivate the other connection first.

Cisco Router Configuration

The router configuration for this case is the same as for Case I; the router, acting as responder, accepts the main mode exchange initiated by Cyberoam with the same policy.

Step 1. Log on to the Cisco Router with Enable privilege

  Router> en
  Password: ******
  Router# conf t

Step 2. Configure the IKE (Phase 1) parameters. The policy must match the Cyberoam Phase 1 values, and the preshared key is bound to the Cyberoam WAN address:

  crypto isakmp policy 10
   encr 3des
   hash md5
   authentication pre-share
   group 2
   lifetime 3600
  crypto isakmp key 0123456789 address 182.7.7.254

Step 3. Verify the IKE parameters with the following commands (the second shows the Phase 1 security association once the tunnel is up):

  show crypto isakmp policy
  show crypto isakmp sa

Step 4. Define the crypto access-list that selects the traffic to be encrypted. IOS access-lists take wildcard masks, not subnet masks, and the crypto ACL lists only the router's own LAN as the source; the router derives the return direction itself, and the Cyberoam Local/Remote Internal Network settings are the mirror image of this entry:

  ip access-list extended dlhtoahmd
   permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

Step 5. Configure the IPSec (Phase 2) parameters. The transform set and PFS group must match the Cyberoam Phase 2 values, and a crypto map entry needs a sequence number:

  crypto ipsec transform-set dlhtransform esp-3des esp-md5-hmac
  crypto map dlhmap 10 ipsec-isakmp
   description Tunnel to CR
   set peer 182.7.7.254
   set transform-set dlhtransform
   set pfs group2
   match address dlhtoahmd

Step 6. Apply the crypto map to the external interface of the Cisco Router (FastEthernet0/1 in this example):

  interface FastEthernet0/1
   crypto map dlhmap

Case III: Main mode authentication, Cyberoam configured with a dynamic IP address

Step 1: Create VPN Policy

Go to VPN > Policy > Create Policy and create a VPN policy with the following values:

Policy Name: CR_2_Cisco
Allow Re-keying: Yes
Authentication Mode: Main mode
Phase 1
  Encryption Algorithm: 3DES
  Authentication Algorithm: MD5
  DH Group (Key Group): 2 (DH1024)
Phase 2
  Encryption Algorithm: 3DES
  Authentication Algorithm: MD5
  DH Group (Key Group): Same as Phase 1
Step 2: Create IPSec connection

Go to VPN > IPSec Connection > Create Connection and create a connection with the following values:

Connection name: n2n_ahmd
Policy: CR_2_Cisco (created in step 1)
Action on restart: As required
Mode: Tunnel
Type: Net to Net
Authentication Type: Preshared Key
Preshared Key: 0123456789
Local server IP address (WAN IP address): the dynamic IP address assigned to the Cyberoam WAN interface
Local Internal Network: 192.168.1.0/24
Remote server IP address (WAN IP address): 125.16.7.254
Remote Internal Network: 192.168.2.0/24
User Authentication Mode: Disabled
Protocol: As required

Because the Cyberoam WAN address changes, it must be published under a DDNS name (elite.elitecore.com in the router configuration of this case) so that the router can identify and locate the peer.

Step 3: Activate Connection

Go to VPN > IPSec Connection > Manage Connection and click the activation icon against the n2n_ahmd connection.
Under Connection status, the active icon indicates that the connection is successfully activated.

Note: Only one connection can be active at a time for a given source and destination pair. If both types of connection, Digital Certificate and Preshared Key, are created with the same source and destination, activating the second fails with the error "unable to activate connection"; deactivate the other connection first.

Cisco Router Configuration

Step 1. Log on to the Cisco Router with Enable privilege

  Router> en
  Password: ******
  Router# conf t

Step 2. Configure the IKE (Phase 1) parameters. Because Cyberoam has no fixed address, the preshared key is bound to its DDNS hostname instead of an IP address; no-xauth stops the router from requesting extended (user) authentication from this peer:

  crypto isakmp policy 10
   encr 3des
   hash md5
   authentication pre-share
   group 2
   lifetime 3600
  crypto isakmp key 0123456789 hostname elite.elitecore.com no-xauth

Step 3. Verify the IKE parameters with the following commands (the second shows the Phase 1 security association once the tunnel is up):

  show crypto isakmp policy
  show crypto isakmp sa

Step 4. Define the crypto access-list that selects the traffic to be encrypted. IOS access-lists take wildcard masks, not subnet masks, and the crypto ACL lists only the router's own LAN as the source; the router derives the return direction itself, and the Cyberoam Local/Remote Internal Network settings are the mirror image of this entry:

  ip access-list extended dlhtoahmd
   permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

Step 5. Configure the IPSec (Phase 2) parameters. The peer is referenced by the DDNS name Cyberoam is registered under (elite.elitecore.com); the transform set and PFS group must match the Cyberoam Phase 2 values, and a crypto map entry needs a sequence number:

  crypto ipsec transform-set dlhtransform esp-3des esp-md5-hmac
  crypto map dlhmap 10 ipsec-isakmp
   description Tunnel to CR
   set peer elite.elitecore.com
   set transform-set dlhtransform
   set pfs group2
   match address dlhtoahmd

The router must be able to resolve elite.elitecore.com (DNS lookup enabled and an ip name-server configured) and the DDNS record must be current. Since only the router has a fixed address, the tunnel is always brought up from the Cyberoam (AHMD) side.

Step 6. Apply the crypto map to the external interface of the Cisco Router (FastEthernet0/1 in this example):

  interface FastEthernet0/1
   crypto map dlhmap

Document version: 1.0-24/12/2008