Cyberoam VPN Config

Published on June 2016 | Categories: Documents | Downloads: 37 | Comments: 0 | Views: 332

Cyberoam VPN description

Establish Site-to-Site IPSec Connection using Preshared key
Applicable Version: 10.00 onwards
Overview
IPSec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol
Suite. It is used in protecting data flows between a pair of hosts (host-to-host), between a pair of
security gateways (network-to-network), or between a security gateway and a host (network-to-
host).

Cyberoam’s IPSec VPN provides cost-effective site-to-site remote connectivity, eliminating
the need for expensive private remote access networks such as leased lines, Asynchronous
Transfer Mode (ATM) and Frame Relay. This article describes a detailed configuration
example that demonstrates how to set up a site-to-site IPSec VPN connection between two
networks, using a preshared key to authenticate the VPN peers.
Scenario
Configure a site-to-site IPSec VPN connection between Site A and Site B by following the steps
given below. In this article, we have used the following parameters to create the VPN
connection.


Network Parameters
Local Network details
Local Server (WAN IP address) – 14.15.16.17
Local LAN address – 10.5.6.0/24
Remote Network details
Remote VPN server (WAN IP address) – 22.23.24.25
Remote LAN Network – 172.23.9.0/24




Site A Configuration
The configuration is to be done from Site A’s Cyberoam Web Admin Console using a profile
that has read-write administrative rights for the relevant feature(s).
Step 1: Create IPSec Connection
To create a new IPSec connection, go to VPN > IPSec > Connection and click Add. Create
the connection using the following parameters.

Parameter Description

Parameter – Value: Description
Name – SiteA_to_SiteB: Name to identify the IPSec Connection
Connection Type – Site to Site: Select Type of connection. Available Options:
- Remote Access
- Site to Site
- Host to Host
Policy – DefaultHeadOffice: Select policy to be used for connection
Action on VPN Restart – Respond Only: Select the action for the connection. Available options:
- Respond Only
- Initiate
- Disable
Authentication details
Authentication Type – Preshared Key: Select Authentication Type. Authentication of user depends on the connection type.
Preshared Key – 123456789: Preshared key should be the same as that configured in remote site.
Endpoints Details
Local – PortB-14.15.16.17: Select local port which acts as end-point to the tunnel
Remote – 22.23.24.25: Specify IP address of the remote endpoint.
Local Network Details
Local Subnet – 10.5.6.0/24: Select Local LAN Address. Add and Remove LAN Address using Add Button and Remove Button
Remote Network Details
Remote LAN Network – 172.23.9.0/24: Select Remote LAN Address. Add and Remove LAN Address using Add Button and Remove Button



Click OK to create IPSec connection.

Step 2: Activate Connection
On clicking OK, the following screen is displayed showing the connection created above.





Click under Status (Active) to activate the connection.





Site B Configuration

The configuration is to be done from Site B’s Cyberoam Web Admin Console using a profile
that has read-write administrative rights for the relevant feature(s).
Step 1: Create IPSec Connection
To create a new IPSec connection, go to VPN > IPSec > Connection and click Add. Create
the connection using the following parameters.



Parameter Description

Parameter – Value: Description
Name – SiteB_to_SiteA: Name to identify the IPSec Connection
Connection Type – Site to Site: Select Type of connection. Available Options:
- Remote Access
- Site to Site
- Host to Host
Policy – DefaultBranchOffice: Select policy to be used for connection
Action on VPN Restart – Initiate: Select the action for the connection. Available options:
- Respond Only
- Initiate
- Disable
Authentication details
Authentication Type – Preshared Key: Select Authentication Type. Authentication of user depends on the connection type.
Preshared Key – 123456789: Preshared key should be the same as that configured in remote site.
Endpoints Details
Local – PortB-22.23.24.25: Select local port which acts as end-point to the tunnel
Remote – 14.15.16.17: Specify IP address of the remote endpoint.
Local Network Details
Local Subnet – 172.23.9.0/24: Select Local LAN Address. Add and Remove LAN Address using Add Button and Remove Button
Remote Network Details
Remote LAN Network – 10.5.6.0/24: Select Remote LAN Address. Add and Remove LAN Address using Add Button and Remove Button


Step 2: Activate and Establish Connection
On clicking OK, the following screen is displayed showing the connection created above.







Click under Status (Active) and Status (Connection).




The above configuration establishes an IPSec connection between Two (2) sites.

Note:

• Make sure that Firewall Rules that allow LAN to VPN and VPN to LAN traffic are configured.

• In a Head Office and Branch Office setup, usually the Branch Office acts as the tunnel
initiator and the Head Office acts as the responder, for the following reasons:
- Since Branch Offices or other Remote Sites have dynamic IPs, the Head Office is not able to
initiate the connection.
- As there can be many Branch Offices, to reduce the load on the Head Office it is good
practice that each Branch Office retries its own connection instead of the Head Office
retrying all the branch office connections.
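Because each side's parameter table is the mirror image of the other's, most preshared-key tunnels that fail to come up trace back to one field that was not mirrored. The Python script below is an added example, not Cyberoam code and not part of the original article: it loads the two tables above as dictionaries (using the article's sample values) and reports mismatches such as differing preshared keys, endpoints or subnets that are not swapped between the sites, overlapping subnets on one side, and two responders with no initiator. The length threshold used to warn about a short preshared key is an assumption of this example.

```python
"""Mirror-check for the two ends of a preshared-key site-to-site IPSec tunnel.

Added example (not Cyberoam code): it models the Site A and Site B parameter
tables from this article as dicts and reports the mismatches that most often
stop such a tunnel from coming up.
"""
from ipaddress import ip_network

# Constructed from the article's Site A / Site B tables (sample values).
SITE_A = {
    "name": "SiteA_to_SiteB",
    "action_on_restart": "Respond Only",
    "preshared_key": "123456789",
    "local_endpoint": "14.15.16.17",
    "remote_endpoint": "22.23.24.25",
    "local_subnets": ["10.5.6.0/24"],
    "remote_subnets": ["172.23.9.0/24"],
}
SITE_B = {
    "name": "SiteB_to_SiteA",
    "action_on_restart": "Initiate",
    "preshared_key": "123456789",
    "local_endpoint": "22.23.24.25",
    "remote_endpoint": "14.15.16.17",
    "local_subnets": ["172.23.9.0/24"],
    "remote_subnets": ["10.5.6.0/24"],
}


def _nets(cidrs):
    """Normalise a list of CIDR strings to a sorted list of networks."""
    return sorted(ip_network(c, strict=False) for c in cidrs)


def check_peers(a, b):
    """Return (errors, warnings) for a pair of connection definitions.

    errors   - mismatches that prevent the tunnel from establishing
    warnings - settings that work but deserve a second look
    """
    errors, warnings = [], []

    if a["preshared_key"] != b["preshared_key"]:
        errors.append("preshared key differs between the two sites")
    elif len(a["preshared_key"]) < 20 or a["preshared_key"].isdigit():
        # Threshold is this example's assumption, not a Cyberoam rule.
        warnings.append("preshared key is short or all-numeric; use a long random key")

    # Endpoints must be mirrored: my remote is your local and vice versa.
    if a["local_endpoint"] != b["remote_endpoint"]:
        errors.append(f"{b['name']}: remote endpoint is not {a['local_endpoint']}")
    if b["local_endpoint"] != a["remote_endpoint"]:
        errors.append(f"{a['name']}: remote endpoint is not {b['local_endpoint']}")

    # Protected subnets must be mirrored too, or the traffic selectors will not match.
    if _nets(a["local_subnets"]) != _nets(b["remote_subnets"]):
        errors.append(f"{b['name']}: remote subnets do not match {a['name']} local subnets")
    if _nets(b["local_subnets"]) != _nets(a["remote_subnets"]):
        errors.append(f"{a['name']}: remote subnets do not match {b['name']} local subnets")

    # Overlapping local and remote subnets on one side leave routing ambiguous.
    for site in (a, b):
        for loc in _nets(site["local_subnets"]):
            for rem in _nets(site["remote_subnets"]):
                if loc.overlaps(rem):
                    errors.append(f"{site['name']}: local {loc} overlaps remote {rem}")

    # Exactly one side should initiate; two responders never bring the tunnel up.
    actions = {a["action_on_restart"], b["action_on_restart"]}
    if "Disable" in actions:
        errors.append("one side has Action on VPN Restart set to Disable")
    elif actions == {"Respond Only"}:
        errors.append("both sides are Respond Only; nobody initiates the tunnel")
    elif actions == {"Initiate"}:
        warnings.append("both sides Initiate; the note above prefers branch initiates, head office responds")

    return errors, warnings


if __name__ == "__main__":
    print(check_peers(SITE_A, SITE_B))
    # A deliberately mistyped PSK and a second responder on Site B, to show what is reported.
    bad_b = dict(SITE_B, preshared_key="123456780", action_on_restart="Respond Only")
    print(check_peers(SITE_A, bad_b))
```

Run against the article's values the check returns no errors and one warning about the sample key; run against the mistyped copy it reports the differing key and the missing initiator.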












Allow download of specific file types from selected website(s) only
Applicable to Version: 10.00 onwards

Scenario

Allow file type categories like .mpeg, .mp3, .exe for website www.example.com, while
blocking the file types for other websites.

Prerequisite

Web and Application Filter Module Subscribed.

Configuration
You must be logged on to the Web Admin Console as an administrator with Read-Write
permission for relevant feature(s).
Step 1: Create a Custom Web Category
Create a Custom Web Category to add the required URL: www.example.com. To create a
web category, go to Web Filter > Category > Category and click Add to create a new
category. Specify the category parameters along with the Domain value
as www.example.com, as shown in the screen below.


Click OK and the Custom Web Category AllowFileDownload will be created successfully.

Step 2: Create Web Filter Policy
Go to Web Filter > Policy > Policy and click Add to create a new Web Filter Policy
named Example_Custom as shown in the diagram below.



Click OK and the Web Filter Policy Example_Custom will be created successfully.
Step 3: Configure Rules for Web Filter Policy
Select the Policy Example_Custom created in Step 2 and click Add to add the Web Filter
Policy Rules.




Specify Web Filter Policy Rules as shown in the table below.

Rule 1
Here file type categories like .mpeg, .mp3, .exe are blocked for all the sites.
Parameter – Value: Description
Category Type – File Type: Select Category Type for which the rule is to be added.
Category – Video Files, Audio Files, Executable Files: Select the Categories which you want to deny for all the sites.
HTTP and HTTPS Action – Deny: Select HTTP and HTTPS action.
Schedule – All the time: Select the Schedule for categories selected.




Click Add and the Web Filter Policy Rule will be added successfully.
Rule 2
This rule allows the file type categories like .mpeg, .mp3, .exe for www.example.com;
together with Rule 1, these file types stay blocked for all other sites.
Parameter – Value: Description
Category Type – Web Category: Select Web Category from the list of available categories.
Category – AllowFileDownload: Select the Category AllowFileDownload created in Step 1.
HTTP and HTTPS Action – Allow: Select HTTP and HTTPS action.
Schedule – All the Time: Select the Schedule for categories selected.




Click Add and the Web Filter Policy Rule will be added successfully.


Note:
AllowFileDownload Category should be on top as rules are executed in top to bottom
sequence.
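To see why the rule order in the note matters, here is an added example in Python (not Cyberoam code and not part of the original article) that models the policy as an ordered list of rules walked top to bottom, with the first matching rule deciding the action. The extension-to-category mapping, the host other.example.net standing in for "any other website", and the always-active schedule are assumptions of the example; the rule contents come from the two tables above.

```python
"""First-match evaluation of the two Web Filter Policy rules from this article.

Added example (not Cyberoam code). A policy is an ordered list of rules that is
walked top to bottom; the first rule whose categories match the request decides
the action. Swapping the two rules shows why AllowFileDownload must sit on top.
"""
from urllib.parse import urlparse

# Extension -> file type category. Constructed mapping covering the article's examples.
FILE_TYPE_CATEGORIES = {
    ".mpeg": "Video Files",
    ".mp3": "Audio Files",
    ".exe": "Executable Files",
}

# Custom web categories from Step 1: category name -> domains it contains.
WEB_CATEGORIES = {"AllowFileDownload": {"www.example.com"}}

# The two rules from the tables above. Schedule "All the time" is modelled as always active.
RULE_DENY_FILES = {
    "category_type": "File Type",
    "categories": {"Video Files", "Audio Files", "Executable Files"},
    "action": "Deny",
}
RULE_ALLOW_SITE = {
    "category_type": "Web Category",
    "categories": {"AllowFileDownload"},
    "action": "Allow",
}


def classify(url):
    """Return the set of categories (file type and web category) a request URL falls into."""
    parsed = urlparse(url)
    categories = set()
    path = parsed.path.lower()
    for ext, category in FILE_TYPE_CATEGORIES.items():
        if path.endswith(ext):
            categories.add(category)
    host = (parsed.hostname or "").lower()
    for category, domains in WEB_CATEGORIES.items():
        if host in domains:
            categories.add(category)
    return categories


def evaluate(policy, url, default="Allow"):
    """Walk the rules top to bottom; the first rule with a matching category decides.
    A request matching no rule falls through to the policy default."""
    categories = classify(url)
    for rule in policy:
        if rule["categories"] & categories:
            return rule["action"]
    return default


def compare_orderings(url):
    """Action for url with AllowFileDownload on top versus below the deny rule."""
    correct = [RULE_ALLOW_SITE, RULE_DENY_FILES]
    wrong = [RULE_DENY_FILES, RULE_ALLOW_SITE]
    return evaluate(correct, url), evaluate(wrong, url)


if __name__ == "__main__":
    # other.example.net is a constructed host standing in for "any other website".
    for url in ("http://www.example.com/setup.exe",
                "http://other.example.net/song.mp3",
                "http://other.example.net/index.html"):
        allow_first, deny_first = compare_orderings(url)
        print(url, "-> allow rule first:", allow_first, "/ deny rule first:", deny_first)
```

With the allow rule on top, setup.exe from www.example.com is allowed and song.mp3 from any other host is denied; with the rules swapped, the deny rule matches the executable first and the site-specific exception never gets a chance to apply.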
Step 4: Apply Policy to Firewall Rule or User/User Group
Firewall Rule
You can apply the policy through a Firewall Rule such that it is applied on all traffic that hits
that rule. To create a Firewall Rule, go to Firewall > Rule > IPv4 Rule and click Add. As
shown below, apply the Policy created in Step 1.




Click OK to apply the Firewall Rule.
User/User Group
You can apply the rule to individual users or user groups. Here, as an example we have
applied the rule on a user named John Smith. To apply the policy on an individual user, go
to Identity > Users > Users and select the user on whom policy is to be applied, i.e., John
Smith. As shown below, apply the Policy created in Step 1.



Click OK to apply policy on the user.









Configure Gateway Load Balancing and Failover
Applicable to Version: 10.00 onwards
Overview
Today organizations require stable, redundant and fast ISP links to run business critical
applications. To achieve constant and secure availability of the Internet and to avoid network
vulnerability, organizations prefer to have multiple ISP links. Multiple ISP links allow the
network administrator to configure failover and load balancing over the Internet links.
Cyberoam supports Load Balancing and Failover for multiple ISP links based on number of
WAN ports available in the Appliance. You can terminate multiple ISP links on available
physical interfaces of Cyberoam in the form of Gateways. A Gateway can be configured as an
Active or a Backup Gateway. The Gateways can be setup in Two (2) ways:
Active-Active: Here, all Gateways are in Active State and traffic is Load Balanced between all
Active Gateways. By default, Cyberoam adds a new gateway as an Active Gateway. Hence,
Load Balancing is automatically enabled between the existing and newly added links.
Cyberoam employs weighted round robin algorithm for load balancing to enable maximum
utilization of capacities across the various links.
Active-Backup: Here, One (1) or more Gateways are configured as Backup. This setup allows
Administrator to configure Gateway Failover if any active gateway goes down.

Note:

Load Balancing and Failover is supported both for IPv4 and IPv6 traffic. The Load Balancing
or Failover can be done between Two (2) IPv4 gateways or Two (2) IPv6 gateways.
Scenario
Consider the hypothetical network in which one ISP link is terminated on Port B and
Administrator wants to terminate another ISP link on Port D.


IP Schema
Below given IP schema is configured on Cyberoam.

Parameters – Value
Port A
IP Address – 10.10.1.1
Subnet Mask – 255.255.255.0
Zone – LAN
Port B
IP Address – 172.16.16.1
Subnet Mask – 255.252.240.0
Zone – WAN
Gateway Details
ISP Name – Default
IP Address – 172.16.16.15
Port C
IP Address – 10.10.10.1
Subnet Mask – 255.255.255.0
Zone – DMZ
Port D
Port D is an unbound port, so the zone type for Port D is set to ‘N/A’
DNS Configuration
Primary DNS – 4.2.2.2
This article is divided into the following Three (3) sections:
- Add a New Gateway
- Configure Load Balancing
- Configure Gateway Failover
Prerequisites
An unbound physical port should be available on Cyberoam. An unbound port is one which is
not assigned to any security zone.
Add a New Gateway
You must be logged on to the Web Admin Console as an administrator with Read-Write
permission for relevant feature(s).
To add a gateway, go to Network > Interface > Interface and configure an unbound physical
port according to parameters given below. Here, as an example, we have configured Port D.



Parameters – Value: Description
General Settings
Physical Interface – PortD: Physical Interface, for example Port A, Port B
Network Zone – WAN: Select Zone to which Interface belongs.
IP Assignment – Static: Select IP Assignment type. Available Options:
- Static: Static IP Addresses are available for all the zones.
- PPPoE: PPPoE is available only for WAN Zone. If PPPoE is configured, WAN port is displayed as the PPPoE Interface.
- DHCP: DHCP is available only for WAN Zone.
IP Address – 10.10.2.1: Specify IP Address.
Subnet Mask – /24 (255.255.255.0): Specify Network Subnet mask.
Primary DNS – 203.88.135.194: Specify Primary DNS Server IP Address.
Secondary DNS – 4.2.2.2: Specify Secondary DNS Server IP Address.
Gateway Details
Gateway Name – PortD_Gateway: Specify Gateway Name
IP Address – 10.10.2.19: Specify IP Address of Gateway




Click OK to update the interface.
On updating the interface, the gateway is added to the list of Gateways in Network > Gateway
> Gateway.
Configure Load Balancing
Cyberoam allows Load Balancing between 2 or more Active-Active Gateways. By default,
Cyberoam adds a new gateway as an Active Gateway. Hence, Load Balancing is automatically
enabled between the existing and newly added links.
Weighted Round Robin algorithm is used for load balancing wherein each link is assigned a
weight. The traffic that Cyberoam distributes among the links is in proportion to the weight
assigned to them.
To assign weight to a Link, go to Network > Gateway > Gateway and select the required
Gateway.



Mention the Weight, as shown below and click OK.




Configure Gateway Failover
Cyberoam allows Gateway Failover both in Active-Active and Active-Backup setups.
In an Active-Active setup, if any one of the active gateways fails, the traffic is redirected to
another active gateway. Administrator can specify Failover Conditions to indicate how the failed
gateway is to be detected.
In Active-Backup setup, one or more of the gateways are configured as backup gateway. If an
Active Gateway fails, the traffic can be redirected to a backup gateway, ensuring Internet
continuity.
Configure Backup Gateway
You can configure a gateway as a Backup gateway by following steps below.
1. Go to Network > Gateway > Gateway and select the required Gateway.


2. Select Gateway Type as Backup and configure Backup Gateway Details as shown
below.


Click OK to save changes.


This setup indicates if any Active Gateway Fails, PortD_Gateway would get activated and
would inherit the weight of the failed gateway.
Configure Failover Condition
By default, on adding a gateway, Cyberoam adds a Failover Rule indicating that if Cyberoam
is not able to PING the gateway, it would be considered down, as shown below.



Click Add to add another rule, or Edit to change the existing rule. Here, as an example, we
have added a Rule that indicates that if Cyberoam is not able to PING the
Gateway 172.16.16.15 and establish a TCP connection on port 80 with 4.2.2.2, the gateway
will be considered down.


Click OK to save the Gateway Failure Rule.
During a link failure, Cyberoam regularly checks the health of a given connection, assuring
fast reconnection when Internet service is restored.
When the connection is restored and gateway is up again, traffic is rerouted through the
Active gateway automatically.
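The load balancing and failover behaviour described in the two sections above, as an added example in Python (not Cyberoam code and not part of the original article): new connections are assigned by weighted round robin in proportion to gateway weights, a gateway is marked down when every probe in its failover rule fails (this example's reading of the "PING the gateway and TCP port 80" rule; the real rule semantics are Cyberoam's), and a Backup gateway inherits the failed Active gateway's weight until the Active gateway recovers. The gateway names and IP addresses come from the article; the weights 3 and 1 and the probe outcomes are constructed values.

```python
"""Weighted round robin across Active gateways, with Backup take-over on failure.

Added example (not Cyberoam code): a small model of the behaviour this article
describes. Traffic is spread over Active gateways in proportion to their weights,
a gateway is marked down when every probe in its failover rule fails, and a
Backup gateway then takes over the failed gateway's weight until it recovers.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass
class Gateway:
    name: str
    ip: str
    weight: int = 1
    gw_type: str = "Active"               # "Active" or "Backup"
    up: bool = True
    inherited_from: Optional[str] = None  # Backup only: Active gateway it currently covers
    inherited_weight: int = 0             # Backup only: weight taken over from that gateway

    @property
    def effective_weight(self):
        return self.weight if self.gw_type == "Active" else self.inherited_weight


def rule_says_down(probe_results):
    """Failover rule check, as this example reads the article: the rule lists probes
    (ping the gateway, TCP connect through it) and the gateway counts as down only
    when every probe fails. probe_results is a list of (description, succeeded)."""
    return bool(probe_results) and not any(ok for _, ok in probe_results)


class GatewayPool:
    def __init__(self, gateways):
        self.gateways = {g.name: g for g in gateways}
        self._current = {g.name: 0 for g in gateways}  # smooth-WRR running credit

    def serving(self):
        """Gateways that currently carry traffic."""
        return [g for g in self.gateways.values() if g.up and g.effective_weight > 0]

    def next_gateway(self):
        """Pick the gateway for the next new connection (smooth weighted round robin):
        over any window of sum(weights) picks each gateway is chosen weight times."""
        cands = self.serving()
        if not cands:
            return None
        total = sum(g.effective_weight for g in cands)
        for g in cands:
            self._current[g.name] += g.effective_weight
        best = max(cands, key=lambda g: self._current[g.name])
        self._current[best.name] -= total
        return best

    def apply_probe_results(self, name, probe_results):
        """Update one gateway's state from its failover rule probes; returns up/down."""
        gw = self.gateways[name]
        down = rule_says_down(probe_results)
        if down and gw.up:
            gw.up = False
            self._current[name] = 0
            if gw.gw_type == "Active":
                self._activate_backup_for(gw)
        elif not down and not gw.up:
            gw.up = True
            # The recovered Active gateway takes its weight back from its Backup.
            for b in self.gateways.values():
                if b.inherited_from == name:
                    b.inherited_from, b.inherited_weight = None, 0
        return gw.up

    def _activate_backup_for(self, failed):
        """First idle, healthy Backup gateway inherits the failed gateway's weight."""
        for b in self.gateways.values():
            if b.gw_type == "Backup" and b.up and b.inherited_from is None:
                b.inherited_from, b.inherited_weight = failed.name, failed.weight
                return b
        return None


def distribute(pool, n):
    """Count how n new connections would be spread over the pool."""
    return Counter(g.name for g in (pool.next_gateway() for _ in range(n)) if g)


if __name__ == "__main__":
    # Active-Active with constructed weights 3:1.
    aa = GatewayPool([Gateway("Default", "172.16.16.15", weight=3),
                      Gateway("PortD_Gateway", "10.10.2.19", weight=1)])
    print("active-active:", distribute(aa, 8))

    # Active-Backup: PortD_Gateway only carries traffic while Default is down.
    ab = GatewayPool([Gateway("Default", "172.16.16.15", weight=1),
                      Gateway("PortD_Gateway", "10.10.2.19", gw_type="Backup")])
    print("before failure:", distribute(ab, 4))
    ab.apply_probe_results("Default", [("ping 172.16.16.15", False), ("tcp 4.2.2.2:80", False)])
    print("after failure: ", distribute(ab, 4))
    ab.apply_probe_results("Default", [("ping 172.16.16.15", True), ("tcp 4.2.2.2:80", True)])
    print("after recovery:", distribute(ab, 4))
```

The smooth weighted round robin keeps the split exact over every window of sum(weights) connections rather than only on average, which makes the 3:1 ratio easy to verify in a test; the failover path shows the two transitions the article describes, Backup activation on failure and automatic rerouting back to the Active gateway once its probes succeed again.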






Configure Email Notification

Applicable Version: 10.00 onwards

Overview

Cyberoam allows configuration of Email notifications for certain system-generated events and
reports (as specified by administrator). Such Email notifications can be configured to inform
administrator about:

- Change in gateway status
- Change in HA (high availability) link status (if HA cluster is configured)
- Change in State of IPSec Tunnel(s)
- Various reports (customizable)

Scenario
Configure Email Notifications in Cyberoam.

Configuration
The entire configuration is to be done from the Web Admin Console of Cyberoam. Configuration
requires read-write administrative permission for the relevant features.
Step 1: Configure Mail Server Settings
Configuring Mail Server Settings enables administrator to receive Email notifications for system-
generated events like change in gateway status, change in HA link status and change in state
of IPSec Tunnel. Configure Mail Server by going to System > Configuration >
Notification and setting parameters as shown below.


Parameters – Value: Description
Mail Server Settings
Mail Server IP Address/FQDN - Port – 172.16.16.24 - 25: Configure your Mail Server IP Address and port
Authentication Required – Enabled: If Enabled, specify authentication parameters, i.e. username and password
Email Setting
From Email Address – [email protected]: Specify the email address from which the notification is to be sent.
Send Notifications to Email Address – [email protected]: Specify the email address to which the notification is to be sent.




Click Test Mail to check Mail Server Configuration. If test mail is delivered successfully,
click Apply to save configuration.

Step 2: Configure Email notification for reports
You can configure daily or weekly Email notification for the following report groups - Web
Usage, Mail Usage, FTP Usage, Blocked Web Attempts, Attacks, Spam, Virus, Event, Search
Engine, IM Usage, Blocked IM Attempts, Internet Usage, VPN, SSL VPN, Denied SSL VPN
Attempts, Blocked Applications, Applications. Configure Report Notifications by following steps
given below.
• Go to Logs & Reports > View Reports, or click the Reports Tab available on the Icon Bar in the
upper rightmost corner of every page, to access On-Appliance iView.

• In iView, go to System > Configuration > Report Notification and click Add to add a report
notification. Here, as an example, we have configured a daily Email Notification for Search
Engine Reports.





Parameters – Value: Description
Name – Search_Engine_Report: Specify report notification name
To Email Address – [email protected]: Specify Email address of the recipient
Report Group – Search Engine: Select report category from the Report Group drop down list
Email Frequency – Daily at 11 hours: Set Email Frequency




Click Add to add a new notification.

With the above configuration, all the Search Engine reports will be mailed every day at 10 am.


