Establish IPSec VPN connection between Cyberoam and Watchguard
Applicable Version: 10.00 onwards
Scenario
The information in this article is based on Cyberoam Version 10.00 onwards and Watchguard XTM530.
This article demonstrates how to set up a Site-to-Site IPSec VPN connection between Cyberoam and WatchGuard, using a preshared key to authenticate the VPN peers. Throughout the article we have used the network parameters shown in the diagram below.
This article consists of Two (2) sections:
- WatchGuard Configuration
- Cyberoam Configuration
WatchGuard Configuration
This configuration is to be done from the WatchGuard User Interface (UI) using administrator credentials.
Step 1: Create Gateway for VPN Connection
• Go to VPN > Branch Office VPN under Gateways and click Add.
• Under General Settings, select Credential Method as Use Pre-Shared Key and specify the Key alongside. Add a Gateway Endpoint by clicking Add under Gateway Endpoint.
• Under Local Gateway tab, specify Local Gateway details as follows:

| Parameter | Value |
|---|---|
| Specify the gateway ID for tunnel authentication | By IP Address |
| IP Address | 4.2.2.2 |
| External Interface | External |
• Switch to Remote Gateway tab. Specify details as given below.

| Parameter | Value |
|---|---|
| Specify the remote gateway IP address for the tunnel | Static IP Address: 82.178.233.182 |
| Specify the remote gateway ID for tunnel authentication | By IP Address: 8.8.8.8 |

Click OK to save Endpoint settings.
• Switch to Phase 1 Settings tab and configure parameters as given below. Add Transform Settings by clicking Add under Transform Settings.

| Parameter | Value |
|---|---|
| Mode | Main |
| NAT Traversal | Enable |
| Keep-alive Interval | 20 |
| Dead Peer Detection | Enable |
| Traffic Idle Timeout | 20 |
| Max-retries | 5 |
• Specify Transform Settings as below.

| Parameter | Value |
|---|---|
| Authentication | SHA1 |
| Encryption | 3DES |
| SA Life | 8 Hours |
| Key Group | DH Group 2 |

Click OK to save Transform Settings.
• Click Save to save Gateway configuration.
Step 2: Create VPN Tunnel
• Once Gateway settings are saved, click Add under Tunnels.
• Specify the Tunnel Name and, under Addresses tab, click Add to add Tunnel Route Settings, as shown below.

| Parameter | Value |
|---|---|
| Local IP: Choose Type | Network IPv4 |
| Local IP: Network IP | 192.0.0.0/24 |
| Remote IP: Choose Type | Network IPv4 |
| Remote IP: Network IP | 192.168.1.0/24 |

Click OK to save settings.
• Switch to Phase 2 Settings tab. Under Perfect Forward Secrecy, check Enable Perfect Forward Secrecy and specify PFS as DH Group 2. Under IPSec Proposals, add the required proposals.
Click Save to save the tunnel configuration.
The above steps complete the IPSec VPN configuration on the WatchGuard appliance.
Cyberoam Configuration
After the VPN connection has been configured on WatchGuard, configure the matching IPSec connection in Cyberoam by following the steps given below. Configuration is to be done from the Cyberoam Web Admin Console using a profile that has read-write administrative rights over the relevant features.
Step 1: Create VPN Policy
Create a VPN Policy according to the negotiation parameters configured in WatchGuard. Go to VPN > Policy > Policy and click Add to add a new policy.

| Parameter | Value | Description |
|---|---|---|
| Name | CR_WG | Specify a name to identify the VPN Policy. |
| Keying Method | Automatic | Keying Method defines how the keys for the connection are to be managed. Available options: Automatic, Manual. |
| Allow Re-Keying | Enable | Enable Re-Keying to start the negotiation process automatically before key expiry. |
| Key Negotiation Tries | 0 | Specify the maximum number of key negotiation attempts allowed. Set 0 for an unlimited number of attempts. |
| Authentication Mode | Main Mode | Authentication Mode is used for exchanging authentication information. Available options: Main Mode, Aggressive Mode. |
| Pass Data in Compressed Format | Enable | Enable to pass data in compressed format to increase throughput. |
| Perfect Forward Secrecy (PFS) | Enable | Enable to generate a new key for every negotiation on key expiry; disable to reuse the same key for every negotiation. |

Phase 1

| Parameter | Value | Description |
|---|---|---|
| Encryption Algorithm | 3DES | Select the encryption algorithm the communicating parties use to protect exchanged data in Phase 1. |
| Authentication Algorithm | SHA1 | Select the authentication algorithm the communicating parties use for the integrity of exchanged data in Phase 1. |
| DH Group (Key Group) | 2 (DH1024) | Select one Diffie-Hellman group from 1, 2, 5, 14, 15 or 16. The DH group determines the key length used in the key exchange. |
| Key Life | 3600 | Key Life, in seconds, is the amount of time allowed to pass before the key expires. |
| Re-Key Margin | 120 | Re-Key Margin is the time before key expiry at which the negotiation process starts automatically, without interrupting communication. |
| Randomize Re-Keying Margin By | 0 | Specify by how much the re-keying time is randomized. |
| Dead Peer Detection | Enable | Enable to check at regular intervals whether the peer is live. |
| Check Peer After Every | 30 | Specify the time after which the peer should be checked for its status. |
| Wait For Response Upto | 120 | Specify how long (in seconds) the initiating peer should wait for the status response. |
| Action When Peer Unreachable | Re-Initiate | Specify the action to take if the peer is not active. Available options: Hold (holds the connection), Disconnect (closes the connection), Re-initiate (re-establishes the connection). |

Phase 2

| Parameter | Value | Description |
|---|---|---|
| Encryption Algorithm | AES128, AES128 | Select the encryption algorithm the communicating parties use to protect exchanged data in Phase 2. |
| Authentication Algorithm | MD5, SHA1 | Select the authentication algorithm the communicating parties use for the integrity of exchanged data in Phase 2. |
| PFS Group (DH Group) | Same as Phase-1 | Select one Diffie-Hellman group from 1, 2, 5, 14, 15 or 16. The DH group determines the key length used in the key exchange. |
| Key Life | 3600 | Key Life, in seconds, is the amount of time allowed to pass before the key expires. |

Click OK to save policy.
Step 2: Configure IPSec Connection
Go to VPN > IPSec > Connection and click Add to create a new connection using the parameters given below.

| Parameter | Value | Description |
|---|---|---|
| Name | BO_to_HO | Name to identify the IPSec connection. |
| Connection Type | Site to Site | Select the type of connection. Available options: Remote Access, Site to Site, Host to Host. |
| Policy | CR_WG (created in Step 1) | Select the policy to be used for the connection. |
| Action on VPN Restart | Initiate | Select the action for the connection. Available options: Respond Only, Initiate, Disable. |
| Authentication details | | |
| Authentication Type | Preshared Key | Select the authentication type. Authentication of the user depends on the connection type. |
| Preshared Key | <Same as mentioned in WatchGuard Appliance> | The preshared key must be the same as that configured in the WatchGuard appliance. |
| Endpoints Details | | |
| Local | PortB-82.178.233.182 | Select the local port that acts as the endpoint of the tunnel. |
| Remote | 188.135.32.1 | Specify the IP address of the WatchGuard gateway. |
| Local Network Details | | |
| Local Subnet | 192.168.1.0/24 | Select the local LAN address. Add and remove LAN addresses using the Add and Remove buttons. |
| Local ID | IP Address: 8.8.8.8 | Specify the Local ID. |
| Remote Network Details | | |
| Remote LAN Network | 192.0.0.0/24 | Select the IP addresses and netmask behind the WatchGuard appliance. |
| Remote ID | IP Address: 4.2.2.2 | Specify the Remote ID. |

Click OK to create the connection.
Step 3: Activate IPSec Connection
Go to VPN > IPSec > Connection and click the status icons under the Active and Connection heads against the BO_to_HO connection created in Step 2.
The status icon under Active indicates that the connection is successfully activated.
The status icon under Connection indicates that the connection is successfully established.
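Because every identity, subnet and proposal value must be mirrored between the two appliances, it is worth cross-checking both sides before activating the connection. The script below is an added example that is not part of the original article: it encodes the values from the WatchGuard and Cyberoam tables above in constructed dictionaries and reports anything that does not line up, including the Phase 1 lifetime difference already present in the article's values (WatchGuard SA Life 8 hours, Cyberoam Key Life 3600 seconds); the check_peers function is this example's own.

```python
import ipaddress

# Constructed for this example: values copied from the article's tables,
# not an export from either appliance.
WATCHGUARD = {
    "local_id": "4.2.2.2", "remote_gw": "82.178.233.182", "remote_id": "8.8.8.8",
    "local_net": "192.0.0.0/24", "remote_net": "192.168.1.0/24",
    "p1": {"mode": "main", "enc": "3DES", "auth": "SHA1", "dh": 2, "life_s": 8 * 3600},
    "p2": {"pfs_dh": 2},
}
CYBEROAM = {
    "local_gw": "82.178.233.182", "local_id": "8.8.8.8", "remote_id": "4.2.2.2",
    "local_net": "192.168.1.0/24", "remote_net": "192.0.0.0/24",
    "p1": {"mode": "main", "enc": "3DES", "auth": "SHA1", "dh": 2, "life_s": 3600},
    "p2": {"pfs_dh": 2},  # article: PFS group "Same as Phase-1"
}


def check_peers(wg, cr):
    """Return a list of findings; an empty list means both sides mirror each other."""
    findings = []
    # Peer IDs and the gateway address must be mirrored, not copied, between sides.
    for wg_key, cr_key in (("local_id", "remote_id"), ("remote_id", "local_id"),
                           ("remote_gw", "local_gw")):
        if wg[wg_key] != cr[cr_key]:
            findings.append(f"{wg_key}: WatchGuard {wg[wg_key]} vs Cyberoam {cr_key} {cr[cr_key]}")
    # Protected subnets are compared as networks, so 192.0.0.0/24 and 192.0.0.0/25 differ.
    for wg_key, cr_key in (("local_net", "remote_net"), ("remote_net", "local_net")):
        if ipaddress.ip_network(wg[wg_key]) != ipaddress.ip_network(cr[cr_key]):
            findings.append(f"{wg_key}: WatchGuard {wg[wg_key]} vs Cyberoam {cr_key} {cr[cr_key]}")
    # Phase 1 proposal (mode, cipher, hash, DH group) must match exactly.
    for k in ("mode", "enc", "auth", "dh"):
        if wg["p1"][k] != cr["p1"][k]:
            findings.append(f"phase1 {k}: WatchGuard {wg['p1'][k]} vs Cyberoam {cr['p1'][k]}")
    # Lifetimes need not be equal for the tunnel to come up, but a mismatch is worth
    # knowing: the side with the shorter life rekeys first.
    if wg["p1"]["life_s"] != cr["p1"]["life_s"]:
        findings.append(f"phase1 lifetime: WatchGuard {wg['p1']['life_s']} s vs Cyberoam {cr['p1']['life_s']} s")
    if wg["p2"]["pfs_dh"] != cr["p2"]["pfs_dh"]:
        findings.append(f"phase2 PFS group: WatchGuard {wg['p2']['pfs_dh']} vs Cyberoam {cr['p2']['pfs_dh']}")
    return findings


if __name__ == "__main__":
    for finding in check_peers(WATCHGUARD, CYBEROAM) or ["no mismatches"]:
        print(finding)
```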