VPN Management Guide Version 9 Document version 9410-1.0-06/01/2007
IMPORTANT NOTICE Elitecore has supplied this information believing it to be accurate and reliable at the time of printing, but it is presented without warranty of any kind, expressed or implied. Users must take full responsibility for their application of any products. Elitecore assumes no responsibility for any errors that may appear in this document. Elitecore reserves the right, without notice, to make changes in product design or specifications. Information is subject to change without notice. USER'S LICENSE The Appliance described in this document is furnished under the terms of Elitecore's End User License Agreement. Please read these terms and conditions carefully before using the Appliance. By using this Appliance, you agree to be bound by the terms and conditions of this license. If you do not agree with the terms of this license, promptly return the unused Appliance and manual (with proof of payment) to the place of purchase for a full refund. LIMITED WARRANTY Software: Elitecore warrants for a period of ninety (90) days from the date of shipment from Elitecore: (1) the media on which the Software is furnished will be free of defects in materials and workmanship under normal use; and (2) the Software substantially conforms to its published specifications. Except for the foregoing, the Software is provided AS IS. This limited warranty extends only to the customer as the original licensee. The customer's exclusive remedy and the entire liability of Elitecore and its suppliers under this warranty will be, at Elitecore's or its service center's option, repair, replacement, or refund of the Software if reported (or, upon request, returned) to the party supplying the Software to the customer. In no event does Elitecore warrant that the Software is error free, or that the customer will be able to operate the Software without problems or interruptions.
Elitecore hereby declares that the anti virus and anti spam modules are powered by Kaspersky Labs and their performance is under warranty provided by Kaspersky Labs. It is specified that Kaspersky Lab does not warrant that the Software identifies all known viruses, nor that the Software will not occasionally erroneously report a virus in a title not infected by that virus. Hardware: Elitecore warrants that the Hardware portion of the Elitecore Products, excluding power supplies, fans and electrical components, will be free from material defects in workmanship and materials for a period of One (1) year. Elitecore's sole obligation shall be to repair or replace the defective Hardware at no charge to the original owner. The replacement Hardware need not be new or of an identical make, model or part; Elitecore may, in its discretion, replace the defective Hardware (or any part thereof) with any reconditioned product that Elitecore reasonably determines is substantially equivalent (or superior) in all material respects to the defective Hardware. DISCLAIMER OF WARRANTY Except as specified in this warranty, all expressed or implied conditions, representations, and warranties, including, without limitation, any implied warranty of merchantability, fitness for a particular purpose, non-infringement or arising from a course of dealing, usage, or trade practice, are hereby excluded to the extent allowed by applicable law. In no event will Elitecore or its suppliers be liable for any lost revenue, profit, or data, or for special, indirect, consequential, incidental, or punitive damages however caused and regardless of the theory of liability arising out of the use of or inability to use the product, even if Elitecore or its suppliers have been advised of the possibility of such damages. In no event shall Elitecore's or its suppliers' liability to the customer, whether in contract, tort (including negligence) or otherwise, exceed the price paid by the customer.
The foregoing limitations shall apply even if the above stated warranty fails of its essential purpose. In no event shall Elitecore or its supplier be liable for any indirect, special, consequential, or incidental damages, including, without limitation, lost profits or loss or damage to data arising out of the use or inability to use this manual, even if Elitecore or its suppliers have been advised of the possibility of such damages.
RESTRICTED RIGHTS Copyright 2000 Elitecore Technologies Ltd. All rights reserved. Cyberoam and the Cyberoam logo are trademarks of Elitecore Technologies Ltd. Information supplied by Elitecore Technologies Ltd. is believed to be accurate and reliable at the time of printing, but Elitecore Technologies assumes no responsibility for any errors that may appear in this document. Elitecore Technologies reserves the right, without notice, to make changes in product design or specifications. Information is subject to change without notice.
CORPORATE HEADQUARTERS Elitecore Technologies Ltd. 904 Silicon Tower, Off. C.G. Road, Ahmedabad – 380015, INDIA Phone: +91-79-66065606 Fax: +91-79-26407640 Web site: www.elitecore.com , www.cyberoam.com
Contents
Guide Sets ................................................... 5
Technical Support ............................................ 6
Typographic Conventions ...................................... 7
Overview ..................................................... 8
  Introduction to VPN ........................................ 8
  Cyberoam and VPN ........................................... 8
Policy ....................................................... 9
  Encryption and Authentication method ....................... 9
    Preshared Key ............................................ 9
    Digital Certificates .................................... 10
    Public Key .............................................. 10
  Policy Parameters ......................................... 10
  Create VPN Policy ......................................... 13
  Update VPN Policy ......................................... 17
  Delete VPN policy ......................................... 21
Certificate Authority ....................................... 22
  Generate Certificate Authority ............................ 22
  Import external Certificate Authority ..................... 24
  Upload Certificate ........................................ 25
  Generate Self signed certificate .......................... 26
  Generate Certificate Signing Request ...................... 28
  Download Certificate ...................................... 30
  Delete Certificate ........................................ 31
Certificate Revocation List ................................. 32
  Revoke certificate ........................................ 32
  Download CRL .............................................. 34
  Upload CRL ................................................ 34
  Delete CRL ................................................ 36
IPSec Connection ............................................ 37
  Create Transport mode IPSec Connection .................... 38
  Create Road Warrior IPSec connection ...................... 41
  Create Net to Net IPSec connection ........................ 44
  Create Host to Host IPSec connection ...................... 47
  Manage IPSec Connection ................................... 51
    Activate/Deactivate Connection .......................... 51
    Export Connection configuration file (only for Road warrior connection) ... 52
    Delete Connection ....................................... 52
L2TP Connection ............................................. 53
  L2TP configuration ........................................ 53
  Create L2TP connection .................................... 55
  Manage L2TP connection .................................... 57
    Delete L2TP connection .................................. 60
PPTP Connection ............................................. 61
  PPTP Configuration ........................................ 61
Guide Sets
Guide | Describes
User Guide |
Console Guide | Console Management
Windows Client Guide | Installation & configuration of Cyberoam Windows Client
Linux Client Guide | Installation & configuration of Cyberoam Linux Client
HTTP Client Guide | Installation & configuration of Cyberoam HTTP Client
Analytical Tool Guide | Using the Analytical tool for diagnosing and troubleshooting common problems
LDAP Integration Guide | Configuration for integrating LDAP with Cyberoam for external authentication
ADS Integration Guide | Configuration for integrating ADS with Cyberoam for external authentication
PDC Integration Guide | Configuration for integrating PDC with Cyberoam for authentication
RADIUS Integration Guide | Configuration for integrating RADIUS with Cyberoam for external authentication
High Availability Configuration Guide | Configuration of High Availability (HA)
Data transfer Management Guide | Configuration and Management of user based data transfer policy
VPN Management Guide | Implementing and managing VPN
Multi Link Manager User Guide | Configuration of Multiple Gateways, load balancing and failover
Cyberoam IDP Implementation Guide | Configuring, implementing and managing Intrusion Detection and Prevention
Cyberoam Anti Virus Implementation Guide | Configuring and implementing anti virus solution
Cyberoam Anti Spam Implementation Guide | Configuring and implementing anti spam solution
Technical Support
You may direct all questions, comments, or requests concerning the software you purchased, your registration status, or similar issues to the Customer care/service department at the following address: Corporate Office: eLitecore Technologies Ltd., 904, Silicon Tower, Off C.G. Road, Ahmedabad 380015, Gujarat, India. Phone: +91-79-66065606. Fax: +91-79-26462200. Web site: www.elitecore.com. Cyberoam contact: Technical support (Corporate Office): +91-79-26400707. Email: [email protected]. Web site: www.elitecore.com. Visit www.cyberoam.com for regional and the latest contact information.
Typographic Conventions
Material in this manual is presented in text, screen displays, or command-line notation.
Item | Convention | Example
Server | Machine where Cyberoam Software - Server component is installed |
Client | Machine where Cyberoam Software - Client component is installed |
User | The end user |
Username | Username uniquely identifies the user of the system |
Part titles | Bold and shaded font typefaces | Report
Topic titles | Shaded font typefaces | Introduction
Subtitles | Bold & Black typefaces | Notation conventions
Navigation link | Bold typeface | Group Management → Groups → Create, meaning: to open the required page click Group Management, then Groups, and finally the Create tab
Name of a particular parameter / field / command button text | Lowercase italic type | Enter policy name, where policy name is replaced with the specific name of a policy; or Click Name, where Name denotes the command button text to be clicked
Cross references | Hyperlink in a different color | refer to Customizing User database; clicking the link opens that topic
Notes & points to remember | Bold typeface between black borders | Note
Prerequisites | Bold typeface between black borders | Prerequisite • Prerequisite details
Overview Welcome to the Cyberoam VPN Management Guide. Cyberoam's integrated Internet security solution is purpose-built to meet the unified threat management needs of corporate, government and educational organizations. It also helps improve bandwidth management, increase employee productivity and reduce the legal liability associated with access to undesirable Internet content. This guide gives a basic introduction to VPN and the fundamentals of the technologies that are relevant to the way Cyberoam implements VPN. It outlines how VPNs are actually created and gives a detailed picture of the settings that can be used to adjust VPN policies in Cyberoam. The VPN management module is an add-on module that must be registered before use. Refer to the Cyberoam Installation and Registration guide for details.
Introduction to VPN A Virtual Private Network (VPN) is a tunnel that carries private network traffic from one endpoint system to another over a public network such as the Internet. The traffic is unaware of the intermediate hops between the endpoints, and the intermediate hops are unaware that the packets they carry are traversing a tunnel. The tunnel may optionally compress and/or encrypt the data; compression improves throughput, while encryption together with integrity protection is what gives the tunnel its security. A VPN lets the endpoints behave as if they were joined by a leased line or a direct telephone call. VPNs allow users and telecommuters to connect to their corporate intranets or extranets, and are cost-effective because users connect to the Internet locally and tunnel back to corporate resources. This reduces the overhead costs of traditional remote access methods and improves flexibility and scalability.
Cyberoam and VPN For business people travelling or working from home, connecting securely to the corporate network is essential. With Cyberoam, setting up a VPN takes little effort. The two endpoints of a Cyberoam VPN are referred to as: Local - the first endpoint, the Cyberoam machine itself. Remote - the second endpoint, the peer you are establishing a VPN connection to, or the peer that is establishing a VPN connection with you. Cyberoam VPN automatically encrypts the data and sends it to the remote site over the Internet, where it is automatically decrypted and forwarded to the intended destination. Encryption with integrity checking protects the confidentiality and integrity of the data even when it is transmitted over the untrusted public network. Cyberoam uses the IPSec protocol suite to protect traffic. In IPSec, the identity of the communicating peers is checked by authentication based on digital certificates, public keys or preshared keys.
Cyberoam can be used to establish VPN connections between sites (LAN-to-LAN) and from individual clients (Client-to-LAN). The VPN is the bridge between the local and remote networks/subnets. Cyberoam supports the following protocols to authenticate and encrypt traffic: • Internet Protocol Security (IPSec) • Layer Two Tunneling Protocol (L2TP); note that L2TP by itself only tunnels and authenticates, and relies on IPSec for encryption of the carried data.
Policy
Encryption and Authentication method
Authentication of the communicating parties and integrity of the exchanged data are crucial for a reliable VPN. Encryption provides confidentiality of the data, both during the negotiation and for the traffic carried by the tunnel. Cyberoam supports the encryption algorithms described below, and uses the hash functions MD5 and SHA1 for data integrity. 3DES: Triple DES is a symmetric block cipher that has been extensively tested in public and is also one of the ciphers specified by the OpenPGP standard. It applies the DES algorithm three times in succession with separate keys to strengthen the original 56-bit DES. AES: The Advanced Encryption Standard is a 128-bit block cipher with an effective key length of 128, 192 or 256 bits; it is the algorithm of choice for new deployments. Serpent: Serpent is a 128-bit block cipher, i.e. data is encrypted and decrypted in 128-bit chunks, with a key length of 128, 192 or 256 bits. Serpent uses 32 rounds of its main algorithm. Its designers describe it as faster than DES in a bit-sliced implementation and more conservative in its security margin than Triple DES. Blowfish: Blowfish is a symmetric block cipher, using the same secret key to encrypt and decrypt, that divides a message into fixed-length blocks. It has a 64-bit block size, a key length of anywhere from 32 to 448 bits, and 16 rounds. Twofish: Twofish is a symmetric block cipher with a 128-bit block size and key sizes up to 256 bits. Practitioner's note: DES and MD5 are weak by current standards, and 64-bit block ciphers (DES, 3DES, Blowfish) limit how much data should be protected under a single key. Where the remote peer supports it, prefer AES with SHA1 and keep key lifetimes short.
Preshared Key
Preshared key authentication uses a secret key that both peers have been given out of band, before any negotiation takes place. Each peer proves its identity by producing a value that can only be computed with knowledge of the shared key, for example by encrypting or hashing some unpredictable, arbitrary data supplied by the other peer. If the other peer can verify that value with its own copy of the key, the sender is assumed to be genuine. A single shared key is used at both ends: data protected with the key by the sender over the Internet is unprotected at the receiving end with exactly the same key. Because the key is the only thing that authenticates the peers, it must be long and random; an attacker who captures a negotiation can test guesses against it offline, so a short or dictionary-based preshared key can be recovered.
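The following is an added example, not Cyberoam code and not the actual IKE exchange. It models the description above in its simplest form: each peer answers a random challenge with an HMAC keyed by the preshared key (the HMAC-SHA256 construction and the peer identifiers "local"/"remote" are assumptions made for the demo). The last function shows the caveat a practitioner cares about: a captured (challenge, response) pair lets an eavesdropper test candidate keys offline, so a weak PSK is recovered from a small wordlist.

```python
"""Simplified model of preshared key (PSK) authentication.

Added example, not Cyberoam code and not the real IKE exchange. Each peer
proves it holds the PSK by answering a random challenge with an HMAC keyed by
the PSK (assumed construction: HMAC-SHA256 over challenge and peer identity).
offline_guess() shows why the PSK must be strong: anyone who captured a
(challenge, response) pair can test PSK guesses without contacting the peers.
"""
import hashlib
import hmac
import os


def derive_psk_key(psk: str) -> bytes:
    """Map the operator-entered PSK to a fixed-length HMAC key (assumed: SHA-256)."""
    return hashlib.sha256(psk.encode("utf-8")).digest()


def make_challenge() -> bytes:
    """Unpredictable, arbitrary data the verifier sends to the other peer."""
    return os.urandom(16)


def prove(psk: str, challenge: bytes, my_id: bytes) -> bytes:
    """Prover's response: HMAC over the challenge and the prover's identity."""
    return hmac.new(derive_psk_key(psk), challenge + my_id, hashlib.sha256).digest()


def verify(psk: str, challenge: bytes, peer_id: bytes, response: bytes) -> bool:
    """Verifier recomputes the expected response; the constant-time compare
    avoids leaking how many bytes of the response matched."""
    expected = prove(psk, challenge, peer_id)
    return hmac.compare_digest(expected, response)


def mutual_auth(psk_local: str, psk_remote: str):
    """Run the challenge/response in both directions.
    Returns (local_accepts_remote, remote_accepts_local)."""
    c_to_remote = make_challenge()
    r_from_remote = prove(psk_remote, c_to_remote, b"remote")
    local_accepts = verify(psk_local, c_to_remote, b"remote", r_from_remote)

    c_to_local = make_challenge()
    r_from_local = prove(psk_local, c_to_local, b"local")
    remote_accepts = verify(psk_remote, c_to_local, b"local", r_from_local)
    return local_accepts, remote_accepts


def offline_guess(challenge: bytes, peer_id: bytes, response: bytes, wordlist):
    """Eavesdropper's attack: replay the derivation for each candidate PSK
    against the captured transcript. Returns the recovered PSK or None."""
    for candidate in wordlist:
        if hmac.compare_digest(prove(candidate, challenge, peer_id), response):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed transcript: a weak PSK that an attacker's wordlist contains.
    chal = make_challenge()
    resp = prove("cyberoam123", chal, b"remote")
    print("matching PSKs:", mutual_auth("s3cret", "s3cret"))
    print("mismatched PSKs:", mutual_auth("s3cret", "other"))
    print("offline guess recovers:",
          offline_guess(chal, b"remote", resp, ["admin", "password", "cyberoam123"]))
```

The model deliberately binds the prover's identity into the response so that a response captured from one peer cannot be replayed as the other's; the real IKE exchange achieves the same effect with identity payloads under its own key derivation.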
Digital Certificates
Digital certificates are another authentication method, employing digital signatures and public key cryptography. A digital certificate is a document that vouches for the identity of a person or entity and is issued by a trusted third party, the Certificate Authority (CA). A certificate holder has a public/private key pair: the private key is used to sign (or to decrypt incoming messages, so that only the holder can read them), and the public key, carried in the certificate, lets the peer verify the signature. A certificate binds the public key to a given IP address or host name and is issued by the CA for a specific period of time. The CA can be an in-house CA run by your own organization, or a public CA. To use certificates for negotiation, both peers must generate public/private key pairs, request and receive certificates, and be configured to trust the CA that issued them. Users can download and install certificates from Cyberoam. When troubleshooting, check that each peer's certificate is within its validity period, chains to the trusted CA, and has not been revoked (see Certificate Revocation List).
Public Key
Public key authentication uses two keys: a public key that may be known to anyone and a private key held by only one party. Data encrypted with the recipient's public key can be decrypted only by the recipient, who alone holds the corresponding private key; conversely, a signature made with the private key can be verified by anyone holding the public key, which is how a peer proves its identity during negotiation. The peers' public keys must be exchanged over a trusted path beforehand, since a bare public key, unlike a certificate, carries no CA-signed binding to an identity.
Policy Parameters
Policy describes the security parameters used in negotiations to establish and maintain a secure tunnel between two peers. Before you set up your secure tunnels, to make their configuration faster and easier, you can create VPN policies that work at a global level. Rather than configuring the parameters for every tunnel you create, you can configure general policies and later apply them to your secure tunnels. Authentication mode Every IKE (Internet Key Exchange) negotiation has two phases. Phase 1 authenticates the peers and establishes a secure channel between them: the peers agree on the encryption and authentication algorithms, perform a Diffie-Hellman exchange and derive the keys that protect the rest of the negotiation. Phase 2 uses that channel to negotiate the IPSec security association for the tunnel itself, i.e. the algorithms and keys that protect the data. Either peer can initiate a Phase 1 or Phase 2 renegotiation at any time, and both can specify intervals after which to renegotiate. Key life The lifetime of a key is specified as the Key life. Once the connection is established after the authenticated and encrypted key exchange, it is not dropped until the key life expires. If the key life differs between the two peers, renegotiation takes place whenever the key life of either peer is over. An intruder who recovers one key can read everything protected under it for as long as it remains in use, so key generation and key rotation are important: the longer the life of the key, the larger the
amount of data at risk, and the more ciphertext an attacker can collect for analysis. Perfect Forward Secrecy (PFS) It becomes difficult for a network intruder to get the big picture if the keys keep changing and a separate key has to be cracked for every negotiation. This is achieved with PFS. When PFS is selected, every renegotiation includes a new Diffie-Hellman exchange, so the new key is generated from fresh secret material rather than derived from the earlier keys. An intruder who has obtained one key therefore gains nothing towards the next one. Diffie-Hellman (DH) Group (IKE group) Diffie-Hellman is a public-key scheme that lets two peers establish a shared secret over an insecure channel: each peer combines its own private value with the other's public value, and both arrive at the same secret without ever sending it. That secret is used to derive the encryption and authentication keys; Diffie-Hellman itself does not encrypt the data. The Diffie-Hellman group determines the size of the modulus, and therefore the strength, of the exchange. Group numbers are also termed identifiers.
DH Group | Key length (bits)
1 | 768
2 | 1024
5 | 1536
14 | 2048
15 | 3072
16 | 4096
Groups 1 and 2 (768- and 1024-bit) are considered too weak by current standards; use group 14 or larger wherever the remote peer supports it.
If mismatched groups are specified on the two peers, negotiation fails; the group cannot be switched during the negotiation. Re-key Margin The time before key expiry at which the next key exchange starts; it is measured from the end of the key life, so the exchange starts after (key life minus re-key margin) of key usage. With Re-keying set to 'Yes', negotiation starts automatically before the key expires, without interrupting service. Dead Peer detection settings Used to check whether the remote peer at the configured IP address is still reachable. Set the interval at which the peer's status is checked and the action to take if the peer is not alive. Tunnel Negotiation Negotiation starts when the local or remote peer wants to communicate with the other. Depending on the connection parameters defined, the key used for the tunnel is generated; its lifetime is the Key life. Once the connection is established it stays active and data can be transferred until the key life expires, at which point the connection is closed/deactivated. To activate the connection again, the entire negotiation must be started over. Negotiation is restarted automatically, by either the local or the remote peer, only if Allow Re-keying is set to 'Yes'. Set the re-key margin in terms of the remaining key life so that negotiation starts automatically, before key expiry, without interrupting communication. For example, with a key life of 8 hours and a re-key margin of 10 minutes, negotiation starts automatically after 7 hours 50 minutes of key usage. The negotiation produces a key that is independent of the previous one only if Perfect Forward Secrecy (PFS) is set to 'Yes'.
PFS will generate a new key from scratch and there will be no dependency between old and new key.
Re-keying | Result
Yes | Both the local and the remote peer can initiate a connection request. Depending on PFS, the negotiation will use the same key or generate a new key.
No | Only the remote peer can initiate a connection request. Depending on PFS, the negotiation will use the same key or generate a new key.
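The following is an added example, not Cyberoam code, and it follows the page's description of PFS rather than the exact IKE key derivation. Phase 1 runs a Diffie-Hellman exchange and derives a secret (called SKEYID here). Each re-key then derives a child key either from SKEYID and fresh nonces (PFS off) or from SKEYID, nonces and a brand-new DH secret (PFS on). An attacker who later obtains SKEYID, say from a compromised peer, and has the captured transcript can recompute every PFS-off child key but none of the PFS-on keys, because those require a private DH exponent that was never sent. The modulus is DH group 2 (the 1024-bit MODP prime of RFC 2409); the HMAC-SHA256 derivation and the labels are assumptions made for the demo.

```python
"""Why Perfect Forward Secrecy (PFS) matters, shown with Diffie-Hellman.

Added example, not Cyberoam code; it models the page's description, not the
exact IKE derivation. Key derivation with HMAC-SHA256 is an assumption.
"""
import hashlib
import hmac
import secrets

# DH group 2: the 1024-bit MODP prime from RFC 2409 section 6.2, generator 2.
P_GROUP2 = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GENERATOR = 2


def dh_keypair():
    """Private exponent in [1, p-2] and the public value g^x mod p."""
    x = secrets.randbelow(P_GROUP2 - 2) + 1
    return x, pow(GENERATOR, x, P_GROUP2)


def dh_shared(x: int, peer_public: int) -> int:
    """Shared secret; rejects 0, 1 and p-1, which would force a trivial result."""
    if not 1 < peer_public < P_GROUP2 - 1:
        raise ValueError("invalid DH public value from peer")
    return pow(peer_public, x, P_GROUP2)


def int_to_bytes(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def phase1_skeyid(x_a, pub_b, x_b, pub_a) -> bytes:
    """Both sides compute the same Phase 1 secret; returns SKEYID."""
    shared_a = dh_shared(x_a, pub_b)
    shared_b = dh_shared(x_b, pub_a)
    assert shared_a == shared_b
    return prf(b"phase1-skeyid", int_to_bytes(shared_a))


def child_key_no_pfs(skeyid: bytes, nonce_i: bytes, nonce_r: bytes) -> bytes:
    """PFS off: the new key depends only on SKEYID and the (public) nonces."""
    return prf(skeyid, b"no-pfs" + nonce_i + nonce_r)


def child_key_pfs(skeyid, nonce_i, nonce_r, fresh_shared: int) -> bytes:
    """PFS on: a fresh DH secret, never sent on the wire, is mixed in."""
    return prf(skeyid, b"pfs" + int_to_bytes(fresh_shared) + nonce_i + nonce_r)


def simulate(pfs: bool, rekeys: int = 3):
    """Run Phase 1 and `rekeys` re-keys, then replay what an attacker who has
    the transcript plus a leaked SKEYID can derive.
    Returns (real_child_keys, attacker_recovered); None = not derivable."""
    x_a, pub_a = dh_keypair()
    x_b, pub_b = dh_keypair()
    skeyid = phase1_skeyid(x_a, pub_b, x_b, pub_a)

    keys, transcript = [], []          # transcript = what an eavesdropper sees
    for _ in range(rekeys):
        nonce_i, nonce_r = secrets.token_bytes(16), secrets.token_bytes(16)
        if pfs:
            y_a, q_a = dh_keypair()
            y_b, q_b = dh_keypair()
            fresh = dh_shared(y_a, q_b)
            assert fresh == dh_shared(y_b, q_a)
            keys.append(child_key_pfs(skeyid, nonce_i, nonce_r, fresh))
            transcript.append((nonce_i, nonce_r, q_a, q_b))
        else:
            keys.append(child_key_no_pfs(skeyid, nonce_i, nonce_r))
            transcript.append((nonce_i, nonce_r, None, None))

    # Attacker: SKEYID leaked later (compromised peer), transcript captured.
    recovered = []
    for nonce_i, nonce_r, q_a, q_b in transcript:
        if q_a is None:
            recovered.append(child_key_no_pfs(skeyid, nonce_i, nonce_r))
        else:
            recovered.append(None)  # would need y_a or y_b: the DH problem
    return keys, recovered


if __name__ == "__main__":
    real, got = simulate(pfs=False)
    print("PFS off, attacker recovered every child key:", real == got)
    real, got = simulate(pfs=True)
    print("PFS on, attacker recovered any child key:", any(g is not None for g in got))
```

The same check in dh_shared() that rejects 0, 1 and p-1 is what an IPSec implementation must apply to a peer's public value; without it a malicious peer can force the shared secret to a known constant.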
Create VPN Policy
Cyberoam provides a default policy, and you can also create a customized policy to meet your organization's requirements. Select VPN → Policy → Create Policy to open the create policy page.
Screen – Create VPN policy
Screen Element | Description
VPN policy details
Name | Assign a name to the policy. Choose a name that best describes the policy to be created.
Description | Click to enter the full description of the policy.
Using Template | Select a template if you want to create a new policy based on an existing policy and inherit all of its parameters. Select the 'None' template to create a fresh policy. After creation you can always customize the policy as required.
The following options are available only if the policy is created from the 'None' template.
Keying Method | Defines how the keys for the connection are managed. Select Automatic or Manual. Manual key exchange is not supported for L2TP connections.
Allow Re-keying | Specify whether negotiation is to be started automatically before key expiry. The process starts at the time set in Re-Key Margin. If set to 'Yes', negotiation can be initiated by either the local or the remote peer. Depending on PFS, the negotiation uses the same key or generates a new key.
Key Negotiation tries | Maximum number of negotiation attempts allowed; must be greater than 0.
Authentication mode | Authentication mode is used to support the key exchange. Currently only Main mode is supported. Depending on the authentication mode, the Phase 1 parameters are exchanged for authentication; in Main mode they are exchanged in multiple rounds and the authentication information is sent encrypted.
Pass Data In Compress Format | Enable to pass data in compressed format to increase throughput.
Perfect Forward Secrecy | Specify whether a new key is generated for every negotiation on key expiry. Set 'Yes' to generate a new key for every negotiation; set 'No' to use the same key.
Phase 1
Encryption and Authentication algorithm | Select the encryption and authentication algorithms the communicating parties use to protect, and check the integrity of, the data exchanged in Phase 1. Supported encryption algorithms: 3DES, AES, TwoFish, BlowFish, Serpent (described under Encryption and Authentication method; AES supports key lengths of 128, 192 and 256 bits). Supported authentication algorithms: MD5, SHA1. Up to three combinations of encryption and authentication algorithm
can be selected. The remote peer must be configured to use at least one of the defined combinations. Click to add another combination of encryption and authentication algorithm.
DH Group | Specifies the size of the Diffie-Hellman modulus used for the key exchange: Group 1 = 768 bits, Group 2 = 1024 bits, Group 5 = 1536 bits, Group 14 = 2048 bits, Group 15 = 3072 bits, Group 16 = 4096 bits. Select one group from 1, 2, 5, 14, 15 or 16. The remote peer must be configured to use the same group; if the groups differ, negotiation fails.
Key Life | The amount of time allowed to pass before the key expires. Specify in seconds.
Re-Key Margin | The time before key expiry at which negotiation starts automatically, without interrupting communication. Set it in terms of the remaining key life: for example, with a key life of 8 hours and a re-key margin of 10 minutes, negotiation starts automatically after 7 hours 50 minutes of key usage. Specify in minutes.
Randomize Re-Keying Time by | Randomizes the re-key time by the given percentage. For example, with a key life of 8 hours, a re-key margin of 10 minutes and 20% randomization, the effective margin is a random value between 8 and 12 minutes, so negotiation starts somewhere between 12 and 8 minutes before key expiry. Randomization prevents many tunnels from re-keying at the same instant.
Enable Dead Peer Detection | Enable to check whether the peer is live.
Check Peer After Every (only if Dead Peer Detection is enabled) | Once the connection is established, the peer that initiated it checks whether the other peer is live. Specify the interval at which the peer's status is checked.
Wait for Response up to (only if Dead Peer Detection is enabled) | How long the initiating peer waits for a status response. If no response is received within this time, the peer is considered inactive. Specify in seconds.
Action when Peer is not active (only if Dead Peer Detection is enabled) | The action to take when the peer is not active: Hold - hold the connection; Clear - close the connection; Restart - re-establish the connection.
Phase 2
Encryption and Authentication algorithm
Select the encryption and authentication algorithm that would be used by communicating parties for integrity of exchanged data fpr phase 2. Supported Encryption algorithms: DES, 3DES, AES, TwoFish, BlowFish, Serpent DES, 3DES: Triple DES is a symmetric strong encryption algorithm that is compliant with the OpenPGP standard. It is the application of DES standard where three keys are used in succession to provide additional security. AES: Advanced Encryption Standard offers the highest standard of security. The effective key lengths that can be used with AES are 128, 192 and 256 Bits. This security system supports a number of encryption algorithms. Supported Authentication algorithms: MD5, SHA1 Maximum three combination of encryption and authentication algorithm can be selected. The remote peer must be configured to use at least one of the defined combinations. Click to add more than one combination of encryption and authentication algorithm.
PFS Group
PFS group specifies the key length used for encryption.
• Group 1 uses 768-bit encryption
• Group 2 uses 1024-bit encryption
• Group 5 uses 1536-bit encryption
• Group 14 uses 2048-bit encryption
• Group 15 uses 3072-bit encryption
• Group 16 uses 4096-bit encryption
Select one group from 1, 2, 5, 14, 15 or 16. If ‘Same as Phase 1’ is selected, the PFS group specified at the connection initiator’s end will be used. If ‘No PFS’ is selected, this security parameter cannot be added for Phase 2. The remote peer must be configured to use the same group; if mismatched groups are specified on each peer, negotiation fails.
Key Life
Key life is the amount of time that will be allowed to pass before the key expires. Specify key life in terms of seconds.
Create button
Creates the policy. Click to create.
Cancel button
Cancels the current operation and returns to the Manage VPN policy page.
Table – Create VPN policy screen elements
Note Policies with the same name cannot be created
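The policy table above states the rules that decide whether two peers can negotiate at all: each end offers up to three encryption/authentication combinations per phase and the peers need at least one in common, the DH group (phase 1) and PFS group (phase 2) must match exactly, ‘Same as Phase 1’ reuses the phase 1 group, key life must be at least 2 minutes and at least 1 minute longer than the re-key margin, and the re-key margin is randomized (10 minutes at 20% gives 8 to 12 minutes). The following is an added example, not Cyberoam code, that models those rules for two constructed peer policies and also flags choices a defender would not accept today (single DES, MD5, groups below 2048 bits); those thresholds, the resolution of ‘Same as Phase 1’ to the peer's own phase 1 group, and the `PhasePolicy`/`PeerPolicy` names are this example's assumptions.

```python
"""Policy compatibility and strength check for two IPSec peers (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

# Modulus sizes the guide lists for the DH (phase 1) and PFS (phase 2) groups.
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096}

# Thresholds below are this example's own choices, not statements from the guide.
WEAK_ENC = {"DES"}
WEAK_AUTH = {"MD5"}
MIN_GROUP_BITS = 2048

# A group number, "same_as_phase1" (phase 2 only) or None for No PFS.
Group = Union[int, str, None]


@dataclass
class PhasePolicy:
    proposals: List[Tuple[str, str]]  # (encryption, authentication) in preference order
    group: Group
    key_life_s: int
    rekey_margin_s: int = 0


@dataclass
class PeerPolicy:
    phase1: PhasePolicy
    phase2: PhasePolicy


def validate_timing(p: PhasePolicy) -> List[str]:
    """Policy-level rules from the guide: at most three combinations, key life of
    at least 2 minutes and at least 1 minute longer than the re-key margin."""
    problems = []
    if len(p.proposals) > 3:
        problems.append("more than three encryption/authentication combinations")
    if p.key_life_s < 120:
        problems.append("key life is less than 2 minutes")
    if p.rekey_margin_s and p.key_life_s < p.rekey_margin_s + 60:
        problems.append("key life is not at least 1 minute greater than re-key margin")
    return problems


def rekey_margin_range(margin_s: int, fuzz_pct: int) -> Tuple[int, int]:
    """Re-key margin randomized by +/- fuzz_pct: the guide's 10 minutes at 20%
    gives 8 to 12 minutes, i.e. negotiation starts 8 to 12 minutes before expiry."""
    delta = margin_s * fuzz_pct // 100
    return margin_s - delta, margin_s + delta


def resolve_group(peer: PeerPolicy, phase: int) -> Group:
    """'Same as Phase 1' is resolved to the peer's own phase 1 DH group (assumption)."""
    pol = peer.phase1 if phase == 1 else peer.phase2
    return peer.phase1.group if pol.group == "same_as_phase1" else pol.group


def negotiate(local: PeerPolicy, remote: PeerPolicy, phase: int) -> Dict:
    """Pick the first local proposal the remote also offers, then require equal groups."""
    lpol = local.phase1 if phase == 1 else local.phase2
    rpol = remote.phase1 if phase == 1 else remote.phase2
    result: Dict = {"phase": phase, "ok": False, "reason": "", "warnings": []}
    common = [c for c in lpol.proposals if c in rpol.proposals]
    if not common:
        result["reason"] = "no common encryption/authentication combination"
        return result
    lgroup, rgroup = resolve_group(local, phase), resolve_group(remote, phase)
    if phase == 1 and lgroup is None:
        result["reason"] = "phase 1 requires a DH group"
        return result
    if lgroup != rgroup:
        result["reason"] = f"group mismatch ({lgroup} vs {rgroup})"
        return result
    if lgroup is not None and lgroup not in DH_GROUP_BITS:
        result["reason"] = f"unsupported group {lgroup}"
        return result
    enc, auth = common[0]
    result.update(ok=True, encryption=enc, authentication=auth,
                  group=lgroup, group_bits=DH_GROUP_BITS.get(lgroup))
    if enc in WEAK_ENC:
        result["warnings"].append(f"{enc} is a weak cipher")
    if auth in WEAK_AUTH:
        result["warnings"].append(f"{auth} is a weak integrity algorithm")
    if lgroup is None:
        result["warnings"].append("no PFS: phase 2 keys are derived from the phase 1 secret")
    elif DH_GROUP_BITS[lgroup] < MIN_GROUP_BITS:
        result["warnings"].append(f"group {lgroup} ({DH_GROUP_BITS[lgroup]}-bit) is below {MIN_GROUP_BITS} bits")
    return result


# Constructed sample policies for the two ends of a tunnel.
LOCAL = PeerPolicy(
    phase1=PhasePolicy([("AES", "SHA1"), ("3DES", "SHA1")], 14, 8 * 3600, 600),
    phase2=PhasePolicy([("AES", "SHA1"), ("3DES", "MD5")], "same_as_phase1", 3600),
)
REMOTE = PeerPolicy(
    phase1=PhasePolicy([("3DES", "MD5"), ("AES", "SHA1")], 14, 8 * 3600, 600),
    phase2=PhasePolicy([("3DES", "MD5")], 5, 3600),
)

if __name__ == "__main__":
    for phase in (1, 2):
        print(negotiate(LOCAL, REMOTE, phase))
    print("re-key margin window (s):", rekey_margin_range(600, 20))
```

With the sample policies phase 1 succeeds with AES/SHA1 over group 14, while phase 2 fails because the local ‘Same as Phase 1’ resolves to group 14 and the remote offers group 5, which is exactly the mismatch the guide says makes negotiation fail.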
Update VPN Policy
Select VPN → Policy → Manage policy and click the name of the policy to be modified.
Screen – Manage VPN Policy
Screen Elements Description
VPN policy details
Name
Displays policy name. Cannot be modified.
Description
Displays policy description, modify if required.
Keying Method
Select keying method: Automatic or Manual.
Allow Re-keying
Displays whether re-keying is allowed or not. Modify if required.
Set ‘Yes’ if the negotiation process can be initiated by both the local and remote peer automatically before the key expires.
Depending on PFS, the negotiation process will either use the same key or generate a new key.
Key Negotiation Tries
Displays the maximum number of negotiation attempts allowed, modify if required.
Pass Data In Compress Format
Enable to pass data in compressed format to increase throughput.
Perfect Forward Secrecy
Displays whether a new key will be generated or not for every negotiation on key expiry, modify if required.
Set ‘Yes’ to generate a new key for every negotiation on key expiry.
Set ‘No’ to use the same key for every negotiation.
Phase 1
Encryption and Authentication algorithm
Select the encryption and authentication algorithms that the communicating parties will use for the integrity of data exchanged in phase 1.
Supported encryption algorithms: 3DES, AES, TwoFish, BlowFish, Serpent
3DES: Triple DES is a strong symmetric encryption algorithm that is compliant with the OpenPGP standard. It is an application of the DES standard in which three keys are used in succession to provide additional security.
AES: Advanced Encryption Standard offers the highest standard of security. The effective key lengths that can be used with AES are 128, 192 and 256 bits. This security system supports a number of encryption algorithms.
Supported authentication algorithms: MD5, SHA1
A maximum of three combinations of encryption and authentication algorithm can be selected. The remote peer must be configured to use at least one of the defined combinations. Click to add more than one combination of encryption and authentication algorithm.
DH Group
DH group specifies the key length used for encryption.
• DH Group 1 uses 768-bit encryption
• DH Group 2 uses 1024-bit encryption
• DH Group 5 uses 1536-bit encryption
• DH Group 14 uses 2048-bit encryption
• DH Group 15 uses 3072-bit encryption
• DH Group 16 uses 4096-bit encryption
Select one Diffie-Hellman group from 1, 2, 5, 14, 15 or 16. The remote peer must be configured to use the same group; if mismatched groups are specified on each peer, negotiation fails.
Key Life
Displays key life, modify if required. Key life is the amount of time that will be allowed to pass before the key expires and can be specified in terms of hours or minutes. Key life cannot be less than 2 minutes and must be at least 1 minute greater than the Re-Key margin.
Re-Key Margin
Displays re-key margin, modify if required.
Re-key margin time is the time before key expiry at which the negotiation process should start automatically, without interrupting the communication. Set the time in terms of the remaining key life. For example, if key life is 8 hours and re-key margin is 10 minutes, the negotiation process will start automatically after 7 hours 50 minutes of key life. Specify in terms of minutes.
Randomize Re-Keying Time by
Randomizes the re-key margin. For example, if key life is 8 hours, re-key margin is 10 minutes and randomize re-keying time is 20%, then the re-key margin will be 8 to 12 minutes and the negotiation process will start automatically 8 minutes before the key expiry and will try up to 2 minutes after key expiry.
Pass Data In Compress Format
Displays whether data is passed in the compressed format or not, modify if required.
Enable Dead Peer Detection
Enable to check whether peer is live or not.
Check Peer After Every (Only if Dead Peer Detection option is ‘Enabled’)
Displays the interval at which the peer that initiated the connection checks whether the other peer is live or not. Modify if required.
Wait for Response up to (Only if Dead Peer Detection option is ‘Enabled’)
Displays the response wait time, modify if required. It specifies how long the initiating peer should wait for the status response. If the response is not received within the specified time, the peer is considered inactive. Specify in terms of seconds.
Action when Peer is not active (Only if Dead Peer Detection option is ‘Enabled’)
Displays what action will be taken if the peer is not active, modify if required:
• Hold – hold the connection
• Clear – close the connection
• Restart – restart the connection
Phase 2
Encryption and Authentication algorithm
Select the encryption and authentication algorithms that the communicating parties will use for the integrity of data exchanged in phase 2.
Supported encryption algorithms: DES, 3DES, TwoFish, BlowFish, Serpent
DES, 3DES: Triple DES is a strong symmetric encryption algorithm that is compliant with the OpenPGP standard. It is an application of the DES standard in which three keys are used in succession to provide additional security.
AES: Advanced Encryption Standard offers the highest standard of security. The effective key lengths that can be used with AES are 128, 192 and 256 bits. This security system supports a number of encryption algorithms.
Supported authentication algorithms: MD5, SHA1
A maximum of three combinations of encryption and authentication algorithm can be selected. The remote peer must be configured to use at least one of the defined combinations. Click to add more than one combination of encryption and authentication algorithm.
PFS Group
PFS group specifies the key length used for encryption.
• Group 1 uses 768-bit encryption
• Group 2 uses 1024-bit encryption
• Group 5 uses 1536-bit encryption
• Group 14 uses 2048-bit encryption
• Group 15 uses 3072-bit encryption
• Group 16 uses 4096-bit encryption
Select one group from 1, 2, 5, 14, 15 or 16. If ‘Same as Phase 1’ is selected, the PFS group specified at the connection initiator’s end will be used. If ‘No PFS’ is selected, this security parameter cannot be added for Phase 2. The remote peer must be configured to use the same group; if mismatched groups are specified on each peer, negotiation fails.
Key Life
Key life is the amount of time that will be allowed to pass before the key expires. Specify key life in terms of seconds.
Update button
Updates the policy. Click to update and save.
Cancel button
Cancels the current operation and returns to the Manage VPN policy page.
Table – Manage VPN policy screen elements
Note Default policy cannot be updated
Delete VPN policy
Prerequisite • Not assigned for any connection
Select VPN → Policy → Manage policy to view the list of policies.
Screen – Delete VPN policy
Screen Elements Description
Del
Select policy for deletion. Click Del to select; more than one policy can be selected.
Select All
Select all the policies for deletion. Click Select All to select all the policies.
Delete button
Deletes all the selected policies.
Table – Delete VPN policy screen elements
Note Default policy cannot be deleted
Certificate Authority
Digital certificates are used for authentication. Certificates are generated by trusted third-party Certificate Authorities (CAs). A CA creates a certificate by signing, with its own private key, the public key and identifying information of a communicating party. This makes it possible to verify that a public key really belongs to that party and has not been forged by someone with malicious intentions. A certificate signed by a CA identifies the owner of a public key. Each communicating party may be required to present its own CA-signed certificate, proving ownership of the corresponding private key. Additionally, the communicating parties need a copy of the CA’s public key. If a private key is lost or stolen, or the certified information changes, the CA is responsible for revoking the certificate. Cyberoam provides a facility to generate a local certificate authority as well as to import certificates signed by commercial providers such as VeriSign.
Generate Certificate Authority
Select VPN → Certificate Authority → Manage Certificate Authority and click Default
Screen – Generate Certificate Authority
Screen Elements Description
Certificate Authority Details
Certificate Authority Name
Displays certificate authority name.
Country Name Select the Country for which the Certificate will be used. Generally this would be the name of the country where Cyberoam is installed.
State/Province Name
Select the State/Province for which the Certificate will be used. Generally this would be the name of the state where Cyberoam is installed.
Locality Name Specify the locality/City. Generally this would be the name of the city where Cyberoam is installed.
Organization Name
Specify your organization name.
Organizational Unit Name
Specify the department/section name that will use this certificate.
Common Name
Specify the domain name. This domain will be certified to use the certificate.
Email Address
Specify email address.
CA Password
Specify the password and confirm by re-typing it.
Generate button
Generates the certificate with the above specified details. Click to generate. If the certificate has already been generated, it will be re-generated with the above specified details.
Cancel button
Cancels the current operation.
Table – Generate Certificate Authority screen elements
Import external Certificate Authority
Select VPN → Certificate Authority → Upload Certificate Authority
Screen – Define external Certificate Authority
Screen Elements Description
Certificate
Certificate Authority Name
Specify certificate authority name.
Certificate Format
Cyberoam supports certificates in two formats: PEM and DER.
PEM (Privacy Enhanced Mail): a format encoding the certificate in ASCII text. The certificate, request, and private key are stored in separate files.
DER: a binary format for encoding certificates. The certificate, request, and private key are stored in separate files.
Certificate
Specify the certificate to be uploaded. Use Browse to select the complete path.
Upload button
Uploads the specified certificate.
Cancel button
Cancels the current operation.
Table – Define external Certificate Authority screen elements
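Before uploading an external CA certificate it helps to confirm which of the two formats above a file actually is, since a PEM file is just the DER bytes in Base64 between BEGIN/END lines while a DER file is raw binary ASN.1 that must start with a SEQUENCE. The following is an added example, not Cyberoam code, using only the Python standard library: it detects the format, converts in both directions, and checks that the DER bytes form exactly one complete outer SEQUENCE (a truncated or padded file fails). The sample input is a constructed ASN.1 SEQUENCE, not a real certificate, so the structure check is the point, not the certificate contents.

```python
"""Detect, check and convert PEM/DER certificate files (added example)."""
import base64
import re
from typing import Tuple

# PEM armor: a BEGIN line, Base64 body, matching END line (same label via \1).
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def der_outer_length(der: bytes) -> Tuple[int, int]:
    """Return (header_len, body_len) of the first DER element, which for an
    X.509 certificate must be a SEQUENCE (tag 0x30); raise if malformed."""
    if len(der) < 2:
        raise ValueError("too short for a DER element")
    if der[0] != 0x30:
        raise ValueError("does not start with an ASN.1 SEQUENCE (0x30)")
    first = der[1]
    if first < 0x80:                  # short form: length fits in 7 bits
        return 2, first
    n = first & 0x7F                  # long form: the next n bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("invalid DER length encoding")
    return 2 + n, int.from_bytes(der[2:2 + n], "big")


def is_valid_der(der: bytes) -> bool:
    """True only if the outer SEQUENCE spans the whole file: no truncation, no trailing bytes."""
    try:
        hdr, body = der_outer_length(der)
    except ValueError:
        return False
    return hdr + body == len(der)


def detect_format(data: bytes) -> str:
    if PEM_RE.search(data):
        return "PEM"
    if is_valid_der(data):
        return "DER"
    return "unknown"


def pem_to_der(pem: bytes) -> bytes:
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM block found")
    der = base64.b64decode(b"".join(m.group(2).split()), validate=True)
    if not is_valid_der(der):
        raise ValueError("PEM payload is not a complete DER SEQUENCE")
    return der


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> bytes:
    if not is_valid_der(der):
        raise ValueError("input is not a complete DER SEQUENCE")
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]   # 64-column body
    tag = label.encode()
    return b"-----BEGIN " + tag + b"-----\n" + b"\n".join(lines) + b"\n-----END " + tag + b"-----\n"


# Constructed sample: SEQUENCE { INTEGER 1, UTF8String "ca" }; not a real certificate.
SAMPLE_DER = bytes.fromhex("3007" "020101" "0c026361")

if __name__ == "__main__":
    pem = der_to_pem(SAMPLE_DER)
    print(detect_format(SAMPLE_DER), detect_format(pem), pem_to_der(pem) == SAMPLE_DER)
```

The same checks apply to the `.pem` and `.p12`-bundled files produced by the Download Certificate procedure later in this guide, except that a PKCS#12 file is a different (password-protected) ASN.1 structure and is not handled here.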
Upload Certificate
Select VPN → Certificate → New Certificate
Screen – Upload Certificate
Screen Elements Description
Certificate Action
Select Upload Certificate.
Certificate Name
Specify certificate name.
Password
Specify the password and confirm by re-typing it.
Certificate
Specify the certificate to be uploaded. Use Browse to select the complete path.
Private key
Specify the private key for the certificate. Use Browse to select the complete path.
Upload button
Uploads the specified certificate.
Cancel button
Cancels the current operation.
Table – Upload Certificate screen elements
Generate Self signed certificate
You can use Cyberoam to act as a certificate authority and sign its own certificates. This eliminates the need to have your own certificate authority.
Prerequisite • Certificate Authority generated
Select VPN → Certificate → New Certificate
Screen – Generate Self Signed Certificate
Screen Elements Description
Certificate Action
Select Generate Self Signed Certificate.
Certificate Name
Specify certificate name.
Valid upto
Specify the certificate validity period using the calendar. Validity period is the certificate life, i.e. the period up to which the certificate will be considered valid. Minimum validity period is one day.
Key Length
Select key length. Displays the number of bits used to construct the key. Generally, the larger the key, the less chance that it will be compromised, but it requires more time to encrypt and decrypt data than a smaller key.
Password
Specify the password and confirm by re-typing it. Password must be at least 10 characters long.
Certificate ID
Specify certificate ID. You can specify any one of the following:
• DNS
• IP address
• Email address
• DER ASN1 DN/X.509 (applicable when Authentication Type is Digital Certificate)
Generate button
Generates the certificate with the specified details. Click to generate.
Cancel button
Cancels the current operation.
Generate Certificate Signing Request
If you are using a third-party CA, you have to submit a request to the CA; the CA verifies the details, then signs and returns the signed certificate. Cyberoam provides a way for you to generate the request.
Select VPN → Certificate → New Certificate
Screen – Generate CSR
Screen Elements Description
Certificate Action
Select Generate Certificate Signing Request (CSR).
Certificate Name
Specify certificate name.
Valid upto
Specify the certificate validity period using the calendar. Validity period is the certificate life, i.e. the period up to which the certificate will be considered valid. Minimum validity period is one day.
Key Length
Select key length. Displays the number of bits used to construct the key. Generally, the larger the key, the less chance that it will be compromised, but it requires more time to encrypt and decrypt data than a smaller key.
Password
Specify the password and confirm by re-typing it. Password must be at least 10 characters long.
Certificate ID
Specify certificate ID. You can specify any one of the following:
• DNS
• IP address
• Email address
• DER ASN1 DN/X.509 (applicable when Authentication Type is Digital Certificate)
Country Name
Select the country for which the certificate will be used.
Generally this would be the name of the country where Cyberoam is installed.
State/Province Name
Select the State/Province for which the Certificate will be used. Generally this would be the name of the state where Cyberoam is installed.
Locality Name Specify the locality/City. Generally this would be the name of the city where Cyberoam is installed.
Organization Name
Specify your organization name.
Organizational Unit Name
Specify the department/section name that will use this certificate.
Common Name
Specify the domain name. This domain will be certified to use the certificate. The domain name has to be unique.
Email Address
Specify email address.
Generate button
Generates the certificate request with the specified details, which you can send to your CA for a certificate. Click to generate.
Cancel button
Cancels the current operation.
Screen – Generate CSR
Download Certificate
Select VPN → Certificate → Manage Certificate, click the certificate to be downloaded and follow the on-screen steps.
A Certificate Signing Request is downloaded in zip format; unzip the file. It contains three files: certificatename.csr, certificatename.key and password.txt.
Cyberoam supports certificates in two formats: p12 and pem. A certificate is downloaded in tar.gz format; extract the file with WinZip or WinRAR. It contains:
• Certificatename.p12 (certificate in p12 format)
• Password.txt
• PEM folder, which contains the certificate in pem format as certificatename.pem and certificatename.key
Screen – Download Certificate
Delete Certificate
Prerequisite • Not used by any Connection
Select VPN → Certificate → Manage Certificate
Screen – Delete Certificate
Screen Elements Description
Del
Select certificate for deletion. Click Del to select; more than one certificate can be selected.
Select All
Select all the certificates for deletion. Click Select All to select all the certificates.
Delete button
Deletes all the selected certificate(s).
Table – Delete Certificate screen elements
Note The deleted certificate will be revoked
Certificate Revocation List
The CA maintains the list of valid and revoked certificates. Certificates which are stolen, lost or updated are revoked by the CA. The revocation list is the list of certificates which have been revoked by the CA.
Revoke certificate
Select VPN → Certificate → Manage Certificate and click the certificate to be revoked
Screen – Revoke Certificate
Screen Elements Description
Certificate
Certificate Name
Displays certificate name.
Valid upto
Displays certificate validity period, modify if required. Validity period is the certificate life, i.e. the period up to which the certificate will be considered valid.
Key Length
Displays key length, modify if required. Displays the number of bits used to construct the key. Generally, the larger the key, the less chance that it will be compromised, but it requires more time to encrypt and decrypt data than a smaller key.
Password
Displays password. Click Change Password to modify the password. Password must be at least 10 characters long.
Regenerate button
Regenerates the certificate.
Revoke button
Revokes the certificate if it is lost, stolen or updated.
Click to revoke. If the certificate is revoked, it is automatically added to the Certificate Revocation List (CRL), which you can download and circulate if required.
Cancel button Cancels the current operation
Table – Revoke Certificate screen elements
Download CRL
Cyberoam creates the default CRL with the name Default.crl. Once you revoke a certificate, the details of the revoked certificate are added to the default file and the CRL is regenerated. You can download and distribute it if required.
Select VPN → Certificate Authority → Manage CRL to view the list of CRLs. Click Download against the name of the CRL to be downloaded. A zip file is downloaded; unzip the file to check the details.
Upload CRL
If you are using an external Certificate Authority, you need to upload the CRL obtained from that Certificate Authority.
Select VPN → Certificate Authority → Upload CRL
Enter the CRL name and specify the full path of the file to be uploaded, then click Upload.
Delete CRL
Select VPN → Certificate Authority → Manage CRL to view the list of CRLs.
Screen – Delete CRL
Screen Elements Description
Del
Select CRL for deletion. Click Del to select; more than one CRL can be selected.
Select All
Select all the CRLs for deletion. Click Select All to select all the CRLs.
Delete button
Deletes all the selected CRLs.
Table – Delete CRL screen elements
Note The default CRL cannot be deleted
IPSec Connection
IP Security (IPSec) is a suite of protocols designed for cryptographically secure communication at the IP layer (layer 3).
IPSec protocols:
• Authentication Header (AH) - Used for the authentication of packet senders and for ensuring the integrity of packet data. The Authentication Header protocol (AH) checks the authenticity and integrity of packet data. In addition, it checks that the sender and receiver IP addresses have not been changed in transmission. Packets are authenticated using a checksum created using a Hash-based Message Authentication Code (HMAC) in connection with a key.
• Encapsulating Security Payload (ESP) - Used for encrypting the entire packet and for authenticating its contents. In addition to encryption, ESP offers the ability to authenticate senders and verify packet contents.
IPSec modes:
• Transport Mode - the original IP packet is not encapsulated in another packet. The original IP header is retained, and the rest of the packet is sent either in clear text (AH) or encrypted (ESP). Either the complete packet can be authenticated with AH, or the payload can be encrypted and authenticated using ESP. In both cases, the original header is sent over the WAN in clear text. Use Transport mode where both endpoints understand IPSec directly. Transport mode is used between peers supporting IPSec, or between a host and a gateway, if the gateway is being treated as a host.
• Tunnel Mode - the complete packet – header and payload – is encapsulated in a new IP packet. An IP header is added to the IP packet, with the destination address set to the receiving tunnel endpoint. The IP addresses of the encapsulated packets remain unchanged. The original packet is then authenticated with AH or encrypted and authenticated using ESP. Tunnel mode is primarily used for interoperability with gateways or end systems that do not support L2TP/IPSec or PPTP VPN site-to-site connections.
IPSec connection types (for Tunnel mode only):
• Road Warrior - This type of VPN is a user-to-internal-network connection via a public or shared network. Many large companies have employees that need to connect to the internal network from the field. These field agents access the internal network by using remote computers and laptops without a static IP address.
• Net to Net - A Net-to-Net VPN connects an entire network (such as a LAN or WAN) to a remote network by way of a network-to-network connection. A network-to-network connection requires routers on each side of the connecting networks to transparently process and route information from one node on a LAN to a node on a remote LAN.
• Host to Host - A Host-to-Host VPN connects one desktop or workstation to another by way of a host-to-host connection. This type of connection uses the network to which each host is connected to create the secure tunnel to each other.
Note Alias IP address cannot be used for establishing Connection
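The AH and mode descriptions above can be made concrete by building the packets and checking what the HMAC actually covers. The following is an added example, not Cyberoam code: it constructs a minimal IPv4 packet, attaches an Authentication Header whose ICV is HMAC-SHA1-96 (RFC 2404) computed with the mutable header fields zeroed as RFC 4302 requires, and verifies it on receipt. In transport mode the original addresses remain in the header and are covered, so changing the destination address is detected while a TTL change (mutable) is not; in tunnel mode the whole original packet becomes the authenticated payload behind a new header addressed to the tunnel endpoint, so the inner addresses are unchanged and protected. The key, SPI and addresses are constructed sample values, and the IPv4 header checksum is left at zero since AH zeroes it anyway.

```python
"""AH integrity in transport and tunnel mode (added example, constructed values)."""
import hashlib
import hmac
import ipaddress
import struct

PROTO_AH = 51     # IP protocol number of the Authentication Header
PROTO_IPIP = 4    # next header value for an encapsulated IPv4 packet (tunnel mode)
ICV_LEN = 12      # HMAC-SHA1-96 keeps the first 96 bits of the 160-bit HMAC
AH_FIXED = 12     # next header, payload len, reserved, SPI, sequence number
KEY = b"constructed-sample-key"  # sample integrity key; a real SA derives this in IKE


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header without options; checksum left at zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def zero_mutable_fields(hdr: bytes) -> bytes:
    """AH computes the ICV with the fields routers may change set to zero:
    TOS, flags/fragment offset, TTL and header checksum."""
    h = bytearray(hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_fixed_part(next_header: int, spi: int, seq: int) -> bytes:
    # Payload Len is the AH length in 32-bit words minus 2: (12 + 12) / 4 - 2 = 4
    return struct.pack("!BBHII", next_header, (AH_FIXED + ICV_LEN) // 4 - 2, 0, spi, seq)


def compute_icv(key: bytes, ip_hdr: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    """HMAC over the immutable header fields, the AH with a zeroed ICV, and the payload."""
    covered = zero_mutable_fields(ip_hdr) + ah_fixed + b"\x00" * ICV_LEN + payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]


def ah_transport(key: bytes, src: str, dst: str, next_header: int,
                 payload: bytes, spi: int, seq: int) -> bytes:
    """Transport mode: the original addresses stay in the (authenticated) header."""
    hdr = ipv4_header(src, dst, PROTO_AH, AH_FIXED + ICV_LEN + len(payload))
    fixed = ah_fixed_part(next_header, spi, seq)
    return hdr + fixed + compute_icv(key, hdr, fixed, payload) + payload


def ah_tunnel(key: bytes, outer_src: str, outer_dst: str,
              inner_packet: bytes, spi: int, seq: int) -> bytes:
    """Tunnel mode: the whole original packet is the payload behind a new header
    whose destination is the tunnel endpoint."""
    return ah_transport(key, outer_src, outer_dst, PROTO_IPIP, inner_packet, spi, seq)


def ah_verify(key: bytes, packet: bytes):
    """Return (ok, next_header, payload); ok is False if any covered byte changed."""
    hdr, rest = packet[:20], packet[20:]
    if len(hdr) < 20 or hdr[9] != PROTO_AH or len(rest) < AH_FIXED:
        return False, None, None
    fixed = rest[:AH_FIXED]
    ah_len = (fixed[1] + 2) * 4
    icv, payload = rest[AH_FIXED:ah_len], rest[ah_len:]
    ok = hmac.compare_digest(icv, compute_icv(key, hdr, fixed, payload))
    return ok, fixed[0], payload


def tamper(packet: bytes, offset: int, value: int) -> bytes:
    """Return a copy of the packet with one byte changed (for demonstrating detection)."""
    p = bytearray(packet)
    p[offset] = value
    return bytes(p)


if __name__ == "__main__":
    pkt = ah_transport(KEY, "192.0.2.10", "192.0.2.20", 6, b"hello", 0x100, 1)
    print("intact:", ah_verify(KEY, pkt)[0])
    print("TTL changed (mutable, allowed):", ah_verify(KEY, tamper(pkt, 8, 1))[0])
    print("destination changed (detected):", ah_verify(KEY, tamper(pkt, 16, 10))[0])
```

The offsets used in the demonstration follow the IPv4 header layout: byte 8 is the TTL and bytes 16 to 19 are the destination address.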
Create Transport mode IPSec Connection
In transport mode only host-to-host connections are supported.
Select VPN → IPSec Connection → Create Connection
Screen - Create Transport mode IPSec Connection
Screen Elements Description
Connection details
Name
Assign a name to the connection. Choose a name that best describes the connection to be created.
Description
Specify a full description of the connection.
Policy Name
Select the policy to be used for the connection.
Action on Restart
Select the action for the connection:
• Deactive – Keep the connection in deactive mode till the user activates it.
• Active – Activate the connection on system/service start so that the connection can be established whenever required.
• Connect – Connect as soon as the system/service starts.
Mode
Select Transport mode. Refer to IPSec modes for details.
Authentication details
Authentication Type
Specify the authentication type. Authentication of the user depends on the connection type.
Select Preshared key: an authentication mechanism whereby a single key is used for encryption and decryption. Both peers should possess the preshared key. The remote peer uses the preshared key for decryption.
Select Digital Certificate: an authentication mechanism whereby sender and receiver both use the digital certificate issued by the Certificate Authority. Both sender and receiver must have each other’s Certificate Authority.
Select RSA key: an authentication mechanism whereby two keys - public and private - are used for encryption and decryption. The private key is known only to the owner and is never transmitted over the network.
Preshared key Only if Authentication Type is ‘Preshared key’
Specify the preshared key to be used. This preshared key will have to be shared or communicated to the peer at the remote end. At the remote end, the client will have to specify this key for authentication. Refer to the VPN Client guide, Phase 1 Configuration. If there is a mismatch in the key, the user will not be able to establish the connection.
Local Certificate Only if Authentication Type is ‘Digital Certificate’
Select the local certificate that should be used for authentication by Cyberoam.
Remote Certificate Only if Authentication Type is ‘Digital Certificate’
Select the remote certificate that should be used for authentication by the remote peer.
Local RSA Key Only if Authentication Type is ‘RSA Key’
Displays the automatically generated key, which cannot be modified. The local public key can be regenerated from the text-based administration (Telnet) console. Refer to the Console guide for more details.
Remote RSA Key Only if Authentication Type is ‘RSA Key’
Specify the public key which is to be used by the remote peer.
Local Network Details
Local server
Specify the public IP address of the local server. Click to select.
Local ID
Displays the ID and its value specified in the local certificate. For preshared key, select the local ID type and specify its value. For preshared key, DER ASN1 DN is not applicable.
Remote Network
Remote Host
Specify the IP address of the remote peer.
Allow NAT Traversal
Enable if a NAT device is located between your VPN endpoints, i.e. the remote peer has a private IP address.
Remote Internal Network Only if NAT Traversal is enabled
Specify the IP addresses and netmask of the remote network which is allowed to connect to the Cyberoam server through the VPN tunnel. At a time only one connection can be established behind one NAT box. Click Add to add a network.
Remote ID
Displays the ID if a remote certificate is selected; otherwise specify the ID specified in the certificate used by the peer. For preshared key, select any type of ID and specify its value. For preshared key, DER ASN1 DN is not applicable.
User Authentication
User Authentication
Specify whether user authentication is required at the time of connection or not. Click Disable if user authentication is not required. If enabled as client, specify the username and password. If enabled as server, click Add to select and add all the users who are to be allowed to connect.
Quick Mode Selectors
Allow Protocols
Select the protocol for negotiations. The tunnel will pass only data which uses the specified protocol.
Local port Only for TCP protocol
Specify local port.
Remote port Only for TCP protocol
Specify remote port.
Create button
Creates the connection. Click to create.
Cancel button
Cancels the current operation.
Table - Create Transport mode IPSec Connection screen elements
Create Road Warrior IPSec connection
Select VPN → IPSec Connection → Create Connection
Screen – Create Road Warrior IPSec Connection
Screen Elements Description
Connection details
Name
Assign a name to the connection. Choose a name that best describes the connection to be created.
Description
Specify a full description of the connection.
Policy Name
Select the policy to be used for the connection.
Action on Restart
Select the action for the connection:
• Deactive – Keep the connection in deactive mode till the user activates it.
• Active – Activate the connection on system/service start so that the connection can be established whenever required.
• Connect – Connect as soon as the system/service starts.
Mode
Select Tunnel mode. Refer to IPSec modes for details.
Connection Type
Specify the connection type. Authentication of the user depends on the connection type. Select ‘Road warrior’. Refer to Connection types for details.
Authentication details
Authentication Type
Specify the authentication type. Authentication of the user depends on the connection type.
Preshared key: an authentication mechanism whereby a single key is used for encryption and decryption. Both peers should possess the preshared key. The remote peer uses the preshared key for decryption.
Digital Certificate: an authentication mechanism whereby sender and receiver both use the digital certificate issued by the Certificate Authority. Both sender and receiver must have each other’s Certificate Authority.
Preshared key Only if Authentication Type is ‘Preshared key’
Specify the preshared key to be used. This preshared key will have to be shared or communicated to the peer at the remote end. At the remote end, the client will have to specify this key for authentication. Refer to the VPN Client guide, Phase 1 Configuration. If there is a mismatch in the key, the user will not be able to establish the connection.
Local Certificate Only if Authentication Type is ‘Digital Certificate’
Select the local certificate that should be used for authentication by Cyberoam.
Remote Certificate Only if Authentication Type is ‘Digital Certificate’
Select the remote certificate that should be used for authentication by the remote peer.
Local Network Details
Local Server
Specify the IP address of the local server. Click to select.
Local Internal Network
Specify the IP address and netmask of the local network which is allowed to access the remote peer through the VPN connection.
Local ID
Displays the ID and its value specified in the local certificate. For preshared key, select the local ID type and specify its value. For preshared key, DER ASN1 DN is not applicable.
Remote Network
Remote Host
Specify the IP address of the remote peer.
Allow NAT Traversal
Enable if a NAT device is located between your VPN endpoints, i.e. the remote peer has a private IP address.
Remote Internal Network Only if NAT Traversal is enabled
Specify the IP addresses and netmask of the remote network which is allowed to connect to the Cyberoam server through the VPN tunnel. At a time only one connection can be established behind one NAT box. Click Add to add a network. Specify 0.0.0.0/0 to allow all networks.
Remote ID
Specify the ID specified in the remote certificate. For preshared key, select any type of ID and specify its value. For preshared key, DER ASN1 DN is not applicable.
User Authentication
User Authentication
Specify whether user authentication is required at the time of connection or not. Click Disable if user authentication is not required. If enabled as server, click Add to select and add all the users who are to be allowed to connect.
Quick Mode Selectors
Allow Protocols
Select the protocol for negotiations. The tunnel will pass only data which uses the specified protocol.
Local port Only for TCP protocol
Specify local port.
Remote port Only for TCP protocol
Specify remote port.
Create button
Creates the connection. Click to create.
Cancel button
Cancels the current operation.
Table – Create Road Warrior IPSec Connection screen elements
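The transport-mode and Road Warrior tables above state a number of constraints that the form itself only hints at: a preshared key must be supplied and matched by the peer, DER ASN1 DN identities are not applicable with a preshared key, certificate authentication needs both certificates, RSA authentication needs the remote public key, NAT traversal requires a remote internal network, transport mode supports only host-to-host, and a TCP selector needs both ports. The following is an added example, not Cyberoam code, that encodes those checks over a connection definition held in a plain dictionary (the field names are this example's own) and runs them on a constructed Road Warrior definition beside its corrected form. Flagging a 0.0.0.0/0 remote internal network, which the guide permits for road warriors, is the example's own defensive choice because it admits every remote network.

```python
"""Consistency checks for an IPSec connection definition (added example)."""
import ipaddress
from typing import Dict, List

AUTH_TYPES = {"Preshared key", "Digital Certificate", "RSA key"}
ID_TYPES = {"DNS", "IP address", "Email address", "DER ASN1 DN"}


def validate_connection(conn: Dict) -> List[str]:
    """Return the findings for one connection; an empty list means it is consistent."""
    findings: List[str] = []
    mode, ctype, auth = conn.get("mode"), conn.get("connection_type"), conn.get("auth_type")
    # The guide: transport mode supports only host-to-host connections.
    if mode == "Transport" and ctype != "Host to Host":
        findings.append("transport mode supports only host-to-host connections")
    if auth not in AUTH_TYPES:
        findings.append(f"unknown authentication type {auth!r}")
    if auth == "Preshared key":
        if not conn.get("preshared_key"):
            findings.append("preshared key is required and must match the remote peer")
        for side in ("local_id", "remote_id"):
            if conn.get(side, {}).get("type") == "DER ASN1 DN":
                findings.append(f"{side}: DER ASN1 DN is not applicable with a preshared key")
    elif auth == "Digital Certificate":
        for cert in ("local_certificate", "remote_certificate"):
            if not conn.get(cert):
                findings.append(f"{cert} is required for digital certificate authentication")
    elif auth == "RSA key" and not conn.get("remote_rsa_key"):
        findings.append("remote peer's public RSA key is required")
    for side in ("local_id", "remote_id"):
        id_type = conn.get(side, {}).get("type")
        if id_type is not None and id_type not in ID_TYPES:
            findings.append(f"{side}: unknown ID type {id_type!r}")
    nets = conn.get("remote_internal_networks", [])
    if conn.get("nat_traversal") and not nets:
        findings.append("NAT traversal is enabled but no remote internal network is given")
    for net in nets:
        try:
            network = ipaddress.ip_network(net, strict=True)
        except ValueError:
            findings.append(f"remote internal network {net!r} is not a valid network/netmask")
            continue
        if network.prefixlen == 0:
            # Allowed by the guide for road warriors; flagged here as this example's choice.
            findings.append(f"remote internal network {net} admits every remote network")
    if conn.get("protocol") == "TCP" and not (conn.get("local_port") and conn.get("remote_port")):
        findings.append("TCP selector needs both local and remote port")
    return findings


# Constructed Road Warrior definitions: one with several problems, one corrected.
ROAD_WARRIOR_WEAK = {
    "mode": "Tunnel", "connection_type": "Road Warrior", "auth_type": "Preshared key",
    "preshared_key": "",
    "local_id": {"type": "IP address", "value": "203.0.113.1"},
    "remote_id": {"type": "DER ASN1 DN", "value": "CN=laptop"},
    "nat_traversal": True, "remote_internal_networks": ["0.0.0.0/0"],
    "protocol": "TCP", "local_port": 443, "remote_port": None,
}
ROAD_WARRIOR_FIXED = dict(
    ROAD_WARRIOR_WEAK,
    preshared_key="constructed-sample-psk",
    remote_id={"type": "DNS", "value": "laptop.example.net"},
    remote_internal_networks=["192.168.77.0/24"],
    protocol="All", local_port=None, remote_port=None,
)

if __name__ == "__main__":
    for name, conn in (("weak", ROAD_WARRIOR_WEAK), ("fixed", ROAD_WARRIOR_FIXED)):
        print(name, validate_connection(conn) or ["no findings"])
```

The same function applies unchanged to the Net to Net table that follows, since that form shares the authentication, ID and remote network fields with the Road Warrior form.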
Create Net to Net IPSec connection
Select VPN → IPSec Connection → Create Connection
Screen - Create Net to Net IPSec connection
Screen Elements Description
Connection details
Name
Assign a name to the connection. Choose a name that best describes the connection to be created.
Description
Specify a full description of the connection.
Policy Name
Select the policy to be used for the connection.
Action on Restart
Select the action for the connection:
• Deactive – Keep the connection in deactive mode till the user activates it.
• Active – Activate the connection on system/service start so that the connection can be established whenever required.
• Connect – Connect as soon as the system/service starts.
Mode
Select Tunnel mode. Refer to IPSec modes for details.
Connection Type
Specify the connection type. Authentication of the user depends on the connection type. Select ‘Net to Net’. Refer to Connection types for details.
Authentication details
Authentication Type
Specify the authentication type. Authentication of the user depends on the connection type.
Select Preshared key: an authentication mechanism whereby a single key is used for encryption and decryption. Both peers should possess the preshared key. The remote peer uses the preshared key for decryption.
Select Digital Certificate: an authentication mechanism whereby sender and receiver both use the digital certificate issued by the Certificate Authority. Both sender and receiver must have each other’s Certificate Authority.
Select RSA key: an authentication mechanism whereby two keys - public and private - are used for encryption and decryption. The private key is known only to the owner and is never transmitted over the network.
Preshared key Only if Authentication Type is ‘Preshared key’
Specify the preshared key to be used. This preshared key will have to be shared or communicated to the peer at the remote end. At the remote end, client will have to specify this key for authentication. Refer to VPN Client guide, Phase 1 Configuration. If there is mismatch in the key, user will not be able to establish the connection.
Local Certificate Only if Authentication Type is ‘Digital Certificate’
Select the local certificate that should be used for authentication by Cyberoam
Remote Certificate Only if Authentication Type is ‘Digital Certificate’
Select the remote certificate that should be used for authentication by remote peer. Select ‘External Certificate’, if the remote certificate is not available
Local RSA Key Only if Authentication
Displays automatically generated key which cannot be modified. Local Public key can be regenerated from Text based Administration
45
VPN Management Guide
Screen Elements Description
Type is ‘RSA Key’ (Telnet) Console. Refer to Console guide for more details. Remote RSA Key Only if Authentication Type is ‘RSA Key’
Specify the public key which is to be used by the remote peer.
Local Network Details Local Server Specify IP address of local server
Click to select
Local Internal Network
Specify IP address and netmask of the local network which is allowed to access to remote network through VPN connection
Local ID Displays ID and its value specified in the Local certificate For preshared key, select local id and specify it’s value For preshared key, DER ASN1 DN is not applicable
Remote Network Remote Host Specify IP address of remote peer Remote Internal Network
Specify IP addresses and netmask of remote network which is allowed to connect to the Cyberoam server through VPN tunnel At a time only one connection can be established behind one NAT-box Click Add to add network
Remote ID Displays ID if remote certificate is selected else specify ID specified in the certificate used by peer For preshared key, select any type of id and specify it’s value For preshared key, DER ASN1 DN is not applicable
User Authentication User Authentication Specify whether user authentication is required at the time of
connection or not Click Disable if user authentication is not required If enabled as client, specify username and password If enabled as server, Click Add to select and add all the users which are to be allowed to connect
Quick Mode Selectors Allow Protocols Select the protocol for negotiations
Tunnel will pass only that data which uses the above specified protocol.
Local port Only for TCP protocol
Specify local port
Remote port Only for TCP protocol
Specify remote port
Create button Creates the connection Click to create
Cancel button Cancels the current operation
46
VPN Management Guide
Table - Create Net to Net IPSec connection screen elements
Create Host to Host IPSec connection
Select VPN → IPSec Connection → Create Connection
Screen - Create Host to Host IPSec connection
Screen Elements Description
Connection details
Name – Assign a name to the connection. Choose a name that best describes the connection to be created
Description – Specify full description of the connection
Policy Name – Select the policy to be used for the connection
Action on Restart – Select the action for the connection:
Deactive – Keep the connection in deactive mode till the user activates it.
Active – Activate the connection on system/service start so that the connection can be established whenever required.
Connect – Connect as soon as the system/service starts.
Mode – Select Tunnel mode. Refer to IPSec modes for details
Connection Type – Specify connection type. Authentication of user depends on the connection type. Select ‘Host to Host’. Refer to Connection types for details
Authentication details
Authentication Type – Specify Authentication type. Authentication of user depends on the connection type.
Select Preshared key – An authentication mechanism whereby a single key is used for encryption and decryption. Both the peers should possess the preshared key. The remote peer uses the preshared key for decryption.
Select Digital Certificate – An authentication mechanism whereby sender and receiver both use the digital certificate issued by the Certificate Authority. Both sender and receiver must have each other’s Certificate Authority.
Select RSA key – An authentication mechanism whereby two keys - Public and Private - are used for encryption and decryption. The Private key is known only to the owner and is never transmitted over the network.
Preshared key (only if Authentication Type is ‘Preshared key’) – Specify the preshared key to be used. This preshared key will have to be shared or communicated to the peer at the remote end. At the remote end, the client will have to specify this key for authentication. Refer to VPN Client guide, Phase 1 Configuration. If there is a mismatch in the key, the user will not be able to establish the connection.
Local Certificate (only if Authentication Type is ‘Digital Certificate’) – Select the local certificate that should be used for authentication by Cyberoam
Remote Certificate (only if Authentication Type is ‘Digital Certificate’) – Select the remote certificate that should be used for authentication by the remote peer. Select ‘External Certificate’ if the remote certificate is not available
Local RSA Key (only if Authentication Type is ‘RSA Key’) – Displays the automatically generated key, which cannot be modified. The Local Public key can be regenerated from the Text based Administration (Telnet) Console. Refer to Console guide for more details.
Remote RSA Key (only if Authentication Type is ‘RSA Key’) – Specify the public key which is to be used by the remote peer.
Local Network Details
Local Server – Specify public IP address of local server. Click to select
Local ID – Displays the ID and its value specified in the Local certificate. For preshared key, select the local ID and specify its value. For preshared key, DER ASN1 DN is not applicable
Remote Network
Remote Host – Specify IP address of remote peer
Allow NAT Traversal – Enable if a NAT device is located between your VPN endpoints, i.e. the remote peer has a private IP address
Remote Internal Network (only if NAT Traversal is enabled) – Specify IP addresses and netmask of the remote network which is allowed to connect to the Cyberoam server through the VPN tunnel. At a time only one connection can be established behind one NAT-box. Click Add to add a network
Remote ID – Displays the ID if a remote certificate is selected, else specify the ID specified in the certificate used by the peer. For preshared key, select any type of ID and specify its value. For preshared key, DER ASN1 DN is not applicable
User Authentication
User Authentication – Specify whether user authentication is required at the time of connection or not. Click Disable if user authentication is not required. If enabled as client, specify username and password. If enabled as server, click Add to select and add all the users which are to be allowed to connect
Quick Mode Selectors
Allow Protocols – Select the protocol for negotiations. The tunnel will pass only data that uses the specified protocol
Local port (only for TCP protocol) – Specify local port
Remote port (only for TCP protocol) – Specify remote port
Create button – Creates the connection. Click to create
Cancel button – Cancels the current operation
Table - Create Host to Host IPSec connection screen elements
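The three Create Connection screens above state a number of rules that the form enforces only implicitly: a preshared key, certificate pair or remote RSA key must be present for the chosen Authentication Type; DER ASN1 DN is not applicable as Local/Remote ID with a preshared key; on the Host to Host screen, Remote Internal Network applies only if NAT Traversal is enabled; Local port and Remote port apply only for TCP; and, per the note under Manage IPSec Connection later in this chapter, only one of two connections to the same destination with different authentication types can be active at a time. The following is an added example, not Cyberoam's code, that encodes those rules as a check a practitioner could run over exported connection definitions before deploying them. The field names follow the screen elements, but the dataclass, function names, the `"All"` protocol value and the sample definitions are this example's own assumptions.

```python
# Added example (not Cyberoam code): checks IPSec connection definitions against
# the constraints this chapter states for the Create Connection screens and the
# Manage IPSec Connection note. Field names follow the screen elements; the
# dataclass, function names and the sample definitions are this example's own.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

CONNECTION_TYPES = {"Road Warrior", "Net to Net", "Host to Host"}
AUTH_TYPES = {"Preshared key", "Digital Certificate", "RSA Key"}


@dataclass
class IPSecConnection:
    name: str
    connection_type: str
    auth_type: str
    remote_host: str                      # IP address of the remote peer
    preshared_key: str = ""               # only if Authentication Type is 'Preshared key'
    local_certificate: str = ""           # only if Authentication Type is 'Digital Certificate'
    remote_certificate: str = ""          # certificate name or 'External Certificate'
    remote_rsa_key: str = ""              # only if Authentication Type is 'RSA Key'
    local_id_type: str = "IP address"     # DNS, IP address, Email address or DER ASN1 DN
    remote_id_type: str = "IP address"
    nat_traversal: bool = False           # Allow NAT Traversal (Host to Host screen)
    remote_internal_networks: List[str] = field(default_factory=list)
    allow_protocol: str = "All"           # Quick Mode Selectors; "All" is an assumed value
    local_port: Optional[int] = None      # only for TCP protocol
    remote_port: Optional[int] = None     # only for TCP protocol


def validate_connection(c: IPSecConnection) -> List[str]:
    """Return the list of rule violations for one connection (empty when valid)."""
    problems: List[str] = []
    if c.connection_type not in CONNECTION_TYPES:
        problems.append(f"unknown Connection Type {c.connection_type!r}")

    if c.auth_type == "Preshared key":
        if not c.preshared_key:
            problems.append("Preshared key is required when Authentication Type is 'Preshared key'")
        if "DER ASN1 DN" in (c.local_id_type, c.remote_id_type):
            problems.append("DER ASN1 DN is not applicable as Local/Remote ID for preshared key")
    elif c.auth_type == "Digital Certificate":
        if not c.local_certificate:
            problems.append("Local Certificate is required for Digital Certificate authentication")
        if not c.remote_certificate:
            problems.append("select a Remote Certificate, or 'External Certificate' if it is not available")
    elif c.auth_type == "RSA Key":
        if not c.remote_rsa_key:
            problems.append("Remote RSA Key (the peer's public key) is required for RSA Key authentication")
    else:
        problems.append(f"unknown Authentication Type {c.auth_type!r}")

    # Host to Host: Remote Internal Network is offered only when NAT Traversal is enabled.
    if c.connection_type == "Host to Host" and c.remote_internal_networks and not c.nat_traversal:
        problems.append("Remote Internal Network applies only if Allow NAT Traversal is enabled")

    # Quick Mode Selectors: Local port and Remote port apply only for TCP.
    if c.allow_protocol != "TCP" and (c.local_port is not None or c.remote_port is not None):
        problems.append("Local port / Remote port can be specified only for TCP protocol")
    return problems


def conflicting_destinations(conns: List[IPSecConnection]) -> Dict[str, Set[str]]:
    """Destinations with connections of different authentication types.

    Per the Manage IPSec Connection note, only one such connection can be active
    at a time, and all similar connections should have the same authentication mode.
    """
    by_dest: Dict[str, Set[str]] = {}
    for c in conns:
        by_dest.setdefault(c.remote_host, set()).add(c.auth_type)
    return {dest: types for dest, types in by_dest.items() if len(types) > 1}


# Constructed sample definitions (not from the guide).
SAMPLE = [
    IPSecConnection("branch-net", "Net to Net", "Preshared key", "203.0.113.10",
                    preshared_key="example-psk", local_id_type="DNS"),
    IPSecConnection("branch-cert", "Net to Net", "Digital Certificate", "203.0.113.10",
                    local_certificate="hq-cert", remote_certificate="External Certificate"),
    IPSecConnection("laptop", "Host to Host", "Preshared key", "198.51.100.7",
                    preshared_key="example-psk", remote_id_type="DER ASN1 DN",
                    remote_internal_networks=["192.168.50.0/255.255.255.0"],
                    allow_protocol="UDP", local_port=1701),
]

if __name__ == "__main__":
    for conn in SAMPLE:
        print(conn.name, validate_connection(conn) or ["ok"])
    print("conflicting destinations:", conflicting_destinations(SAMPLE))
```

In the sample, `branch-net` and `branch-cert` each pass on their own but point at the same Remote Host with different authentication types, which is exactly the situation the Manage IPSec Connection note warns about; `laptop` trips three rules at once (DER ASN1 DN with a preshared key, a Remote Internal Network without NAT Traversal, and a port on a non-TCP selector).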
Manage IPSec Connection
Use to
• Activate, Deactivate, Initiate and disconnect connection
• Export Connection Configuration file
• Update connection details
• Delete connection
Activate/Deactivate Connection
1. Select VPN → IPSec Connection → Manage IPSec Connection to display the list of connections
2. Under Connection status, Active column
Click to deactivate the connection
Click to activate the connection
Once disconnected, a Road Warrior connection can be re-established from the remote peer only after activating the connection from the local server.
3. Under Connection status, Connection column
Click to initiate the connection.
Click to disconnect the connection. When you disconnect, the connection will be deactivated; to re-establish the connection, activate it again.
Note
If the connection is created using a manual keying policy, both the peers need to initiate the connection
The local peer cannot initiate the connection if the remote peer is using a dynamic IP address
The local peer cannot initiate the connection if Authentication mode is ‘Enable as Server’
Only one connection can be active at a time if two connections with different authentication types (preshared key authentication and digital certificate) are created for the same destination. All similar connections should have the same authentication mode
Screen – Activate/Deactivate Connection
Export Connection configuration file (only for Road warrior connection)
Select VPN → IPSec Connection → Manage IPSec Connection to view the list of connections and click ‘Export’ against the Connection Name whose configuration is to be exported. The configuration file will be created in .tbg format, which can be directly imported in Cyberoam VPN Client.
Delete Connection
Select VPN → IPSec Connection → Manage IPSec Connection to display list of connections
Screen – Delete IPSec Connection
Screen Elements Description
Del – Select connection for deletion. Click Del to select. More than one connection can be selected
Select All – Select all the connections for deletion. Click Select All to select all the connection(s)
Delete button – Deletes all the selected connection(s)
Table – Delete IPSec Connection screen elements
L2TP Connection
L2TP configuration
You can use Layer 2 Tunneling Protocol (L2TP) to create a VPN tunnel over public networks such as the Internet. For authentication, Cyberoam currently supports only the Password Authentication Protocol (PAP). Select VPN → L2TP Configuration
Screen – L2TP Configuration
Screen Elements Description
L2TP Configuration
Local IP Address – Displays the IP address that will be assigned to the L2TP server
Assign IP from – Specify the IP address range if the L2TP server has to lease the IP address
Client Information
DNS server – Specify IP address of your DNS server and alternate DNS server
WINS server – Specify IP address of your WINS server and alternate WINS server
Save – Saves the details. Click to save
Add Users button – Click to add an L2TP user. Displays the list of users which are migrated or created in Cyberoam. Click Select against the Names that are to be allowed L2TP access, i.e. only the selected users will be allowed L2TP connection. Click Select All to allow L2TP access to all the users. Click Add
Add Groups button – Click to add an L2TP user group. Displays the list of user groups created in Cyberoam. Click Select against the Group Names that are to be allowed L2TP access, i.e. only the selected user groups will be allowed L2TP connection. Click Select All to allow L2TP access to all the user groups. Click Add. All the users in the selected groups will be allowed L2TP access
Delete Users & Groups button – To delete users/groups: click Del against the names to be deleted, then click the Delete Users & Groups button
Table – L2TP Configuration screen elements
Create L2TP connection
Select VPN → L2TP Connection → Create Connection to open the create page
Screen – Create L2TP Connection
Screen Elements Description
Connection details
Name – Assign a name to the connection. Choose a name that best describes the connection to be created
Description – Specify full description of the connection
Policy Name – Select the policy to be used for the connection
Action on Restart – Select the action for the connection:
Deactive – Keep the connection in deactive mode till the user activates it.
Active – Activate the connection on system/service start so that the connection can be established whenever required.
Local Network Details
Local Server – Specify public IP address of local VPN server/peer. Click to select
Gateway of Local VPN server – Select the Gateway of the local VPN server
Local ID – Specify local ID. You can specify any one of the following:
• DNS
• IP address
• Email address
• DER ASN1 DN/X.509 (applicable only if Authentication Type is Digital Certificate)
Remote Network
Remote Host – Specify IP address of remote peer
Remote ID – Specify remote ID. You can specify any one of the following:
• DNS
• IP address
• Email address
• DER ASN1 DN/X.509 (applicable only if Authentication Type is Digital Certificate)
Authentication details
Authentication Type – Specify Authentication type. Authentication of user depends on the connection type.
Preshared key – An authentication mechanism whereby a single key is used for encryption and decryption. Both the peers should possess the preshared key. The remote peer uses the preshared key for decryption.
Digital Certificate – An authentication mechanism whereby sender and receiver both use the digital certificate issued by the Certificate Authority. Both sender and receiver must have each other’s Certificate Authority.
Preshared key (only if Authentication Type is ‘Preshared key’) – Specify the preshared key to be used. This preshared key will have to be shared or communicated to the peer at the remote end. At the remote end, the client will have to specify this key for authentication. Refer to VPN Client guide, Phase 1 Configuration. If there is a mismatch in the key, the user will not be able to establish the connection.
Local Certificate (only if Authentication Type is ‘Digital Certificate’) – Displays the local certificate which will be used for authentication
Quick Mode Selectors
Local port – Specify local port
Remote port – Specify remote port
Create button – Creates the connection. Click to create
Cancel button – Cancels the current operation
Table – Create L2TP Connection screen elements
Note
L2TP and IPSec connection names cannot be the same. You may receive a ‘Connection name already exists’ message while creating a connection if the name with which you are creating the connection is already used for either an L2TP or an IPSec connection
Manage L2TP connection
Select VPN → L2TP Connection → Manage Connection to view the list of connections
Screen – Manage L2TP Connection
Screen – Update L2TP Connection
Screen Elements Description
Connection details
Name – Displays Connection name
Description – Displays description, modify if required
Policy Name – Displays the policy that will be used for the connection
Action on Restart – Displays the action:
Deactive – Keep the connection in deactive mode till the user activates it.
Active – Activate the connection on system/service start so that the connection can be established whenever required.
Connect – Connect as soon as the system/service starts.
Local Network Details
Local Server – Displays public IP address of local VPN server/peer. Click to select
Gateway of Local VPN server – Displays the Gateway of the local VPN server
Local ID – Displays local ID, modify if required. You can specify any one of the following:
• DNS
• IP address
• Email address
• DER ASN1 DN/X.509 (applicable only if Authentication Type is Digital Certificate)
Remote Network
Remote Host – Displays IP address of remote peer
Remote ID – Displays remote ID, modify if required. You can specify any one of the following:
• DNS
• IP address
• Email address
• DER ASN1 DN/X.509 (applicable only if Authentication Type is Digital Certificate)
Authentication details
Authentication Type – Specify Authentication type. Authentication of user depends on the connection type.
Preshared key – An authentication mechanism whereby a single key is used for encryption and decryption. Both the peers should possess the preshared key. The remote peer uses the preshared key for decryption.
Digital Certificate – An authentication mechanism whereby sender and receiver both use the digital certificate issued by the Certificate Authority. Both sender and receiver must have each other’s Certificate Authority.
Preshared key (only if Authentication Type is ‘Preshared key’) – Specify the preshared key to be used. This preshared key will have to be shared or communicated to the peer at the remote end. At the remote end, the client will have to specify this key for authentication. Refer to VPN Client guide, Phase 1 Configuration. If there is a mismatch in the key, the user will not be able to establish the connection.
Local Certificate (only if Authentication Type is ‘Digital Certificate’) – Displays the local certificate which will be used for authentication
Quick Mode Selectors
Local port – Displays local port, modify if required
Remote port – Displays remote port, modify if required
Update button – Saves the modified details. Click to update
Cancel button – Cancels the current operation
Table – Update L2TP Connection screen elements
Delete L2TP connection
Select VPN → L2TP Connection → Manage Connection to view the list of connections
Screen – Delete L2TP connection
Screen Elements Description
Del – Select connection for deletion. Click Del to select. More than one connection can be selected
Select All – Select all the connections for deletion. Click Select All to select all the connection(s)
Delete button – Deletes all the selected connection(s)
Table – Delete L2TP connection screen elements
PPTP Connection
Cyberoam supports PPTP to tunnel PPP traffic between two VPN peers. Windows or Linux PPTP clients can establish a PPTP tunnel with a Cyberoam Appliance that has been configured to act as a PPTP server.
PPTP Configuration
Use to:
• Configure PPTP
• Add and delete PPTP User
• Add and delete PPTP User Groups
Select VPN → PPTP Configuration
Screen – PPTP Configuration
Screen Elements Description
PPTP Configuration
Local IP Address – Displays the LAN IP address that will be used for the PPTP server
Assign IP from – The PPTP server will lease an IP address to the PPTP client from the specified IP address range. The PPTP client uses the assigned IP address as its source address for the duration of the connection. Do not specify the same IP address range in L2TP configuration and PPTP configuration
Client Information
DNS server – Specify IP address of your DNS server and alternate DNS server to be used at the client end
WINS server – Specify IP address of your WINS server and alternate WINS server to be used at the client end
Save – Saves the details. Click to save
Add Users button – Click to add a PPTP user. Displays the list of users which are migrated or created in Cyberoam. Click Select against the Names that are to be allowed PPTP access, i.e. only the selected users will be allowed PPTP connection. Click Select All to allow PPTP access to all the users. Click Add
Add Groups button – Click to add a PPTP user group. Displays the list of user groups created in Cyberoam. Click Select against the Group Names that are to be allowed PPTP access, i.e. only the selected user groups will be allowed PPTP connection. Click Select All to allow PPTP access to all the user groups. Click Add. All the users in the selected groups will be allowed PPTP access
Delete Users & Groups button – To delete users/groups: click Del against the names to be deleted, then click the Delete Users & Groups button
Table – PPTP Configuration Screen elements
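Two rules in this chapter cut across configuration screens and so are easy to miss when the L2TP and PPTP pages are edited separately: the PPTP "Assign IP from" description says the same IP address range must not be used for both L2TP and PPTP, and the note under Create L2TP connection says a connection name may be used for either an L2TP or an IPSec connection, not both. The following added example, which is not Cyberoam's code, turns both into a small lint that can be run over the values an administrator is about to enter. It goes slightly beyond the guide's wording for the first rule by also flagging a partial overlap, since two pools that share even one address could lease it to two clients at once. The 'first-last' range syntax, the function names and the sample values are this example's own assumptions.

```python
# Added example (not Cyberoam code): two cross-configuration checks from the notes
# in this chapter. (1) The L2TP and PPTP "Assign IP from" ranges must not be the
# same range; the check also flags a partial overlap. (2) A connection name may be
# used for either an L2TP or an IPSec connection, not both. The 'first-last' range
# syntax, function names and sample values are this example's own assumptions.
import ipaddress
from collections import Counter
from typing import Iterable, List, Tuple

IPRange = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]


def parse_range(text: str) -> IPRange:
    """Parse an inclusive 'first-last' range such as '10.0.1.10-10.0.1.50'."""
    first_text, last_text = text.split("-", 1)
    first = ipaddress.IPv4Address(first_text.strip())
    last = ipaddress.IPv4Address(last_text.strip())
    if last < first:
        raise ValueError(f"range end precedes start: {text!r}")
    return first, last


def ranges_overlap(a: IPRange, b: IPRange) -> bool:
    """True when the two inclusive ranges share at least one address."""
    return a[0] <= b[1] and b[0] <= a[1]


def check_lease_pools(l2tp_range: str, pptp_range: str) -> List[str]:
    """Report an L2TP pool and a PPTP pool that hand out addresses in common."""
    l2tp, pptp = parse_range(l2tp_range), parse_range(pptp_range)
    if l2tp == pptp:
        return [f"L2TP and PPTP use the same IP address range {l2tp_range}"]
    if ranges_overlap(l2tp, pptp):
        low, high = max(l2tp[0], pptp[0]), min(l2tp[1], pptp[1])
        return [f"L2TP range {l2tp_range} and PPTP range {pptp_range} overlap on {low}-{high}"]
    return []


def check_connection_names(ipsec_names: Iterable[str], l2tp_names: Iterable[str]) -> List[str]:
    """Names that would raise 'Connection name already exists' across both connection types."""
    counts = Counter(ipsec_names) + Counter(l2tp_names)
    return sorted(name for name, n in counts.items() if n > 1)


# Constructed sample configuration (not from the guide).
L2TP_POOL = "10.0.1.10-10.0.1.50"
PPTP_POOL = "10.0.1.40-10.0.1.80"        # overlaps the L2TP pool on 10.0.1.40-10.0.1.50
IPSEC_NAMES = ["branch-net", "laptop"]
L2TP_NAMES = ["laptop", "mobile-users"]   # 'laptop' collides with an IPSec connection name

if __name__ == "__main__":
    findings = check_lease_pools(L2TP_POOL, PPTP_POOL) + check_connection_names(IPSEC_NAMES, L2TP_NAMES)
    for finding in findings:
        print(finding)
```

Both functions return lists rather than printing, so the same checks can be wired into whatever change-review script an administrator already uses for the appliance.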