Set up a VPN from a Firebox to a Cyberoam Device

A branch office virtual private network (BOVPN) tunnel is a secure way for networks, or for a host and a network, to exchange data across the Internet. This topic tells you how to define a manual BOVPN tunnel between a Firebox and a Cyberoam Security Appliance (10.04.0 build 433). Before you create a BOVPN tunnel, you must collect the IP addresses from each endpoint and agree on the common tunnel settings to use.

This topic does not give detailed information on what the different BOVPN settings mean, or the effects those settings can have on the tunnel that is built. If you want to know more about a particular setting, use these resources:

WatchGuard provides interoperability instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about configuring a non-WatchGuard product, see the documentation and support resources for that product.

VPN Configuration Summary

For reference purposes, here is a summary of the VPN configuration defaults for the Cyberoam Security Appliance, with emphasis on any settings that do not match the default VPN configuration settings in Fireware.

VPN Settings              WatchGuard Device Default   Cyberoam Device Default   Matched?

Phase 1 Settings
IKE Exchange Mode         Main                        Main                      Y
Authentication            SHA1                        SHA1                      Y
Encryption                3DES                        AES (128-bit)             N
Diffie-Hellman Group      2                           2                         Y

Phase 2 Settings
Perfect Forward Secrecy   No                          Yes                       N
Protocol                  ESP                         ESP                       Y
Authentication            SHA1                        SHA1                      Y
Encryption                AES (256-bit)               AES (128-bit)             N

WatchGuard and Cyberoam devices have different default settings for Phase 1 and 2 encryption. For the VPN tunnel to build successfully, you must specify the same Phase 1 and 2 settings on your Firebox and Cyberoam devices. For the strongest security, WatchGuard recommends that you specify an AES variant (128-bit or 256-bit) for encryption.

Collect IP Address and Tunnel Settings

Before you can configure a branch office VPN, you must collect the public IP addresses of each device, and the IP addresses of the private networks you want to connect. You must also agree upon Phase 1 and Phase 2 settings to use for the VPN. This procedure describes how to configure a Firebox with the Phase 1 and Phase 2 settings that match the default settings on a Cyberoam device.

For example, the IP address settings you collect could look like this:

WatchGuard Firebox:

External interface IP address: 203.0.113.2

Trusted network IP address: 10.0.1.0/24

Cyberoam device:

External interface IP address: 198.51.100.2

Private network IP address: 10.50.1.0/24
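As an added example (not part of the WatchGuard page or either vendor's software), the following Python pre-flight check encodes the defaults from the VPN Configuration Summary table and the example addresses collected above, lists every Phase 1 and Phase 2 setting that differs between the two devices, and verifies that each side's remote gateway and remote network entries mirror the other side's local ones. The dictionary keys, value labels such as "AES-128", and function names are my own.

```python
import ipaddress

# Phase 1 / Phase 2 defaults as listed in the VPN Configuration Summary table.
# Value labels ("AES-128", "SHA1", ...) are my own shorthand, not vendor strings.
FIREBOX_DEFAULTS = {
    "phase1": {"mode": "Main", "auth": "SHA1", "enc": "3DES", "dh_group": 2},
    "phase2": {"pfs": False, "protocol": "ESP", "auth": "SHA1", "enc": "AES-256"},
}
CYBEROAM_DEFAULTS = {
    "phase1": {"mode": "Main", "auth": "SHA1", "enc": "AES-128", "dh_group": 2},
    "phase2": {"pfs": True, "protocol": "ESP", "auth": "SHA1", "enc": "AES-128"},
}

# Endpoint data from the "Collect IP Address and Tunnel Settings" example.
# 'peer' is the public IP each side expects as its remote gateway and
# 'remote_network' is the private subnet it expects behind that gateway.
FIREBOX = {"gateway": "203.0.113.2", "peer": "198.51.100.2",
           "network": "10.0.1.0/24", "remote_network": "10.50.1.0/24"}
CYBEROAM = {"gateway": "198.51.100.2", "peer": "203.0.113.2",
            "network": "10.50.1.0/24", "remote_network": "10.0.1.0/24"}

def proposal_mismatches(a, b):
    """List (phase, setting, a_value, b_value) for every setting that differs.

    IKE negotiation fails on any single mismatch, so the goal is an empty list."""
    return [(phase, key, a[phase][key], b[phase][key])
            for phase in ("phase1", "phase2")
            for key in a[phase] if a[phase][key] != b[phase][key]]

def endpoint_problems(local, remote):
    """Check that the two endpoints mirror each other and their LANs do not overlap."""
    problems = []
    for side, other, name in ((local, remote, "Firebox"), (remote, local, "Cyberoam")):
        if ipaddress.ip_address(side["peer"]) != ipaddress.ip_address(other["gateway"]):
            problems.append(f"{name}: remote gateway {side['peer']} is not the "
                            f"other side's public IP {other['gateway']}")
        if ipaddress.ip_network(side["remote_network"]) != ipaddress.ip_network(other["network"]):
            problems.append(f"{name}: remote network {side['remote_network']} is not the "
                            f"other side's local network {other['network']}")
    if ipaddress.ip_network(local["network"]).overlaps(ipaddress.ip_network(remote["network"])):
        problems.append("local and remote private networks overlap; traffic will not route")
    return problems

if __name__ == "__main__":
    for item in proposal_mismatches(FIREBOX_DEFAULTS, CYBEROAM_DEFAULTS):
        print("change on one side before building the tunnel:", item)
    print("endpoint problems:", endpoint_problems(FIREBOX, CYBEROAM) or "none")
```

With the page's defaults the check reports the three rows marked N in the table (Phase 1 encryption, PFS, Phase 2 encryption) and no endpoint problems.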

Configure the WatchGuard Device

On the Firebox, you must add a VPN gateway, and add a VPN tunnel that uses that gateway. The Phase 1 settings on the Firebox must match the Phase 1 settings on the Cyberoam device.

Add the VPN Gateway

Add the VPN Tunnel

After you define the gateway, you can add a tunnel and configure the Phase 2 settings.

Configure the Cyberoam Device

This procedure describes how to manually configure the VPN settings for the Cyberoam device. The Cyberoam web-based interface also includes a setup wizard for the VPN configuration, but you can also use this procedure as a guide to review the settings of an existing VPN configuration.

In the Cyberoam web-based management interface:

  1. Select VPN > IPSec.
  2. Click Add.
  3. Locate the General Settings section of the page.

Screen shot of the Cyberoam VPN General Settings

  4. In the Name text box, type a meaningful name for this connection.
  5. From the Connection Type drop-down list, select Site to Site.
  6. From the Policy drop-down list, select the DefaultHeadOffice policy.

In older versions of Cyberoam software, this Connection Type is called Net to Net.

  7. Locate the Authentication Details section of the page.

Screen shot of the Cyberoam Authentication Details section

  8. From the Authentication Type drop-down list, select Preshared Key.
  9. In the two Preshared Key text boxes, type and confirm the shared key that you configured in the gateway settings on the WatchGuard device.
  10. Locate the Endpoint Details section of the page.

Screen shot of the Endpoint Details section

  11. From the Local drop-down list, select the interface on the Cyberoam device to use as the VPN endpoint.
    The IP address of the interface you select must match the IP address you configured as the Remote Gateway ID on the WatchGuard device.
  12. In the Remote text box, type the public IP address of the Firebox.
    This IP address must match what you configured as the Local Gateway ID on the WatchGuard device.
  13. Locate the Network Details section of the page.

Screen shot of the Local Network Details section

  14. Click Add.
    The Add Network Address dialog box appears.
  15. From the Local LAN Address drop-down list, select Local LAN Address.
  16. Click Add IP Host.

Screen shot of the Add IP Host dialog box

  17. In the Name text box, type a meaningful name for the local network.
  18. Adjacent to Type, select Network.
  19. In the IP Address text box, type the network IP address of the local network that connects to the Cyberoam device.
  20. From the Subnet drop-down list, select the subnet mask for the local network.
  21. Click OK to add the IP Host.
  22. Click OK to close the Add Network Address dialog box.
  23. From the Local ID drop-down list, select IP Address. Type the public IP address of the Cyberoam device in the adjacent text box.
  24. Locate the Remote Network Details section of the page.
  25. From the Remote LAN Network drop-down list, select Remote Network.
  26. Click Add IP Host.

Screen shot of the Add IP Host settings

  27. In the Name text box, type a meaningful name for the remote network.
  28. Adjacent to Type, select Network.
  29. In the IP Address text box, type the subnet ID for the remote network.
  30. From the Subnet drop-down list, select the subnet mask for the remote network.
  31. Click OK to add the IP Host.
  32. Click OK to close the Add Network Address dialog box.
  33. From the Remote ID drop-down list, select IP Address. Type the public IP address of the Firebox in the adjacent text box.
  34. Click OK at the bottom of the page to add the VPN configuration.

Activate the Connection

Screen shot of the Cyberoam VPN connection status

After you complete the VPN configuration on the Cyberoam device, you must activate the connection. To activate the connection, click the red indicator in the Active column, and click OK.

Confirm the Cyberoam Device Allows Connections

By default, the Cyberoam device does not add a policy to allow traffic to and from the remote VPN hosts. After you have configured the VPN, select Firewall > Rules and look for rules that allow VPN to LAN and LAN to VPN traffic. If you do not see these rules, follow these steps to add the necessary rules in the Cyberoam web-based management interface.

Add a rule to allow traffic from the LAN to the VPN:

  1. Select Firewall > Rule.
  2. Click Add.

Screen shot of the General Settings for a rule

  3. In the Name text box, type a meaningful name for the new rule. For example, LAN-VPN.
  4. Set the Source Zone to LAN.
  5. Set the Destination Zone to VPN.
  6. Set the Action to Accept.
  7. Click OK to save the new rule.

Add another rule to allow traffic from the VPN to the LAN:

  1. Click Add.
  2. In the Name text box, type a meaningful name for the new rule. For example, VPN-LAN.
  3. Set the Source Zone to VPN.
  4. Set the Destination Zone to LAN.
  5. Set the Action to Accept.
  6. Click OK to save the new rule.

After you have configured the VPN on both devices, you can try to send traffic through the tunnel as a test of the VPN.

See Also

Troubleshoot Branch Office VPN Tunnels
