Set up a VPN from a Firebox to a Cyberoam Device
A branch office virtual private network (BOVPN) tunnel is a secure way for networks, or for a host and a network, to exchange data across the Internet. This topic tells you how to define a manual BOVPN tunnel between a Firebox and a Cyberoam Security Appliance (10.04.0 build 433). Before you create a BOVPN tunnel, you must collect the IP addresses from each endpoint and agree on the common tunnel settings to use.
This topic does not give detailed information on what the different BOVPN settings mean, or the effects those settings can have on the tunnel that is built. If you want to know more about a particular setting, use these resources:
WatchGuard provides interoperability instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about configuring a non-WatchGuard product, see the documentation and support resources for that product.
VPN Configuration Summary
For reference purposes, here is a summary of the VPN configuration defaults for the Cyberoam Security Appliance, with emphasis on any settings that do not match the default VPN configuration settings in Fireware v11.12.4.
In Fireware v12.0 and higher, the default BOVPN security settings are different. To determine whether those settings are compatible with your Cyberoam device, see the documentation for your Cyberoam device.
| VPN Settings | WatchGuard Device Default (v11.12.4) | Cyberoam Device Default (10.04.0 build 433) | Matched? |
|---|---|---|---|
| Phase 1 Settings | |||
| IKE Exchange Mode | Main | Main | Y |
| Authentication | SHA1 | SHA1 | Y |
| Encryption | 3DES | AES (128-bit) | N |
| Diffie-Hellman Group | 2 | 2 | Y |
| Phase 2 Settings | |||
| Perfect Forward Secrecy | No | Yes | N |
| Protocol | ESP | ESP | Y |
| Authentication | SHA1 | SHA1 | Y |
| Encryption | AES (256-bit) | AES (128-bit) | N |
WatchGuard and Cyberoam devices have different default settings for Phase 1 and 2 encryption. For the VPN tunnel to build successfully, you must specify the same Phase 1 and 2 settings on your Firebox and Cyberoam devices. For the strongest security, WatchGuard recommends that you specify an AES variant (128-bit or 256-bit) for encryption.
Collect IP Address and Tunnel Settings
Before you can configure a branch office VPN, you must collect the public IP addresses of each device, and the IP addresses of the private networks you want to connect. You must also agree upon Phase 1 and Phase 2 settings to use for the VPN. This procedure describes how to configure a Firebox with the Phase 1 and Phase 2 settings that match the default settings on a Cyberoam device.
For example, the IP address settings you collect could look like this:
WatchGuard Firebox:
External interface IP address: 203.0.113.2
Trusted network IP address: 10.0.1.0/24
Cyberoam device:
External interface IP address: 198.51.100.2
Private network IP address: 10.50.1.0/24
Configure the WatchGuard Firebox
On the Firebox, you must add a VPN gateway, and add a VPN tunnel that uses that gateway. The Phase 1 settings on the Firebox must match the Phase 1 settings on the Cyberoam device.
Add the VPN Gateway
In Fireware Web UI:
- Select VPN > Branch Office VPN.
- Below the Gateways list, click Add.
The Gateway settings page appears.
- In the Gateway Name text box, type a name to identify this gateway.
- Select Use Pre-Shared Key. Type the shared key.
The shared key must use only standard ASCII characters. It must match the key used on the Cyberoam device.
- Below the Gateway Endpoint list, click Add.
The Gateway Endpoint Settings dialog box appears.
- From the External Interface drop-down list, select the external interface that has the public IP address.
- Select By IP Address. Type the external (public) IP address for the Firebox.
- Select the Remote Gateway tab.
- In the Specify the remote gateway IP address for a tunnel section, select Static IP Address. Type the external (public) IP address of the Cyberoam device.
- In the Specify the remote gateway ID for tunnel authentication section, select By IP Address. Type the public IP address of the Cyberoam device.
- Click OK to close the Gateway Endpoint Settings dialog box.
The gateway pair you defined appears in the list of gateway endpoints.
- Select the Phase 1 Settings tab.
- In the Transform Settings list, select the default Phase 1 Transform. Click Edit.
The Phase 1 Transform dialog box appears.
- From the Encryption drop-down list, select AES (128-bit).
This matches the default setting on the Cyberoam device.
- Click OK to confirm the change to the Phase 1 Transform.
Do not change any of the other Phase 1 settings from their default values.
- Click Save.
The gateway is added to the Gateways list.
- In Policy Manager, select VPN > Branch Office Gateways. Click Add.
The New Gateway dialog box appears.
- In the Gateway Name text box, type a name to identify this gateway in Policy Manager.
- Select Use Pre-Shared Key. Type the shared key.
The shared key must use only standard ASCII characters. It must match the key used on the Cyberoam device.
- In the Gateway Endpoints section, click Add.
The New Gateway Endpoints settings dialog box appears.
- From the External Interface drop-down list, select the external interface that has the public IP address.
- In the Local Gateway section, select By IP Address.
- From the IP Address drop-down list, select the external (public) IP address for the device.
- In the Specify the remote gateway IP address for a tunnel section, select Static IP Address. Type the external (public) IP address of the Cyberoam device.
- In the Specify the gateway ID for tunnel authentication section, select By IP Address. Type the public IP address of the Cyberoam device.
- Click OK.
The gateway endpoint pair you defined appears in the list of gateway endpoints.
- In the New Gateway dialog box, select the Phase 1 Settings tab.
- In the Transform Settings list, select the default Phase 1 Transform. Click Edit.
The Phase 1 Transform dialog box appears.
- In the Authentication drop-down list, select SHA1.
- In the Encryption drop-down, select AES (128-bit).
This matches the default setting on the Cyberoam device.
- Click OK to confirm the change to the Phase 1 Transform.
Do not change any of the other Phase 1 settings from their default values.
- Click OK to add the new gateway.
- Click OK to close the Gateways dialog box.
Add the VPN Tunnel
After you define the gateway, you can add a tunnel and configure the Phase 2 settings.
In Fireware Web UI, create a Phase 2 proposal with settings that match the default Phase 2 settings on the Cyberoam device:
- Select VPN > Phase2 Proposals.
- Click Add.
The Phase2 proposal settings appear.
- In the Name text box, type a meaningful name for this Phase2 proposal.
- From the Encryption drop-down list, select AES (128-bit).
With this change, the proposal settings match the default configuration for the Cyberoam device.
- Click Save.
Create a VPN tunnel that uses the new Phase 2 proposal:
- Select VPN > Branch Office VPN.
- Below the Tunnels list, click Add.
- In the Name text box, type a meaningful name for this tunnel.
- From the Gateway drop-down list, select the gateway you configured to the Cyberoam device.
- Below the Addresses list, click Add.
The Tunnel Route Settings dialog box appears.
- In the Local IP settings, from the Choose Type drop-down list, select Network IPv4. Type the network IP address of the local network that will use the VPN tunnel.
- In the Remote IP settings, from the Choose Type drop-down list, select Network IPv4. Type the network IP address of the private network on the Cyberoam device that will use the VPN tunnel.
- Click OK to add the tunnel route.
The tunnel route is added to the Addresses tab of the tunnel configuration.
- Select the Phase 2 Settings tab.
- Select the Enable Perfect Forward Secrecy check box.
This matches the default setting on the Cyberoam device.
- In the IPSec Proposals list, select the default ESP-AES-SHA1 proposal. Click Remove.
- From the IPSec Proposals drop-down list, select the phase 2 proposal you added earlier. Click Add.
- Click Save.
The tunnel route configuration is added to the Tunnels list.
- In Policy Manager, select VPN > Branch Office Tunnels.
The Branch Office IPSec Tunnels dialog box appears.
- Click Add.
The New Tunnel dialog box appears.
- In the Tunnel Name text box, type a meaningful name for this tunnel.
- From the Gateway drop-down list, select the gateway you configured to the Cyberoam device.
- Click Add to add a tunnel route.
The Tunnel Route Settings dialog box appears.
- In the Local text box, type the network IP address of the local network that will use the VPN tunnel.
- In the Remote text box, type the network IP address of the private network on the Cyberoam device that will use the VPN tunnel.
- Click OK to add the tunnel route.
The tunnel route is added to the Addresses tab of the New Tunnel dialog box.
- Click the Phase 2 Settings tab.
- Select the PFS check box.
This matches the default setting on the Cyberoam device.
- In the IPSec Proposals section, select the default ESP-AES-SHA1 entry.
- Click Remove, and click OK to confirm that you want to remove the proposal.
- Click Add to add an IPSec Proposal.
- Select Create a new Phase2 proposal.
- In the Name text box, type a meaningful name for this proposal.
- From the Encryption drop-down list, select AES (128-bit).
Leave all other settings at their default values.
- Click OK to add the New Phase2 Proposal.
- Click OK to add the new tunnel to the configuration.
- Click Close to close the Branch Office IPSec Tunnels dialog box.
Configure the Cyberoam Device
This procedure describes how to manually configure the VPN settings for the Cyberoam device. The Cyberoam web-based interface also includes a setup wizard for the VPN configuration, but you can use this procedure as a guide for how to look at the settings in any existing VPN configuration.
In the Cyberoam web-based management interface:
- Select VPN > IPSec.
- Click Add.
- Locate the General Settings section of the page.
- In the Name text box, type a meaningful name for this connection.
- From the Connection Type drop-down list, select Site to Site.
- From the Policy drop-down list, select the DefaultHeadOffice policy.
In older versions of Cyberoam software, this Connection Type is called Net to Net.
- Locate the Authentication Details section of the page.
- From the Authentication Type drop-down list, select Preshared Key.
- In the two Preshared Key text boxes, type and confirm the shared key that you configured in the gateway settings on the WatchGuard device.
- Locate the Endpoint Details section of the page.
- From the Local drop-down list, select the interface on the Cyberoam device to use as the VPN endpoint.
The IP address of the interface you select must match the IP address you configured as the Remote Gateway ID on the WatchGuard device.
- In the Remote text box, type the public IP address of the Firebox.
This IP address must match what you configured as the Local Gateway ID on the WatchGuard device.
- Locate the Network Details section of the page.
- Click Add.
The Add Network Address dialog box appears.
- From the Local LAN Address drop-down list, select Local LAN Address.
- Click Add IP Host.
- In the Name text box, type a meaningful name for the local network.
- Adjacent to Type, select Network.
- In the IP Address text box, type the network IP address of the local network that connects to the Cyberoam device.
- In the Subnet drop-down, select the subnet mask for the local network.
- Click OK to add the IP Host.
- Click OK to close the Add Network Address dialog box.
- From the Local ID drop-down list, select IP Address. Type the public IP address of the Cyberoam device in the adjacent text box.
- Locate the Remote Network Details section of the page.
- From the Remote LAN Network drop-down list, select Remote Network.
- Click Add IP Host.
- In the Name text box, type a meaningful name for the remote network.
- Adjacent to Type, select Network.
- In the IP Address text box, type the subnet ID for the remote network.
- From the Subnet drop-down list, select the subnet mask for the remote network.
- Click OK to add the IP Host.
- Click OK to close the Add Network Address dialog box.
- From the Remote ID drop-down list, select IP Address. Type the public IP address of the Firebox in the adjacent text box.
- Click OK at the bottom of the page to add the VPN configuration.
Activate the Connection
After you complete the VPN configuration on the Cyberoam device, you must activate the connection. To activate the connection, click the red indicator in the Active column, and click OK.
Confirm the Cyberoam Device Allows Connections
By default, the Cyberoam device does not add a policy that allows traffic to and from the remote VPN hosts. After you configure the VPN, select Firewall > Rules and look for rules that allow VPN-LAN and LAN-VPN traffic. If you do not see these rules, follow these steps to add them in the Cyberoam web-based management interface.
Add a rule to allow traffic from the LAN to the VPN:
- Select Firewall > Rule.
- Click Add.
- In the Name text box, type a meaningful name for the new rule. For example, LAN-VPN.
- Set the Source Zone to LAN.
- Set the Destination Zone to VPN.
- Set the Action to Accept.
- Click OK to save the new rule.
Add another rule to allow traffic from the VPN to the LAN:
- Click Add.
- In the Name text box, type a meaningful name for the new rule. For example, VPN-LAN.
- Set the Source Zone to VPN.
- Set the Destination Zone to LAN.
- Set the Action to Accept.
- Click OK to save the new rule.
After you have configured the VPN on both devices, you can try to send traffic through the tunnel as a test of the VPN.
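Before you send test traffic, it helps to compare the two configurations side by side, because a tunnel that does not build is almost always a mismatch in one of the values this page tells you to mirror: the remote gateway IP and gateway ID on each device must equal the peer's local values, the tunnel routes must be each other's private networks, the pre-shared key must be identical standard ASCII, and every Phase 1 and Phase 2 parameter must agree. The script below is an added example, not code from WatchGuard, Cyberoam or this page; it uses the example addresses from this page and each device's default proposals from the table, and the dictionary layout and key names are assumptions.

```python
import ipaddress

# Constructed sample values: this page's example addresses plus each device's
# default Phase 1/2 settings from the table, before either side is changed.
FIREBOX = {
    "public_ip": "203.0.113.2", "local_net": "10.0.1.0/24",
    "peer_ip": "198.51.100.2", "remote_net": "10.50.1.0/24",
    "local_id": "203.0.113.2", "remote_id": "198.51.100.2",
    "psk": "example-shared-key",
    "p1": {"mode": "Main", "auth": "SHA1", "enc": "3DES", "dh": 2},
    "p2": {"pfs": False, "proto": "ESP", "auth": "SHA1", "enc": "AES-256"},
}
CYBEROAM = {
    "public_ip": "198.51.100.2", "local_net": "10.50.1.0/24",
    "peer_ip": "203.0.113.2", "remote_net": "10.0.1.0/24",
    "local_id": "198.51.100.2", "remote_id": "203.0.113.2",
    "psk": "example-shared-key",
    "p1": {"mode": "Main", "auth": "SHA1", "enc": "AES-128", "dh": 2},
    "p2": {"pfs": True, "proto": "ESP", "auth": "SHA1", "enc": "AES-128"},
}

def preflight(a, b):
    """Return every mismatch between endpoints a and b that would stop the tunnel."""
    problems = []
    # Each side's remote values (peer IP, tunnel route, gateway ID) must mirror the other side's local values.
    for mine, theirs in (("peer_ip", "public_ip"), ("remote_net", "local_net"),
                         ("remote_id", "local_id")):
        if a[mine] != b[theirs]:
            problems.append(f"A.{mine}={a[mine]} != B.{theirs}={b[theirs]}")
        if b[mine] != a[theirs]:
            problems.append(f"B.{mine}={b[mine]} != A.{theirs}={a[theirs]}")
    # The two private networks must not overlap, or traffic never enters the tunnel.
    if ipaddress.ip_network(a["local_net"]).overlaps(ipaddress.ip_network(b["local_net"])):
        problems.append("local networks overlap")
    # Pre-shared key: identical on both sides, standard printable ASCII only.
    if a["psk"] != b["psk"]:
        problems.append("pre-shared keys differ")
    for side, cfg in (("A", a), ("B", b)):
        if not (cfg["psk"].isascii() and cfg["psk"].isprintable()):
            problems.append(f"{side} pre-shared key is not standard ASCII")
    # Phase 1 and Phase 2 proposals must agree on every parameter.
    for phase in ("p1", "p2"):
        for key in a[phase]:
            if a[phase][key] != b[phase][key]:
                problems.append(f"{phase}.{key}: {a[phase][key]} vs {b[phase][key]}")
    return problems

def weak_algorithms(cfg):
    """Encryption settings this page advises against (anything that is not an AES variant)."""
    return [f"{phase}.enc={cfg[phase]['enc']}" for phase in ("p1", "p2")
            if not cfg[phase]["enc"].startswith("AES")]
```

Run against the two default configurations it reports exactly the three mismatches the table marks N (Phase 1 encryption, PFS, Phase 2 encryption); after the Firebox changes described above it reports nothing.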