How To Establish IPSec VPN Connection between Cyberoam and Microsoft Azure

Applicable Version: 10.00 onwards

Overview
Microsoft Azure is a cloud computing platform and infrastructure, created by Microsoft, for building,
deploying and managing applications and services through a global network of Microsoft-managed
datacenters. It provides both PaaS and IaaS services and supports many different programming
languages, tools and frameworks, including both Microsoft-specific and third-party software and
systems.

This article describes how to configure an IPSec VPN connection between Cyberoam and virtual
networks hosted on Microsoft Azure. Cyberoam allows secure IPSec VPN connection with MS Azure
such that an organization can safely use it as an extension of its own network.

Scenario
Establish IPSec VPN connection between Cyberoam and Microsoft Azure.

Prerequisite
You should be registered with and have access to Microsoft Azure. For details, refer to
http://azure.microsoft.com.

Azure Configuration
You can configure the VPN connection in Azure by following the steps given below.

Step 1: Create Local Network

Sign in to your Azure Account and go to Networks > Local Networks and click Add a Local
Network to create a Local Network that represents Cyberoam LAN in the VPN connection.

Specify Local Network Details, as shown below.



Specify the Address Space of the LAN and click to save the Local Network.

Step 2: Create Virtual Network

Go to Networks > Virtual Networks and click Create a Virtual Network to launch the Create
Virtual Network Wizard.

Specify the Name and Affinity Group of the Virtual Network. Click to go to the next
configuration screen.

Check Configure a site-to-site VPN and select Cyberoam_LAN, created in step 1, as the Local
Network. Click to go to the next configuration screen.



Specify the address space and subnet of the Virtual Network, and add the gateway subnet by
clicking add gateway subnet and specifying the values.

Click to add to save the Virtual Network.

Step 3: Add Gateway to Virtual Network


Once the Virtual Network is created, click on the newly created Virtual Network and go to the Dashboard.
Click Create Gateway at the bottom of the screen and select Static Routing to associate a gateway
with the Virtual Network, through which it will connect to the Cyberoam LAN.

It takes a few minutes to create the Gateway.

Step 4: Obtain Preshared Key


Once the Virtual Network is configured, obtain the Preshared Key to be used in Cyberoam by
clicking Manage Key at the bottom of the screen.

The Preshared Key to be used is displayed on the screen, as shown below.

Step 5: Create Virtual Machine to be accessed over VPN


Go to Virtual Machines and click Create a Virtual Machine.

The New tab at the bottom of the screen pops up. Select Compute > Virtual Machine > From
Gallery to start the Create Virtual Machine Wizard.

Select the Image of Virtual Machine to be created. Here, as an example, we create a Windows
Server 2012 R2 Datacenter. Click to go to the next configuration screen.



Specify the Virtual Machine details, as shown below.



Check Install the VM Agent and click to save the Virtual Machine.

The above configuration prepares Azure to connect to Cyberoam over VPN.

Cyberoam Configuration
After configuring the VPN connection on Azure, configure the IPSec connection in Cyberoam by
following the steps given below. Configuration is to be done from the Cyberoam Web Admin Console
using a profile that has read-write administrative rights over the relevant features.

Step 1: Create VPN Policy


Go to VPN > Policy > Policy and click Add to add a new policy.

Note:

Configure IPSec Parameters in Cyberoam's VPN Policy to match the IPSec Parameters supported by
Azure. For information on parameters supported by Azure, refer to
http://msdn.microsoft.com/en-us/library/azure/jj156075.aspx.

| Parameter | Value | Description |
|---|---|---|
| Name | CR_Azure | Specify a name to identify the VPN Policy. |
| Keying Method | Automatic | Keying Method defines how the keys for the connection are to be managed. Select Keying Method from the available options. Available Options: Automatic, Manual |
| Allow Re-Keying | Disable | Enable Re-Keying to start the negotiation process automatically before key expiry. |
| Key Negotiation Tries | 3 | Specify maximum key negotiation trials allowed. Set 0 for unlimited number of trials. |
| Authentication Mode | Main Mode | Select Authentication Mode. Authentication Mode is used for exchanging authentication information. Available Options: Main Mode, Aggressive Mode |
| Pass Data in Compressed Format | Enable | Enable to pass data in compressed format to increase throughput. |
| Perfect Forward Secrecy (PFS) | Disable | Enable to generate new key for every negotiation on key expiry and disable to use same key for every negotiation. |
| Phase 1 | | |
| Encryption Algorithm | 3DES | Select encryption algorithm that would be used by communicating parties for integrity of exchanged data for phase 1. |
| Authentication Algorithm | SHA1 | Select Authentication Algorithm that would be used by communicating parties for integrity of exchanged data for phase 1. |
| DH Group (Key Group) | 2(DH1024) | Select one Diffie-Hellman Group from 1, 2, 5, 14, 15 or 16. DH Group specifies the key length used for encryption. |
| Key Life | 3600 | Specify Key Life in terms of seconds. Key Life is the amount of time that will be allowed to pass before the key expires. |
| Re-Key Margin | 120 | Specify Re-Key Margin. Re-Key Margin is the time when the negotiation process should be started automatically without interrupting the communication before the key expiry. |
| Randomize Re-Keying Margin By | 0 | Specify Randomize Re-Keying time. |
| Dead Peer Detection | Disable | Enable to check at regular interval whether peer is live or not. |
| Phase 2 | | |
| Encryption Algorithm | 3DES | Select Encryption Algorithm that would be used by communicating parties for integrity of exchanged data for phase 2. |
| Authentication Algorithm | SHA1 | Select Authentication Algorithm that would be used by communicating parties for integrity of exchanged data for phase 2. |
| PFS Group (DH Group) | Same as Phase-1 | Select one Diffie-Hellman group from 1, 2, 5, 14, 15 or 16. DH Group specifies the key length used for encryption. |
| Key Life | 3600 | Specify Key Life in terms of seconds. Key Life is the amount of time that will be allowed to pass before the key expires. |

Click OK to save policy.



Step 2: Configure IPSec Connection


Go to VPN > IPSec > Connection and click Add to create a new connection using parameters given
below.

| Parameter | Value | Description |
|---|---|---|
| Name | CR_to_Azure | Name to identify the IPSec Connection |
| Connection Type | Site to Site | Select Type of connection. Available Options: Remote Access, Site to Site, Host to Host |
| Policy | CR_Azure (created in step 1) | Select policy to be used for connection |
| Action on VPN Restart | Respond Only | Select the action for the connection. Available options: Respond Only, Initiate, Disable |
| Authentication details | | |
| Authentication Type | Preshared Key | Select Authentication Type. Authentication of user depends on the connection type. |
| Preshared Key | <As obtained from Azure Virtual Network created above> | To obtain Preshared Key from Azure, refer to step 4 of Azure Configuration |
| Endpoints Details | | |
| Local | PortB-103.250.31.224 | Select local port which acts as end-point to the tunnel |
| Remote | 23.97.71.193 | Specify Gateway IP Address assigned to Azure Virtual Network. It can be obtained from the Dashboard of the Virtual Network created in step 3 of Azure Configuration. |
| Local Network Details | | |
| Local Subnet | 172.16.16.0/24 | Select Local LAN Address. Add and Remove LAN Address using Add Button and Remove Button |
| Remote Network Details | | |
| Remote LAN Network | 10.10.10.0/27 | Select IP addresses and netmask assigned to Azure Virtual Network. |

Click OK to create the connection.
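
The endpoint and subnet values entered above have to mirror what was entered on the Azure side, and a mismatch is a common reason a site-to-site tunnel fails to come up. The following pre-flight check is an added example, not part of the original article or of Cyberoam's or Azure's tooling. The dictionary field names are hypothetical, the Azure-side values are assumed to be what was typed into the portal in Steps 1 to 3 (including a VPN device IP on the Local Network), and the exact-match comparison of subnets is an assumption of this example.

```python
import ipaddress

# Values the article enters on the Cyberoam side (Step 2 table).
CYBEROAM = {
    "local_ip": "103.250.31.224",        # address of PortB
    "remote_gateway": "23.97.71.193",
    "local_subnets": ["172.16.16.0/24"],
    "remote_subnets": ["10.10.10.0/27"],
    "key_life": 3600,
    "rekey_margin": 120,
}

# Azure-side view of the same tunnel. Field names are hypothetical; values are
# assumed to match what was entered in the Azure portal.
AZURE = {
    "vpn_device_ip": "103.250.31.224",
    "gateway_ip": "23.97.71.193",
    "local_network_space": ["172.16.16.0/24"],
    "vnet_space": ["10.10.10.0/27"],
}

def _nets(cidrs):
    # strict=True rejects entries with host bits set, e.g. 172.16.16.1/24
    return {ipaddress.ip_network(c, strict=True) for c in cidrs}

def check_tunnel(cr, az):
    """Return a list of mismatches between both sides; empty means consistent."""
    findings = []
    cr_local, cr_remote = _nets(cr["local_subnets"]), _nets(cr["remote_subnets"])
    if cr_local != _nets(az["local_network_space"]):
        findings.append("Cyberoam Local Subnet != Azure Local Network address space")
    if cr_remote != _nets(az["vnet_space"]):
        findings.append("Cyberoam Remote LAN Network != Azure Virtual Network address space")
    if any(a.overlaps(b) for a in cr_local for b in cr_remote):
        findings.append("local and remote subnets overlap")
    if ipaddress.ip_address(cr["remote_gateway"]) != ipaddress.ip_address(az["gateway_ip"]):
        findings.append("Cyberoam Remote endpoint != Azure gateway IP")
    if ipaddress.ip_address(cr["local_ip"]) != ipaddress.ip_address(az["vpn_device_ip"]):
        findings.append("Cyberoam Local endpoint != VPN device IP configured in Azure")
    if not 0 < cr["rekey_margin"] < cr["key_life"]:
        findings.append("Re-Key Margin must be shorter than Key Life")
    return findings

if __name__ == "__main__":
    for line in check_tunnel(CYBEROAM, AZURE) or ["no mismatches found"]:
        print(line)
```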



Step 3: Activate IPSec Connection

Go to VPN > IPSec > Connection and click under Active and Connection heads against
BO_to_HO connection, created in step 2.

Under the Active status indicates that the connection is successfully activated.
Under the Connection status indicates that the connection is successfully established.

Document Version: 1.0 22 April, 2014