Cyberoam VPN Management Guide PDF

VPN Management
Guide Version 9
Document version 9410-1.0-06/01/2007

IMPORTANT NOTICE
Elitecore has supplied this Information believing it to be accurate and reliable at the time of printing, but is presented without warranty of
any kind, expressed or implied. Users must take full responsibility for their application of any products. Elitecore assumes no responsibility
for any errors that may appear in this document. Elitecore reserves the right, without notice to make changes in product design or
specifications. Information is subject to change without notice.
USER’S LICENSE
The Appliance described in this document is furnished under the terms of Elitecore’s End User license agreement. Please read these terms
and conditions carefully before using the Appliance. By using this Appliance, you agree to be bound by the terms and conditions of this
license. If you do not agree with the terms of this license, promptly return the unused Appliance and manual (with proof of payment) to the
place of purchase for a full refund.
LIMITED WARRANTY
Software: Elitecore warrants for a period of ninety (90) days from the date of shipment from Elitecore: (1) the media on which the Software
is furnished will be free of defects in materials and workmanship under normal use; and (2) the Software substantially conforms to its
published specifications except for the foregoing, the software is provided AS IS. This limited warranty extends only to the customer as the
original licenses. Customers exclusive remedy and the entire liability of Elitecore and its suppliers under this warranty will be, at Elitecore
or its service center’s option, repair, replacement, or refund of the software if reported (or, upon, request, returned) to the party supplying the
software to the customer. In no event does Elitecore warrant that the Software is error free, or that the customer will be able to operate the
software without problems or interruptions. Elitecore hereby declares that the anti virus and anti spam modules are powered by Kaspersky
Labs and the performance thereof is under warranty provided by Kaspersky Labs. It is specified that Kaspersky Lab does not warrant that
the Software identifies all known viruses, nor that the Software will not occasionally erroneously report a virus in a title not infected by that
virus.
Hardware: Elitecore warrants that the Hardware portion of the Elitecore Products excluding power supplies, fans and electrical components
will be free from material defects in workmanship and materials for a period of One (1) year. Elitecore's sole obligation shall be to repair or
replace the defective Hardware at no charge to the original owner. The replacement Hardware need not be new or of an identical make,
model or part; Elitecore may, in its discretion, replace the defective Hardware (or any part thereof) with any reconditioned product that
Elitecore reasonably determines is substantially equivalent (or superior) in all material respects to the defective Hardware.
DISCLAIMER OF WARRANTY
Except as specified in this warranty, all expressed or implied conditions, representations, and warranties including, without limitation, any
implied warranty or merchantability, fitness for a particular purpose, non-infringement or arising from a course of dealing, usage, or trade
practice, and hereby excluded to the extent allowed by applicable law.
In no event will Elitecore or its supplier be liable for any lost revenue, profit, or data, or for special, indirect, consequential, incidental, or
punitive damages however caused and regardless of the theory of liability arising out of the use of or inability to use the product even if
Elitecore or its suppliers have been advised of the possibility of such damages. In the event shall Elitecore’s or its supplier’s liability to the
customer, whether in contract, tort (including negligence) or otherwise, exceed the price paid by the customer. The foregoing limitations
shall apply even if the above stated warranty fails of its essential purpose.
In no event shall Elitecore or its supplier be liable for any indirect, special, consequential, or incidental damages, including, without
limitation, lost profits or loss or damage to data arising out of the use or inability to use this manual, even if Elitecore or its suppliers have
been advised of the possibility of such damages.
RESTRICTED RIGHTS
Copyright 2000 Elitecore Technologies Ltd. All rights reserved. Cyberoam, Cyberoam logo are trademark of Elitecore Technologies Ltd.
Information supplies by Elitecore Technologies Ltd. Is believed to be accurate and reliable at the time of printing, but Elitecore
Technologies assumes no responsibility for any errors that may appear in this documents. Elitecore Technologies reserves the right, without
notice, to make changes in product design or specifications. Information is subject to change without notice
CORPORATE HEADQUARTERS
Elitecore Technologies Ltd.
904 Silicon Tower,
Off. C.G. Road,
Ahmedabad – 380015, INDIA
Phone: +91-79-66065606
Fax: +91-79-26407640
Web site: www.elitecore.com , www.cyberoam.com
VPN Management Guide
Contents
Guide Sets ..........................................................................................................................5

Technical Support ..............................................................................................................6
Typographic Conventions..................................................................................................7
Overview................................................................................................................................8
Introduction to VPN...............................................................................................................8
Cyberoam and VPN ...............................................................................................................8
Policy .....................................................................................................................................9
Encryption and Authentication method .............................................................................9
Preshared Key ................................................................................................................9
Digital Certificates .......................................................................................................10
Public Key....................................................................................................................10
Policy Parameters.............................................................................................................10
Create VPN Policy...........................................................................................................13
Update VPN Policy..........................................................................................................17
Delete VPN policy ...........................................................................................................21
Certificate Authority ............................................................................................................22

Generate Certificate Authority.....................................................................................22
Import external Certificate Authority ..........................................................................24
Upload Certificate........................................................................................................25
Generate Self signed certificate ...................................................................................26
Generate Certificate Signing Request..........................................................................28
Download Certificate ...................................................................................................30
Delete Certificate .........................................................................................................31
Certificate Revocation List ..................................................................................................32

Revoke certificate ........................................................................................................32
Download CRL ............................................................................................................34
Upload CRL .................................................................................................................34
Delete CRL ..................................................................................................................36
IPSec Connection.................................................................................................................37
Create Transport mode IPSec Connection.......................................................................38
Create Road Warrior IPSec connection ...........................................................................41
Create Net to Net IPSec connection.................................................................................44
Create Host to Host IPSec connection .............................................................................47
Manage IPSec Connection...............................................................................................51
Activate/Deactivate Connection ..................................................................................51
Export Connection configuration file (only for Road warrior connection) .................52
Delete Connection........................................................................................................52
L2TP Connection .................................................................................................................53

L2TP configuration..........................................................................................................53
Create L2TP connection ..................................................................................................55
Manage L2TP connection ................................................................................................57
3
Delete L2TP connection ..............................................................................................60
PPTP Connection .................................................................................................................61

PPTP Configuration .........................................................................................................61
4
Guide Sets
Guide Describes
User Guide
Console Guide Console Management
Windows Client Guide Installation & configuration of Cyberoam
Windows Client
Linux Client Guide Installation & configuration of Cyberoam Linux
Client
HTTP Client Guide Installation & configuration of Cyberoam HTTP
Client
Analytical Tool Guide Using the Analytical tool for diagnosing and
troubleshooting common problems
LDAP Integration Guide Configuration for integrating LDAP with
Cyberoam for external authentication
ADS Integration Guide Configuration for integrating ADS with
PDC Integration Guide Configuration for integrating PDC with
Cyberoam for authentication
RADIUS Integration Guide Configuration for integrating RADIUS with
High Availability Configuration Configuration of High Availability (HA)
Guide
Data transfer Management Guide Configuration and Management of user based
data transfer policy
VPN Management Implementing and managing VPN
Multi Link Manager User Guide Configuration of Multiple Gateways, load
balancing and failover
Cyberoam IDP Implementation Configuring, implementing and managing
Guide Intrusion Detection and Prevention
Cyberoam Anti Virus Configuring and implementing anti virus solution
Implementation Guide
Cyberoam Anti Spam Configuring and implementing anti spam
Implementation Guide solution
5
Technical Support
You may direct all questions, comments, or requests concerning the software you purchased, your
registration status, or similar issues to Customer care/service department at the following address:
Corporate Office
eLitecore Technologies Ltd.
904, Silicon Tower
Off C.G. Road
Ahmedabad 380015
Gujarat, India.
Phone: +91-79-66065606
Fax: +91-79-26462200
Web site: www.elitecore.com
Cyberoam contact:
Technical support (Corporate Office): +91-79-26400707
Email: support@cyberoam.com
Web site: www.elitecore.com
Visit www.cyberoam.com for the regional and latest contact information.
6
Typographic Conventions
Material in this manual is presented in text, screen displays, or command-line notation.
Item Convention Example

Server Machine where Cyberoam Software - Server component is
installed
Client Machine where Cyberoam Software - Client component is
installed
User The end user
Username Username uniquely identifies the user of the system
Part titles Bold and
Report
shaded font
typefaces
Topic titles Shaded font
Introduction
typefaces
Subtitles Bold & Black

typefaces Notation conventions
Navigation link Bold typeface Group Management → Groups → Create

it means, to open the required page click on Group
management then on Groups and finally click Create tab
Name of a Lowercase Enter policy name, replace policy name with the specific
particular italic type name of a policy
parameter / Or
field / command Click Name to select where Name denotes command button
button text text which is to be clicked
Cross Hyperlink in refer to Customizing User database Clicking on the link will
references different color open the particular topic
Notes & points Bold typeface Note

to remember between the
black borders
Prerequisites Bold typefaces Prerequisite
between the
• Prerequisite details
black borders
7
Overview
Welcome to the Cyberoam’s – VPN Management Guide.
Cyberoam’s integrated Internet security solution is purpose-built to meet the unified threat
management needs of corporate, government organizations and educational institutions. It also
provides assistance in improving Bandwidth management, increasing Employee productivity and
reducing legal liability associated with undesirable Internet content access.
Guide provides a basic introduction to VPN and gives some fundamental information of those
technologies that are relevant to the way Cyberoam implements VPN. It outlines how VPNs are
actually created and gives a detailed picture of the different settings that can be used to adjust the
VPN policies using Cyberoam.
VPN management module is an add-on module which needs to be registered before use. Refer to
Cyberoam Installation and Registration guide for more details.
Introduction to VPN
A Virtual Private Network (VPN) is a tunnel that carries private network traffic from one endpoint
system to another over a public network such as the Internet without the traffic being aware that
there are intermediate hops between the endpoints or the intermediate hops being aware they are
carrying the network packets that are traversing the tunnel. The tunnel may optionally compress
and/or encrypt the data, providing enhanced performance and some measure of security.
VPN allows you to pretend you are using a leased line or a direct telephone call to communicate
between the endpoints.
VPNs allow users and telecommuters to connect to their corporate intranets or extranets. VPNs
are cost-effective because users can connect to the Internet locally and tunnel back to connect to
corporate resources. This not only reduces overhead costs associated with traditional remote
access methods, but also improves flexibility and scalability.
Cyberoam and VPN
For all business people traveling or working from home, connecting securely to the corporate
network is essential. With Cyberoam, setting up a VPN is almost effortless.
The two endpoints in Cyberoam VPN are referred to as:

Local - First endpoint is the local machine itself
Remote - Second endpoint is the remote peer - the machine you are trying to establish a VPN
connection to, or the machine which is trying to establish a VPN connection with you.
Cyberoam VPN automatically encrypts the data and sends it to the remote site over the Internet,
where it is automatically decrypted and forwarded to the intended destination. By encrypting, the
integrity and confidentiality of data is protected even when transmitted over the untrusted public
network. Cyberoam uses IPSec standard i.e. IPSec protocol to protect traffic. In IPSec, the identity
of communicating users is checked with the user authentication based on digital certificates, public
keys or preshared keys.
8
Cyberoam can be used to establish VPN connection between sites, LAN-to-LAN and Client-to-LAN
connection. VPN is the bridge between Local & Remote networks/subnets.
Cyberoam supports following protocols to authenticate and encrypt traffic:

• Internet Protocol Security (IPSec)
• Layer Two Tunneling Protocol (L2TP)
Policy
Encryption and Authentication method
Authentication of communicating parties and integrity of exchanged data is crucial for the reliable
implementation of VPN.
Encryption is used to provide confidentiality of data during the negotiation. Cyberoam supports
3DES encryption algorithm which is extensively tested public algorithm and uses hash functions -
message digest MD5 algorithm for Data integrity.
3DES: Triple DES is a symmetric strong encryption algorithm that is compliant with the OpenPGP
standard. It is the Application of the DES standard where three keys are used in succession to
provide additional security.
AES: Advanced Encryption Standard AES offers the highest standard of security. The effective key
lengths that can be used with AES are 128, 192 and 256 Bits.
This security system supports a number of encryption algorithms.
Serpent: Serpent is a 128-bit block cipher i.e. data is encrypted and decrypted in 128-bit chunks
variable key length to be either 128, 192, or 256 bits. The Serpent algorithm uses 32 rounds, or
iterations of the main algorithm.
Serpent is faster than DES and more secure than Triple DES.
Blowfish: Blowfish is a symmetric encryption algorithm which uses the same secret key to both
encrypt and decrypt messages. Blowfish is also a block cipher which divides a message into fixed
length blocks during encryption and decryption. Blowfish has a 64-bit block size and a key length
of anywhere from 32 bits to 448 bits and uses 16 rounds of main algorithm
Twofish: Twofish is a symmetric key block cipher with a block size of 128 bits and key sizes up to
256 bits.
Preshared Key
An authentication mechanism whereby the key is used in encryption is exchanged before
hand/prior to negotiation with another system.
Preshared key authentication is the process by which two systems prove their identity to each
other where each system encrypts some unpredictable, arbitrary data with a key that has been
exchanged beforehand. If they can successfully decrypt the message, it is assumed that the
sender is valid.
A single shared key is used for encryption and decryption. The data is encrypted by a key and
send to the recipient over the Internet. At the receiving end, the data is decrypted with the exact
same key that was used for encryption.
9
Digital Certificates
Digital Certificates are yet another authentication method employing digital signatures and public
key cryptography.
A digital certificate is a document that guarantees the identity of a person or entity and is issued by
the trusted third party Certificate Authority (CA). Digital certificate holders have a public or private
key pair which can be used to authenticate the sender and decrypt the incoming message
ensuring that only the certificate holder can decode the message.
A certificate is used to associate a public/private key pair with a given IP address or host name
and issued by CA for a specific period of time. A CA can be in-house CA, run by your own
organization, or a public CA. To use certificates for negotiation, both peers have to generate
public/private key pairs, request and receive public key certificates, and are configured to trust the
CA that issues the certificates.
Users can download and install certificate from Cyberoam.
Public Key
Public key authentication uses two keys – public key available to anyone and a private key held by
only one individual. The sender encrypts the data with the recipient’s public key. Only the recipient
can decrypt the data, being the only one who possesses the corresponding private key.
Policy Parameters
Policy describes the security parameters that are used for negotiations to establish and maintain a
secure tunnel between two peers.
Before you set up your secure tunnels, to make their configuration faster and easier, you can
create VPN policies that work on a global level. Rather than configuring the policy parameters for
every tunnel you create, you can configure general policies and then later apply them to your
secure tunnels.
Authentication mode
To ensure secure communication, there are two phases to every IKE (Internet Key Exchange)
negotiation - Phase 1 (Authentication) and Phase 2 (Key exchange).
The Phase 1 negotiation establishes a secure channel between peers and determines a specific
set of cryptographic protocols, exchanges shared secret keys and encryption and authentication
algorithm that will be used for generating keys.
The Phase 2 negotiation establishes a secure channel between peers to protect data. During
Phase 2 negotiation, the protocol security association for the tunnel is established. Either of the
peers can initiate Phase 1 or Phase 2 renegotiation at any time. Both can specify intervals after
which to negotiate.
Key life
Lifetime of key is specified as Key life.
Once the connection is established after exchanging authenticated and encrypted keys,
connection is not dropped till the key life. If the key life of both the peers is not same then
negotiation will take place whenever the key life of any one peer is over. This means intruder has
to decrypt only one key to break in your system.
Key generation and key rotation are important because the longer the life of the key, the larger the
10
amount of data at risk, and the easier it becomes to intercept more ciphered text for analysis.
Perfect Forward Secrecy (PFS)

It becomes difficult for a network intruder to get the big picture if keys are changing and they have
to keep cracking keys for every negotiation. This is achieved by implementing PFS. By selecting
PFS, new key will be generated for every negotiation and a new DH key exchange is included. So
every time intruder will have to break yet another key even though he already knows the key. This
enhances security.
Diffie-Hellman (DH) Group (IKE group)

Diffie-Hellman is a public-key cryptography scheme that allows peers to establish a shared secret
over an insecure communications channel. Diffie-Hellman Key Exchange uses a complex
algorithm and public and private keys to encrypt and then decrypt the data.
The Diffie-Hellmann group describes the key length used in encryption. Group number also termed
as Identifiers.
DH Group Key length (bits)

1 768
2 1024
5 1536
14 2048
15 3072
16 4096
If mismatched groups are specified on each peer, negotiation fails. The group cannot be switched
during the negotiation.
Re-key Margin
Time before the next key exchange. Time is calculated by subtracting the time elapsed since the
last key exchange from the key life. By turning Re-keying ‘Yes’, negotiation process starts
automatically without interrupting service before key expiry.
Dead Peer detection settings

Use to check whether Cyberoam is able to connect the IP address or not. Set time interval after
which the status of peer is to be checked and what action to take, if peer is not alive.
Tunnel Negotiation
Negotiation process starts to establish the connection when local or remote peer wants to
communicate with each other. Depending on the connection parameters defined, the key is
generated which is used for negotiations. Lifetime of key is specified as Key life. Once the
connection is established, connection is alive/active and data can be transferred up to the
specified key life. Connection will be closed/deactivated once the key expires.
If the connection is to be activated again then the entire negotiation process is to be started all
over again. Negotiation process can be started again automatically by either local or remote peer
only if Allow Re-keying is set to ‘Yes’. Set the re-keying time in terms of the remaining key life
when negotiation is to be started automatically without interrupting the communication before key
expiry. For example, if key life is 8 hours and Re-key margin time is 10 minutes then negotiation
process will automatically start after 7 hours 50 minutes of key usage.
Negotiation process will generate new key only if Perfect Forward Secrecy (PFS) is set to ‘Yes’.
11
PFS will generate a new key from scratch and there will be no dependency between old and new
key.
Re-keying Result
Yes Local and remote peer both will be able to initiate request for
connection.
Depending on PFS, negotiation process will use same key or

generate a new key.
No Only remote peer will be able to initiate request for connection.
Depending on PFS, negotiation process will use same key or

generate a new key.
12
Create VPN Policy

Cyberoam provides the default policy and you can also create a customized policy to meet your
organization’s requirement.
Select VPN Æ Policy Æ Create Policy to open the create policy page
Screen – Create VPN policy
Screen Elements Description

VPN policy details
Name Assign name to policy. Choose a name that best describes the policy to
be created
Description Click to enter the full description of policy
Using Template Select a template if you want to create a new policy based on an
13

existing policy and want to inherit all the parameters from the existing
policy
Select ‘None’ template, if you want to create a fresh policy. After

creation you can always customize according to the requirement.
Following options are available only if policy is created based on ‘None’ template
Keying Method Keying method defines how the keys for the connection are to be
managed.
Select keying method: Automatic or Manual
Manual key exchange is not supported for L2TP connection

Allow Re-keying Specify whether the negotiation process is to be started automatically
before key expiry or not. Process will start automatically at the specified
time in re-key margin.
If it is set to ‘Yes’, negotiation process can be initiated by both the local

or remote peer.
Depending on PFS, negotiation process will use same key or generate a

new key.
Key Negotiations tries Specify maximum negotiation trials allowed and must be greater than 0
Authentication mode Authentication mode is used to support key exchange. Currently only
Main mode is supported.
Depending on Authentication mode, the phase 1 parameters are

exchanged for authentication purpose.
In Main mode, the phase 1 parameters are exchanged in multiple

rounds with encrypted authentication information.
Pass Data In Enable to pass data in compressed format to increase throughput
Compress Format
Perfect Forward Specify whether new key should be generated for every negotiation on
Secrecy key expiry.
Set ‘Yes’ to generate new key for every negotiation on key expiry
Set ‘No’ to use same key for every negotiation

Phase 1
Encryption and Select the encryption and authentication algorithm that would be used
Authentication by communicating parties for integrity of exchanged data fpr phase 1.
algorithm
Supported Encryption algorithms: 3DES, AES, TwoFish, BlowFish,
Serpent
3DES: Triple DES is a symmetric strong encryption algorithm that is
compliant with the OpenPGP standard. It is the application of DES
standard where three keys are used in succession to provide additional
security.
AES: Advanced Encryption Standard offers the highest standard of

security. The effective key lengths that can be used with AES are 128,
192 and 256 Bits. This security system supports a number of encryption
algorithms.
Supported Authentication algorithms: MD5, SHA1
Maximum three combination of encryption and authentication algorithm
14

can be selected. The remote peer must be configured to use at least
one of the defined combinations.
Click to add more than one combination of encryption and

authentication algorithm.
DH Group DH group specifies the key length used for encryption.
• DH Group 1 uses 768-bit encryption
Select one Diffie-Hellman group from 1, 2, 5, 14, 15 or 16
The remote peer must be configured to use the same group. If

mismatched groups are specified on each peer, negotiation fails.
Key Life Key life is the amount of time that will be allowed to pass before the key
expires.
Specify keylife in terms of seconds

Re-Key Margin Re-key margin is the time when the negotiation process should be
started automatically without interrupting the communication before the
key expiry.
Set time in terms of the remaining key life.
For example, if key life is 8 hours and re-key margin is 10 minutes then
negotiation process will automatically start after 7 hours 50 minutes
usage of key life.
Specify in terms of minutes

Randomize Re- Randomizes re-key time.
Keying Time by
For example, if key life is 8 hours, re-key margin is 10 minutes and
randomize re-keying time is 20% then the re-key margin will be 8 to 12
minutes and negotiation process will start automatically 8 minutes before
the key expiry and will try up to 2 minutes after key expiry.
Enable Dead Peer Enable to check whether peer is live or not.
Detection
Check Peer After Once the connection is established, peer which initiated the connection
Every (Only if Dead checks whether another peer is live or not.
Peer Detection
option is ‘Enabled’ ) Specify time when the peer should be checked for its status.
Wait for Response Specify till what time initiated peer should wait for the status response. If
unto (Only if Dead the response is not received within the specified time, the peer is
Peer Detection considered to be inactive.
option is ‘Enabled’ )
Specify in terms of seconds
Action when Peer is Specify what action should be taken if peer is not active.
not active (Only if
Dead Peer Detection Hold – hold the connection
option is ‘Enabled’ ) Clear – close the connection
Restart – reestablish the connection
Phase 2
15

Encryption and Select the encryption and authentication algorithm that would be used
Authentication by communicating parties for integrity of exchanged data fpr phase 2.
algorithm
Supported Encryption algorithms: DES, 3DES, AES, TwoFish,
BlowFish, Serpent
DES, 3DES: Triple DES is a symmetric strong encryption algorithm that

is compliant with the OpenPGP standard. It is the application of DES
standard where three keys are used in succession to provide additional
security.

security. The effective key lengths that can be used with AES are 128,
192 and 256 Bits. This security system supports a number of encryption
algorithms.
Maximum three combination of encryption and authentication algorithm

can be selected. The remote peer must be configured to use at least
one of the defined combinations.

PFS Group PFS group specifies the key length used for encryption.
• Group 1 uses 768-bit encryption
Select one of group from 1, 2, 5, 14, 15 or 16
If ‘Same as Phase 1’ is selected PFS group specified at connection

initiator’s end will be used
If No PFS is selected, this security parameter can not be added for

Phase 2

Key Life Key life is the amount of time that will be allowed to pass before the key
expires.

Create button Creates the policy
Click to create
Cancel button Cancels the current operation and return to Manage VPN policy page
Table – Create VPN policy screen elements
Note
Policies with the same name cannot be created
16
Update VPN Policy

Select VPN → Policy → Manage policy and Click Policy name to be modified
Screen – Manage VPN Policy

VPN policy details
Name Displays policy name
Cannot be modified
Description Displays policy description, modify if required
Keying Method Select keying method: Automatic or Manual
Allow Re-keying Displays whether re-keying is allowed or not. Modify if required.
Set ‘Yes’, if negotiation process can be initiated by both the local and
remote peer automatically before key expires
17
Depending on PFS, negotiation process will use same key or a new

key will be generated.
Key Negotiations Displays maximum negotiation trials allowed, modify if required
tries
Pass Data In Enable to pass data in compressed format to increase throughput
Compress Format
Perfect Forward Displays whether new key will be generated or not for every
Secrecy negotiation on key expiry, modify if required.
Set ‘Yes’ to generate new key for every negotiation on key expiry
Set ‘No’ to use same key for every negotiation

Phase 1
Encryption and Select the encryption and authentication algorithm that would be
Authentication used by communicating parties for integrity of exchanged data fpr
algorithm phase 1.
Supported Encryption algorithms: 3DES, AES, TwoFish,

BlowFish, Serpent
3DES: Triple DES is a symmetric strong encryption algorithm that is

compliant with the OpenPGP standard. It is the application of DES
standard where three keys are used in succession to provide
additional security.

security. The effective key lengths that can be used with AES are
128, 192 and 256 Bits. This security system supports a number of
encryption algorithms.
Maximum three combination of encryption and authentication

algorithm can be selected. The remote peer must be configured to
use at least one of the defined combinations.

DH Group DH group specifies the key length used for encryption.
Select one Diffie-Hellman group from 1, 2, 5, 14, 15 or 16

Key Life Displays key life, modify if required
Key life is the amount of time that will be allowed to pass before the
key expires and can be specified in terms of hours or minutes
Keylife cannot be less than 2 minutes and at least 1 minute greater
18

than Re-Key margin
Re-Key Margin Displays re-key margin, modify if required
Re-key margin time is the time when the negotiation process should
be started automatically without interrupting the communication
before the key expiry.
Set time in terms of the remaining key life.
For example, if key life is 8 hours and Re-key margin is 10 minutes

then negotiation process will automatically start after 7 hours 50
minutes usage of key life.
Specify in terms of minutes

Randomize Re- Randomizes re-key margin
Keying Time by
For example, if key life is 8 hours, re-key margin is 10 minutes and
randomize re-keying time is 20% then the re-key margin will be 8 to
12 minutes and negotiation process will start automatically 8 minutes
before the key expiry and will try up to 2 minutes after key expiry.
Pass Data In Displays whether data is passed in the compressed format or not,
Compress Format modify if required.
Enable Dead Peer Enable to check whether peer is live or not.
Detection
Check Peer After Displays time when the peer that initiated the connection checks for
Every(Only if Dead whether another peer is live or not. Modify if required.
Peer Detection
option is ‘Enabled’)
Wait for Response Displays response wait time, modify if required
unto(Only if Dead
Peer Detection It specifies till what time initiated peer should wait for the status
option is ‘Enabled’) response. If the response is not received within the specified time,
the peer is considered to be inactive.
Specify in terms of seconds

Action when Peer is Displays what action will be taken if peer is not active, modify if
not active(Only if required
Dead Peer
Detection option is Hold – hold the connection
‘Enabled’) Clear – close the connection
Restart – restart the connection
Phase 2
Encryption and Select the encryption and authentication algorithm that would be
Authentication used by communicating parties for integrity of exchanged data fpr
algorithm phase 2.
Supported Encryption algorithms: DES, 3DES, TwoFish,

BlowFish, Serpent
DES, 3DES: Triple DES is a symmetric strong encryption algorithm

that is compliant with the OpenPGP standard. It is the application of
DES standard where three keys are used in succession to provide
additional security.

security. The effective key lengths that can be used with AES are
19

128, 192 and 256 Bits. This security system supports a number of
encryption algorithms.
Maximum three combination of encryption and authentication

algorithm can be selected. The remote peer must be configured to
use at least one of the defined combinations.

PFS Group PFS group specifies the key length used for encryption.
Select one of group from 1, 2, 5, 14, 15 or 16
If ‘Same as Phase 1’ is selected PFS group specified at connection

initiator’s end will be used
If No PFS is selected, this security parameter can not be added for

Phase 2

Key Life Key life is the amount of time that will be allowed to pass before the
key expires.

Update button Updates the policy
Click to update and save

Cancel button Cancels the current operation and return to Manage VPN policy page
Table – Manage VPN policy screen elements
Note
Default policy cannot be updated
20
Delete VPN policy
Prerequisite
• Not assigned for any connection
Select VPN → Policy → Manage policy to view the list of policies
Screen – Delete VPN policy

Del Select policy for deletion
Click Del to select
More than one policy can also be selected

Select All Select all the policies for deletion
Click Select All to select all the policies

Delete button Deletes all the selected policy/policies
Table – Delete VPN policy screen elements
Note
Default policy cannot be deleted
21
Certificate Authority
Digital Certificates are used for authentication purpose. Certificates are generated by the third
party trusted Certificate Authorities. They create certificates by signing public keys and identify the
information of the communicating parties with their own private keys. This way it is possible to
verify that a public key really belongs to the communicating party only and not been forged by
someone with malicious intentions.
A certificate signed by a CA identifies the owner of a public key. Each communicating party may
be required to present its own certificate signed by a CA verifying the ownership of the
corresponding private key. Additionally, the communicating parties need to have a copy of the
CA’s public key. In case private key is lost or stolen or the information is changed CA is
responsible for revoking the certificate.
Cyberoam provides a facility to generate a local certificate authority as well as import certificates,
signed by commercial providers, such as VeriSign.
Generate Certificate Authority
Select VPN → Certificate Authority → Manage Certificate Authority and click

Default
22
Screen – Generate Certificate Authority

Certificate Authority Details
Certificate Authority Displays certificate authority name
Name
Country Name Select the Country for which the Certificate will be used.
Generally this would be the name of the country where Cyberoam is

installed.
State/Province Select the State/Province for which the Certificate will be used.
Name
Generally this would be the name of the state where Cyberoam is
installed.
Locality Name Specify the locality/City.
Generally this would be the name of the city where Cyberoam is

installed.
Organization Name Specify your organization name
Organizational Unit Specify department/section name which will use this certificate
Name
Common Name Specify domain name. This domain will be certified to use the
Certificate.
Email Address Specify Email address
CA Password Specify password and confirm by re-typing the password
Generate button Generates the certificate with the above specified details
Click to generate
If the certificate is already generated, it will re-generate the certificate

with the above specified details
Cancel button Cancels the current operation
Table – Generate Certificate Authority screen elements
23
Import external Certificate Authority
Select VPN → Certificate Authority → Upload Certificate Authority
Screen – Define external Certificate Authority

Certificate
Certificate Authority Specify Certificate authority name
Name
Certificate Format Cyberoam supports certificates in two formats: PEM and DER
PEM (Privacy Enhanced Mail): A format encoding the certificate in

ASCII code. The certificate, request, and private key are stored in
separate files.
DER: A binary format for encoding certificates. The certificate,

request, and private key are stored in separate files.
Certificate Specify certificate to be uploaded
Use Browse to select the complete path

Upload button Uploads the specified certificate
Table – Define external Certificate Authority screen elements
24
Upload Certificate
Select VPN → Certificate → New Certificate
Screen – Upload Certificate

Certificate
Action Select Upload Certificate
Certificate Name Specify certificate name
Password Specify password and confirm by re-typing the password
Certificate Specify certificate to be uploaded

Private key Specify private key for the certificate

Upload button Uploads the specified certificate
Table – Upload Certificate screen elements
25
Generate Self signed certificate
You can use Cyberoam to act as a certificate authority and sign its own certificates. This
eliminates the need of having your own certificate authority.
Prerequisite
• Certificate Authority generated
Screen – Generate Self Signed Certificate

Certificate
Action Select Generate Self Signed Certificate
Certificate Name Specify Certificate name
Valid upto Specify certificate validity period using Calendar
Validity period is the certificate life i.e. period up to which the

certificate will be considered as valid
Minimum validity period is one day

Key Length Select key length
Displays the number of bits used to construct the key. Generally the
larger the key, the less chance that it will be compromised but
requires more time to encrypt and decrypt data than smaller keys.
Password Specify password and confirm by re-typing
Password must be at least 10 character long

Certificate ID Specify certificate ID. You can specify any one of the following:
• DNS
• IP address
• Email address
• DER ASN1 DN/X.509 (applicable when Authentication Type is
Digital Certificate)
Generate button Generates certificate with the specified details
26
Click to generate
27
Generate Certificate Signing Request

If you are using third party CA, you have to submit the request to CA, CA will verify the details then
sign and send the signed certificate.
Cyberoam provides a way for you to generate the request.
Screen – Generate CSR

Certificate
Action Select Generate Certificate Signing Request (CSR)
Certificate Name Specify Certificate name
Valid upto Specify certificate validity period using Calendar
Validity period is the certificate life i.e. period up to which the

certificate will be considered as valid
Minimum validity period is one day

Key Length Select key length
larger the key, the less chance that it will be compromised but
requires more time to encrypt and decrypt data than smaller keys.
Password specify password and confirm by re-typing
28

Certificate ID Specify certificate ID. You can specify any one of the following:
• DNS
• IP address
• Email address
• DER ASN1 DN/X.509 (applicable when Authentication Type is
Digital Certificate)
Country Name Select the Country for which the Certificate will be used.
Generally this would be the name of the country where Cyberoam is

installed.
State/Province Select the State/Province for which the Certificate will be used.
Name
Generally this would be the name of the state where Cyberoam is
installed.
Locality Name Specify the locality/City.
Generally this would be the name of the city where Cyberoam is

installed.
Organization Name Specify your organization name
Organizational Unit Specify department/section name which will use this certificate
Name
Common Name Specify domain name. This domain will be certified to use the
Certificate.
Domain name has to be unique

Email Address Specify Email address
Generate button Generates certificate request with the details specified which you can
send to your CA for Certificate
Click to generate
Screen – Generate CSR
29
Download Certificate
Select VPN → Certificate → Manage Certificate, click the certificate to be downloaded

and follow the screen steps.
Certificate Signing Request is downloaded in zip format, unzip the file. It contains three file:
certificatename.csr, certificatename.key, password.txt
Cyberoam supports certificate in two formats: p12 and pem format. Certificate is downloaded in
tar.gz format, unzip the file winzip or winrar. It contains:
Certificatename.p12 (certificate in p12 format)
Password.txt
PEM folder which contains certificate in pem format as: certificatename.pem, certificatename.key
Screen – Download Certificate
30
Delete Certificate
Prerequisite
• Not used by any Connection
Select VPN → Certificate → Manage Certificate
Screen – Delete Certificate

Del Select certificate for deletion
Click Del to select
More than one certificate can also be selected

Select All Select all the certificates for deletion
Click Select All to select all the certificate(s)

Delete button Deletes all the selected certificate(s)
Table – Delete Certificate screen elements
Note
The deleted certificate will be revoked
31
Certificate Revocation List

CA maintains the list of valid and revoked certificates. Certificates which are stolen, lost or updated
are revoked by CA. Revocation list is the list of certificates which are revoked by CA.
Revoke certificate
Select VPN → Certificate → Manage Certificate and click the certificate to be revoked
Screen – Revoke Certificate

Certificate
Certificate Name Displays Certificate name
Valid upto Displays certificate validity period, modify if required.
Validity period is the certificate life i.e. period up to which the certificate
will be considered as valid
Key Length Displays key length, modify if required.
larger the key, the less chance that it will be compromised but requires
32

more time to encrypt and decrypt data than smaller keys.
Password Displays password
Click Change Password to modify the password

Regenerate button Regenerates the certificate
Revoke button Revoke certificate if lost, stolen or updated
Click to revoke
If the certificate is revoked it is automatically added to the Certificate

Revocation List (CRL). You can download and circulate if required.
Table – Revoke Certificate screen elements
33
Download CRL
Cyberoam creates the Default CRL the name Default.crl. Once you revoke the certificate, the
details of the revoked certificate are added to the default file and regenerated. You can download
and distribute if required.
Select VPN → Certificate Authority → Manage CRL and to view the list of CRLs.
Click Download against the CRL name to be downloaded. It downloads the zip file, unzip the file to
check the details.
Upload CRL
If you are using External Certificate Authority, you need to upload the CRL obtained from External
Certificate Authority.
Select VPN → Certificate Authority → Upload CRL

Enter CRL name and specify the full path of the file to be uploaded
Click Upload
34
35
Delete CRL
Select VPN → Certificate Authority → Manage CRL and to view the list of CRLs.
Screen – Delete CRL

Del Select CRL for deletion
Click Del to select
More than one CRLs can also be selected

Select All Select all the CRLs for deletion
Click Select All to select all the CRLs

Delete button Deletes all the selected CRLs
Table – Delete CRL screen elements
Note
The default CRL cannot be deleted
36
IPSec Connection
IP Security (IPSec) is a suite of protocols designed for cryptographically secure communication at
the IP layer (layer 3).
IPSec protocols:
• Authentication Header (AH) - Used for the authentication of packet senders and for ensuring
the integrity of packet data. The Authentication Header protocol (AH) checks the authenticity
and integrity of packet data. In addition, it checks that the sender and receiver IP addresses
have not been changed in transmission. Packets are authenticated using a checksum created
using a Hash-based Message Authentication Code (HMAC) in connection with a key.
• Encapsulating Security Payload (ESP) - Used for encrypting the entire packet and for the
authenticating its contents. In addition to encryption, the ESP offers the ability to authenticate
senders and verify packet contents.
IPSec modes:
• Transport Mode - the original IP packet is not encapsulated in another packet. The original IP
header is retained, and the rest of the packet is sent either in clear text (AH) or encrypted
(ESP). Either the complete packet can be authenticated with AH, or the payload can be
encrypted and authenticated using ESP. In both cases, the original header is sent over the
WAN in clear text.
Use Transport mode where both endpoints understand IPSEC directly. Transport mode is
used between peers supporting IPSec, or between a host and a gateway, if the gateway is
being treated as a host.
• Tunnel Mode - the complete packet – header and payload – is encapsulated in a new IP
packet. An IP header is added to the IP packet, with the destination address set to the
receiving tunnel endpoint. The IP addresses of the encapsulated packets remain unchanged.
The original packet is then authenticated with AH or encrypted and authenticated using ESP.
Tunnel mode is primarily used for interoperability with gateways or end systems that do not
support L2TP/IPSec or PPTP VPN site-to-site connections.
IPSec connections types (for Tunnel mode only):

• Road Warrior - This type of VPN is a user-to-internal network connection via a public or
shared network. Many large companies have employees that need to connect to the Internal
network from the field. These field agents access the Internal network by using remote
computers and laptops without static IP address.
• Net to Net - A Net-to-Net VPN connects an entire network (such as a LAN or WAN) to a
remote network by way of a network-to-network connection. A network-to-network connection
requires routers on each side of the connecting networks to transparently process and route
information from one node on a LAN to a node on a remote LAN.
• Host to Host - Host-to-Host VPN connects one desktop or workstation to another by way of a
host-to-host connection. This type of connection uses the network to which each host is
connected to create the secure tunnel to each other.
Note
Alias IP address cannot be used for establishing Connection
37
Create Transport mode IPSec Connection

In transport mode only host-to-host connection is supported.
Select VPN → IPSec Connection → Create Connection
Screen - Create Transport mode IPSec Connection

Connection details
Name Assign name to connection. Choose a name that best describes the
connection to be created
Description Specify full description of connection
38

Policy Name Select policy to be used for connection
Action on Restart Select the action for the connection
Deactive – Keep connection deactive mode till the user activates.

Active – Activate connection on system/service start so that the
connection can be established whenever required
Connect – Connect as soon as the system/service starts
Mode Select Transport mode
Refer to IPSec modes for details

Authentication details
Authentication Type Specify Authentication type. Authentication of user depends on the
connection type.
Select Preshared key

An authentication mechanism whereby a single key is used for
encryption and decryption. Both the peers should possess the
preshared key. Remote peer uses the preshared key for decryption.
Select Digital Certificate

An authentication mechanism whereby sender and receiver both
uses the digital certificate issued by the Certificate Authority. Both
sender and receiver must have each other’s Certificate Authority.
Select RSA key

An Authentication mechanism whereby two keys - Public and Private
- are used for encryption and decryption. Private key is known only to
the owner and never transmitted over network.
Preshared key Specify the preshared key to be used. This preshared key will have
Only if to be shared or communicated to the peer at the remote end. At the
Authentication remote end, client will have to specify this key for authentication.
Type is ‘Preshared Refer to VPN Client guide, Phase 1 Configuration.
key’
If there is mismatch in the key, user will not be able to establish the
connection.
Local Certificate Select the local certificate that should be used for authentication by
Only if Cyberoam
Authentication
Type is ‘Digital
Certificate’
Remote Certificate Select the remote certificate that should be used for authentication by
Only if remote peer
Authentication
Type is ‘Digital
Certificate’
Local RSA Key Displays automatically generated key which cannot be modified.
Only if
Authentication Local Public key can be regenerated from Text based Administration
Type is ‘RSA Key’ (Telnet) Console. Refer to Console guide for more details.
Remote RSA Key Specify the public key which is to be used by the remote peer.
Only if
Authentication
Type is ‘RSA Key’
Local Network Details
Local server Specify public IP address of local server
39

Click to select
Local ID Displays ID and its value specified in the Local certificate
For preshared key, select local id and specify it’s value
For preshared key, DER ASN1 DN is not applicable

Remote Network
Remote Host Specify IP address of remote peer
Allow NAT Enable if a NAT device is located between your VPN endpoints i.e.
Traversal remote peer has an private IP address
Remote Internal Specify IP addresses and netmask of remote network which is
Network allowed to connect to the Cyberoam server through VPN tunnel
Only if NAT
Traversal is At a time only one connection can be established behind one NAT-
enabled box
Click Add to add network

Remote ID Displays ID if remote certificate is selected else specify ID specified
in the certificate used by peer
For preshared key, select any type of id and specify it’s value

User Authentication
User Authentication Specify whether user authentication is required at the time of
connection or not
Click Disable if user authentication is not required

If enabled as client, specify username and password
If enabled as server, Click Add to select and add all the users which
are to be allowed to connect
Quick Mode Selectors
Allow Protocols Select the protocol for negotiations.
Tunnel will pass only that data which uses the above specified
protocol
Local port Specify local port
Only for TCP
protocol
Remote port Specify remote port
Only for TCP
protocol
Create button Creates the connection
Click to create
Table - Create Transport mode IPSec Connection screen elements
40
Create Road Warrior IPSec connection
Screen – Create Road Warrior IPSec Connection

Connection details
41


Mode Select Tunnel mode

Connection Type Specify connection type. Authentication of user depends on the
connection type.
Select ‘Road warrior’
Refer to Connection types for details

connection type.
Preshared key
Digital Certificate
key’
connection.
Only if Cyberoam
Authentication
Type is ‘Digital
Certificate’
Only if remote peer
Authentication
Type is ‘Digital
Certificate’
Local Server Specify IP address of local server
Click to select
Local Internal Specify IP address and netmask of the local network which is allowed
Network to access remote peer through VPN connection
42

Remote Network
Only if NAT
Traversal is At a time only one connection can be established behind one NAT-
enabled box

Specify 0.0.0.0/0 to allow all the networks
Remote ID Specify ID specified in the Remote certificate

User Authentication
connection or not

Allow Protocols Select the protocol for negotiations
protocol
Only for TCP
protocol
Only for TCP
protocol
Click to create
Table – Create Road Warrior IPSec Connection screen elements
43
Create Net to Net IPSec connection
Screen - Create Net to Net IPSec connection

Connection details
44



connection type.
Select ‘Net to Net’

connection type.


Select RSA key

An Authentication mechanism whereby two keys - Public and Private
- are used for encryption and decryption. Private key is known only to
the owner and never transmitted over network.
key’
connection.
Only if Cyberoam
Authentication
Type is ‘Digital
Certificate’
Only if remote peer.
Authentication
Type is ‘Digital Select ‘External Certificate’, if the remote certificate is not available
Certificate’
Only if
45

Only if
Authentication
Local Server Specify IP address of local server
Click to select
Local Internal Specify IP address and netmask of the local network which is allowed
Network to access to remote network through VPN connection

Remote Network
At a time only one connection can be established behind one NAT-

box

Remote ID Displays ID if remote certificate is selected else specify ID specified
in the certificate used by peer

User Authentication
connection or not

protocol.
Only for TCP
protocol
Only for TCP
protocol
Click to create
46
Table - Create Net to Net IPSec connection screen elements
Create Host to Host IPSec connection
Screen - Create Host to Host IPSec connection

Connection details
47



connection type.
Select ‘Host to Host’

connection type.


An authentication mechanism whereby sender and receiver both uses
the digital certificate issued by the Certificate Authority. Both sender
and receiver must have each other’s Certificate Authority.
Select RSA key

An Authentication mechanism whereby two keys - Public and Private -
are used for encryption and decryption. Private key is known only to the
owner and never transmitted over network.
Preshared key Specify the preshared key to be used. This preshared key will have to
Only if be shared or communicated to the peer at the remote end. At the
Authentication remote end, client will have to specify this key for authentication. Refer
Type is ‘Preshared to VPN Client guide, Phase 1 Configuration.
key’
connection.
Only if Cyberoam
Authentication
Type is ‘Digital
Certificate’
Only if remote peer
Authentication
Type is ‘Digital Select ‘External Certificate’, if the remote certificate is not available
Certificate’
Only if
48

Only if
Authentication
Local Server Specify public IP address of local server
Click to select

Remote Network
Remote Internal Specify IP addresses and netmask of remote network which is allowed
Network to connect to the Cyberoam server through VPN tunnel
Only if NAT
Traversal is At a time only one connection can be established behind one NAT-box
enabled
Remote ID Displays ID if remote certificate is selected else specify ID specified in
the certificate used by peer

User Authentication
connection or not

Tunnel will pass only that data which uses the above specified protocol
Only for TCP
protocol
Only for TCP
protocol
Click to create
Table - Create Host to Host IPSec connection screen elements
49
50
Manage IPSec Connection
Use to
• Activate, Deactivate, Initiate and disconnect connection
• Export Connection Configuration file
• Update connection details
• Delete connection
Activate/Deactivate Connection
1. Select VPN → IPSec Connection → Manage IPSec Connection to display the list
of connections
2. Under Connection status, Active column
Click to deactivate the connection
Click to activate the connection
Once disconnected, Road Warrior connection can be re-established from the remote peer
only after activating connection from the local server.
3. Under Connection status, Connection column
Click to initiate connection.
Click to disconnect connection. When you disconnect, connection will be deactivated and
to re-establish connection the connection, activate connection.
Note
If connection is created using manual keying policy, both the peers need to initiate the connection
Local peer cannot initiate the connection if remote peer is using dynamic IP address
Local peer cannot initiate the connection if Authentication mode is ‘Enable as Server’
Only one connection can be active at a time if two connections with different authentication types
(preshared key authentication and digital certification) are created for the same destination.
All similar connections should have same authentication mode
Screen – Activate/Deactivate Connection
51
Export Connection configuration file (only for Road warrior connection)
Select VPN Æ IPSec Connection Æ Manage IPSec Connection to view the list of
connections and click ‘Export’ against the Connection Name whose configuration is to be exported.
Configuration file will be created in .tbg format which can directly be imported in Cyberoam VPN
Client.
Delete Connection
Select VPN → IPSec Connection → Manage IPSec Connection to display list of

connections
Screen – Delete IPSec Connection

Del Select connection for deletion
Click Del to select
More than one connection can also be selected

Select All Select all the connections for deletion
Click Select All to select all the connections(s)

Delete button Deletes all the selected connection(s)
Table – Delete IPSec Connection screen elements
52
L2TP Connection
L2TP configuration
You can use Layer 2 Tunneling Protocol (L2TP) to create VPN tunnel over public networks such
as the Internet. For authentication, currently Cyberoam supports only Password Authentication
Protocol (PAP) algorithm.
Select VPN → L2TP Configuration
Screen – L2TP Configuration

L2TP Configuration
Local IP Address Displays IP address that will be assigned to L2TP server
Assign IP from Specify IP address range if L2TP server has to lease the IP address
Client Information
DNS server Specify IP address of your DNS server and alternate DNS server
WINS server Specify IP address of your WINS server and alternate WINS server
Save Saves the details
Click to save
Add Users button Click to add L2TP user. Displays list of users which are migrated or
created in Cyberoam.
Click Select against the Names that are to be allowed L2TP access
i.e. only the selected users will be allowed L2TP connection
Click Select All to allow L2TP access to all the users.
53
Click Add
Add Groups button Click to add L2TP user group. Displays list of user groups created in
Cyberoam.
Click Select against the Group Names that are to be allowed L2TP
access i.e. only the selected user groups will be allowed L2TP
connection
Click Select All to allow L2TP access to all the user groups.
Click Add. All the users in the selected groups will be allowd L2TP
access
Delete Users & To delete user/groups:
Groups button Click Del against the names to deleted
Click Delete Users & Groups button
Table – L2TP Configuration screen elements
54
Create L2TP connection
Select VPN → L2TP Connection → Create Connection to open the create page
Screen – Create L2TP Connection
55

Connection details

Local Server Specify public IP address of local VPN server/peer
Click to select
Gateway of Local Select Gateway of the local VPN server
VPN server
Local ID Specify local ID
You can specify any one of the following:
• DNS
• IP address
• Email address
• DER ASN1 DN/X.509 (applicable only if Authentication Type
is Digital Certificate)
Remote Network
Remote ID Specify remote ID. You can specify any one of the following:
• DNS
• IP address
• Email address
connection type.
Preshared key
Digital Certificate
key’
connection.
Local Certificate Displays the local certificate which will be used for authentication
56

Only if
Authentication
Type is ‘Digital
Certificate’
Click to create
Table – Create L2TP Connection screen elements
Note
L2TP and IPSec connection name cannot be same
You may receive ‘Connection name already exists’ message while creating connection, if the name with
which you are creating the connection is already used for either L2TP or IPSec connection
Manage L2TP connection
Select VPN → L2TP Connection → Manage Connection to view the list of connections
Screen – Manage L2TP Connection
57
Screen – Update L2TP Connection

Connection details
Name Displays Connection name
Description Displays description, modify if required
Policy Name Displays policy that will be used for connection
Action on Restart Displays the action

Local Server Displays public IP address of local VPN server/peer
Click to select
Gateway of Local Displays Gateway of the local VPN server
58

VPN server
Local ID Displays local ID, modify if required
You can specify any one of the following:
• DNS
• IP address
• Email address
Remote Network
Remote Host Displays IP address of remote peer
Remote ID Displays remote ID, modify if required. You can specify any one of
the following:
• DNS
• IP address
• Email address
connection type.
Preshared key
Digital Certificate
key’
connection.
Local Certificate Displays the local certificate which will be used for authentication
Only if
Authentication
Type is ‘Digital
Certificate’
Local port Displays local port, modify if required
Remote port Displays remote port, modify if required
Update button Saves the modified details
Click to update
Table – Update L2TP Connection screen elements
59
Delete L2TP connection
Select VPN → L2TP Connection → Manage Connection to view the list of connections
Screen – Delete L2TP connection

Del Select connection for deletion
Click Del to select
More than one connection can also be selected

Select All Select all the connections for deletion
Click Select All to select all the connections(s)

Delete button Deletes all the selected connection(s)
Table – Delete L2TP connection screen elements
60
PPTP Connection
Cyberoam support PPTP to tunnel PPP traffic between two VPN peers. Windows or Linux PPTP
clients can establish a PPTP tunnel with a Cyberoam Appliance that has been configured to act as
a PPTP server.
PPTP Configuration
Use to:
• Configure PPTP
• Add and delete PPTP User
• Add and delete PPTP User Groups
Select VPN → PPTP Configuration
Screen – PPTP Configuration

PPTP Configuration
Local IP Address Displays LAN IP address that will be used for PPTP server
Assign IP from PPTP server will lease IP address to the PPTP client from the
specified IP address range. The PPTP client uses the assigned IP
address as its source address for the duration of the connection.
Do not specify the same IP address range in L2TP configuration and

PPTP configuration
Client Information
DNS server Specify IP address of your DNS server and alternate DNS server to
be used at the client end
WINS server Specify IP address of your WINS server and alternate WINS server
61

to be used at the client end
Save Saves the details
Click to save
Add Users button Click to add PPTP user. Displays list of users which are migrated or
created in Cyberoam.
Click Select against the Names that are to be allowed PPTP access
i.e. only the selected users will be allowed PPTP connection
Click Select All to allow PPTP access to all the users.
Click Add
Add Groups button Click to add PPTP user group. Displays list of user groups created in
Cyberoam.
Click Select against the Group Names that are to be allowed PPTP
access i.e. only the selected user groups will be allowed PPTP
connection
Click Select All to allow PPTP access to all the user groups.
Click Add. All the users in the selected groups will be allowd PPTP
access
Delete Users & To delete user/groups:
Groups button Click Del against the names to deleted
Click Delete Users & Groups button
Table – PPTP Configuration Screen elements
62

Cyberoam VPN Management Guide PDF

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Cyberoam VPN Management Guide PDF

Hochgeladen von

Copyright:

Verfügbare Formate

VPN Management

Document version 9410-1.0-06/01/2007

Guide Sets ..........................................................................................................................5

Certificate Authority ............................................................................................................22

Certificate Revocation List ..................................................................................................32

L2TP Connection .................................................................................................................53

Delete L2TP connection ..............................................................................................60

PPTP Connection .................................................................................................................61

Visit www.cyberoam.com for the regional and latest contact information.

Material in this manual is presented in text, screen displays, or command-line notation.

Item Convention Example

Topic titles Shaded font

Subtitles Bold & Black

Navigation link Bold typeface Group Management → Groups → Create

Notes & points Bold typeface Note

Cyberoam and VPN

The two endpoints in Cyberoam VPN are referred to as:

Cyberoam supports following protocols to authenticate and encrypt traffic:

Users can download and install certificate from Cyberoam.

Perfect Forward Secrecy (PFS)

Diffie-Hellman (DH) Group (IKE group)

DH Group Key length (bits)

Dead Peer detection settings

Depending on PFS, negotiation process will use same key or

Depending on PFS, negotiation process will use same key or

Create VPN Policy

Screen – Create VPN policy

Screen Elements Description

Screen Elements Description

Select ‘None’ template, if you want to create a fresh policy. After

Select keying method: Automatic or Manual

Manual key exchange is not supported for L2TP connection

If it is set to ‘Yes’, negotiation process can be initiated by both the local

Depending on PFS, negotiation process will use same key or generate a

Depending on Authentication mode, the phase 1 parameters are

In Main mode, the phase 1 parameters are exchanged in multiple

Set ‘No’ to use same key for every negotiation

AES: Advanced Encryption Standard offers the highest standard of

Supported Authentication algorithms: MD5, SHA1

Maximum three combination of encryption and authentication algorithm

Screen Elements Description

Click to add more than one combination of encryption and

Select one Diffie-Hellman group from 1, 2, 5, 14, 15 or 16

The remote peer must be configured to use the same group. If

Specify keylife in terms of seconds

Set time in terms of the remaining key life.

Specify in terms of minutes

Screen Elements Description

DES, 3DES: Triple DES is a symmetric strong encryption algorithm that

AES: Advanced Encryption Standard offers the highest standard of

Supported Authentication algorithms: MD5, SHA1

Maximum three combination of encryption and authentication algorithm

Click to add more than one combination of encryption and

Select one of group from 1, 2, 5, 14, 15 or 16

If ‘Same as Phase 1’ is selected PFS group specified at connection

If No PFS is selected, this security parameter can not be added for

The remote peer must be configured to use the same group. If

Specify keylife in terms of seconds

Update VPN Policy

Screen – Manage VPN Policy

Screen Elements Description

Screen Elements Description

Depending on PFS, negotiation process will use same key or a new