How To Establish Site-to-Site IPSec VPN Connection using Preshared key
Applicable Version: 10.00 onwards
Overview
IPSec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite. It is
used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways
(network-to-network), or between a security gateway and a host (network-to-host).
Cyberoam's IPSec VPN offers site-to-site VPN with cost-effective site-to-site remote connectivity,
eliminating the need for expensive private remote access networks like leased lines, Asynchronous
Transfer Mode (ATM) and Frame Relay. This article describes a detailed configuration example that
demonstrates how to set up a site-to-site IPSec VPN connection between the two networks using a
preshared key to authenticate VPN peers.
Scenario
Configure a site-to-site IPSec VPN connection between Site A and Site B by following the steps given
below. In this article, we have used the following parameters to create the VPN connection.
Network Parameters
| Network | Parameter | Value |
|---|---|---|
| Local Network details | Local Server (WAN IP address) | 14.15.16.17 |
| | Local LAN address | 10.5.6.0/24 |
| Remote Network details | Remote VPN server (WAN IP address) | 22.23.24.25 |
| | Remote LAN Network | 172.23.9.0/24 |
Site A Configuration
The configuration is to be done from Site A's Cyberoam Web Admin Console using a profile having
read-write administrative rights for relevant feature(s).
Step 1: Create IPSec Connection
To create a new IPSec connection, go to VPN > IPSec > Connection and click Add. Create the
connection using the following parameters.
Parameter Description
| Parameter | Value | Description |
|---|---|---|
| Name | SiteA_to_SiteB | Name to identify the IPSec Connection |
| Connection Type | Site to Site | Select Type of connection. Available Options: Remote Access, Site to Site, Host to Host |
| Policy | DefaultHeadOffice | Select policy to be used for connection |
| Action on VPN Restart | Respond Only | Select the action for the connection. Available options: Respond Only, Initiate, Disable |
| Authentication details | | |
| Authentication Type | Preshared Key | Select Authentication Type. Authentication of user depends on the connection type. |
| Preshared Key | 123456789 | Preshared key should be the same as that configured in remote site. |
| Endpoints Details | | |
| Local | PortB-14.15.16.17 | Select local port which acts as end-point to the tunnel |
| Remote | 22.23.24.25 | Specify IP address of the remote endpoint. |
| Local Network Details | | |
| Local Subnet | 10.5.6.0/24 | Select Local LAN Address. Add and Remove LAN Address using Add Button and Remove Button |
| Remote Network Details | | |
| Remote LAN Network | 172.23.9.0/24 | Select Remote LAN Address. Add and Remove LAN Address using Add Button and Remove Button |
Click OK to create IPSec connection.
Step 2: Activate Connection
On clicking OK, the following screen is displayed showing the connection created above.
Click under Status (Active) to activate the connection.
Site B Configuration
The configuration is to be done from Site B's Cyberoam Web Admin Console using a profile having
read-write administrative rights for relevant feature(s).
Step 1: Create IPSec Connection
To create a new IPSec connection, go to VPN > IPSec > Connection and click Add. Create the
connection using the following parameters.
Parameter Description
| Parameter | Value | Description |
|---|---|---|
| Name | SiteB_to_SiteA | Name to identify the IPSec Connection |
| Connection Type | Site to Site | Select Type of connection. Available Options: Remote Access, Site to Site, Host to Host |
| Policy | DefaultBranchOffice | Select policy to be used for connection |
| Action on VPN Restart | Initiate | Select the action for the connection. Available options: Respond Only, Initiate, Disable |
| Authentication details | | |
| Authentication Type | Preshared Key | Select Authentication Type. Authentication of user depends on the connection type. |
| Preshared Key | 123456789 | Preshared key should be the same as that configured in remote site. |
| Endpoints Details | | |
| Local | PortB-22.23.24.25 | Select local port which acts as end-point to the tunnel |
| Remote | 14.15.16.17 | Specify IP address of the remote endpoint. |
| Local Network Details | | |
| Local Subnet | 172.23.9.0/24 | Select Local LAN Address. Add and Remove LAN Address using Add Button and Remove Button |
| Remote Network Details | | |
| Remote LAN Network | 10.5.6.0/24 | Select Remote LAN Address. Add and Remove LAN Address using Add Button and Remove Button |
Step 2: Activate and Establish Connection
On clicking OK, the following screen is displayed showing the connection created above.
Click under Status (Active) and Status (Connection).
The above configuration establishes an IPSec connection between two (2) sites.
Note:
- Make sure that Firewall Rules that allow LAN to VPN and VPN to LAN traffic are configured.
- In a Head Office and Branch Office setup, usually the Branch Office acts as the tunnel initiator and the Head
  Office acts as a responder, for the following reasons:
  - Since Branch Office or other Remote Sites have dynamic IPs, the Head Office is not able to initiate the
    connection.
  - As there can be many Branch Offices, to reduce the load on the Head Office it is good practice that the
    Branch Offices retry the connection instead of the Head Office retrying all the branch office
    connections.
Document Version: 2.1 22 February, 2014