
How To Establish Net-to-Net VPN Connection using Certificate

Applicable to Version: 9.4.0 build 2 onwards


This article describes a detailed configuration example that demonstrates how to set up a net-to-net IPSec VPN connection between two networks, using digital certificates to authenticate the VPN peers.
The following sections are included:
Case I: Peers using different CAs
Case II: Peers using the same CA
Throughout the article we will use the default VPN policy provided by Cyberoam and the network parameters shown in the diagram below. We will establish the VPN connection from the AHMD branch to the DLH branch; therefore:
For the AHMD branch:
Cyberoam1 is the Local server.
Cyberoam2 is the Remote server.
For the DLH branch:
Cyberoam2 is the Local server.
Cyberoam1 is the Remote server.

Information to be gathered before configuration


Before configuring the IPSec connection, gather the following information about the Remote server:
1. CA
2. Connection details - Encryption algorithm, Authentication Algorithm and DH/PFS Group
3. Server IP addresses
4. Internal Network Subnet
5. Certificate ID

How To Net-to-Net IPSec Connection using Certificate

Case I: Peers are using different CAs, i.e. Cyberoam1 and Cyberoam2 are using different CAs
Configuration Table
Please note: the Phase 1 and Phase 2 parameters (Encryption algorithm, Authentication Algorithm and DH/PFS Group) must be the same on both peers, the Cyberoam1 and Cyberoam2 VPN servers.

Configuration Parameters: Cyberoam1
  Certificate Authority (CA): Unzip and upload the CA used by Cyberoam2
  IPSec Connection (Net-to-Net)
    Local Network details
      Cyberoam1 WAN IP address: 182.7.7.254
      Local Internal Network: 192.168.1.0/24
      Local ID: john@elitecore.com
      Local certificate: AHMD_cert
    Remote Network details
      Remote VPN server IP address: 125.16.7.254
      Remote Internal Network: 192.168.2.0/24
      Remote ID: dean@elitecore.com

Configuration Parameters: Cyberoam2
  Certificate Authority (CA): Unzip and upload the CA used by Cyberoam1
  IPSec Connection (Net-to-Net)
    Local Network details
      Cyberoam2 WAN IP address: 125.16.7.254
      Local Internal Network: 192.168.2.0/24
      Local ID: dean@elitecore.com
      Local certificate: DLH_cert
    Remote Network details
      Remote VPN server IP address: 182.7.7.254
      Remote Internal Network: 192.168.1.0/24
      Remote ID: john@elitecore.com

Step-by-Step Configuration of Cyberoam1 server


Step 1. Generate CA
Go to VPN > Certificate Authority > Manage Certificate Authority and click Default certificate authority. If you are generating the CA for the first time, enter the complete details as required; otherwise modify the details if required.
Click Generate/Re-generate.
Step 2. Download the CA generated in step 1 and forward it to the Remote user
Go to VPN > Certificate Authority > Manage Certificate Authority.
Click Default certificate authority.
Click Download. The CA is downloaded in tar.gz format; it can be extracted with WinZip or WinRAR.
This CA is to be uploaded on the Cyberoam2 server.
Step 3. Obtain and upload the Remote Certificate Authority, i.e. the CA of Cyberoam2
Unzip the CA received from the Remote user to extract two files: default.pem and default.der.
Go to VPN > Certificate Authority > Upload Certificate Authority.


Step 4. Generate Local Certificate
Go to VPN > Certificate > New Certificate and click Self Signed Certificate to create a certificate. Create the certificate with the following values:
Certificate name: AHMD_cert
Valid up to: As required
Key length: As required
Password: As required
Certificate ID: john@elitecore.com
Step 5. Create IPSec connection
Go to VPN > IPSec Connection > Create Connection and create a connection with the following values:
Connection name: n2n_AHMD
Policy: Default Policy
Action on restart: As required
Mode: Tunnel
Connection Type: Net to Net
Authentication Type: Digital Certificate
Local Certificate: Select the certificate created in step 4, i.e. AHMD_cert
Remote Certificate: Select External Certificate. Alternatively, if the certificate DLH_cert used by Cyberoam2 is available on Cyberoam1, you can select that certificate.
Local server IP address (WAN IP address): 182.7.7.254
Local Internal Network: 192.168.1.0/24
Local ID: Automatically displays the ID specified in the Local certificate created in step 4, i.e. john@elitecore.com
Remote server IP address (WAN IP address): 125.16.7.254
Remote Internal Network: 192.168.2.0/24
Remote ID: dean@elitecore.com (the Certificate ID of the certificate used by Cyberoam2)
User Authentication Mode: As required
Protocol: As required
Step 6. Activate Connection
Go to VPN > IPSec Connection > Manage Connection and click the activate icon against the n2n_AHMD connection.
The status icon under Connection status indicates that the connection is successfully activated.
Note
Only one connection can be active at a time if both connection types, Digital Certificate and Preshared Key, have been created with the same source and destination. In that situation, activation fails with the error "unable to activate connection", and you need to deactivate all other connections first.


Step-by-Step Configuration of Cyberoam2 Server


Step 1. Generate CA
Go to VPN > Certificate Authority > Manage Certificate Authority and click Default certificate authority. If you are generating the CA for the first time, enter the complete details as required; otherwise modify the details if required.
Click Generate/Re-generate.
Step 2. Download the CA generated in step 1 and forward it to the Remote user
Go to VPN > Certificate Authority > Manage Certificate Authority.
Click Default certificate authority.
Click Download. The CA is downloaded in tar.gz format; it can be extracted with WinZip or WinRAR.
This CA is to be uploaded on the Cyberoam1 server.
Step 3. Obtain and upload the Remote Certificate Authority, i.e. the CA of Cyberoam1
Unzip the CA received from the Remote user to extract two files: default.pem and default.der.
Go to VPN > Certificate Authority > Upload Certificate Authority.
Step 4. Generate Local Certificate
Go to VPN > Certificate > New Certificate and click Self Signed Certificate to create a certificate. Create the certificate with the following values:
Certificate name: DLH_cert
Valid up to: As required
Key length: As required
Password: As required
Certificate ID: dean@elitecore.com
Step 5. Create IPSec connection
Go to VPN > IPSec Connection > Create Connection and create a connection with the following values:
Connection name: n2n_DLH
Policy: Default Policy
Action on restart: As required
Mode: Tunnel
Connection Type: Net to Net
Authentication Type: Digital Certificate
Local Certificate: Select the certificate created in step 4, i.e. DLH_cert
Remote Certificate: Select External Certificate. Alternatively, if the certificate AHMD_cert used by Cyberoam1 is available on Cyberoam2, you can select that certificate.
Local server IP address (WAN IP address): 125.16.7.254
Local Internal Network: 192.168.2.0/24
Local ID: Automatically displays the ID specified in the Local certificate created in step 4, i.e. dean@elitecore.com
Remote server IP address (WAN IP address): 182.7.7.254
Remote Internal Network: 192.168.1.0/24
Remote ID: john@elitecore.com (the Certificate ID of the certificate used by Cyberoam1)
User Authentication Mode: As required
Protocol: As required
Step 6. Activate Connection
Go to VPN > IPSec Connection > Manage Connection and click the activate icon against the n2n_DLH connection.
The status icon under Connection status indicates that the connection is successfully activated.
Note
Only one connection can be active at a time if both connection types, Digital Certificate and Preshared Key, have been created with the same source and destination. In that situation, activation fails with the error "unable to activate connection", and you need to deactivate all other connections first.

Establish Connection
You can establish the connection once both servers are configured. The connection can be established from either of the servers.
Go to VPN > IPSec Connection > Manage Connection and click the connect icon against the connection.
The status icon under Connection status indicates that the connection is successfully established.
If you are not able to establish the connection, check the VPN log from the Telnet Console. Refer to the VPN Logs and Troubleshooting Guide for log explanations and error solutions.


Case II: Peers are using the same CA, i.e. Cyberoam1 acts as CA
Configuration Table
Please note: the Phase 1 and Phase 2 parameters (Encryption algorithm, Authentication Algorithm and DH/PFS Group) must be the same on both peers, the Cyberoam1 and Cyberoam2 VPN servers.

Configuration Parameters: Cyberoam1
  Certificate Authority (CA): Generated on Cyberoam1 (Cyberoam1 acts as the CA)
  IPSec Connection (Net-to-Net)
    Local Network details
      Cyberoam1 WAN IP address: 182.7.7.254
      Local Internal Network: 192.168.1.0/24
      Local ID: john@elitecore.com
      Local certificate: AHMD_cert
    Remote Network details
      Remote VPN server IP address: 125.16.7.254
      Remote Internal Network: 192.168.2.0/24
      Remote ID: dean@elitecore.com

Configuration Parameters: Cyberoam2
  Certificate Authority (CA): Unzip and upload the CA used by Cyberoam1
  IPSec Connection (Net-to-Net)
    Local Network details
      Cyberoam2 WAN IP address: 125.16.7.254
      Local Internal Network: 192.168.2.0/24
      Local ID: dean@elitecore.com
      Local certificate: DLH_cert
    Remote Network details
      Remote VPN server IP address: 182.7.7.254
      Remote Internal Network: 192.168.1.0/24
      Remote ID: john@elitecore.com

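The configuration tables for Case I and Case II above are mirror images of each other: each peer's Local details must equal the other peer's Remote details, the Phase 1/Phase 2 parameters must match, and the activation note in the step-by-step sections says a second connection with the same source and destination blocks activation. These are exactly the things that go wrong when two administrators fill in the two sides by hand, so they are worth checking before anyone clicks Activate. The script below is an added example, not Cyberoam code or a Cyberoam API: it models each peer as a small record holding the values from the tables, reports every mismatch between the two sides, rejects overlapping internal networks, and lists the already active connections that would have to be deactivated first. The algorithm names in DEFAULT_POLICY are assumed placeholders for the Default Policy, which the article does not spell out, and the connection name n2n_AHMD_psk in the demo is constructed; all class and function names are this example's own.

```python
"""Consistency checks for a pair of net-to-net IPSec peers.

Added example, not Cyberoam code. It models the configuration table
(each peer's Local and Remote details) and checks what the article
requires by hand before the connection is activated.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """Phase 1 / Phase 2 parameters; must be identical on both peers."""
    encryption: str
    authentication: str
    dh_pfs_group: int


@dataclass(frozen=True)
class PeerConfig:
    """One column of the configuration table."""
    name: str
    wan_ip: str          # Local server IP address (WAN IP address)
    internal_net: str    # Local Internal Network
    local_id: str        # Local ID (Certificate ID of the local certificate)
    remote_wan_ip: str   # Remote server IP address
    remote_net: str      # Remote Internal Network
    remote_id: str       # Remote ID (Certificate ID of the peer's certificate)
    policy: Policy


# Assumed placeholder values for the "Default Policy"; the article does not list them.
DEFAULT_POLICY = Policy(encryption="3DES", authentication="MD5", dh_pfs_group=2)

# Values taken from the configuration table.
CYBEROAM1 = PeerConfig("Cyberoam1", "182.7.7.254", "192.168.1.0/24", "john@elitecore.com",
                       "125.16.7.254", "192.168.2.0/24", "dean@elitecore.com", DEFAULT_POLICY)
CYBEROAM2 = PeerConfig("Cyberoam2", "125.16.7.254", "192.168.2.0/24", "dean@elitecore.com",
                       "182.7.7.254", "192.168.1.0/24", "john@elitecore.com", DEFAULT_POLICY)


def _mirror_problems(local: PeerConfig, remote: PeerConfig) -> list:
    """local's Local details must equal remote's Remote details."""
    pairs = [
        ("WAN IP address", local.wan_ip, remote.remote_wan_ip),
        ("internal network", local.internal_net, remote.remote_net),
        ("ID", local.local_id, remote.remote_id),
    ]
    return [f"{local.name} local {label} '{a}' != {remote.name} remote {label} '{b}'"
            for label, a, b in pairs if a != b]


def check_pair(a: PeerConfig, b: PeerConfig) -> list:
    """Return a list of problems; an empty list means the two peers are consistent."""
    problems = []
    if a.policy != b.policy:
        problems.append(f"Phase 1/2 parameters differ: {a.policy} vs {b.policy}")
    problems += _mirror_problems(a, b) + _mirror_problems(b, a)
    # A net-to-net tunnel needs two distinct subnets; strict=True rejects host bits set.
    net_a = ipaddress.ip_network(a.internal_net, strict=True)
    net_b = ipaddress.ip_network(b.internal_net, strict=True)
    if net_a.overlaps(net_b):
        problems.append(f"internal networks {net_a} and {net_b} overlap")
    return problems


@dataclass(frozen=True)
class Connection:
    """An entry under VPN > IPSec Connection > Manage Connection."""
    name: str
    auth_type: str       # "Digital Certificate" or "Preshared Key"
    local_net: str
    remote_net: str
    active: bool


def activation_conflicts(candidate: Connection, existing: list) -> list:
    """Names of other active connections with the same source and destination.

    A non-empty result is the situation described in the article's note:
    activation fails with "unable to activate connection" until those
    connections are deactivated.
    """
    return [c.name for c in existing
            if c.active and c.name != candidate.name
            and (c.local_net, c.remote_net) == (candidate.local_net, candidate.remote_net)]


if __name__ == "__main__":
    print("peer consistency problems:", check_pair(CYBEROAM1, CYBEROAM2))
    # Constructed demo: a preshared-key connection for the same networks is already active.
    psk = Connection("n2n_AHMD_psk", "Preshared Key", "192.168.1.0/24", "192.168.2.0/24", True)
    cert = Connection("n2n_AHMD", "Digital Certificate", "192.168.1.0/24", "192.168.2.0/24", False)
    print("deactivate before activating n2n_AHMD:", activation_conflicts(cert, [psk, cert]))
```

Running the script prints an empty problem list for the two peers as tabulated and names n2n_AHMD_psk as the connection to deactivate. Editing one field of CYBEROAM2 (a mistyped Remote ID, for example) produces a one-line description of exactly which side disagrees with which, which is quicker than reading the Telnet Console VPN log after a failed phase 1.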
Step-by-Step Configuration of Cyberoam1 server


Step 1. Generate CA
Go to VPN > Certificate Authority > Manage Certificate Authority and click Default certificate authority. If you are generating the CA for the first time, enter the complete details as required; otherwise modify the details if required.
Click Generate/Re-generate.
Step 2. Download the CA generated in step 1 and forward it to the Remote user
Go to VPN > Certificate Authority > Manage Certificate Authority.
Click Default certificate authority.
Click Download. The CA is downloaded in tar.gz format; it can be extracted with WinZip or WinRAR.
This CA is to be uploaded on the Cyberoam2 server.
Step 3. Generate Local Certificate
Go to VPN > Certificate > New Certificate and click Self Signed Certificate to create a certificate. Create the certificate with the following values:
Certificate name: AHMD_cert
Valid up to: As required
Key length: As required
Password: As required
Certificate ID: john@elitecore.com
Step 4. Generate Remote Certificate
Go to VPN > Certificate > New Certificate and click Self Signed Certificate to create a certificate. Create the certificate with the following values:
Certificate name: DLH_cert
Valid up to: As required
Key length: As required
Password: As required
Certificate ID: dean@elitecore.com
Step 5. Download the certificate generated in step 4 and forward it to the Remote user
Go to VPN > Certificate > Manage Certificate and click Download against DLH_cert. The certificate is downloaded in tar.gz format; it can be extracted with WinZip or WinRAR. The archive contains the certificate together with its private key (UserCertificate.pem and UserPrivateKey.key, both needed in step 2 on Cyberoam2), so forward it to the Remote user over a protected channel.
This certificate is to be uploaded on the Cyberoam2 server.
Step 6. Create IPSec connection
Go to VPN > IPSec Connection > Create Connection and create a connection with the following values:
Connection name: n2n_AHMD
Policy: Default Policy
Action on restart: As required
Mode: Tunnel
Connection Type: Net to Net
Authentication Type: Digital Certificate
Local Certificate: Select the certificate created in step 3, i.e. AHMD_cert
Remote Certificate: Select the certificate created in step 4, i.e. DLH_cert
Local server IP address (WAN IP address): 182.7.7.254
Local Internal Network: 192.168.1.0/24
Local ID: Automatically displays the ID specified in the Local certificate created in step 3, i.e. john@elitecore.com
Remote server IP address (WAN IP address): 125.16.7.254
Remote Internal Network: 192.168.2.0/24
Remote ID: Automatically displays the ID specified in the Remote certificate created in step 4, i.e. dean@elitecore.com
User Authentication Mode: As required
Protocol: As required
Step 7. Activate Connection
Go to VPN > IPSec Connection > Manage Connection and click the activate icon against the n2n_AHMD connection.
The status icon under Connection status indicates that the connection is successfully activated.
Note
Only one connection can be active at a time if both connection types, Digital Certificate and Preshared Key, have been created with the same source and destination. In that situation, activation fails with the error "unable to activate connection", and you need to deactivate all other connections first.

Step-by-Step Configuration of Cyberoam2 Server


Step 1. Obtain and upload the Certificate Authority of Cyberoam1
Unzip the CA received from the Remote user to extract two files: default.pem and default.der.
Go to VPN > Certificate Authority > Upload Certificate Authority.
Step 2. Obtain and upload the Remote Certificate created on Cyberoam1
Unzip the certificate received from the Remote user.
Go to VPN > Certificate > New Certificate, click Upload Certificate and specify the following values:
Certificate name: As required
Password: As required
Confirm Password: As specified in the Password field
Certificate: Use Browse to select the UserCertificate.pem file from the folder into which the archive was extracted
Private Key: Use Browse to select the UserPrivateKey.key file from the folder into which the archive was extracted
Step 3. Create IPSec connection
Go to VPN > IPSec Connection > Create Connection and create a connection with the following values:
Connection name: n2n_DLH
Policy: Default Policy
Action on restart: As required
Mode: Tunnel
Connection Type: Net to Net
Authentication Type: Digital Certificate
Local Certificate: Select the certificate uploaded in step 2
Remote Certificate: Select External Certificate
Local server IP address (WAN IP address): 125.16.7.254
Local Internal Network: 192.168.2.0/24
Local ID: Automatically displays the ID specified in the Local certificate, i.e. dean@elitecore.com
Remote server IP address (WAN IP address): 182.7.7.254
Remote Internal Network: 192.168.1.0/24
Remote ID: john@elitecore.com
User Authentication Mode: As required
Protocol: As required
Step 4. Activate Connection
Go to VPN > IPSec Connection > Manage Connection and click the activate icon against the n2n_DLH connection.
The status icon under Connection status indicates that the connection is successfully activated.
Note
Only one connection can be active at a time if both connection types, Digital Certificate and Preshared Key, have been created. In that situation, activation fails with the error "unable to activate connection", and you need to deactivate all other connections first.

Establish Connection
You can establish the connection once both servers are configured. The connection can be established from either of the servers.
Go to VPN > IPSec Connection > Manage Connection and click the connect icon against the connection.
The status icon under Connection status indicates that the connection is successfully established.
If you are not able to establish the connection, check the VPN log from the Telnet Console. Refer to the VPN Logs and Troubleshooting Guide for log explanations and error solutions.

Document Version: 9402-1.0-15/11/2006
