IPSec LAN-LAN VPN between Vigor and Cyberoam.

Vigor model: 2912, firmware 3.8.1.1

Cyberoam model: CR25iNG, firmware 10.6.3 MR-4

This article is a detailed configuration example showing how to set up a LAN-to-LAN IPSec VPN between a Cyberoam and a Vigor router, using a preshared key to authenticate the VPN peers.

Throughout the article we use the network parameters shown in the diagrams below.

[Diagram: ipsec1]

[Diagram: ipsec2]

Step by Step Configuration on Cyberoam

Step 1: Create VPN Policy

  • Go to VPN > Policy and create a VPN policy with the following values:
    • Policy Name: Vigor2912
    • Description: if required
    • Allow Re-keying: Yes
    • Key Negotiation Tries: 3
    • Authentication Mode: Main Mode
    • Pass data in compressed format: Enable

Phase 1

    • Encryption Algorithm: AES256, Authentication Algorithm: MD5
    • Encryption Algorithm: AES256, Authentication Algorithm: SHA1
    • DH Group (Key Group): 2 (DH1024)
    • Key life: 28800 sec
    • Rekey margin: 120 sec
    • Randomize Rekeying margin by: 0
    • Dead Peer Detection: Enable
    • Check Peer After Every: 10 sec
    • Wait for response up to: 30 sec
    • Action When Peer Unreachable: Disconnect

Phase 2

    • Encryption Algorithm: AES256, Authentication Algorithm: MD5
    • Encryption Algorithm: AES256, Authentication Algorithm: SHA1
    • PFS Group (DH Group): None
    • Key life: 3600 sec

Listing two proposals per phase gives the negotiation some tolerance; the proposal actually used is the first one offered by the initiator (the Vigor, see Step 4) that the Cyberoam also accepts, here AES256 with SHA1. MD5 and SHA1 integrity, DH group 2 (1024-bit MODP) and disabled PFS are legacy choices: if both firmware versions in your deployment offer SHA256, DH group 14 or higher and PFS, prefer those instead. Whatever you pick, the values must be identical on both peers or phase 1 or phase 2 will fail to negotiate.

[Screenshot: ipsec3]

Step 2: Create VPN Connection

  • Go to VPN > IPSec Connection > Create Connection and specify the parameters as follows:
    • Connection name: Vigor2912
    • Description: if required
    • Connection Type: Site to Site
    • Policy: choose the Vigor2912 policy created in Step 1
    • Action on restart: Respond only (the Cyberoam waits for the Vigor to initiate)
    • Authentication Type: Preshared Key
    • Preshared Key: 0123456789 (example value only; in production use a long random secret, and enter the identical key on the Vigor)
    • End point details, Local (WAN IP address): 2.50.6.141
    • Remote: xxxx.dyndns.org (the Vigor's dynamic DNS hostname)
    • Local Subnet: choose the Cyberoam local subnet object: 192.168.1.0/24
    • Remote Subnet: choose the Vigor local subnet object: 192.168.6.0/24

[Screenshot: ipsec4]

[Screenshot: ipsec5]

Step by Step Configuration on Vigor

Step 3: Go to VPN and Remote Access >> Remote Access Control Setup

  • To allow VPN traffic to reach the router, enable the IPsec VPN service as shown in the following screen.

[Screenshot: ipsec6]

Step 4: Go to VPN and Remote Access >> LAN to LAN

  • Choose an unused profile, e.g. 1, and click it to continue.
  • The status of an unused profile is shown as “???”.

Section 1: Common Settings

  • Enter a Profile Name and enable the profile.
  • As the Vigor router will always initiate the VPN connection (the Cyberoam connection was set to Respond only), set Call Direction to “Dial-Out” and tick “Always on” so the tunnel is re-established whenever it drops.

Section 2: Dial- Out Settings

  • Under Type of Server I am calling, select “IPSec Tunnel” and enter the WAN IP address or hostname of the Cyberoam, i.e. 2.50.6.141, as Server IP/Host Name.
  • Under IKE Authentication Method, select “Pre-Shared Key” and enter the same Pre-Shared Key configured on the Cyberoam (0123456789 in this example).
  • Under IPSec Security Method, select “High (ESP)” and choose AES with Authentication.
  • Click the “Advanced” button.

In the Advanced settings enter the following parameters; each one must match the Cyberoam policy from Step 1:

    • IKE phase 1 mode: Main mode
    • IKE phase 1 proposal: AES256_SHA1_G2
    • IKE phase 2 proposal: AES256_SHA1/AES256_MD5
    • IKE phase 1 key lifetime: 28800
    • IKE phase 2 key lifetime: 3600
    • Perfect Forward Secrecy (PFS): Disable (matches PFS Group: None on the Cyberoam)

[Screenshot: ipsec7]

[Screenshot: ipsec8]
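The two vendors describe the same proposals in different notation (Cyberoam as separate encryption/authentication rows plus one DH group, Vigor as strings such as AES256_SHA1_G2), and a mismatch in any field is the usual reason a cross-vendor tunnel never comes up. The script below is an added example, not code from the article, DrayTek or Cyberoam: it normalises both sides' phase 1 and phase 2 settings into comparable tuples, works out which proposal the negotiation will settle on (the Vigor dials out, so it is the initiator), and flags the legacy choices discussed above. The parser only understands the proposal syntax shown on this page; any other vendor syntax is an assumption.

```python
"""Added example (not from the article, DrayTek or Cyberoam): normalise the
phase 1 / phase 2 proposals configured on both peers, find the proposal the
IKE exchange will settle on, and flag weak choices. The parsers follow the
proposal strings shown in the article; other syntaxes are not handled."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Proposal:
    enc: str              # e.g. "AES256"
    auth: str             # integrity algorithm, e.g. "SHA1"
    group: Optional[int]  # phase 1: DH group; phase 2: PFS group, None = PFS disabled


WEAK_AUTH = {"MD5", "SHA1"}  # both deprecated for IKE/ESP integrity
WEAK_GROUPS = {1, 2, 5}      # MODP groups below 2048 bits


def normalise(alg: str) -> str:
    """'SHA 1', 'sha-1' and 'SHA1' all mean the same thing across vendor UIs."""
    return alg.upper().replace(" ", "").replace("-", "")


def parse_vigor_phase1(text: str) -> List[Proposal]:
    """Vigor writes a phase 1 proposal as ENC_AUTH_Gn, e.g. 'AES256_SHA1_G2'."""
    out = []
    for item in text.split("/"):
        enc, auth, g = item.split("_")
        out.append(Proposal(normalise(enc), normalise(auth), int(g.lstrip("G"))))
    return out


def parse_vigor_phase2(text: str, pfs_group: Optional[int]) -> List[Proposal]:
    """Vigor lists phase 2 proposals as ENC_AUTH joined by '/', PFS set separately."""
    out = []
    for item in text.split("/"):
        enc, auth = item.split("_")
        out.append(Proposal(normalise(enc), normalise(auth), pfs_group))
    return out


def cyberoam_proposals(pairs: List[Tuple[str, str]], group: Optional[int]) -> List[Proposal]:
    """Cyberoam keeps encryption/authentication rows and a single DH (or PFS) group."""
    return [Proposal(normalise(e), normalise(a), group) for e, a in pairs]


def negotiate(initiator: List[Proposal], responder: List[Proposal]) -> Optional[Proposal]:
    """The responder accepts the first initiator proposal it also supports."""
    accepted = set(responder)
    return next((p for p in initiator if p in accepted), None)


def weaknesses(p: Proposal, phase: int) -> List[str]:
    notes = []
    if p.auth in WEAK_AUTH:
        notes.append(f"phase {phase}: integrity {p.auth} is deprecated, prefer SHA256 or better")
    if p.group is None and phase == 2:
        notes.append("phase 2: PFS disabled, an IKE SA key compromise exposes recorded ESP traffic")
    elif p.group is not None and p.group in WEAK_GROUPS:
        notes.append(f"phase {phase}: DH group {p.group} is below 2048 bits, prefer group 14 or higher")
    return notes


def check_tunnel(vigor_p1, vigor_p2, vigor_pfs, cyb_p1, cyb_dh, cyb_p2, cyb_pfs,
                 vigor_life=(28800, 3600), cyb_life=(28800, 3600)):
    """Vigor dials out, so it is the initiator and Cyberoam (Respond only) the responder."""
    p1 = negotiate(parse_vigor_phase1(vigor_p1), cyberoam_proposals(cyb_p1, cyb_dh))
    p2 = negotiate(parse_vigor_phase2(vigor_p2, vigor_pfs), cyberoam_proposals(cyb_p2, cyb_pfs))
    notes = []
    if p1 is None:
        notes.append("phase 1: no common proposal, IKE will fail")
    else:
        notes += weaknesses(p1, 1)
    if p2 is None:
        notes.append("phase 2: no common proposal, quick mode will fail")
    else:
        notes += weaknesses(p2, 2)
    if vigor_life != cyb_life:
        notes.append(f"lifetimes differ {vigor_life} vs {cyb_life}: the shorter side drives rekeying")
    return {"phase1": p1, "phase2": p2, "notes": notes}


# Values from the article (Vigor 2912 side and Cyberoam CR25iNG side).
ARTICLE = dict(
    vigor_p1="AES256_SHA1_G2", vigor_p2="AES256_SHA1/AES256_MD5", vigor_pfs=None,
    cyb_p1=[("AES256", "MD5"), ("AES256", "SHA 1")], cyb_dh=2,
    cyb_p2=[("AES256", "MD5"), ("AES256", "SHA1")], cyb_pfs=None,
)

if __name__ == "__main__":
    report = check_tunnel(**ARTICLE)
    print("phase 1:", report["phase1"])
    print("phase 2:", report["phase2"])
    for note in report["notes"]:
        print(" -", note)
```

Run against the article's values the report settles on AES256/SHA1 with DH group 2 for phase 1 and AES256/SHA1 without PFS for phase 2, and lists the four legacy-algorithm notes; change the Vigor phase 1 string to something the Cyberoam policy does not contain (for example AES256_SHA256_G14) and the phase 1 result becomes None, which is exactly what a "no proposal chosen" failure in the router log corresponds to.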

Section 5: TCP/IP Network Settings

  • Enter the following parameters:
    • Remote Network IP: 192.168.1.1 (an address in the Cyberoam's internal network; with the mask below the Vigor derives 192.168.1.0/24)
    • Remote Network Mask: 255.255.255.0
    • Local Network IP: 192.168.6.1 (the Vigor's internal network IP)
    • Local Network Mask: 255.255.255.0
    • These networks must be the same ones chosen as Local and Remote subnet objects on the Cyberoam in Step 2.
    • Click the “OK” button.

[Screenshot: ipsec9]

After completing the above configuration, the VPN status on both devices should look like the screenshots below.

[Screenshot: ipsec10]

[Screenshot: ipsec11]

[Screenshot: ipsec12]

Reality about Browsing Security with Draytek

If you are accountable for IT security or management, keeping users safe on the web is one of the most serious issues you face. However, some obsolete ideas about the threats can get in the way of real security.

Protecting users on the web (HTTP/HTTPS) requires thinking about all the ways users reach it, and about the many techniques cyber-criminals use to get around traditional anti-virus protection.

To secure your data, keep your users productive and cut down on the time you spend cleaning up compromised PCs, read on.

[Image: DrayTek Vigor 2860]

Myth: a strict browsing policy that simply blocks known bad sites keeps users safe.

Web security used to be fairly straightforward: you merely had to block websites in categories such as adult content, gambling, P2P, and violent or extremist content (for example with the DrayTek Web Content Filter and APP Enforcement filter).

You may have sound reasons for blocking those kinds of websites: they may violate your country's laws or company policy, present legal liabilities, harm productivity, and contribute to an unhealthy work environment.

But blocking dubious sites will not keep users safe from web-borne threats.

The reality is that a large share of threats come from legitimate websites that have been compromised by cyber-criminals.

Modern websites are assembled from a huge number of components. Many of these are delivered by third-party sites, and attackers have become expert at targeting those, because they are often less well protected and make a convenient carrier for vulnerable code and malware.

So even if a site has done a good job securing its own infrastructure, it can still unintentionally serve malware. Malware delivered through advertising networks (malvertising) is a common example.

Some attacks, called drive-by downloads, infect a computer with malicious code simply because it visited a compromised website. The user does not need to click on anything; the infection happens automatically and without them realising it. Your staff are particularly at risk of this kind of attack if their browsers and browser plugins are not kept up to date with outstanding security patches.

So in addition to URL filtering and router-based web content filtering, inspect web traffic as it is accessed, and keep every device patched and protected by a trustworthy endpoint security solution.

“By 2017, more than 50% of network attacks will use SSL/TLS, yet most organizations lack the ability to de-crypt and inspect SSL communications to detect threats.” Gartner

Hashim RK | IT Manager


DVCOM Technology LLC, Dubai, UAE

Vigor Hotspot solution

Vigor Hotspot solution: Web Captive Portal login (HTTP/ HTTPS)

To track and secure your Wi-Fi hotspot or visitor network in a centralized way, the Vigor 2960/3900 lets hotspot users log in with nothing more than a web browser, using captive portal technology. A captive portal forces the user to see a login page before being granted Internet access: the user simply opens a normal website (e.g. www.datavoiz.com), is automatically redirected to the Vigor login page, and after entering valid credentials can browse the Internet normally.

The portal lets users log in with credentials such as a user name and password provided by the IT team. User profiles are created in advance with pre-defined time limits; once created, they can be printed as vouchers or exported in CSV format. The vouchers are then handed to the users who access the Internet within your premises.

[Screenshot: Vigor Hotspot]

Authentication Methods: Local/Guest/RADIUS/LDAP/SMS

The administrator can choose any of the user authentication methods listed above. Authentication of internal employees can be integrated with an LDAP or RADIUS server, while guests and customers are authenticated against guest profiles that carry the usage time limits.

Guests, users and customers can also be authenticated through the SMS method, using the e-mail address and mobile number they provide. A report can be generated on the guests' use of the Internet service at the hotspot location. The SMS gateway or service provider can be customized through the APIs provided by that SMS service provider.

Bulletin board

A bulletin board is available on the portal screen to welcome guests with information, news, a company profile or any adverts related to the company.

URL redirection after login

Once a guest or user has logged into the Vigor hotspot, a pre-defined web page is opened automatically in the browser. This feature can be used for branding.

Timeout settings

Active sessions are timed out if the guest or user is idle for more than about 10 minutes, after which the user has to log in again. The timeout can be configured to match company policy.

Whitelist settings

The whitelist function lets the administrator enable or disable firewall policies that block or allow web sites and URLs for guest or user profiles, applied to pre-defined IP groups according to company policy. For example, the administrator can block sites such as YouTube, Facebook and Twitter for guests while allowing them for internal users.

Monitor online status

The status of guests and users can be monitored on the online status page, which shows how many guests and users are currently logged into the hotspot.

Create bulk guest profiles

The Vigor hotspot solution can create guest profiles in bulk and in advance. The administrator can create up to 30 profiles (groups), each carrying up to 255 users, i.e. 255 users x 30 profiles. Time limits can be defined per profile or group for the current or a forthcoming day, week, month or year.

  • The administrator can set usage time and validity period for guest users.
  • Profiles can be exported to a .csv file for printing.
  • The administrator can create multiple guest groups and policies.
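Printed vouchers are bearer credentials: whoever holds the slip gets Internet access, so the passwords on them must be unpredictable and the validity window tight. The script below is an added example, not DrayTek's code and not the router's own export format: it builds a batch of guest accounts with cryptographically random passwords and a per-profile validity window, enforces the 30-profile and 255-user ceilings quoted above, and renders the batch as CSV. The column names and the sample profiles are assumptions made for the illustration.

```python
"""Added example (not DrayTek code and not the router's export format): build a
batch of hotspot guest vouchers with cryptographically random passwords and a
validity window per profile, then render the batch as CSV for printing. The
30-profile and 255-user ceilings come from the article; column names are assumed."""
import csv
import io
import secrets
import string
from datetime import datetime, timedelta
from typing import Dict, List

MAX_PROFILES = 30
MAX_USERS_PER_PROFILE = 255
# Drop characters that are easy to misread on a printed voucher (0/O, 1/I/L).
ALPHABET = "".join(c for c in string.ascii_uppercase + string.digits if c not in "0O1IL")


def voucher_password(length: int = 10) -> str:
    """Vouchers are bearer credentials, so use the CSPRNG, never a counter or a date."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def make_profile(name: str, users: int, valid_from: datetime,
                 valid_hours: int, quota_minutes: int) -> List[Dict[str, str]]:
    """One profile: `users` accounts sharing a validity window and a usage quota."""
    if not 1 <= users <= MAX_USERS_PER_PROFILE:
        raise ValueError(f"profile {name}: {users} users exceeds {MAX_USERS_PER_PROFILE}")
    valid_until = valid_from + timedelta(hours=valid_hours)
    return [
        {
            "profile": name,
            "username": f"{name}-{i:03d}",
            "password": voucher_password(),
            "valid_from": valid_from.isoformat(timespec="minutes"),
            "valid_until": valid_until.isoformat(timespec="minutes"),
            "quota_minutes": str(quota_minutes),
        }
        for i in range(1, users + 1)
    ]


def make_batch(specs: List[dict]) -> List[Dict[str, str]]:
    """Apply the router's profile ceiling across the whole batch."""
    if len(specs) > MAX_PROFILES:
        raise ValueError(f"{len(specs)} profiles exceeds {MAX_PROFILES}")
    rows: List[Dict[str, str]] = []
    for spec in specs:
        rows.extend(make_profile(**spec))
    return rows


def to_csv(rows: List[Dict[str, str]]) -> str:
    """Assumed column layout; adapt the field names to the import format you use."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample batch: a one-day conference and a week-long contractor profile.
SAMPLE_SPECS = [
    dict(name="conf-day1", users=120, valid_from=datetime(2016, 3, 14, 8, 0),
         valid_hours=12, quota_minutes=600),
    dict(name="contractors", users=5, valid_from=datetime(2016, 3, 14, 0, 0),
         valid_hours=24 * 7, quota_minutes=60 * 40),
]

if __name__ == "__main__":
    print(to_csv(make_batch(SAMPLE_SPECS)))
```

Keep the generated CSV under the same protection as any other credential store: it is a list of live passwords until the profiles expire, and a profile that is never going to be used again should be deleted from the router rather than left to age out.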

Established in 2007, DVCOM Technology is an open source IP telephony, unified communications, video conferencing and networking solutions company, and a value-added distributor for various brands of IP phones, IP PBXs, GSM and VoIP gateways, telepresence, VPN firewall Wi-Fi routers, IP intercoms, audio paging and network security in the MENA region.