IPSec LAN-LAN VPN between Vigor and Cyberoam.

Vigor model: 2912, firmware 3.8.1.1

Cyberoam model: CR25iNG, firmware 10.6.3 MR-4

This article is a detailed configuration example that shows how to set up a LAN-to-LAN IPSec VPN connection between Cyberoam and Vigor, using a preshared key to authenticate the VPN peers.

Throughout the article we will use the network parameters shown in the diagram below.

[Network diagram: images ipsec1 and ipsec2 not included in this text]

Step by Step Configuration on Cyberoam

Step 1: Create VPN Policy

  • Go to VPN and create a VPN policy with the following values:
    • Policy Name: Vigor2912
    • Description: if required
    • Allow Re-keying: Yes
    • Key Negotiation Tries: 3
    • Authentication Mode: Main Mode
    • Pass data in compressed format: Enable

Phase 1

    • Encryption Algorithm: AES256, Authentication Algorithm: MD5
    • Encryption Algorithm: AES256, Authentication Algorithm: SHA1
    • DH Group (Key Group): 2 (DH1024)
    • Key life: 28800 sec
    • Rekey margin: 120 sec
    • Randomize Rekeying margin by: 0
    • Dead Peer Detection: Enable
    • Check Peer After Every: 10 sec
    • Wait for response up to: 30 sec
    • Action When Peer unreachable: Disconnect

Phase 2

    • Encryption Algorithm: AES256, Authentication Algorithm: MD5
    • Encryption Algorithm: AES256, Authentication Algorithm: SHA1
    • PFS Group (DH Group): None
    • Key life: 3600 sec


Step 2: Create VPN Connection

  • Go to VPN >> IPSec Connection >> Create Connection and specify the parameters as follows:
    • Connection name: Vigor2912
    • Description: if required
    • Connection Type: Site to Site
    • Policy: choose the Vigor2912 policy created in Step 1
    • Action on restart: Respond only
    • Authentication Type: Preshared Key
    • Preshared Key: 0123456789
    • Endpoint details, Local (WAN IP address): 2.50.6.141
    • Remote: xxxx.dyndns.org
    • Local: choose the Cyberoam local subnet from the object list: 192.168.1.0/24
    • Remote: choose the Vigor local subnet from the object list: 192.168.6.0/24


Step 3: On the Vigor router, go to VPN and Remote Access >> Remote Access Control Setup

  • To allow VPN traffic through the router, enable the IPSec service as shown in the following screen.


Step 4: Go to VPN and Remote Access >> LAN to LAN

  • Choose an unused profile, e.g. 1, and click Next to continue.
  • The status of an unused profile will be “???”.

Section 1: Common Settings

  • Enter a Profile Name and enable the profile.
  • As the Vigor router will always initiate the VPN connection, set Call Direction to “Dial-Out” and tick “Always on” so the VPN tunnel stays up permanently.

Section 2: Dial-Out Settings

  • Under Type of Server I am calling, select “IPSec Tunnel” and enter the WAN IP address/hostname of Cyberoam, i.e. 2.50.6.141, as Server IP/Host Name.
  • Under IKE Authentication Method, select “Pre-Shared Key” and enter the Pre-Shared Key 0123456789 (the same key entered on Cyberoam in Step 2).
  • Under IPSec Security Method, select “High (ESP)” and choose AES with Authentication.
  • Click the “Advanced” button.

In the Advanced settings, enter the parameters as follows (they must match the Cyberoam policy from Step 1):

    • IKE phase 1 mode: Main mode
    • IKE phase 1 proposal: AES256_SHA1_G2
    • IKE phase 2 proposal: AES256_SHA1/AES256_MD5
    • IKE phase 1 key lifetime: 28800
    • IKE phase 2 key lifetime: 3600
    • Perfect Forward Secret: Disable


Section 5: TCP/IP Network Settings

  • Enter the following parameters:
    • Remote Network IP: 192.168.1.1 (Cyberoam’s internal network IP)
    • Remote Network Mask: 255.255.255.0
    • Local Network IP: 192.168.6.1 (Vigor’s internal network IP)
    • Local Network Mask: 255.255.255.0
    • Click the “OK” button.


After the above configuration, the VPN status is shown below.

[VPN status screenshots: images ipsec10, ipsec11 and ipsec12 not included in this text]
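To confirm that the two peers configured above can actually agree on a proposal, and to review what they agree on, here is an added Python example (not from the article, DrayTek or Cyberoam) that models the Phase 1 and Phase 2 lists exactly as entered in Steps 1, 2 and 4 and audits the negotiated result. The weakness thresholds (minimum DH group, PSK length) are this example's own assumptions.

```python
# Added example, not part of the original article or either vendor's software.
# Models the IKE proposals entered on each side and checks that both phases can
# negotiate, then reviews the outcome from a defender's point of view.
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Proposal:
    enc: str            # cipher, e.g. "AES256"
    auth: str           # integrity hash, e.g. "SHA1"
    dh: Optional[int]   # DH group; None = no DH exchange (phase 2 without PFS)

# Cyberoam side (responder, "Respond only") as entered in Steps 1-2
CYBEROAM_P1 = [Proposal("AES256", "MD5", 2), Proposal("AES256", "SHA1", 2)]
CYBEROAM_P2 = [Proposal("AES256", "MD5", None), Proposal("AES256", "SHA1", None)]
# Vigor side (initiator, Dial-Out / Always on) as entered in Step 4, Advanced
VIGOR_P1 = [Proposal("AES256", "SHA1", 2)]                      # AES256_SHA1_G2
VIGOR_P2 = [Proposal("AES256", "SHA1", None),                   # AES256_SHA1 /
            Proposal("AES256", "MD5", None)]                    # AES256_MD5, PFS off

def negotiate(initiator: List[Proposal], responder: List[Proposal]) -> Optional[Proposal]:
    """First initiator proposal that the responder also lists, or None if no match."""
    offered = set(responder)
    return next((p for p in initiator if p in offered), None)

def audit(p1: Optional[Proposal], p2: Optional[Proposal], psk: str) -> List[str]:
    """Defender-side review of the negotiated result; thresholds are assumptions."""
    if p1 is None or p2 is None:
        return ["no common proposal: the tunnel will not come up"]
    findings = []
    for phase, p in (("phase 1", p1), ("phase 2", p2)):
        if p.auth == "MD5":
            findings.append(f"{phase}: MD5 integrity is deprecated")
        elif p.auth == "SHA1":
            findings.append(f"{phase}: HMAC-SHA1 is legacy; prefer SHA-256 or stronger")
    if p1.dh is not None and p1.dh <= 2:
        findings.append(f"phase 1: DH group {p1.dh} (1024-bit MODP or weaker); use group 14 or higher")
    if p2.dh is None:
        findings.append("phase 2: PFS disabled, so a phase 1 key compromise exposes every child SA")
    if len(psk) < 20 or psk.isdigit():
        findings.append("PSK is short or digits-only; use a long random secret")
    return findings

def review_tunnel():
    p1 = negotiate(VIGOR_P1, CYBEROAM_P1)
    p2 = negotiate(VIGOR_P2, CYBEROAM_P2)
    return p1, p2, audit(p1, p2, "0123456789")   # PSK as given in Step 2

if __name__ == "__main__":
    p1, p2, findings = review_tunnel()
    print("negotiated:", p1, p2, *findings, sep="\n")
```

With the article's values the tunnel negotiates AES256/SHA1/DH2 for Phase 1 and AES256/SHA1 without PFS for Phase 2, and the audit lists the points a reviewer would raise before putting the link into production.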

Reality about Browsing Security with Draytek

If you’re responsible for IT security or IT management, keeping users safe on the web is one of the most serious issues you face. However, some outdated ideas about the threats can undermine the security you could otherwise achieve.

Protecting users on the web (HTTP/HTTPS) requires you to think about all the ways users access it, and about the different methods cyber-criminals use to get around traditional anti-virus security.

To secure your data, keep your users productive, and cut down on the time you spend cleaning up compromised PCs, I suggest you read on.

Draytek Vigor 2860

Myth: a strict browsing policy that simply blocks malicious sites is enough to keep users safe.

Web security used to be fairly straightforward: you merely had to block websites in categories such as adult content, gambling, P2P, and violent or extremist content (for example with the DrayTek WCF and APPE filters).

You may have sound reasons for blocking those kinds of websites: they probably violate your country’s laws or company policies, present legal liabilities, harm worker productivity, and can contribute to an unhealthy work environment.

But blocking dubious sites won’t keep users safe from web-borne threats.

The reality is that the vast majority of threats come from legitimate websites that have been compromised by cyber-criminals.

Current websites tend to be built from a large number of components. Some of these are delivered by third-party sites, and attackers have become expert at targeting those, since they are often less well protected and serve as carriers for vulnerable code and malware.

So, even if a site has done a good job of securing its own infrastructure, it could still unintentionally be serving up malware. Malware delivered through malvertising (malicious ads) is a common example.

Some attacks, called drive-by downloads, can infect your computers with malicious code just by visiting a compromised website. Users don’t even need to click on anything, because the infection happens automatically, without them realizing it. Your staff are particularly at risk of this kind of attack if they don’t keep their browsers and all associated plugins up to date with outstanding security patches.

In addition to URL filtering solutions and router-based web content filters, randomly perform deep scanning of web traffic as it is accessed, and keep your devices up to date and protected by a trusted internet security solution.

“By 2017, more than 50% of network attacks will use SSL/TLS, yet most organizations lack the ability to decrypt and inspect SSL communications to detect threats.” (Gartner)

Hashim RK | IT Manager


DVCOM Technology LLC, Dubai, UAE

2N® Helios IP Force is a robust IP AV intercom with IP69K, IK10 and 802.1X

Present-day security concerns at the entrance are handled by this exceptionally sturdy IP intercom. It can deal with the most demanding conditions thanks to its weather-sealed IP69K rating for tough environments, and it withstands impacts up to IK10.


Best SIP Video Intercoms

Camera
The embedded wide-angle megapixel camera is ONVIF compliant. Monitoring buildings with the 2N® Helios IP Force is simplified by the integrated camera, which captures an angle of up to 135° (H) and 109° (V).

It automatically switches to night mode to capture people more effectively at night.

Audio
Effortless communication using its 2 integrated microphones and 10 W amplifier, supporting full duplex with acoustic echo cancellation (AEC). Crystal-clear sound even in crowded places, with an acoustic pressure of 94 dB.

The video door entry station integrates with major video management system (VMS) vendors. Video evidence can be retained when required; most deployments are at corporate facilities, educational institutions, government, army and prison sites.

SIP compliance enables IP devices to be connected directly and allows you to design more complex solutions.

For more information, call us at 04-887-3370.

2N® Helios IP Force – Authorized Distributor