How To Establish Site-to-Site VPN Connection

How To Establish Site-to-Site IPSec VPN Connection using Preshared key

using
Preshared Key
Applicable Version: 10.00 onwards
Overview
IPSec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite. It is
used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways
(network-to-network), or between a security gateway and a host (network-to-host).
Cyberoams IPSec VPN offers site-to-site VPN with cost-effective site-to-site remote connectivity,
eliminating the need for expensive private remote access networks like leased lines, Asynchronous
Transfer Mode (ATM) and Frame Relay. This article describes a detailed configuration example that
demonstrates how to set up a site-to-site IPSec VPN connection between the two networks using
preshared key to authenticate VPN peers.

Scenario
Configure a site-to-site IPSec VPN connection between Site A and Site B by following the steps given
below. In this article, we have used the following parameters to create the VPN connection.
Network Parameters
Local Network details
Remote Network details

Local Server (WAN IP address) 14.15.16.17

Local LAN address 10.5.6.0/24
Remote VPN server (WAN IP address) 22.23.24.25
Remote LAN Network 172.23.9.0/24

Site A Configuration
The configuration is to be done from Site As Cyberoam Web Admin Console using profile having readwrite administrative rights for relevant feature(s).

How To Establish Site-to-Site IPSec VPN Connection using Preshared key

Step 1: Create IPSec Connection

To create a new IPSec connection, go to VPN > IPSec > Connection and click Add. Create the
connection using the following parameters.

Parameter Description
Parameter

Value

Description

Name

SiteA_to_SiteB

Name to identify the IPSec Connection

Connection Type

Site to Site

Select Type of connection.

Available Options:
Remote Access
Site to Site
Host to Host

Policy

DefaultHeadOffice Select policy to be used for connection

Action on VPN Restart Respond Only

Select the action for the connection.

Available options:
Respond Only
Initiate
Disable

Authentication details
Authentication Type

Preshared Key

Select Authentication Type. Authentication of user

depends on the connection type.

Preshared Key

123456789

Preshared key should be the same as that configured in

remote site.

Endpoints Details
Local

PortB-14.15.16.17 Select local port which acts as end-point to the tunnel

Remote

22.23.24.25

Specify IP address of the remote endpoint.

Local Network Details

Local Subnet

10.5.6.0/24

Remote Network Details

Select Local LAN Address. Add and Remove LAN

Address using Add Button and Remove Button

How To Establish Site-to-Site IPSec VPN Connection using Preshared key

Remote LAN Network 172.23.9.0/24

Click OK to create IPSec connection.

Select Remote LAN Address. Add and Remove LAN

Address using Add Button and Remove Button

How To Establish Site-to-Site IPSec VPN Connection using Preshared key

Step 2: Activate Connection

On clicking OK, the following screen is displayed showing the connection created above.

Click

under Status (Active) to activate the connection.

Site B Configuration
The configuration is to be done from Site Bs Cyberoam Web Admin Console using profile having readwrite administrative rights for relevant feature(s).

Step 1: Create IPSec Connection

To create a new IPSec connection, go to VPN > IPSec > Connection and click Add. Create the
connection using the following parameters.

How To Establish Site-to-Site IPSec VPN Connection using Preshared key

Parameter Description
Parameter

Value

Description

Name

SiteB_to_SiteA

Name to identify the IPSec Connection

Connection Type

Site to Site

Select Type of connection.

Available Options:
Remote Access
Site to Site
Host to Host

Policy

DefaultBranchOffice Select policy to be used for connection

Action on VPN
Restart

Initiate

Select the action for the connection.

Available options:
Respond Only
Initiate
Disable

Authentication details
Authentication Type

Preshared Key

Select Authentication Type. Authentication of user

depends on the connection type.

Preshared Key

123456789

Preshared key should be the same as that configured in

remote site.

Local

PortB-22.23.24.25

Select local port which acts as end-point to the tunnel

Remote

14.15.16.17

Specify IP address of the remote endpoint.

Endpoints Details

Local Network Details

Local Subnet

172.23.9.0/24

Select Local LAN Address. Add and Remove LAN

Address using Add Button and Remove Button

Remote Network Details

Remote LAN Network 10.5.6.0/24

Select Remote LAN Address. Add and Remove LAN

Address using Add Button and Remove Button

How To Establish Site-to-Site IPSec VPN Connection using Preshared key

Step 2: Activate and Establish Connection

On clicking OK, the following screen is displayed showing the connection created above.

Click

under Status (Active) and Status (Connection).

How To Establish Site-to-Site IPSec VPN Connection using Preshared key

The above configuration establishes an IPSec connection between Two (2) sites.
Note:
Make sure that Firewall Rules that allow LAN to VPN and VPN to LAN traffic are configured.
In a Head Office and Branch Office setup, usually the Branch Office acts as the tunnel initiator and Head
Office acts as a responder due to following reasons:
Since Branch Office or other Remote Sites have dynamic IPs, Head Office is not able to initiate the
connection.
As there can be many Branch Offices, to reduce the load on Head Office it is a good practise that
Branch Offices retries the connection instead of the Head Office retrying all the branch office
connections.

Document Version: 2.1 22 February, 2014