How To – Establish VPN tunnel between Cyberoam and Sonicwall using Certificate

How To – Establish VPN tunnel between

Cyberoam and Sonicwall using Certificate

Applicable to Version: 9.4.0 build 2 onwards

This article describes a detailed configuration example that demonstrates how to configure
net-to-net IPSec VPN tunnel between a Cyberoam and SonicWall using Certificates to
authenticate VPN peers.

It is assumed that the reader has a working knowledge of Cyberoam and SonicWall appliance
configuration.

Prerequisite: Set same Date and Time on both the peers. Refer to Cyberoam Console
Guide for setting Date and time.

Throughout the article we will use the network parameters as shown in the diagram below.
 How To – Establish VPN tunnel between Cyberoam and Sonicwall using Certificate

Cyberoam Configuration
Step 1. Generate Local Certificate
Go to VPN → Certificate → New Certificate and click Self Signed Certificate to create
certificate. Create certificate with the following value:

Certificate name: CR_cert

Valid upto: As required
Key length: As required
Password: As required
Certificate ID: john@elitecore.com

Step 2. Generate Remote Certificate

Go to VPN → Certificate → New Certificate and click Self Signed Certificate to create
certificate. Create certificate with the following value:

Certificate name: SW_cert

Valid upto: As required
Key length: As required
Password: As required
Certificate ID: dean@elitecore.com

Step 3. Download Certificate generated in step 2 and forward to the Remote user
Go to VPN → Certificate → Manage Certificate and click Download against the SW_cert.
Certificate is downloaded in tar.gz format. One can unzip the file using winzip or winrar.

This Certificate is to be uploaded at SonicWAll.

Step 4: Create IPSec connection

Go to VPN → IPSec Connection → Create Connection and create connection with the
following values:

Connection name: CR_SW

Policy: Default Policy
Action on restart: As required
Mode: Tunnel
Connection Type: Net to Net

Authentication Type – Digital Certificate

Local Certificate – Select Certificate created in step 1 i.e. CR_cert
Remote Certificate - Select Certificate created in step 2 i.e. SW_cert

Local server IP address (WAN IP address) – 192.168.15.204 (Cyberoam WAN IP)

Local Internal Network – 8.8.8.0/24
 How To – Establish VPN tunnel between Cyberoam and Sonicwall using Certificate

Local ID – Automatically displays ID specified in the Local certificate created in step 1 i.e.
john@elitecore.com

Remote server IP address (WAN IP address) – 192.168.13.71 (SonicWall WAN IP)

Remote Internal Network – 172.18.1.0/24
Remote ID – Automatically displays ID specified in the Remote certificate created in step 2 i.e.
dean@elitecore.com

User Authentication Mode: As required

Protocol: As required

Step 5. Activate Connection

Go to VPN → IPSec Connection → Manage Connection
To activate the connection, click against the CR_CW connection.

under the Connection status indicates that the connection is successfully activated

Note
At a time only one connection can be active if both the types of connection - Digital Certificate
and Preshared Key - are created with the same source and destination. In such situation, at
the time of activation, you will receive error ‘unable to activate connection’ hence you need to
deactivate all other connections.
 How To – Establish VPN tunnel between Cyberoam and Sonicwall using Certificate

SonicWall Configuration
Step 6. Obtain and Upload Remote Certificate created in Cyberoam
Unzip Certificate received from the Remote user i.e. Cyberoam and extract Password.txt and
.p12 file
Go to System → Certificates and specify following values:

Select ‘Import a local end-user certificate with private key from a PKCS#12 (.p12 or .pfx)
encoded file
Certificate name: As required
Certificate Management Password: As specified in the Password.txt file
Please select a file to import: Using Browser select .p12 file from folder in which the zip file is
extracted

Certificate list will include Certificate CA and Certificate, if certificate is imported successfully.

Step 7. Add Address Object to define remote network that is to be connected via VPN tunnel
Go to Network → Address Object and click ADD under Address Objects and create with the
following values:
Name: CR_LAN
Zone: VPN
Type: Network
Network: 8.8.8.0 i.e. defined as Internal Network in Cyberoam
Mask: 255.255.255.0 i.e. subnet mask for the above network

Step 8. Create VPN Policy

Go to VPN → Settings and click ADD under VPN Policies

A. Input following values in the General Tab fields:

Authentication Method: IKE using 3rd Party Certificates

Name: sonicwall_2_cyberoam
IPsec Primary Gateway Name or Address: 192.168.15.204 i.e. WAN IP of Cyberoam
IPsec Secondary Gateway Name or Address: Blank
Local Certificate: Certificate imported in step 6
Peer IKE ID Type: E-mail ID
Peer IKE ID: john@elitecore.com (IKE of Cyberoam)

B. Input following values in the Network Tab fields:

Under Local Networks

Choose local network from list: LAN Subnets (Contains pre-defined object for LAN network)

Under Destination Networks

Choose local network from list: CR_LAN i.e. object created for Cyberoam network in step 7
 How To – Establish VPN tunnel between Cyberoam and Sonicwall using Certificate

C. Input following values in the Proposals Tab fields:

IKE Phase I Proposal

Exchange: Main Mode
DH Group: 2
Encryption: 3DES
Authentication: MD5
Life Tine (seconds): 3600

Ipsec (Phase 2) Proposal

Protocol: ESP
Encryption: 3DES
Authentication: MD5
Enable PFS: Yes
DH Group: 2
Life Time (seconds): 3600

VPN Policy is automatically enabled if created successfully.

If SonicWall is able to establish connection with Cyberoam successfully then the

connection/tunnel details will be displayed under Currently Active VPN Tunnels.

Step 8. Establish Connection from Cyberoam

Go to VPN → IPSec Connection → Manage Connection

To establish the connection/tunnel, click under Connection Status against the CR_SW
connection

under Connection Status indicates that the connection/tunnel is successfully established

Points to be noted
• Connection can be initiated from either of the peers provided connection is ‘Active’ in
Cyberoam
• If you try to connect from Cyberoam when the SonicWall VPN policy is not enabled,
Cyberoam will display ‘Unable to establish connection’ message.
• One can re-establish connection from SonicWall by enabling the VPN policy manually
only if connection is ‘Active’ in Cyberoam

Reference Documents
• VPN Troubleshooting Guide
• Cyberoam Console Guide

Document Version: 9402-1.0-15/11/2006