IPSec VPN Configuration between a Cyberoam CR35iNG router and a UTT Business Router (Public IP to Private IP)

Purpose

The head office and the branch office need to connect over an IPSec VPN. The head office has a Cyberoam CR35iNG router (with a public IP address), and the branch office has a UTT Business Router (with a private IP address). This document describes how to configure the IPSec VPN.

Prerequisites

  • A UTT Business Router (hereinafter referred to as “the Router”), such as the UTT N518W, AC750W, AC750GW, etc. Firmware Version: 1.7.0 or above.
  • A Cyberoam CR35iNG router. Firmware Version: 10.6.1 MR-3.
  • A PC/laptop connected to one of the routers, either through its LAN port or over the wireless network.

Configuration

  1. Log on to the Web UI of the UTT AC750W. Go to the IPSec page under VPN. Click Add.
Figure 1-1
 
  1. Select Originate Only in Connection Type.
In the Remote area on the page, enter the remote gateway IP or domain name, which is the WAN IP of the Cyberoam router, x.x.40.54.
Enter the subnet address and subnet mask of the Cyberoam router. For example, 192.168.1.0 and 255.255.255.0.
In the Local area on the page, select WAN1 in Bind to.
Enter the subnet address and subnet mask of the UTT router. For example, 192.168.2.0 and 255.255.255.0.
Set the Pre-shared Key and P2 Encrypt/Auth Algorithms 1 (for example, esp-aes128-md5) in Security Options.
Figure 1-2
 
  1. Click Advanced Options.
In Phase 1, select Aggressive in Exchange Mode. Set 28800 in SA Lifetime. Select 3des-md5-group2 in Encrypt/Auth Algorithms 1. Leave Encrypt/Auth Algorithms 2, Encrypt/Auth Algorithms 3 and Encrypt/Auth Algorithms 4 blank.
In Phase 2, leave Encrypt/Auth Algorithms 2, Encrypt/Auth Algorithms 3 and Encrypt/Auth Algorithms 4 blank. Enter 3600 in SA Lifetime.
Keep other options as default. Click Save.
Figure 1-3
 
  1. Log on to the Web UI of the Cyberoam router. Go to Hosts under OBJECTS. Configure two hosts as follows.
    1. Name: Remote_346
IP Family: IPv4
  • : Network
IP Address: 192.168.2.0
  • : 255.255.255.0
    1. Name: Local_LAN_HO_145
IP Family: IPv4
  • : Network
IP Address: 192.168.1.0
  • : 255.255.255.0
 
Figure 1-4
 
  1. Go to VPN > Policy. Click Add. Specify the Name as UTT_VPN. Select Aggressive Mode in Authentication Mode. Check to enable Allow Re-keying. Disable Perfect Forward Secrecy (PFS).
In Phase 1, select 3DES in Encryption Algorithm and MD5 in Authentication Algorithm. Check 2 in DH Group. Enter 28800 in Key Life.
In Phase 2, select AES128 in Encryption Algorithm and MD5 in Authentication Algorithm. Enter 3600 in Key Life.
Keep other options as default. Save the configuration. 
Figure 1-5
 
  1. Go to VPN > IPSec. Click Add. Specify a Name. Select Remote Access in Connection Type and UTT_VPN in Policy. Select Respond Only in Action on VPN Restart.
Select Preshared Key in Authentication Type and configure the Preshared Key (which should match that of the UTT end).
Specify the Local gateway IP address in Endpoint Details. Use a “*” mark as the Remote gateway IP address, which indicates any IP address.
Add Local_LAN_HO_145 to Local Subnet in Local Network Details.
Select Remote_346 in Remote LAN Network under Remote Network Details.
Keep other options as default. Save the configuration. 
Figure 1-6
 
  1. Click the red light (if any) under Active and Connection of VPN/IPSec to make them turn green. The IPSec VPN is then successfully connected, as shown in the screenshot below.
 
Figure 1-7
 
  1. If there's no traffic passing through the tunnel, even though IPSec Connection is active and connected, please refer to https://kb.cyberoam.com/default.asp?id=2475.
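
The following Python check is an added example, not part of the original guide or either vendor's tooling. It records both ends' settings from the steps above, reports any setting on which the peers disagree, and lists the legacy choices (Aggressive Mode with a pre-shared key, 3DES, MD5, DH group 2) worth replacing if both devices support stronger options. The dictionary layout and key names are assumptions of this example.

```python
import ipaddress

# Both ends as configured in the steps above (values from this page; the
# dictionary layout and key names are assumptions of this example).
UTT = {"mode": "aggressive",
       "p1": ("3des", "md5", 2), "p1_life": 28800,
       "p2": ("aes128", "md5"), "p2_life": 3600,
       "local": "192.168.2.0/255.255.255.0",
       "remote": "192.168.1.0/255.255.255.0"}
CYBEROAM = {"mode": "aggressive",
            "p1": ("3des", "md5", 2), "p1_life": 28800,
            "p2": ("aes128", "md5"), "p2_life": 3600,
            "local": "192.168.1.0/255.255.255.0",
            "remote": "192.168.2.0/255.255.255.0"}

def differences(a, b):
    """List the settings on which the two peers disagree."""
    out = [k for k in ("mode", "p1", "p1_life", "p2", "p2_life") if a[k] != b[k]]
    net = ipaddress.ip_network
    # Selectors must mirror each other: one side's local LAN is the other's remote LAN.
    if net(a["local"]) != net(b["remote"]):
        out.append("a.local != b.remote")
    if net(a["remote"]) != net(b["local"]):
        out.append("a.remote != b.local")
    # Overlapping LANs on the two sites cannot be routed through the tunnel.
    if net(a["local"]).overlaps(net(a["remote"])):
        out.append("local and remote subnets overlap")
    return out

def legacy_settings(cfg):
    """Flag legacy choices in one peer's configuration for review."""
    found = []
    if cfg["mode"] == "aggressive":
        # With a pre-shared key, the key's strength carries the whole exchange.
        found.append("aggressive mode with PSK: use a long random pre-shared key")
    for name in ("p1", "p2"):
        enc, auth = cfg[name][0], cfg[name][1]
        if enc == "3des":
            found.append(f"{name}: 3des")
        if auth == "md5":
            found.append(f"{name}: md5")
    if cfg["p1"][2] == 2:
        found.append("p1: DH group 2 (1024-bit MODP)")
    return found

if __name__ == "__main__":
    print(differences(UTT, CYBEROAM))
    print(legacy_settings(UTT))
```

An empty list from `differences` means the two configurations agree on every recorded setting and the subnets mirror each other.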