How To Create Hub and Spoke IPSec VPN Network

This article describes how to configure Cyberoam Firewall/VPN appliances in a hub and spoke VPN
topology, as used, for example, by a headquarters with many branch offices.

In a hub and spoke network, all VPN tunnels terminate at the hub. The hub acts as the
concentrator for the network, managing every VPN connection to the spokes. There is no direct
site-to-site tunnel between the spokes; traffic between two spokes passes from one tunnel into
the other at the hub.

In the example used throughout this article, the IP addresses given below are assigned to the
Cyberoam appliances deployed at the headquarters and at two branches. Follow the steps to set up
the example hub-and-spoke VPN configuration, which creates a VPN among the Houston branch
(Cyberoam_br1), the Dallas branch (Cyberoam_br2) and the New York head office (Cyberoam_ho)
network.

IP addressing scheme

Hub - New York office (Cyberoam_ho)
  LAN IP address: 192.168.1.0/24
  WAN IP address: 202.11.11.11

Spoke 1 - Houston branch (Cyberoam_br1)
  LAN IP address: 5.5.5.0/16
  WAN IP address: 202.10.10.10

Spoke 2 - Dallas branch (Cyberoam_br2)
  LAN IP address: 10.10.10.0/24
  WAN IP address: 202.12.12.12
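The Local LAN Network and Remote LAN Network values entered at each site in the steps that follow are what make spoke-to-spoke traffic transit the hub: each spoke lists the hub LAN plus every other spoke LAN as its remote network, and the hub mirrors that set as its local network on the matching tunnel. The following added example (not Cyberoam code; site names and addresses are the article's, the function names are this example's own) derives those values from the addressing scheme above and checks a spoke's form entries against them:

```python
"""Traffic-selector planner for a hub-and-spoke IPsec VPN.
Added example, not Cyberoam code. Site names and addresses are the article's;
the function names and the checks are this example's own."""
from ipaddress import ip_network, IPv4Network

HUB_LAN = "192.168.1.0/24"                       # New York (Cyberoam_ho)
SPOKE_LANS = {"Cyberoam_br1": "5.5.5.0/16",      # Houston
              "Cyberoam_br2": "10.10.10.0/24"}   # Dallas


def normalise(cidr: str) -> IPv4Network:
    """Zero the host bits so both peers agree on the selector: the article's
    5.5.5.0/16 has host bits set and is really the network 5.5.0.0/16."""
    return ip_network(cidr, strict=False)


def plan_tunnels(hub_lan: str, spoke_lans: dict) -> dict:
    """For each spoke, the Local/Remote LAN Network values each end of its
    tunnel to the hub must carry. A spoke's remote set is the hub LAN plus
    every other spoke LAN, because spoke-to-spoke traffic transits the hub;
    the hub's local set for that same tunnel mirrors it exactly."""
    hub = normalise(hub_lan)
    lans = {n: normalise(c) for n, c in spoke_lans.items()}
    plan = {}
    for name, lan in lans.items():
        via_hub = frozenset([hub] + [l for n, l in lans.items() if n != name])
        plan[name] = {"spoke_local": frozenset([lan]), "spoke_remote": via_hub,
                      "hub_local": via_hub, "hub_remote": frozenset([lan])}
    return plan


def check_spoke(plan: dict, spoke: str, local: list, remote: list) -> list:
    """Compare the selectors typed into a spoke's connection form with the
    plan. Returns a list of problems; an empty list means the tunnel will
    carry both spoke-to-hub and spoke-to-spoke traffic."""
    want = plan[spoke]
    got_local = {normalise(c) for c in local}
    got_remote = {normalise(c) for c in remote}
    problems = []
    if got_local != want["spoke_local"]:
        problems.append(f"{spoke}: local LAN should be "
                        f"{sorted(map(str, want['spoke_local']))}")
    for net in want["spoke_remote"] - got_remote:
        problems.append(f"{spoke}: remote LAN list lacks {net}; traffic to it "
                        "will not enter the tunnel (spoke-to-spoke ping fails)")
    for net in got_remote - want["spoke_remote"]:
        problems.append(f"{spoke}: remote LAN {net} has no matching selector "
                        "on the hub, so that Phase 2 SA will not negotiate")
    return problems
```

The selector check only tells you whether traffic will reach the hub's tunnel; the VPN-to-VPN firewall rule created on the hub in its Step 1 is what then lets the forwarded traffic through to the other spoke.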
Configuring Connection at Houston branch (Spoke)

Configuration parameters - Houston Branch (Cyberoam_br1)

Preshared key: Houston_key
Local Network details
  Local Server (WAN IP address): 202.10.10.10
  Local LAN address: 5.5.5.0/16
  Local ID: john@elitecore.com
Remote Network details
  Remote VPN server (Hub IP address): 202.11.11.11
  Remote LAN Network: 10.10.10.0/24 (Dallas Network), 192.168.1.0/24 (New York Network)
  Remote ID: dean@elitecore.com

Step 1: Create VPN Policy

Go to VPN > Policy > Create Policy and create a policy with the following values:

Policy Name: hub_spoke_policy
Using Template: None
Keying Method: Automatic
Allow Re-keying: Yes
Pass Data In Compressed Format: Yes
Perfect Forward Secrecy (PFS): Yes
Key life: 28800 secs
Action When Peer Is Not Active: Restart

Change other values as per your requirements.

Step 2: Create IPSec connection

Go to VPN > IPSec Connection > Create Connection and create a connection with the
following values:

Connection name: Houston_NY
Policy: hub_spoke_policy
Action on restart: As required
Mode: Tunnel
Connection Type: Net to Net
Authentication Type: Preshared key
Preshared key: Specify the preshared key. Forward this key to the remote peer, i.e. Cyberoam_ho.
Local server IP address (WAN IP address): 202.10.10.10
Local LAN Network: 5.5.5.0/16
Local ID: john@elitecore.com
Remote server IP address: 202.11.11.11
Remote LAN Network: 10.10.10.0/24, 192.168.1.0/24
Remote ID: dean@elitecore.com
User Authentication Mode: As required
Protocol: As required

Step 3: Activate Connection

Go to VPN > IPSec Connection > Manage Connection and click the activation icon under
Connection Status against the Houston_NY connection.

The icon under Connection Status then indicates that the connection is successfully activated.

Configuring Connection at Dallas branch (Spoke)

Configuration parameters - Dallas Branch (Cyberoam_br2)

Preshared key: Dallas_key
Local Network details
  Local Server (WAN IP address): 202.12.12.12
  Local LAN address: 10.10.10.0/24
  Local ID: mathews@elitecore.com
Remote Network details
  Remote VPN server (Hub IP address): 202.11.11.11
  Remote LAN Network: 5.5.5.0/16 (Houston Network), 192.168.1.0/24 (New York Network)
  Remote ID: anthony@elitecore.com

Step 1: Create VPN Policy

Go to VPN > Policy > Create Policy and create a policy with the following values:

Policy Name: hub_spoke_policy
Using Template: None
Keying Method: Automatic
Allow Re-keying: Yes
Pass Data In Compressed Format: Yes
Perfect Forward Secrecy (PFS): Yes
Key life: 28800 secs
Action When Peer Is Not Active: Restart

Change other values as per your requirements.

Step 2: Create IPSec connection

Go to VPN > IPSec Connection > Create Connection and create a connection with the
following values:

Connection name: Dallas_NY
Policy: hub_spoke_policy
Action on restart: As required
Mode: Tunnel
Connection Type: Net to Net
Authentication Type: Preshared key
Preshared key: Specify the preshared key. Forward this key to the remote peer, i.e. Cyberoam_ho.
Local server IP address (WAN IP address): 202.12.12.12
Local LAN Network: 10.10.10.0/24
Local ID: mathews@elitecore.com
Remote server IP address: 202.11.11.11
Remote LAN Network: 5.5.5.0/16, 192.168.1.0/24
Remote ID: anthony@elitecore.com
User Authentication Mode: As required
Protocol: As required

Step 3: Activate Connection

Go to VPN > IPSec Connection > Manage Connection and click the activation icon under
Connection Status against the Dallas_NY connection.

The icon under Connection Status then indicates that the connection is successfully activated.

Note
Only one connection can be active at a time if connections of both types, Digital
Certificate and Preshared Key, are created with the same source and destination. In that
situation you will receive the error "unable to activate connection" at activation time, and
you must deactivate all other such connections first.

Configuring Connection at New York (Hub)

Step 1: Create VPN zone firewall rule (only for version 9.5.8 build 24 onwards)

Go to Firewall > Create Rule and create a rule with the following values:

Source: VPN - Any Host
Destination: VPN - Any Host
Service/Service Group: All Services
Apply Schedule: All the Time
Action: Accept

Step 2: Create VPN Policy

Go to VPN > Policy > Create Policy and create a policy with the following values:

Policy Name: hub_spoke_policy
Using Template: None
Keying Method: Automatic
Allow Re-keying: Yes
Pass Data In Compressed Format: Yes
Perfect Forward Secrecy (PFS): Yes
Action When Peer Is Not Active: Hold

Change other values as per your requirements.

Step 3: Create IPSec connection for Houston branch

Configuration parameters - New York to Houston

Preshared key: Houston_key
Local Network details
  Local Server (WAN IP address): 202.11.11.11
  Local LAN address: 192.168.1.0/24, 10.10.10.0/24
  Local ID: dean@elitecore.com
Remote Network details
  Remote VPN server (Houston): 202.10.10.10
  Remote LAN Network: 5.5.5.0/16
  Remote ID: john@elitecore.com

Go to VPN > IPSec Connection > Create Connection and create a connection with the
following values:

Connection name: NY_Houston
Policy: hub_spoke_policy
Action on restart: As required
Mode: Tunnel
Connection Type: Net to Net
Authentication Type: Preshared key
Preshared key: Specify the preshared key. Forward this key to the remote peer, i.e. Cyberoam_br1.
Local server IP address (WAN IP address): 202.11.11.11
Local LAN Network: 10.10.10.0/24, 192.168.1.0/24
Local ID: dean@elitecore.com
Remote server IP address: 202.10.10.10
Remote LAN Network: 5.5.5.0/16
Remote ID: john@elitecore.com
User Authentication Mode: As required
Protocol: As required

Step 4: Activate Connection

Go to VPN > IPSec Connection > Manage Connection and click the activation icon under
Connection Status against the NY_Houston connection.

The icon under Connection Status then indicates that the connection is successfully activated.

Step 5: Create IPSec connection for Dallas branch

Configuration parameters - New York to Dallas

Preshared key: Dallas_key
Local Network details
  Local Server (WAN IP address): 202.11.11.11
  Local LAN address: 192.168.1.0/24, 5.5.5.0/16
  Local ID: anthony@elitecore.com
Remote Network details
  Remote VPN server (Houston): 202.12.12.12
  Remote LAN Network: 10.10.10.0/24
  Remote ID: mathews@elitecore.com

Go to VPN > IPSec Connection > Create Connection and create a connection with the
following values:

Connection name: NY_Dallas
Policy: hub_spoke_policy
Action on restart: As required
Mode: Tunnel
Connection Type: Net to Net
Authentication Type: Preshared key
Preshared key: Specify the preshared key. Forward this key to the remote peer, i.e. Cyberoam_br2.
Local server IP address (WAN IP address): 202.11.11.11
Local LAN Network: 5.5.5.0/16, 192.168.1.0/24
Local ID: anthony@elitecore.com
Remote server IP address: 202.12.12.12
Remote LAN Network: 10.10.10.0/24
Remote ID: mathews@elitecore.com
User Authentication Mode: As required
Protocol: As required

Step 6: Activate Connection

Go to VPN > IPSec Connection > Manage Connection and click the activation icon under
Connection Status against the NY_Dallas connection.

The icon under Connection Status then indicates that the connection is successfully activated.

Note
Only one connection can be active at a time if connections of both types, Digital
Certificate and Preshared Key, are created with the same source and destination. In that
situation you will receive the error "unable to activate connection" at activation time, and
you must deactivate all other such connections first.

Step 7: Establish Connections

Once all three appliances are configured, you can establish each connection from either end
of it.

Go to VPN > IPSec Connection > Manage Connection and click the connect icon against the
connection. The icon under Connection Status then indicates that the connection is successfully
established.

If you are not able to establish the connection, check the VPN log from the Telnet Console.
Refer to the VPN Troubleshooting Guide for log explanations and error solutions.

Testing Connection

To check the connectivity between the New York office and the Houston branch and vice versa:
  ping the Cyberoam_br1 LAN interface from the Cyberoam_ho LAN interface
  ping the Cyberoam_ho LAN interface from the Cyberoam_br1 LAN interface

To check the connectivity between the New York office and the Dallas branch and vice versa:
  ping the Cyberoam_br2 LAN interface from the Cyberoam_ho LAN interface
  ping the Cyberoam_ho LAN interface from the Cyberoam_br2 LAN interface

To check the connectivity between the Houston branch and the Dallas branch and vice versa:
  ping the Cyberoam_br2 LAN interface from the Cyberoam_br1 LAN interface
  ping the Cyberoam_br1 LAN interface from the Cyberoam_br2 LAN interface

Reference Documents
VPN Troubleshooting Guide

Document version: 96016-2.0-05/06/2009
