2. The IP address ranges configured for L2TP and PPTP must not be the same.
5. An L2TP connection lives until the Key Life specified in the connection expires. On key expiry the server disconnects the connection immediately, but the client takes a few minutes to get disconnected.
6. In Windows 2000, only the Digital Certificate authentication type is supported for L2TP connections.
7. In Windows 2000, the Preshared Key authentication type is not supported for L2TP connections.
8. Both the Digital Certificate and Preshared Key authentication types are supported for L2TP connections in Windows XP and above.
9. Cyberoam IPSec VPN Client requires:
o Service Pack (SP) 4 for Windows 2000
o Service Pack (SP) 2 for Windows XP
10. If two connections are created with different authentication types, i.e. Preshared Key and Digital Certificate, only one connection can be ‘Active’ at a time.
11. Do not include a blank (space) as the leading character of the preshared key; Cyberoam ignores a leading blank if one is included.
12. The Certificate Authority and Certificates are generated in tar.gz form. Unzip/extract them with WinRAR before use.
13. Mail the remote peer only the certificate whose Certificate ID matches the Remote ID specified in the connection.
14. When Cyberoam is behind a NAT box:
o Create a Port Forward rule for UDP ports 500 and 4500.
o Configure the Local and Remote ID to avoid the “invalid id information or no proposal chosen” error.
15. It is very important that the local and remote VPN servers have the same time zone and time settings. Without these, key expiration is not handled properly.
16. Set ‘Re-Key’ to ‘Yes’ on either or both servers to reduce the chance of Site-to-Site disconnection on key expiry.
18. VPN connectivity between Cyberoam and an IPSec VPN server (remote server) can be established only when Cyberoam is functioning as a gateway and the IPSec VPN server’s WAN interface is bound to a public IP address.
19. For a Site-to-Site connection, the network subnets configured on the two VPN servers must be different.
20. For Road Warrior connectivity with Cyberoam, if the road warrior is behind a NAT box, configure different internal network subnets at the two ends.
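Notes 2, 19 and 20 are all addressing constraints that are cheap to verify before a connection is saved. The pre-flight check below is an added example, not Cyberoam code: it accepts pools either as CIDR or as "start-end" ranges, using only the standard-library ipaddress module, and reports any pair that overlaps (identical subnets are the special case of full overlap). The sample addresses in the usage call are constructed.

```python
"""Pre-flight check for the VPN addressing rules: L2TP and PPTP pools must not
overlap, and local/remote subnets of a Site-to-Site (or NAT'd Road Warrior)
connection must differ. Added example, not part of the Cyberoam product."""
import ipaddress
from typing import List


def parse_range(text: str) -> List[ipaddress.IPv4Network]:
    """Accept '10.1.1.0/24' or '10.1.1.10-10.1.1.50' and return it as a list
    of networks, so both styles of pool definition can be compared uniformly."""
    text = text.strip()
    if "-" in text:
        start_s, end_s = (p.strip() for p in text.split("-", 1))
        start, end = ipaddress.IPv4Address(start_s), ipaddress.IPv4Address(end_s)
        return list(ipaddress.summarize_address_range(start, end))
    return [ipaddress.IPv4Network(text, strict=False)]


def ranges_overlap(a: str, b: str) -> bool:
    """True if the two ranges share at least one address."""
    nets_a, nets_b = parse_range(a), parse_range(b)
    return any(x.overlaps(y) for x in nets_a for y in nets_b)


def check_vpn_addressing(l2tp_pool: str, pptp_pool: str,
                         local_subnet: str, remote_subnet: str) -> List[str]:
    """Return a list of rule violations (empty list means the plan is clean)."""
    problems = []
    if ranges_overlap(l2tp_pool, pptp_pool):
        problems.append("note 2: L2TP and PPTP IP address ranges overlap")
    if ranges_overlap(local_subnet, remote_subnet):
        problems.append("notes 19/20: local and remote network subnets overlap")
    return problems


if __name__ == "__main__":
    # Constructed sample: the two client pools collide, the site subnets are fine.
    for p in check_vpn_addressing("10.1.1.10-10.1.1.50", "10.1.1.40-10.1.1.80",
                                  "192.168.1.0/24", "192.168.2.0/24"):
        print("PROBLEM:", p)
```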
21. Use different remote-IDs if you are creating multiple Site-to-Site connections with different preshared keys. If the same remote-IDs are used, the following errors are logged:
o "Jan 27 08:04:44 1169870684 pluto: "JafztoBurdxb-1" #264: multiple ipsec.secrets entries with distinct secrets match endpoints:first secret used"
o "malformed payload in packet"
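The pluto messages quoted in note 21, and the "invalid id information or no proposal chosen" error from note 14, are all symptoms with a known configuration fix, so they are worth picking out of the VPN log automatically. The triage script below is an added example, not a Cyberoam tool: it parses the `pluto: "<connection>" #<state>: <message>` format visible in the quoted line, groups hits by connection name, and maps each message to the note on this page that addresses it. The sample log lines are constructed; the first follows the line quoted above and the others reuse the same format with the error strings this page mentions.

```python
"""Triage Cyberoam/pluto VPN log lines against the configuration notes on this
page. Added example; the log sample is constructed for illustration."""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample log. Line 1 is the error quoted in note 21; the remaining
# lines reuse the same pluto format with the other error texts from this page.
SAMPLE_LOG = """\
Jan 27 08:04:44 1169870684 pluto: "JafztoBurdxb-1" #264: multiple ipsec.secrets entries with distinct secrets match endpoints:first secret used
Jan 27 08:04:45 1169870684 pluto: "JafztoBurdxb-1" #264: malformed payload in packet
Jan 27 08:05:02 1169870702 pluto: "HQ-to-Branch" #271: no proposal chosen
Jan 27 08:05:10 1169870710 pluto: "HQ-to-Branch" #272: initiating Main Mode
"""

# Timestamp, optional epoch field, then: pluto: "<conn>" #<state>: <msg>
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?:\d+ )?pluto: '
    r'"(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$'
)

# Substring of the pluto message -> the note on this page that fixes it.
SIGNATURES = {
    "multiple ipsec.secrets entries with distinct secrets":
        "note 21: use a distinct remote-ID for each Site-to-Site connection "
        "that has its own preshared key",
    "malformed payload in packet":
        "note 21: same remote-ID reused across connections with different PSKs",
    "invalid id information":
        "note 14: configure Local and Remote ID (Cyberoam behind a NAT box)",
    "no proposal chosen":
        "note 14: configure Local and Remote ID (Cyberoam behind a NAT box)",
}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one pluto line into its fields, or None if it is not a pluto line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each connection name to the advisories raised by its log lines.
    Connections with no recognised error do not appear in the result."""
    findings: Dict[str, List[str]] = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for needle, advice in SIGNATURES.items():
            if needle in rec["msg"]:
                findings[rec["conn"]].append(f"#{rec['state']}: {advice}")
    return dict(findings)


if __name__ == "__main__":
    for conn, items in triage(SAMPLE_LOG).items():
        print(conn)
        for item in items:
            print("  ", item)
```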
22. To avoid frequent VPN disconnection when DoS protection is enabled, bypass the VPN peer’s IP address from DoS at both ends. If the peer IP address is not bypassed, Dead Peer Detection is blocked and the connection is frequently dropped.
23. If Dead Peer Detection is enabled in the VPN IPSec policy, set ‘Action When Peer Unreachable’ to:
· ‘Re-Initiate’ for a Site-to-Site connection when either or both peers are assigned a dynamic IP address (recommended).
25. All Remote Access VPN connections (Road Warrior or L2TP) must share the same Preshared Key (PSK). Cyberoam does not allow you to add a new Remote Access VPN connection with a PSK different from that of the existing connections, and if you update the PSK of an existing connection, the PSK of all other existing connections is updated to the new value.
For example, consider the Remote Access VPN connections IPSec1, IPSec2 and L2TP1, all with PSK ‘abc’.
Action 1: Add another connection, L2TP2, with PSK ‘xyz’.
Result: Error. Cyberoam rejects the action.
Action 2: Update IPSec2 with PSK ‘xyz’.
Result: The PSK of all connections (IPSec1, IPSec2 and L2TP1) is updated to ‘xyz’.
Document Version 3.3 - 16 June, 2014