Scenario
Cyberoam must pass (bypass) the IPSec VPN traffic between Site A and Site B, that is, between Router A and Firewall B, where Firewall B sits behind Cyberoam on the LAN. The network schema is as given below.
Configuration
Cyberoam can pass IPSec VPN traffic through if UDP port 500 (IKE) and UDP port 4500 (IKE NAT-Traversal) are open on both the WAN and LAN sides. To open the ports, follow the steps given below. The configuration is done from the Web Admin Console using an Administrator profile.
How To Bypass IPSec VPN Traffic
Step 1: Create Virtual Host for UDP port 500
Go to Firewall > Virtual Host > Virtual Host and click Add to create a new virtual host with the parameters given below.
Parameter: Value
    Description
Name: UDP_Port_500
    Name to identify the Virtual Host.
External IP: #PortC 10.10.1.1
    External IP address through which Internet users access the internal server/host.
Mapped IP: 172.16.16.20
    Mapped IP address of the internal server/host.
Physical Zone: LAN
    LAN, WAN, DMZ, VPN or custom zone of the mapped IP address; for an internal server, the zone in which the server physically resides.
Port Forwarding: Enable Port Forwarding (enabled)
    Click to enable service port forwarding.
Protocol: UDP
    Protocol (TCP or UDP) that the forwarded packets use.
Port Type: Port
    Specifies whether the port mapping is a single port or a range of ports.
External Port: 500
    Public port number for which port forwarding is configured.
Mapped Port: 500
    Port number on the destination network to which the public port is mapped.
Step 2: Add Firewall Rule
On clicking OK, a screen is displayed prompting you to create Firewall Rules that allow access to the virtual host just created.
Enable Add Firewall Rule(s) For Virtual Host, set the parameters shown on the screen as required, and click Add Rule(s) to add the firewall rule. The resulting rule forwards UDP port 500 traffic arriving on the WAN side to port 500 of the mapped host on the LAN side. Where Router A's WAN address is known, restrict the rule's source to that address rather than leaving it open to any WAN host, so that only the intended peer can reach Firewall B's IKE service.
Step 3: Create Virtual Host for UDP port 4500
Go to Firewall > Virtual Host > Virtual Host and click Add to create a new virtual host with the parameters given below.
Parameter: Value
    Description
Name: UDP_Port_4500
    Name to identify the Virtual Host.
External IP: #PortC 10.10.1.1
    External IP address through which Internet users access the internal server/host.
Mapped IP: 172.16.16.20
    Mapped IP address of the internal server/host.
Physical Zone: LAN
    LAN, WAN, DMZ, VPN or custom zone of the mapped IP address; for an internal server, the zone in which the server physically resides.
Port Forwarding: Enable Port Forwarding (enabled)
    Click to enable service port forwarding.
Protocol: UDP
    Protocol (TCP or UDP) that the forwarded packets use.
Port Type: Port
    Specifies whether the port mapping is a single port or a range of ports.
External Port: 4500
    Public port number for which port forwarding is configured.
Mapped Port: 4500
    Port number on the destination network to which the public port is mapped.
Step 4: Add Firewall Rule
On clicking OK, a screen is displayed prompting you to create Firewall Rules that allow access to the virtual host just created.
Enable Add Firewall Rule(s) For Virtual Host, set the parameters shown on the screen as required, and click Add Rule(s) to add the firewall rule. The resulting rule forwards UDP port 4500 traffic arriving on the WAN side to port 4500 of the mapped host on the LAN side. As in Step 2, restrict the source to Router A's WAN address where it is known.
Note:
Ensure that matching Firewall Rules exist in the other direction, allowing UDP ports 500 and 4500 from the LAN side (Firewall B, 172.16.16.20) to ports 500 and 4500 respectively on the WAN side; without them Firewall B cannot initiate the tunnel. Because Cyberoam translates the addresses of the IKE exchange, Router A and Firewall B will detect a NAT between them and carry ESP inside UDP port 4500 (NAT-Traversal) instead of as raw IP protocol 50, which these virtual hosts do not forward; both peers must therefore support NAT-T, and only one IPSec peer can be mapped behind the external IP 10.10.1.1 in this way.
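The following script replays the configuration built in Steps 1 to 4 and the note above against sample packets, so you can see which traffic Cyberoam forwards: IKE and NAT-T from either side traverse, while raw ESP and unrelated ports are dropped. It is an added example written for this article, not Cyberoam code. Router A's WAN address (10.10.1.2), the /24 masks of the two zones, matching of rules on the post-DNAT destination and the reverse NAT of the mapped host to the external IP are assumptions; the two virtual hosts, the mapped host and the rules come from the article.

```python
"""Replay of this article's virtual hosts and firewall rules against sample packets.

Added example, not Cyberoam code.  Assumptions (not stated in the article):
Router A's WAN address 10.10.1.2, /24 masks on both zones, rule matching on the
post-DNAT destination, and reverse SNAT of the mapped host to the external IP.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple
import ipaddress

UDP, ESP = 17, 50

# Zone membership by subnet. 10.10.1.1 is #PortC (WAN) and 172.16.16.20 is
# Firewall B on the LAN, both from the article's tables; the masks are assumed.
ZONES = {
    "WAN": ipaddress.ip_network("10.10.1.0/24"),
    "LAN": ipaddress.ip_network("172.16.16.0/24"),
}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None   # None for port-less protocols such as ESP
    dport: Optional[int] = None

@dataclass(frozen=True)
class VirtualHost:
    name: str
    external_ip: str
    mapped_ip: str
    proto: int
    external_port: int
    mapped_port: int

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: int
    dport: int

# Steps 1 and 3: the two virtual hosts.
VIRTUAL_HOSTS = [
    VirtualHost("UDP_Port_500", "10.10.1.1", "172.16.16.20", UDP, 500, 500),
    VirtualHost("UDP_Port_4500", "10.10.1.1", "172.16.16.20", UDP, 4500, 4500),
]

# Steps 2 and 4 (WAN -> LAN) plus the LAN -> WAN rules from the closing note.
RULES = [
    Rule("WAN", "LAN", UDP, 500), Rule("WAN", "LAN", UDP, 4500),
    Rule("LAN", "WAN", UDP, 500), Rule("LAN", "WAN", UDP, 4500),
]

def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    raise ValueError(f"{ip} is in no configured zone")

def apply_dnat(pkt: Packet) -> Packet:
    """Rewrite the destination of a WAN packet that hits a virtual host."""
    for vh in VIRTUAL_HOSTS:
        if (pkt.dst, pkt.proto, pkt.dport) == (vh.external_ip, vh.proto, vh.external_port):
            return replace(pkt, dst=vh.mapped_ip, dport=vh.mapped_port)
    return pkt

def apply_snat(pkt: Packet) -> Packet:
    """Outbound packets from the mapped host leave with the external IP (assumed)."""
    for vh in VIRTUAL_HOSTS:
        if pkt.src == vh.mapped_ip:
            return replace(pkt, src=vh.external_ip)
    return pkt

def traverse(pkt: Packet) -> Tuple[str, Packet]:
    """Verdict and forwarded form of one packet entering Cyberoam; default is DROP."""
    ingress = zone_of(pkt.src)
    if ingress == "WAN":
        pkt = apply_dnat(pkt)
    egress = zone_of(pkt.dst)
    for rule in RULES:
        key = (rule.src_zone, rule.dst_zone, rule.proto, rule.dport)
        if key == (ingress, egress, pkt.proto, pkt.dport):
            return "ACCEPT", (apply_snat(pkt) if egress == "WAN" else pkt)
    return "DROP", pkt

def pass_through_complete(router_a: str, firewall_b: str, external_ip: str) -> bool:
    """True when IKE (500) and NAT-T (4500) are accepted in both directions,
    i.e. either peer can initiate the tunnel through Cyberoam."""
    inbound = [Packet(router_a, external_ip, UDP, p, p) for p in (500, 4500)]
    outbound = [Packet(firewall_b, router_a, UDP, p, p) for p in (500, 4500)]
    return all(traverse(p)[0] == "ACCEPT" for p in inbound + outbound)

if __name__ == "__main__":
    # Constructed sample packets; 10.10.1.2 as Router A is an assumption.
    samples: List[Packet] = [
        Packet("10.10.1.2", "10.10.1.1", UDP, 500, 500),     # IKE from Router A
        Packet("10.10.1.2", "10.10.1.1", UDP, 4500, 4500),   # NAT-T from Router A
        Packet("10.10.1.2", "10.10.1.1", ESP),               # raw ESP from Router A
        Packet("172.16.16.20", "10.10.1.2", UDP, 500, 500),  # IKE from Firewall B
        Packet("172.16.16.20", "10.10.1.2", UDP, 53, 53),    # unrelated UDP
    ]
    for s in samples:
        verdict, fwd = traverse(s)
        print(f"{verdict:6} {s.src}->{s.dst} proto {s.proto} dport {s.dport} "
              f"=> {fwd.src}->{fwd.dst}:{fwd.dport}")
    print("pass-through complete:",
          pass_through_complete("10.10.1.2", "172.16.16.20", "10.10.1.1"))
```

Removing either LAN -> WAN rule from RULES makes pass_through_complete return False, which is the misconfiguration the note warns about; the raw ESP sample shows why the peers must fall back to UDP-encapsulated ESP on port 4500.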