How to Configure a Site-to-Site IPsec IKEv2 VPN Tunnel on SecureEdge Using Static Routing

The Barracuda SecureEdge Manager allows you to configure a site-to-site IPsec IKEv2 tunnel on SecureEdge devices. You can connect to remote appliances or to third-party deployments that are capable of using IPsec IKEv2. IPsec IKEv2 tunnels can be created on all types of site devices, hardware or virtual. However, they cannot be created on IoT devices such as the Barracuda Secure Connector. You can also configure IPsec tunnels for all Edge Services:  the Hosted Edge Service, Private Edge Service, and Edge Service for Virtual WAN. You can configure IKEv2 tunnels both for static routing and dynamic routing, where the remote networks will be propagated within SecureEdge via the Border Gateway Protocol (BGP). Only one IPsec IKEv2 tunnel can be configured for the same source and destination in the SecureEdge Manager.

Requirements and Limitations

• For IPsec traffic, do not configure your SD-WAN policy with ACTION set to PIN; otherwise, site-to-site traffic over IPsec tunnels might be blocked.
• If you want to connect the stand-alone site to the Edge Service for vWAN for an IPsec tunnel using BGP, you must first delete the stand-alone site configuration completely and re-configure the same settings via the new site setup wizard.
• If you configure an IPsec IKEv2 VPN tunnel with BGP enabled, you can add more than one destination. However, you must ensure that two destinations of the same tunnel do not have the same remote gateway value.

Step 1. Create an IKEv2 IPsec Tunnel on SecureEdge

1. Go to https://se.barracudanetworks.com and log in with your existing Barracuda Cloud Control account.

2. In the left menu, click the Tenants/Workspaces icon and select the workspace you want to configure the IPSec IKEv2 tunnel for.

3. Go to Integration > IPsec VPN.
   

4. The IPsec VPN page opens. To add tunnel, click Add IPsec Tunnel.
   

5. The Create IPsec Tunnel window opens. 
6. In the General tab, specify values for the following:
   
   • Enable – Click to enable/disable tunnel status.
   • Initiates – Initiates tunnel. Click to enable/disable.
     
     • If enabled, the appliance is the active unit and continuously attempts to connect to the remote VPN gateway until a VPN tunnel is established. 
     • If disabled, the appliance is the passive unit and waits for connection attempts from the remote VPN gateway.
   In the GENERAL  INFORMATION section, specify values for the following: 
   
   • Name – Enter a unique tunnel name.
   • Description – Enter a brief description.
   In the AUTHENTICATION section, specify values for the following: 
   
   • Authentication – Select the authentication method from the drop-down menu.

   • Shared Secret – Enter the shared secret to use a shared passphrase to authenticate.

     The shared secret can consist of small and capital characters, numbers, and non-alphanumeric symbols, except the hash sign (#).

     

7. Click Next.
8. In the Source/Destination tab, specify values for the following:
   • Enable BGP – Click to disable.
   In the SOURCE section, specify values for the following
   
   • Type – Select the type from the drop-down list. You can choose either Edge Service or Site.
   • Peer – Select the peer from the drop-down list.
   • WAN Interface – Select the WAN interface from the drop-down list.
   • Local ID – Enter the local ID.
   • Network Addresses – Add the IP address of the local network, and click +.
   In the DESTINATION section, specify values for the following:
   
   • Remote Gateway – Enter a remote gateway.
   • Remote ID – Enter a unique ID. VPN tunnels without remote ID will not establish successfully.
   • Network Address – Add the IP address of the remote network, and click +.
     
9. Click Next.
10. In the Phases tab, specify values for the following:
    In the PHASE 1 section, specify the values for the following: 
    • Encryption – Select the encryption algorithm from the drop-down list. You can choose between AES, 3DES, Blowfish, or AES256.
    • Hash – Select the hashing algorithm from the drop-down list. You can choose between MD5, SHA, SHA256, or SHA512.
    • DH-Group – Select the Diffie-Hellman Group from the drop-down list. Supported groups are: 1, 2, 5, 14 - 24.
    • Proposal Handling – Select the proposal handling from the drop-down list. You can choose between the following: 
      • Strict – The effective encryption is strictly determined by the proposed set of Encryption, Hash and Group. The communication partner must agree with the proposed set; otherwise, no communication will be established due to a missing common encryption agreement.
      • Negotiate – This option lets a communication partner decrease the strength of the encryption if it cannot support the proposed encryption from the initiator.
    • Lifetime – Enter the number of seconds until the IPsec SA is re-keyed. Default: 28800


    In the PHASE 2 section, specify the values for the following: 
    • Encryption – Select the encryption algorithm from the drop-down list. You can choose between AES, 3DES, Blowfish, or AES256.

    • Hash – Select the hashing algorithm from the drop-down list. You can choose between MD5, SHA, SHA256, SHA512, or GCM.

      Note that the GCM hash algorithm can be used only in combination with one of the AES encryption algorithms (such as AES, AES256, or AES512).

    • DH-Group – Select the Diffie-Hellman Group from the drop-down list. You can choose either Disable PFS or supported groups. Supported groups are: 1, 2, 5, 14 - 24.
    • Proposal Handling – Select the proposal handling from the drop-down list. You can choose between the following:
      • Strict – The effective encryption is strictly determined by the proposed set of Encryption, Hash and Group. The communication partner must agree with the proposed set; otherwise, no communication will be established due to a missing common encryption agreement.
      • Negotiate – This option lets a communication partner decrease the strength of the encryption if it cannot support the proposed encryption from the initiator.
    • Life time – Enter the number of seconds until the IPsec SA is re-keyed. Default: 3600.
    • Traffic Volume Enabled – Click to enable/disable. 
      • If enabled, specify the value for the following:
        • Traffic Volume KB –  Enter the number of KB after which the IPsec SA is re-keyed.
          
11. Click Next. 
12. In the Network tab, specify the values for the following:
    In the NETWORK SETTINGS section, specify the values for the following: 
    
    • One VPN Tunnel Per Subnet Pair – Click to enable/disable. This creates a dedicated security association for each subnet pair. 
    • Universal Traffic Selectors – Click to enable/disable. Instruct peer to route all traffic into tunnel. 
    • Force UDP Encapsulation – Click to enable/disable. Use UDP encapsulation (4500) for ESP traffic even if no NAT is detected. 

    • IKE Reauthentication – Click to enable/disable. Reauthenticate during every IKE rekeying. This setting must be disabled if the remote device is a Microsoft Azure Dynamic VPN Gateway. 

    In the DEAD PEER DETECTION section, specify the values for the following: 
    • Action When Detected – Select the action from the drop-down list. You can choose between the following:

      • None – Disable DPD.

      • Clear – Connection with the dead peer is stopped, and routes removed.

      • Restart – Connection is restarted.

    • Delay – Enter the number of seconds after which an empty INFORMATIONAL message is sent to check if the remote peer is still available. Note: DPD Delay is required when detected DPD action is set anything other than None.
    
13. Click Save.
14. Verify that your IPsec tunnel configuration has been created successfully and click Finish.

After the configuration is complete, you can see a new IPsec tunnel is shown on the IPsec VPN page, and the status of the field names (e.g., Enabled) can be verified.

(Optional) Restart the IPsec Tunnel

If you must restart the IPsec tunnel, proceed with the following steps:

1. On the IPsec VPN page, click the icon of three vertical dots to restart the IPsec tunnel.
   

2. Click Restart the IPsec Tunnel.

   To restart the IPsec tunnel that is not initiated from the SecureEdge Manager, you may need to initiate the remote-side tunnel to bring the IPsec tunnel back up.

(Optional) Edit Visible Columns 

1. To get more detailed information on IPsec VPN, click Edit columns. 
   
2. The Edit Visible Columns page opens.
   
3. Select the field names you wish to display the columns for, and click Save.

Step 2. Create an IPsec Tunnel with the Remote Appliance

Configure the remote appliance or third-party VPN gateway with the same settings. Only the local and remote networks and the IP address for the remote VPN gateway must be interchanged. You can create a pass access rule on the remote appliance to allow traffic through the VPN tunnel.

Monitoring a VPN Site-to-Site Tunnel

To verify that the VPN tunnel was initiated successfully and traffic is flowing, proceed with the following steps:

1. Go to https://se.barracudanetworks.com and log in with your existing Barracuda Cloud Control account.
2. In the left menu, click the Tenants/Workspaces icon and select the workspace containing your site. 
3. Go to Infrastructure > Sites. The Sites page opens.
4. Select the site you want to verify the status for. Click on the arrow icon next to the site.
   
5. In the Site menu, the Dashboard page opens. You can see the status of all VPN tunnels for the corresponding sites.
   

Edit an Existing IPsec VPN Tunnel

1. Go to https://se.barracudanetworks.com and log in with your existing Barracuda Cloud Control account.

2. In the left menu, click the Tenants/Workspaces icon and select the workspace you want to edit the IPsec IKEv2 tunnel for.

3. Go to Integration > IPsec VPN.

4. The IPsec VPN page opens.  Click on the pencil icon next to the IPsec IKEv2 tunnel you want to edit.
   

5. The Edit IPsec Tunnel window opens. Edit the value you are interested in.

6. Click Save.

Remove an Existing IPsec VPN Tunnel

1. Go to https://se.barracudanetworks.com and log in with your existing Barracuda Cloud Control account.

2. In the left menu, click the Tenants/Workspaces icon and select the workspace you want to remove the IPsec IKEv2 tunnel for.

3. Go to Integration > IPsec VPN.

4. The IPsec VPN page opens.  Click on the trashcan icon next to the IPsec IKEv2 tunnel you want to remove.
   
5. The Delete IPsec Tunnel <Name of Tunnel> window opens.
   
6. Click Ok to confirm.