The following tables provide a complete overview of all TINA tunnel and transport settings.
Tunnel Settings
Networks
Setting | Description |
Scheme | Select a configured scheme for local networks. |
Local Networks | Click + to add the local networks that should be able to reach the peer networks. You can enter a list of networks or single IP addresses. Because these networks are typically shared by several tunnels, they can be defined once in a Local Networks scheme and referenced from the individual tunnel configurations. After typing an address, press Enter. |
Remote Networks | Click + to add the shared networks of the remote peer. After typing an address, press Enter. |
Transports
Setting | Description |
Transports | Click + to add a VPN tunnel transport. For information on how to configure transport details, see the Transport Settings section below. |
Advanced
Setting | Description |
Packet Balancing inside a Provider Class | Enables/disables packet-based traffic balancing over multiple ISP connections. This only works for transports within the same SD-WAN class. For more information, see How to Configure Packet-Based Balancing for VPN Tunnels with SD-WAN. |
Use Dynamic Mesh | Enable to allow this CloudGen Firewall to create and accept dynamic VPN tunnels. For more information, see Dynamic Mesh VPN Networks. |
Dynamic Mesh Timeout | Dynamic tunnels are terminated after the timeout (in seconds) passes without traffic being sent through the VPN tunnel. |
VPN Interface Index | By default, the tunnel is fed through vpn0. To use another VPN interface, enter it in this field. |
Transport Settings
Basic
Setting | Description |
Call Direction | Select whether the local VPN endpoint is active or passive. Active: an active VPN server accepts tunnel requests and also initiates the tunnel connection itself. When the tunnel has been down for a defined time, it clears its state so that it accepts retries from its partner, and it also tries to re-initiate the connection on its own. |
Enable this Transport | The transport is enabled while this check box is selected. Clear it to disable the transport manually. |
SD-WAN Class | Assign a class for each transport, or select from the list of configured providers. For the first transport, only provider or class 'Bulk' is allowed. Further transports can be classified individually. |
Transport | The transport type for the tunnel. You can select one of the following options: |
Encryption | The data encryption algorithm. You can select one of the following options: |
Authentication | The hashing algorithm for the VPN tunnel. You can select one of the following options: |
Peers
Setting | Description |
Endpoint Type | Select whether IPv4 or IPv6 addresses are used for the VPN tunnel envelope (the outer, encapsulating connection). |
Transport Source | Select the IP address that will be used for establishing a VPN tunnel/transport. |
Explicit IP or Interface | Set a default explicit address or interface instead of a predefined one. |
Remote Peer | Add one or more IP addresses or hostnames to connect to. |
Identity
Setting | Description |
Identification Type | From the list, select one of the following options to specify whether a public key or a certificate is used: |
Local / Remote | For certificates, configure the Server Certificate and/or Server Protocol Key settings to select the certificate and protocol key. |
SD-WAN
From the SD-WAN - Bandwidth Protection and SD-WAN - VPN Envelope Protection tabs, configure the SD-WAN settings for the tunnel. For more information, see SD-WAN.
SD-WAN - Bandwidth Protection
Setting | Description |
Dynamic Bandwidth Detection | When using traffic shaping, select the monitoring policy. For more information, see SD-WAN. |
Bandwidth Policy | Choose a policy that defines how traffic shaping is applied: |
Estimated Bandwidth | Enter the outbound bandwidth in kbit/s. |
Inbound/Reverse | Enter the inbound bandwidth in kbit/s or |
Upper Limit | Define an upper limit in percent of the available bandwidth (default: 20). |
Low Priority Upper Limit | Define the upper limit for low-priority traffic in percent of the available bandwidth (default: 60). |
SD-WAN - VPN Envelope Protection
Setting | Description |
TOS Policy | Specifies how the Type of Service (ToS) field in a packet's IP header is handled. Networks may use the ToS to decide how a datagram is treated in transit; once the packet is enveloped in the VPN transport, the inner ToS is no longer visible to the transport network unless it is carried in the envelope. You can select one of the following options: |
Envelope TOS Value | Enter the fixed ToS value. The same ToS information is then assigned to all envelope packets. For example:
For more information about precedence values, see http://www.bogpeople.com/networking/dscp.shtml and http://www.tucny.com/Home/dscp-tos. |
QoS Policy | The QoS Policy settings rely on connection objects that are assigned to bands in the firewall rulesets and that specify the bandwidth assigned to transports as a whole. Multiple transports can share a single band if they are processed by the same interface. You can select one of the following options: |
QoS Connector ID | The unique access ID for the connection. |
Replay Window Size | Packets queued by ToS policies on tunnels or transports may not be forwarded immediately and can therefore arrive out of sequence-number order. The replay window tolerates such reordering while still preventing IP packet "replaying": its size is the maximum number of IP packets that can be held back out of order before it is assumed that packets have been sent repeatedly and sequence integrity has been violated. Window sizes are configurable per tunnel and transport, overriding any global policy settings. Set to |
On-Demand Transport Timeout | The transport is disabled if no traffic has been sent through it within this period of time. |
On-Demand Transport Delay | Instead of being processed the moment it arrives, traffic is delayed for the specified time span until more traffic has accumulated. |
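To make the replay-window behaviour described above concrete, the following is an added example (not Barracuda's code) of a sliding anti-replay window in Python, modelled on the ESP anti-replay window in RFC 4303. The class name, the verdict strings and the sample packet sequences are constructed for this illustration; the window size plays the role of the Replay Window Size setting, and the sequences show what happens when ToS queuing reorders packets, when a packet is replayed, and when the window is too small for the reordering.

```python
class ReplayWindow:
    """Sliding anti-replay window over packet sequence numbers.

    Modelled on the ESP anti-replay window (RFC 4303, Appendix A). This is
    an illustration of what a replay window size controls, not the firewall's
    own implementation.
    """

    def __init__(self, size: int) -> None:
        if size < 1:
            raise ValueError("window size must be >= 1")
        self.size = size
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # bit i set  =>  sequence number (top - i) already seen

    def check(self, seq: int) -> str:
        """Return 'accept', 'replay' or 'too_old' for sequence number seq."""
        if seq <= 0:
            return "too_old"
        if seq > self.top:
            # New high-water mark: slide the window forward by the gap.
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1                      # everything older fell out
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return "accept"
        offset = self.top - seq
        if offset >= self.size:
            return "too_old"    # behind the window: cannot tell, so drop it
        if self.bitmap & (1 << offset):
            return "replay"     # already seen inside the window
        self.bitmap |= 1 << offset                  # late but legitimate
        return "accept"


def replay_stats(seqs, window_size):
    """Run a sequence of packet numbers through a window; count each verdict."""
    window = ReplayWindow(window_size)
    counts = {"accept": 0, "replay": 0, "too_old": 0}
    for seq in seqs:
        counts[window.check(seq)] += 1
    return counts


if __name__ == "__main__":
    # Constructed stream: packet 4 is delayed behind 5 and 6 (as ToS queuing can
    # do), packet 8 is replayed, and packet 2 arrives far too late.
    reordered = [1, 2, 3, 5, 6, 4, 7, 8, 8, 2]
    print("window 4:", replay_stats(reordered, 4))   # late packet 4 accepted
    print("window 1:", replay_stats([1, 2, 3, 5, 6, 4], 1))  # packet 4 dropped
```

With a window of 4, the delayed packet 4 is still accepted while the duplicate 8 is flagged as a replay and the stale packet 2 is dropped as too old; with a window of 1, the same reordering causes packet 4 to be dropped, which is why the window must be sized to the reordering the ToS queues can introduce.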
Advanced
Setting | Description |
Encryption | Select the accepted data encryption algorithm for the VPN transport. This is applied when the remote peer initiates the transport. |
Authentication | Select the accepted hashing algorithm for the VPN transport. This is applied when the remote peer initiates the transport. |
Key Time Limit | The period of time after which the re-keying process is started. You can select 5, 10 (default), 30, or 60 minutes. |
Key Traffic Limit | The amount of traffic after which the re-keying process is started. You can select No Limit, 1 GB, 500 MB, 100 MB, 50 MB, 10 MB (default), 5 MB, or 1 MB. |
Transport Probing | The interval between transport probes. If probes are not answered within the period specified by the Transport Timeout setting, the transport is terminated. You can select Silent (no probes are sent), 1 sec, 10 secs, 20 secs, 30 secs (default), or 60 secs. |
Transport Timeout | The period within which transport probes must be answered before the transport is terminated. If the enveloping connection breaks down for any reason, the transport must be re-initialized, so this timeout is especially important in setups with redundant paths for building the enveloping connection. You can select 3 secs, 10 secs, 20 secs (default), 30 secs, or 60 secs. |
Compression | Enable to compress traffic transmitted through the VPN tunnel. |
Dynamic Mesh on Dynamic Interface | Enable if Dynamic Mesh is used in combination with dynamic interfaces. For more information, see Dynamic Mesh VPN Networks. |
High Performance Settings | Select this check box to allow multiple CPUs and cores to be assigned to a single VPN tunnel and increase VPN throughput. As of firmware 9.0.1, this option is enabled by default. NOTE: When this setting is enabled, the firewalls establish independent, unidirectional UDP sessions (by default on port 691) between the gateway IP addresses, which are visible in the Live view. These sessions are used for probing and for spreading the VPN tunnel across the available CPU cores, and they are normal. |
Proxy Type | From this list, you can select one of the following options: |
Proxy Server IP [:port] | Enter the network address and (optionally) port of the HTTP proxy. |
Proxy User | Specify a username for authentication at the HTTP proxy. |
Proxy Password | Specify a password for authentication at the HTTP proxy. |
Start Script | Add a script that should be executed when connecting via VPN. |
Stop Script | Add a script that should be executed when disconnecting from the VPN. |
Peer Identification
Depending on whether the tunnel direction is passive or active, the partner server may be specified as a whole subnet (passive mode) or must be defined by single IP addresses (active and bi-directional mode). Import the public key of the tunnel partner from the clipboard or from a file. In principle, the public key is not required to bring the tunnel up; however, strong authentication of the enveloping connection is strongly recommended. If two different tunnel connections are configured between the same two peers, the keys are mandatory.
Perfect Forward Secrecy for TINA Tunnels
By default, the Barracuda CloudGen Firewall supports Perfect Forward Secrecy (PFS) and Elliptic Curve Cryptography (ECC). The VPN service sends and responds to PFS/EC requests and uses ECC if the remote firewall also supports it. To determine whether PFS/EC is in use, go to the VPN logs and check for the following log messages:
DH attributes found in request, generating a new key
DH attributes found in the response, deriving the shared secret
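As an added example (not part of the original page and not Barracuda's code), the following Python script scans VPN log lines for the two messages above and reports, per tunnel, whether a DH exchange was logged. The two message texts are the page's; the line layout "<date> <time> [<tunnel name>] <message>", the tunnel names and the sample log lines are assumptions constructed for this example, so adjust the regex to the real log framing before use.

```python
import re

# The two message texts the page says to look for in the VPN log.
DH_REQUEST = "DH attributes found in request, generating a new key"
DH_RESPONSE = "DH attributes found in the response, deriving the shared secret"

# Assumed line layout for this example: "<date> <time> [<tunnel name>] <message>".
# The real log's framing may differ; adapt the regex accordingly.
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+)\s+\[(?P<tunnel>[^\]]+)\]\s+(?P<msg>.*)$")

# Constructed sample log: HQ-Branch1 shows both DH messages, HQ-Branch2 shows none.
SAMPLE_LOG = [
    "2024-05-02 10:15:01 [HQ-Branch1] DH attributes found in request, generating a new key",
    "2024-05-02 10:15:01 [HQ-Branch1] DH attributes found in the response, deriving the shared secret",
    "2024-05-02 10:16:40 [HQ-Branch2] transport up (constructed placeholder message)",
    "unstructured line that does not match the assumed layout",
]


def pfs_evidence(log_lines):
    """Count, per tunnel, how often each DH (PFS/EC) message appears.

    Returns {tunnel: {"request": n, "response": n}}. A tunnel whose counters
    are both zero showed no evidence of a DH exchange in this log window.
    """
    evidence = {}
    for line in log_lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not follow the assumed layout
        tunnel, msg = m.group("tunnel"), m.group("msg")
        counters = evidence.setdefault(tunnel, {"request": 0, "response": 0})
        if DH_REQUEST in msg:
            counters["request"] += 1
        elif DH_RESPONSE in msg:
            counters["response"] += 1
    return evidence


def tunnels_without_pfs(log_lines, expected_tunnels):
    """Return the expected tunnels for which the log shows no DH message at all."""
    evidence = pfs_evidence(log_lines)
    return sorted(
        t for t in expected_tunnels
        if sum(evidence.get(t, {}).values()) == 0
    )


if __name__ == "__main__":
    for tunnel, counters in pfs_evidence(SAMPLE_LOG).items():
        print(f"{tunnel}: {counters}")
    print("no PFS evidence:",
          tunnels_without_pfs(SAMPLE_LOG, ["HQ-Branch1", "HQ-Branch2", "HQ-Branch3"]))
```

A tunnel listed as lacking evidence may simply not have re-keyed during the captured interval, so check a log window that spans at least one Key Time Limit (10 minutes by default) before concluding that the remote peer does not support PFS/EC.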
Clearing the DNS Cache of the VPN Service
To clear the cache and manually trigger a DNS lookup, open the VPN page. Right-click on the VPN tunnel and select Show Runtime information. Right-click on the IKE entry in the Worker section, and select Flush DNS Cache.
To clear the cache using the command line, log in as root and enter:
/opt/phion/bin/ipsecctrl isa flushdns