It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda Campus Barracuda Campus
Barracuda NextGen Firewall X
Overview Documentation Materials

This Product is End-of-Life and End-Of-Support

End-Of-Life and End-Of-Support on December 1st, 2020: All Barracuda Firewall X-Series sales will cease; neither new sales nor any renewals will be available. If you currently hold a maintenance and support contract, you will continue to receive our award-winning support and services until your contract expires. Please see the End-Of-Life definition as described in the End of Support and End of Life Information.

How to Configure a Client-to-Site VPN with Shared Key Authentication

  • Last updated on

The Barracuda NextGen Firewall X-Series supports client-to-site VPN with shared key authentication. You can use either the Barracuda VPN Client, mobile clients running iOS or Android, or third-party IPsec clients supporting client authentication.

The certificates for the VPN service must include the FQDN resolving to the external IP address the VPN service is listening on as the Subject Alternative Name. E.g., DNS:vpn.mydomain.com Alternatively, you can also use a wildcard: DNS:*

Mobile devices

The X-Series Firewall supports IPsec VPN connections for Apple iOS and Android devices. You must enable the IPsec client option in the access policy to be able to connect with a mobile client. 

Barracuda VPN Client

The Barracuda VPN Client authenticates with username and password. The shared key configured for the IPsec client is not used for the Barracuda VPN Client. You must enable the Barracuda VPN Client option in the access policy to be able to connect with the Barracuda VPN Client.

Third-party IPsec clients

The X-Series Firewall adheres to the IPsec standard. Any third-party IPsec client implementing this standard can connect to the IPsec VPN. You must enable IPsec client in the access policy to use the IPsec VPN client.

Step 1. Enable the VPN service on a network interface

Enable the VPN service on a static IP address. If you do not have a static WAN IP address, you must enable the VPN service for a static internal interface and then redirect incoming connections to the VPN service with a firewall rule.

Static (fixed) WAN IP address

To enable the VPN service for the static network interface:

  1. Go to NETWORK > IP Configuration.
  2. In the Static Interface Configuration section, click Edit to configure your static WAN interface. 
    c2sIPsec01.png

  3. In the Edit Static Network Interface window, select the VPN Server check box.
    c2sIPsec02_67.png

    If SSL VPN service is also enabled for this interface, go to VPN > Site-To-Site VPN and disable the Use TCP Port 443 setting for the VPN service.


  4. Click Save
Dynamic (DHCP/3G/PPPoE) WAN IP address

You must have an active DynDNS account, so that the client can connect to the dynamic IP address. For more information on creating a DynDNS account, see http://www.dyndns.org.

To use the VPN service with a dynamic WAN IP address, run the VPN service on an internal IP address. Do not use the management IP address; instead, use a secondary IP address. Then, configure a firewall rule to redirect all incoming VPN traffic from the dynamic interface to the VPN service.

  1. Go to NETWORK > IP Configuration.
  2. Enable dynamic DNS.
    1. In the Dynamic Interface Configuration section, click Edit to configure your dynamic WAN interface. 
    2. In the Edit Dynamic Network Interface window, enable Use Dynamic DNS

    3. Enter the DynDNS Hostname and authentication information.

    4. Click Save.
  3. In the Management IP Configuration section, add a secondary IP address: 
    • IP ADDRESS – Enter an IP address that is free in the local network. For example, 10.0.10.6 if the MIP address is in the 10.0.10.0/24 network.
    • VPN SERVER – Select this check box. 
    c2sIPsec03_67.png
  4. Create an access rule to redirect incoming VPN connections on the dynamic interface to the VPN server listening on the local IP address.
    1. Go to FIREWALL > Firewall Rules.
    2. Click Add Access Rule
    3. In the Add Access Rule windows, configure a Redirect to Service firewall rule. 
      • For the Destination, select the network object corresponding to your Internet connection type (DHCP, 3G, or DSL).
      • For the Redirected To setting, select the VPN network object.
      c2sIPsec04_67.png
    4. Click Save.
  5. Move the firewall rule above the BLOCKALL rule. For more information, see Firewall Rules Order
  6. Click Save.

Step 2. Configure client-to-site VPN settings for shared key IPsec VPN

Configure user authentication and IPsec settings.

Step 2.1 Configure User Authentication
  1. Go to VPN > Client-To-Site VPN.
  2. In the Settings section, select a User Authentication method. You can use local or external user authentication.
  3. In the IPsec Settings section:
    1. For Authentication, select Shared Key.
    2. Enter the Shared Key.
    3. Unless you are using iOS or Android devices as VPN clients, you can also configure the IPsec Phase 1 Settings and IPsec Phase 2 Settings.

  4. Click Save. 
    c2sIPsec05_67.png

    If you want to use iOS or Android devices as VPN clients, do not change the default IPsec Phase 1 and Phase 2 settings.
Step 2.2 Create the VPN access policy

Define the VPN clients and the network information to be passed to client.

Access policies are matched based on the Allowed Group of the access policy from top to bottom. Make sure access policies are entered so the more specific allowed groups are at the top of the list and the generic * conditions are at the bottom of the list.

  1. Go to VPN > Client-To-Site VPN.
  2. In the VPN Access Policies section, click Add Access Policy
  3. In the Add VPN Access Policy window, specify the following settings: 

    • Name – A name for the access policy.

      The name of the access policy is referred to as group name on iOS or IPSec-ID on Android devices.

    • Client Network – The network that the client will be assigned to (e.g., 192.168.100.0/24).
    • (Optional) Domain – The domain assigned to the client.
    • Primary DNS Server – The IP address of the DNS server.
    • Published Networks –The local networks available for the VPN client.
    • No Split Tunnel Mode – Enable to lock down the client to connect only to the Published Networks of the VPN tunnel. Add 0.0.0.0/0 to the Published Networks to allow the client to access the Internet through the VPN tunnel.
    • IPsec Phase 2 – The IPsec Phase 2 settings that you configured in Step 2.2 (e.g., Client2SiteVPNClients from the example in Step 2.2).
    • Allowed Peers – Enable IPsec Clients for mobile devices and third-party IPsec clients and Barracuda VPN client to be able to connect with the Barracuda VPN Client.
    • Allowed Groups – The groups that are allowed to connect. To allow all groups, enter an asterisk (*).
    • Use for CudaLaunch – Enable self-provisioning on Windows, macOS, or iOS devices for remote clients using the CudaLaunch portal. For more information, see CudaLaunch.
      Configure the following settings:
      • CudaLaunch Server – Enter the IP address of the server providing CudaLaunch.
      • Allowed Groups – Enter the user groups that the policy applies to. Click after each entry. You can use question marks (?) and asterisks (*) as wildcard characters.
  4. Click Save.

Step 3. Configure Clients

Configure VPN clients to connect to the IPsec VPN with shared key authentication.

Barracuda VPN Clients

Configure the Barracuda VPN Client to connect to the IPsec VPN with the certificate authentication you just created.

  1. Go to VPN > Client-To-Site.
  2. Download and install the Barracuda VPN Client.
    1. In the Settings section, select your operating system from the Download Barracuda VPN Client list and click Download. 
    2. Install the Barracuda VPN Client. You must have administrative rights. 
    3. Reboot the computer after the installation.
  3. Configure a profile for connecting to the IPsec VPN.
    1. Start the Barracuda VPN Client.
    2. In the left pane, click Preferences.
    3. In the Barracuda VPN Control window, right-click the default profile and select Modify Profile.
    4. (optional) Enter a description of this connection entry to change the VPN profile name.
    5. In the Remote Server section, enter the WAN IP address or DynDNS name (e.g., 62.99.0.51 or bfw-vpn.dyndns.org) in the Host names or IP addresses of remote server field.
    6. Click OK
  4. Close the Barracuda VPN Control window.

After configuring the Barracuda VPN client, you can connect to the IPsec VPN:

  1. Start the Barracuda VPN Connector.
  2. Enter your Username and Password.
  3. Click Connect. 

You are now connected to the client-to-site IPsec VPN with the Barracuda VPN Client.

c2sIPsec06.png

The connection status is displayed on the VPN > Active Connections page.

c2s_connect.png

Mobile clients

For instructions on configuring mobile clients, see these articles:

Mobile OSSupported VersionArticle
Apple iOS5.2 and aboveHow to Configure the Apple iOS VPN Client for IPsec Shared Key VPN
Android4.0 and aboveHow to Configure the Android VPN Client for IPsec Shared Key VPN
Third-party IPsec VPN clients

The X-Series Firewall adheres to the IPsec standard. Any third-party IPsec client implementing this standard can connect to the IPsec VPN.

Troubleshooting

If you are having trouble connecting to the client-to-site VPN, see Troubleshooting Client-to-Site VPNs.