To let mobile workers securely connect to corporate information resources, create a client-to-site VPN group policy. This allows you to use one client-to-site configuration that enables CudaLaunch, Barracuda VPN clients, and native IKEv1 and IKEv2 IPsec clients to connect. Use CudaLaunch on iOS and Android to fully manage the VPN configuration remotely through the SSL VPN templates. To manually configure the native IPsec clients on iOS and Android, verify that you are using encryption settings compatible with the version of your mobile operating system. VPN clients can be authenticated either through external authentication schemes, client certificates, or a combination thereof.
Supported VPN Clients
Although any standard-compliant IPsec client should be able to connect via IPsec, Barracuda Networks recommends using the following clients:
- CudaLaunch via VPN templates in SSL VPN. For more information, see How to Configure VPN Templates in the SSL VPN.
- VPN Client & Network Access Client
- Native iOS IPsec VPN Client
- Native Android IPsec VPN Client
Before You Begin
- Set up the VPN certificates for External CA or Barracuda VPN CA. For more information, see How to Create Certificates with XCA and How to Create Certificates for a Client-to-Site VPN.
- Configure an external authentication scheme. For more information, see Authentication.
- Identify the subnet (static route) or a range in a local network (proxy ARP) to be used for the VPN clients.
Step 1. Enable the VPN Service on a Network Interface
Enable the VPN service on a static IP address. If you do not have a static WAN IP address, you must enable the VPN service for a static internal interface and then redirect incoming connections to the VPN service with an access rule.
Static (fixed) WAN IP Address
To enable the VPN service for the static network interface:
- Go to NETWORK > IP Configuration.
- In the Static Interface Configuration section, click Edit to configure your static WAN interface.
- In the Edit Static Network Interface window, select the VPN Server check box.
- Click Save.
Dynamic (DHCP/3G/PPPoE) WAN IP Address
To use the VPN service with a dynamic WAN IP address, run the VPN service on an internal IP address. Do not use the management IP address; instead, add a secondary IP address. Then, create an access rule to redirect all incoming VPN traffic from the dynamic interface to the VPN service.
- Go to NETWORK > IP Configuration.
- Enable dynamic DNS:
- In the Dynamic Interface Configuration section, click Edit to configure the dynamic WAN interface.
- In the Edit Dynamic Network Interface window, enable Use Dynamic DNS.
- Enter the DynDNS Hostname and authentication information.
- Click Save.
- In the Management IP Configuration section, enter a secondary IP address:
- IP Address – Enter an IP address that is free in the local network. For example, 10.0.10.6 if the MIP address is in the 10.0.10.0/24 network.
- VPN Server – Select this check box.
- Click Add.
Create an access rule to redirect incoming VPN connections on the dynamic interface to the VPN server listening on the local IP address. For more information, see How to Configure an Access Rule for a Client-to-Site VPN.
Step 2. (Certificate Authentication Only) Upload or Create Certificates
When using certificate authentication, use a third-party PKI to create the VPN and client certificates. For more information on how to create certificates, see How to Create Certificates with XCA and How to Create Certificates for a Client-to-Site VPN.
- Go to ADVANCED > Certificate Manager.
- Click Upload. The Upload Certificate window opens.
- Enter the following details:
- Certificate Name – Enter VPN Certificate.
- Certificate Type – Select the type of certificate you want to upload.
- Add to VPN Certificates – Enable the check box.
- Certificate File – Select the certificate file you want to upload.
- Click Save.
Step 3. Configure Client-to-Site VPN Settings
Configure user authentication and IPsec settings.
Step 3.1 Configure User Authentication and Select the Certificate
- Go to VPN > Client-To-Site VPN.
- In the Settings section, select a User Authentication method. You can use local or external user authentication. For more information, see Authentication.
- (Certificate Authentication Only) From the Local Certificate list, select the certificate that you created in Step 2. E.g., VPNCertificate.
- Click Save.
Step 3.2 Configure IPsec Settings for Authentication
Configure the authentication type and, if needed, the encryption algorithms for IPsec phase 1 and 2.
- Go to VPN > Client-To-Site VPN.
- In the IPsec Settings section, select the Authentication type.
- (Optional) Configure the IPsec Phase 1 Settings and IPsec Phase 2 Settings.
- Click Save.
Step 3.3 Create a VPN Group Policy
Define the VPN clients and the network information to be passed to the client.
- Go to VPN > Client-To-Site VPN.
- In the VPN Access Policies section, click Add Access Policy.
- In the Add VPN Access Policy window, configure the following settings:
- Name – A name for the access policy.
- Client Network – The network that the client will be assigned to. E.g., 192.168.100.0/24
- (Optional) Domain – The domain assigned to the client.
- First DNS – The IP address of the DNS server.
- Published Networks – The local networks available for the VPN client.
- IPsec Phase 2 – The IPsec Phase 2 settings that you configured in the IPsec Settings section.
- No Split Tunnel Mode – Enable in order to lock down the client so that it can only connect to the Published Networks of the VPN tunnel. (Applies to Windows hosts using the Barracuda VPN Client.)
- Allowed Peers – Enable IPsec Client to allow mobile devices and third-party IPsec clients to connect, and enable Barracuda VPN Client to allow connections with the Barracuda VPN Client.
- Allowed Groups – The groups that are allowed to connect. To allow all groups, enter an asterisk (*).
- Use for CudaLaunch – Enable self-provisioning on Windows, macOS, or iOS devices for remote clients using the CudaLaunch portal. For more information, see CudaLaunch. Configure the following settings:
- CudaLaunch Server – Enter the IP address of the server providing CudaLaunch.
- Allowed Groups – Enter the user groups that the policy applies to. Click + after each entry. You can use question marks (?) and asterisks (*) as wildcard characters.
- Click Save.
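As an added example (not part of the Barracuda documentation), the checks below validate the values you enter in the Add VPN Access Policy window (Step 3.3) and the secondary IP address from Step 1 before you click Save: the client network must not overlap a published network, the Allowed Groups wildcards are matched as the page describes, and the secondary IP must lie inside the MIP network. The sample policy values are constructed.

```python
import fnmatch
import ipaddress

# Constructed sample policy; the field names are those of the Add VPN Access
# Policy window, the values are made up for this example.
SAMPLE_POLICY = {
    "Name": "MobileWorkers",
    "Client Network": "192.168.100.0/24",
    "First DNS": "10.0.10.10",
    "Published Networks": ["10.0.10.0/24", "10.0.20.0/24"],
    "Allowed Groups": ["vpn-*", "it-admin?"],
}


def policy_problems(policy):
    """Return a list of misconfigurations found in a client-to-site access policy.

    A client pool that overlaps a published network gives the client and the
    firewall ambiguous routes, so it is reported as a problem.
    """
    problems = []
    client_net = ipaddress.ip_network(policy["Client Network"], strict=True)
    published = [ipaddress.ip_network(n, strict=True)
                 for n in policy["Published Networks"]]
    for net in published:
        if client_net.overlaps(net):
            problems.append(f"client network {client_net} overlaps published network {net}")
    dns = ipaddress.ip_address(policy["First DNS"])
    if dns not in client_net and not any(dns in net for net in published):
        problems.append(f"First DNS {dns} is outside the published networks; "
                        "DNS queries will not go through the tunnel")
    if not policy["Allowed Groups"]:
        problems.append("no Allowed Groups configured: no user can connect")
    return problems


def group_allowed(group, patterns):
    """Match a user group against Allowed Groups patterns.

    Assumption: '*' matches any run of characters and '?' exactly one, as the
    page states; matching is treated as case-sensitive here.
    """
    return any(fnmatch.fnmatchcase(group, p) for p in patterns)


def secondary_ip_in_mip_subnet(secondary_ip, mip_cidr):
    """Step 1 (dynamic WAN): the secondary IP must be inside the MIP network."""
    return ipaddress.ip_address(secondary_ip) in ipaddress.ip_network(mip_cidr, strict=False)
```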
Step 4. Configure Clients
Configure VPN clients to connect to the IPsec VPN with certificate authentication.
Barracuda VPN Clients
Configure the Barracuda VPN Client to connect to the IPsec VPN with the certificate authentication you just created. You can download the Barracuda VPN Client from the Barracuda Download Portal. To install the client, you must have administrative rights. Reboot the computer after the installation.
Configure a profile for connecting to the IPsec VPN:
- Start the Barracuda VPN Client.
- In the left pane, click Preferences.
- In the Barracuda VPN Control window, right-click the default profile and select Modify Profile.
- In the Properties window, specify these settings:
- Certificate – Select X509 authentication.
- Remote Server – Enter the WAN IP address or DynDNS name (e.g., 62.99.0.51 or bfw-vpn.dyndns.org) in the Host names or IP addresses of remote server field.
- Click OK.
- Close the Barracuda VPN Control window.
After configuring the Barracuda VPN Client, you can connect to the IPsec VPN:
- Start the Barracuda VPN Connector.
- Enter your Username and Password.
- Click Connect.
You are now connected to the client-to-site IPsec VPN with the Barracuda VPN Client.
The connection status is displayed on the VPN > Active Connections page.
Mobile Clients
For instructions on configuring mobile clients, see these articles:
Mobile OS | Supported Version | Article |
---|---|---|
Apple iOS | 5.2 or above | How to Configure the Apple iOS VPN Client for IPsec Shared Key VPN |
Android | 4.0 or above | How to Configure the Android VPN Client for IPsec Shared Key VPN |
Third-party IPsec VPN Clients
The firewall adheres to the IPsec standard. Any third-party IPsec client implementing this standard can connect to the IPsec VPN.