It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda Campus Barracuda Campus
Barracuda CloudGen Firewall
Overview Documentation Training Certification Materials

IPsec IKEv1 Tunnel Settings

  • Last updated on

The following IKEv1 IPsec tunnel settings can be configured:

General

SettingDescription
NameThe tunnel name. You can enter a maximum of 26 characters.
DisabledTo manually disable the tunnel, select this check box.
IPv6Enable to use IPv6 addresses for the VPN tunnel envelope

Basics

In this tab, you can edit the following Phase 1 and Phase 2 settings.

SettingDescription
EncryptionThe data encryption algorithm.
Hash Meth.

The hash algorithm.

DH-Group

The Diffie-Hellman Group that specifies the type of key exchange. The Barracuda CloudGen Firewall supports Group1 to Group18.

Lifetime [sec]The re-keying time in seconds that the server offers to the partner.
Min. Lifetime [sec]The minimum re-keying time in seconds that the server accepts from its partner.
Max. Lifetime [sec]The maximum re-keying time in seconds that the server accepts from its partner.
Enable Perfect Forward SecrecyToggle to enable or disable PFS. The remote gateway mus also support PFS.

SD-WAN - VPN Envelope Policy

SettingDescription
TOS Policy

This policy setting specifies how Type of Service (ToS) information contained within a packet’s IP header is handled. In networks, the ToS may be used to define the handling of the datagram during transport. If the ToS is enveloped, this information is lost. You can select one of the following options:

  • Copy TOS From Payload to Envelope – Use this option with non-TCP transports. The packet’s original ToS information is copied onto the envelope, so that it stays available for use.
  • Fixed Envelope TOS – The ToS information is masked by enveloping it without consideration. In the Envelope TOS Value field, enter the fixed ToS value. The same ToS information is then assigned to all packets. For example:
DSCPPrecedencePurpose
00Best effort
81Class 1
162Class 2
243Class 3
324Class 4
405Express forwarding
486Control
567Control

For more information about precedence values, see http://www.bogpeople.com/networking/dscp.shtml and http://www.tucny.com/Home/dscp-tos.

Band Policy


For band policy settings to apply, you must configure traffic shaping. For more information, see Traffic Shaping. Band policy settings work independently from bandwidth protection settings.

The Band Policy settings rely on connection objects that are assigned to bands in the firewall rulesets and specify bandwidth assignment to transports as a whole. Multiple transports can share a single band if they are processed by the same interface.

You can select one of the following options:

  • Use Band According to Rule Set – Use the band from the firewall rule, allowing traffic between the tunnel endpoints.
  • Copy Band From Payload To Envelope – Use the band from the firewall rule, redirecting traffic to the VPN tunnel entry point. The band setting for the rule that configures traffic between the tunnel endpoints is then ignored.
  • Fixed Envelope Band – Use a static band. From the Envelope Band Value list, select one of the available bands (System, Band A to Band G).
Replay Window
Size

If ToS policies assigned to VPN tunnels or transports packets are not forwarded instantly according to their sequence number, you can configure the replay window size for sequence integrity assurance and to avoid IP packet "replaying." The window size specifies a maximum number of IP packets that can be on hold until it is assumed that packets have been sent repeatedly and sequence integrity has been violated. Individual window size settings are configurable per tunnel and transport, overriding any global policy settings. Set to -1 to disable Replay Protection.

  • To view or edit the global replay window size, see the VPN server settings.
  • To view the replay window size for a tunnel, double-click the tunnel on the VPN page to open the Transport Details window (attribute: transport_replayWindow).

Advanced

SettingDescription
DPD intervals [s]
Enter the number of seconds between sending IKE notify checks if the peer is still available. Default 5 sec.
Interface Index

By default, the tunnel is fed through vpn0. To use another VPN interface, enter it in this field.

Before using this option, you must first create the indexed VPN interface in the VPN Settings.

VPN Next Hop RoutingEnter the IP address of the remote VPN tunnel interface that is reachable via the vpnr interface using the index entered as the Interface Index.
Phase 2 Lifetime Adjust [s]

This setting ensures that the firewall initiates rekeying. On CloudGen Firewall devices with firmware 8.0.1 or higher, you can leave this field blank.

NAT-T Autodetect
Attempt to detect the UDP NAT-T type supported by the remote VPN gateway.

RAW IPSec

In this section, you can add optional parameters for establishing IPsec tunnels. When appending a parameter, first specify the section that the parameter is assigned to. Then, specify the new parameter itself in the next line. Enter one single value per line. For example:

[Section]
key=value

To set the IPSec ID for Phase 1, use the following format:

[IPSEC-<tunnelname>-ID]
ID-Type= IPV4_ADDR
Address= <IP address>

[IPSEC-<tunnelname>]
ID= IPSEC-<tunnelname>-ID

Example:

[IPSEC-TestTunnel-ID]
ID-Type= IPV4_ADDR
Address= 198.51.100.30

[IPSEC-TestTunnel]
ID= IPSEC-TestTunnel-ID

New sections are added to the end of the isakmpd.conf file. New parameters are added to the top of the specified section. For more information on the syntax to be used in this field, see the isakmpd.conf man page at www.openbsd.org/cgi-bin/man.cgi.

Local Networks

SettingDescription
Initiates Tunnel

Specifies whether the tunnel is active or passive. You can select one of the following options:

  • Yes (passive IKE)
  • No (active IKE)

Active also implies that incoming VPN connection attempts are accepted.

Local IKE GatewayThe IP address of the local IKE gateway. If you are using dynamic IP addresses, enter 0.0.0.0/0
ID-type
  • IPV4_ADDR (auto) – Automatically chosen IP address.
  • IPV4_ADDR (explicit) – Enter a single IP address.
  • IPV4_ADDR_SUBNET (auto) – Automatically chosen network.
  • IPV4_ADDR_SUBNET (explicit) – Explicit network. E.g., 62.99.0.0/24

Identify

SettingDescription
Identification Type
  • Shared Secret
  • X509 Certificate (CA signed)
  • X509 Certificate (explicit)
  • Box SCEP Certificate (CA signed)

X509 certificates must have the SubAltName field populated with at least one entry.


Mode
  • Main Mode – By default, the firewall uses main mode. Main mode is considered more secure than aggressive mode.
  • Aggressive Mode – Aggressive mode is required if the remote IP address is unknown and shared key authentication is used.

Remote Networks

SettingDescription
Remote IKE
Gateway		The IP address of the remote IKE gateway. If the remote IPsec gateway is connected to the Internet with a dynamic IP address, enter the DDNS (Dynamic Domain Name System) hostname of the gateway.
Network AddressTo add the network address of the VPN partner, enter it in this field and then click Add.

Peer Identification

Depending on which identification type is selected, different fields are unlocked in the Peer Identification section.  

SettingDescription
Shared SecretEnter the shared passphrase used to authenticate. Passphrases using the hash (#) character are not accepted.
CA Root
Select the root certificate used to validate the certificate.
X509 ConditionEnter the certificate key patterns the certificate is required to match when X.509 certificate authentication is used.
Explicit X509

Import an explicit certificate for X.509 certificate authentication.

X509 certificates must have the SubAltName field populated with at least one entry.