It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda CloudGen Firewall

How to Set Up a Default Route Through a Site-to-Site VPN Tunnel

  • Last updated on

To move the Internet breakout for the branch office to one central location, connect the branch offices with site-to-site VPN tunnels configured to send all Internet traffic for the client behind the remote firewall through the VPN tunnel. The local firewall can then apply company-wide security policies in one location.

s_to_s_default_rt.png

Before You Begin

Configure a TINA site-to-site VPN tunnel between the local and remote firewalls.

For more information, see How to Create a TINA VPN Tunnel between CloudGen Firewalls.

Step 2. Configure the VPN Tunnel on the Remote Firewall

  1. Log into the remote firewall.
  2. Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > VPN-Service > Site to Site.
  3. Click Lock.
  4. Double-click the VPN tunnel.
  5. Configure the VPN tunnel between the remote and the local firewall:
    • Local Networks – Enter the networks you want to route through the VPN tunnel.
    • Remote Networks – Enter 0.0.0.0/0 as the remote network to forward all traffic through the site-to-site VPN tunnel to the remote firewall.

    VPN_tunnel_firewall_internal_LAN.png
  6. Click Send Changes and Activate.

Step 3. Configure the VPN Tunnel on the Local Firewall

  1. Log into the local firewall.
  2. Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > VPN-Service > Site to Site.
  3. Click Lock.

  4. Double-click the VPN tunnel.
  5. Configure the VPN tunnel between the local an the remote firewall:
    • Local Networks – Enter 0.0.0.0/0.
    • Remote Networks – Enter the networks you want to route through the VPN tunnel.
    VPN_tunnel_firewall_with_internet_access.png
  6. Click Send Changes and Activate.

Step 4. Configure an Access Rule for the Remote Firewall

The remote firewall sends all Internet traffic through the VPN tunnel.

  1. Log into the remote firewall.
  2. On your firewall with no direct Internet access, go to CONFIGURATION > Configuration Tree > Box > Assigned Services > Firewall > Forwarding Rules.
  3. Click Lock.
  4. Right-click the ruleset and select New. The New Rule window opens.
  5. Enter a Name for the access rule.

  6. Right-click the ruleset and select New > Rule to create an access rule to match the VPN traffic:
    • Action –  Select Pass.
    • Source – Enter your private network used for the VPN tunnel. 
    • Service – Select the services allowed to access the tunnel. Default: Any
    • Destination – Configure the route to the Internet as the destination so that traffic will be sent through the VPN tunnel to the remote firewall.
    • Connection Method – Select Original Source IP.
      LAN-to-Internet-via-VPN.png
  7. Click OK.
  8. Reorder the access rule by dragging it to the correct position in the Forwarding Firewall's ruleset. Make sure no access rule placed above it will match the traffic for the site-to-site access rule.
  9. Click Send Changes and Activate.

Step 5. Configure an Access Rule for the Local Firewall

The local firewall forwards Internet traffic from the remote networks.

  1. Log into the local firewall.
  2. On your firewall with direct internet access, go to CONFIGURATION > Configuration Tree > Box > Assigned Services > Firewall > Forwarding Rules.
  3. Click Lock.
  4. Right-click the ruleset and select New. The New Rule window opens.
  5. Enter a Name for the access rule.
  6. Right-click the rule set and select New > Rule to create an access rule to match the VPN traffic:
    • Action –  Select Pass.
    • Source – Select your private local network. 
    • Service – Select the services allowed to access the tunnel. Default: Any
    • Destination – Configure the route to the Internet as the destination.
    • Connection Method – Select Dynamic NAT.
      LAN-to-Internet.png
  7. Click OK.
  8. Reorder the access rule by dragging it to the correct position in the Forwarding Firewall's ruleset. Make sure no access rule placed above it will match the traffic for the site-to-site access rule.
  9. Click Send Changes and Activate.

The clients behind the remote firewall can now access the Internet via the site-to-site VPN tunnel. On the local and remote firewall, go to FIREWALL > Live. Verify that the Internet traffic for the clients behind the remote firewall is flowing through the VPN tunnel and that it is forwarded to the Internet on the local firewall.

Remote firewall:

log_example_remote_fw.png

Local Firewall
log_example_local_fw.png

Troubleshooting

If you have issues with the default route for the site-to-site VPN tunnel, try the following solutions:

  • No traffic passes through the default route – Verify that the VPN connection itself works by setting up clients on both ends of the tunnel. Note that locally transmitted ICMP pings are not redirected through the tunnel. The client on the external system can also be an external web server.
  • ICMP traffic passes through the VPN tunnel in one direction but the reply does not – Use  Dynamic NAT on the external CloudGen Firewall.
  • There is no connection to the Internet – Make sure that a valid default route also appears in the regular network configuration of the external CloudGen Firewall and that this default route points to a working Internet gateway.