It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda CloudGen Firewall

How to Configure Dynamic Mesh VPN

  • Last updated on

To configure a Dynamic Mesh for managed firewalls, see How to Configure a Dynamic Mesh VPN with the GTI Editor.

Create a Dynamic Mesh network for three or more stand-alone Barracuda CloudGen Firewalls with the central firewall acting as the VPN hub. Every firewall in the VPN Network must be configured to use Dynamic Mesh, and the VPN hub must be the SD-WAN primary and use a Dynamic Mesh-enabled connection object for the access rule matching the VPN relay traffic. Dynamic Mesh can only be used in combination with TINA Site-to-Site tunnels. The IPv6 envelope for the VPN tunnels is not supported.

vpn_dyn_mesh.png

Before You Begin

Step 1. Enable Dynamic Mesh

Repeat this step on every firewall in the Dynamic Mesh VPN network.

  1. Open the VPN Settings page (CONFIGURATION > Configuration Tree > Box > Assigned Services > VPN-Service).
  2. Click Lock
  3. In the TINA section, verify that Allow Dynamic Mesh is selected.
    vpn_dynmesh.png
  4. Click OK.
  5. Click Send Changes and Activate.

Step 2. Enable Dynamic Mesh for the VPN Tunnels

For each TINA tunnel, edit the TINA VPN tunnel configuration on the VPN hub and the remote firewalls to use Dynamic Mesh.

  1. Open the Site to Site page (CONFIGURATION > Configuration Tree > Box > Assigned Services > VPN-Service).
  2. Click Lock
  3. Double-click the Site-to-Site TINA tunnel. The TINA Tunnel window opens.
  4. Click on the Advanced tab.
  5. Enable Use Dynamic Mesh.
  6. (optional) Enter the Dynamic Mesh Timeout (s) in seconds. The timeout must be between 5 and 600 seconds.
    dyn_mesh.png
  7. Click OK.
  8. Click Send Changes and Activate.

Step 3. Create Three Custom Connection Objects on the VPN Hub

You must create three custom connection objects on the VPN hub: one that triggers a dynamic tunnel and resets the tunnel timeout, one for traffic going through the dynamic tunnel while not resetting the tunnel timeout, and one for the traffic that should always be relayed through the VPN hub.

Step 3.1 Dynamic Mesh Connection Object SD-WAN Primary with Idle Timeout Reset

Only connections matching an access rule with the Dynamic Mesh and SD-WAN primary options enabled in the SD-WAN settings of the custom connection object on the VPN hub will trigger a new dynamic VPN tunnel. All other traffic will continue to go through the VPN hub. The connection objects on the remote units (SD-WAN secondaries) do not need to be enabled because they are learned automatically from the VPN hub acting as the SD-WAN primary. For traffic matching access rules using this connection object to keep the dynamic tunnel open, Prevent tunnel timeout must be enabled.

  1. Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > Firewall > Forwarding Rules.
  2. In the left menu, click Connections.
  3. Right-click in the Connections and click New > Connection.
  4. Enter a Name. E.g., DynMeshNoSNAT
  5. Select Original Source IP.

  6. In the SD-WAN VPN Settings section, click Edit/Show. The SD-WAN Settings window opens.
    vpn_dynmesh03.1.png
  7. Set the SD-WAN Learning Policy to Primary (propagate SD-WAN settings to partner).
    ti_add_primary.png
  8. In the Dynamic Mesh section, enable Allow Dynamic Mesh and Trigger Dynamic Mesh.
  9. Enable Prevent tunnel timeout.
    vpn_dynmesh04b.png
  10. Click OK.
  11. Click OK.
  12. Click Send Changes and Activate.
Step 3.2 Dynamic Mesh Connection Object SD-WAN Primary with no Idle Timeout Reset

Only connections matching an access rule with the Dynamic Mesh and SD-WAN primary options enabled in the SD-WAN settings of the custom connection object on the VPN hub will trigger a new dynamic VPN tunnel. All other traffic will continue to go through the VPN hub. The connection objects on the remote units (SD-WAN secondaries) do not need to be enabled because they are learned automatically from the VPN hub acting as the SD-WAN primary.

  1. Go to  CONFIGURATION > Configuration Tree > Box > Assigned Services > Firewall > Forwarding Rules.
  2. In the left menu, click Connections.
  3. Right-click in the Connections and click New > Connection.
  4. Enter a Name. E.g., DynMeshNoTimeout
  5. Select Original Source IP.

  6. In the SD-WAN VPN Settings section, click Edit/Show. The SD-WAN Settings window opens.
    vpn_dynmesh05.1.png
  7. Set the SD-WAN Learning Policy to Primary (propagate SD-WAN settings to partner).
     ti_add_primary.png
  8. In the Dynamic Mesh section, enable Allow Dynamic Mesh.
  9. Disable Prevent tunnel timeout.
    gti_dynmesh14.png
  10. Click OK.
  11. Click OK.
  12. Click Send Changes and Activate.
Step 3.3. Create an SD-WAN Primary Connection Object for the VPN Hub

For all services that should not go through the VPN tunnel, use a custom connection object with the SD-WAN Learning Policy set to Primary. Traffic matching an access rule that uses this connection object will not trigger a dynamic tunnel. Instead, it continues to go through the VPN hub.

  1. Go to  CONFIGURATION > Configuration Tree > Box > Assigned Services > Firewall > Forwarding Rules.
  2. In the left menu, click Connections.
  3. Right-click in the Connections and click New > Connection.
  4. Enter a Name. E.g., TIPrimaryNoSNAT
  5. Select Original Source IP.

  6. In the SD-WAN VPN Settings section, click Edit/Show. The SD-WAN Settings window opens.
    vpn_dynmesh07.1.png
  7. Set the SD-WAN Learning Policy to Primary (propagate SD-WAN settings to partner).
    ti_add_primary.png
  8. Verify that all checkboxes in the Dynamic Mesh section are cleared.
    vpn_dynmesh08b.png
  9. Click OK.
  10. Click OK.
  11. Click Send Changes and Activate.

Step 4. Create Three Access Rules on the VPN Hub

Create an access rule that triggers the dynamic tunnel and another that relays the rest of the traffic.

Step 4.1. Create an Access Rule on the VPN Hub to Trigger a Dynamic Tunnel

Create an access rule on the VPN hub that will trigger a dynamic tunnel.

  • Action – Select PASS.
  • Source – Enter all Local Networks for all remote firewalls and the Local Networks for the VPN hub.
  • Service – Select the services that should trigger a dynamic tunnel.
  • Destination – Enter all Local Networks for all remote firewalls and the Local Networks for the VPN hub. 
  • Connection Method – Select the DynMeshNoSNAT custom connection object created in Step 3.1.
    vpn_dynmesh09.png
Step 4.2. Create an Access Rule on the VPN Hub to Trigger a Dynamic Tunnel without Resetting the Idle Timeout of the Dynamic Tunnel

Create an access rule on the VPN hub that will trigger a dynamic tunnel.

  • Action – Select PASS.
  • Source – Enter all Local Networks for all remote firewalls and the Local Networks for the VPN hub.
  • Service – Select the services that should go through the dynamic tunnel if it is up, otherwise go through the VPN Hub.
  • Destination – Enter all Local Networks for all remote firewalls and the Local Networks for the VPN hub. 
  • Connection Method – Select the DynMeshNoTimeout custom connection object created in Step 3.2.
    vpn_dynmesh10.png
Step 4.3.  VPN Relaying without Triggering a Dynamic Tunnel

Create an access rule on the VPN hub that allows the remote firewalls to send traffic to other remote firewalls through the VPN hub. Place this access rule below the rule triggering the dynamic tunnels.

  • Action – Select PASS.
  • Source – Enter all Local Networks for all remote firewalls and the Local Networks for the VPN hub.
  • Service – Select Any.
  • Destination – Enter all Local Networks for all remote firewalls and the Local Networks for the VPN hub. 
  • Connection Method – Select the TIPrimaryNoSNAT custom connection object created in Step 3.3.
    vpn_dynmesh11.png

Step 5. Create Custom Connection Objects on the Remote Firewalls

On every remote firewall in the Dynamic Mesh VPN network, create an SD-WAN secondary connection object to allow the dynamic mesh.

  1. Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > Firewall > Forwarding Rules.
  2. In the left menu, click Connections.
  3. Right-click in the Connections and click New > Connection.
  4. Enter a Name. E.g., DynMeshAllow
  5. Select Original Source IP.
  6. In the SD-WAN VPN Settings section, click Edit/Show. The SD-WAN Settings window opens.
    vpn_dynmesh09a1.png
  7. Set the SD-WAN Learning Policy to Secondary (learn SD-WAN settings from partner).
    ti_add_secondary.png
  8. In the Dynamic Mesh section, enable Allow Dynamic Mesh.
    gti_dynmesh14.png
  9. Click OK.
  10. Click OK.
  11. Click Send Changes and Activate.

Step 6. Modify the VPN Access Rule on the Remote Firewalls

On every remote firewall, create or modify the access rule that allows traffic through the dynamic tunnel. Apply the connection object to allow the dynamic mesh.

  • Action – Select PASS.
  • Bi-Directional – Select the check box to apply the rule in both directions.
  • Source – Enter all local networks used for the VPN tunnel.
  • Service – Select the services that should go through the dynamic tunnel if it is up, otherwise go through the VPN hub.
  • Destination – Enter the Local Networks for all remote firewalls and the Local Networks for the VPN hub. 
  • Connection Method – Select the DynMeshAllow custom connection object created in Step 5.

You now have a Dynamic Mesh VPN network that automatically creates dynamic VPN tunnels when traffic matches an access rule using a Dynamic Mesh-enabled connection object. Go to VPN > Site-to-Site to see all dynamic tunnels on the remote firewalls or on the VPN hub. Dynamic tunnels are terminated automatically after no traffic has passed through them for the Dynamic Mesh Timeout defined in the Site-to-Site configuration for each tunnel.