It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda Campus Barracuda Campus
Barracuda CloudGen Firewall
Overview Documentation Training Certification Materials

How to Add a VPN Transport to a TINA VPN Tunnel with Explicit Transport Selection

  • Last updated on

Add multiple VPN transports to your TINA site-to-site VPN tunnel to use SD-WAN. The SD-WAN settings in the access rules matching the traffic determine which transport is used.

Before You Begin

Create a TINA site-to-site VPN tunnel between two CloudGen Firewalls. For more information, see How to Create a TINA VPN Tunnel between CloudGen Firewalls.

Step 1. Add a Transport to the VPN Tunnel

  1. Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > VPN Service > Site to Site.
  2. Click Lock.
  3. Right-click an existing TINA VPN tunnel and select Add
    add_trans_tina.png
  4. Select Add New Transport. The TINA tunnel transport window opens.

  5. Configure the transport settings for the local firewall. For more information, see TINA Tunnel Settings.

    Configure the CloudGen Firewall with a dynamic IP address to be the active peer. If both firewalls use dynamic IP addresses, a DynDNS service must be used. For more information, see How to Configure VPN Access via a Dynamic WAN IP Address

  6. Click OK.
  7. Click Send Changes and Activate.

Step 2. Add the VPN Transport on the Remote Firewall

Duplicate the VPN transport configuration on the remote firewall. For more information, see How to Create a TINA VPN Tunnel between CloudGen Firewalls.

Step 3. Create a Custom Connection Object for the SD-WAN Primary

Create a custom connection object to route traffic into the new VPN transport and configure the firewall as a SD-WAN primary.

  1. Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > Firewall > Forwarding Rules.  
  2. In the left menu, click Connections.
  3. Right-click the table and select New Connection. The Edit/Create a Connection Object window opens.  
  4. Enter a Name.
  5. From the Translated Source IP list, select Original Source IP.
  6. Click Edit/Show.
    ti_conn.png
  7. The SD-WAN Settings window opens. From the Transport Selection Policy drop-down list, select Explicit Transport Selection.
  8. From the SD-WAN Learning Policy drop-down list, select Primary.
    ti_add_primary.png
  9. Configure the Explicit SD-WAN Transport Selection policy:
    • Primary Transport Class – Select the default transport class for the traffic matching this rule.
    • Primary Transport ID – Select the default transport ID for the traffic matching this rule. 
    • Secondary Transport Class – Select the backup transport class.
    • Secondary Transport ID – Select the backup transport ID.
    • Further Transport Selection – Select the transports that are used if the primary and secondary VPN transports fail. Depending on the additional available VPN transports, you can define more than one backup path. Select from the following predefined policies:
      • First try Cheaper then try Expensive
      • Only try Cheaper
      • First try Expensive then try Cheaper
      • Only try Expensive

      • Stay on Transport (no further tries)

    • Allow Bulk Transports | Allow Quality Transports | Allow Fallback Transports – Enable all transport classes that can be used as a backup path in combination with the Further Transport Selection setting.
    Feature Level 8Feature Level 9
    ti_add_primary_details_feature_level_8.pngti_add_primary_details_feature_level_9.png
  10. (TCP transports only) Configure TCP Transport Traffic Prioritization settings:
    • When using BULK Transports – The priority level for the bulk transport class.
    • When using QUALITY Transports – The priority level for the quality transport class.
  11. (Dynamic Mesh only) Configure the Dynamic Mesh settings. For more information, see Dynamic Mesh VPN Networks.
  12. Click OK.
  13. Click OK.
  14. Click Send Changes and Activate.

Step 4. Create a Custom Connection Object for the SD-WAN Secondary

Create a custom connection object to route traffic into the new VPN transport and configure the firewall as a SD-WAN secondary.

  1. Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > Firewall > Forwarding Rules .  
  2. In the left menu, click Connections.
  3. Right-click the table and select New Connection. The Edit/Create a Connection Object window opens.  
  4. Enter a Name.  
  5. From the Translated Source IP list, select Original Source IP.
  6. Click Edit/Show. The SD-WAN Settings window opens.
    ti_conn.png
  7. From the SD-WAN Learning Policy drop-down list, select Secondary. All other SD-WAN settings are learned from the SD-WAN primary.
    ti_add_secondary.png
  8. Click OK.
  9. Click OK.
  10. Click Send Changes and Activate.

 

Step 3. Edit Access Rules Matching the VPN Traffic

Edit the access rules matching the VPN traffic on both firewalls to use the custom connection objects. If multiple firewalls are connected in a hub and spoke VPN network, the firewall acting as the VPN hub must be the SD-WAN primary. Create multiple access rules and connection objects to statically route VPN traffic through different VPN transports.

For more information, see How to Create Access Rules for Site-to-Site VPN Access.

Next Steps

Configure advanced SD-WAN features such as: