The Barracuda CloudGen Firewall VPN Graphical Tunnel Interface (GTI) provides you with a graphical interface to create and manage TINA and IKEv1 IPsec VPN tunnels. When configuring VPN tunnels manually, there are many identical configuration steps and settings. The GTI editor eliminates many of these redundant steps, helping you configure your VPN tunnels more quickly and with less errors. Environments with many VPN tunnels especially benefit by using the GTI editor. The GTI editor is available on the Barracuda Firewall Control Center and can be used on a global, range, or cluster level.
VPN Groups
VPN groups contain VPN services running in the same scope as the GTI editor. You can create as many groups as needed and then assign the available VPN service to the individual groups. When using the GTI on the cluster or range level, only include VPN services running on that range or cluster.
VPN GTI Settings per VPN Service
For each VPN service you want to use in the GTI Editor, you must configure a few basic parameters:
- Transport Source IP – This is a list of one of more IP addresses the VPN service is listening on. They can be entered explicitly or selected by the system using a rooting table lookup (Dynamic - via routing). You can also use all IP addresses configured in the VPN service properties by selecting All Service IPs.
- Transport Listening IP – Use an external IP address, which remote firewalls use as a destination IP address to establish a VPN tunnel. Use an external IP address through which the VPN service on the CloudGen Firewall can be reached. If only active VPN connections are going to be configured on this unit, no listening IP is needed.
- Networks – In the network configuration of the firewall your VPN service is running on, set the on-premise network(s) that are made available via VPN tunnel.
All other settings for the VPN tunnels are taken from the GTI Editor Defaults that are defined for each VPN Group.
For more information, see How to Configure VPN GTI Settings for a VPN Service.
VPN Tunnels
VPN tunnels are created by dragging a connection from one firewall to the other. The tunnel configuration parameters stored for each VPN service are then used to create the VPN tunnel. It might be necessary to configure some settings or remove a listening IP address, depending on how you configured the VPN GTI Settings.
For more information, see How to Create a VPN Tunnel with the VPN GTI Editor.
SD-WAN
The GTI editor allows you to add additional transport tunnels when using SD-WAN by a simple drag-and-drop operation. The tunnel configuration for the new transport can then be configured just like the primary transport.
For more information, see How to Configure SD-WAN Using the VPN GTI Editor.
GTI Editor Limitations
There are a some limitations you need to consider when using the GTI editor.
- You cannot import manually configured VPN tunnels into the GTI editor – Recreate the manually configured VPN tunnels in the GTI Editor. After creating the VPN tunnels in the GTI editor, remove the manually configured tunnels. Otherwise the VPN tunnel is configured twice and will not work correctly.
- Remember to create access rules that allow traffic in your VPN tunnels – The GTI Editor only creates VPN tunnels. Access rules must still be created manually to allow traffic to and from your VPN tunnels.
- The GTI Editor is only available in the Barracuda Firewall Control Center – When you go to the VPN page while logged into a CloudGen Firewall, only the VPN tunnels are listed. You will not see the VPN groups and VPN tunnel diagram.
- IKEv2 IPsec VPN Tunnels – IKEv2 IPsec tunnels are not supported by the GTI Editor.