Barracuda CloudGen Firewall

How to Configure VPN GTI Settings for a VPN Service

Before adding VPN services to the VPN group, you must configure GTI VPN settings for each service. This information is then used by the GTI Editor when creating VPN tunnels.

  • Transport Source IP – The IPv4 or IPv6 address the VPN service is listening on.
  • Transport Listening IP – The external IPv4 or IPv6 addresses the VPN service can be reached at.

Before You Begin

Ensure you have switched to the Advanced Configuration mode in Firewall Admin. This will provide access to the necessary configuration options.

Step 1. Add the On-Premises Networks

The Barracuda CloudGen Firewall offers three ways to declare on-premises networks you want to make available through the VPN tunnel as GTI networks:

Add the GTI Networks as Shared Networks
  1. Go to CONFIGURATION > Configuration Tree > Box > Network.
  2. In the left menu, select IP Configuration.
  3. Click Lock.
  4. In the Shared Networks and IPs section, click +. The Shared Network and IPs window opens.
    1. Select an Interface for the VPN service.
    2. In the Network Address field, enter the local IPv4 networks you want to be available over the VPN. E.g., 10.0.10.0/25
    3. Select the GTI Network check box.
    4. Click OK.
  5. Click Send Changes and Activate.

The local IPv4 network is now displayed in the GTI Networks list.

Select the GTI Networks in the Routing Configuration

  1. Go to CONFIGURATION > Configuration Tree > Box > Network.
  2. In the left menu, select Advanced Routing.
  3. Click Lock.
  4. In the IPv4 Route Configuration section, edit a configured direct-attached route or create a new one. The IPv4 Routing Table window opens.
  5. Select the GTI Network check box.
  6. Click OK.
  7. Click Send Changes and Activate.

The local IPv4 network is now displayed in the GTI Networks list in Box > Network > IP Configuration.

Add On-Premises Networks to the GTI Networks List

  1. Go to CONFIGURATION > Configuration Tree > Box > Network.
  2. In the left menu, select IP Configuration.
  3. Click Lock.
  4. In the GTI Networks list, click + and add the local IPv4 networks you want to be available over the VPN.
  5. Click OK.
  6. Click Send Changes and Activate.

If you are using the old virtual server concept, you must enter the local IPv4 networks you want to be available over the VPN in the Server/GTI Networks table (CONFIGURATION > Configuration Tree > Multi-Range > your range > your cluster > your virtual server > Server Properties).

Step 2. Configure the VPN GTI Settings

Configure the IP addresses the VPN service is listening on and the IP addresses through which the VPN service can be reached from the outside. Enter all configured IP addresses. You can remove them later when configuring the VPN tunnel in the GTI Editor as needed.

  1. Go to CONFIGURATION > Configuration Tree > Multi-Range > your range > your cluster > your box > Assigned Services > VPN Service > VPN GTI Settings.
  2. Click Lock.
  3. Configure the IPv4 Transport Settings:
    1. Select the Transport Source IP:
      • All Service IPs – Use all IP addresses defined in the Service Properties of the VPN service.
      • First-IP – Use the first IP address of the virtual server. Service properties of the VPN service must be configured to use the first IP address.
      • Second-IP – Use the second IP address of the virtual server. Service properties of the VPN service must be configured to use the second IP address.
      • Dynamic (via routing) – Source IP address is chosen via routing lookup. 
      • Explicit – Select Explicit and enter the IP addresses in the Explicit Transport Source IP table.
    2. Select the Transport Listening IP:
      • Use Transport Source IP
      • First-IP – Use the first IP address of the virtual server. Service properties of the VPN service must be configured to use the first IP address.
      • Second-IP – Use the second IP address of the virtual server. Service properties of the VPN service must be configured to use the second IP address.
      • Dynamic (via routing) – Source IP address is chosen via routing lookup. 
      • Explicit – Select Explicit and enter the IP addresses in the Explicit Transport Listening IP table.

        If you are only using active VPN connections from this VPN service, you can disable the transport listening IP by entering 127.0.0.1 in the Explicit Transport Listening IP table.

  4. Configure the IPv6 Transport Settings:
    1. Select the Transport Source IP:
      • All Service IPs – Use all IPv6 addresses defined in the Service Properties of the VPN service.
      • Dynamic (via routing) – Source IP address is chosen via routing lookup. 
      • Explicit – Select Explicit and enter the IPv6 addresses in the Explicit Transport Source IP table.
    2. Select the Transport Listening IP:
      • Use Transport Source IP
      • Explicit – Select Explicit and enter the IP addresses in the Explicit Transport Listening IP table.
  5. Click Send Changes and Activate.
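
A pre-flight check of the values gathered in Step 1 and Step 2, run before they are typed into Firewall Admin. This is an added example, not Barracuda code: it works on a planning sheet, not on the firewall, and the site names, addresses and the SITES/TUNNELS layout are constructed. It assumes that overlapping GTI networks at different sites are a planning error and that a tunnel needs at least one end whose Transport Listening IP is not disabled with 127.0.0.1.

```python
import ipaddress
from itertools import combinations

# Constructed planning data: one entry per VPN service (hypothetical names).
SITES = {
    "hq":      {"gti_networks": ["10.0.10.0/25", "10.0.20.0/24"],
                "listening_ips": ["203.0.113.10"]},
    "branch1": {"gti_networks": ["10.0.10.64/26", "10.0.30.1/24"],
                "listening_ips": ["127.0.0.1"]},   # active-only service
    "branch2": {"gti_networks": ["10.0.40.0/24"],
                "listening_ips": ["127.0.0.1"]},   # active-only service
}
TUNNELS = [("hq", "branch1"), ("branch1", "branch2")]


def accepts(cfg):
    """True if the service has at least one non-loopback listening IP."""
    ips = [ipaddress.ip_address(i) for i in cfg["listening_ips"]]
    return any(not ip.is_loopback for ip in ips)


def check_plan(sites, tunnels):
    """Return a sorted list of findings for the planned GTI settings."""
    findings, nets = [], []
    for name, cfg in sites.items():
        for cidr in cfg["gti_networks"]:
            try:
                # strict=True rejects entries that have host bits set.
                nets.append((name, ipaddress.ip_network(cidr, strict=True)))
            except ValueError:
                findings.append(f"{name}: {cidr} is not a network address")
    # The same address range published by two different sites.
    for (s1, n1), (s2, n2) in combinations(nets, 2):
        if s1 != s2 and n1.version == n2.version and n1.overlaps(n2):
            findings.append(f"{s1} {n1} overlaps {s2} {n2}")
    # Both ends active-only: nobody is listening for the connection.
    for a, b in tunnels:
        if not accepts(sites[a]) and not accepts(sites[b]):
            findings.append(f"tunnel {a}-{b}: neither side listens")
    return sorted(findings)


if __name__ == "__main__":
    for finding in check_plan(SITES, TUNNELS):
        print(finding)
```
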

Next Step

Add the VPN service to a VPN group and create VPN tunnels using the GTI Editor. For more information, see How to Create a VPN Tunnel with the VPN GTI Editor.