Barracuda CloudGen Firewall

How to Create a TINA VPN Tunnel between CloudGen Firewalls


Since the TINA protocol offers significant advantages over IPsec, it is the main protocol used for VPN connections between CloudGen Firewalls. Many of the advanced VPN features, such as SD-WAN, are supported only for TINA site-to-site tunnels.


You must complete this configuration on both the local and the remote Barracuda CloudGen Firewall by using the respective values below: 

Setting                                    | Example values for the local firewall | Example values for the remote firewall
VPN local networks                         | 10.0.10.0/25                          | 10.0.81.0/24
VPN remote networks                        | 10.0.81.0/24                          | 10.0.10.0/25
External IP address (listener VPN service) | 62.99.0.40                            | 212.86.0.10

The following sections use the default transport, encryption, and authentication settings. For more detailed information, see TINA Tunnel Settings.

Before You Begin

If not already present, configure the Default Server Certificate in CONFIGURATION > Configuration Tree > Box > Assigned Services > VPN > VPN Settings > General. For more information, see VPN Settings.

Step 1. Configure the VPN Service Listeners

Configure the IPv4 and (optional) IPv6 listener addresses for the VPN service.

Step 2. Configure the TINA Tunnel at Location 1

For the firewall at Location 1, configure the network settings and export the public key. For more information on specific settings, see TINA Tunnel Settings.

  1. Log into the firewall at Location 1.
  2. Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > VPN > Site to Site.
  3. Click Lock.
  4. Click the TINA Tunnels tab.
  5. Right-click the table and select Add New Tunnel.
    1. Alternatively, you can click the + sign in the top-right corner of the window.
    2. Then, select Add Tunnel.
  6. In the Tunnel Name field, enter a name for the new VPN tunnel.
  7. For each remote network, add the address in the Remote section, e.g., 10.0.81.0/24.
  8. (optional) To propagate the remote VPN network via dynamic routing, select Yes for Advertise Route.
  9. In the left menu, click Transports.
  10. Click + to add a new transport for the VPN tunnel. The New Transport for window opens.
  11. Select the Call Direction. (At least one of the firewalls must be active.)

    Configure the CloudGen Firewall with a dynamic IP address to be the active peer. If both firewalls use dynamic IP addresses, a DynDNS service must be used. For more information, see How to Configure VPN Access via a Dynamic WAN IP Address.


  12. Configure the Basic transport settings. For more information, see TINA Tunnel Settings.

    • SD-WAN Class – Depending on your requirements, select either Bulk, Quality, or Fallback from the list.
    • Transport – Select the transport encapsulation (recommended: UDP).
    • Encryption – Select the data encryption algorithm.
    • Authentication – Select the hashing algorithm for packet authentication.
  13. In the left menu, click Peers.
    For Transport Source, select one of the following options:

  14. Configure SD-WAN and Advanced transport settings to match the settings configured for the local firewall. For more information, see the lower section in TINA Tunnel Settings.

    In the Advanced tab, you can select the Accepted Algorithms. To use a cipher, the list must match the Encryption settings configured in the Basic tab.

  15. Configure the Advanced tunnel settings to match the settings configured for the local firewall. For more information, see the lower section in TINA Tunnel Settings.
  16. Click OK.

  17. Click Send Changes and Activate.

Step 3. Create the TINA Tunnel at Location 2

  1. Log into the firewall at Location 2.
  2. Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > VPN > Site to Site.
  3. Click Lock.
  4. Click the TINA Tunnels tab.
  5. Right-click the table and select Add new TINA Tunnel. Alternatively, you can click the + sign in the top-right corner of the window. 
  6. Select Add Tunnel.
  7. In the Tunnel Name field, enter a name for the new VPN tunnel.
  8. For each remote network, add the address in the Remote section, e.g., 10.0.10.0/25.
  9. Configure the TINA tunnel settings to match the settings configured for Location 1. For more information, see the upper section in TINA Tunnel Settings.
  10. In the left menu, click Transports.
  11. Click + to add a new transport. The Edit Transport window opens, showing the Basic tab.
  12. Select the Direction. (At least one of the firewalls must be active.)


  13. In the left menu, click Peers.
  14. Configure the remaining transport and tunnel settings to match the configuration for Location 1. For more information, see the lower section in TINA Tunnel Settings.
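
Because the two tunnel definitions are entered by hand on separate firewalls, a mirror check before activation catches the usual mistakes (swapped or mistyped networks, two passive peers, mismatched algorithms). The following is an added example, not Barracuda code or part of the original page; the dict layout, key names, the "active"/"passive" labels, and the algorithm names are assumptions filled in by hand from the dialogs.

```python
import ipaddress

# Constructed sample data: one hypothetical dict per firewall, typed in from the
# values entered in the tunnel dialogs (this is not a Barracuda export format).
LOCATION_1 = {
    "local_networks": ["10.0.10.0/25"],
    "remote_networks": ["10.0.81.0/24"],
    "call_direction": "active",        # assumed labels: "active" / "passive"
    "transport": "UDP",
    "encryption": "AES256",            # constructed sample value
    "authentication": "SHA256",        # constructed sample value
    "accepted_algorithms": ["AES256"],
}
LOCATION_2 = {
    "local_networks": ["10.0.81.0/24"],
    "remote_networks": ["10.0.10.0/25"],
    "call_direction": "passive",
    "transport": "UDP",
    "encryption": "AES256",
    "authentication": "SHA256",
    "accepted_algorithms": ["AES256"],
}


def _nets(values):
    # strict=True raises ValueError for entries with host bits set (10.0.10.1/25).
    return {ipaddress.ip_network(v, strict=True) for v in values}


def check_tunnel_pair(a, b):
    """Return a list of mismatches between the two ends of one tunnel."""
    problems = []
    for x, y, name in ((a, b, "Location 1"), (b, a, "Location 2")):
        # Each side's remote networks must equal the peer's local networks.
        if _nets(x["remote_networks"]) != _nets(y["local_networks"]):
            problems.append(f"{name}: remote networks do not mirror the peer's local networks")
        # A local network that overlaps a remote one would never be routed into the tunnel.
        for loc in _nets(x["local_networks"]):
            for rem in _nets(x["remote_networks"]):
                if loc.overlaps(rem):
                    problems.append(f"{name}: local {loc} overlaps remote {rem}")
        # The accepted-algorithms list has to contain the configured cipher.
        if x["encryption"] not in x["accepted_algorithms"]:
            problems.append(f"{name}: accepted algorithms omit {x['encryption']}")
    # At least one of the firewalls must be the active (initiating) peer.
    if "active" not in (a["call_direction"], b["call_direction"]):
        problems.append("neither firewall is active")
    for key in ("transport", "encryption", "authentication"):
        if a[key] != b[key]:
            problems.append(f"{key} differs: {a[key]} vs {b[key]}")
    return problems
```

An empty list from `check_tunnel_pair(LOCATION_1, LOCATION_2)` means the two ends agree; any returned string names the setting to correct before clicking Send Changes and Activate.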

Step 4. Exchange the Public Keys Between the Local and Remote Firewall

Start by exporting the public key in the displayed window on the remote firewall.

  1. Go to CONFIGURATION > Configuration Tree > Box > your remote firewall > Assigned Services > VPN > Site to Site.
  2. Edit the transport for the TINA tunnel.
  3. In the left menu, click Identity.
  4. From the Identification Type list, select Public Key.
  5. In the Local section, click the cog wheel icon next to Server Protocol Key, and export the public key to clipboard.
  6. Click OK and close the TINA Tunnel configuration.

  7. Go to CONFIGURATION > Configuration Tree > Box > your local firewall > Assigned Services > VPN > Site to Site.
  8. Click Lock.
  9. Select TINA Tunnels.
  10. Open the configuration for the site-to-site tunnel transport created in Step 1.
  11. In the left menu, click Identity.
  12. In the Remote section, click the cog wheel icon next to Public Key, and import the key from the clipboard.
  13. Click OK.
  14. Click Send Changes and Activate.
  15. In the Local section, click the cog wheel icon next to Server Protocol Key, and export the key to the clipboard.
  16. Click OK to close the TINA Tunnel window.
  17. Go to CONFIGURATION > Configuration Tree > Box > your remote firewall > Assigned Services > VPN > Site to Site.
  18. Click Lock.
  19. Select TINA Tunnels.
  20. Open the configuration for the site-to-site tunnel transport.
  21. Click the Identity tab.
  22. In the Remote section, click the cog wheel icon next to Public Key, and import the public key from the clipboard.
  23. Click OK and close the TINA Tunnel window.
  24. Click Send Changes and Activate.

After configuring the TINA VPN tunnel on both firewalls, you must also create an access rule on both systems to allow access to the remote networks through the VPN tunnel.

Next Step

Create access rules to allow traffic in and out of your VPN tunnel: How to Create Access Rules for Site-to-Site VPN Access.