Barracuda CloudGen Firewall

TINA Tunnel Settings

The following list provides a complete overview of all TINA tunnel and transport settings.

Tunnel Settings

Networks

Setting

Description

Scheme

Select a configured scheme for local networks.

Local Networks

Click + to add the local networks that should be able to reach the peer networks. You can enter a list of networks or single IP addresses. Because this setting is typically shared by several tunnels, it may be defined from the Local Networks setting and referenced within the single tunnel configurations. After typing an address, hit Enter.

Remote Networks

Click + to add the shared networks of the remote peer. After typing an address, hit Enter.

Transports

Setting

Description

Transports

Click + to add a VPN tunnel transport. For information on how to configure transport details, see the Transport Settings section below.

Advanced

Setting

Description

Packet Balancing inside a Provider Class

Enables/disables packet-based traffic balancing over multiple ISP connections. This only works for transports within the same SD-WAN class. For more information, see How to Configure Packet-Based Balancing for VPN Tunnels with SD-WAN.

Use Dynamic Mesh

Enable to allow this CloudGen Firewall to create and accept dynamic VPN tunnels. For more information, see Dynamic Mesh VPN Networks.

Dynamic Mesh Timeout

Dynamic tunnels are terminated after the timeout (in seconds) passes without traffic being sent through the VPN tunnel.

VPN Interface Index

By default, the tunnel is fed through vpn0. To use another VPN interface, enter it in this field.

Transport Settings

Basic

Setting

Description

Call Direction

From this list, you can select one of the following options to specify if the local network is active or passive:

  • Active – An active VPN server accepts tunnel requests and initiates the tunnel connection. When the tunnel is down for a defined time, it cleans its state to accept retries from its partner. Furthermore, it tries to initiate the connection by itself.

  • Passive – A passive VPN server does not build up the tunnel. It merely accepts requests from its partner. If the tunnel is down for a defined time, it cleans its state to accept retries from its partner.

  • OnDemand – Use this option with SD-WAN. The VPN server actively builds up a connection and terminates it during the time-outs specified by the On Demand Transport Timeout setting from the SD-WAN - Envelope Protection tab.

Enable this Transport

To manually disable the tunnel, select this check box.

SD-WAN Class

Assign a class for each transport, or select from the list of configured providers. For the first transport, only provider or class 'Bulk' is allowed. Further transports can be classified individually.

If policy profiles are used in the firewall, you can only select one provider (provider enforcement).

Transport

The transport type for the tunnel. You can select one of the following options:

  • UDP – The tunnel uses UDP to communicate. This connection type is suited best for response-optimized tunnels. It allows fast transport and generates the least overhead.

  • TCP – The tunnel uses a TCP connection on port 691 or 443 per default (for HTTP proxies). This mode is required for connection over SOCKS4 or HTTP proxies. It is useful for unreliable lines where packet loss is common.

  • UDP & TCP – The tunnel uses TCP and UDP connections. The tunnel engine uses the TCP connection for UDP requests and the UDP connection for TCP requests and ICMP-based applications.

  • ESP – The tunnel uses ESP (IP protocol 50) to communicate. This connection type is best suited for performance-optimized tunnels. This option is useful for a private link such as MPLS, or when ESP is not blocked by NAT.

    • Do not select ESP if there are filtering or NAT interfaces in between.
    • Some routers, especially DSL routers for home accounts and cable modems, block ESP traffic. In this case, select TCP or UDP.

  • Routing – Use this option with SD-WAN. It disables data payload encryption within the tunnel and should only be used for uncritical bulk traffic on private lines. With this option, you can also specify the next hop address for the routed data packets when configuring the SD-WAN traffic transport classification.

Encryption 

The data encryption algorithm. You can select one of the following options:

  • AES | AES256 | AES-CTR | AES256-CTR – The Advanced Encryption Standard (default). AES works with a 128-bit key length and AES256 works with 256-bit keys. With AES256, the security of the encrypted data is increased, but more CPU capacity is required. Only use AES256 when required. AES represents a very good compromise between key length and encryption speed, and its speed can also be improved with hardware acceleration. (Recommended.)

  • 3DES – Further developed DES encryption. Three keys, each with a 56-bit length, are used sequentially, providing a key length of 168 bits. (Not recommended.)

    Avoid using 3DES because this algorithm works very slowly and only offers acceptable performance with the help of special hardware acceleration cards.

  • CAST – Algorithm similar to DES with a key length of 128 bits.

  • Blowfish – Works with a variable key length of up to 128 bits.

  • DES – Digital Encryption Standard. Because DES is only capable of a 56-bit key length, it can no longer be considered safe. (Not recommended.)

  • Null – No encryption.

Authentication

The hashing algorithm for the VPN tunnel. You can select one of the following options:

  • MD5 – Message Digest 5. The hash length is 128 bits. (Not recommended. High performance, but theoretically vulnerable.)

  • SHA – Secure Hash Algorithm. The hash length is 160 bits. (Not recommended. High performance, but theoretically vulnerable.)

  • NOHASH – Use NOHASH for systems with hardware encryption support because it allows for hardware-accelerated high encryption performance on these systems.

  • RIPEMD160 – RACE Integrity Primitives Evaluation Message Digest. The hash length is 160 bits. (Highly recommended.)

  • SHA256 – Secure Hash Algorithm. The hash length is 256 bits. (Highly recommended.)

  • SHA512 – Secure Hash Algorithm. The hash length is 512 bits.

  • GCM – Galois/Counter Mode (GCM). The hash length is 128 bits. Provides assurance of confidential data authenticity up to about 64 GB per invocation using a universal hash function defined over a binary Galois field.

Peers

Setting

Description

Endpoint Type

Enable to use IPv4 or IPv6 addresses for the VPN tunnel envelope.

Transport Source

Select the IP address that will be used for establishing a VPN tunnel/transport.

Explicit IP or Interface

Set a default explicit address or interface instead of a predefined one.

Explicitly assigned addresses must be included in the service configuration as well.

Remote Peer

Add one or more IP addresses or hostnames to connect to.

Identity

Setting

Description

Identification Type

From the list, you can select one of the following options to specify if a public key or certificate is to be used:

  • Public Key

  • X509 Certificate (CA signed)

  • X509 Certificate (explicit)

  • Box SCEP Certificate (CA signed)

When using certificate authentication, the tunnel name must be the same in both configurations.

Local / Remote

For certificates, configure the Server Certificate and/or Server Protocol Key settings to select the certificate and protocol key.

SD-WAN

From the SD-WAN - Bandwidth Protection and SD-WAN - VPN Envelope Protection tabs, configure the SD-WAN settings for the tunnel. For more information, see SD-WAN.

SD-WAN - Bandwidth Protection

Setting

Description

Dynamic Bandwidth Detection

When using traffic shaping, select the monitoring policy:

  • Disabled

  • Active Probing and Passive Monitoring

  • Active Probing Only

  • No Probing - use Estimated Bandwidth

For more information, see SD-WAN.

Bandwidth Policy

Choose a policy to define how traffic shaping is applied:

  • None – No traffic shaping policy is used.

  • Consolidated Shaping – Enable to shape VPN traffic twice: once on a per-transport basis and a second time for all VPN traffic together.

  • Assign QoS Profile – Apply a QoS profile. Select the Assigned QoS Profile for transports not using Dynamic Bandwidth and Latency Detection. Bandwidth Policy must be set to Assign QoS Profile.

  • Assign QoS Profile with Consolidated Shaping – Apply QoS with Consolidated Shaping.

  • TCP Buffer Shaping – Only for TCP transports using the TCP protocol for ingress shaping. Cannot be used in combination with Dynamic Bandwidth and Latency Detection.

  • Static Bandwidth – Static outbound shaping based on the Estimated Bandwidth. Cannot be used in combination with Dynamic Bandwidth and Latency Detection.

Estimated Bandwidth

Enter the outbound bandwidth in kbps.

Inbound/Reverse

Enter the inbound bandwidth in kbps, or -1 to use the same value as the outbound bandwidth.

Upper Limit

Define an upper limit in percent of the available bandwidth (default: 20).

Low Priority Upper Limit

Define a lower limit in percent of the available bandwidth (default: 60).

SD-WAN - VPN Envelope Protection

Setting

Description

TOS Policy

This policy setting specifies how Type of Service (ToS) information contained within a packet’s IP header is handled. In networks, the ToS may be used to define the handling of the datagram during transport. If the ToS is enveloped, this information is lost. You can select one of the following options:

  • Copy TOS From Payload to Envelope – Use this option with non-TCP transports. The packet’s original ToS information is copied onto the envelope so that it stays available for use.

  • Fixed Envelope TOS – The ToS information is masked by enveloping it without consideration.

Envelope TOS Value

Enter the fixed ToS value. The same ToS information is then assigned to all packets. For example:

DSCP   Precedence   Purpose
0      0            Best effort
8      1            Class 1
16     2            Class 2
24     3            Class 3
32     4            Class 4
40     5            Express Forwarding
48     6            Control
56     7            Control

For more information about precedence values, see http://www.bogpeople.com/networking/dscp.shtml and http://www.tucny.com/Home/dscp-tos.
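How the DSCP and Precedence columns of the table above relate to the single ToS byte in the IP header, and what the two TOS Policy options produce for the envelope, as an added Python example that is not part of the Barracuda documentation (the inner IPv4 header is constructed, and the function names and the "copy"/"fixed" policy labels are illustrative):

```python
import struct

# Constructed 20-byte IPv4 header. Byte 1 is the ToS/DS field: the DSCP sits in
# the top 6 bits and the ECN bits in the low 2. This header carries DSCP 40 (EF).
INNER_HEADER = struct.pack(
    "!BBHHHBBH4s4s",
    0x45, 40 << 2, 40, 0, 0, 64, 17, 0,
    bytes([10, 0, 0, 1]), bytes([192, 168, 1, 1]),
)

# The DSCP -> purpose rows from the table above (class-selector code points).
TABLE = {0: "Best effort", 8: "Class 1", 16: "Class 2", 24: "Class 3",
         32: "Class 4", 40: "Express Forwarding", 48: "Control", 56: "Control"}


def dscp_to_tos(dscp: int, ecn: int = 0) -> int:
    """Assemble the 8-bit ToS/DS byte: DSCP in bits 7..2, ECN in bits 1..0."""
    if not 0 <= dscp < 64 or not 0 <= ecn < 4:
        raise ValueError("dscp must be 0..63 and ecn 0..3")
    return (dscp << 2) | ecn


def tos_to_dscp(tos: int) -> int:
    """Extract the 6-bit DSCP from a ToS/DS byte."""
    return (tos >> 2) & 0x3F


def precedence(dscp: int) -> int:
    """IP Precedence is the top 3 bits of the DSCP, which is why the table's
    precedence column is simply DSCP // 8 for the class-selector values."""
    return (dscp >> 3) & 0x7


def envelope_tos(inner_header: bytes, policy: str, fixed_dscp: int = 0) -> int:
    """Return the ToS byte to write into the outer (envelope) IP header.

    policy "copy"  - Copy TOS From Payload to Envelope: keep the inner ToS byte,
                     so DSCP-based handling on the path still sees the marking.
    policy "fixed" - Fixed Envelope TOS: every envelope packet gets the configured
                     value, and the inner marking is hidden from the path.
    """
    inner_tos = inner_header[1]
    if policy == "copy":
        return inner_tos
    if policy == "fixed":
        return dscp_to_tos(fixed_dscp)
    raise ValueError(f"unknown TOS policy: {policy}")
```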

QoS Policy

The QoS Policy settings rely on connection objects that are assigned to bands in the firewall rulesets and specify bandwidth assignment to transports as a whole. Multiple transports can share a single band if they are processed by the same interface.

You can select one of the following options:

  • Use Band According to Rule Set – Use the band from the firewall rule, allowing traffic between the tunnel endpoints.

  • Copy Band From Payload To Envelope – Use the band from the firewall rule, redirecting traffic to the VPN tunnel entry point. The band setting for the rule that configures traffic between the tunnel endpoints is then ignored.

  • Fixed Envelope Band – Use a static band. From the Envelope Band Value list, select one of the available bands (System, Band A to Band G).

QoS Connector ID

The unique access ID for the connection.

Replay Window Size

If ToS policies assigned to VPN tunnels or transport packets are not forwarded instantly according to their sequence number, you can configure the replay window size for sequence integrity assurance and to avoid IP packet "replaying." The window size specifies a maximum number of IP packets that can be on hold until it is assumed that packets have been sent repeatedly and sequence integrity has been violated. Individual window size settings are configurable per tunnel and transport, overriding any global policy settings. Set to -1 to disable Replay Protection.

  • To view or edit the global replay window size, see the VPN server settings.

  • To view the replay window size for a tunnel, double-click the tunnel on the VPN page to open the Transport Details window (attribute: transport_replayWindow).
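The window behaviour described above, as an added Python model of a sliding anti-replay window in the style of RFC 4303 (not Barracuda's implementation; the class and the sequence-number trace are constructed for illustration and follow the documented convention that -1 disables the check):

```python
class ReplayWindow:
    """Sliding anti-replay window over transport sequence numbers.

    A window of ``size`` packets is tracked relative to the highest sequence
    number accepted so far: packets ahead of it advance the window, packets
    inside it are accepted once and rejected on repetition, and packets that
    fall behind it are treated as replays. ``size == -1`` disables the check.
    """

    def __init__(self, size: int):
        if size != -1 and size < 1:
            raise ValueError("size must be -1 (disabled) or a positive window length")
        self.size = size
        self.highest = 0   # highest sequence number accepted; 0 means nothing seen yet
        self.bitmap = 0    # bit i set => sequence number (highest - i) already accepted

    def accept(self, seq: int) -> bool:
        """Return True if ``seq`` is fresh (and record it), False if it is a replay."""
        if self.size == -1:
            return True                      # replay protection disabled
        if seq <= 0:
            return False                     # sequence numbers start at 1
        if seq > self.highest:
            shift = seq - self.highest       # slide the window forward
            if shift >= self.size:
                self.bitmap = 1              # jumped past the whole window: only seq is marked
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            return True
        behind = self.highest - seq
        if behind >= self.size:
            return False                     # older than the window: cannot be proven fresh
        if self.bitmap & (1 << behind):
            return False                     # already accepted: a duplicate or replay
        self.bitmap |= 1 << behind           # late but new: accept exactly once
        return True


def filter_sequence(size: int, seqs):
    """Run a sequence-number trace through one window; return the per-packet verdicts."""
    window = ReplayWindow(size)
    return [window.accept(s) for s in seqs]


if __name__ == "__main__":
    # Constructed trace: reordering (3 before 2) is tolerated, repeats are dropped,
    # and after the jump to 10 a window of 4 covers only 7..10, so 6 is rejected.
    trace = (1, 3, 2, 2, 1, 10, 6, 7)
    for seq, ok in zip(trace, filter_sequence(4, trace)):
        print(f"seq {seq:2d}: {'accept' if ok else 'drop'}")
```

A larger window tolerates more reordering on multi-path transports at the cost of accepting older repeats; -1 removes the protection entirely.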

On-Demand Transport Timeout

Transport will be disabled if no traffic has been sent within this period of time.

On-Demand Transport Delay

Instead of being processed the moment it arrives, the traffic is delayed for the specified time span until more traffic has accumulated.

Advanced

Setting

Description

Encryption

Select the accepted data encryption algorithm for the VPN transport. This is applied when the remote peer initiates the transport.

  • AES | AES256 | AES-CTR | AES256-CTR – The Advanced Encryption Standard (default). AES works with a 128-bit key length and AES256 works with 256-bit keys. With AES256, the security of the encrypted data is increased, but more CPU capacity is required. Only use AES256 when required. AES represents a very good compromise between key length and encryption speed, and its speed can also be improved with hardware acceleration. (Recommended.)

  • 3DES – Further developed DES encryption. Three keys, each with a 56-bit length, are used sequentially, providing a key length of 168 bits. (Not recommended.)

    Avoid using 3DES because this algorithm works very slowly and only offers acceptable performance with the help of special hardware acceleration cards.

  • CAST – Algorithm similar to DES with a key length of 128 bits.

  • Blowfish – Works with a variable key length of up to 128 bits.

  • DES – Digital Encryption Standard. Because DES is only capable of a 56-bit key length, it can no longer be considered safe. (Not recommended.)

  • Null – No encryption.

Authentication

Select the accepted hashing algorithm for the VPN transport. This is applied when the remote peer initiates the transport.

  • MD5 – Message Digest 5. The hash length is 128 bits. (Not recommended. High performance, but theoretically vulnerable.)

  • SHA – Secure Hash Algorithm. The hash length is 160 bits. (Not recommended. High performance, but theoretically vulnerable.)

  • NOHASH – Use NOHASH for systems with hardware encryption support because it allows for hardware-accelerated high encryption performance on these systems.

  • RIPEMD160 – RACE Integrity Primitives Evaluation Message Digest. The hash length is 160 bits. (Highly recommended.)

  • SHA256 – Secure Hash Algorithm. The hash length is 256 bits. (Highly recommended.)

  • SHA512 – Secure Hash Algorithm. The hash length is 512 bits.

  • GCM – Galois/Counter Mode (GCM). The hash length is 128 bits. Provides assurance of confidential data authenticity up to about 64 GB per invocation using a universal hash function defined over a binary Galois field.

Key Time Limit 

The period of time after which the re-keying process is started. You can select 5, 10 (default), 30, or 60 minutes.

Key Traffic Limit

The key traffic limit. You can select No Limit, 1 GB, 500 MB, 100 MB, 50 MB, 10 MB (default), 5 MB, or 1 MB.

Transport Probing

The interval between tunnel probes. If probes are not answered in the time period specified by the Tunnel Timeout setting, the tunnel is terminated. You can select Silent (no probes are sent), 1 secs, 10 secs, 20 secs, 30 secs (default), or 60 secs.

Transport Timeout

The length of time in which tunnel probes must be correctly answered before the tunnel is terminated. If, for some reason, the enveloping connection breaks down, the tunnel must be re-initialized. This is extremely important in setups with redundant possibilities to build the enveloping connection. You can select 3 secs, 10 secs, 20 secs (default), 30 secs, or 60 secs.

Compression

Enable to compress traffic transmitted through the VPN tunnel.

Dynamic Mesh on Dynamic Interface

Enable if Dynamic Mesh is used in combination with dynamic interfaces. For more information, see Dynamic Mesh VPN Networks.

High Performance Settings

To allow multiple CPUs and cores to be assigned to a single VPN tunnel to increase VPN performance, select this check box.

As of firmware 9.0.1, this option is enabled by default.

NOTE!

When this setting is enabled, the firewalls establish independent, unidirectional UDP sessions (by default on port 691) between the gateway IP addresses; these sessions are visible in the Live view. They are used for probing and for utilizing the available CPU cores for the VPN tunnel, and they are normal.

Proxy Type

From this list, you can select one of the following options:

  • Direct (no Proxy) – The standard connection.

  • HTTP Proxy – An HTTP proxy server with optional user/password authentication is used.

  • Socks 4 Proxy – A SOCKS4 server is used.

  • Socks 5 Proxy – A SOCKS5 server is used.

  • Like System Settings – Use the proxy settings configured on the CloudGen Firewall.

Proxy Server IP [:port]

Enter the network address and (optionally) port of the HTTP proxy.

Proxy User

Specify a username for authentication at the HTTP proxy.

Proxy Password

Specify a password for authentication at the HTTP proxy.

Start Script

Add a script that should be executed when connecting via VPN.

Stop Script

Add a script that should be executed when disconnecting from the VPN.

Peer Identification

Depending on whether the tunnel direction is passive or active, the partner server may be a whole subnet (passive mode) or may need to be defined by single IP addresses (active and bi-directional mode). Import the public key of the tunnel partner from the clipboard or from a file. In principle, the public key is not needed. However, it is highly recommended to use strong authentication to build up the tunnel enveloping connection. If you have two different tunnel connections configured between the same two peers, the keys are mandatory.

Perfect Forward Secrecy for TINA Tunnels

By default, the Barracuda CloudGen Firewall supports Perfect Forward Secrecy (PFS) and Elliptic Curve Cryptography (ECC). The VPN service sends and responds to PFS/EC requests and uses ECC if it is also supported by the remote firewall. To determine if PFS/EC is used, go to the VPN logs and check for the following log messages:

  • DH attributes found in request, generating a new key

  • DH attributes found in the response, deriving the shared secret

Clearing the DNS Cache of the VPN Service

To clear the cache and manually trigger a DNS lookup, open the VPN page. Right-click on the VPN tunnel and select Show Runtime information. Right-click on the IKE entry in the Worker section, and select Flush DNS Cache.

To clear the cache using the command line, log in as root and enter:

/opt/phion/bin/ipsecctrl isa flushdns