The CloudGen Firewall VPN service can handle protected connections in various ways. Each connection type is characterized by special properties that, in turn, depend on numerous settings. To access the VPN settings in Firewall Admin:
- On single boxes, go to CONFIGURATION > Configuration Tree > Box > Assigned Services > VPN > VPN Settings.
- On CC-managed boxes, go to CONFIGURATION > Configuration Tree > Multi Range > your range > your cluster > Box > Assigned Services > VPN > VPN Settings.
The following configuration options are available in the VPN Settings menu:
General
This option contains sections for configuring settings for the VPN base service, usage of the TINA tunneling protocol, and the Access Control Service.
The VPN service relies on several settings necessary for operation. The parameters are grouped into the following subsections:
Service
| Setting | Value(s)
*=default | Description |
|---|
| Listen on port 443 | Deactivated | The TCP tunnel transport usually uses TCP connections on port 691, the default.
However, if a connection is necessary through SOCKS4 or HTTP proxies, port 443 can be used as an alternative. Port 443 can be used only by one service. If this port is redirected to another machine by the firewall service or if an SSL VPN is running, disable port 443 for client-to-site VPN connections. |
| Local VPN listen port | | TCP tunnel transports use port 691 as default. If you want to use a different port number, you must enter it in this field. |
| Maximum number of tunnels | *Auto
1
64
512
2048
8192 | This value sets the maximum number of concurrent client-to-site and site-to-site tunnels accepted by the VPN service. |
| CRL poll time [min.] | 0 | The time interval in minutes for fetching the Certificate Revocation List. Entering 0 results in a poll time of 15 minutes. |
| Site to Site authentication | Selected Deselected | Typically, a tunnel registers itself at the firewall by creating an auth.db entry with the tunnel network and the tunnel credentials. You can then create an access rule with the tunnel name or credentials as a condition. This feature is rarely used. |
| Add VPN routes to main routing table | Selected Deselected | Add the routes for published VPN networks to the main routing table with a metric of 10. For more information, see Authentication, Encryption, Transport, IP Version and VPN Routing. |
| Allow concurrent user sessions | Selected Deselected | Allow a user to connect multiple times via client-to-site VPN. An Advanced Remote Access subscription is required. |
| Use Perfect Forward Secrecy | Enforced
Yes
No | Enable perfect forward secrecy and elliptic curve cryptography for TINA site-to-site VPN tunnels. For more information, see Authentication, Encryption, Transport, IP Version and VPN Routing. |
| Accounting information storage time [days] | 14 | Stores information on client-to-site connections and site-to-site VPN tunnels using the TINA VPN protocol in the /VPNservice/VPN log file. For client-to-site VPN connections, both the login and logout are logged. To disable this feature, set to 0. This information is also used by the Report Creator. For more information, see Barracuda Report Creator.
Example login log entry:Session PGRP-AUTH-user1-b607769a27fdf6e: Accounting LOGIN - user=user1 IP=REMOTE_IP start="2016/05/27 15:00:00" Example logout log entry:Session PGRP-AUTH-user1-b607769a27fdf6e: Accounting LOGOUT - user=user1 IP=REMOTE_IP start="2016/05/27 15:00:00" duration=0:03:36 inBytes=0 outBytes=0 lastOS="Android 6.0" lastClient="Android 2.0.1" |
| Send SDWAN data to Control Center | Yes
Auto
No | Defines how SD-WAN data is propagated to the Control Center. |
| Log VPN user accounting | On Off | If set to On, this option creates a log entry for every user log-in and log-off for a client-to-site connection. |
| Log SDWAN | On Off | If set to On, the firewall stores the Min/Avg/Max value of the throughput rate every 5 minutes. |
| Default Server Certificate | Selected Deselected | Select the check box to use self-signed certificates. |
| Private Key | - - | Click the "add" icon to create a new private key. Click the blue "up arrow" icon to clear, import, or export the certificate. |
| Certificate | - - | Click the "certificate" icon to edit the current certificate. Click the "pen" icon to clear, import, or export the certificate. |
| Certificate Chain | - | Enter a chain of server certificates if necessary. |
TINA
| Setting | Value(s)
*=default | Description |
|---|
| Handshake Timeout [sec] | 10 | Set the time in seconds until a handshake request times out. |
| Tunnel HA Sync | | During an HA takeover, the initialization of all VPN tunnels and transports requires a very CPU-intensive RSA handshake procedure. As long as less than approximately 200 tunnels and transports are terminated, this initialization happens very quickly and does not decrease overall system performance. Due to real-time synchronization to the HA partner unit, the system load during a takeover can be decreased, providing faster tunnel re-establishment. |
| Pending session limit | Selected Deselected | Enforces a limit of five sessions. Additional session requests are dropped. |
| Prebuild cookies on startup | | Pre-builds the cookies when the VPN service is started. This can slow the VPN service startup but increases the speed of tunnel builds. Typically, cookies are built on demand while a VPN tunnel is initiated. Enable this setting to prevent high system load on CloudGen Firewalls that are concentrating a large number of VPN tunnels. High system load caused by the VPN service can occur if a large number of VPN tunnels are established simultaneously after a reboot or Internet Service Provider outage. |
| Global TOS copy | Selected *Deselected | Enables the Type of Service (ToS) flag for site-to-site tunnels. By default, the ToS flag is globally disabled (setting: Off). Individual tunnel ToS policies override global policy settings. |
| Global replay window size [packets] | 256 | If ToS policies assigned to VPN tunnels or transport packets are not forwarded instantly according to their sequence number, you can configure the replay window size for sequence integrity assurance to avoid IP packet "replaying." The window size specifies a maximum number of IP packets that can be on hold until it is assumed that packets have been sent repeatedly and sequence integrity has been violated. Individual window size settings are configurable per tunnel and transport, overriding global policy settings. To specify that tunnel and transport settings should be used, enter 0 (default). To view the specified replay window size, double-click the tunnel on the VPN page to open the Transport Details window (attribute: transport_replayWindow). |
| Allow Dynamic Mesh | Selected Deselected | Enable Dynamic Mesh for this VPN service. For more information, see Dynamic Mesh VPN Networks. |
Acccess Control Service
| Setting | Value(s)
*=default | Description |
|---|
| IP Address | | The IP address of the Access Control Service. |
| Sync Authentication Trust Zone | Selected Deselected | If activated, propagates authentication information to systems in the same trustzone. |
IPSec
This menu contains settings for the usage of the IPSec tunneling protocol.
| Setting | Value(s)
*= default | Description |
|---|
| Use IPsec dynamic IPs | Selected Unselected* | Select the checkbox if the service is connected to the Internet via a dynamic link (dynamic IP address). The server IP address is not yet known at configuration time and IKE then listens to all local IP addresses. |
IKEv1
| Setting | Value(s)
*=default | Description |
|---|
| Timeout | 30 | The maximum period to wait until the request for IPsec tunnel connection establishment must be approved by the remote peer. |
| Tunnel check interval [s] | 30 | The interval between queries for a valid exchange that is assignable to an IPsec tunnel. |
| Dead Peer Detection Interval [s] | 5 | Tunnels can be configured to be Active or Passive. An active tunnel is capable of establishing a connection while a passive tunnel is waiting for a connection request. This parameter sets the interval between keep-alive checks on the remote peer. |
| IKEv1 Log Class | ALL* | The debug log class of IKEv2. Do not select a log class different than ALL if the log is not required for solving issues. |
| IKEv1 Log Level | 0* | The debug log level of IKE. The debug log may be very “noisy.” Do not select a log level greater than 0 if the log is not required for solving an issue. |
| Pre-shared key (PSK) | - | Holds the pre-shared IKE key. |
IKEv2
| Setting | Value(s)
*=default | Description |
|---|
| Start IKEv2 | Selected* Deselected | If selected, IKEv2 will be used. If deselected, IKEv2 will be disabled and some additional memory will be saved. |
| IKEv2 Make Before Break | Selected Deselected | Selecting this option creates a duplicate of the IKE and all IPsec SAs, and the deletes the old ones. This setting requires that both peers can handle overlapping SAs. |
| IKEv2 Log Class | All* | The debug log class of IKEv2. Do not select a log class different than ALL if the log is not required for solving issues. |
| IKEv2 Log Level | 0 | The debug log level of IKEv2. Do not select a log level greater than 0 if the log is not required for solving an issue. |
| IKEv2 Suppress Network Change Events | Selected Deselected* | This is an advanced setting. If selected, network interface/address/route changes which may cause an automatic reconnect of the VPN tunnel will be ignored. This parameter becomes active after a restart of the IKEv2 daemon. Restart the VPN service or execute ipsec restart in a shell. |
Routed VPN
The following settings apply both to the VPN interface and the next-hop interface. The interface configuration is mainly used for static routing (e.g., when configuring VPN on VRFs, or when changing the vpn0 interface IP address), whereas the next-hop interface must be configured when using routed VPN or dynamic routing protocols (e.g., BGP or OSPF over VPN). After assigning the interface with a local IP address, it may be directly used within the OSPF or BGP router configuration.
| Setting | Description |
|---|
| VPN Interface | The unique index number for the VPN interface. |
| MTU | The Maximum Transmission Unit size. Values may be within the range of 576 and 9000. The MTU size applies to all VPN clients that connect to the VPN server. It is not necessary to configure the MTU size on a VPN client. |
| IPs | The IP addresses that will be started on the vpnX interface. Multiple IP addresses can be entered by delimiting them with a blank character. |
| Multicast | Holds all multicast IP addresses. They can be entered by delimiting them with a blank character. |
Client Networks
When the VPN client connects, it is assigned an IP address out of the VPN client network configured in the VPN profile. The meaning of the editable fields applies both to IPv4 and IPv6 addresses.
| Setting | Value(s)
*=default | Description |
|---|
| Name | - | The name of the client network. |
| Type | routed (Static Route) local (Proxy ARP) | routed (Static Route) – The client network is a separate network. Routed networks can be extended more easily, but require access rules to be able to access the on-premises networks. local (Proxy ARP) – To use a part of an existing local network for the VPN clients, use a local client network. The firewall automatically enables Proxy ARPs for the IP addresses in the local client network. |
| Advertise route | Selected Deselected | Select the check box to propagate this network route via the OSPF/RIP/BGP service. |
| Network Address | - | The address of the client network in CIDR notation, e.g., 192.168.0.0/24 |
| Gateway | - | The address of the gateway in the client network. |
| IP Range Base | Only editable for the network type 'local' | When selecting the network type 'local', the IP Range Base specifies a subnet that must be within the range of the configured Network Address, e.g.,
Network Address = 192.168.0.0./24 and IP Range Base = 192.168.0.0/8 |
Service Keys
The Service Certificates/Keys table lists all configured service certificates and keys.
| Setting | Description |
|---|
| Keyname | The name of the service key. |
| Hash | The hash value of the key. |
| Comment | The comment describes a certain aspect concerning the key. |
| Bits | The length of the key is in bits. |
For more information on how to fill these fields, see How to Set Up Barracuda VPN CA VPN Certificates.
Root Certificates
The Root Certificates table lists all configured root certificates. A root certificate applies to the X.509 standard.
| Setting | Description |
|---|
| Certname | The name of the certificate. |
| Usage | Describes the usage of the root certificate. |
| CRL URI | The URL for revoking the certificate. |
| Status | Reflects whether the certificate is valid. |
| Issued To | The receiver whom the certificate is issued to. |
| Issued By | The source who issued the certificate. |
| Comment | Holds a comment that relates to the certificate. |
For more information on how to import a root certificate, see How to Set Up External CA VPN Certificates.
Service Certificates
The Service Certificates table lists all certificates that are related to the VPN service running on the CloudGen Firewall.
| Setting | Description |
|---|
| Certname | The name of the certificate. |
| Status | Reflects whether the certificate is valid. |
| Private Key | The private key. |
| Bits | The length of the key is in bits. |
| Chain | The chain of certificates. |
