Barracuda CloudGen Firewall

How to Configure a TINA Site-to-Site VPN Tunnel When One Side is Using a Dynamic IP


In this example setup, two CloudGen Firewalls are connected via a TINA site-to-site VPN tunnel over the Internet. The firewall on the local site is using a WAN connection with a static public IP address. The remote firewall uses a dynamic WAN connection. Since the dynamic IP address of the remote firewall is volatile and can change, the remote firewall must be configured as the active VPN endpoint of the VPN tunnel.

tina_isp.png

The following table refers to the image and serves as an example. You must adjust the settings to your specific network and host IP values.

                          Local Firewall            Remote Firewall
External IP address       62.99.0.21/32 (static)    Dynamic via DHCP
Local Networks            10.0.10.0/25              10.0.80.0/24
Remote Networks           10.0.80.0/24              10.0.10.0/25
State of Tunnel Server    Passive                   Active

Step 1. Configure the TINA Site-to-Site VPN Tunnel on the Local Firewall

Traffic coming from the internal network 10.0.80.0/24 behind the remote firewall is forwarded through the TINA site-to-site VPN tunnel to the internal network 10.0.10.0/25 behind the local firewall. Since the public IP address of the remote firewall is dynamic, the Call Direction of the local firewall must be set to Passive.

  1. Log into the local firewall.
  2. Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > VPN > Site to Site.
  3. Click Lock.
  4. Click the TINA Tunnels tab.
  5. Right-click the table and select Add new TINA Tunnel. Alternatively, you can click the + sign in the top-right corner of the window. 
  6. Select Add Tunnel.
  7. In the Tunnel Name field, enter a name for the new VPN tunnel.
  8. In the left menu, click Transports.
  9. Click + to add a new transport for the VPN tunnel. The Edit Transport window opens, showing the Basic tab.
  10. Set the Call Direction to Passive so that the local firewall listens for incoming VPN tunnel requests.
    tina02_dir.png

  11. Configure the Basic transport settings. For more information, see TINA Tunnel Settings.

    • (optional) Provider – If providers have been configured by name in CONFIGURATION > Configuration Tree > Network > IP Configuration > Shared Networks and IPs, select a provider for the transport source and SD-WAN classification.
    • Transport – Select the transport encapsulation (recommended: UDP).
    • Encryption – Select the data encryption algorithm.
    • Authentication – Select the hashing algorithm for packet authentication.
  12. In the left menu, click Peers.

  13. Select a configured Template for the transport source, or select explicit and, from the Transport Source list, choose the IP address(es) or interface(s) that should be used to establish the VPN connection. To configure a template, click the Parameter Templates tab, create a New Tunnel Parameter Template, enter a Name, and add the tunnel address.

  14. In the Remote section, enter 0.0.0.0/0 for tunnel requests coming from the second firewall via the Internet.
    loc_fw_loc_rem_peer.png
  15. Configure SD-WAN and Advanced transport settings to match the settings configured for the local firewall. For more information, see the lower section in TINA Tunnel Settings.

    In the Advanced tab, you can select the Accepted Algorithms. To use a cipher, the list must match the Encryption settings configured in the Basic tab.

  16. Click OK. The TINA Tunnel configuration window opens.
  17. Configure the Advanced tunnel settings to match the settings configured for the local firewall. For more information, see the lower section in TINA Tunnel Settings.
  18. Click OK.
  19. Click Send Changes and Activate.

Step 2. Configure the TINA Site-to-Site VPN Tunnel on the Remote CloudGen Firewall

Since the local firewall's tunnel is working in passive mode, only the remote firewall can initiate a tunnel connection. Therefore, the Call Direction must be set to Active.

  1. Go to CONFIGURATION > Configuration Tree > Box > your remote firewall > Assigned Services > VPN > Site to Site.
  2. Click Lock.
  3. Click the TINA Tunnels tab.
  4. Right-click the table and select Add new TINA Tunnel. Alternatively, you can click the + sign in the top-right corner of the window. 
  5. Select Add Tunnel.
  6. In the Tunnel Name field, enter a name for the new VPN tunnel.
  7. In the left menu, click Transports.
  8. Click + to add a new transport for the VPN tunnel. The Edit Transport window opens, showing the Basic tab.
  9. Set the Call Direction to Active so that the firewall can initiate the VPN tunnel once it has obtained its Internet connection via DHCP.
    call_active.png

  10. Configure the Basic transport settings. For more information, see TINA Tunnel Settings.

    • (optional) Provider – If providers have been configured by name in CONFIGURATION > Configuration Tree > Network > IP Configuration > Shared Networks and IPs, select a provider for the transport source and SD-WAN classification.
    • Transport – Select the transport encapsulation (recommended: UDP).
    • Encryption – Select the data encryption algorithm.
    • Authentication – Select the hashing algorithm for packet authentication.
  11. In the left menu, click Peers.

  12. For the Transport Source, select Dynamic (via routing). The firewall then determines its source IP address with a routing table lookup.
  13. In the Remote section, enter the point of entry of the first firewall (in this example, 62.99.0.21).
  14. Configure SD-WAN and Advanced transport settings to match the settings configured for the local firewall. For more information, see the lower section in TINA Tunnel Settings.

    In the Advanced tab, you can select the Accepted Algorithms. To use a cipher, the list must match the Encryption settings configured in the Basic tab.

  15. Click OK. The TINA Tunnel configuration window opens.
  16. Configure the Advanced tunnel settings to match the settings configured for the local firewall. For more information, see the lower section in TINA Tunnel Settings.
  17. Click OK.
  18. Click Send Changes and Activate.

Exchange the Public Keys Between the Local and Remote Firewall

Start by exporting the public key from the remote firewall.

  1. Go to CONFIGURATION > Configuration Tree > Box > your remote firewall > Assigned Services > VPN > Site to Site.
  2. Edit the transport for the TINA tunnel.
  3. In the left menu, click Identity.
  4. From the Identification Type list, select Public Key.
  5. In the Local section, click the cog wheel icon next to Server Protocol Key, and export the public key to clipboard.
    export_public.png
  6. Click OK and close the TINA Tunnel configuration.

  7. Go to CONFIGURATION > Configuration Tree > Box > your local firewall > Assigned Services > VPN > Site to Site.
  8. Click Lock.
  9. Select TINA Tunnels.
  10. Open the configuration for the site-to-site tunnel transport created in Step 1.
  11. In the left menu, click Identity.
  12. In the Remote section, click the cog wheel icon next to Public Key, and import the key from the clipboard.
    import_public.png
  13. Click OK.
  14. Click Send Changes and Activate.
  15. In the Local section, click the cog wheel icon next to Server Protocol Key, and export the key to clipboard.
  16. Click OK to close the TINA Tunnel window.
  17. Go to CONFIGURATION > Configuration Tree > Box > your remote firewall > Assigned Services > VPN > Site to Site.
  18. Click Lock.
  19. Select TINA Tunnels.
  20. Open the configuration for the site-to-site tunnel transport.
  21. Click the Identity tab.
  22. In the Remote section, click the cog wheel icon next to Public Key, and import the public key from the clipboard.
  23. Click OK and close the TINA Tunnel window.
  24. Click Send Changes and Activate.
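Steps 1 and 2 and the key exchange above define a set of relationships that must hold between the two configurations: one Passive and one Active transport, the Passive side's static IP as the Active side's Remote peer, 0.0.0.0/0 as the Passive side's Remote peer, mirrored Local and Remote Networks, an Accepted Algorithms list that covers the Basic tab's Encryption, and each side's Remote Public Key equal to the peer's exported Server Protocol Key. The following script is an added example, not Barracuda code and not a firewall API: it models each side as a plain dictionary with invented field names, fills in the values from the table above (the algorithm names and key strings are placeholders), and reports every relationship that is violated, which is useful for reviewing a pair of configurations before sending changes.

```python
"""Consistency check for a TINA site-to-site tunnel pair.

Added example, not Barracuda code: it models the settings from the table and
from Steps 1, 2 and the key exchange as plain dicts (field names are invented
here) and verifies the relationships the procedure relies on.
"""
import ipaddress


def _nets(cidrs):
    """Parse CIDR strings into a set of networks so list order does not matter."""
    return {ipaddress.ip_network(c, strict=False) for c in cidrs}


def check_tunnel_pair(a, b):
    """Check two TINA transport/tunnel configurations against each other.

    Returns a list of human-readable problems; an empty list means consistent.
    """
    problems = []

    # Exactly one side calls (Active) and the other listens (Passive).
    directions = {a["call_direction"], b["call_direction"]}
    if directions != {"Active", "Passive"}:
        problems.append(
            f"call directions must be one Active and one Passive, got {sorted(directions)}")
        return problems
    active, passive = (a, b) if a["call_direction"] == "Active" else (b, a)

    # The listening side needs a static public IP the caller can reach;
    # the side with the dynamic address is the one that must initiate.
    if passive["external_ip"] == "dynamic":
        problems.append("Passive side has a dynamic IP; the dynamic side must be Active")
    else:
        passive_ip = ipaddress.ip_interface(passive["external_ip"]).ip
        active_target = ipaddress.ip_interface(active["remote_peer"]).ip
        if active_target != passive_ip:
            problems.append(
                f"Active side's Remote peer {active['remote_peer']} "
                f"is not the Passive side's public IP {passive_ip}")

    # The Passive side cannot know the caller's address, so it accepts 0.0.0.0/0.
    if ipaddress.ip_network(passive["remote_peer"], strict=False) != ipaddress.ip_network("0.0.0.0/0"):
        problems.append("Passive side's Remote peer must be 0.0.0.0/0 for a dynamic caller")

    # Local Networks on one side must be the Remote Networks on the other.
    for label, x, y in (("a", a, b), ("b", b, a)):
        if _nets(x["local_networks"]) != _nets(y["remote_networks"]):
            problems.append(
                f"{label}: Local Networks {x['local_networks']} do not match "
                f"the peer's Remote Networks {y['remote_networks']}")

    # Basic tab Encryption/Authentication must be identical on both sides, and
    # each Advanced tab's Accepted Algorithms must include its own Encryption.
    if (a["encryption"], a["authentication"]) != (b["encryption"], b["authentication"]):
        problems.append("Encryption and Authentication differ between the two sides")
    for label, side in (("a", a), ("b", b)):
        if side["encryption"] not in side["accepted_algorithms"]:
            problems.append(
                f"{label}: Encryption {side['encryption']} is not in "
                f"Accepted Algorithms {side['accepted_algorithms']}")

    # Identity: the Public Key imported on each side must be the Server
    # Protocol Key exported from the other side.
    if (a["remote_public_key"] != b["local_public_key"]
            or b["remote_public_key"] != a["local_public_key"]):
        problems.append("public keys were not exchanged: each Remote Public Key "
                        "must equal the peer's Server Protocol Key")
    return problems


# Sample values constructed from the article's table; the algorithm names and
# key strings are placeholders, not values taken from a real firewall.
LOCAL_FW = {
    "external_ip": "62.99.0.21/32",
    "call_direction": "Passive",
    "local_networks": ["10.0.10.0/25"],
    "remote_networks": ["10.0.80.0/24"],
    "remote_peer": "0.0.0.0/0",
    "encryption": "AES256",
    "authentication": "SHA256",
    "accepted_algorithms": ["AES256", "AES"],
    "local_public_key": "LOCAL-SERVER-PROTOCOL-KEY-PLACEHOLDER",
    "remote_public_key": "REMOTE-SERVER-PROTOCOL-KEY-PLACEHOLDER",
}
REMOTE_FW = {
    "external_ip": "dynamic",
    "call_direction": "Active",
    "local_networks": ["10.0.80.0/24"],
    "remote_networks": ["10.0.10.0/25"],
    "remote_peer": "62.99.0.21",
    "encryption": "AES256",
    "authentication": "SHA256",
    "accepted_algorithms": ["AES256"],
    "local_public_key": "REMOTE-SERVER-PROTOCOL-KEY-PLACEHOLDER",
    "remote_public_key": "LOCAL-SERVER-PROTOCOL-KEY-PLACEHOLDER",
}

if __name__ == "__main__":
    for line in check_tunnel_pair(LOCAL_FW, REMOTE_FW) or ["configuration pair is consistent"]:
        print(line)
```

The check is order-independent (passing the remote side first gives the same result), and each violated relationship produces its own message, so a mistyped peer address, a one-sided network edit, or a key pasted into the wrong firewall shows up as a single, specific line rather than as a tunnel that silently never comes up.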

Access Rules

You must create Pass access rules on both systems to allow traffic between the two peers. For more information, see How to Create Access Rules for Site-to-Site VPN Access.

Verify that the TINA site-to-site tunnel is established on both firewalls:

TINA_tunnel_first_firewall.png

TINA_tunnel_second_firewall.png