Barracuda CloudGen Firewall

This Firmware Version Is End-Of-Support

Documentation for this product is no longer updated. Please see https://campus.barracuda.com/doc/71862301/ for further information on our EoS policy.

How to Configure a Client-to-Site IPsec VPN


To let mobile workers securely connect to corporate information resources, you can implement a client-to-site VPN. This article provides instructions on how to configure a client-to-site VPN with IPsec and external username and password authentication using MSAD.

[Figure: client-to-site IPsec VPN overview]



Supported VPN Clients

You can use any standards-based IPsec VPN client. However, only the following clients are supported with the Barracuda NG Firewall:

Before You Begin

Before you implement a client-to-site VPN with IPsec and MSAD:

  • Verify that MSAD is configured. For more information, see How to Configure MSAD Authentication.
  • Identify the subnet and gateway address for the VPN service in your network (e.g., 192.168.6.0/24 and 192.168.6.254).

Configure the Client-to-Site VPN Service

To implement a client-to-site VPN with IPsec and external username and password authentication using MSAD, complete the following steps.

Step 1. Configure the Client Network and Gateway
  1. Open the VPN Settings page (Config > Full Config > Box > Virtual Servers > your virtual server > Assigned Services > VPN Service > VPN Settings).
  2. Click Lock.
  3. Verify that the default server certificate and key are valid.
    1. Right-click the Settings table and select Edit Server Settings.
    2. Verify that the Default Server Certificate and Default Key are both valid (green). If the Default Server Certificate and Default Key are not valid, see How to Set Up VPN Certificates.
    3. Close the Server Settings window.
  4. Configure the client network.
    1. Click the Client Networks tab.
    2. Right-click the table and select New Client Network.
    3. In the Client Network window, configure the following settings:

      Setting          Description
      Name             A descriptive name for the network (e.g., Client to Site VPN Network).
      Network Address  The default network address. All VPN clients will receive an IP address in this network (e.g., 192.168.6.0).
      Network Mask     The appropriate subnet mask (e.g., 24).
      Gateway          The gateway network address (e.g., 192.168.6.254).
      Type             The type of network that is used for VPN clients. From this list, select routed (Static Route). VPN clients are assigned an address via DHCP (fixed or dynamic) in a separate network reserved for the VPN. A static route on the Barracuda NG Firewall leads to the local network.

  5. Click OK.
  6. Click Send Changes and then click Activate.
Step 2. Configure VPN Group Match Settings

Configure the global authentication settings for VPN tunnels using an external X.509 certificate and group configurations.

  1. Open the Client to Site page (Config > Full Config > Box > Virtual Servers > your virtual server > Assigned Services > VPN Service > Client to Site).
  2. Click Lock.
  3. Click the External CA tab.
  4. Click the Click here for options link.
  5. In the Group VPN Settings window, configure the following settings:
    1. In the X509 Client Security section, select the External Authentication check box.
    2. In the Server section, select msad from the Authentication Scheme list.
  6. Click OK.
  7. Click Send Changes and then click Activate.
Step 3. Create a VPN Group Policy

The VPN Group Policy specifies the network IPsec settings. You can group patterns to require users to meet certain criteria, as provided by the group membership of the external authentication server (e.g., CN=vpnusers*). You can also define conditions to be met by the certificate (e.g., O(Organization) must be the company name).

  1. Open the Client to Site page (Config > Full Config > Box > Virtual Servers > your virtual server > Assigned Services > VPN Service > Client to Site).
  2. Click Lock.
  3. Click the External CA tab and then click the Group Policy tab.
  4. Right-click the table and select New Group Policy. The Edit Group Policy window opens.
  5. Enter a name for the Group Policy. For example, Group Policy.
  6. From the Network list, select the VPN client network.
  7. In the Network Route section, enter the network that must be reachable through the VPN connection. For example, 10.0.0.0/24.
  8. Configure the group policy.
    1. Right-click the Group Policy Condition table and select New Rule.
    2. In the Group Pattern field, define the groups that will be assigned the policy. For example: CN=vpnusers*
    3. Click OK.
  9. To change the encryption algorithm:
    1. Click the IPSec tab.
    2. Clear the check box in the right top corner.
    3. From the IPsec Phase II - Settings list, select the entry that includes (Create New) in its name. For example, if you chose Group Policy as a name, the entry would be listed as Group Policy (Create new).
    4. Select an encryption algorithm. For speed and security, it is recommended that you select AES256.
    5. Adjust the remaining Phase II settings to your own needs.
    6. Click Edit IPsec Phase 1 and select the encryption algorithm in the For Certificate Authentication section.
    7. Click OK to close the Change IPSec Phase 1 window.
  10. Click OK.
  11. Click Send Changes and then click Activate.
Step 4. Add Firewall Rules

Add two forward firewall rules to connect your client-to-site VPN to your network. For more information, see How to Configure a Forwarding Firewall Rule for a Client-to-Site VPN.
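The address-plan and group-pattern checks implied by Steps 1 and 3, as an added Python example that is not part of this article or of the Barracuda product: the values are the article's own examples, and treating `*` in the Group Pattern as a glob wildcard matched case-insensitively against each component of a group DN is an assumption, not documented product behaviour.

```python
import fnmatch
import ipaddress

# Constructed planning values, taken from the examples used in this article.
CLIENT_NETWORK = "192.168.6.0/24"   # Step 1: Network Address + Network Mask
CLIENT_GATEWAY = "192.168.6.254"    # Step 1: Gateway
NETWORK_ROUTE = "10.0.0.0/24"       # Step 3: Network Route
GROUP_PATTERN = "CN=vpnusers*"      # Step 3: Group Pattern


def check_client_network(network, gateway, route):
    """Return a list of problems with the planned client network (empty list = OK)."""
    problems = []
    net = ipaddress.ip_network(network, strict=False)
    gw = ipaddress.ip_address(gateway)
    rt = ipaddress.ip_network(route, strict=False)
    if gw not in net:
        problems.append("gateway %s is not inside client network %s" % (gw, net))
    elif gw in (net.network_address, net.broadcast_address):
        problems.append("gateway %s is the network or broadcast address" % gw)
    if net.overlaps(rt):
        # Clients would get addresses from the same range they need to route to.
        problems.append("client network %s overlaps network route %s" % (net, rt))
    if net.num_addresses < 4:
        problems.append("client network %s leaves no usable client addresses" % net)
    return problems


def group_policy_matches(pattern, user_groups):
    """Assumed semantics: the pattern is a case-insensitive glob compared against
    every RDN component (e.g. 'CN=vpnusers-sales') of each group DN from MSAD."""
    pat = pattern.lower()
    for dn in user_groups:
        for component in dn.split(","):
            if fnmatch.fnmatchcase(component.strip().lower(), pat):
                return True
    return False


if __name__ == "__main__":
    print(check_client_network(CLIENT_NETWORK, CLIENT_GATEWAY, NETWORK_ROUTE))
    # Constructed group DNs as an MSAD server might report them.
    groups = ["CN=vpnusers-sales,OU=Groups,DC=example,DC=com"]
    print(group_policy_matches(GROUP_PATTERN, groups))
```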

Monitoring VPN Connections

On the VPN > Client-to-Site page, you can monitor VPN connections.

[Figure: VPN > Client-to-Site status page]

The page lists all available client-to-site VPN tunnels. In the Tunnel column, the color of the square indicates the status of the VPN:

  • Blue – The client is currently connected.
  • Green – The VPN tunnel is available but currently not in use.
  • Grey – The VPN tunnel is currently disabled. To enable the tunnel, right-click it and select Enable Tunnel.

For more information about the VPN > Client-to-Site page, see VPN Tab.

Troubleshooting

To troubleshoot VPN connections, see the /yourVirtualServer/VPN/VPN and /yourVirtualServer/VPN/ike log files. For more information, see Logs Tab.
