Barracuda CloudGen Firewall

This Firmware Version Is End-Of-Support

Documentation for this product is no longer updated. Please see https://campus.barracuda.com/doc/71862301/ for further information on our EoS policy.

IPsec Tunnel Settings


The following IPsec tunnel settings can be configured:

Name – The tunnel name. You can enter a maximum of 26 characters.
Disabled – To manually disable the tunnel, select this check box.


In this tab, you can edit the following Phase 1 and Phase 2 settings.

Encryption – The data encryption algorithm.
Hash Meth. – The hash algorithm.


The Diffie-Hellman Group that specifies the type of key exchange. You can select one of the following options:

  • Group1 – Default; 768-bit modulus.
  • Group2 – 1024-bit modulus.
  • Group5 – 1536-bit modulus.
  • None

Lifetime [sec] – The rekeying time in seconds that the server offers to the partner.
Min. Lifetime [sec] – The minimum rekeying time in seconds that the server accepts from its partner.
Max. Lifetime [sec] – The maximum rekeying time in seconds that the server accepts from its partner.

TI - VPN Envelope Policy

TOS Policy

This policy setting specifies how Type of Service (ToS) information contained within a packet’s IP header is handled. In networks, the ToS may be used to define the handling of the datagram during transport. If the ToS is enveloped, this information is lost. You can select one of the following options:

  • Copy TOS From Payload to Envelope – Use this option with non-TCP transports. The packet’s original ToS information is copied onto the envelope, so that it stays available for use.
  • Fixed Envelope TOS – The ToS information is masked by enveloping it without consideration. In the Envelope TOS Value field, enter the fixed ToS value. The same ToS information is then assigned to all packets. For example:

      Value   Precedence   Description
      0       0            Best effort
      8       1            Class 1
      16      2            Class 2
      24      3            Class 3
      32      4            Class 4
      40      5            Express forwarding

For more information about precedence values, see http://www.bogpeople.com/networking/dscp.shtml and http://www.tucny.com/Home/dscp-tos.

Band Policy
For band policy settings to apply, you must configure traffic shaping. For more information, see Traffic Shaping. Band policy settings work independently from bandwidth protection settings.

The Band Policy settings rely on connection objects that are assigned to bands in the firewall rule sets and specify bandwidth assignment to transports as a whole. Multiple transports can share a single band if they are processed by the same interface.

You can select one of the following options:

  • Use Band According to Rule Set – Use the band from the firewall rule, allowing traffic between the tunnel endpoints.
  • Copy Band From Payload To Envelope – Use the band from the firewall rule, redirecting traffic to the VPN tunnel entry point. The band setting for the rule that configures traffic between the tunnel endpoints is then ignored.
  • Fixed Envelope Band – Use a static band. From the Envelope Band Value list, select one of the available bands (System, Band A to Band G).
Replay Window

If packets are not forwarded immediately in the order of their sequence numbers because ToS policies are assigned to VPN tunnels or transports, you can configure the replay window size to assure sequence integrity and to avoid IP packet "replaying." The window size specifies the maximum number of IP packets that can be on hold until it is assumed that packets have been sent repeatedly and sequence integrity has been violated. Individual window size settings are configurable per tunnel and transport and override any global policy settings.

  • To view or edit the global replay window size, see the VPN server settings.
  • To view the replay window size for a tunnel, double-click the tunnel on the VPN Tab to open the Transport Details window (attribute: transport_replayWindow).
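
The interaction between reordering and the replay window described above, as an added example that is not Barracuda's code: a generic sliding-window anti-replay check of the kind used for IPsec sequence numbers, run over a constructed arrival order. The class and function names and the sample sequence are assumptions made for illustration; the firewall's own implementation is not documented on this page.

```python
class ReplayWindow:
    """Generic sliding-window anti-replay check (illustrative names)."""

    def __init__(self, size):
        self.size = size    # how far behind the highest number a packet may be
        self.highest = 0    # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => (highest - i) has already been seen

    def accept(self, seq):
        if seq < 1:                          # sequence numbers start at 1
            return False
        if seq > self.highest:               # new right edge: slide the window
            shift = seq - self.highest
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:              # too old: fell out of the window
            return False
        if self.bitmap & (1 << offset):      # already seen: treated as a replay
            return False
        self.bitmap |= 1 << offset           # late but fresh: accept and mark
        return True


def rejected_packets(arrival_order, window_size):
    """Return the sequence numbers rejected for a given arrival order."""
    window = ReplayWindow(window_size)
    return [seq for seq in arrival_order if not window.accept(seq)]


# Constructed sample: packets 1-3 are held back by a ToS policy while the
# prioritised packets 4-9 overtake them; packet 9 is then delivered twice.
ARRIVALS = [4, 5, 6, 7, 8, 9, 1, 2, 3, 9]

if __name__ == "__main__":
    for size in (4, 16):
        print(f"window={size}: rejected {rejected_packets(ARRIVALS, size)}")
```

With a window of 4, the delayed packets 1 to 3 are discarded along with the true duplicate; with a window of 16, only the duplicate is rejected.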


DPD Interval (s) – Sets the time interval in seconds to perform Dead Peer Detection.
VPN Next Hop Routing – Enter the IP address of the remote VPN next hop interface. See How to Configure BGP Routing over IPsec VPN for a configuration example.
HW Accel. – Specifies the preferred encryption engine. This allows for load balancing between the CPU and an optional crypto card with more than one tunnel in use. You can select one of the following options:

  • Use Acceleration Card – If a crypto accelerator hardware board is in use, select this option.
  • Use CPU – Use CPU acceleration.

Encaps. Mode Auto Detec. – Automatically determines the IPsec encapsulation mode when NAT-T is used.
Interface Index – By default, the tunnel is fed through vpn0. To use another VPN interface, enter it in this field.

Before using this option, you must first create the indexed VPN interface in the VPN server settings.


In this section, you can add optional parameters for establishing IPsec tunnels. When appending a parameter, first specify the section that the parameter is assigned to. Then specify the new parameter itself in the next line. Enter one single value per line. For example:


The new sections are added to the end of the isakmpd.conf file. New parameters are added to the top of the specified section.

For more information on the syntax to be used in this field, see the isakmpd.conf man page at www.openbsd.org/cgi-bin/man.cgi.

Local Networks

Initiates Tunnel

Specifies whether the tunnel is active or passive. You can select one of the following options:

  • Yes (passive IKE)
  • No (active IKE)

Active also implies that incoming VPN connection attempts are accepted.

Local IKE Gateway – The IP address of the local IKE gateway. If you are using dynamic IP addresses, enter


From the Identification Type list, you can select one of the following options:

  • Shared Secret
  • X509 Certificate (CA signed)
  • X509 Certificate (explicit)
  • Box SCEP Certificate (CA signed)

Remote Networks

Remote IKE – The IP address of the remote IKE gateway. If the remote IPsec gateway is connected to the Internet with a dynamic IP address, enter the DDNS (Dynamic Domain Name System) hostname of the gateway.
Network Address – To add the network address of the VPN partner, enter it in this field and then click Add.

Peer Identification

Depending on which identification type is selected, different fields are unlocked in the Peer Identification section. For more information on the different authentication options, see Site-to-Site VPN Encryption and Authentication. 
