Barracuda CloudGen Firewall

This Firmware Version Is End-Of-Support

Documentation for this product is no longer updated. Please see https://campus.barracuda.com/doc/71862301/ for further information on our EoS policy.

How to Configure OSPF Routing over TINA VPN


To dynamically learn OSPF-propagated routes from a remote location connected via a TINA VPN tunnel, VPN Next Hop interfaces are used to create an intermediary network.

Limitations

  • Currently only available for NG Firewalls managed by an NG Control Center because the VPN Tunnel configuration requires the GTI Editor.
  • It is not possible to use both OSPF and BGP over the same VPN tunnel.

You must complete this configuration on both the local and the remote Barracuda NG Firewall by using the respective values below:

| Setting | Example Values for the Local Barracuda NG Firewall | Example Values for the Remote Barracuda NG Firewall |
|---|---|---|
| VPN Next Hop Interface Index | 11 | 11 |
| VPN Next Hop Interface IP Address | 192.168.20.1/24 | 192.168.20.2/24 |
| Virtual Server Additional IP | 192.168.20.1 | 192.168.20.2 |
| VPN Local Networks | empty | empty |
| VPN Remote Networks | empty | empty |
| Router ID | 192.168.20.1 | 192.168.20.2 |

 


Before You Begin

  • A free /24 subnet (e.g., 192.168.20.0/24) for the intermediary network is required.

Step 1. Add a VPN Next Hop Interface

Add a VPN Next Hop interface using a /24 subnet (e.g., 192.168.20.0/24).

  1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > VPN-Service > VPN Settings.
  2. Click Lock.
  3. In the Settings tab, click the Click here for Server Settings link. The Server Settings window opens.
  4. In the Server Settings window, click the Advanced tab.
  5. Next to the VPN Next Hop Interface Configuration table, click Add.
  6. In the VPN Interface Properties window, configure the following settings and then click OK.
    • In the VPN Interface Index field, enter a number between 0 and 999. E.g., 11
    • In the IP Addresses field, enter the VPN interface IP address including the subnet. E.g., 192.168.20.1/24 for the local NG Firewall, or 192.168.20.2/24 for the remote NG Firewall. 
    • In the Multicast Addresses field, enter the OSPF Multicast Addresses: 224.0.0.5 224.0.0.6
    • Click OK. The interface is now listed in the VPN Next Hop Interface Configuration table.
  7. In the Server Settings window, click OK.
  8. Click Send Changes and Activate.

Step 2. Add the VPN Next Hop Interface IP Address to the Virtual Server Listening IP Addresses

Add the IP address of the VPN Next Hop interface as a virtual server IP address.

  1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Server Properties.
  2. Click Lock.
  3. In the Additional IP table, add the IP address of the VPN Next Hop interface.
  4. Click Send Changes and Activate.

Step 3. Configure the TINA Site-to-Site VPN Tunnel in the GTI Editor

Edit the VPN tunnel to remove the local and remote networks and add the VPN Next Hop interface ID.

  1. Go to the global/range/cluster GTI Editor.
  2. Click Lock.
  3. Click on the VPN tunnel and click on the first Transport to edit the VPN tunnel configuration. For more information, see How to Create a VPN Tunnel with the VPN GTI Editor.
  4. Remove all Local Networks from the remote and local VPN services. 
  5. Enter the VPN Next Hop interface ID for the remote and local VPN services. E.g., 11
  6. Click OK.
  7. Click Send Changes and Activate.

Step 4. Configure the OSPF Service

The OSPF setup must be completed on both the local and remote NG Firewalls. The configuration steps and values are the same except for the Router ID and propagated networks.

Step 4.1. Configure which Routes to Propagate into OSPF

Select the routes you want to propagate.

  1. Go to CONFIGURATION > Configuration Tree > Box > Network.
  2. Click Lock.
  3. To propagate the management network, set Advertise Route to yes in the Management IP and Network section.
  4. In the left menu, click on Routing.
  5. Double-click on the direct attached and gateway routes you want to propagate. The Routes window opens.
  6. Set Advertise Route to yes and click OK.
  7. Click Send Changes and Activate.

Step 4.2. Configure the OSPF Router

Enable OSPF and use the VPN Next Hop interface IP address as the Router ID.

  1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > OSPF-RIP-BGP-Service > OSPF/RIP/BGP Settings.
  2. Click Lock.
  3. Set Run OSPF Router to Yes.
  4. Set Operation Mode to advertise-learn.
  5. Enter the Router ID. Typically the VPN Next Hop interface IP address is used. E.g., 192.168.20.1 for the local NG Firewall, or 192.168.20.2 for the remote NG Firewall.
  6. In the left menu, click OSPF Router Setup.
  7. Select Cisco Type from the ABR Type dropdown.
  8. Enter the Terminal Password. Use this password if you must directly connect to the dynamic routing daemon via command line for debugging purposes.
  9. Click + to add an entry to the Network Prefix table. The Network Prefix window opens.
  10. Enter the VPN Next Hop interface network as the Network Prefix. E.g., 192.168.20.0/24
  11. Enter the Network Area. E.g., 0 because we are using OSPF area 0 for our example. This value must match the OSPF Area configured below.
  12. Click OK.
  13. Click Send Changes and Activate.

Step 4.3. Create an OSPF Area Setup

  1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > OSPF-RIP-BGP-Service > OSPF/RIP/BGP Settings.
  2. Click Lock.
  3. In the left menu, click OSPF Area Setup.
  4. In the OSPF Area Configuration, click + to add Areas.
  5. Enter the OSPF area Name.
  6. Click OK. The Areas window opens.
  7. From the Area ID Format dropdown, select Integer.
  8. Enter the Area ID[Int]. Use the same Area ID you used for the Network Area in Step 4.2. E.g., 0
  9. (optional) Select the Authentication Type and configure the necessary parameters. 
  10. Click OK.
  11. Click Send Changes and Activate.
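
The values entered in Steps 1 through 4 have to agree within each firewall and across the pair. The following added example (not Barracuda code and not part of the original article) checks a planned pair of configurations offline before they are entered in the GUI. The dictionary keys, the function names and the `auth_type` value are assumptions made for illustration; the sample data is constructed from the article's example values.

```python
import ipaddress

OSPF_MULTICAST = {"224.0.0.5", "224.0.0.6"}  # multicast addresses from Step 1

def check_ospf_over_tina(local, remote):
    """Return a list of inconsistencies in the two planned firewall configs."""
    problems, ifaces = [], {}
    for name, cfg in (("local", local), ("remote", remote)):
        iface = ifaces[name] = ipaddress.ip_interface(cfg["next_hop_ip"])
        if not 0 <= cfg["interface_index"] <= 999:
            problems.append(f"{name}: interface index must be between 0 and 999")
        if cfg["gti_next_hop_id"] != cfg["interface_index"]:
            problems.append(f"{name}: GTI next hop ID does not match the interface index")
        if not OSPF_MULTICAST <= set(cfg["multicast"]):
            problems.append(f"{name}: multicast addresses 224.0.0.5/224.0.0.6 missing")
        if str(iface.ip) not in cfg["additional_ips"]:
            problems.append(f"{name}: next hop IP not in virtual server Additional IP")
        if cfg["vpn_local_networks"] or cfg["vpn_remote_networks"]:
            problems.append(f"{name}: VPN local/remote networks must be empty")
        if ipaddress.ip_network(cfg["network_prefix"]) != iface.network:
            problems.append(f"{name}: OSPF network prefix is not the next hop network")
        if cfg["network_area"] != cfg["area_id"]:
            problems.append(f"{name}: Network Area and Area ID differ")
    if ifaces["local"].network != ifaces["remote"].network:
        problems.append("next hop interfaces are in different networks")
    if ifaces["local"].ip == ifaces["remote"].ip:
        problems.append("both firewalls use the same next hop IP address")
    if local["router_id"] == remote["router_id"]:
        problems.append("Router IDs must differ between the firewalls")
    if local["area_id"] != remote["area_id"]:
        problems.append("OSPF area differs between the firewalls")
    if local["auth_type"] != remote["auth_type"]:
        problems.append("OSPF authentication type differs between the firewalls")
    return problems

def example_config(ip, **overrides):
    """Constructed sample built from the article's example values."""
    cfg = {"interface_index": 11, "gti_next_hop_id": 11,
           "next_hop_ip": f"{ip}/24", "multicast": ["224.0.0.5", "224.0.0.6"],
           "additional_ips": [ip], "vpn_local_networks": [],
           "vpn_remote_networks": [], "router_id": ip,
           "network_prefix": "192.168.20.0/24", "network_area": 0,
           "area_id": 0, "auth_type": "none"}  # "none" is a placeholder value
    return {**cfg, **overrides}

LOCAL = example_config("192.168.20.1")
REMOTE = example_config("192.168.20.2")

if __name__ == "__main__":
    for problem in check_ospf_over_tina(LOCAL, REMOTE) or ["no inconsistencies found"]:
        print(problem)
```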

Step 5. Verify the OSPF Service Configuration

On the CONTROL > Network page, verify that OSPF is active on the VPN Next Hop interface and that the remote NG Firewall is listed as an OSPF neighbor. Routes learned via OSPF are listed in the routing table with the type gateway-ospf. For these routes, the Interface is the VPN Next Hop interface and the Gateway is the IP address of the remote VPN Next Hop interface.

Local Firewall CONTROL > Network > OSPF page: [screenshot: OSPF_VPN_08.png]

Remote Firewall CONTROL > Network > OSPF page: [screenshot: OSPF_VPN_09.png]

Step 6. Create Access Rules for VPN Traffic

Create access rules on both local and remote NG Firewalls to allow traffic from the learned networks through the VPN tunnel. For more information, see How to Create Access Rules for Site-to-Site VPN Access.
