The Barracuda NextGen Firewall F-Series can establish IPsec VPN tunnels to any standards-compliant IKEv2 IPsec VPN gateway. The Site-to-Site IPsec VPN tunnel must be configured with identical settings on both ends of the tunnel, whether the remote end is another F-Series Firewall or a third-party IKEv2 IPsec gateway.
Before You Begin
Create a VPN and Firewall service. For more information, see How to Configure Services.
Step 1. Create an IKEv2 IPsec Tunnel on the F-Series Firewall
- Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > VPN-Service > Site to Site.
- Click the IPsec IKEv2 Tunnels tab.
- Click Lock.
- Right-click the table and select New IKEv2 Tunnel. The IKEv2 Tunnel window opens.
- Enter a Tunnel Name.
- Set Initiates Tunnel:
  - yes – The firewall is the active unit and continuously attempts to connect to the remote VPN gateway until a VPN tunnel is established.
  - no – The firewall is the passive unit and waits for connection attempts from the remote VPN gateway.
- Set Restart child on close:
  - yes – Restart the connection if the tunnel terminates unexpectedly.
  - no – Close the VPN connection if the tunnel terminates unexpectedly.
- Select the Authentication Method:
  - Pre-shared key – Enter the Shared Secret to use a shared passphrase to authenticate.
  - CA certificate – Select a Server Certificate and a CA Root certificate, and enter an X509 Condition to use certificate authentication.
  - X509 certificate (explicit) – Select a Server Certificate and import an Explicit X509 certificate.
  - Box SCEP certificate (CA signed) – Enter a Shared Secret, CA Root certificate, and X509 Condition, and upload an Explicit X509 certificate to use SCEP to authenticate.
- Select the Phase 1 settings:
  - Encryption – Select the encryption algorithm: AES, 3DES, Blowfish, or AES256.
  - Hash – Select the hashing algorithm: MD5, SHA, SHA256, or SHA512.
  - DH-Group – Select the Diffie-Hellman Group. Supported groups are: 1, 2, 5, 14 - 30.
  - Lifetime (seconds) – Enter the number of seconds until the IPsec SA is re-keyed. Default: 3600.
- Select the Phase 2 settings:
  - Encryption – Select the encryption algorithm: AES, 3DES, Blowfish, or AES256.
  - Hash – Select the hashing algorithm: MD5, SHA, SHA256, or SHA512.
  - DH-Group – Select the Diffie-Hellman Group. Supported groups are: 1, 2, 5, 14 - 30.
  - Lifetime (seconds) – Enter the number of seconds until the IPsec SA is re-keyed. Default: 3600.
  - Lifetime (KB) – Enter the number of KB after which the IPsec SA is re-keyed.
- Enter the Network Local settings:
  - Local Gateway – Enter the external IP address of the F-Series Firewall. If you are using a dynamic WAN IP address, enter 0.0.0.0.
  - Local ID – Enter an IP address, FQDN, email address, or distinguished name. If left blank, the local gateway IP address is used.
  - Network Address – Add the local networks you want to reach through the VPN tunnel, and click Add.
- Enter the Network Remote settings:
  - Remote Gateway – Enter the external IP address of the third-party appliance. If the remote appliance is using dynamic IP addresses, enter 0.0.0.0.
  - Remote ID – Enter a unique ID.
  - Network Address – Add the IP address of the remote network, and click Add.
- Enter the Dead Peer Detection settings:
  - Action:
    - None – Disable DPD.
    - Clear – The connection with the dead peer is stopped and its routes are removed.
    - Hold – The connection is put in the hold state.
    - Restart – The connection is restarted.
  - Delay (seconds) – Enter the number of seconds after which an empty INFORMATIONAL message is sent to check whether the remote peer is still available.
- Click OK.
- Click Send Changes and Activate.
Step 2. Create an IPsec Tunnel on the Remote Appliance
Configure the remote F-Series Firewall or third-party VPN gateway with the same settings. Only the local and remote networks and the IP address for the remote VPN gateway must be interchanged.
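As an added example (not Barracuda's code or tooling), the following Python models both ends of the tunnel as dicts of the dialog fields from Step 1 and checks that the peer's configuration is the mirror image Step 2 requires: identical Phase 1/2 settings and Shared Secret, gateways, IDs and networks interchanged, the blank-Local-ID and 0.0.0.0 conventions honoured, and at least one side set to initiate. All addresses, networks and the shared secret are constructed sample values.

```python
"""Pair-consistency check for an IKEv2 site-to-site tunnel (added example, not
Barracuda code). Each side is a dict of IKEv2 Tunnel dialog fields; the check
applies Step 2: crypto identical, gateways, IDs and networks interchanged."""
DYNAMIC = "0.0.0.0"  # the article's value for a dynamic WAN address
PHASE_KEYS = ("encryption", "hash", "dh_group", "lifetime_s", "lifetime_kb")

def effective_local_id(side):
    # Local ID left blank -> the local gateway IP is used as the IKE identity
    return side["local_id"] or side["local_gateway"]

def gateways_match(configured_remote, peer_local):
    # Remote Gateway 0.0.0.0 accepts the peer from any address
    return configured_remote in (DYNAMIC, peer_local)

def mirror(side, initiates=False):
    """Derive the peer's configuration from one side (the article's Step 2)."""
    return {"initiates": initiates, "psk": side["psk"],
            "phase1": dict(side["phase1"]), "phase2": dict(side["phase2"]),
            "local_gateway": side["remote_gateway"], "local_id": side["remote_id"],
            "local_networks": list(side["remote_networks"]),
            "remote_gateway": side["local_gateway"], "remote_id": effective_local_id(side),
            "remote_networks": list(side["local_networks"])}

def check_pair(a, b):
    """Return a list of mismatches; an empty list means the pair is consistent."""
    problems = []
    for phase in ("phase1", "phase2"):  # Phase 1/2 settings must be identical
        for k in PHASE_KEYS:
            if a[phase].get(k) != b[phase].get(k):
                problems.append(f"{phase}.{k}: {a[phase].get(k)!r} != {b[phase].get(k)!r}")
    for x, y, name in ((a, b, "A"), (b, a, "B")):  # the rest is mirrored
        if not gateways_match(x["remote_gateway"], y["local_gateway"]):
            problems.append(f"{name}: Remote Gateway {x['remote_gateway']} does not match peer")
        if x["remote_id"] != effective_local_id(y):
            problems.append(f"{name}: Remote ID {x['remote_id']!r} != peer ID {effective_local_id(y)!r}")
        if sorted(x["remote_networks"]) != sorted(y["local_networks"]):
            problems.append(f"{name}: Network Remote does not mirror the peer's Network Local")
    if not (a["initiates"] or b["initiates"]):  # two passive units never connect
        problems.append("neither side has Initiates Tunnel = yes; the tunnel is never established")
    if a["psk"] != b["psk"]:
        problems.append("Shared Secret differs")
    return problems

HQ = {  # constructed sample values for the initiating side
    "initiates": True, "psk": "sample-shared-secret", "local_gateway": "203.0.113.10",
    "local_id": "", "local_networks": ["10.0.1.0/24", "10.0.2.0/24"],
    "remote_gateway": "198.51.100.20", "remote_id": "branch.example.com",
    "remote_networks": ["10.0.8.0/24"],
    "phase1": {"encryption": "AES256", "hash": "SHA256", "dh_group": 14, "lifetime_s": 3600},
    "phase2": {"encryption": "AES256", "hash": "SHA256", "dh_group": 14, "lifetime_s": 3600, "lifetime_kb": 0}}
```

`check_pair(HQ, mirror(HQ))` returns an empty list; change one Phase 2 value on the peer, or leave both sides with Initiates Tunnel set to no, and the returned list names the field that will keep the tunnel from coming up.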
Step 3. Create Access Rules for VPN Traffic
To allow traffic in and out of the VPN tunnel, create a PASS access rule.
For more information, see How to Create Access Rules for Site-to-Site VPN Access.
Monitoring a VPN Site-to-Site Tunnel
To verify that the VPN tunnel was initiated successfully and traffic is flowing, go to VPN > Site-to-Site or VPN > Status.
Go to LOGS and select the /