The Barracuda NextGen S-Series devices use a single site-to-site VPN tunnel to connect to the Secure Access Concentrator (SAC). The VPN tunnel carries both user and management traffic and uses TCP/UDP port 692. To have both managed NextGen F-Series Firewalls and S-Series devices connect to an Access Concentrator and Control Center behind the same border firewall, you must either use two public IP addresses or configure the VPN connection to use another, free port. The VPN service can be configured in two modes:
- Operational Mode – Standard, certificate-authenticated VPN tunnel.
- Deployment Mode – Passphrase-authenticated VPN tunnel. Only use deployment mode to transfer the certificates, or to deploy remote S-Series devices. For more information, see S-Series Deployment.
Configure VPN in Operational Mode using the SC Web Interface
You can use the web interface of the SC to configure the VPN in override mode.
- Log into the web interface.
- Go to the CONFIGURATION > VPN page.
- Click Retrieve Lock.
- Select Enabled.
- Enter the Box Unique Identifier. Use the following format: RANGENUMBER-CLUSTERNAME-SCNAME, e.g., 3-myScCluster-SC1.
- Set the Server Mode to Operative-Mode.
- Enter the Virtual IP. The IP address must be the first IP address of the subnet assigned to the SC by the Control Center.
- Enter the Entry Point Address. Typically this is the public IP of your SAC, or the public IP address of the border firewall in front of your SAC.
- Enter 692 as the Entry Point Port.
- (optional) Select the Tunnel Mode.
- (optional) Select the Encryption.
- Click Save Changes.
- On the top of the page, click Activate Configs.
- Click Release Lock.
The SC connects via VPN to the SAC and authenticates using the deployment password. Once connected, the Control Center pushes the configuration stored for the device to the SC, and the VPN is switched to operational mode.
Configure VPN in Operational Mode in the Secure Connector Editor
To configure the VPN settings to connect to the SAC in operational mode, you must use the Secure Connector Editor.
- Go to your Cluster > Cluster Settings > Secure Connector Editor.
- Click Lock.
- Double-click to edit the device or SC template.
- In the left menu, click VPN Settings.
- From the VPN Mode drop-down list, select Operative-Mode.
- Select the VPN enabled check box.
- Click New Key to create a new Private Key.
- Click Edit and create a new Certificate.
- From the Tunnel Mode drop-down list, select TCP or UDP. Use UDP for response-optimized tunnels, TCP for greater stability when using unstable Internet connections.
- From the Encryption drop-down list, select one of the encryption algorithms: DES, 3DES, CAST, Blowfish, AES, or AES256.
- Click + and enter the Remote Networks you want to route through the VPN tunnel. Enter 0.0.0.0/0 to send all traffic through the VPN tunnel and to allow the devices behind the SC to access the Internet.
- Click OK and Activate.
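The values entered in both procedures above can be checked before they are typed into the web interface or the Secure Connector Editor. The following pre-flight check is an added example, not Barracuda code: the function name, the dictionary keys and the sample values are hypothetical. It assumes that "first IP address of the subnet" means the first usable host address, that cluster and SC names contain no hyphens, and that flagging every cipher other than AES or AES256 is the desired policy.

```python
import ipaddress
import re

# Allowed values as listed in the article.
ENCRYPTIONS = {"DES", "3DES", "CAST", "Blowfish", "AES", "AES256"}
TUNNEL_MODES = {"TCP", "UDP"}
DEFAULT_PORT = 692
# Assumption: cluster and SC names contain no hyphens or whitespace.
BOX_ID_RE = re.compile(r"^\d+-[^\s-]+-[^\s-]+$")
FULL_TUNNEL = ipaddress.ip_network("0.0.0.0/0")


def check_sc_vpn(cfg, assigned_subnet):
    """Return (errors, warnings) for a planned SC VPN configuration."""
    errors, warnings = [], []
    if not BOX_ID_RE.match(cfg["box_id"]):
        errors.append("box_id: expected RANGENUMBER-CLUSTERNAME-SCNAME")
    # Assumption: "first IP address" means the first usable host address.
    net = ipaddress.ip_network(assigned_subnet)
    first = next(iter(net.hosts()), net.network_address)
    if ipaddress.ip_address(cfg["virtual_ip"]) != first:
        errors.append(f"virtual_ip: expected {first} for {net}")
    port = cfg["entry_point_port"]
    if not 1 <= port <= 65535:
        errors.append("entry_point_port: out of range")
    elif port != DEFAULT_PORT:
        warnings.append(f"entry_point_port: {port} is not the default {DEFAULT_PORT}")
    if cfg["tunnel_mode"] not in TUNNEL_MODES:
        errors.append("tunnel_mode: must be TCP or UDP")
    if cfg["encryption"] not in ENCRYPTIONS:
        errors.append("encryption: not an option in the editor")
    elif cfg["encryption"] not in {"AES", "AES256"}:
        # Policy assumption of this example: prefer AES over the older ciphers.
        warnings.append(f"encryption: {cfg['encryption']} is a legacy cipher")
    nets = [ipaddress.ip_network(n, strict=False) for n in cfg["remote_networks"]]
    if FULL_TUNNEL in nets:
        warnings.append("remote_networks: 0.0.0.0/0 routes all traffic via the VPN")
    return errors, warnings


# Constructed sample values, not taken from a real deployment.
SAMPLE = {"box_id": "3-myScCluster-SC1", "virtual_ip": "10.20.30.1",
          "entry_point_port": 692, "tunnel_mode": "UDP",
          "encryption": "3DES", "remote_networks": ["0.0.0.0/0"]}

if __name__ == "__main__":
    for kind, msgs in zip(("ERROR", "WARN"), check_sc_vpn(SAMPLE, "10.20.30.0/29")):
        for msg in msgs:
            print(kind, msg)
```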