Barracuda CloudGen Firewall

This Firmware Version Is End-Of-Support

Documentation for this product is no longer updated. Please see End-of-Support for CloudGen Firewall Firmware for further information on our EoS policy.

How to Configure OSPF Routing over TINA VPN


To dynamically learn OSPF-propagated routes from a remote location connected via TINA VPN tunnel, VPN Next Hop interfaces are used to create an intermediary network.

 

You must complete this configuration on both the local and the remote Barracuda NextGen F-Series Firewalls by using the respective values below:

|  | Example Values for the Local Barracuda NextGen Firewall F-Series | Example Values for the Remote Barracuda NextGen Firewall F-Series |
| --- | --- | --- |
| VPN Next Hop Interface Index | 11 | 11 |
| VPN Next Hop Interface IP Address | 192.168.20.1/24 | 192.168.20.2/24 |
| Virtual Server Additional IP | 192.168.20.1 | 192.168.20.2 |
| VPN Local Networks | empty | empty |
| VPN Remote Networks | empty | empty |
| Router ID | 192.168.20.1 | 192.168.20.2 |

 


Before You Begin

  • A free /24 subnet (e.g., 192.168.20.0/24) for the intermediary network is required.

Step 1. Add a VPN Next Hop Interface

Add a VPN Next Hop interface using a /24 subnet (e.g., 192.168.20.0/24).

  1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > VPN-Service > VPN Settings.
  2. Click Lock.
  3. In the Settings tab, click the Click here for Server Settings link. The Server Settings window opens.
  4. In the Server Settings window, click the Advanced tab.
  5. Next to the VPN Next Hop Interface Configuration table, click Add.
  6. In the VPN Interface Properties window, configure the following settings and then click OK.
    • In the VPN Interface Index field, enter a number between 0 and 999. E.g., 11
    • In the IP Addresses field, enter the VPN interface IP address including the subnet. E.g., 192.168.20.1/24 for the local NextGen Firewall F-Series, or 192.168.20.2/24 for the remote NextGen Firewall F-Series. 
    • In the Multicast Addresses field, enter the OSPF Multicast Addresses: 224.0.0.5 224.0.0.6
    • Click OK. The interface is now listed in the VPN Next Hop Interface Configuration table.
  7. In the Server Settings window, click OK.
  8. Click Send Changes and Activate.

Step 2. Add the VPN Next Hop Interface IP Address to the Virtual Server Listening IP Addresses

Add the IP address of the VPN Next Hop interface as a virtual server IP address.

  1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Server Properties.
  2. Click Lock.
  3. In the Additional IP table, add the IP address of the VPN Next Hop interface.
  4. Click Send Changes and Activate.

Step 3. Configure the TINA Site-to-Site VPN Tunnels

You can configure the VPN tunnel using the GTI Editor for managed F-Series Firewalls, or using the Site-to-Site configuration dialog if you are using standalone F-Series Firewalls.

In the GTI Editor

Edit the VPN tunnel to remove the local and remote networks and add the VPN Next Hop interface ID.

  1. Go to the global/range/cluster GTI Editor.
  2. Click Lock.
  3. Click on the VPN tunnel, and click on the first Transport to edit the VPN tunnel configuration. For more information, see How to Create a VPN Tunnel with the VPN GTI Editor.
  4. Remove all Local Networks from the remote and local VPN services. 
  5. Enter the VPN Next Hop interface ID for the remote and local VPN services. E.g., 11
  6. Click OK.
  7. Click Send Changes and Activate.

Standalone F-Series Firewalls

On both the remote and local firewalls, configure a TINA VPN tunnel with the VPN Interface Index. Leave the local and remote networks empty.

  1. Log into the local NextGen Firewall F-Series.
  2. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > VPN-Service > Site to Site.
  3. Click Lock.
  4. Right-click in the TINA Tunnels tab and select New TINA tunnel. The TINA tunnel window opens.
  5. Enter a Name.
  6. Configure the Transport, Encryption and Authentication settings as well as the Local and Remote public IP addresses. For more information, see How to Create a TINA VPN Tunnel between F-Series Firewalls.

  7. Exchange the Peer Identification keys.
  8. In the Remote Networks tab, enter the VPN Interface Index number that you created in the VPN Interface Configuration in Step 1. E.g., 11

  9. Click OK.
  10. Click Send Changes and Activate.

Step 4. Configure the OSPF Service

The OSPF setup must be completed on both the local and remote firewalls. The configuration steps and values are the same except for the Router ID and propagated networks.

Step 4.1 Configure which Routes to Propagate into OSPF

Select the routes you want to propagate.

  1. Go to CONFIGURATION > Configuration Tree > Box > Network.
  2. Click Lock.
  3. To propagate the management network, set Advertise Route to yes in the Management IP and Network section.
  4. In the left menu, click on Routing.
  5. Double-click on the directly attached and gateway routes you want to propagate. The Routes window opens.
  6. Set Advertise Route to yes and click OK.
  7. Click Send Changes and Activate.

Step 4.2 Configure the OSPF Router

Enable OSPF and use the VPN Next Hop interface IP address as the Router ID.

  1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > OSPF-RIP-BGP-Service > OSPF/RIP/BGP Settings.
  2. Click Lock.
  3. Set Run OSPF Router to Yes.
  4. Set Operation Mode to advertise-learn.
  5. Enter the Router ID. Typically the VPN Next Hop interface IP address is used. E.g., 192.168.20.1 for the local NextGen Firewall F-Series, or 192.168.20.2 for the remote NextGen Firewall F-Series.
  6. In the left menu, click OSPF Router Setup.
  7. Select Cisco Type from the ABR Type dropdown.
  8. Enter the Terminal Password. Use this password if you must directly connect to the dynamic routing daemon via command line for debugging purposes.
  9. Click + to add an entry to the Network Prefix table. The Network Prefix window opens.
  10. Enter the VPN Next Hop interface network as the Network Prefix. E.g., 192.168.20.0/24
  11. Enter the Network Area. E.g., 0 because we are using OSPF area 0 for our example. This value must match the OSPF Area configured below.
  12. Click OK.
  13. Click Send Changes and Activate.

Step 4.3 Create an OSPF Area Setup

  1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > OSPF-RIP-BGP-Service > OSPF/RIP/BGP Settings.
  2. Click Lock.
  3. In the left menu click OSPF Area Setup.
  4. In the OSPF Area Configuration, click + to add Areas.
  5. Enter the OSPF area Name.
  6. Click OK. The Areas window opens. 
  7. From the Area ID Format dropdown, select Integer.
  8. Enter the Area ID[Int]. Use the same Area ID you used for the Network Area in Step 4.2. E.g., 0
  9. (optional) Select the Authentication Type and configure the necessary parameters. 
  10. Click OK.
  11. Click Send Changes and Activate.
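
The values entered in Steps 1 through 4.3 have to agree with each other on each firewall and across the two sites. The following pre-flight check is an added example, not part of the original article and not a Barracuda tool; the dictionary field names and the `check_plan` and `example_side` helpers are hypothetical, and the sample plan is constructed from the example values in this article.

```python
import ipaddress

OSPF_MCAST = {"224.0.0.5", "224.0.0.6"}  # multicast addresses entered in Step 1

def check_plan(local, remote):
    """Return a list of problems in a two-site plan (empty list = consistent)."""
    problems = []
    for name, fw in (("local", local), ("remote", remote)):
        if not 0 <= fw["index"] <= 999:
            problems.append(f"{name}: interface index {fw['index']} is outside 0-999")
        iface = ipaddress.ip_interface(fw["next_hop_ip"])
        if fw["additional_ip"] != str(iface.ip):
            problems.append(f"{name}: Additional IP differs from the next hop interface IP")
        missing = OSPF_MCAST - set(fw["multicast"])
        if missing:
            problems.append(f"{name}: missing multicast address(es) {sorted(missing)}")
        if fw["local_networks"] or fw["remote_networks"]:
            problems.append(f"{name}: tunnel local/remote networks must be empty")
        prefix = ipaddress.ip_network(fw["network_prefix"], strict=False)
        if prefix != iface.network:
            problems.append(f"{name}: OSPF network prefix is not the next hop network")
        if fw["network_area"] != fw["area_id"]:
            problems.append(f"{name}: network area {fw['network_area']} != area ID {fw['area_id']}")
    a = ipaddress.ip_interface(local["next_hop_ip"])
    b = ipaddress.ip_interface(remote["next_hop_ip"])
    if a.network != b.network:
        problems.append("next hop interfaces are not in the same intermediary network")
    if a.ip == b.ip:
        problems.append("both firewalls use the same next hop interface IP")
    if local["router_id"] == remote["router_id"]:
        problems.append("router IDs must differ between the two firewalls")
    return problems

def example_side(host):
    """Constructed sample: one firewall's values, taken from the article's examples."""
    ip = f"192.168.20.{host}"
    return {"index": 11, "next_hop_ip": f"{ip}/24", "additional_ip": ip,
            "multicast": ["224.0.0.5", "224.0.0.6"],
            "local_networks": [], "remote_networks": [],
            "router_id": ip, "network_prefix": "192.168.20.0/24",
            "network_area": 0, "area_id": 0}

LOCAL, REMOTE = example_side(1), example_side(2)

if __name__ == "__main__":
    for line in check_plan(LOCAL, REMOTE) or ["plan is consistent"]:
        print(line)
```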

Step 5. Verify the OSPF Service Configuration

On the CONTROL > Network page, verify that OSPF is active on the VPN Next Hop interface and that the remote NextGen Firewall F-Series is listed as an OSPF neighbor. The routes learned via OSPF are listed with a type of gateway-ospf in the routing table. The Interface is the VPN Next Hop interface, and the Gateway is the IP address of the remote VPN Next Hop interface.

[Screenshot: local firewall CONTROL > Network > OSPF page]

[Screenshot: remote firewall CONTROL > Network > OSPF page]

Step 6. Create Access Rules for VPN Traffic

Create access rules on both local and remote firewalls to allow traffic from the learned networks through the VPN tunnel. For more information, see How to Create Access Rules for Site-to-Site VPN Access.
