See below for a complete list of all TINA tunnel settings.
The tunnel name. You can enter a maximum of 64 characters.
To manually disable the tunnel, select this check box.
The transport type for the tunnel. You can select one of the following options:
The data encryption algorithm. You can select one of the following options:
The hashing algorithm for the VPN tunnel. You can select one of the following options:
The VPN transport classification for this tunnel. The first VPN tunnel is always classified as bulk-0. For more information, see Traffic Intelligence.
| Setting | Description |
| --- | --- |
| TI-ID | The Traffic Intelligence transport ID. |
| Compression | Enable to compress traffic transmitted through the VPN tunnel. VPN compression is not compatible with WAN Optimization. |
| Use Dynamic Mesh | Enable to allow this NextGen F-Series Firewall to create and accept dynamic VPN tunnels. For more information, see Dynamic Mesh VPN Networks. |
| Dynamic Mesh Timeout | Dynamic tunnels are terminated after the timeout (in seconds) passes without traffic being sent through the VPN tunnel. |
TI (Traffic Intelligence)
From the TI - Bandwidth Protection and TI - VPN Envelope Policy tabs, configure the Traffic Intelligence settings for the tunnel.
Specifies if HW acceleration or CPU acceleration should be used. You can select one of the following options:
| Setting | Description |
| --- | --- |
| Key Time Limit | The period of time after which the re-keying process is started. You can select 5, 10 (default), 30, or 60 minutes. |
| Key Traffic Limit | The amount of traffic after which the re-keying process is started. You can select No Limit, 1 GB, 500 MB, 100 MB, 50 MB, 10 MB (default), 5 MB, or 1 MB. |
| Tunnel Probing | The interval between tunnel probes. If probes are not answered in the time period specified by the Tunnel Timeout setting, the tunnel is terminated. You can select Silent (no probes are sent), 1 secs, 10 secs, 20 secs, 30 secs (default), or 60 secs. |
| Tunnel Timeout | The length of time within which tunnel probes must be correctly answered before the tunnel is terminated. If, for some reason, the enveloping connection breaks down, the tunnel must be re-initialized. This is extremely important in setups with redundant ways to build the enveloping connection. You can select 3 secs, 10 secs, 20 secs (default), 30 secs, or 60 secs. |
| High Performance Settings | To allow multiple CPUs and cores to be assigned to a single VPN tunnel to increase VPN performance, select this check box. |
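The following Python model, added here as an illustration and not part of the Barracuda documentation or product, shows how the Tunnel Probing, Tunnel Timeout, Key Time Limit, and Key Traffic Limit values from the table interact. The option values are the ones listed above; the probe/reply timeline, the assumption that a probe sent at time t must be answered within the timeout, and the assumption that whichever key limit is reached first triggers re-keying are constructed for this example.

```python
from typing import List, Optional

# Option values as listed in the documentation table above.
PROBE_INTERVALS = {"Silent": None, "1 secs": 1, "10 secs": 10, "20 secs": 20,
                   "30 secs": 30, "60 secs": 60}           # default: 30 secs
TUNNEL_TIMEOUTS = {"3 secs": 3, "10 secs": 10, "20 secs": 20, "30 secs": 30,
                   "60 secs": 60}                           # default: 20 secs
KEY_TIME_LIMITS_MIN = {5, 10, 30, 60}                       # default: 10 minutes
KEY_TRAFFIC_LIMITS = {"No Limit": None, "1 GB": 1 << 30, "500 MB": 500 << 20,
                      "100 MB": 100 << 20, "50 MB": 50 << 20, "10 MB": 10 << 20,
                      "5 MB": 5 << 20, "1 MB": 1 << 20}     # default: 10 MB


def probe_terminates_at(probe_setting: str, timeout_setting: str,
                        reply_times: List[int], horizon: int) -> Optional[int]:
    """Second at which probing would terminate the tunnel, or None if it survives.

    Model (an assumption of this example): a probe is sent at t = 0 and every
    `interval` seconds after that; a probe sent at t counts as answered if a
    reply arrives in (t, t + timeout]. The first unanswered probe terminates
    the tunnel when its timeout expires.
    """
    interval = PROBE_INTERVALS[probe_setting]
    timeout = TUNNEL_TIMEOUTS[timeout_setting]
    if interval is None:                # Silent: no probes are sent, nothing can time out
        return None
    replies = sorted(reply_times)
    t = 0
    while t <= horizon:
        answered = any(t < r <= t + timeout for r in replies)
        if not answered:
            return t + timeout
        t += interval
    return None


def rekey_reason(minutes_since_key: float, bytes_since_key: int,
                 time_limit_min: int = 10, traffic_limit: str = "10 MB") -> Optional[str]:
    """Name of the limit that has triggered re-keying, or None.

    Both limits are checked and whichever is reached first wins (assumption:
    the usual lifetime semantics). Defaults are the table defaults.
    """
    if time_limit_min not in KEY_TIME_LIMITS_MIN:
        raise ValueError(f"unsupported Key Time Limit: {time_limit_min}")
    limit_bytes = KEY_TRAFFIC_LIMITS[traffic_limit]
    if minutes_since_key >= time_limit_min:
        return "Key Time Limit"
    if limit_bytes is not None and bytes_since_key >= limit_bytes:
        return "Key Traffic Limit"
    return None


if __name__ == "__main__":
    # Constructed timeline: the probes at 0 s and 30 s are answered promptly,
    # then the enveloping connection breaks and no further replies arrive.
    replies = [2, 31]
    print(probe_terminates_at("30 secs", "20 secs", replies, horizon=120))  # 80
    print(probe_terminates_at("Silent", "20 secs", [], horizon=120))        # None
    print(rekey_reason(4, 11 << 20))                                        # Key Traffic Limit
```

With the defaults (30 s probes, 20 s timeout) a broken enveloping connection is detected 80 s after the last good probe in the constructed timeline; with Silent probing the tunnel is never torn down by probing, so a dead peer is only noticed when the enveloping connection itself fails, which matters in redundant setups where a re-initialization is needed to fail over.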
From the Scripts tab, add scripts in the following sections to start or stop processes:
- Start Script – This script is executed when connecting via VPN.
- Stop Script – This script is executed when disconnecting from VPN.
From this list, you can select one of the following options to specify if the local network is active or passive:
| Setting | Description |
| --- | --- |
| Network Address | The local networks that should be able to reach the partner networks. You can enter a list of networks or single IP addresses. Because this setting is typically shared by several tunnels, it may be defined in the Local Networks setting and referenced within the individual tunnel configurations. |
| Tunnel Parameter Template | From this list, you can select a template that has been configured on the Parameter Templates tab of the Site to Site page. To explicitly configure the settings, select -explicit-. |
| IP Address or Device used for Tunnel Address | From this list, you can select one of the following options: |
| Proxy Type | From this list, you can select one of the following options: |
From the Identification Type list, you can select one of the following options to specify if a public key or certificate is to be used:
- Public Key
- X509 Certificate (CA signed)
- X509 Certificate (explicit)
- Box SCEP Certificate (CA signed)
For certificates, configure the Server Certificate and/or Server Protocol Key settings to select the certificate and protocol key.
From this tab, specify the partner networks that are accessible through the VPN tunnel.
| Setting | Description |
| --- | --- |
| VPN Device Index | By default, the tunnel is fed through vpn0. To use another VPN interface, enter it in this field. |
| Remote Network | The partner networks that are accessible through the VPN tunnel. Enter the network address, and then click Add. |
| Advertise Route | To propagate routes to the partner networks using OSPF or RIP, select this check box. For more information, see Dynamic Routing Protocols (OSPF/RIP/BGP). |
From this tab, specify the IP addresses and host names of the VPN partner system.
| Setting | Description |
| --- | --- |
| Remote Peer Tunnel Name | The name of the VPN partner. |
| Remote Peer IP Addresses | The IP addresses or hostname of the VPN partner or, if the call direction is passive, the subnet of the VPN partner. When using a hostname as the destination, the VPN service caches the resolved IP address for the TTL of the DNS record. This may result in problems with DynDNS domains using a long TTL. For more information on how to clear the cache manually, see below. |
| Accepted Ciphers | The ciphers that can be used to establish the connection. |
Depending on whether the tunnel direction is passive or active, the partner server may be a whole subnet (passive mode) or must be defined by single IP addresses (active and bi-directional mode). Import the public key of the tunnel partner via clipboard or file. In principle, the public key is not required. However, it is highly recommended to use strong authentication to build up the tunnel enveloping connection. If you have two different tunnel connections configured between the same two peers, the keys are mandatory.
Perfect Forward Secrecy for TINA Tunnels
By default, firewalls running 6.2.0 or higher support Perfect Forward Secrecy (PFS) and Elliptic Curve Cryptography (ECC). The VPN service sends and responds to PFS/EC requests and uses ECC if it is also supported by the remote firewall. To determine if PFS/EC is used, go to the VPN logs and check for the following log messages:
- DH attributes found in request, generating new key
- DH attributes found in response, deriving shared secret
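A small log check, added here as an example and not part of the Barracuda documentation or product, that scans VPN log lines for the two messages quoted above and reports which tunnels did not show them. The two message texts are taken from this page; the sample log lines and their `<date> <time> <tunnel>: <message>` layout are constructed for the example and are not the firewall's actual log format, so the line pattern would need adjusting for real logs.

```python
import re
from typing import Dict, List

# Exact message texts quoted in the documentation above.
PFS_REQUEST_MSG = "DH attributes found in request, generating new key"
PFS_RESPONSE_MSG = "DH attributes found in response, deriving shared secret"

# Constructed sample log. The "<date> <time> <tunnel>: <message>" layout is an
# assumption made for this example, not the firewall's real VPN log format.
SAMPLE_VPN_LOG = """\
2024-01-10 08:00:01 HQ-to-Branch1: tunnel initiated
2024-01-10 08:00:01 HQ-to-Branch1: DH attributes found in request, generating new key
2024-01-10 08:00:02 HQ-to-Branch1: DH attributes found in response, deriving shared secret
2024-01-10 08:00:02 HQ-to-Branch1: tunnel established
2024-01-10 08:05:13 HQ-to-Branch2: tunnel initiated
2024-01-10 08:05:14 HQ-to-Branch2: tunnel established
"""

# Matches the constructed layout above; adjust for the real log format.
LINE_RE = re.compile(r"^\S+ \S+ (?P<tunnel>[^:]+): (?P<msg>.*)$")


def pfs_status(log_text: str) -> Dict[str, bool]:
    """Map every tunnel named in the log to whether PFS/EC was negotiated.

    A tunnel counts as using PFS/EC when either documented DH message was
    logged for it; a tunnel with neither message was established without it
    (for example because the remote firewall does not support PFS/EC).
    """
    status: Dict[str, bool] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip lines that do not fit the layout
        tunnel, msg = m.group("tunnel"), m.group("msg")
        status.setdefault(tunnel, False)
        if msg in (PFS_REQUEST_MSG, PFS_RESPONSE_MSG):
            status[tunnel] = True
    return status


def tunnels_without_pfs(log_text: str) -> List[str]:
    """Sorted list of tunnels that never logged a DH message: worth reviewing."""
    return sorted(name for name, ok in pfs_status(log_text).items() if not ok)


if __name__ == "__main__":
    print(pfs_status(SAMPLE_VPN_LOG))           # {'HQ-to-Branch1': True, 'HQ-to-Branch2': False}
    print(tunnels_without_pfs(SAMPLE_VPN_LOG))  # ['HQ-to-Branch2']
```

Running this over a longer log window gives an inventory of tunnels whose key material is not forward secret, which is the set to follow up on (typically by checking the remote side's firmware version and settings).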
Clearing the DNS Cache of the VPN Service
Using Barracuda NextGen Admin
To clear the cache and manually trigger a DNS lookup, open the VPN page. Right-click on the VPN tunnel and select Show Runtime information. Right-click on the IKE entry in the Worker section, and select Flush DNS Cache.
Log in as root and enter:

```
/opt/phion/bin/ipsecctrl isa flushdn
```
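To make the DynDNS problem described under Remote Peer IP Addresses concrete, here is a Python model of a resolved-address cache that honours the DNS record's TTL, added as an example that is not part of the Barracuda documentation or product. The peer hostname, the two RFC 5737 documentation addresses, the TTL values, and the stub resolver are all constructed; `flush()` stands in for the Flush DNS Cache action shown above.

```python
from typing import Callable, Dict, Optional, Tuple

PEER = "peer.dyndns.example"   # constructed hostname for this example


class VpnDnsCache:
    """Models the documented behaviour: the address a hostname resolves to is
    cached for the TTL of the DNS record; a flush forces a fresh lookup."""

    def __init__(self, resolver: Callable[[str], Tuple[str, int]]):
        self._resolve = resolver                      # host -> (ip, ttl_seconds)
        self._cache: Dict[str, Tuple[str, float]] = {}  # host -> (ip, expires_at)
        self.queries = 0                              # DNS lookups actually made

    def lookup(self, host: str, now: float) -> str:
        entry = self._cache.get(host)
        if entry is not None and now < entry[1]:
            return entry[0]                           # within TTL: no DNS query
        self.queries += 1
        ip, ttl = self._resolve(host)
        self._cache[host] = (ip, now + ttl)
        return ip

    def flush(self, host: Optional[str] = None) -> None:
        """Stand-in for 'Flush DNS Cache' in the model: drop one or all entries."""
        if host is None:
            self._cache.clear()
        else:
            self._cache.pop(host, None)


def dyndns_scenario(ttl: int, check_at: float, flush_before_check: bool = False) -> str:
    """Constructed scenario: the peer is resolved at t = 0, its DynDNS record
    then changes to a new address, and the VPN service looks it up again at
    `check_at` seconds. Returns the address it would try to connect to."""
    record = {"ip": "203.0.113.10"}                   # constructed (RFC 5737) address
    cache = VpnDnsCache(lambda host: (record["ip"], ttl))
    cache.lookup(PEER, now=0)                         # cached until t = ttl
    record["ip"] = "203.0.113.20"                     # the peer's address has changed
    if flush_before_check:
        cache.flush(PEER)
    return cache.lookup(PEER, now=check_at)


if __name__ == "__main__":
    # Long TTL (1 day): one hour later the service still connects to the old address.
    print(dyndns_scenario(ttl=86400, check_at=3600))                           # 203.0.113.10
    # Short TTL (60 s): the record has expired, the new address is picked up.
    print(dyndns_scenario(ttl=60, check_at=3600))                              # 203.0.113.20
    # Long TTL but the cache was flushed first: the new address is picked up.
    print(dyndns_scenario(ttl=86400, check_at=3600, flush_before_check=True))  # 203.0.113.20
```

The model shows why the two remedies on this page are the ones that work: either keep the DynDNS record's TTL short so the cache expires soon after a change, or flush the cache manually so the next connection attempt resolves the name again.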