Barracuda CloudGen Firewall

This Firmware Version Is End-Of-Support

Documentation for this product is no longer updated. Please see End-of-Support for CloudGen Firewall Firmware for further information on our EoS policy.

TINA Tunnel Settings


See below for a complete list of all TINA tunnel settings.


Basic

Name

The tunnel name. You can enter a maximum of 64 characters.

Disabled

To manually disable the tunnel, select this check box.

Transport

The transport type for the tunnel. You can select one of the following options:

  • UDP – The tunnel uses UDP port 691. This type is best suited for response-optimized tunnels: it is the fastest transport and generates the least overhead.
  • TCP – The tunnel uses a TCP connection on port 691, or on port 443 when an HTTP proxy is in the path. This mode is required for connections over SOCKS4 or HTTP proxies and is useful on unreliable lines where packet loss is common.
  • UDP&TCP – The tunnel uses both a TCP and a UDP connection. The tunnel engine carries UDP requests over the TCP connection, and TCP requests and ICMP-based applications over the UDP connection.
  • ESP – The tunnel uses ESP (IP protocol 50). This type is best suited for performance-optimized tunnels, for example over a private link such as MPLS, or wherever ESP is not blocked by NAT.

    • Do not select ESP if there are filtering or NAT devices between the peers.
    • Some routers, especially DSL routers for home accounts and cable modems, block ESP traffic. In this case, select TCP or UDP.
  • Routing – Use this option with Traffic Intelligence. It disables payload encryption within the tunnel, so the data is sent unencrypted; use it only for non-critical bulk traffic.

    With this option, you can also specify the next-hop address for the routed packets when configuring the TI traffic transport classification.

Encryption

The data encryption algorithm. You can select one of the following options:

  • AES | AES256 – The Advanced Encryption Standard (default; recommended). AES uses 128-bit keys and AES256 uses 256-bit keys. AES256 increases the security margin of the encrypted data but requires more CPU capacity; use it only when required. AES is a very good compromise between key length and encryption speed, and its speed can be improved further with hardware acceleration.

  • 3DES – Triple DES, a further development of DES. Three 56-bit keys are applied sequentially, for a nominal key length of 168 bits; because of meet-in-the-middle attacks, the effective security is about 112 bits. (Not recommended.)

    Avoid 3DES: it is very slow and offers acceptable performance only with special hardware acceleration cards.

  • CAST – An algorithm similar to DES with a 128-bit key.
  • Blowfish – Uses a variable key length of up to 128 bits.
  • DES – Data Encryption Standard. DES supports only a 56-bit key and can no longer be considered secure. (Not recommended.)
  • Null – No encryption; the payload is sent in clear.

Authentication

The hashing (integrity) algorithm for the VPN tunnel. You can select one of the following options:

  • MD5 – Message Digest 5. Hash length is 128 bits. (Not recommended: fast, but practical collision attacks against it are known.)
  • SHA – Secure Hash Algorithm (SHA-1). Hash length is 160 bits. (Not recommended: fast, but practical collision attacks against it are known.)
  • NOHASH – No integrity check on the tunnel data. Use NOHASH only on systems with hardware encryption support, where it allows hardware-accelerated high encryption performance; the payload is then encrypted but not authenticated.
  • RIPEMD160 – RACE Integrity Primitives Evaluation Message Digest. Hash length is 160 bits. (Highly recommended.)
  • SHA256 – Secure Hash Algorithm. Hash length is 256 bits. (Highly recommended.)
  • SHA512 – Secure Hash Algorithm. Hash length is 512 bits.
  • GCM – Galois/Counter Mode. Authentication tag length is 128 bits. GCM authenticates the encrypted data with a universal hash function defined over a binary Galois field and assures its authenticity for up to about 64 GB per invocation.

TI Classification

The VPN transport classification for this tunnel. The first VPN tunnel is always classified as bulk-0. For more information, see Traffic Intelligence.

  • Bulk
  • Quality
  • Fallback

TI-ID

The Traffic Intelligence transport ID.

Compression

Enable to compress traffic transmitted through the VPN tunnel. VPN compression is not compatible with WAN Optimization.

Use Dynamic Mesh

Enable to allow this NextGen F-Series Firewall to create and accept dynamic VPN tunnels. For more information, see Dynamic Mesh VPN Networks.

Dynamic Mesh Timeout

Dynamic tunnels are terminated after this timeout (in seconds) passes without traffic being sent through the VPN tunnel.

TI (Traffic Intelligence)

From the TI - Bandwidth Protection and TI - VPN Envelope Policy tabs, configure the Traffic Intelligence settings for the tunnel.

Advanced

HW Acceleration

Specifies whether a crypto accelerator card or the CPU is used for tunnel encryption. You can select one of the following options:

  • Use Acceleration Card – Select this option if a crypto accelerator hardware board is installed.
  • Use CPU – Encrypt on the CPU.

Key Time Limit

The period after which the re-keying process is started. You can select 5, 10 (default), 30, or 60 minutes.

Key Traffic Limit

The amount of traffic after which the re-keying process is started. You can select No Limit, 1 GB, 500 MB, 100 MB, 50 MB, 10 MB (default), 5 MB, or 1 MB.

Tunnel Probing

The interval between tunnel probes. If probes are not answered within the period specified by the Tunnel Timeout setting, the tunnel is terminated. You can select Silent (no probes are sent), 1 secs, 10 secs, 20 secs, 30 secs (default), or 60 secs.

Tunnel Timeout

The period within which tunnel probes must be answered before the tunnel is terminated. If the enveloping connection breaks down for any reason, the tunnel must be re-initialized, so a short timeout is especially important in setups with redundant paths for building the enveloping connection. You can select 3 secs, 10 secs, 20 secs (default), 30 secs, or 60 secs.

High Performance Settings

To allow multiple CPUs and cores to be assigned to a single VPN tunnel to increase VPN performance, select this check box.
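The Python audit below is an added example, not Barracuda code and not part of this article: it applies the recommendations from the Transport, Encryption, Authentication, Key Traffic Limit and Tunnel Probing settings above to tunnel definitions exported from the configuration. The TinaTunnel dataclass, its field names, the severities and the behind_nat flag are the example's own assumptions; the option strings are the ones listed on this page.

```python
from dataclasses import dataclass
from typing import List

# Option values as listed in this article (any other value is a typo in the export).
TRANSPORTS = {"UDP", "TCP", "UDP&TCP", "ESP", "Routing"}
CIPHERS = {"AES", "AES256", "3DES", "CAST", "Blowfish", "DES", "Null"}
HASHES = {"MD5", "SHA", "NOHASH", "RIPEMD160", "SHA256", "SHA512", "GCM"}
KEY_TIME_LIMITS_MIN = {5, 10, 30, 60}
TRAFFIC_LIMITS = {"No Limit", "1 GB", "500 MB", "100 MB", "50 MB", "10 MB", "5 MB", "1 MB"}
PROBE_INTERVALS = {"Silent", "1 secs", "10 secs", "20 secs", "30 secs", "60 secs"}


@dataclass
class TinaTunnel:
    """Assumed shape of one exported tunnel (field names are the example's own)."""
    name: str
    transport: str
    encryption: str
    authentication: str
    key_time_limit_min: int = 10       # page default
    key_traffic_limit: str = "10 MB"   # page default
    tunnel_probing: str = "30 secs"    # page default
    behind_nat: bool = False           # assumption: known from the topology, not a tunnel setting


@dataclass
class Finding:
    severity: str   # "high", "medium" or "low" (the example's own scale)
    setting: str
    message: str


def audit_tunnel(t: TinaTunnel) -> List[Finding]:
    """Return the findings for one tunnel; an empty list means nothing to report."""
    out: List[Finding] = []

    # Unknown values first: the remaining checks assume valid option strings.
    for setting, value, allowed in (
        ("Transport", t.transport, TRANSPORTS),
        ("Encryption", t.encryption, CIPHERS),
        ("Authentication", t.authentication, HASHES),
        ("Key Time Limit", t.key_time_limit_min, KEY_TIME_LIMITS_MIN),
        ("Key Traffic Limit", t.key_traffic_limit, TRAFFIC_LIMITS),
        ("Tunnel Probing", t.tunnel_probing, PROBE_INTERVALS),
    ):
        if value not in allowed:
            out.append(Finding("high", setting, f"unknown value {value!r}"))

    if t.transport == "Routing":
        out.append(Finding("high", "Transport",
                           "Routing disables payload encryption; only for non-critical bulk traffic"))
    elif t.transport == "ESP" and t.behind_nat:
        out.append(Finding("medium", "Transport",
                           "ESP (IP protocol 50) is dropped by NAT/filtering devices in the path; use UDP or TCP"))

    if t.encryption == "Null":
        out.append(Finding("high", "Encryption", "Null: payload is sent unencrypted"))
    elif t.encryption == "DES":
        out.append(Finding("high", "Encryption", "DES: a 56-bit key is no longer secure"))
    elif t.encryption == "3DES":
        out.append(Finding("medium", "Encryption", "3DES is slow and has about 112-bit effective security; prefer AES"))

    if t.authentication == "NOHASH":
        out.append(Finding("high", "Authentication", "NOHASH: tunnel payload is not integrity-protected"))
    elif t.authentication in ("MD5", "SHA"):
        out.append(Finding("medium", "Authentication",
                           f"{t.authentication} has known weaknesses; use SHA256, SHA512 or RIPEMD160"))

    if t.key_traffic_limit == "No Limit":
        out.append(Finding("low", "Key Traffic Limit",
                           f"re-keying depends on the {t.key_time_limit_min}-minute time limit alone"))

    if t.tunnel_probing == "Silent":
        out.append(Finding("low", "Tunnel Probing",
                           "no probes are sent, so a dead peer is not detected via the Tunnel Timeout"))

    return out


SEVERITY_ORDER = {"high": 2, "medium": 1, "low": 0}


def worst_severity(findings: List[Finding]) -> str:
    """Highest severity present, or 'none' if the tunnel is clean."""
    if not findings:
        return "none"
    return max(findings, key=lambda f: SEVERITY_ORDER[f.severity]).severity


if __name__ == "__main__":
    # Constructed sample export: one legacy tunnel and one matching the recommendations.
    for tunnel in (
        TinaTunnel("legacy-branch", "Routing", "DES", "MD5", 60, "No Limit", "Silent"),
        TinaTunnel("hq-dc", "UDP", "AES256", "SHA256"),
    ):
        findings = audit_tunnel(tunnel)
        print(f"{tunnel.name}: {worst_severity(findings)}")
        for f in findings:
            print(f"  [{f.severity}] {f.setting}: {f.message}")
```

Run it against every tunnel in an export and treat any "high" finding as a blocker; the "low" findings only point out that detection or re-keying then relies on a single mechanism.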

Scripts

From the Scripts tab, add scripts in the following sections to start or stop processes:

  • Start Script – This script is executed when connecting via VPN.
  • Stop Script – This script is executed when disconnecting from VPN.

Local Networks

Call Direction

From this list, select whether this side of the tunnel is active or passive:

  • Active – An active VPN server both accepts tunnel requests and initiates the tunnel connection itself. When the tunnel has been down for a defined time, it clears its state so that it accepts retries from its partner, and it attempts to initiate the connection again.
  • Passive – A passive VPN server never builds up the tunnel; it only accepts requests from its partner. If the tunnel has been down for a defined time, it clears its state to accept retries from its partner.
  • OnDemand – Use this option with Traffic Intelligence. The VPN server actively builds up the connection and terminates it after the timeouts specified by the On Demand Transport Timeout setting on the TI - VPN Envelope Policy tab.

Network Address

The local networks that should be able to reach the partner networks. You can enter a list of networks or single IP addresses. Because this setting is typically shared by several tunnels, it can be defined once in the Local Networks setting and referenced from the individual tunnel configurations.

Local

Tunnel Parameter Template

From this list, select a template that has been configured on the Parameter Templates tab of the Site to Site page. To configure the settings explicitly, select -explicit-.

IP Address or Device used for Tunnel Address

From this list, select one of the following options:

  • First Server IP – The first server IP address is used.
  • Second Server IP – The second server IP address is used.
  • Dynamic (via routing) – The IP address is taken from the routing table.
  • Explicit (ordered list) – Specify the IP addresses or devices explicitly. This option is important for redundancy on the active side of the tunnel.

Proxy Type

From this list, select one of the following options:

  • Direct (no Proxy) – The standard connection.
  • HTTP Proxy – An HTTP proxy server with optional user/password authentication is used.
  • Socks 4 Proxy – A SOCKS4 server is used.
  • Socks 5 Proxy – A SOCKS5 server is used.

Identify

From the Identification Type list, you can select one of the following options to specify if a public key or certificate is to be used:

  • Public Key
  • X509 Certificate (CA signed)
  • X509 Certificate (explicit)
  • Box SCEP Certificate (CA signed)

For certificates, configure the Server Certificate and/or Server Protocol Key settings to select the certificate and protocol key.

Remote Networks

From this tab, specify the partner networks that are accessible through the VPN tunnel.

VPN Device Index

By default, the tunnel is fed through vpn0. To use another VPN interface, enter it in this field.

Remote Network

The partner networks that are accessible through the VPN tunnel. Enter the network address, and then click Add.

Advertise Route

To propagate routes to the partner networks using OSPF or RIP, select this check box. For more information, see Dynamic Routing Protocols (OSPF/RIP/BGP).

Remote

From this tab, specify the IP addresses and host names of the VPN partner system.

Remote Peer Tunnel Name
The name of the VPN partner.
Remote Peer IP Addresses

The IP addresses or hostname of the VPN partner; if the call direction is passive, enter the partner's subnet instead.

When using a hostname as the destination, the VPN service caches the resolved IP address for the TTL of the DNS record. This can cause problems with DynDNS domains that use a long TTL: after the partner's address changes, the tunnel keeps dialing the old address until the TTL expires. For instructions on clearing the cache manually, see Clearing the DNS Cache of the VPN Service below.

Accepted Ciphers

The ciphers that may be used to establish the connection.

Peer Identification

Depending on whether the tunnel direction is passive or active, the partner may be specified as a whole subnet (passive mode) or must be defined by single IP addresses (active and bi-directional mode). Import the public key of the tunnel partner from the clipboard or from a file. In principle the public key is not required, but strong authentication of the tunnel enveloping connection is highly recommended. If two different tunnel connections are configured between the same two peers, the keys are mandatory.
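As an added illustration, not code from this page or from Barracuda, the Python simulation below reproduces the caching behaviour described above for hostname peers, using an injected clock and a constructed DNS stub so it runs offline. It shows why a DynDNS address change is not picked up until the record's TTL expires or the cache is flushed. The PeerResolver and FakeDns classes, the hostname and the IP addresses are the example's own.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


@dataclass
class CachedAddress:
    ip: str
    expires_at: float   # seconds on the injected clock


class PeerResolver:
    """Caches a resolved peer address for the record's TTL (the behaviour described above).

    resolve(name) must return (ip, ttl_seconds); clock() returns the current time.
    Both are injected so the behaviour can be shown without network access.
    """

    def __init__(self, resolve: Callable[[str], Tuple[str, int]], clock: Callable[[], float]):
        self._resolve = resolve
        self._clock = clock
        self._cache: Dict[str, CachedAddress] = {}

    def peer_ip(self, name: str) -> str:
        """Address used for the next dial attempt: cached while the TTL has not expired."""
        entry = self._cache.get(name)
        now = self._clock()
        if entry is None or now >= entry.expires_at:
            ip, ttl = self._resolve(name)
            entry = CachedAddress(ip, now + ttl)
            self._cache[name] = entry
        return entry.ip

    def flush_dns_cache(self) -> None:
        """Counterpart of 'Flush DNS Cache' in the UI: the next lookup queries DNS again."""
        self._cache.clear()


class FakeDns:
    """Constructed stand-in for the DynDNS zone; the test changes its address mid-run."""

    def __init__(self, ip: str, ttl: int):
        self.ip, self.ttl = ip, ttl
        self.queries = 0

    def __call__(self, name: str) -> Tuple[str, int]:
        self.queries += 1
        return self.ip, self.ttl


def demo_stale_peer(ttl: int = 86400, reconnect_after: int = 600) -> Tuple[str, str, str]:
    """Return (ip before the change, ip on re-dial without flush, ip after flush)."""
    now = [0.0]
    dns = FakeDns("198.51.100.10", ttl)               # constructed addresses (documentation range)
    resolver = PeerResolver(dns, lambda: now[0])

    before = resolver.peer_ip("branch.example.net")   # first dial: cache miss, DNS queried
    dns.ip = "198.51.100.20"                          # DynDNS update at the branch
    now[0] += reconnect_after                         # tunnel drops and is re-dialed later
    stale = resolver.peer_ip("branch.example.net")    # cache hit unless the TTL has expired
    resolver.flush_dns_cache()
    fresh = resolver.peer_ip("branch.example.net")    # forced lookup sees the new address
    return before, stale, fresh


if __name__ == "__main__":
    print("TTL 24 h, re-dial after 10 min:", demo_stale_peer())
    print("TTL 60 s, re-dial after 10 min:", demo_stale_peer(ttl=60))
```

With a one-day TTL the re-dial ten minutes later still goes to the old address and only the flush fixes it; with a 60-second TTL the cache has already expired and the re-dial resolves the new address on its own.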

Perfect Forward Secrecy for TINA Tunnels

By default, firewalls running firmware 6.2.0 or higher support Perfect Forward Secrecy (PFS) and Elliptic Curve Cryptography (ECC). The VPN service sends and responds to PFS/EC requests and uses ECC if the remote firewall also supports it. To determine whether PFS/EC is in use, go to the VPN logs and check for the following messages:

  • DH attributes found in request, generating new key
  • DH attributes found in response, deriving shared secret
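The Python check below is an added example, not part of this article and not Barracuda code: it scans VPN log lines for the two messages quoted above and reports, per tunnel, whether PFS/EC evidence was found. The line layout of the constructed sample ("<date> <time> <tunnel>: <message>") and the mapping of the two messages to responder and initiator roles are assumptions of the example; only the two message texts come from the page.

```python
import re
from typing import Dict, List, Tuple

# The two messages quoted above. Which one a firewall logs depends on its side of the
# exchange (assumption: the responder logs the "request" line, the initiator the "response" line).
PFS_MARKERS = {
    "DH attributes found in request, generating new key": "responder",
    "DH attributes found in response, deriving shared secret": "initiator",
}

# Assumed layout for the constructed sample: "<date> <time> <tunnel>: <message>".
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<tunnel>[^:]+): (?P<msg>.*)$")


def pfs_evidence(lines: List[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Map tunnel name -> [(timestamp, role)] for every PFS marker found."""
    evidence: Dict[str, List[Tuple[str, str]]] = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                       # not in the expected layout; ignore
        for marker, role in PFS_MARKERS.items():
            if marker in m["msg"]:
                evidence.setdefault(m["tunnel"], []).append((m["ts"], role))
    return evidence


def pfs_in_use(lines: List[str], tunnel: str) -> bool:
    """True if at least one PFS marker was logged for the tunnel.

    False only means no such message is in the supplied lines: either the remote
    side did not offer PFS/EC, or the messages are not part of this log excerpt.
    """
    return bool(pfs_evidence(lines).get(tunnel))


# Constructed sample: "hq-branch" negotiated PFS as responder, "legacy-peer" shows no marker.
SAMPLE_LOG = [
    "2024-01-15 08:00:01 hq-branch: tunnel request from 203.0.113.7",
    "2024-01-15 08:00:01 hq-branch: DH attributes found in request, generating new key",
    "2024-01-15 08:00:02 hq-branch: tunnel established",
    "2024-01-15 08:05:14 legacy-peer: tunnel request from 203.0.113.9",
    "2024-01-15 08:05:14 legacy-peer: tunnel established",
    "garbage line without the expected layout",
]


if __name__ == "__main__":
    for name in ("hq-branch", "legacy-peer"):
        state = "in use" if pfs_in_use(SAMPLE_LOG, name) else "not seen"
        print(f"{name}: PFS/EC {state}")
```

Adjust LINE_RE to the real log format before running this against exported VPN logs; the marker strings themselves are matched as substrings, so surrounding fields do not matter.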


Clearing the DNS Cache of the VPN Service

Using Barracuda NextGen Admin

To clear the cache and manually trigger a DNS lookup, open the VPN page. Right-click on the VPN tunnel and select Show Runtime information. Right-click on the IKE entry in the Worker section, and select Flush DNS Cache.

Command Line

Log in as root and enter:

/opt/phion/bin/ipsecctrl isa flushdn
