The Barracuda NextGen Firewall F-Series VPN Graphical Tunnel Interface (GTI) provides you with a graphical interface to create and manage TINA and IPsec VPN tunnels. When configuring VPN tunnels manually, there are many identical configuration steps and settings. The GTI editor eliminates many of these redundant steps, helping you configure your VPN tunnels more quickly and with less errors. Environments with many VPN tunnels especially benefit by using the GTI editor. The GTI editor is available on the Barracuda NextGen Control Center and can be used on a global, range, or cluster level.
VPN groups contain VPN services running in the same scope as the GTI editor. You can create as many groups as needed and then assign the available VPN service to the individual groups. When using the GTI on the cluster or range level, only include VPN services running on virtual servers of that range or cluster.
VPN GTI Settings per VPN Service
For each VPN service you want to use in the GTI Editor, you must configure a few basic parameters:
- Transport Source IP – This is a list of one of more IP addresses the VPN service is listening on. They can be entered explicitly or selected by the system using a rooting table lookup (Dynamic - via routing). You can also use all IP addresses configured in the VPN service properties by selecting All Service IPs.
- Transport Listening IP – Use an external IP address, which remote firewalls use as a destination IP address to establish a VPN tunnel. Use an external IP address through which the VPN service on the F-Series Firewall can be reached . If only active VPN connections are going to be configured on this unit, no listening IP is needed (set it to 127.0.0.1).
- Networks – In the Server Properties of the virtual server your VPN service is running on, set the on-premise network(s) that are made available via VPN tunnel.
All other settings for the VPN tunnels are taken from the GTI Editor Defaults that are defined for each VPN Group.
For more information, see How to Configure VPN GTI Settings for a VPN Service.
VPN tunnels are created by dragging a connection from one firewall to the other. The tunnel configuration parameters stored for each VPN service are then used to create the VPN tunnel. It might be necessary to configure some settings or remove a listening IP address, depending on how you configured the VPN GTI Settings.
For more information, see How to Create a VPN Tunnel with the VPN GTI Editor
The GTI editor allows you to add additional transport tunnels when using Traffic Intelligence by a simple drag-and-drop operation. The tunnel configuration for the new transport can then be configured just like the primary transport.
For more information, see How to Configure VPN Traffic Intelligence.
GTI Editor Limitations
There are a some limitations you need to consider when using the GTI editor.
- You cannot import manually configured VPN tunnels into the GTI editor - Recreate the manually configured VPN tunnels in the GTI Editor. After creating the VPN tunnels in the GTI editor, remove the manually configured tunnels. Otherwise the VPN tunnel is configured twice and will not work correctly.
- Remember to create firewall rules that allow traffic in your VPN tunnels - The GTI Editor only creates VPN tunnels. Firewall rules must still be created manually to allow traffic to and from your VPN tunnels.
- The GTI Editor is only available in the Barracuda NextGen Control Center - When you go to the VPN page while logged into an F-Series Firewall, only the VPN tunnels are listed. You will not see the VPN groups and VPN tunnel diagram.