The Barracuda NextGen FSC-Series devices use a single site-to-site VPN tunnel to connect to the Secure Access Concentrator (FSAC). The VPN tunnel carries both user and management traffic and runs on port 692 (TCP/UDP). To have both managed NextGen F-Series Firewalls and FSC-Series devices connect to an Access Concentrator and Control Center behind the same border firewall, you must either use two public IP addresses or configure the VPN connection to use another, free port. The VPN service can be configured in two modes:
- Operational Mode – Standard, certificate authenticated VPN tunnel.
- Deployment Mode – Passphrase authenticated VPN tunnel. Only use deployment mode to transfer the certificates, or to deploy remote FSC-Series devices. For more information, see FSC-Series Deployment.
Configure VPN in Operational Mode using the FSC Web Interface
You can use the web interface of the FSC to configure the VPN in override mode.
- Log in to the web interface.
- Go to the CONFIGURATION > VPN page.
- Click Retrieve Lock.
- Select Enabled.
- Enter the Box Unique Identifier. Use the following format: RANGENUMBER-CLUSTERNAME-FSCNAME, e.g., 3-myScCluster-SC1.
- Set the Server Mode to Operative-Mode.
- Enter the Virtual IP. The IP address must be the first IP address of the subnet assigned to the FSC by the Control Center.
- Enter the Entry Point Address. Typically this is the public IP of your FSAC, or the public IP address of the border firewall in front of your FSAC.
- Enter 692 as the Entry Point Port.
- (optional) Select the Tunnel Mode.
- (optional) Select the Encryption.
- Click Save Changes.
- At the top of the page, click Activate Configs.
- Click Release Lock.
The FSC connects via VPN to the FSAC and authenticates using the deployment password. Once connected, the Control Center pushes the configuration stored for the device to the FSC, and the VPN is switched to operational mode.
Configure VPN in Operational Mode in the Secure Connector Editor
To configure the VPN settings to connect to the FSAC in operational mode, you must use the Secure Connector Editor.
- Go to your cluster > Cluster Settings > Secure Connector Editor.
- Click Lock.
- Double-click to edit the device or FSC template.
- In the left menu, click VPN Settings.
- From the VPN Mode drop-down list, select Operative-Mode.
- Select the VPN enabled check box.
- Click New Key to create a new Private Key.
- Click Edit and create a new Certificate.
- Click + and enter the Remote Networks you want to route through the VPN tunnel. Enter 0.0.0.0/0 to send all traffic through the VPN tunnel and to allow the devices behind the FSC to access the Internet.
- From the Tunnel Mode drop-down list, select TCP or UDP. Use UDP for response-optimized tunnels; use TCP for greater stability when using unstable Internet connections.
- From the Encryption drop-down list, select one of the encryption algorithms: DES, 3DES, CAST, Blowfish, AES, or AES256.
- Click OK and Activate.
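A pre-flight check for the values entered in either procedure above, as an added example that is not Barracuda code: it checks planned settings against the rules stated on this page and flags the 64-bit block ciphers in the Encryption list. The dictionary keys and the function name are hypothetical, names are assumed to be alphanumeric, and "first IP address" is assumed to mean the first usable host address of the assigned subnet.

```python
import ipaddress
import re

# Assumption: cluster and FSC names contain only letters, digits and underscores.
BOX_ID = re.compile(r"^\d+-[A-Za-z0-9_]+-[A-Za-z0-9_]+$")
# Ciphers from the Encryption list with a 64-bit block; DES also has a 56-bit key.
WEAK_CIPHERS = {"DES", "3DES", "CAST", "Blowfish"}
KNOWN_CIPHERS = WEAK_CIPHERS | {"AES", "AES256"}


def check_fsc_vpn(cfg, assigned_subnet):
    """Return a list of (severity, message) findings for one planned FSC VPN config."""
    findings = []
    if not BOX_ID.match(cfg["box_id"]):
        findings.append(("error", "Box Unique Identifier is not RANGENUMBER-CLUSTERNAME-FSCNAME"))
    net = ipaddress.ip_network(assigned_subnet)
    first = next(iter(net.hosts()))  # assumption: "first IP" = first usable host address
    if ipaddress.ip_address(cfg["virtual_ip"]) != first:
        findings.append(("error", f"Virtual IP should be {first} for {net}"))
    if cfg["mode"] != "Operative-Mode":
        findings.append(("warn", "tunnel is passphrase authenticated; use only for deployment"))
    if not 1 <= cfg["entry_point_port"] <= 65535:
        findings.append(("error", "Entry Point Port out of range"))
    elif cfg["entry_point_port"] != 692:
        findings.append(("info", "non-default port; border firewall must forward it to the FSAC"))
    if cfg["tunnel_mode"] not in ("TCP", "UDP"):
        findings.append(("error", "Tunnel Mode must be TCP or UDP"))
    if cfg["encryption"] not in KNOWN_CIPHERS:
        findings.append(("error", f"unknown Encryption {cfg['encryption']!r}"))
    elif cfg["encryption"] in WEAK_CIPHERS:
        findings.append(("warn", f"{cfg['encryption']} is a 64-bit block cipher; prefer AES or AES256"))
    for remote in cfg["remote_networks"]:
        if ipaddress.ip_network(remote).prefixlen == 0:
            findings.append(("info", f"{remote} routes all traffic, including Internet, via the tunnel"))
    return findings


# Constructed sample input, not taken from a real deployment.
SAMPLE = {
    "box_id": "3-myScCluster-SC1", "mode": "Operative-Mode",
    "virtual_ip": "10.20.30.2", "entry_point_port": 692,
    "tunnel_mode": "UDP", "encryption": "3DES",
    "remote_networks": ["0.0.0.0/0"],
}

if __name__ == "__main__":
    for severity, message in check_fsc_vpn(SAMPLE, "10.20.30.0/29"):
        print(f"{severity}: {message}")
```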