Barracuda CloudGen Firewall

This Firmware Version Is End-Of-Support

Documentation for this product is no longer updated. Please see End-of-Support for CloudGen Firewall Firmware for further information on our EoS policy.

How to Configure a Routed VPN Network


In cases where Traffic Intelligence cannot handle the failover scenarios in your VPN network, use a routed VPN network. A routed VPN network uses the IP addresses assigned to the VPNR interfaces of the TINA VPN tunnels as gateways, so the routing table and the metrics of the gateway routes decide which tunnel carries the traffic. When a VPN tunnel goes down, the VPNR gateway IP address on the other side of that tunnel is no longer reachable and the metric of the affected route is automatically raised to 65556. The backup route, which now has the lower metric, matches instead and redirects the traffic over the remaining tunnel to its destination. As soon as the VPN tunnel is back up, the original route is restored and traffic is sent through the direct VPN tunnel again. The steps below use three firewalls connected by TINA tunnels in a full mesh: Location 1 (10.0.15.0/24), Location 2 (10.0.51.0/24), and Location 3 (10.0.60.0/24), with the VPNR interfaces in 192.168.20.0/24.

vpn_routing.png

Before You Begin

  • A free subnet (e.g., 192.168.20.0/24) for the intermediary network is needed.

Step 1. Add a VPN Next Hop Interface to Each Firewall

Add a VPN next hop interface using a /24 subnet (e.g., 192.168.20.0/24). Each firewall gets its own address in this subnet (192.168.20.1, 192.168.20.2, and 192.168.20.3 in this example). Use the same VPNR index for each firewall.

  1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > VPN-Service > VPN Settings.
  2. Click Lock.
  3. In the Settings tab, click the Click here for Server Settings link. The Server Settings window opens.
  4. In the Server Settings window, click the Advanced tab.
  5. Next to the VPN Next Hop Interface Configuration table, click Add.
  6. In the VPN Interface Properties window, configure the following settings, and then click OK.
    1. In the VPN Interface Index field, enter a number between 0 and 999. E.g., 20
    2. In the IP Addresses field, enter a free IP address for the VPN interface IP address, including the subnet. E.g., 192.168.20.1/24
      routed_VPN_01.png
    3. Click OK. The interface is now listed in the VPN Next Hop Interface Configuration table.
    routed_VPN_02.png
  7. In the Server Settings window, click OK.
  8. Click Send Changes and Activate.

Repeat for each firewall in the VPN network. If possible, use the same VPNR interface index on each firewall.

Step 2. Add the VPN Next Hop Interface IP Address to the Virtual Server Listening IP Addresses for Each Firewall

Introduce the IP address of the VPN next hop interface as a virtual server IP address on each firewall.

  1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Server Properties.
  2. Click Lock.
  3. In the Additional IP table, click + to add the IP address of the VPNR interface.
    routed_VPN_03.png
  4. In the left menu click Networks.
  5. Remove all entries from the Server/GTI Networks table. In a routed VPN network, the gateway routes, not the networks published into the tunnel, decide which traffic enters which tunnel.
    routed_VPN_03a.png
  6. Click Send Changes and Activate.

Repeat for each firewall in the VPN network.

Step 3. Configure the TINA Site-to-Site VPN Tunnel between the Firewalls

You can configure the VPN tunnels connecting the firewalls using the GTI Editor for managed CloudGen Firewalls, or using the Site-to-Site configuration dialog if you are using standalone CloudGen Firewalls.

In the GTI Editor

Remove the local and remote networks and add the VPN Next Hop interface ID to the VPN tunnels.

  1. Go to the global/range/cluster GTI Editor.
  2. Click Lock.
  3. Click on the VPN tunnel, and click on the first Transport to edit the VPN tunnel configuration. For more information, see How to Create a VPN Tunnel with the VPN GTI Editor.
    routed_VPN_GTI_00.png
  4. Verify that the Local Networks for the remote and local VPN services are empty. If not, go back to step 2 and remove the entries from the Server/GTI Networks table in the Server Properties.
  5. Enter the VPN Next Hop interface ID for the remote and local VPN services. E.g., 20
    routed_VPN_GTI_01.png
  6. Click OK.
  7. Click Send Changes and Activate.

Stand-alone CloudGen Firewalls

Configure a TINA VPN tunnel using the VPN next hop interface between all firewalls.

  1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > VPN-Service > Site to Site.
  2. Click Lock.
  3. Right-click in the TINA Tunnels tab, and select New TINA tunnel. The TINA tunnel window opens.
  4. Enter a Name.
  5. Configure the Transport, Encryption and Authentication settings as well as the Local and Remote public IP addresses. For more information, see How to Create a TINA VPN Tunnel between CloudGen Firewalls.
  6. Leave the Local and Remote Network empty.
  7. In the Remote Networks tab, enter the VPN Interface Index number that you created in the VPN Next Hop Interface Configuration in Step 1. E.g., 20
    routed_VPN_04.png
  8. Click OK.
  9. Click Send Changes and Activate.

Repeat this step until each of the three firewalls has a TINA site-to-site VPN tunnel to each of the other two.

Step 4. Configure Gateway Routes for the Location 1 Firewall

Each firewall gets two gateway routes per remote network: a primary route (metric 10) via the VPNR address of the firewall at that location, and a backup route (metric 20) via the VPNR address of the third firewall, which relays the traffic over its own tunnel. Create the following primary and backup gateway routes on the Location 1 firewall. For more information, see How to Configure Gateway Routes.

  1. Log into the Location 1 firewall.
  2. Create a gateway route to Location 3:
    • Target Network Address – Enter the Location 3 network in CIDR format: 10.0.60.0/24
    • Route Type – Select gateway.
    • Gateway – Enter the IP address assigned to the VPNR interface of the Location 3 firewall: 192.168.20.3
    • Metric – Enter 10.
  3. Create a gateway route to Location 2:
    • Target Network Address – Enter the Location 2 network in CIDR format: 10.0.51.0/24
    • Route Type – Select gateway.
    • Gateway – Enter the IP address assigned to the VPNR interface of the Location 2 firewall: 192.168.20.2
    • Metric – Enter 10.
  4. Create a backup gateway route to Location 3 via Location 2:
    • Target Network Address – Enter the Location 3 network in CIDR format: 10.0.60.0/24
    • Route Type – Select gateway.
    • Gateway – Enter the IP address assigned to the VPNR interface of the Location 2 firewall: 192.168.20.2
    • Metric – Enter 20.
  5. Create a backup gateway route to Location 2 via Location 3:
    • Target Network Address – Enter the Location 2 network in CIDR format: 10.0.51.0/24
    • Route Type – Select gateway.
    • Gateway – Enter the IP address assigned to the VPNR interface of the Location 3 firewall: 192.168.20.3
    • Metric – Enter 20.
  6. Activate the network configuration on the Location 1 firewall. For more information, see How to Activate Network Changes.

The Location 1 routing table now includes all gateway routes to reach the remote networks with failover routes in case the VPN tunnel goes down.

routed_VPN_05.png

Step 5. Configure Gateway Routes for the Location 2 Firewall

Create the following primary and backup gateway routes on the Location 2 firewall. For more information, see How to Configure Gateway Routes.

  1. Log into the Location 2 firewall.
  2. Create a gateway route to Location 3:
    • Target Network Address – Enter the Location 3 network in CIDR format: 10.0.60.0/24
    • Route Type – Select gateway.
    • Gateway – Enter the IP address assigned to the VPNR interface of the Location 3 firewall: 192.168.20.3
    • Metric – Enter 10.
  3. Create a gateway route to Location 1:
    • Target Network Address – Enter the Location 1 network in CIDR format: 10.0.15.0/24
    • Route Type – Select gateway.
    • Gateway – Enter the IP address assigned to the VPNR interface of the Location 1 firewall: 192.168.20.1
    • Metric – Enter 10.
  4. Create a backup gateway route to Location 3 via Location 1:
    • Target Network Address – Enter the Location 3 network in CIDR format: 10.0.60.0/24
    • Route Type – Select gateway.
    • Gateway – Enter the IP address assigned to the VPNR interface of the Location 1 firewall: 192.168.20.1
    • Metric – Enter 20.
  5. Create a backup gateway route to Location 1 via Location 3:
    • Target Network Address – Enter the Location 1 network in CIDR format: 10.0.15.0/24
    • Route Type – Select gateway.
    • Gateway – Enter the IP address assigned to the VPNR interface of the Location 3 firewall: 192.168.20.3
    • Metric – Enter 20.
  6. Activate the network configuration on the Location 2 firewall. For more information, see How to Activate Network Changes.

The Location 2 routing table now includes all gateway routes to reach the remote networks with failover routes in case the VPN tunnel goes down.

routed_VPN_06.png

Step 6. Configure Gateway Routes for the Location 3 Firewall

Create the following primary and backup gateway routes on the Location 3 firewall. For more information, see How to Configure Gateway Routes.

  1. Log into the Location 3 firewall.
  2. Create a gateway route to Location 1:
    • Target Network Address – Enter the Location 1 network in CIDR format: 10.0.15.0/24
    • Route Type – Select gateway.
    • Gateway – Enter the IP address assigned to the VPNR interface of the Location 1 firewall: 192.168.20.1
    • Metric – Enter 10.
  3. Create a gateway route to Location 2:
    • Target Network Address – Enter the Location 2 network in CIDR format: 10.0.51.0/24
    • Route Type – Select gateway.
    • Gateway – Enter the IP address assigned to the VPNR interface of the Location 2 firewall: 192.168.20.2
    • Metric – Enter 10.
  4. Create a backup gateway route to Location 1 via Location 2:
    • Target Network Address – Enter the Location 1 network in CIDR format: 10.0.15.0/24
    • Route Type – Select gateway.
    • Gateway – Enter the IP address assigned to the VPNR interface of the Location 2 firewall: 192.168.20.2
    • Metric – Enter 20.
  5. Create a backup gateway route to Location 2 via Location 1:
    • Target Network Address – Enter the Location 2 network in CIDR format: 10.0.51.0/24
    • Route Type – Select gateway.
    • Gateway – Enter the IP address assigned to the VPNR interface of the Location 1 firewall: 192.168.20.1
    • Metric – Enter 20.
  6. Activate the network configuration on the Location 3 firewall. For more information, see How to Activate Network Changes.

The Location 3 routing table now includes all gateway routes to reach the remote networks with failover routes in case the VPN tunnel goes down.

routed_VPN_07.png
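The three routing tables configured in the gateway-route steps above, together with the metric-based failover described in the introduction, modelled as an added Python example. This is illustration code written for this page, not code from the original article and not Barracuda software. The site names, VPNR addresses, networks, and metrics are the ones the page uses; the behaviour that a route's metric jumps to 65556 when its gateway becomes unreachable is taken from the page. The hop-by-hop trace, the loop detection, and the two-tunnels-down scenario are assumptions added here to show how far a purely route-metric fallback carries.

```python
import ipaddress
from dataclasses import dataclass

# Metric the firewall assigns to a gateway route whose next hop is unreachable (from the page).
UNREACHABLE_METRIC = 65556

# Constructed sample topology using the addresses from the page:
# each location's VPNR (VPN next hop interface) address and its local network.
SITES = {
    "Location 1": {"vpnr": "192.168.20.1", "lan": "10.0.15.0/24"},
    "Location 2": {"vpnr": "192.168.20.2", "lan": "10.0.51.0/24"},
    "Location 3": {"vpnr": "192.168.20.3", "lan": "10.0.60.0/24"},
}
VPNR_OWNER = {v["vpnr"]: name for name, v in SITES.items()}


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str      # VPNR address of the next-hop firewall
    metric: int


def build_routes(site):
    """Gateway routes for one firewall as the page configures them: a direct route
    (metric 10) to each remote LAN via that location's VPNR address, and a backup
    route (metric 20) to the same LAN via the remaining location's VPNR address."""
    routes = []
    remote = [s for s in SITES if s != site]
    for dst in remote:
        transit = next(s for s in remote if s != dst)
        net = ipaddress.ip_network(SITES[dst]["lan"])
        routes.append(Route(net, SITES[dst]["vpnr"], 10))
        routes.append(Route(net, SITES[transit]["vpnr"], 20))
    return routes


TABLES = {site: build_routes(site) for site in SITES}


def tunnel(a, b):
    """A TINA tunnel between two sites, direction-independent."""
    return frozenset((a, b))


def effective_metric(site, route, down_tunnels):
    """The gateway is unreachable when the tunnel between this site and the gateway's
    owner is down; the firewall then raises the metric to 65556 (assumed: only the
    directly attached tunnel is checked, exactly as the page describes)."""
    peer = VPNR_OWNER[route.gateway]
    if tunnel(site, peer) in down_tunnels:
        return UNREACHABLE_METRIC
    return route.metric


def select_route(site, dst_ip, down_tunnels):
    """Longest prefix match first, lowest effective metric second."""
    candidates = [r for r in TABLES[site] if dst_ip in r.network]
    if not candidates:
        return None
    return min(candidates,
               key=lambda r: (-r.network.prefixlen, effective_metric(site, r, down_tunnels)))


def trace(src_site, dst, down_tunnels=frozenset(), max_hops=6):
    """Follow a packet firewall by firewall. Returns (status, path) with status
    'delivered', 'no-route' or 'loop'."""
    dst_ip = ipaddress.ip_address(dst)
    path = [src_site]
    site = src_site
    for _ in range(max_hops):
        if dst_ip in ipaddress.ip_network(SITES[site]["lan"]):
            return "delivered", path
        route = select_route(site, dst_ip, down_tunnels)
        if route is None:
            return "no-route", path
        site = VPNR_OWNER[route.gateway]
        if site in path:
            return "loop", path + [site]
        path.append(site)
    return "loop", path


if __name__ == "__main__":
    scenarios = (frozenset(),
                 {tunnel("Location 1", "Location 3")},
                 {tunnel("Location 1", "Location 3"), tunnel("Location 2", "Location 3")})
    for down in scenarios:
        print("tunnels down:", sorted(sorted(t) for t in down) or "none")
        print("  Location 1 -> 10.0.60.10:", trace("Location 1", "10.0.60.10", down))
        print("  Location 3 -> 10.0.15.10:", trace("Location 3", "10.0.15.10", down))
```

With all tunnels up the trace from Location 1 to 10.0.60.10 goes straight to Location 3. With the Location 1 to Location 3 tunnel down, both directions are relayed through Location 2, which confirms that the backup routes on all three firewalls agree with each other. With both tunnels to Location 3 down, the trace reports a loop between Location 1 and Location 2: each still has a reachable backup gateway pointing at the other, because the metric only reflects whether the directly attached tunnel is up, not whether the relaying firewall can reach the destination itself.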

Monitoring

The VPNR gateways are now monitored like the gateways of all other gateway routes. When a tunnel goes down, the VPNR interface IP address of the remote firewall is no longer reachable, and the metric of that gateway route is automatically raised to 65556. Traffic then uses the backup route, which now has the lower metric, to reach the destination through the other VPN tunnel. Keep in mind that the firewall relaying the traffic during a failover (Location 2 when the tunnel between Location 1 and Location 3 is down) forwards it from one VPN tunnel into another, so its forwarding rule set must allow the traffic between the two remote networks. Go to CONTROL > Network to see the routing table.

routed_VPN_08.png

Go to FIREWALL > Live to see which VPN tunnel is used.

routed_VPN_09.png

Go to VPN > Status to see if the VPN tunnels are up.

routed_VPN_10.png