It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda CloudGen Firewall

This Firmware Version Is End-Of-Support

Documentation for this product is no longer updated. Please see End-of-Support for CloudGen Firewall Firmware for further information on our EoS policy.

Half-Side VPN Tunnel Setup

  • Last updated on

In a half-side transparent tunnel, only a local network is granted access to a partner network; the partner network cannot access the local network. The internal IP structure of the local network is hidden from the partner network. In such a setup, it is crucial that you correctly configure the firewall rules that handle traffic in the VPN tunnel.

The following figure illustrates such a VPN tunnel setup where the network for VPN server 1 is hidden from the network for VPN server 2. In the example setup, only one IP address (10.0.35.32) is explicitly directed into the tunnel.

stealth_tunnel.png

VPN Server 1 Settings

TabSettingValueComment
Basic

 

Transport

UDP&TCP (or whatever is needed)

-

Encryption

AES (or whatever is needed)

May be unencrypted for intranet connections only aiming at routing assistance.

AdvancedTunnel Timeout 
  • For intranet: 10
  • For Internet-like connections: 30
-
Local NetworksCall DirectionActive or PassiveConverse to the partner’s configuration.
LocalIP Address or Interface Used for Tunnel Address10.0.35.32Only this IP address is directed into the tunnel.
Remote Networks

Remote Network

10.0.21.0/24-
RemoteRemote Peer IP Addresses

192.168.3.101

-

Firewall Rule for VPN Server 1

When creating a Pass access rule for VPN server 1 to redirect traffic into the tunnel, explicitly specify the Connection Type as Explicit: 10.0.35.32.

VPN Server 2 Settings

TabSettingValueComment

Basic

Encryption

Same value as on the local side

-

AdvancedTunnel Timeout 
  • For intranet: 10
  • For Internet-like connections: 30
-
Local NetworksCall DirectionActive or PassiveConverse to the partner’s configuration.
Network Address10.0.21.0/24-
LocalIP Address or Interface Used for Tunnel AddressDynamic (via routing)Only one IP address is assumed on the outside interface.
Remote Networks

Remote Network

10.0.35.32-
RemoteRemote Peer IP Addresses

192.168.3.1

-

Firewall Rule for VPN Server 2

Because the tunnel terminates at a point located previous to the firewall engine, create a Pass access rule that allows the 10.0.35.32 IP address into the local network.

Further Remarks

The proxy address may be chosen without restrictions. Half-side transparent tunneling is suitable as an alternative to personal VPN access. The local network IP address is then derived from the personal VPN networks. Stealth mode tunnels may as well be operated without personal access configuration. Because the tunnels are not fully transparent, there is no need to set up network routes, proxy ARPs, etc.

Optionally, a local IP address (e.g. 10.0.21.156) may be defined as the tunnel endpoint. In this case, the VPN server must request traffic being directed to this address. You can either introduce this IP address as a personal access network or create a standalone proxy ARP for it.