Barracuda CloudGen Firewall

This Firmware Version Is End-Of-Support

Documentation for this product is no longer updated. Please see End-of-Support for CloudGen Firewall Firmware for further information on our EoS policy.

How to Configure a Routed VPN Network

In cases where SD-WAN cannot handle the failover scenarios in your VPN network, use a routed VPN network. A routed VPN network uses the IP addresses assigned to the VPNR interface of the VPN tunnels as next-hop gateways, so the routing table and the metrics assigned to the routes determine which tunnel is used. When a VPN tunnel goes down, the gateway IP address on the other side of the tunnel is no longer reachable, and the route metric of the failing route is automatically increased to 65556. The backup route, which now has the lower metric, matches instead and redirects the traffic over the failover tunnel to its destination. As soon as the VPN tunnel is back up, the original route becomes available again, and traffic is sent through the direct VPN tunnel.

vpn_routing_overview.png

Before You Begin

  • A free subnet (e.g., 192.168.20.0/24) for the intermediary network is needed.

Step 1. Add a VPN Next Hop Interface to Each Firewall

Add a VPN next hop interface using a /24 subnet (e.g., 192.168.20.0/24). Use the same VPNR index for each firewall.

  1. Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > VPN-Service > VPN Settings.
  2. Click Lock.
  3. In the left menu, select Routed VPN.
  4. Next to the Next Hop Interface Configuration table, click Add.
  5. In the VPN Interface Properties window, configure the following settings, and then click OK.
    1. In the VPN Interface Index field, enter a number between 0 and 999. E.g., 20
    2. In the IP Addresses field, enter a free IP address for the VPN interface IP address, including the subnet. E.g., 192.168.20.1/24
      routed_VPN_01.png
      The interface is now listed in the Next Hop Interface Configuration table.
      routed_VPN_02.png
  6. Click Send Changes and Activate.

Repeat for each firewall in the VPN network. If possible, use the same VPNR interface index on each firewall.

Step 2. Add the VPN Next Hop Interface IP Address to the Shared Networks and IP Addresses for Each Firewall

Add the IP address of the VPN next hop interface to the shared networks and IP addresses on each firewall.

  1. Go to CONFIGURATION > Configuration Tree > Box > Network.
  2. In the left menu, select IP Configuration.
  3. Click Lock.
  4. In the Shared Networks and IPs table, click + to add the IP address of the VPNR interface.
    shared.png
  5. Remove all entries from the GTI Networks table.
  6. Click Send Changes and Activate.

Repeat for each firewall in the VPN network.

Step 3. Configure the Site-to-Site VPN Tunnel between the Firewalls

You can configure VPN tunnels connecting the firewalls using the GTI Editor for managed CloudGen Firewalls, or using the site-to-site configuration dialog if you are using stand-alone CloudGen Firewalls. This procedure works for TINA, IPsec IKEv1, and IPsec IKEv2.

In the GTI Editor

Remove the local and remote networks and add the VPN next hop interface ID to the VPN tunnels.

  1. Go to the global/range/cluster GTI Editor.
  2. Click Lock.
  3. Click on the VPN tunnel, and click on the first transport to edit the VPN tunnel configuration. For more information, see How to Create a VPN Tunnel with the VPN GTI Editor.
    routed_VPN_GTI_00.png
  4. Verify that the Local Networks for the remote and local VPN services are empty. If not, go back to Step 2 and remove the entries from the Server/GTI Networks table in the Server Properties.
  5. Enter the VPN next hop interface ID for the remote and local VPN services. E.g., 20
    The following example shows the configuration for a TINA tunnel:
    routed_VPN_GTI_01.png
  6. Click OK.
  7. Click Send Changes and Activate.

Stand-Alone CloudGen Firewalls

Configure a VPN tunnel using the VPN next hop interface between all firewalls.

  1. Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > VPN-Service > Site to Site.
  2. Create a new TINA or IPsec VPN tunnel.
  3. Click Lock.
  4. Configure the Transport, Encryption and Authentication settings as well as the Local and Remote public IP addresses. For more information, see How to Create a TINA VPN Tunnel between CloudGen Firewalls, How to Configure a Site-to-Site IPsec IKEv1 VPN Tunnel, or How to Configure a Site-to-Site IPsec IKEv2 VPN Tunnel.
  5. Leave the Local and Remote Network empty.
  6. In the Remote Networks tab, enter the VPN Interface Index number that you created in the VPN Interface Configuration in Step 1. E.g., 20
    The following example shows the configuration for a TINA tunnel:
    routed_VPN_04.png
  7. Click OK.
  8. Click Send Changes and Activate.

Repeat this step until all three firewalls are connected via a Site-to-Site VPN tunnel with each other.

Step 4. Configure Gateway Routes for the Location 1 Firewall

Create the following primary and backup gateway routes on the Location 1 firewall. For more information, see How to Configure Gateway Routes.

  1. Log into the Location 1 firewall.
  2. Create a gateway route to Location 3:
    • Target Network Address – Enter the Location 3 network in CIDR format: 10.0.60.0/24
    • Route Type – Select gateway.
    • Gateway – Enter the IP address assigned to the VPNR interface of the Location 3 firewall: 192.168.20.3
    • Metric – Enter 10.
  3. Create a gateway route to Location 2:
    • Target Network Address – Enter the Location 2 network in CIDR format: 10.0.51.0/24
    • Route Type – Select gateway.
    • Gateway – Enter the IP address assigned to the VPNR interface of the Location 2 firewall: 192.168.20.2
    • Metric – Enter 10.
  4. Create a backup gateway route to Location 3 via Location 2:
    • Target Network Address – Enter the Location 3 network in CIDR format: 10.0.60.0/24
    • Route Type – Select gateway.
    • Gateway – Enter the IP address assigned to the VPNR interface of the Location 2 firewall: 192.168.20.2
    • Metric – Enter 20.
  5. Create a backup gateway route to Location 2 via Location 3:
    • Target Network Address – Enter the Location 2 network in CIDR format: 10.0.51.0/24
    • Route Type – Select gateway.
    • Gateway – Enter the IP address assigned to the VPNR interface of the Location 3 firewall: 192.168.20.3
    • Metric – Enter 20.
  6. Activate the network configuration on the Location 1 firewall. For more information, see How to Activate Network Changes.

The Location 1 routing table now includes all gateway routes to reach the remote networks with failover routes in case the VPN tunnel goes down.

routed_VPN_05.png

Step 5. Configure Gateway Routes for the Location 2 Firewall

Create the following primary and backup gateway routes on the Location 2 firewall. For more information, see How to Configure Gateway Routes.

  1. Log into the Location 2 firewall.
  2. Create a gateway route to Location 3:
    • Target Network Address – Enter the Location 3 network in CIDR format: 10.0.60.0/24
    • Route Type – Select gateway.
    • Gateway – Enter the IP address assigned to the VPNR interface of the Location 3 firewall: 192.168.20.3
    • Metric – Enter 10.
  3. Create a gateway route to Location 1:
    • Target Network Address – Enter the Location 1 network in CIDR format: 10.0.15.0/24
    • Route Type – Select gateway.
    • Gateway – Enter the IP address assigned to the VPNR interface of the Location 1 firewall: 192.168.20.1
    • Metric – Enter 10.
  4. Create a backup gateway route to Location 3 via Location 1:
    • Target Network Address – Enter the Location 3 network in CIDR format: 10.0.60.0/24
    • Route Type – Select gateway.
    • Gateway – Enter the IP address assigned to the VPNR interface of the Location 1 firewall: 192.168.20.1
    • Metric – Enter 20.
  5. Create a backup gateway route to Location 1 via Location 3:
    • Target Network Address – Enter the Location 1 network in CIDR format: 10.0.15.0/24
    • Route Type – Select gateway.
    • Gateway – Enter the IP address assigned to the VPNR interface of the Location 3 firewall: 192.168.20.3
    • Metric – Enter 20.
  6. Activate the network configuration on the Location 2 firewall. For more information, see How to Activate Network Changes.

The Location 2 routing table now includes all gateway routes to reach the remote networks with failover routes in case the VPN tunnel goes down.

routed_VPN_06.png

Step 6. Configure Gateway Routes for the Location 3 Firewall

Create the following primary and backup gateway routes on the Location 3 firewall. For more information, see How to Configure Gateway Routes.

  1. Log into the Location 3 firewall.
  2. Create a gateway route to Location 1:
    • Target Network Address – Enter the Location 1 network in CIDR format: 10.0.15.0/24
    • Route Type – Select gateway.
    • Gateway – Enter the IP address assigned to the VPNR interface of the Location 1 firewall: 192.168.20.1
    • Metric – Enter 10.
  3. Create a gateway route to Location 2:
    • Target Network Address – Enter the Location 2 network in CIDR format: 10.0.51.0/24
    • Route Type – Select gateway.
    • Gateway – Enter the IP address assigned to the VPNR interface of the Location 2 firewall: 192.168.20.2
    • Metric – Enter 10.
  4. Create a backup gateway route to Location 1 via Location 2:
    • Target Network Address – Enter the Location 1 network in CIDR format: 10.0.15.0/24
    • Route Type – Select gateway.
    • Gateway – Enter the IP address assigned to the VPNR interface of the Location 2 firewall: 192.168.20.2
    • Metric – Enter 20.
  5. Create a backup gateway route to Location 2 via Location 1:
    • Target Network Address – Enter the Location 2 network in CIDR format: 10.0.51.0/24
    • Route Type – Select gateway.
    • Gateway – Enter the IP address assigned to the VPNR interface of the Location 1 firewall: 192.168.20.1
    • Metric – Enter 20.
  6. Activate the network configuration on the Location 3 firewall. For more information, see How to Activate Network Changes.

The Location 3 routing table now includes all gateway routes to reach the remote networks with failover routes in case the VPN tunnel goes down.

routed_VPN_07.png
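To make the route plans of Steps 4 to 6 and the metric-based failover they rely on concrete, here is a small Python model added for this page. It is not Barracuda code and does not talk to a firewall; it assumes the three-location layout and uses the page's example values (VPNR subnet 192.168.20.0/24, networks 10.0.15.0/24, 10.0.51.0/24 and 10.0.60.0/24, metrics 10 and 20, unreachable metric 65556). The function names build_routes, effective_metric, select_route and check_routes are this example's own, and the plausibility checks in check_routes are an editor's suggestion, not a firewall feature.

```python
import ipaddress

# Added model of the routed-VPN failover described on this page; not Barracuda code.
# Example values are the page's own; the three-location labels are assumed.
UNREACHABLE_METRIC = 65556  # metric the firewall assigns once the gateway is unreachable

VPNR_NET = ipaddress.ip_network("192.168.20.0/24")  # intermediary VPNR subnet (Step 1)
VPNR_IP = {1: "192.168.20.1", 2: "192.168.20.2", 3: "192.168.20.3"}
LOCAL_NET = {1: "10.0.15.0/24", 2: "10.0.51.0/24", 3: "10.0.60.0/24"}


def build_routes(location):
    """Gateway routes one firewall needs (Steps 4-6): a primary route (metric 10)
    straight to each remote location's VPNR IP, plus a backup route (metric 20)
    for the same network via the third location's VPNR IP."""
    others = [loc for loc in VPNR_IP if loc != location]
    routes = []
    for dst in others:
        via = next(o for o in others if o != dst)
        routes.append({"target": LOCAL_NET[dst], "gateway": VPNR_IP[dst], "metric": 10})
        routes.append({"target": LOCAL_NET[dst], "gateway": VPNR_IP[via], "metric": 20})
    return routes


def effective_metric(route, down_gateways):
    """Metric as the monitoring logic shows it: unchanged while the gateway answers,
    raised to 65556 once the VPNR IP behind a failed tunnel stops answering."""
    return UNREACHABLE_METRIC if route["gateway"] in down_gateways else route["metric"]


def select_route(routes, dst_ip, down_gateways=frozenset()):
    """Pick the route for dst_ip: longest prefix first, then lowest effective metric."""
    addr = ipaddress.ip_address(dst_ip)
    candidates = [r for r in routes if addr in ipaddress.ip_network(r["target"])]
    if not candidates:
        return None
    return min(
        candidates,
        key=lambda r: (-ipaddress.ip_network(r["target"]).prefixlen,
                       effective_metric(r, down_gateways)),
    )


def check_routes(location, routes):
    """Plausibility checks on a firewall's route plan before activating it (this
    example's own checks, not a firewall feature). Returns a list of problems."""
    problems = []
    for r in routes:
        gw = ipaddress.ip_address(r["gateway"])
        if gw not in VPNR_NET:
            problems.append(f"gateway {gw} is not in the VPNR subnet {VPNR_NET}")
        if str(gw) == VPNR_IP[location]:
            problems.append(f"gateway {gw} is this firewall's own VPNR address")
        if r["target"] == LOCAL_NET[location]:
            problems.append(f"route to {r['target']}, which is this firewall's own network")
    for dst, net in LOCAL_NET.items():
        if dst == location:
            continue
        metrics = sorted(r["metric"] for r in routes if r["target"] == net)
        if metrics != [10, 20]:
            problems.append(f"{net} needs one primary (10) and one backup (20) route, got {metrics}")
    return problems


if __name__ == "__main__":
    loc1 = build_routes(1)
    print("Location 1 plan problems:", check_routes(1, loc1))
    print("Normal:", select_route(loc1, "10.0.60.5"))
    print("Tunnel to Location 3 down:", select_route(loc1, "10.0.60.5", {"192.168.20.3"}))
```

Running it shows the direct route to Location 3 being used, then the backup route via Location 2 winning once the gateway behind the failed tunnel is counted as unreachable and its metric jumps to 65556. check_routes flags the typical slips when the gateway-route step is repeated per location: a target that is the firewall's own network, a gateway outside the VPNR subnet or equal to the firewall's own VPNR address, and a remote network missing its primary or backup route.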

Monitoring

The VPN tunnels are now monitored like all other gateway routes. When a tunnel goes down, the VPNR interface IP address of the remote firewall is no longer reachable, and the gateway route metric is automatically increased to 65556. Traffic then uses the backup route, which now has the lower metric, to reach the destination through the other VPN tunnel. Go to CONTROL > Network to see the routing table.

routed_VPN_08.png

Go to FIREWALL > Live to see which VPN tunnel is used.

routed_VPN_09.png

Go to VPN > Status to see if the VPN tunnels are up.

routed_VPN_10.png