Barracuda CloudGen Firewall

Attention

Barracuda CloudGen Firewall version 8.0 is a cloud-only version. It is currently not available for on-premises deployments and can only be deployed in Microsoft Azure, Amazon Web Services, or Google Cloud Platform public clouds.

Half-Side VPN Tunnel Setup


In a half-side transparent tunnel, only a local network is granted access to a partner network; the partner network cannot access the local network. The internal IP structure of the local network is hidden from the partner network. In such a setup, it is crucial that you correctly configure the firewall rules that handle traffic in the VPN tunnel.

The following figure illustrates such a VPN tunnel setup where the network for VPN server 1 is hidden from the network for VPN server 2. In the example setup, only one IP address (10.0.35.32) is explicitly directed into the tunnel.

[Figure: stealth_tunnel.png – half-side tunnel between VPN server 1 (network hidden) and VPN server 2]

VPN Server 1 Settings

Tab             | Setting                                              | Value                                                      | Comment
----------------|------------------------------------------------------|------------------------------------------------------------|---------------------------------------------------------------------------
Basic           | Transport                                            | UDP&TCP (or whatever is needed)                            | -
Basic           | Encryption                                           | AES (or whatever is needed)                                | May be unencrypted for intranet connections only aiming at routing assistance.
Advanced        | Tunnel Timeout                                       | For intranet: 10; for Internet-like connections: 30        | -
Local Networks  | Call Direction                                       | Active or Passive                                          | Converse to the partner’s configuration.
Local Networks  | Local IP Address or Interface Used for Tunnel Address | 10.0.35.32                                                 | Only this IP address is directed into the tunnel.
Remote Networks | Remote Network                                       | 10.0.21.0/24                                               | -
Remote          | Remote Peer IP Addresses                             | 192.168.3.101                                              | -

Firewall Rule for VPN Server 1

When creating a Pass access rule for VPN server 1 to redirect traffic into the tunnel, explicitly specify the Connection Type as Explicit: 10.0.35.32.

VPN Server 2 Settings

Tab             | Setting                                              | Value                                                      | Comment
----------------|------------------------------------------------------|------------------------------------------------------------|---------------------------------------------------------------------------
Basic           | Encryption                                           | Same value as on the local side                            | -
Advanced        | Tunnel Timeout                                       | For intranet: 10; for Internet-like connections: 30        | -
Local Networks  | Call Direction                                       | Active or Passive                                          | Converse to the partner’s configuration.
Local Networks  | Network Address                                      | 10.0.21.0/24                                               | -
Local Networks  | Local IP Address or Interface Used for Tunnel Address | Dynamic (via routing)                                      | Only one IP address is assumed on the outside interface.
Remote Networks | Remote Network                                       | 10.0.35.32                                                 | -
Remote          | Remote Peer IP Addresses                             | 192.168.3.1                                                | -

Firewall Rule for VPN Server 2

Because the tunnel terminates at a point located before the firewall engine, create a Pass access rule that allows the 10.0.35.32 IP address into the local network.
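As an added illustration (not part of Barracuda's documentation or product), the following Python script models the two settings tables above and checks the property a half-side tunnel is meant to provide: the traffic selectors of both servers mirror each other, and from the partner network only the proxy address 10.0.35.32 is reachable through the tunnel. The host addresses 10.0.21.10, 10.0.21.50 and 10.0.35.10 are constructed sample values.

```python
"""Model of the half-side (stealth) tunnel described on this page.
Added example, not Barracuda code: it encodes the Local/Remote Networks
selectors of both VPN servers and checks that the partner side can only
reach the single proxy address, so the rest of the local network stays hidden."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class TunnelSide:
    name: str
    local_nets: tuple   # "Local Networks" tab of this VPN server
    remote_nets: tuple  # "Remote Networks" tab of this VPN server


def _nets(*cidrs):
    return tuple(ipaddress.ip_network(c) for c in cidrs)


# Values taken from the two settings tables on this page.
SERVER1 = TunnelSide("VPN server 1", _nets("10.0.35.32/32"), _nets("10.0.21.0/24"))
SERVER2 = TunnelSide("VPN server 2", _nets("10.0.21.0/24"), _nets("10.0.35.32/32"))


def _in(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def enters_tunnel(side, src, dst):
    """A side directs a packet into the tunnel only when the source lies in its
    local networks and the destination in its remote networks."""
    return _in(src, side.local_nets) and _in(dst, side.remote_nets)


def selectors_mirror(a, b):
    """Each side's local networks must equal the partner's remote networks."""
    return set(a.local_nets) == set(b.remote_nets) and set(b.local_nets) == set(a.remote_nets)


def partner_can_reach(dst, partner_host="10.0.21.10"):
    """Can a (constructed) host in the partner network 10.0.21.0/24 send traffic
    through the tunnel to `dst`? Only the proxy address 10.0.35.32 should qualify."""
    return enters_tunnel(SERVER2, partner_host, dst)


if __name__ == "__main__":
    print("selectors mirror:", selectors_mirror(SERVER1, SERVER2))
    print("10.0.35.32 -> 10.0.21.50 tunnelled:", enters_tunnel(SERVER1, "10.0.35.32", "10.0.21.50"))
    print("10.0.35.10 -> 10.0.21.50 tunnelled:", enters_tunnel(SERVER1, "10.0.35.10", "10.0.21.50"))
    print("partner reaches proxy 10.0.35.32:", partner_can_reach("10.0.35.32"))
    print("partner reaches hidden 10.0.35.10:", partner_can_reach("10.0.35.10"))
```

If `selectors_mirror` returns False, the tables on the two servers were not entered as converse images of each other, which is the most common cause of traffic silently bypassing the tunnel.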

Further Remarks

The proxy address may be chosen without restrictions. Half-side transparent tunneling is suitable as an alternative to personal VPN access; the local network IP address is then derived from the personal VPN networks. Stealth mode tunnels may also be operated without a personal access configuration. Because the tunnels are not fully transparent, there is no need to set up network routes, proxy ARPs, etc.

Optionally, a local IP address (e.g., 10.0.21.156) may be defined as the tunnel endpoint. In this case, the VPN server must request that traffic destined for this address be directed to it. You can either introduce this IP address as a personal access network or create a standalone proxy ARP for it.
