Barracuda CloudGen Firewall

This Firmware Version Is End-Of-Support

Documentation for this product is no longer updated. Please see End-of-Support for CloudGen Firewall Firmware for further information on our EoS policy.

How to Create a VPN Tunnel with the VPN GTI Editor

VPN services on the Control Center are organized in VPN groups. Create VPN tunnels via drag and drop between two VPN services. To configure an IPv6 VPN tunnel, both VPN services must support IPv6.

Before You Begin

  • To use the GTI Editor on the range or cluster level, enable Own VPN GTI Editor in the range or cluster Property Settings.
  • Configure the GTI Settings for the VPN services on the managed CloudGen Firewalls. For more information, see How to Configure VPN GTI Settings for a VPN Service.
  • To use Dyn Mesh, go to the VPN Settings and verify that Disable Dyn Mesh is set to no for each VPN service.

Step 1. Create a VPN Group

VPN Groups contain the default setting for all VPN tunnels in the group and the list of VPN services used to create the tunnels. 

  1. Go to CONFIGURATION > Configuration Tree > Multi-Range > Global Settings > VPN GTI Editor.
  2. Click Lock.
  3. Click + to add a new VPN Group.
    gti_groups01.png
  4. Enter the Name.
  5. Click OK. The Group window opens.
  6. Edit the default TINA settings.
  7. Configure the following optional settings:
    • Transport – This setting defines the transport protocol to be used and offers the following options:
      • UDP – Tunnel uses UDP port 691 to communicate. This connection type is best suited for response-optimized tunnels.

      • TCP – Tunnel uses TCP connection on port 691 or 443 (for HTTP proxies). This mode is required for connection over SOCKS4 or HTTP proxies.

      • UDP & TCP – Tunnel uses TCP and UDP connections. The tunnel engine uses the TCP connection for UDP requests and the UDP connection for TCP requests and ICMP-based applications.

      • ESP – Tunnel uses ESP (IP protocol 50) to communicate. This connection type is best suited for performance-optimized tunnels.

        Do not use ESP if there are filtering or NAT interfaces in between.

      • Routing – This transport type is only of interest in combination with SD-WAN configuration. Specifying routing as transport disables data payload encryption within the tunnel. This transport should only be used for uncritical bulk traffic. Transport type Routing activates the parameter Routing Next-Hop in the tunnel configuration dialog, where the next-hop address for routed data packets must be specified. To enter a routing next-hop address when the Direction is Passive, follow these steps: 

        1. Select Direction: Active

        2. Select Transport: Routing

        3. Enter the Routing Next-Hop address.

        4. Select Direction: Passive

    • Encryption – Select the encryption mode required for the tunnel.
    • Authentication – Select the authentication method.
    • Dynamic Mesh – Set to yes to allow the VPN services to create on-demand IPv4 VPN tunnels. For more information, see How to Configure a Dynamic Mesh VPN with the GTI Editor.
    • Dynamic Mesh Timeout – Enter the number of seconds before a dynamic tunnel is shut down.
    • SD-WAN Bandwidth Protection – Set to use advanced SD-WAN features such as Performance Based Transport Selection or Adaptive Bandwidth Protection. For more information, see SD-WAN.
    • WANOpt Policy – If you want to use WAN Optimization, select one of the policies from the drop-down list.
    • Default IP Version – Select the default IP version used when creating the VPN tunnels or adding transports. To use IPv6, both VPN services must support IPv6 VPN.
    • Hide in Barracuda Earth – Set to yes to not display these tunnels in Barracuda Earth. This also disables the tunnel icon on the Control Center status page.
    • Meshed – Set to yes to automatically create a static fully meshed VPN network.
    • Hub for this Group – If you already added VPN services to the Group, select the VPN hub.
    • Service Placement – Select Classic circular to automatically arrange all VPN services in a circular pattern. If one service is selected as the VPN hub, it is placed in the center of the circle. Select User to arrange the VPN services manually.
  8. (optional) Click Edit IPSec and edit the default IPsec settings.
  9. Click OK.
  10. Click Send Changes and Activate.

The VPN group is now listed in the Groups tab.

gti_groups02.png

Step 2. Add VPN Services to the VPN Group

Add the VPN services to the VPN group. If you are using the GTI editor on the range or cluster level, only add VPN services from the range or cluster you are in to the VPN group.

  1. Go to CONFIGURATION > Configuration Tree > Multi-Range > Global Settings > VPN GTI Editor.
  2. Click Lock.
  3. In the Groups tab, click the VPN group. The VPN group name is displayed in the top status bar of the GTI map.
    gti_add_VPN01.png
  4. Click on the Services tab.
  5. To display the available VPN services, click Other on the top right.
    gti_add_VPN01a.png
  6. For each VPN service you want to add to the VPN group:
    1. Right-click the VPN service.
      gti_add_VPN01b.png
    2. Click Add to current Group. The VPN service is added to the map area below. 
      gti_add_VPN02.png
  7. Click Send Changes and Activate.

Step 3. Create a VPN Tunnel

Create VPN tunnels by dragging and dropping connections from one VPN service to the other. By default, the VPN service you start from is the active unit and the destination is the passive unit. This can be changed in the tunnel configuration settings.

  1. Go to CONFIGURATION > Configuration Tree > Multi-Range > Global Settings > VPN GTI Editor.
  2. Click Lock.
  3. In the Groups tab, click the VPN group. The VPN group name is displayed in the top status bar of the GTI map.
  4. Click the Server tab. The icons of the VPN services in the VPN group are displayed in the GTI map area.
    gti_map_01.png
  5. Create a VPN tunnel by drag and drop from the active VPN service to the passive VPN service. A line is displayed between the VPN services.
  6. Click on the connection between the two VPN services and click on the transport you want to edit. Per default TINA VPN tunnels are created with one transport. 
    gti_map_02.png
  7. You can now modify the VPN tunnel as needed:
    • IP Version – Select IPv4 or IPv6. To use IPv6, both VPN services must support it.
    • Direction – You can create VPN tunnels using the following modes: active-active, active-passive, or on-demand.
    • Transport Source IP/Interface – If needed you can modify the transport source IP.
    • Transport Listening IP/Interface – If needed you can modify the transport listening IP. 
    • Local Network – If needed modify the networks that are available through this VPN tunnel. 
  8. Click Send Changes and Activate.
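The constraints this article places on group and tunnel settings (IPv6 only when both services support it, TCP when a SOCKS4/HTTP proxy is on the path, no ESP across filtering or NAT interfaces, Routing transport disabling payload encryption and requiring a next hop, Dynamic Mesh needing Disable Dyn Mesh set to no on every service) can be run as a pre-flight check before activating a tunnel. The following is an added example, not Barracuda's code; the field names and the HQ/BO1 sample services are assumptions made for the example.

```python
# Added example (not Barracuda code): lint a planned GTI tunnel against the
# constraints stated in the article. Field names are assumptions.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class VpnService:
    name: str
    supports_ipv6: bool
    disable_dyn_mesh: bool = False   # VPN Settings > Disable Dyn Mesh


@dataclass
class Tunnel:
    active: VpnService
    passive: VpnService
    transport: str                   # UDP, TCP, UDP & TCP, ESP, Routing
    ip_version: int = 4
    via_proxy: bool = False          # SOCKS4/HTTP proxy on the path
    nat_on_path: bool = False        # filtering or NAT interface in between
    routing_next_hop: Optional[str] = None
    bulk_only: bool = False          # traffic that may travel unencrypted


def lint_tunnel(t: Tunnel, dynamic_mesh: bool = False) -> List[str]:
    """Return findings; an empty list means the tunnel passes every check."""
    findings: List[str] = []
    if t.ip_version == 6 and not (t.active.supports_ipv6 and t.passive.supports_ipv6):
        findings.append("IPv6 selected but not both VPN services support IPv6")
    if t.via_proxy and t.transport != "TCP":
        findings.append("SOCKS4/HTTP proxy on the path requires transport TCP")
    if t.transport == "ESP" and t.nat_on_path:
        findings.append("ESP selected with a filtering/NAT interface in between")
    if t.transport == "Routing":
        if t.routing_next_hop is None:
            findings.append("Routing transport requires a Routing Next-Hop address")
        if not t.bulk_only:
            findings.append("Routing disables payload encryption; use only for uncritical bulk traffic")
    if dynamic_mesh:
        for svc in (t.active, t.passive):
            if svc.disable_dyn_mesh:
                findings.append(f"Dynamic Mesh is yes but Disable Dyn Mesh is set on {svc.name}")
    return findings


if __name__ == "__main__":
    # Constructed sample: HQ hub and a branch office without IPv6 support.
    hq = VpnService("HQ", supports_ipv6=True)
    bo1 = VpnService("BO1", supports_ipv6=False, disable_dyn_mesh=True)
    for finding in lint_tunnel(Tunnel(hq, bo1, "ESP", ip_version=6, nat_on_path=True), True):
        print("finding:", finding)
```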

You can view the collective state of all GTI VPN tunnels on the Status page of the Control Center.

gti_map_03.png

Step 4. Create Access Rules to Allow VPN Traffic

You must create access rules on both firewalls involved in the VPN tunnel to allow traffic in and out of the VPN tunnel.

Example access rule for a VPN tunnel from Branch Office 1 (BO1) to the Headquarters (HQ). The access rule must be added to the forwarding firewall on both BO1 and HQ:

  • Action – Select PASS.
  • Bi-Directional – Select the check box.
  • Source – Select the network object for the BO1 LAN.
  • Service – Select ALL.
  • Destination – Select the network object for the HQ LAN.
  • Connection Method – Select Original Source IP.

gti_fw_rule01.png

Next Steps