AutoVPN is a feature that is available only for CloudGen Firewalls in the cloud. The feature creates a session that automatically configures a TINA VPN tunnel between two CloudGen Firewalls and handles the traffic through it. Configuration must be initiated in two steps by an administrator on the command line. The first step is to initiate a server session on the first firewall that listens to incoming VPN connection requests from the second firewall. The second step is to connect from the second firewall to the first one by authenticating with a password that was previously generated on the first firewall.
|First Firewall||Second Firewall|
Before You Begin
- You must have root level access on the command line to both CloudGen Firewalls to initiate the configuration of an AutoVPN TINA tunnel.
- AutoVPN uses port 694. Ensure that this port is not used for any other purpose. For more information, see Best Practice - Core System Configuration Files and Ports Overview.
- You must preserve a 2-bit network (e.g., 192.168.255.252/30) within a private network common for both firewalls, e.g., 192.168.224.0/19.
Step 1. Create a Session on the First Firewall Initiating a Listener
The listener will wait for connection requests from a firewall in the network 184.108.40.206/24.
- Log into the first firewall (e.g., 220.127.116.11) as user root.
- On the command line, enter the following command to create a listener:
autovpn -l 18.104.22.168/24.
- AutoVPN will display an output to inform you that the listener is up and running:
Created new server session <sessionID>: peer(s) 22.214.171.124/24, valid for 24 hours.
- AutoVPN will also display a password generated for authentication of the second firewall:
Please use this password on the other side of AutoVPN connection: <password>.
- Double-click the password to copy the password to the clipboard.
Step 2. Create a Session on the Second Firewall to Connect to the First Firewall Waiting for Connection Requests
- Log into the second firewall (e.g., 126.96.36.199) as user root.
- On the command line, enter the following command to connect to the listener on the first firewall:
autovpn -c 188.8.131.52 -p <password>
To enter the password, right-click with your mouse at the cursor position.
- AutoVPN will display an output to inform you that the connection has been established successfully:
Created new client session <sessionID>: peer(s)
184.108.40.206, valid for 24 hours
Step 3. Activate Routing Between Local Cloud Networks
Activate the access rule CLOUD-NET-2-VPN-SITE. Repeat the following steps for both firewalls:
- Go to CONFIGURATION > Configuration Tree> Box > Virtual Server > your virtual server > Assigned Services > Firewall > Forwarding Rules.
- Click Lock.
- Right-click the access rule CLOUD-NET-2-VPN-SITE.
- Click Activate in the list.
- Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
- In the left menu, click Networks.
- In the list, double-click the network object VPN-Networks for modifying.
- Click + to add
IP 0.0.0.0/0with interface
vpnr694to the network object VPN-Networks.
- Click OK.
- Click Send Changes.
Step 4. Verify that the AutoVPN TINA Tunnel is Set Up Correctly on the First Firewall
Log into the first firewall. Verify that the VPN and dynamic routing services have been set up correctly and that the AutoVPN TINA tunnel is up:
- On your first firewall, go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services. Because no VPN service has been set up prior to this configuration, you will now see the new, automatically configured VPN service:
- Also, you can see the service node created for dynamic routing (RIP):
- Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > VPN > Site to Site. You will see that the VPN tunnel is up and running.
- Go to CONFIGURATION > Configuration Tree > Box > Network to verify that local cloud networks are propagated via the AutoVPN tunnel using RIP:
Step 5. (optional) Verify that the AutoVPN TINA Tunnel is Set Up Correctly on the Second Firewall
If you want to verify the state of the AutoVPN TINA tunnel, log into the second firewall and repeat all steps from Step 3 above. For the services, the output will be the same. However, the entries for the network will be different on the second firewall: