It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda CloudGen Firewall

Authentication, Encryption, Transport, IP Version and VPN Routing

  • Last updated on

VPN clients must authenticate themselves to the VPN server. A valid certificate is required for the client to verify the identity of the VPN server. To meet the security needs of your network, you can define username/password authentication and strict certificate requirements.

The Barracuda CloudGen Firewall supports multiple encryption algorithms for VPN connections. For TINA VPNs, multiple transport types are also available.

VPN Authentication Certificates

X.509 certificates are used by IPsec, L2TP/IPsec, and TINA (the Barracuda proprietary transport protocol). The certificates contain the following information:

  • Public key.
  • Some data signed by the private key for verification. 
  • Identity of the the CA.
  • Identity of the owner.
  • Key usage. Depending on what type of VPN and which clients you use, certain X.509 extensions might be required when creating the certificate.

For PPTP VPNs, external certificates are not needed because certificates are generated by the server at runtime.

Special settings might be required when creating the following types of certificates:

Certificate CA (PKI)

Use an external CA (PKI) for firewalls that are standalone.

Depending on the certificate, you must export it in one of the following formats after it is created and signed:

CertificateFile Format
Root CertificatePEM or CER
Server CertificatePKCS12, CER, or CRT
Service Certificate/KeyPEM
Client Certificate (if needed)PEM

Example Certificates for IPsec, L2TP, and iOS Clients

If you encounter any problems with your certificates, compare your settings to those of the example certificates. Especially verify the X509 Basic Constraints and X509v3 Key Usage settings.

Root Certificate

TabSettingValue
StatusSignature Algorithmsha1WithRSAEncryption
SubjectRFC 2253emailAddress=support@barracuda.com,OU=documentation,O=Barracuda Networks,L=Innsbruck,ST=Tirol,C=AT
Hash7b6d2374
ExtensionsX509v3 Basic ConstraintsCA:TRUE
X509v3 Key UsageDigital Signature, Key Agreement, Certificate Sign
Server Certificate
TabSettingValue
StatusSignature Algorithmsha1WithRSAEncryption
SubjectRFC 2253

emailAddress=support@barracuda.com,OU=docu,O=Barracuda Network AG,L=Innsbruck,ST=Tyrol,C=AT

Hashcc0460b5
IssuerRFC 2253

emailAddress=support@barracuda.com,OU=documentation,O=Barracuda Networks,L=Innsbruck,ST=Tirol,C=AT

Hash7b6d2374
ExtensionsX509v3 Key Usage

Digital Signature, Key Agreement, Certificate Sign

X509v3 Subject Alternative NameDNS:vpnserver.yourdomain.com
Client Certificate
TabSettingValues
StatusSignature Algorithmsha1WithRSAEncryption
SubjectRFC 2253

emailAddress=support@barracuda.com,OU=documentation,O=Barracuda Networks,L=Innsbruck,ST=Tyrol,C=AT

Hashc2b06d20
IssuerRFC 2253

emailAddress=support@barracuda.com,OU=documentation,O=Barracuda Networks,L=Innsbruck,ST=Tirol,C=AT

Hash7b6d2374
ExtensionsX509v3 Key Usage

Digital Signature

Supported Encryption Algorithms

The Barracuda CloudGen Firewall supports the following encryption algorithms for TINA, IPsec, and L2TP/IPsec VPN connections:

AlgorithmDescription
AES256Advanced Encryption Standard with 256-bit encryption.
AESAdvanced Encryption Standard with 128-bit encryption. AES is often chosen because it provides a good performance and security ratio.
3DESTriple DES. This algorithm is considered most secure but results in high system loads and lower VPN performance.
BlowfishA keyed, symmetric block cipher developed to replace DES.
CASTA 128-bit block cipher.
DES

Digital Encryption Standard. DES is the only export restricted algorithm available.

DES is not recommended because it is considered unsafe.

NULLNo encryption.

TINA Transport Protocols

For TINA VPNs, the following transport types are available:

Transport ProtocolDescription
UDPStateless protocol that is best used for response-optimized tunnels. UDP is not recommended for unstable Internet connections.
TCPStateful protocol that is used if the tunnel runs over a proxy server. Higher protocol overhead limits the response time. TCP is preferred for unstable Internet connections.
UDP & TCPHybrid mode that creates two transport tunnels. To compensate for the weakness of both protocols, UDP is used for TCP connections, and TCP is used for stateless connections.
ESPThe tunnel uses ESP (IP protocol 50). ESP is best for performance-optimized tunnels, but it does not work if NAT routers must be traversed.

IPv6 Support

s_to_s_ipv6_tina-01.png

The VPN service supports IPv6 for the VPN envelope. This means that the site-to-site and client-to-site VPN tunnels can be created between two IPv6 endpoints, but only IPv4 traffic can be sent through the tunnel. IPv6 is not supported for:

  • Dynamic Mesh
  • L2TP
  • PPTP
  • SSL VPN

VPN Routing Tables

You can configure how the VPN routes are introduced into the firewall's routing table.

  • Separate Routing Table – By default, the CloudGen Firewall uses source-based routing and creates separate premain routing tables for every VPN tunnel.
  • Single Routing Table – All VPN routes are inserted into the main routing table. VPN routes are inserted with a preference of 10.
Handling of Duplicate Routes
  • When a duplicate route to an existing VPN route in the main routing table is announced to the CloudGen Firewall via RIP, OSPF, or BGP, a duplicate routing entry is created and the route that was added last is used.
  • Creating a direct or gateway route with the same metric and destination as a VPN route in the main routing table results in duplicate routes. The route added last is used.

In case you are – as most users do - using policy-based routing and want to switch to main table routing, you must be aware that in some rare cases, traffic from the same source subnet can not reach a different destination subnet if the source subnet is configured in a different VPN tunnel.

If you increasingly experience issues like that, it is recommended to switch back to policy-based routing to avoid further unexpected issues.

Enable the Single Routing Table for VPN Routes

If you are using source-based VPN routing tables, you have the option of moving the entries to the main routing table. Because entries with identical destination addresses in the main routing table are aggregated regardless of their source address, you must be aware that when moving source-based VPN routing entries to the main routing table, the source address of a VPN routing entry will be ignored.

Using this option without a proper migration plan may break your current setup, forward traffic into wrong tunnels and cause loss of connectivity!

Therefore, if you want to route VPN traffic based on a special source address, it is recommended not to use this option.

  1. Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > VPN-Service > VPN Settings.
  2. In the left menu, select General.
  3. Click Lock
  4. Set Add VPN routes to main routing table to Yes.
  5. Click Send Changes and Activate.e
Enabling Local Out Traffic when using a Single Routing Table for VPN Routes

To send the local out traffic through the VPN tunnel, you must configure an IP address from the source network for the VPN interface.

  1. Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > VPN-Service > VPN Settings.
  2. Click Lock.
  3. In the left menu, select Routed VPN.
  4. Next to the Interface Configuration table, click Add.
  5. In the VPN Interface Properties window, configure the following settings and then click OK.
    • In the VPN Interface Index field, enter the number of the VPN interface. E.g., 0 for vpn0
    • In the IP Addresses field, enter a box IP address that is also part of a published VPN network. E.g., 192.168.200.200 if one of the Local Networks of the VPN tunnel is 192.168.200.0/24.
      maintable_routing_01.png
    • Click OK. The interface is now listed in the Interface Configuration table.
      maintable_routing_02.png
  6. Click Send Changes and Activate.

Local Out traffic is now sent and received correctly through the Site-to-Site VPN tunnel.