Since the TINA protocol offers significant advantages over IPsec, it is the main protocol used for VPN connections between CloudGen Firewalls. Many of the advanced VPN features, such as SD-WAN or WAN Optimization, are supported only for TINA site-to-site tunnels.
You must complete this configuration on both the local and the remote Barracuda CloudGen Firewall by using the respective values below:
Setting | Example values for the local firewall | Example values for the remote firewall |
---|---|---|
VPN local networks | 10.0.10.0/25 | 10.0.81.0/24 |
VPN remote networks | 10.0.81.0/24 | 10.0.10.0/25 |
External IP address (listener VPN service) | 62.99.0.40 | 212.86.0.10 |
Before You Begin
If not already present, configure the Default Server Certificate in CONFIGURATION > Configuration Tree > Box > Assigned Services > VPN > VPN Settings. For more information, see VPN Settings.
Step 1. Configure the VPN Service Listeners
Configure the IPv4 and IPv6 listener addresses for the VPN service.
- Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > VPN > Service Properties.
- Click Lock.
- From the Listening IP list, select the source for the IPv4 listeners:
- First+Second-IP – The VPN service listens on the first and second virtual server IPv4 address.
- First-IP – The VPN service listens on the first virtual server IPv4 address.
- Second-IP – The VPN service listens on the second virtual server IPv4 address.
- Explicit – For each IP address, click + and enter the IPv4 addresses in the Explicit IPs list.
- Click + to add an entry to the Explicit IPv6 IPs.
- Select an IPv6 listener from the list of configured explicit IPv6 virtual server IP addresses.
- Click Send Changes and Activate.
Step 2. Configure the TINA Tunnel at Location 1
For the firewall at Location 1, configure the network settings and export the public key. For more information on specific settings, see TINA Tunnel Settings.
- Log into the firewall at Location 1.
- Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > VPN > Site to Site.
- Click Lock.
- Click the TINA Tunnels tab.
- Right-click the table, and select New TINA tunnel.
- In the Name field, enter the name for the new VPN tunnel.
If providers have been configured by a name in CONFIGURATION > Configuration Tree > Network > IP Configuration > Shared Networks and IPs, the check box Use Provider as Tunnel Address will be selected by default.
- (IPv6 only) Select the IPv6 check box.
- Configure the Basic TINA tunnel settings. For more information, see TINA Tunnel Settings.
Depending on whether providers have been configured by a name in CONFIGURATION > Configuration Tree > Network > IP Configuration > Shared Networks and IPs, you have two options for configuring the basic settings:
- If Use Provider as Tunnel Address is not selected:
- Transport – Select the transport encapsulation: UDP (recommended), TCP, TCP&UDP, ESP, or Routing.
- Encryption – Select the encryption algorithm: AES, AES256, 3DES, CAST, Blowfish, DES, or Null. Use AES or AES256 for new tunnels: DES, 3DES, CAST, and Blowfish are legacy ciphers, and Null sends the tunnel traffic unencrypted.
- Authentication – Select the hashing algorithm: MD5, SHA, SHA256, SHA512, NOHASH, RIPEMD160, or GCM. Use SHA256, SHA512, or GCM for new tunnels: MD5 is no longer collision resistant, and NOHASH disables integrity protection of the tunnel traffic.
- (optional) SD-WAN Classification / SD-WAN-ID – For more information, see SD-WAN.
- (optional) Compression – Select yes to enable VPN compression. Do not use in combination with WAN Optimization.
- (optional) Use Dynamic Mesh / Dynamic Mesh Timeout – For more information, see Dynamic Mesh VPN Networks.
- If Use Provider as Tunnel Address is selected:
- Transport – Select the transport encapsulation: UDP (recommended), TCP, TCP&UDP, ESP, or Routing.
- Encryption – Select the encryption algorithm: AES, AES256, 3DES, CAST, Blowfish, DES, or Null.
- Authentication – Select the hashing algorithm: MD5, SHA, SHA256, SHA512, NOHASH, RIPEMD160, or GCM.
- Provider – Select from the list of configured providers.
NOTE: If providers are configured, only bulk providers will be available in the list.
- (optional) Compression – Select yes to enable VPN compression. Do not use in combination with WAN Optimization.
- (optional) Use Dynamic Mesh / Dynamic Mesh Timeout – For more information, see Dynamic Mesh VPN Networks.
- If Use Provider as Tunnel Address is not selected:
- In the Local Networks tab, select the Call Direction. At least one of the two firewalls must be set to active; a tunnel with both ends passive is never initiated.
- Click the Local tab, and configure the IP address or Interface used for Tunnel Address:
- (IPv4 only) First Server IP – First IP address of the virtual server the VPN service is running on.
- (IPv4 only) Second Server IP – Second IP address of the virtual server the VPN service is running on.
- Dynamic (via routing) – The firewall uses a routing table lookup to determine the IP address.
- Explicit List (ordered) – Enter one or more explicit IP addresses. Multiple IP addresses are tried in the listed order.
- In the Remote tab, enter one or more IPv4 or IPv6 addresses or an FQDN as the Remote Peer IP Addresses, and click Add.
- In the Remote tab, select the Accepted Algorithms. The list must include the encryption algorithm configured in the basic settings; otherwise, the cipher cannot be used for the tunnel.
- For each local network, enter the Network Address in the Local Networks tab and click Add, e.g., 10.0.10.0/25.
- For each remote network, enter the Network Address in the Remote Networks tab and click Add, e.g., 10.0.81.0/24.
- (optional) To propagate the remote VPN network via dynamic routing, enable Advertise Route.
- Click on the Identity tab.
- From the Identification Type list, select Public Key.
- Click Ex/Import and select Export Public Key to Clipboard.
- Click OK.
- Click Send Changes and Activate.
Step 3. Create the TINA Tunnel at Location 2
- Log into the firewall at Location 2.
- Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > VPN > Site to Site.
- Click Lock.
- Click the TINA Tunnels tab.
- Right-click the table, and select New TINA tunnel.
- In the Name field, enter the name for the new VPN tunnel.
- (IPv6 only) Click the IPv6 check box.
- Configure the Basic TINA tunnel settings to match the settings configured for Location 1. Transport, Encryption, and Authentication must be identical on both ends.
- In the Local Networks tab, select the Call Direction. At least one of the two firewalls must be set to active.
- Click the Local tab, and configure the IP address or Interface used for Tunnel Address:
- (IPv4 only) First Server IP – First IP address of the virtual server the VPN service is running on.
- (IPv4 only) Second Server IP – Second IP address of the virtual server the VPN service is running on.
- Dynamic (via routing) – The firewall uses a routing table lookup to determine the IP address.
- Explicit List (ordered) – Enter one or more explicit IP addresses. Multiple IP addresses are tried in the listed order.
- Click the Remote tab, enter one or more IP addresses or an FQDN as the Remote Peer IP Addresses, and click Add.
- In the Remote tab, select the Accepted Algorithms. The list must include the encryption algorithm configured in the basic settings; otherwise, the cipher cannot be used for the tunnel.
- For each local network behind the Location 2 CloudGen Firewall, enter the Network Address in the Local Networks tab and click Add, e.g., 10.0.81.0/24.
- For each remote network behind the Location 1 CloudGen Firewall, enter the Network Address in the Remote Networks tab and click Add, e.g., 10.0.10.0/25.
- Click on the Peer Identification tab.
- Click Ex/Import and select Import from Clipboard.
- Click on the Identity tab.
- From the Identification Type list, select Public Key.
- Click Ex/Import and select Export Public Key to Clipboard.
- Click OK.
- Click Send Changes and Activate.
Step 4. Import the Public Key for Location 1
The VPN tunnel is not activated until the public key of Location 2 is imported to Location 1.
- Log into the firewall at Location 1.
- Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > VPN > Site to Site.
- Click Lock.
- Open the configuration for the site-to-site tunnel created in Step 2.
- Click the Peer Identification tab.
- Click Ex/Import and select Import from Clipboard.
- Click OK.
- Click Send Changes and Activate.
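Because the two halves of the tunnel are entered by hand on separate firewalls, most failed TINA tunnels come down to a value that was not mirrored correctly (swapped networks, a cipher accepted on one end only, both ends passive). The following script is an added example, not Barracuda code and not an export format of the CloudGen Firewall: it models only the settings this page tells you to enter on each firewall and reports mismatches between the two ends before you click Activate. Both sample configurations are constructed from the example values in the table at the top of the page; the dictionary keys, the "active"/"passive" call-direction strings, and the list of algorithms treated as weak are assumptions made for this example.

```python
"""Offline consistency check for the two halves of a TINA site-to-site tunnel.

Added example, not Barracuda code. It models the settings this page asks you
to mirror on both CloudGen Firewalls (listener, peer, networks, transport,
algorithms, call direction) and reports anything that would keep the tunnel
down or leave it weakly protected. Sample values are constructed from the
table at the top of the page.
"""
import ipaddress

# Algorithms offered in the TINA dialog that should not be chosen for a new
# tunnel. Assumption: reflects common practice, not a Barracuda default.
WEAK_ENCRYPTION = {"DES", "3DES", "CAST", "Blowfish", "Null"}
WEAK_AUTHENTICATION = {"MD5", "NOHASH"}

LOCATION_1 = {
    "name": "Location 1",
    "listener_ip": "62.99.0.40",        # External IP address (listener VPN service)
    "peer_ips": ["212.86.0.10"],        # Remote tab > Remote Peer IP Addresses
    "local_networks": ["10.0.10.0/25"],
    "remote_networks": ["10.0.81.0/24"],
    "transport": "UDP",
    "encryption": "AES256",
    "authentication": "SHA256",
    "accepted_algorithms": ["AES256"],  # Remote tab > Accepted Algorithms
    "call_direction": "active",         # assumed values: "active" / "passive"
}

LOCATION_2 = {
    "name": "Location 2",
    "listener_ip": "212.86.0.10",
    "peer_ips": ["62.99.0.40"],
    "local_networks": ["10.0.81.0/24"],
    "remote_networks": ["10.0.10.0/25"],
    "transport": "UDP",
    "encryption": "AES256",
    "authentication": "SHA256",
    "accepted_algorithms": ["AES256"],
    "call_direction": "passive",
}


def _networks(cidrs):
    """Parse and sort CIDRs; strict=True rejects host bits set, e.g. 10.0.10.1/25."""
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    return sorted(nets, key=lambda n: (n.version, n))


def _ip_literals(values):
    """Keep only IP-literal peers; FQDN peers are not resolved offline."""
    out = []
    for v in values:
        try:
            out.append(ipaddress.ip_address(v))
        except ValueError:
            pass
    return out


def check_side(cfg):
    """Problems visible from one firewall's own tunnel settings."""
    name, problems = cfg["name"], []
    if cfg["encryption"] in WEAK_ENCRYPTION:
        problems.append(f"{name}: encryption {cfg['encryption']} is weak or gives no confidentiality")
    if cfg["authentication"] in WEAK_AUTHENTICATION:
        problems.append(f"{name}: authentication {cfg['authentication']} is weak or gives no integrity")
    if cfg["encryption"] not in cfg["accepted_algorithms"]:
        problems.append(f"{name}: Accepted Algorithms does not include {cfg['encryption']}")
    for loc in _networks(cfg["local_networks"]):
        for rem in _networks(cfg["remote_networks"]):
            if loc.overlaps(rem):
                problems.append(f"{name}: local {loc} overlaps remote {rem}; routing is ambiguous")
    return problems


def check_tunnel_pair(a, b):
    """Problems that only show up when both ends are compared."""
    problems = check_side(a) + check_side(b)
    for x, y in ((a, b), (b, a)):
        if _networks(x["local_networks"]) != _networks(y["remote_networks"]):
            problems.append(f"{x['name']} Local Networks must equal {y['name']} Remote Networks")
        peers = _ip_literals(y["peer_ips"])
        if peers and ipaddress.ip_address(x["listener_ip"]) not in peers:
            problems.append(f"{y['name']} peer list does not contain {x['name']} listener {x['listener_ip']}")
    for key in ("transport", "encryption", "authentication"):
        if a[key] != b[key]:
            problems.append(f"{key} differs: {a['name']}={a[key]}, {b['name']}={b[key]}")
    if "active" not in (a["call_direction"], b["call_direction"]):
        problems.append("at least one end must have Call Direction set to active")
    return problems


if __name__ == "__main__":
    for line in check_tunnel_pair(LOCATION_1, LOCATION_2) or ["OK: tunnel ends are consistent"]:
        print(line)
```

Run it once with the values you intend to type into each firewall; an empty result means the Local and Remote Networks mirror each other, the listener of each end appears in the other end's peer list, transport and algorithms match, and one end will initiate. The check does not replace the access rules described in the next step, which are still needed before traffic flows through the tunnel.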
After configuring the TINA VPN tunnel on both firewalls, you must also create an access rule on both systems to allow access to the remote networks through the VPN tunnel.
Next Step
Create access rules to allow traffic in and out of your VPN tunnel: How to Create Access Rules for Site-to-Site VPN Access.