It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda CloudGen Firewall

Dynamic Mesh VPN Networks

  • Last updated on

A Dynamic Mesh VPN network allows you to use the advantages of a fully meshed network without having to provide the resources needed for the large number of static VPN tunnels on every unit. All remote units are connected by a static TINA VPN tunnel to the central firewall acting as the VPN hub. VPN tunnels between IPv6 endpoints are not supported. When relay traffic from a remote location to another remote location is detected by the VPN hub, a dynamic VPN tunnel is initiated directly connecting the two remote firewalls. As soon as the dynamic VPN tunnel is up, traffic is transparently redirected through the VPN tunnel that now directly connects both locations. The dynamic tunnel is completely transparent to the user and offers better latency than relaying the traffic through the VPN hub. Dynamic tunnels are triggered by the Dynamic Mesh-enabled connection object of the VPN hub. Configure the VPN hub as the SD-WAN primary and the remote units as SD-WAN secondaries. The SD-WAN secondaries will automatically learn the Dynamic Mesh and SD-WAN settings from the primary. Traffic that does not match an access rule with a Dynamic Mesh-enabled connection object on the SD-WAN primary continues to be sent through the VPN hub. To prevent services such as OSPF or BGP from keeping dynamic tunnels open forever, you can disable resetting the idle timeout of the dynamic tunnel in the connection object of the matching access rule.



Initiating a Dynamic Tunnel

A dynamic tunnel is created when the following requirements are met:

  • All firewalls must use IPv4 transport source and listening IP addresses.
  • Both firewalls must be connected to the same VPN hub via TINA VPN tunnels.
  • The VPN hub must act as a relay. For example, traffic must pass through the VPN hub to the target CloudGen Firewall.
  • The VPN hub must be configured as the SD-WAN primary. 
  • The remote firewalls must be configured as SD-WAN secondaries.
  • The source CloudGen Firewall must be able to reach the public IP address of the target CloudGen Firewall. If multiple VPN listening IP addresses are present, the first IP address from the list is chosen.
  • Dynamic Mesh must be enabled on each CloudGen Firewall and the VPN hub in the VPN Settings
  • The VPN hub acting as the SD-WAN primary must have Allow Dynamic Mesh and Trigger Dynamic Mesh enabled in the connection object.
  • The tunnel is terminated if no traffic is sent through the tunnel for the configured timeout. (Min: 10 sec. Default 600 sec.)

Dynamic Tunnel Settings

Ideally, both VPN tunnels connecting to the hub use the same encryption and transport settings. If these settings differ, the dynamic tunnel uses the following preferences:

  • Transport – If the Transport settings differ, the dynamic tunnel chooses the transport protocol according to the following preferences: 
    1. ESP 
    2. UDP
    3. TCP 
  • Compression – Compression is enabled for the dynamic tunnel if at least one of the static tunnels also uses compression.
  • Encryption – If the Encryption settings differ, the dynamic tunnel chooses the cipher according to the following preferences:
    1. AES
    2. BLOW
    3. CAST
    4. 3DES
    5. DES
    6. NONE
  • Authentication – If the Authentication settings differ, the dynamic tunnel chooses the hash according to the following preferences:
    1. GCM
    2. SHA512
    3. SHA256
    4. MD160
    5. SHA
    6. MD5
    7. NONE

SD-WAN with Dynamic Mesh Tunnels


When a dynamic tunnel is created between two CloudGen Firewalls both using multiple transports, the dynamic tunnel will create a transport with the SD-WAN ID of 0 for Bulk and Quality SD-WAN classes used in at least one of the static VPN tunnels. This means that for two remote VPN services using multiple transports in the SD-WAN class bulk, the dynamic tunnel will be created with a single Bulk0 transport. The source networks from the static tunnels are assigned to the transports of the dynamic tunnel according to their SD-WAN class. For example, if a network was previously routed through the bulk3 transport, it will be assigned to the bulk0 transport of the dynamic tunnel. The VPN hub must act as SD-WAN primary, and the remote units as SD-WAN secondaries. The remote firewalls will learn the dynamic mesh settings from the SD-WAN primary. When two SD-WAN secondaries communicate with each other, the transport is chosen by the SD-WAN Transport Selection configured for the connection object of the CloudGen Firewall initiating the connection. Make sure the Fallback policy allows the use of the SD-WAN ID 0 of each transport. It is recommended to use identical firewall connection objects for all remote firewalls.


  • Traffic Shaping must be applied to the VPN interface and not directly to the transport.
  • Dynamic Mesh cannot be used for CloudGen Firewalls that are behind a NATed connection which hinders the VPN hub from finding out the public IP address of the remote unit.
  • VPN tunnel start/stop scripts are not executed on the remote CloudGen Firewalls

Dynamic Mesh Configuration via GTI Editor for Managed CloudGen Firewalls

The GTI Editor simplifies configuring a large Dynamic Mesh VPN network for firewalls managed by a Control Center.

For more information, see How to Configure a Dynamic Mesh VPN with the GTI Editor.

Dynamic Mesh Configuration on Stand-alone CloudGen Firewalls

Dynamic Mesh can be configured for VPN networks with three or more stand-alone firewalls, with the central CloudGen Firewall acting as a VPN relay and hub.

For more information, see How to Configure Dynamic Mesh VPN.