Barracuda CloudGen Firewall

How can support set up Client to Site VPN on NextGen Firewall F-Series with username and password authentication

  • Type: Knowledgebase
  • Date changed: 2 years ago
Solution #00007809

Scope: NextGen Firewall F

Answer:

Configure Basic VPN Settings, Cert, Client Networks: 
1. Go to CONFIGURATION -> Configuration Tree -> Box -> Virtual Servers -> <Virtual Server Name> -> Assigned Services -> VPN Service -> VPN Settings
2. Lock the VPN Settings.
3. Select "Click here for Server Settings…"
4. Under "Default Server Certificate" select "Ex/Import"
5. Select "New/Edit Certificate"
6. Have the customer fill out all the info under "Subject" in the "Certificate View" window.
   1. For "Sub/alt Name", if they are using an IP, use the following syntax - IP:<IP address>
7. Click "OK"
8. Under "Default Key" click on "Ex/Import"
9. Select "New 2048-bit RSA Key"
10. Select "Yes" on the pop-up window.
    1. The Key and Cert should now match and be GREEN
11. Select "OK" to close the "Server Settings Window"
12. Select the "Server Certificate
13. Click the "Client Networks" tab
14. Right-click in the table and select "New Client Network"; this will open a "Client Network" window.
15. Configure the following fields:
    1. Name - Descriptive name for the network
    2. Network Address - the base network for the VPN clients (an address that is NOT being used currently on the network)
    3. Network Mask - the subnet mask for the VPN client networks
    4. Gateway - Enter the gateway network address (most of the time this is the NG Firewall IP)
    5. Type - Select "Routed (Static Route)"
16. Click "OK"
17. Click on "Service Certificates/Keys"
18. Right-click the table and select "New Key"
19. Enter a name for the key (usually use 'server' for simplicity)
20. Select "OK"
21. Select "Send Changes"
22. Select "Activation Pending…", then select "Activate"

Configure The Group Policy: 
1. Navigate to Configuration Tree -> Box -> Virtual Servers -> <Virtual Server Name> -> Assigned Services -> VPN Service -> Client to Site
2. Select the "External CA" tab
3. Click on "Lock"
4. Select "Click here for options…"
5. Change "Authentication Scheme" to the desired setting.
6. Select "Ok"
7. After the authentication scheme is selected, it needs to be configured under Box -> Infrastructure Services -> Authentication Service.
8. Right-click in the table and select "New Group Policy…"
9. In the "Edit Group Policy" window fill out the following:
   1. Name - Simple name for the Group Policy
   2. Common Settings - click on the drop-down menu and it should fill in with the same name as you entered in the "Name" field.
   3. Network - select the network associated with this policy
   4. DNS - enter the DNS that you want to use for this VPN
   5. Network Routes - add each network that the VPN clients should have access to, in 0.0.0.0/0 (CIDR) notation.
   6. Group Policy Condition - double-click in the table, place the cursor in "Group Pattern", and press "Ok"
   7. Barracuda tab - default settings are fine.
   8. IPSec tab - can be configured if desired, or disabled altogether if IPSec is not needed.
      1. To disable IPSec do the following:
         1. Click the checkbox in the pull-down menu.
         2. Select the "disabled" checkbox that is under "IPSec Phase II - Settings"
         3. Select "Disable" from the pull-down menu next to the checkbox.
10. Click "OK" to close the "Edit Group Policy" window
11. Send Changes and Activate
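
A pre-flight check for the values entered in the "Client Network" and "Network Routes" fields above, given as an added example that is not part of the original article or of Barracuda's tooling. All addresses are constructed sample values, and the function name `plan_client_network` is hypothetical.

```python
import ipaddress

# Constructed sample data: networks already in use on site (not from the article).
IN_USE = ["10.0.10.0/24", "192.168.1.0/24"]

def plan_client_network(address, mask, in_use, routes):
    """Check a planned VPN client network; return (findings, cidr_routes)."""
    findings, cidr_routes = [], []
    try:
        # strict=True rejects a value that is not a base network address
        client = ipaddress.ip_network(f"{address}/{mask}", strict=True)
    except ValueError as exc:
        return [f"Network Address/Mask invalid: {exc}"], cidr_routes
    # The client network must not collide with anything already in use.
    for raw in in_use:
        used = ipaddress.ip_network(raw)
        if client.overlaps(used):
            findings.append(f"client network {client} overlaps in-use {used}")
    # Network Routes are entered in CIDR notation; convert dotted masks.
    for raw in routes:
        try:
            cidr_routes.append(str(ipaddress.ip_network(raw, strict=True)))
        except ValueError as exc:
            findings.append(f"Network Route {raw!r} invalid: {exc}")
    return findings, cidr_routes

if __name__ == "__main__":
    sample_routes = ["10.0.10.0/255.255.255.0", "192.168.1.7/24"]
    for addr, mask in [("192.168.200.0", "255.255.255.0"),
                       ("10.0.10.128", "255.255.255.128")]:
        findings, routes = plan_client_network(addr, mask, IN_USE, sample_routes)
        print(f"{addr} {mask}: routes={routes}")
        for line in findings or ["no findings"]:
            print("  -", line)
```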

Configure the Firewall Rule (If needed): 

1. Navigate to Configuration Tree -> Box -> Virtual Servers -> <Virtual Server Name> -> Assigned Services -> Firewall -> Forwarding Rules
2. Lock the screen
3. Create a new rule with the following info:
   1. PASS
   2. Name: VPNCLIENTS-2-LAN
   3. Source: <explicit-src> - Enter the IP range of the VPN client network.
   4. Service: ALL
   5. Destination: Trusted LAN
   6. Authenticated User: Any
   7. Policy: leave at defaults or adjust as desired
   8. Connection Method: No Src NAT[Client] or NO SNAT
4. Click "OK"
5. Position the rule so that it is above the BLOCKALL rule.



