Barracuda CloudGen Firewall

How to Configure a Site-to-Site IPsec IKEv1 VPN Tunnel


The Barracuda NextGen Firewall F-Series can establish IPsec VPN tunnels to any standard-compliant third party IKEv1 IPsec VPN gateway. The Site-to-Site IPsec VPN tunnel must be configured with identical settings on both the Barracuda NextGen Firewall F-Series and the third-party IPsec gateway. The Barracuda NextGen Firewall F-Series supports authentication with a shared passphrase as well as X.509 certificate-based (CA-signed as well as self-signed) authentication. To allow traffic into the VPN tunnel, an access rule is required.


Before you Begin

Step 1. Create an IKEv1 IPsec Tunnel on the Barracuda NextGen Firewall F-Series

  1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > VPN-Service > Site to Site.
  2. Click the IPSEC IKEv1 Tunnels tab.
  3. Click Lock.
  4. Right-click the table and select New IPSec IKEv1 tunnel. The IPsec Tunnel window opens.
  5. Enter a Name for the tunnel. E.g., HQRemoteFW
  6. Select the Phase 1 settings:
    • Encryption – Select the encryption algorithm: AES, AES256, 3DES, CAST, Blowfish, DES, or Null. Prefer AES or AES256; DES, 3DES, CAST, and Blowfish are legacy ciphers, and Null provides no confidentiality at all.
    • Authentication – Select the hashing algorithm: MD5, SHA, SHA256, or SHA512. MD5 and SHA (SHA-1) are kept only for legacy peers; prefer SHA256 or SHA512.
    • DH-Group – Select the Diffie-Hellman group. The Barracuda NextGen Firewall F-Series supports Group 1 to Group 18. Groups 1, 2, and 5 are too small for current use; use Group 14 or higher if the remote peer supports it.
    • Lifetime [sec] – Enter the phase 1 lifetime in seconds. Default: 28800
    • Min. Lifetime [sec] – Enter the phase 1 minimum lifetime in seconds. Default: 25200
    • Max. Lifetime [sec] – Enter the phase 1 maximum lifetime in seconds. Default: 32400

  7. Select the Phase 2 settings:
    • Encryption – Select the encryption algorithm: AES, AES256, 3DES, CAST, Blowfish, DES, or Null. The same guidance as for Phase 1 applies: prefer AES or AES256.
    • Authentication – Select the hashing algorithm: MD5, SHA, SHA256, or SHA512. Prefer SHA256 or SHA512.
    • DH-Group – Select the Diffie-Hellman group (used only when Perfect Forward Secrecy is enabled). The Barracuda NextGen Firewall F-Series supports Group 1 to Group 18.
    • Lifetime [sec] – Enter the phase 2 lifetime in seconds. Default: 3600
    • Min. Lifetime [sec] – Enter the phase 2 minimum lifetime in seconds. Default: 1200
    • Max. Lifetime [sec] – Enter the phase 2 maximum lifetime in seconds. Default: 4800

    • Enable Perfect Forward Secrecy – Enable if the remote VPN gateway supports perfect forward secrecy (PFS).
  8. Click the Local Networks tab and configure the following settings:
    • Initiates Tunnel – Select Yes (active IKE) for the Barracuda NextGen Firewall F-Series to initiate the VPN tunnel.
    • Local IKE Gateway – Enter the external IP address of the Barracuda NextGen Firewall F-Series. If you are using a dynamic WAN IP address, enter 0.0.0.0.

    • ID-type – Select the IPsec ID-type. For more information, see IPsec IKEv1 Tunnel Settings.
    • Network Address – Add the local networks you want to reach through the VPN tunnel, and click Add.
  9. Click the Remote Networks tab, and configure the following settings:
    • Remote IKE Gateway – Enter the external IP address of the third-party appliance. If the remote appliance uses a dynamic IP address, you can also enter 0.0.0.0/0; in this case, you must use aggressive mode.
    • ID-type – Select the IPsec ID-type. For more information, see IPsec IKEv1 Tunnel Settings.
    • Network Address – Add the IP address of the remote network, and enable Advertise Route if you want to propagate it via RIP, OSPF, or BGP. (e.g., 10.0.81.0/24). Enter the address and then click Add.
  10. Click the Peer Identification tab, and enter the shared passphrase in the Shared Secret field. The passphrase may not contain the pound (#) character.
  11. If the remote IPsec gateway does not support Dead Peer Detection (DPD), disable it:
    1. Click the Advanced tab.
    2. In the DPD interval (s) field, enter 0.
  12. Switch to aggressive mode if the remote IP address is unknown and you are using a Shared Secret to authenticate:
    1. Click the Identity tab.
    2. From the Mode dropdown, select Aggressive.
    3. Enter the Aggressive-ID.
  13. Click OK.
  14. Click Send Changes and Activate.

Step 2. Create an IPsec Tunnel on the Remote Appliance

Configure the remote Barracuda NextGen Firewall F-Series or third-party appliance as the passive tunnel partner. The remote VPN gateway must be configured with the same Phase 1 and Phase 2 settings; only the local and remote networks and the IKE gateway addresses are mirrored.
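As an added example (not part of this page or of Barracuda's own documentation), the following shows how a strongSwan host standing in for the third-party gateway would be configured as the passive partner for the tunnel created in Step 1. It assumes the Barracuda's external address is 198.51.100.1 with local network 10.0.10.0/24, the strongSwan side is 203.0.113.2 with 10.0.81.0/24, AES256/SHA256/DH Group 14 in both phases with PFS, and the default lifetimes; all addresses and the passphrase are placeholders.

```ini
# /etc/ipsec.conf on the third-party (strongSwan) gateway, passive side.
# Addresses, networks and the passphrase are placeholders for this example.
config setup
    charondebug="ike 2, cfg 2"          # raise to 3 when chasing proposal mismatches

conn HQRemoteFW
    keyexchange=ikev1
    type=tunnel
    authby=secret
    auto=add                            # load only; the Barracuda (active end) initiates
    left=203.0.113.2                    # this gateway's external address
    leftid=203.0.113.2                  # must equal the Remote IKE Gateway on the Barracuda
    leftsubnet=10.0.81.0/24             # entered as "Remote Networks" on the Barracuda
    right=198.51.100.1                  # Barracuda external (Local IKE Gateway) address
    rightid=198.51.100.1
    rightsubnet=10.0.10.0/24            # Barracuda "Local Networks"
    # Phase 1: AES256 / SHA256 / DH Group 14 (modp2048). The trailing "!" makes
    # strongSwan offer only this proposal, so a mismatch fails fast and visibly.
    ike=aes256-sha256-modp2048!
    ikelifetime=28800s                  # Barracuda Phase 1 default
    # Phase 2: same algorithms; naming a DH group here is what enables PFS.
    esp=aes256-sha256-modp2048!
    lifetime=3600s                      # Barracuda Phase 2 default (must differ from Phase 1)
    # Dead Peer Detection: keep in step with the Barracuda "DPD interval", or set
    # dpdaction=none here and DPD interval 0 on the Barracuda if one side lacks DPD.
    dpddelay=30s
    dpdtimeout=120s
    dpdaction=clear
    # If this side has a dynamic address, add aggressive=yes and a name-based
    # leftid (e.g. leftid=@branch-fw) matching the Aggressive-ID on the Barracuda.

# /etc/ipsec.secrets (mode 0600). The passphrase must not contain "#".
198.51.100.1 203.0.113.2 : PSK "replace-with-a-long-random-passphrase"
```

After `ipsec reload`, `ipsec statusall` should list the connection as loaded but not yet established; once the Barracuda initiates, the same command shows the IKE SA and the CHILD SA with the traffic selectors 10.0.81.0/24 === 10.0.10.0/24. Do not run `ipsec up HQRemoteFW` on this side, since that would make both ends active.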

Step 3. Create Access Rules for VPN Traffic

To allow traffic in and out of the VPN tunnel, create a PASS access rule on the Barracuda NextGen Firewall F-Series. For more information, see How to Create Access Rules for Site-to-Site VPN Access.


Monitoring a VPN Site-to-Site Tunnel

To verify that the VPN tunnel was initiated successfully and traffic is flowing, go to VPN > Site-to-Site or VPN > Status.



Troubleshooting

  • Ping a host in the remote network. If the network host is unavailable, attempt to ping the IP address of the remote IPsec gateway.
  • Go to the FIREWALL > Live page and ensure that network traffic is matching the access rule created in Step 3.

Most IPsec implementations represent a single IP address as a network address combined with a /32 subnet mask (255.255.255.255). Because the IKE protocol is difficult to debug, Barracuda NextGen Admin displays a warning if an IPsec network contains single IP addresses. If the IPsec connection cannot be established and the error no compatible proposals chosen is displayed:

  • Verify that the IPsec settings on both IPsec peers match. (encryption, hash method, etc...).
  • If you are using single IP addresses as the local or remote network, try network addresses instead (e.g., with netmask 255.255.255.252, a /30) for the local and remote network settings. If the tunnel can then be established, the third-party IPsec implementation most likely does not support single IP addresses as traffic selectors; in this case, use a larger network for the remote and local network.

Checklist for Connecting to Third-Party IPsec VPN Gateways

  • Tunnel partners must be active at one end and passive at the other end.
  • Phase 1 and Phase 2 settings must be identical on both VPN gateways.
  • The local and remote network must not contain single IP addresses; they must be at least a network with mask /30.
  • Do not use identical or overlapping remote networks when using multiple IPSec tunnels because the remote network is used for authentication.

When creating IPsec tunnels between F-Series Firewall and third-party gateways, consider the following:

  • Phase 1 and Phase 2 settings must match the requirements of the remote peer.
  • Configure lifetimes, also known as tunnel rekeying times, in seconds and not as KB-values.
  • The Phase 1 and Phase 2 lifetime must be different.
  • Only use Dead Peer Detection if the remote VPN gateway also supports this feature.
  • Supernetting is not supported.
  • Do not use IPsec-SA bundling.
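The two checklists above are easy to get wrong by hand when several tunnels and two administrators are involved. The following script, an added example that is not part of the Barracuda documentation or product, encodes them as a pre-flight check: one active and one passive end, identical Phase 1 and Phase 2 settings, no single-host networks, mirrored local/remote networks, differing Phase 1 and Phase 2 lifetimes, and no overlapping remote networks across tunnels. It additionally flags algorithms that are selectable in the dialog but cryptographically weak. Tunnel definitions are plain dicts with this script's own field names (not Barracuda's), and all addresses are placeholders.

```python
"""Pre-flight check for an IKEv1 site-to-site tunnel against the checklist above.

Added example, not part of the Barracuda documentation or product. Tunnel
definitions are plain dicts constructed here with this script's own field
names (not Barracuda's); addresses are placeholders.
"""
import ipaddress
from itertools import combinations

# Selectable on the firewall but cryptographically weak; flagged, not rejected.
WEAK_ENC = {"DES", "3DES", "CAST", "Blowfish", "Null"}
WEAK_HASH = {"MD5", "SHA"}   # "SHA" in the dialog is SHA-1
WEAK_DH = {1, 2, 5}          # 768/1024/1536-bit MODP groups
PHASE_KEYS = ("encryption", "authentication", "dh_group", "lifetime")


def check_phase(name, local, remote, findings):
    """Every Phase 1 / Phase 2 parameter must be identical on both peers."""
    for key in PHASE_KEYS:
        if local.get(key) != remote.get(key):
            findings.append(f"{name}: {key} differs ({local.get(key)!r} vs {remote.get(key)!r})")
    if local.get("encryption") in WEAK_ENC:
        findings.append(f"{name}: weak encryption {local['encryption']}")
    if local.get("authentication") in WEAK_HASH:
        findings.append(f"{name}: weak hash {local['authentication']}")
    if local.get("dh_group") in WEAK_DH:
        findings.append(f"{name}: weak DH group {local['dh_group']}")


def check_networks(label, nets, findings):
    """Networks must be at least a /30; /31 and /32 (single hosts) are rejected."""
    for n in nets:
        if ipaddress.ip_network(n, strict=False).prefixlen > 30:
            findings.append(f"{label}: {n} is a single host or smaller than /30")


def check_tunnel(local, remote):
    """Compare one end's tunnel definition with its peer's; return a list of findings."""
    findings = []
    if local["initiates"] == remote["initiates"]:
        findings.append("exactly one end must initiate (active); the other must be passive")
    check_phase("phase1", local["phase1"], remote["phase1"], findings)
    check_phase("phase2", local["phase2"], remote["phase2"], findings)
    if local["phase1"]["lifetime"] == local["phase2"]["lifetime"]:
        findings.append("phase1 and phase2 lifetimes must differ")
    check_networks("local networks", local["local_networks"], findings)
    check_networks("remote networks", local["remote_networks"], findings)
    # The peer's local/remote networks must be the mirror image of ours.
    if (set(local["local_networks"]) != set(remote["remote_networks"])
            or set(local["remote_networks"]) != set(remote["local_networks"])):
        findings.append("local/remote networks are not mirrored on the peer")
    return findings


def check_overlaps(tunnels):
    """Remote networks of different tunnels must not overlap (they identify the tunnel)."""
    findings = []
    for a, b in combinations(tunnels, 2):
        for na in a["remote_networks"]:
            for nb in b["remote_networks"]:
                if ipaddress.ip_network(na, strict=False).overlaps(ipaddress.ip_network(nb, strict=False)):
                    findings.append(f"{a['name']} / {b['name']}: remote networks {na} and {nb} overlap")
    return findings


# Constructed sample definitions (placeholder addresses).
GOOD_PHASE1 = {"encryption": "AES256", "authentication": "SHA256", "dh_group": 14, "lifetime": 28800}
GOOD_PHASE2 = {"encryption": "AES256", "authentication": "SHA256", "dh_group": 14, "lifetime": 3600}
HQ = {"name": "HQRemoteFW", "initiates": True, "phase1": GOOD_PHASE1, "phase2": GOOD_PHASE2,
      "local_networks": ["10.0.10.0/24"], "remote_networks": ["10.0.81.0/24"]}
BRANCH_OK = {"name": "BranchFW", "initiates": False, "phase1": GOOD_PHASE1, "phase2": GOOD_PHASE2,
             "local_networks": ["10.0.81.0/24"], "remote_networks": ["10.0.10.0/24"]}
BRANCH_BAD = {"name": "BranchFW", "initiates": True,   # both ends active
              "phase1": {"encryption": "3DES", "authentication": "MD5", "dh_group": 2, "lifetime": 28800},
              "phase2": GOOD_PHASE2,
              "local_networks": ["10.0.81.5/32"],        # single host
              "remote_networks": ["10.0.10.0/24"]}
HQ_SECOND = {"name": "HQOtherFW", "remote_networks": ["10.0.80.0/23"]}   # overlaps 10.0.81.0/24

if __name__ == "__main__":
    for label, pair in (("good", (HQ, BRANCH_OK)), ("bad", (HQ, BRANCH_BAD))):
        print(label, check_tunnel(*pair) or "OK")
    print("overlaps", check_overlaps([HQ, HQ_SECOND]))
```

Run it against both directions of a pairing (`check_tunnel(HQ, BRANCH)` and `check_tunnel(BRANCH, HQ)`), since the weak-algorithm flags are raised for the definition passed as `local`; the mismatch findings are symmetric. Anything the script prints corresponds to one of the checklist items above and is worth resolving before looking for the cause of a `no compatible proposals chosen` error elsewhere.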