It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda NextGen Firewall X

Standards for IPSec tunnel configuration between NG Firewall and 3rd party gateways

  • Type: Knowledgebase
  • Date changed: 2 years ago
Solution #00005161 
This solution replies to:
- NG Firewall firmware versions 4.2.x, 5.0.x, 5.2.x
- netfence firmware versions 4.2.x


Are there any standards that should be observed when constructing IPSec tunnels between NG Firewall and 3rd party gateways?



As the following IPSec implementations have proven to be frequent cause of configuration problems, it is advisable to stick to the following list of recommendations when constructing IPSec tunnels between NG Firewall and 3rd party gateways:


- "Aggressive mode" for negotiation of the keying channel or ISAKMPD SA is supported since firmware version 4.2.3 and above.
- "NAT traversal (NAT-T)" is supported since firmware version 4.2.3 and above.
- Do not use "Supernetting" (not supported).
- Do not use special characters or umlauts in the shared secret.
- Configure Lifetimes (i.e. tunnel rekeying times) as time and not as KB-values.
- Phase 1 and Phase 2 lifetime should never have the same value.
- Tunnel partners must be active at one and passive at the other end.
- Encryption and DH-Group settings must be identical on both tunnel ends. Thereby, PFS (Perfect Forward Security) configuration matches DH-Group / Phase 2 configuration on NG Firewall systems.
- Lifetimes in Phase 1 must be greater than Lifetimes in Phase 2.
- A dynamic local or peer IP ( is not configurable on firmware versions below 4.2.x 
- local and remote network must not contain singe IPs - they must be at least a network with mask /30
- Do not use IPSec-SA bundling (not supported).
- Since firmware 3.4.4 and above the NG Firewall ISAKMPD supports "DPD" (Dead Peer Detection). If the remote IPSec gateway does not support DPD, you have to disable it (set value to "0" in the VPN Settings)
- Do not set the "Tunnel Check Interval (s)" to 0 seconds. Default value is 5 seconds, less than 5 seconds will generate too much traffic.
- The NG Firewall
ISAKMPD implementation uses the "IPv4_net" and not "IPv4_address" as ID-Type.

- Only net announcement from type "IPv4_net" is supported. Other announcement methods are not supported (may generate "Supernetting" errors).

- Do not use identical or overlapping remote networks in different configured IPSec tunnels, the remote network is used for authentication.


Link to This Page: