How to Configure a Site-to-Site IPsec IKEv2 VPN Tunnel on SecureEdge Using Dynamic Routing (BGP)

Barracuda SecureEdge can establish IPsec VPN tunnels to any standard-compliant third-party IKEv2 IPsec VPN gateway. IPsec IKEv2 tunnels can be created on all types of site devices and all Edge Services. The site-to-site IPsec VPN tunnel must be configured with identical settings on both SecureEdge and the third-party IKEv2 IPsec gateway.

Requirements and Limitations

• For IPsec traffic, do not configure your SD-WAN policy with ACTION set to PIN; otherwise, site-to-site traffic over IPsec tunnels might be blocked.

• If you want to connect the stand-alone site to the Edge Service for vWAN for an IPsec tunnel using BGP, you must first delete the stand-alone site configuration completely and re-configure the same settings via the new site setup wizard.

• If you configure an IPsec IKEv2 VPN tunnel with BGP enabled, you can add more than one destination. However, you must ensure that two destinations of the same tunnel do not have the same remote gateway value.

Step 1. Create an IKEv2 IPsec Tunnel with BGP Enabled

1. Go to https://se.barracudanetworks.com and log in with your existing Barracuda Cloud Control account.
2. In the left menu, click the Tenants/Workspaces icon and select the workspace you want to configure the IPsec IKEv2 tunnel for.
3. Go to Integration > IPsec VPN.
   
4. The IPsec VPN page opens. To add a tunnel, click Add IPsec Tunnel.
   
5. The Create IPsec Tunnel window opens. 
6. In the General tab, specify values for the following:
   
   • Enable – Click to enable/disable tunnel status.
   • Initiates – Initiates tunnel. Click to enable/disable.
     
     • If enabled, the appliance is the active unit and continuously attempts to connect to the remote VPN gateway until a VPN tunnel is established. 
     • If disabled, the appliance is the passive unit and waits for connection attempts from the remote VPN gateway.
   In the GENERAL INFORMATION section, specify values for the following: 
   
   • Name – Enter a unique tunnel name.
   • Description – Enter a brief description.
   In the AUTHENTICATION section, specify values for the following: 
   
   1. Authentication – Select the authentication method from the drop-down menu.

   2. Shared Secret – Enter the shared secret to use a shared passphrase to authenticate.

      The shared secret can consist of small and capital characters, numbers, and non-alphanumeric symbols, except the hash sign (#).

      

7. Click Next.
8. In the Source/Destination tab, specify values for the following:
   • Enable BGP – Click to enable.
   • In the SOURCE section, specify values for the following:

     • Type – Select the type from the drop-down list. You can choose either Edge Service or Site.

       If you configure multiple IPs for a static WAN interface for a Site or a private Edge Service, you must select one of the IP addresses configured on this static WAN interface: either the primary IP address or an additional IP address. By default, the primary IP address is used. For more information, see How to Configure Additional IP Addresses to a Static WAN Interface

     • Peer – Select the peer on which the tunnel will be configured from the drop-down list.
     • Local ID – Enter the local ID.
     • Peering Address – Enter the peering address of the local network, e.g., 169.254.25.2/24

     • ASN – Enter the ASN of the local side, e.g., 65002.


       Note that the specified local ASN must not be used by another IPsec tunnel or by any other SecureEdge deployment in the same workspace.

     • In the DESTINATION section, specify values for the following:

       • Remote Gateway – Enter a remote gateway.

       • Remote ID – Enter a unique ID. VPN tunnels without remote ID will not establish successfully.

       • Peering Address – Enter the remote BGP peer IP address, e.g., 169.254.25.1

       • ASN – Enter the ASN of the remote side, e.g., 65003


         For the remote ASN, you can specify ASN from 1 to 4294967294. However, if it collides with other ASNs that are configured in the existing SecureEdge setup or at the remote side, connectivity might be unavailable between LANs on each side of the IPsec tunnel.

         

         
9. Click Next. 
10. In the Phases tab, specify values for the following:
    In the PHASE 1 section, specify the values for the following: 
    • Encryption – Select the encryption algorithm from the drop-down list. You can choose between AES, 3DES, Blowfish, or AES256.
    • Hash – Select the hashing algorithm from the drop-down list. You can choose between MD5, SHA, SHA256, or SHA512.
    • DH-Group – Select the Diffie-Hellman Group from the drop-down list. Supported groups are: 1, 2, 5, 14 - 24.
    • Proposal Handling – Select the proposal handling from the drop-down list. You can choose between the following: 
      • Strict – The effective encryption is strictly determined by the proposed set of Encryption, Hash, and Group. The communication partner must agree with the proposed set; otherwise, no communication will be established due to a missing common encryption agreement.
      • Negotiate – This option lets a communication partner decrease the strength of the encryption if it cannot support the proposed encryption from the initiator.
    • Lifetime – Enter the number of seconds until the IPsec SA is re-keyed. Default: 28800
    In the PHASE 2 section, specify the values for the following: 
    • Encryption – Select the encryption algorithm from the drop-down list. You can choose between AES, 3DES, Blowfish, or AES256.

    • Hash – Select the hashing algorithm from the drop-down list. You can choose between MD5, SHA, SHA256, SHA512, or GCM.
      

      Note that the GCM hash algorithm can be used only in combination with one of the AES encryption algorithms (such as AES, AES256, or AES512).

    • DH-Group – Select the Diffie-Hellman Group from the drop-down list. You can choose either Disable PFS or supported groups. Supported groups are: 1, 2, 5, 14 - 24.
    • Proposal Handling – Select the proposal handling from the drop-down list. You can choose between the following:
      • Strict – The effective encryption is strictly determined by the proposed set of Encryption, Hash, and Group. The communication partner must agree with the proposed set; otherwise, no communication will be established due to a missing common encryption agreement.
      • Negotiate – This option lets a communication partner decrease the strength of the encryption if it cannot support the proposed encryption from the initiator.
    • Life time – Enter the number of seconds until the IPsec SA is re-keyed. Default: 3600.
    • Traffic Volume Enabled – Click to enable/disable. 
      • If enabled, specify the value for the following:
        • Traffic Volume KB  – Enter the number of KB after which the IPsec SA is re-keyed.
      
11. Click Next.
12. In the Network tab, specify the values for the following:
    In the NETWORK SETTINGS section, specify the values for the following:
    • Force UDP Encapsulation – Click to enable/disable. Use UDP encapsulation (4500) for ESP traffic even if no NAT is detected. 

    • IKE Reauthentication – Click to enable/disable. Reauthenticate during every IKE rekeying. This setting must be disabled if the remote device is a Microsoft Azure Dynamic VPN Gateway. 

    In the DEAD PEER DETECTION section, specify the values for the following: 
    • Action When Detected – Select the action from the drop-down list. You can choose between the following:

      • None – Disable DPD.

      • Clear – Connection with the dead peer is stopped, and routes removed.

      • Restart – Connection is restarted.

    • Delay – Enter the number of seconds after which an empty INFORMATIONAL message is sent to check if the remote peer is still available. Note: DPD Delay is required when detected DPD action is set anything other than None.
      
13. Click Save. 
14. Verify that your IPsec tunnel configuration has been created successfully.
    
15. Click Finish.

After the configuration is complete, you can see a new IPsec tunnel is shown on the IPsec VPN page, and the status of the field names (e.g., Enabled) can be verified.

(Optional) Restart the IPsec Tunnel

Monitoring a VPN Site-to-Site Tunnel

To verify that the VPN tunnel was initiated successfully and traffic is flowing, proceed with the following steps:

1. Go to https://se.barracudanetworks.com and log in with your existing Barracuda Cloud Control account.
2. In the left menu, click the Tenants/Workspaces icon and select the workspace containing your site. 
3. Go to Infrastructure > Sites. The Sites page opens.
4. Select the site you want to verify the status for. Click on the arrow icon next to the site.
   
5. In the Site menu, the Dashboard page opens. You can see the status of all VPN tunnels for the corresponding sites.
   

Edit an Existing IPsec VPN Tunnel

1. Go to https://se.barracudanetworks.com and log in with your existing Barracuda Cloud Control account.

2. In the left menu, click the Tenants/Workspaces icon and select the workspace you want to edit the IPsec IKEv2 tunnel for.

3. Go to Integration > IPsec VPN.

4. The IPsec VPN page opens.  Click on the pencil icon next to the IPsec IKEv2 tunnel you want to edit.
   

5. The Edit IPsec Tunnel window opens. Edit the value you are interested in.

6. Click Save.

Remove an Existing IPsec VPN Tunnel

1. Go to https://se.barracudanetworks.com and log in with your existing Barracuda Cloud Control account.

2. In the left menu, click the Tenants/Workspaces icon and select the workspace you want to remove the IPsec IKEv2 tunnel for.

3. Go to Integration > IPsec VPN.

4. The IPsec VPN page opens.  Click on the trashcan icon next to the IPsec IKEv2 tunnel you want to remove.
   
5. The Delete IPsec Tunnel <Name of Tunnel> window opens.
   
6. Click Ok to confirm.

Further Information

• How to Configure a Site-to-Site IPsec IKEv2 VPN Tunnel on SecureEdge Using Static Routing
• How to Configure Additional IP Addresses to a Static WAN Interface