Last update: Tuesday, 10. Dec 2013
Barracuda Firewall
Example - Configuring a Site-to-Site IPsec VPN Tunnel
This article provides an example of how to configure an IPsec VPN tunnel between two Barracuda Firewalls with shared
passphrase authentication. The example uses the following networks and default VPN tunnel settings:
IP Addresses        Location 1          Location 2
Local Networks      10.10.10.0/24       10.10.20.0/24
Local Address       212.86.0.253        213.47.0.253

Tunnel Settings           Location 1          Location 2
Tunnel initiation         Active              Passive
Encryption Phase 1 & 2    AES256              AES256
Hash Method Phase 1 & 2   MD5                 MD5
DH Group Phase 1 & 2      Group 1             Group 1
Lifetime Phase 1          28800               28800
Lifetime Phase 2          3600                3600
Authentication            Shared Passphrase   Shared Passphrase
In this article:
Step 1. Create the IPsec Tunnel on the Barracuda Firewall at Location 1
Step 2. Create the IPsec Tunnel on the Barracuda Firewall at Location 2
Step 3. Configure the Firewall Rule for VPN Traffic
Step 4. Verify the Order of the Firewall Rules
Step 5. Verify Successful VPN Tunnel Initiation and Traffic Flow
Step 1. Create the IPsec Tunnel on the Barracuda Firewall at Location 1
To create the IPsec tunnel:
1. Log into the Barracuda Firewall at Location 1.
2. Go to the VPN > Site-to-Site Tunnels page.
3. In the Site-to-Site IPSec Tunnels section, click Add.
4. Enter a Name for the new VPN tunnel.
5. In the Phase 1 and Phase 2 sections, specify these settings:
Setting                   Value
Encryption Phase 1 & 2    Select AES256.
Hash Method Phase 1 & 2   Select MD5.
DH Group Phase 1 & 2      Select Group 1.
Lifetime Phase 1          Enter 28800.
Lifetime Phase 2          Enter 3600.
6. Specify these network settings:
Setting           Value
Local End         Select Active.
Local Address     Select one of the available IP addresses. If you have dynamic ISPs configured, select Dynamic.
Local Networks    Enter 10.10.10.0/24. The network address for the locally configured LAN.
Remote Address    Enter 213.47.0.253. The WAN IP address of location 2.
Remote Networks   Enter 10.10.20.0/24. The remote LAN.
7. Specify these authentication settings:
Setting           Value
Authentication    Select Shared Passphrase.
Passphrase        Enter the shared secret.
8. Click Add.
Step 2. Create the IPsec Tunnel on the Barracuda Firewall at Location 2
To create the IPsec tunnel:
1. Log into the Barracuda Firewall at Location 2.
2. Go to the VPN > Site-to-Site Tunnels page.
3. In the Site-to-Site IPSec Tunnels section, click Add.
4. Enter a Name for the new VPN tunnel.
5. In the Phase 1 and Phase 2 sections, specify these settings:
Setting                   Value
Encryption Phase 1 & 2    Select AES256.
Hash Method Phase 1 & 2   Select MD5.
DH Group Phase 1 & 2      Select Group 1.
Lifetime Phase 1          Enter 28800.
Lifetime Phase 2          Enter 3600.
6. Specify these network settings:
Setting           Value
Local End         Select Passive.
Local Address     Select one of the available IP addresses. If you have dynamic ISPs configured, select Dynamic.
Local Networks    Enter 10.20.10.0/24. The network address for the locally configured LAN.
Remote Address    Enter 213.47.0.253. The WAN IP address of location 1.
Remote Networks   Enter 10.10.10.0/24. The remote LAN.
7. Specify these authentication settings:
Setting           Value
Authentication    Select Shared Passphrase.
Passphrase        Enter the shared secret.
8. Click Add.
Step 3. Configure the Firewall Rule for VPN Traffic
To allow network traffic between both networks, create a firewall rule. You must create the same rule on both Barracuda
Firewalls.
This example configures a firewall rule to allow traffic between the 10.0.10.0/24 and 10.0.20.0/24 networks.
1. Log into the Barracuda Firewall at Location 1.
2. Go to the FIREWALL > Firewall Rules page.
3. Add a firewall rule with the following settings:
Setting          Value
Action           Allow
Connection       No SNAT
Bi-directional   Select the Bi-directional check box.
Service          Any
Source           10.0.10.0/24
Destination      10.0.20.0/24
With the Any service object, all types of network traffic are allowed between the remote and local network. For VPN
tunnels, you must select the No SNAT connection object.
4. At the top of the Add Access Rule window, click Add.
5. Log into the Barracuda Firewall at Location 2 and repeat steps 2 to 4.
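As an added sanity check for Steps 1 to 3 (example code written for this article, not a Barracuda tool), the script below models both tunnel definitions and the access rule, and reports a mis-mirrored pair (a remote address or network that does not equal the peer's local one, two Active ends, differing Phase settings or passphrases), a rule that is not Allow / No SNAT / bi-directional, and the weak MD5 and DH Group 1 choices used in this example. The addresses are the ones from the table at the top of the article; the passphrase value is a placeholder.

```python
"""Mirror and weak-setting checks for a site-to-site IPsec pair (constructed example, not Barracuda tooling)."""
import ipaddress
from dataclasses import dataclass
WEAK_HASHES = {"MD5"}         # collision-broken; SHA-2 is the usual replacement
WEAK_DH_GROUPS = {"Group 1"}  # 768-bit MODP

@dataclass
class Tunnel:
    local_end: str        # "Active" initiates, "Passive" waits for the peer
    local_address: str    # this site's WAN IP
    local_networks: str   # this site's LAN (CIDR)
    remote_address: str   # peer's WAN IP
    remote_networks: str  # peer's LAN (CIDR)
    encryption: str
    hash_method: str
    dh_group: str
    lifetime_p1: int
    lifetime_p2: int
    passphrase: str       # the shared secret; a placeholder in the examples
def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)
def check_pair(a, b):
    """a is Location 1, b is Location 2. Returns findings; an empty list is a clean mirror."""
    findings = []
    if {a.local_end, b.local_end} != {"Active", "Passive"}:
        findings.append("one end must be Active and the other Passive")
    for label, me, peer in (("Location 1", a, b), ("Location 2", b, a)):
        # Each end's remote settings must equal the peer's local settings.
        if ipaddress.ip_address(me.remote_address) != ipaddress.ip_address(peer.local_address):
            findings.append(f"{label}: remote address {me.remote_address} is not the peer's WAN IP")
        if _net(me.remote_networks) != _net(peer.local_networks):
            findings.append(f"{label}: remote network {me.remote_networks} is not the peer's LAN")
    for field in ("encryption", "hash_method", "dh_group", "lifetime_p1", "lifetime_p2", "passphrase"):
        if getattr(a, field) != getattr(b, field):
            findings.append(f"{field} differs between the two ends")
    if a.hash_method in WEAK_HASHES:
        findings.append(f"warning: {a.hash_method} is a weak hash method")
    if a.dh_group in WEAK_DH_GROUPS:
        findings.append(f"warning: {a.dh_group} is a weak DH group")
    return findings

def check_rule(tunnel, rule):
    """rule: dict with the Step 3 columns (action, connection, bidirectional, source, destination)."""
    findings = []
    if rule["action"] != "Allow" or rule["connection"] != "No SNAT" or not rule["bidirectional"]:
        findings.append("rule must be Allow, No SNAT and bi-directional")
    if {_net(rule["source"]), _net(rule["destination"])} != {_net(tunnel.local_networks), _net(tunnel.remote_networks)}:
        findings.append("rule source/destination do not match the tunnel's local and remote networks")
    return findings
```

Because the rule compares source and destination as an unordered pair, the same rule passes the check at both ends, which matches the article's instruction to create the identical rule on both firewalls.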
Step 4. Verify the Order of the Firewall Rules
New rules are created at the bottom of the firewall rule set. Because rules are processed from top to bottom, arrange your rules in the correct order. In particular, make sure that your rules are placed above the BLOCKALL rule; otherwise, BLOCKALL matches first and the VPN traffic is dropped before your rules are reached. Check the order of the firewall rules in the rule sets of both Barracuda Firewalls.
After adjusting the order of the rules in the rule set, click Save Changes.
Step 5. Verify Successful VPN Tunnel Initiation and Traffic Flow
To verify that the VPN tunnel was initiated successfully and traffic is flowing, go to the VPN > Site-to-Site Tunnels
page. Verify that green check marks are displayed in the Status column of the VPN tunnel.
Use ping to verify that network traffic is passing through the VPN tunnel. Open the console of your operating system and ping a host within the remote network. If no host is available, you can ping the management IP address of the remote Barracuda Firewall. Go to the NETWORK > IP Configuration page and ensure that Services to Allow: Ping is enabled for the management IP address of the remote firewall.
If network traffic is not passing through the VPN tunnel, go to the BASIC > Recent Connections page and ensure that the traffic is not blocked by another firewall rule.