
Example - Configuring a Site-to-Site IPsec VPN Tunnel
Last update: Tuesday, 10. Dec 2013
This article provides an example of how to configure an IPsec VPN tunnel between two Barracuda Firewalls with shared passphrase authentication. The example uses the following networks and default VPN tunnel settings:

IP Addresses
   Setting             Location 1         Location 2
   Local Networks      10.10.10.0/24      10.10.20.0/24
   Local Address       212.86.0.253       213.47.0.253

Tunnel Settings
   Setting                    Location 1          Location 2
   Tunnel initiation          Active              Passive
   Encryption Phase 1 & 2     AES256              AES256
   Hash Method Phase 1 & 2    MD5                 MD5
   DH Group Phase 1 & 2       Group 1             Group 1
   Lifetime Phase 1           28800               28800
   Lifetime Phase 2           3600                3600
   Authentication             Shared Passphrase   Shared Passphrase

In this article:
Step 1. Create the IPsec Tunnel on the Barracuda Firewall at Location 1
Step 2. Create the IPsec Tunnel on the Barracuda Firewall at Location 2
Step 3. Configure the Firewall Rule for VPN Traffic
Step 4. Verify the Order of the Firewall Rules
Step 5. Verify Successful VPN Tunnel Initiation and Traffic Flow

Step 1. Create the IPsec Tunnel on the Barracuda Firewall at Location 1

To create the IPsec tunnel:

1. Log into the Barracuda Firewall at Location 1.
2. Go to the VPN > Site-to-Site Tunnels page.
3. In the Site-to-Site IPSec Tunnels section, click Add.
4. Enter a Name for the new VPN tunnel.
5. In the Phase 1 and Phase 2 sections, specify these settings:

   Setting                    Value
   Encryption Phase 1 & 2     Select AES256.
   Hash Method Phase 1 & 2    Select MD5.
   DH Group Phase 1 & 2       Select Group 1.
   Lifetime Phase 1           Enter 28800.
   Lifetime Phase 2           Enter 3600.

6. Specify these network settings:

   Setting            Value
   Local End          Select Active.
   Local Address      Select one of the available IP addresses. If you have dynamic ISPs configured, select Dynamic.
   Local Networks     Enter 10.10.10.0/24. The network address for the locally configured LAN.
   Remote Address     Enter 213.47.0.253. The WAN IP address of location 2.
   Remote Networks    Enter 10.10.20.0/24. The remote LAN.

7. Specify these authentication settings:

   Setting            Value
   Authentication     Select Shared Passphrase.
   Passphrase         Enter the shared secret.

8. Click Add.

Step 2. Create the IPsec Tunnel on the Barracuda Firewall at Location 2

To create the IPsec tunnel:

1. Log into the Barracuda Firewall at Location 2.
2. Go to the VPN > Site-to-Site Tunnels page.
3. In the Site-to-Site IPSec Tunnels section, click Add.
4. Enter a Name for the new VPN tunnel.
5. In the Phase 1 and Phase 2 sections, specify these settings:

   Setting                    Value
   Encryption Phase 1 & 2     Select AES256.
   Hash Method Phase 1 & 2    Select MD5.
   DH Group Phase 1 & 2       Select Group 1.
   Lifetime Phase 1           Enter 28800.
   Lifetime Phase 2           Enter 3600.

6. Specify these network settings:

   Setting            Value
   Local End          Select Passive.
   Local Address      Select one of the available IP addresses. If you have dynamic ISPs configured, select Dynamic.
   Local Networks     Enter 10.20.10.0/24. The network address for the locally configured LAN.
   Remote Address     Enter 213.47.0.253. The WAN IP address of location 1.
   Remote Networks    Enter 10.10.10.0/24. The remote LAN.

7. Specify these authentication settings:

   Setting            Value
   Authentication     Select Shared Passphrase.
   Passphrase         Enter the shared secret.

8. Click Add.
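Steps 1 and 2 describe one tunnel from its two ends, and a tunnel that never comes up is most often one whose ends do not mirror each other: a Phase 1/2 parameter that differs, two Active (or two Passive) ends, or a remote address or network on one side that is not the local address or network on the other. The following Python script is an added example, not Barracuda code and not a Barracuda API: it models both tunnel definitions from the table above as plain dictionaries (the field names are assumed labels that mirror the dialog), checks the pair for exactly those mismatches, and also flags the weak defaults in the table (an MD5 integrity hash and DH Group 1, 768-bit MODP) as advisory warnings so the operator can choose stronger settings. The mistyped copy of Location 2 is constructed here to show what a mismatch report looks like.

```python
import ipaddress

# Constructed sample: the two tunnel definitions from the article's settings
# table, one per Barracuda Firewall. Field names are assumptions that mirror
# the labels in the VPN > Site-to-Site Tunnels dialog.
LOCATION_1 = {
    "name": "Location 1",
    "local_end": "Active",
    "local_address": "212.86.0.253",
    "local_networks": ["10.10.10.0/24"],
    "remote_address": "213.47.0.253",
    "remote_networks": ["10.10.20.0/24"],
    "encryption": "AES256",
    "hash": "MD5",
    "dh_group": "Group 1",
    "lifetime_phase1": 28800,
    "lifetime_phase2": 3600,
    "authentication": "Shared Passphrase",
}
LOCATION_2 = dict(
    LOCATION_1,
    name="Location 2",
    local_end="Passive",
    local_address="213.47.0.253",
    local_networks=["10.10.20.0/24"],
    remote_address="212.86.0.253",
    remote_networks=["10.10.10.0/24"],
)
# Constructed mistyped copy of Location 2: digits transposed in the local
# network, and the remote address pointing at Location 2's own WAN address.
LOCATION_2_MISTYPED = dict(
    LOCATION_2,
    local_networks=["10.20.10.0/24"],
    remote_address="213.47.0.253",
)

# Phase 1/2 parameters that must be identical on both ends; otherwise the
# IKE proposal of one side is rejected by the other and the tunnel stays down.
MATCHING_FIELDS = ("encryption", "hash", "dh_group", "lifetime_phase1",
                   "lifetime_phase2", "authentication")


def check_tunnel_pair(a, b):
    """Return a list of mismatches between two tunnel ends; empty means consistent."""
    problems = []
    for field in MATCHING_FIELDS:
        if a[field] != b[field]:
            problems.append(f"{field} differs: {a['name']}={a[field]!r}, "
                            f"{b['name']}={b[field]!r}")
    # Exactly one end initiates (Active); the other waits for it (Passive).
    ends = {a["local_end"], b["local_end"]}
    if ends != {"Active", "Passive"}:
        problems.append(f"need one Active and one Passive end, got {sorted(ends)}")
    # Each end's remote address and networks must be the other end's local ones.
    for this, other in ((a, b), (b, a)):
        if this["remote_address"] != other["local_address"]:
            problems.append(f"{this['name']} remote address {this['remote_address']} "
                            f"is not {other['name']}'s local address {other['local_address']}")
        if set(this["remote_networks"]) != set(other["local_networks"]):
            problems.append(f"{this['name']} remote networks {this['remote_networks']} "
                            f"do not match {other['name']}'s local networks {other['local_networks']}")
    # Overlapping LANs at the two sites cannot be routed through the tunnel.
    for n1 in a["local_networks"]:
        for n2 in b["local_networks"]:
            if ipaddress.ip_network(n1).overlaps(ipaddress.ip_network(n2)):
                problems.append(f"local networks {n1} and {n2} overlap")
    return problems


# Choices in the article's defaults that current guidance deprecates: MD5 as an
# IKE/ESP integrity hash, and DH groups 1 (768-bit MODP) and 2 (1024-bit MODP),
# both below the 2048-bit minimum generally recommended today.
WEAK_CHOICES = {"hash": {"MD5"}, "dh_group": {"Group 1", "Group 2"}}


def weak_algorithm_warnings(cfg):
    """Return advisory warnings for weak Phase 1/2 choices in one tunnel definition."""
    return [f"{cfg['name']}: {field}={cfg[field]!r} is considered weak"
            for field, weak in WEAK_CHOICES.items() if cfg[field] in weak]


if __name__ == "__main__":
    for label, pair in (("as in the table", (LOCATION_1, LOCATION_2)),
                        ("with a mistyped Location 2", (LOCATION_1, LOCATION_2_MISTYPED))):
        print(f"Checking tunnel pair {label}:")
        for line in check_tunnel_pair(*pair) or ["OK"]:
            print("  ", line)
    for line in weak_algorithm_warnings(LOCATION_1):
        print("warning:", line)
```

Run the file as-is to see the consistent pair pass and the mistyped pair report two problems. Comparing the two definitions before clicking Add on the second firewall is cheaper than reading IKE negotiation logs afterwards.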

Step 3. Configure the Firewall Rule for VPN Traffic

To allow network traffic between both networks, create a firewall rule. You must create the same rule on both Barracuda Firewalls.
This example configures a firewall rule to allow traffic between the 10.0.10.0/24 and 10.0.20.0/24 networks.
1. Log into the Barracuda Firewall at Location 1.
2. Go to the FIREWALL > Firewall Rules page.
3. Add a firewall rule with the following settings:

   Setting          Value
   Action           Allow
   Connection       No SNAT
   Bi-directional   Select the Bi-directional check box.
   Service          Any
   Source           10.0.10.0/24
   Destination      10.0.20.0/24

   With the Any service object, all types of network traffic are allowed between the remote and local network. For VPN tunnels, you must select the No SNAT connection object.
4. At the top of the Add Access Rule window, click Add.
5. Log into the Barracuda Firewall at Location 2 and repeat steps 2 to 4.

Step 4. Verify the Order of the Firewall Rules

New rules are created at the bottom of the firewall rule set. Because rules are processed from top to bottom, ensure that your rules are arranged in the correct order. In particular, your rules must be placed above the BLOCKALL rule; otherwise, BLOCKALL matches the traffic first and your rules are never reached. Check the order of the firewall rules in the rule sets of both Barracuda Firewalls.
After adjusting the order of rules in the rule set, click Save Changes.
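The ordering requirement in Step 4 is easy to state and easy to get wrong, because the new rule looks correct in the rule list while BLOCKALL above it silently wins. The following Python model is an added example, not Barracuda code: it implements first-match, top-to-bottom evaluation over a simplified rule (Action, Source, Destination, Service, Bi-directional, which are the columns from Step 3; the field names and the catch-all test are assumptions), evaluates the Step 3 VPN rule both as created below BLOCKALL and after it has been moved above it, and includes the check a practitioner actually wants: listing every rule that sits below a catch-all Block rule and can therefore never match.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """Simplified access rule with the columns used in Step 3 (assumed model)."""
    name: str
    action: str                 # "Allow" or "Block"
    source: str                 # CIDR network, or "Any"
    destination: str            # CIDR network, or "Any"
    service: str = "Any"        # service object name; "Any" matches every service
    bidirectional: bool = False # also match traffic in the reverse direction


def _in_net(address, network):
    """True when the address falls inside the network, or the network is Any."""
    return network == "Any" or ipaddress.ip_address(address) in ipaddress.ip_network(network)


def rule_matches(rule, src, dst, service):
    """Does this single rule match a connection from src to dst for the service?"""
    if rule.service not in ("Any", service):
        return False
    forward = _in_net(src, rule.source) and _in_net(dst, rule.destination)
    reverse = rule.bidirectional and _in_net(src, rule.destination) and _in_net(dst, rule.source)
    return forward or reverse


def evaluate(ruleset, src, dst, service="Any"):
    """First match wins, top to bottom; return (action, name of the deciding rule)."""
    for rule in ruleset:
        if rule_matches(rule, src, dst, service):
            return rule.action, rule.name
    return "Block", "<no match>"


def shadowed_by_blockall(ruleset):
    """Names of rules placed below a catch-all Block rule; they can never match."""
    for index, rule in enumerate(ruleset):
        catch_all = rule.source == "Any" and rule.destination == "Any" and rule.service == "Any"
        if rule.action == "Block" and catch_all:
            return [later.name for later in ruleset[index + 1:]]
    return []


# Constructed rules: the VPN rule from Step 3 and the catch-all BLOCKALL rule.
VPN_RULE = Rule("LAN-to-VPN", "Allow", "10.0.10.0/24", "10.0.20.0/24", bidirectional=True)
BLOCKALL = Rule("BLOCKALL", "Block", "Any", "Any")

# A newly added rule lands at the bottom, below BLOCKALL, so it is never reached.
AS_CREATED = [BLOCKALL, VPN_RULE]
# The same rule set after the VPN rule has been moved above BLOCKALL (Step 4).
REORDERED = [VPN_RULE, BLOCKALL]


if __name__ == "__main__":
    for label, ruleset in (("as created", AS_CREATED), ("reordered", REORDERED)):
        print(label,
              "10.0.10.5 -> 10.0.20.7:", evaluate(ruleset, "10.0.10.5", "10.0.20.7"),
              "reverse:", evaluate(ruleset, "10.0.20.7", "10.0.10.5"),
              "shadowed:", shadowed_by_blockall(ruleset))
```

Running the file shows the same connection decided by BLOCKALL in the first rule set and by LAN-to-VPN in the second; `shadowed_by_blockall` is the quick audit to run over a rule list before clicking Save Changes on either firewall.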

Step 5. Verify Successful VPN Tunnel Initiation and Traffic Flow

To verify that the VPN tunnel was initiated successfully and traffic is flowing, go to the VPN > Site-to-Site Tunnels
page. Verify that green check marks are displayed in the Status column of the VPN tunnel.
Use ping to verify that network traffic is passing the VPN tunnel. Open the console of your operating system and ping a
host within the remote network. If no host is available, you can ping the management IP address of the remote
Barracuda Firewall. Go to the NETWORK > IP Configuration page and ensure that Services to Allow: Ping is
enabled for the management IP address of the remote firewall.
If network traffic is not passing the VPN tunnel, go to the BASIC > Recent Connections page and ensure that network
traffic is not blocked by any other firewall rule.
