How to Configure a Site-to-Site IPsec VPN Tunnel
Allowing VPN Access via Dynamic WAN IP Address How to Configure a Client-to-Site VPN with PPTP
How to Allow VPN Access for Clients with IPsec (Client-to-Site VPN)
Using VPNs, mobile workers can securely access corporate information and resources. The Barracuda Firewall allows remote clients running iOS, Android, or Windows operating systems to connect via a client-to-site VPN.
In this article:
1. Identify the User Authentication Mechanism
2. Configure the Barracuda Firewall VPN Server and Firewall Rule Static WAN IP Address
Dynamic WAN IP Address 3. Configure VPN Access Policy 4. Configure the Client
1. 2.
3.
Additional XAUTH Certificates for Apple iOS Devices
1. Identify the User Authentication Mechanism
If you want to limit access to specific users and groups:
When using an external authentication method, use the USERS > External Authentication page. When using local authentication, use the USERS > Local Authentication page.
2. Configure the Barracuda Firewall VPN Server and Firewall Rule
The VPN server that runs on the Barracuda Firewall needs to listen on the appropriate IP address for the clients. You must configure the interface and firewall rule to allow VPN access. Depending on whether VPN connections to the Barracuda Firewall are made to a static or dynamically-assigned WAN IP address, complete the steps in the following Static WAN IP Address or Dynamic WAN IP Address section.
Static WAN IP Address
To allow VPN connections using a static WAN IP address on the Barracuda FirewallI: Go to the NETWORK > IP Configuration page.
In the Static Interface Configuration section, or on any Secondary IP Address of the Management IP a ddress, make sure that the VPN Server check box for the interface is selected.
Go to the FIREWALL Firewall Rules > page and make sure that the pre-installed VPNCLIENTS-2-LAN rule is enabled. There is no need to create a new rule. If VPN access is provided with a static WAN IP address, VPN client traffic is allowed by the VPNCLIENTS-2-LAN rule. This rule allows unrestricted access for VPN clients coming in through interface pvpn0 to the trusted LAN.
VPNCLIENTS-2-LAN Values:
Action Source Destination Service Interface
Group
Connection
Allow Any Trusted LAN Any VPNClients No SNAT
(original source IP address is used)
Dynamic WAN IP Address
To allow VPN connections using a dynamically-assigned WAN IP address on the Barracuda Firewall, follow the steps in Allowing VPN Access via Dynamic WAN IP Address.
3. Configure VPN Access Policy
You must configure a VPN policy to specify which clients are allowed to connect. If there is no policy that matches a client, or the policy allowing the client is disabled, the client connection is rejected.
Before you begin:
If you have iOS clients, you must configure additional XAUTH certificates. The certificate provides identity information from the Barracuda Firewall to the client. Usually, the default certificate is sufficient. However, there are special requirements for iOS clients. For instructions on how to configure the XAUTH certificates, see Additio
1.
2.
. nal XAUTH Certificates for Apple iOS Devices To configure the VPN access policy:
Go to the VPN > Client-To-Site VPN page and complete the fields.
The Phase 1 IPsec encryption settings are global for all clients that wish to connect. Phase 2 is chosen when you create the access policy; be sure to create an IPsec Phase 2 Settings entry. Optionally, you can set a message and image to be displayed when the client connects.
For additional assistance, click Help on the Client-To-Site VPN page.
Add a VPN access policy. This policy defines the network settings and restrictions that apply to groups of VPN users. Users and user groups that are not included in any access policy will not be able to connect to the VPN service.
Allowed Peers defines the type of VPN clients that are allowed to connect to the Barracuda
Firewall. This can either be the Barracuda Network Access Client or any third-party client that uses default IPsec.
4. Configure the Client
On the IPsec client system, you must enter the following key parameters to establish a connection to the Barracuda Firewall:
Key Parameter Description
VPN Server The external IP address or DNS hostname of your
Barracuda Firewall.
Encryption Make sure that the client-side VPN configuration
matches the IPsec Phase 1 and Phase 2 settings on the Barracuda Firewall. If the incorrect encryption, hash, or DH group are selected, the client can still reach the VPN server but will be unable to
communicate. Also, the tunnel will not be established. Lifetimes must be identical; a mismatch can lead to brief tunnel terminations whenever one side reaches its lifetime, instead of the renegotiation that is supposed to happen transparently.
Authentication The username is case-insensitive, but the password
is case-sensitive. If the client is unable to connect due to authentication problems, make sure that you have entered the correct password.
Additional XAUTH Certificates for Apple iOS Devices
If the client system is an iOS device such as an iPhone or an iPad, more configuration steps are required. Due to restrictions of iOS, you must use a certificate and user/password-based authentication combination called XAUTH.
Because certificate-based authentication is required, you must have three types of X.509 certificates that come with a valid chain of trust. The trust anchor is the Certificate Authority (CA) signed root certificate. The end instances are the server certificate for the Barracuda Firewall and the client certificate for the iOS device. If you do not have CA-signed X.509 certificates available, you can use self-signed certificates instead. These
1. 2. 3. 1. 2. 3.
certificates must also have a valid chain of trust. Typically, X.509 certificates are created through a Public Key Infrastructure (PKI) that allows creating, signing, or revoking certificates. Examples include Microsoft's PKI with Active Directory, and XCA - X Certificate and key management.
The following table lists the required X.509 certificates, their settings, and where they must be installed.
X.509 Certificate Type
Where to Install File Type Chain of Trust X.509 Extensions and Values
Root Certificate Barracuda Firewall & Apple iOS Device
PEM Trust Anchor Mandatory option
for key usage: Certi
ficate sign; CRL sign.
Server Certificate Barracuda Firewall PKCS12 End Instance Subject Alternative Name
—IP address of the Barracuda Firewall or the DNS hostname. Examples: IP:80.55 .133.55 or DNS:xy.abc.com Key Usage —Inclu
ding the "Digital Signature" flag.
Client Certificate Apple iOS Device PKCS12 End Instance Key Usage—Includ
ing the "Digital Signature" flag.
To import the certificates to the Barracuda Firewall: Go to the VPN Certificates> page.
In the Upload Certificate section, upload both the Root and the Server certificates. Ensure that they have different, distinct names on the Barracuda Firewall.
If needed, you can upload intermediary certificates on the same page.
After you import the certificates, complete the remaining configurations as you would for other types of client systems. However, you must select the server certificate from the Local Certificate list in the Settings section of the VPN Client-To-Site VPN> page.
On the iOS device, import both the Root and the Client certificates. You can import the certificate via email or by downloading it from a web server.
To create a new VPN connection on the iOS device:
On the iOS device, go to Settings > General > VPN. Click Add VPN Configuration and then click the IPsec tab. Edit the following settings:
3. 1. 2. 3. 4. 1. 2.
Server — Enter the Subject Alternative Name used in your certificates.
Account and Password — Enter the XAUTH user and password.
Use Certificate — Enable it.
Certificate — Select your X.509 client certificate.