
The Barracuda CloudGen Firewall can establish IPsec VPN tunnels to any standards-compliant IKEv2 IPsec VPN gateway. The site-to-site IPsec VPN tunnel must be configured with identical settings on both the firewall and the third-party IKEv2 IPsec gateway.

If not already present, configure the Default Server Certificate in CONFIGURATION > Configuration Tree > Box > Assigned Services > VPN-Service > VPN Settings.

Configure the VPN Service Listeners

Configure the IPv4 and IPv6 listener addresses for the VPN service.

1. Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > VPN-Service > Service Properties.
2. From the Service Availability list, select the source for the IPv4 listeners of the VPN service. When selecting Explicit, click + for each IP address and enter the IPv4 addresses in the Explicit Service IPs list.
3. Click + to add an entry to the Explicit IPv6 Service IPs, and select an IPv6 listener from the list of configured explicit IPv6 service IP addresses.

Create an IKEv2 IPsec Tunnel on the CloudGen Firewall

1. Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > VPN-Service > Site to Site.
2. Right-click the table and select New IKEv2 Tunnel.
3. Select whether the firewall initiates the tunnel:
Yes – The firewall is the active unit and continuously attempts to connect to the remote VPN gateway until a VPN tunnel is established.
No – The firewall is the passive unit and waits for connection attempts from the remote VPN gateway.
4. Select whether the SA is restarted on close (Restart SA on Close):
Yes – Restart the connection if the tunnel terminates unexpectedly.
No – Close the VPN connection if the tunnel terminates unexpectedly.
5. Select the authentication method:
Shared secret – The shared secret can consist of lower-case and upper-case letters, numbers, and non-alphanumeric symbols, except the hash sign (#).
CA certificate – Select a Server Certificate and a CA Root certificate, and enter an X509 Condition to use certificate authentication.
X509 certificate (explicit) – Select a Server Certificate and import an explicit X509 certificate.
6. Select the algorithms for the proposal:
Encryption – Select the encryption algorithm: AES, 3DES, Blowfish, or AES256.
Hash – Select the hashing algorithm: MD5, SHA, SHA256, or SHA512.
DH-Group – Select the Diffie-Hellman Group.
MD5, SHA (SHA-1), 3DES and Blowfish are legacy algorithms; unless the remote device cannot support anything else, choose AES256 with SHA256 or SHA512 and a strong DH group, and configure the same set on the third-party gateway.
7. Select how the proposal is negotiated:
Strict – The effective encryption is strictly determined by the proposed set of Encryption, Hash and Group. The communication partner must agree with the proposed set; otherwise, no communication is established because there is no common encryption agreement.
Negotiate – This option lets a communication partner decrease the strength of the encryption if it cannot support the proposed encryption from the initiator.
Because Negotiate lets the peer settle on a weaker algorithm than the one you proposed, prefer Strict and only use Negotiate when interoperability with a specific remote device requires it.
8. Set the IPsec SA lifetimes:
Lifetime (seconds) – Enter the number of seconds until the IPsec SA is re-keyed.
Lifetime (KB) – Enter the number of KB after which the IPsec SA is re-keyed.
9. Select the IP Version of the local listener and the remote gateway:
IP Version – Click IPv4 or IPv6 to match the IP versions of the Local Gateway and Remote Gateway addresses.
10. (optional) Select Advanced Network Settings:
One VPN Tunnel per Subnet Pair – Creates a dedicated security association for each subnet pair. This is needed if the remote device is a Cisco ASA. If you connect to Sophos, the check box must not be selected!
Force UDP Encapsulation – Use UDP encapsulation (UDP port 4500) for ESP traffic even if no NAT is detected.
Universal Traffic Selector – Instruct the peer to route all traffic into the tunnel. This is needed if the remote device is a Checkpoint firewall.
IKE Reauthentication – Reauthenticate during every IKE rekeying. This setting must be disabled if the remote device is a Microsoft Azure Dynamic VPN Gateway. The combination of Restart SA on Close and IKE Reauthentication is not supported.
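As an added example that is not part of the Barracuda documentation, the following strongSwan swanctl.conf fragment shows how the tunnel settings above map onto a standards-compliant third-party IKEv2 gateway on the remote side. Since both ends must be configured identically, each key is commented with the CloudGen setting it has to match. All addresses (RFC 5737 documentation ranges), subnets, connection names, lifetimes and the secret are constructed placeholders, and the mapping of CloudGen options to swanctl keys is this editor's reading of the two products' settings, not an official Barracuda or strongSwan statement.

```conf
# /etc/swanctl/swanctl.conf on the third-party (strongSwan) gateway.
# Constructed example: addresses are RFC 5737 documentation ranges; subnets,
# names, lifetimes and the secret are placeholders, not values from the page.
connections {
    to-cloudgen {
        version = 2                          # IKEv2 only, no IKEv1 fallback
        local_addrs  = 203.0.113.10          # this gateway's listener
        remote_addrs = 198.51.100.20         # CloudGen VPN service listener (IP Version = IPv4)

        # IKE proposal: must equal the Encryption / Hash / DH-Group set on the
        # CloudGen side. With Strict there, any other set fails the negotiation.
        proposals = aes256-sha256-modp2048

        # IKE Reauthentication: re-authenticate (not just rekey) the IKE SA on
        # this interval. Set to 0 (strongSwan's default) when the CloudGen
        # option is off, e.g. when the peer is an Azure gateway.
        reauth_time = 4h

        # Force UDP Encapsulation: ESP-in-UDP on port 4500 even without NAT.
        encap = yes

        # Dead peer detection; the child's dpd_action decides what happens on loss.
        dpd_delay = 30s

        local {
            auth = psk
            id = 203.0.113.10
        }
        remote {
            auth = psk
            id = 198.51.100.20
        }

        children {
            # One VPN Tunnel per Subnet Pair: one child (one CHILD_SA) per
            # subnet pair instead of one child listing several subnets.
            site-a-to-b {
                local_ts  = 10.10.0.0/24
                remote_ts = 10.20.0.0/24
                # ESP proposal: same algorithm set as the IKE proposal above.
                esp_proposals = aes256-sha256-modp2048
                # Lifetime (seconds) / Lifetime (KB) on the CloudGen side.
                # swanctl counts bytes, so 500000 KB becomes 512000000.
                rekey_time  = 3600s
                rekey_bytes = 512000000
                # Initiates Tunnel = Yes on this side: bring the tunnel up on
                # load. Use start_action = none for the passive role and let
                # the CloudGen initiate instead.
                start_action = start
                # Restart SA on Close = Yes: re-establish after the peer closes
                # the SA or DPD declares it dead.
                close_action = start
                dpd_action   = restart
            }
            site-a-to-c {
                local_ts  = 10.10.0.0/24
                remote_ts = 10.30.0.0/24
                esp_proposals = aes256-sha256-modp2048
                rekey_time  = 3600s
                rekey_bytes = 512000000
                start_action = start
                close_action = start
                dpd_action   = restart
            }
            # Universal Traffic Selector on the CloudGen side would correspond
            # to remote_ts = 0.0.0.0/0 here (all traffic into the tunnel); it
            # is not used in this example.
        }
    }
}

secrets {
    ike-cloudgen {
        id-1 = 198.51.100.20
        # Quoted because '#' starts a comment in swanctl.conf and is also the
        # one character the CloudGen shared secret must not contain.
        secret = "replace-with-a-long-random-shared-secret"
    }
}
```

Load the file with `swanctl --load-all` and check the result with `swanctl --list-sas`: the listed IKE and ESP algorithms should be exactly the set configured on the CloudGen side. If the CloudGen tunnel uses Negotiate and the output shows a weaker algorithm than you proposed, the peer downgraded the proposal, which is the case the Strict setting is meant to prevent.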
