User's guide
In this article:
Step 1. Identify the User Authentication Mechanism
Step 2. Configure the Barracuda Firewall VPN Server and Firewall Rule
Static WAN IP Address
Dynamic WAN IP Address
Step 3. Configure the VPN Server Certificates
Create a Self-Signed Certificate on the Barracuda Firewall
Import External Certificates
Certificates for iOS Clients
Step 4. Configure VPN Access Policy
Step 5. Configure the Client
Step 1. Identify the User Authentication Mechanism
If you want to limit access to specific users and groups:
Using an external authentication method such as a Microsoft Active Directory, RADIUS, or LDAP server, go to the USERS > External Authentication page. Use these services to authenticate VPN users. You can control access to the VPN by only allowing specific users or groups. For more information on how to set up an external authentication method, see How to Integrate with an External Authentication Service.
Using local authentication, go to the USERS > Local Authentication page. In the Local Users and Groups table, add users and groups.
Step 2. Configure the Barracuda Firewall VPN Server and Firewall Rule
The VPN service that runs on the Barracuda Firewall must listen on an external IP interface (WAN). You must configure the WAN interface and create a firewall rule to grant access to the VPN. Depending on whether VPN connections to the Barracuda Firewall are made to a static or dynamically-assigned WAN IP address, complete the steps in either the following Static WAN IP Address or Dynamic WAN IP Address section.
Static WAN IP Address
To allow VPN connections using a static WAN IP address on the Barracuda Firewall:
1. Go to the NETWORK > IP Configuration page.
2. In the Static Interface Configuration section, or on any Secondary IP Address of the management IP address, verify that the VPN Server check box for the interface is selected.
3. Go to the FIREWALL > Firewall Rules page and verify that the pre-installed VPNCLIENTS-2-LAN rule is enabled. You do not have to create a new rule. If VPN access is provided with a static WAN IP address, VPN client traffic is allowed by the VPNCLIENTS-2-LAN rule. This rule allows unrestricted access for VPN clients coming in through interface pvpn0 to the trusted LAN.
VPNCLIENTS-2-LAN Values:
Action  Source  Destination  Service  Interface Group  Connection
Allow   Any     Trusted LAN  Any      VPNClients       No SNAT (the original source IP address is used)
Dynamic WAN IP Address
To allow VPN connections using a dynamically assigned WAN IP address on the Barracuda Firewall, follow the steps in How to Allow VPN Access via a Dynamic WAN IP Address.
Step 3. Configure the VPN Server Certificates
For the VPN server to authenticate with the VPN client, either create self-signed certificates on the Barracuda Firewall or import certificates signed by an external Certificate Authority (CA or PKI). If you have iOS clients, configure additional XAUTH certificates.
Create a Self-Signed Certificate on the Barracuda Firewall
To create self-signed certificates on the Barracuda Firewall:
1. Go to the VPN > Certificates page.