28 Barracuda Link Balancer Administrator’s Guide
Figure 3.1: Site-to-Site VPN
The Services > VPN page displays all tunnels and their status. You can add, disable, edit or delete a
tunnel from this page.
Creating VPN Tunnels
When creating a tunnel, make sure that the relevant tunnel parameters on both ends are in sync. If
needed, record the settings on the other endpoint and compare them to the local endpoint.
Mismatched settings between the tunnel endpoints are a common cause of failure to establish a
tunnel.
Many of the tunnel security parameters are advanced settings and have been given reasonable
defaults. If both endpoints are Barracuda Link Balancers, use the defaults provided unless you have a
specific reason for changing these settings.
For testing purposes, you may choose to start with a shared secret on both endpoints, but using SSL
certificates is recommended in a production environment. Upload the local and remote certificates
using the Advanced > Certificates page.
Creating a VPN in a NAT’d Environment
If either the Barracuda Link Balancer or the remote endpoint is behind a device such as a firewall
which is NAT'ing traffic, you must enable the NAT-Traversal (NAT-T) option when creating the
VPN tunnel. NAT-T is required to make IPsec and NAT work together. If the option is not enabled,
packets will be dropped by the receiving end.
If the remote endpoint for the VPN is behind a NAT’ing device, enter the IP address for the remote
endpoint in the Remote NAT-T IP field. In this case, the Primary Remote Gateway IP address is the
NAT’ing device.
If only the local Barracuda Link Balancer is behind a NAT’ing device, the Primary Remote Gateway
IP address is the remote endpoint and the Remote NAT-T IP field should be left blank.
In order for NAT-T to work, open UDP port 4500 on the firewall. The VPN log (on the Logs > VPN Log
page) will display which VPN endpoint is NAT’d.
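The following pre-flight check is an added example, not part of the guide or of the product: it compares the settings recorded from both endpoints and applies the NAT-T field rules described above. The record format, the key names and the sample IP addresses are constructed for illustration; only the field names Primary Remote Gateway, Remote NAT-T IP and NAT-T come from the guide.

```python
import ipaddress

def _ip(value):
    """Parse an IP address field; a blank field becomes None."""
    return ipaddress.ip_address(value) if value else None

def check_tunnel(local, remote, topo, production=True):
    """Return findings for the local tunnel record (empty list = consistent)."""
    findings = []
    # Parameters that must be in sync on both ends of the tunnel.
    for key in sorted(set(local["params"]) | set(remote["params"])):
        a, b = local["params"].get(key), remote["params"].get(key)
        if a != b:
            findings.append(f"mismatch {key}: local={a!r} remote={b!r}")
    if production and local["params"].get("authentication") == "shared secret":
        findings.append("shared secret in production: use certificates")
    if not (topo["local_behind_nat"] or topo["remote_behind_nat"]):
        return findings
    gateway = _ip(local["primary_remote_gateway"])
    nat_t_ip = _ip(local["remote_nat_t_ip"])
    remote_ip = _ip(topo["remote_endpoint_ip"])
    if not local["nat_t"]:
        findings.append("NAT on path but NAT-T is disabled")
    if not topo["udp_4500_open"]:
        findings.append("UDP port 4500 is not open on the firewall")
    if topo["remote_behind_nat"]:
        # Remote is NAT'd: gateway is the NAT'ing device, NAT-T IP is the endpoint.
        if gateway != _ip(topo["remote_nat_device_ip"]):
            findings.append("Primary Remote Gateway should be the NAT'ing device")
        if nat_t_ip != remote_ip:
            findings.append("Remote NAT-T IP should be the remote endpoint address")
    else:
        # Only the local unit is NAT'd: gateway is the endpoint, NAT-T IP blank.
        if gateway != remote_ip:
            findings.append("Primary Remote Gateway should be the remote endpoint")
        if nat_t_ip is not None:
            findings.append("Remote NAT-T IP should be left blank")
    return findings

# Constructed sample: remote endpoint 192.168.50.2 sits behind NAT device 203.0.113.10.
TOPO = {"local_behind_nat": False, "remote_behind_nat": True, "udp_4500_open": True,
        "remote_endpoint_ip": "192.168.50.2", "remote_nat_device_ip": "203.0.113.10"}
REMOTE = {"params": {"authentication": "certificate"}}
LOCAL_BAD = {"params": {"authentication": "shared secret"}, "nat_t": False,
             "primary_remote_gateway": "192.168.50.2", "remote_nat_t_ip": ""}
LOCAL_OK = {"params": {"authentication": "certificate"}, "nat_t": True,
            "primary_remote_gateway": "203.0.113.10", "remote_nat_t_ip": "192.168.50.2"}
```

Calling `check_tunnel(LOCAL_BAD, REMOTE, TOPO)` returns five findings, while `LOCAL_OK` against the same topology returns none.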