Barracuda Firewall

To configure the tunnel in the Barracuda Management Portal:

  1. Log in to the Barracuda Management Portal with the Administrator account.

  2. From the top menu, click Configuration > Virtual Servers > Your virtual server > Assigned Services > VPN (VPN-Service) > Site to Site.

  3. In the IPsec IKEv2 Tunnels tab, create a new tunnel:

    1. In the General section:

      1. In the Tunnel Name field, enter a tunnel name.

      2. Leave the rest of the fields at their default settings.

    2. In the Authentication section:

      1. From the Authentication Method list, select Pre-shared key.

      2. In the Shared Secret field, enter the same secret key that you specified in step 6 in Configuring the Tunnel in the Harmony SASE Administrator Portal.

      3. Leave the rest of the fields at their default settings.

    3. In the Phase 1 section:

      Field                 Enter
      Encryption            AES256
      Hash                  SHA
      Diffie-Hellman Group  2
      Proposal Handling     Strict
      Lifetime              28800

    4. In the Phase 2 section:

      Field                Enter
      Encryption           AES256
      Hash                 SHA
      DH-Group             2
      Proposal Handling    Strict
      Lifetime             3600
      Traffic Volume (KB)  Unlimited

  4. Click Configuration > Site to Site VPN (vpn):

    1. Create a new site-to-site VPN or edit an existing one.

    2. In the IPSec IKEv2 Tunnel selection:

      Field                              Enter
      Endpoint Type                      IPv4
      One VPN Tunnel per Subnet Pair     Clear
      Universal Traffic Selectors        Clear
      Force UDP Encapsulation            Clear
      IKE Reauthentication               Select
      Next Hop Routing                   0.0.0.0
      Interface Index                    0

    3. In the Network Local selection:

      Field            Enter
      Local Gateway    Barracuda Firewall Public IP address
      Local ID         Barracuda Firewall Public IP address
      Network address  Internal network subnets

    4. In the Network Remote selection:

      Field            Enter
      Remote Gateway   Harmony SASE Public IP address
      Remote ID        Harmony SASE Public IP address
      Network address  Harmony SASE network subnets

    5. In the Dead Peer Detection selection:

      Field            Enter
      Action           Restart
      Delay (seconds)  30

    6. Click OK.

    7. Click Send Changes.

    8. Click Activate.

  5. Click Firewall > Forwarding Rules:

    1. Add the Harmony SASE gateway public IP address to the allow-list.

    2. Ensure that the Harmony SASE gateway public IP address is listed under the firewall rules.

    3. Add the static routes from the Harmony SASE subnet (10.XXX.0.0/16) to the local network and from the local network to the Harmony SASE subnet (10.XXX.0.0/16) through the VPN tunnel gateway.

  6. Click Configuration > Site to Site VPN (vpn):

    1. In the Client Networks tab:

      Field            Enter
      Network Address  172.xxx.0.0/16 (or relevant subnet)
      Gateway          Local Barracuda IP address
      Name             Tunnel name.

    2. Click OK.

  7. To verify that the tunnel is up, go to VPN > Site-to-Site. If the tunnel is listed in the table, then the tunnel is up.
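
The check below is an added example, not part of the vendor's procedure: it compares the Phase 1 and Phase 2 values entered above against a peer profile before the tunnel is activated, flags parameters that RFC 8247 lists as legacy, and looks for overlapping local and remote subnets. The peer profile and the subnets are constructed sample values, and the code assumes that SHA in the portal means SHA-1 and that Strict proposal handling accepts only the listed algorithms.

```python
import ipaddress

# Values this page enters on the Barracuda side (Phase 1 and Phase 2 tables).
BARRACUDA = {
    "phase1": {"encryption": "AES256", "hash": "SHA", "dh_group": 2, "lifetime": 28800},
    "phase2": {"encryption": "AES256", "hash": "SHA", "dh_group": 2, "lifetime": 3600},
}
NEGOTIATED = ("encryption", "hash", "dh_group")  # IKEv2 does not negotiate lifetimes
# RFC 8247 status: SHA-1 is "MUST-" (being phased out), MODP groups 2 and 5 are "SHOULD NOT".
# Assumption: "SHA" in the portal means SHA-1.
LEGACY = {"hash": {"SHA", "SHA1"}, "dh_group": {2, 5}}


def compare(local, remote):
    """Split differences into blocking (proposal) and informational (lifetime)."""
    blocking, info = [], []
    for phase, params in local.items():
        for field, value in params.items():
            other = remote.get(phase, {}).get(field)
            if other != value:
                (blocking if field in NEGOTIATED else info).append((phase, field, value, other))
    return blocking, info


def legacy_findings(profile):
    """List (phase, field, value) entries that RFC 8247 marks as legacy."""
    return [(phase, field, params[field])
            for phase, params in profile.items()
            for field in LEGACY if params[field] in LEGACY[field]]


def overlapping(local_nets, remote_nets):
    """Return subnet pairs that overlap and would make tunnel routing ambiguous."""
    return [(l, r) for l in local_nets for r in remote_nets
            if ipaddress.ip_network(l).overlaps(ipaddress.ip_network(r))]


# Constructed peer profile: same as above except a different Phase 2 hash and lifetime.
REMOTE_SAMPLE = {
    "phase1": dict(BARRACUDA["phase1"]),
    "phase2": {"encryption": "AES256", "hash": "SHA256", "dh_group": 2, "lifetime": 1800},
}

if __name__ == "__main__":
    blocking, info = compare(BARRACUDA, REMOTE_SAMPLE)
    print("blocking:", blocking)
    print("informational:", info)
    print("legacy:", legacy_findings(BARRACUDA))
    print("overlap:", overlapping(["192.168.10.0/24", "10.200.4.0/24"], ["10.200.0.0/16"]))
```

An empty blocking list means the two proposals agree on every negotiated field; lifetime differences are reported separately because each IKEv2 peer rekeys on its own timer.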