How to Create a VPN TINA Tunnel for Forwarding Traffic from a Local Default Router Instance to a Remote Virtual Router Instance

If you are running multiple virtual routers on your CloudGen Firewall, each virtual router instance can be configured independently of any other one. Because the VPN service is available only to the default router, the traffic managed by an additional virtual router instance must be handed over to the VPN service running in the default router so that it can be encapsulated into the VPN TINA tunnel. This is achieved by a VPN interface index that binds the tunnel configuration and the traffic from the additional virtual router instance to the VPN interface running on the default router.

In the following example, a VPN TINA tunnel is used for forwarding traffic between two private networks that are located behind a local and a remote firewall. The local firewall actively initiates a TINA tunnel while the remote firewall passively listens for tunnel connection requests.
The first private network (192.168.0.0/24) is attached to an interface on the local firewall. This interface is managed by an additional virtual router instance (VR01). The second private network (192.168.1.0/24) is attached to an interface on the remote firewall. This interface is also managed by an additional virtual router instance (VR01). On the local firewall, the public IP of the VPN TINA tunnel is managed by the default router; on the remote firewall, the public IP of the VPN TINA tunnel is managed by the virtual router VR01. A client PC sends ping messages to the router address of the private network on the remote firewall (192.168.1.254).

Because the VPN service is only available on the default router, traffic that arrives through the VPN TINA tunnel on the virtual router of the remote firewall has to be redirected to the VPN service. This redirection requires an access rule.

Although not required, it is recommended for a better overview to use the same number for the VPN interface index as the number of your additional virtual router. For example, VR01 should correspond to a VPN interface index equal to 1.

Before You Begin

Create a VPN Interface on the Local and Remote Firewall

Execute the following steps for both the local and remote firewall. Start with the local firewall.

  1. Go to CONFIGURATION > Configuration Tree > Box > your local firewall > Assigned Services > VPN > VPN Settings.

  2. Click Lock.

  3. In the left menu, select Routed VPN.

  4. Next to the Interface Configuration table, click Add. The VPN Interface Properties window opens.

  5. For VPN Interface Index, enter a number. For a better overview, always use the same number as the number of your additional virtual router. For example, in case your router instance name is VR01, enter 1.

  6. From the VR Instance list, select your virtual router instance, e.g., VR01.

  7. Click OK.

  8. Click Send Changes and Activate.

If not yet done, repeat the previous steps on the remote firewall.

Create a VPN TINA Tunnel on the Local Firewall

  1. Go to CONFIGURATION > Configuration Tree > Box > your local firewall > Assigned Services > VPN > Site to Site.

  2. Click Lock.

  3. Select TINA Tunnels.

  4. Right-click and select New TINA tunnel from the list.

  5. In the TINA Tunnel window, enter a name for the TINA tunnel.

  6. In the Name field, enter the name for the new VPN tunnel.

  7. (IPv6 only) Select the IPv6 check box.

  8. Configure the Basics TINA tunnel settings to match the settings configured for the local firewall.

  9. In the Local Networks tab, set the Call Direction to Active.

  10. For the Network Address, enter the network address of the private network behind the local firewall, e.g., 192.168.0.0/24.

  11. Click Add.

  12. Click the Local tab and select Explicit List (ordered) from the list.

  13. Enter the IP address or Interface used for Tunnel Address.

  14. Click Add.

  15. In the Remote Networks tab, enter 1 for the VPN Interface Index.

  16. For the Remote Network, enter the network address for the private network behind the remote firewall, e.g., 192.168.1.0/24.

  17. Click Add.

  18. Click the Remote tab and enter the Remote Peer IP Address, e.g., 212.86.0.11.

  19. Click Add.

  20. Click OK to leave the TINA Tunnel window.

  21. When you are informed that the identification information between the two sites has not been set, click OK to proceed. This information is configured in a later step.

Create a VPN TINA Tunnel on the Remote Firewall

  1. Go to CONFIGURATION > Configuration Tree > Box > your remote firewall > Assigned Services > VPN > Site to Site.

  2. Click Lock.

  3. Select TINA Tunnels.

  4. Right-click and select New TINA tunnel from the list.

  5. In the TINA Tunnel window, enter a name for the TINA tunnel.

  6. In the Name field, enter the name for the new VPN tunnel.

  7. (IPv6 only) Select the IPv6 check box.

  8. Configure the Basics TINA tunnel settings to match the settings configured for the remote firewall.

  9. In the Local Networks tab, set the Call Direction to Passive.

  10. For the Network Address, enter the network address of the private network behind the local firewall, e.g., 192.168.1.0/24.

  11. Click Add.

  12. Click the Local tab and select Explicit List (ordered) from the list.

  13. Enter the IP address or Interface used for Tunnel Address, e.g., 212.86.0.11.

  14. Click Add.

  15. In the Remote Networks tab, enter 1 for the VPN Interface Index.

  16. For the Remote Network, enter the network address for the private network behind the remote firewall, e.g., 192.168.0.0/24.

  17. Click Add.

  18. Click the Remote tab and enter the Remote Peer IP Address, e.g., 62.99.0.36.

  19. Click Add.

  20. Directly proceed with the next step without leaving the displayed window.
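Before sending the changes, it is worth confirming that the two tunnel definitions mirror each other (complementary call directions, each side's Local Networks equal to the other side's Remote Networks, each Remote Peer IP equal to the other side's Tunnel Address, and the VPN interface index following the VR number). The following checker is an added example, not Barracuda code; the TinaEndpoint fields are assumptions that mirror the GUI fields, and the sample addresses are the example values used in this text.

```python
"""Mirror check for the two TINA tunnel endpoints above (added example, not Barracuda code)."""
import ipaddress
import re
from dataclasses import dataclass, field

@dataclass
class TinaEndpoint:
    name: str
    call_direction: str        # "Active" (initiates) or "Passive" (listens)
    vr_instance: str           # virtual router owning the private interface, e.g. "VR01"
    vpn_interface_index: int   # index that hands VR traffic to the default router's VPN service
    tunnel_address: str        # public IP this side uses for the tunnel (Local tab)
    remote_peer_ip: str        # peer's public IP entered under the Remote tab
    local_networks: list = field(default_factory=list)
    remote_networks: list = field(default_factory=list)

def _nets(cidrs):
    return {ipaddress.ip_network(c, strict=False) for c in cidrs}

def check_tunnel_pair(a: TinaEndpoint, b: TinaEndpoint) -> list:
    """Return findings; an empty list means the two configurations mirror each other."""
    findings = []
    if {a.call_direction, b.call_direction} != {"Active", "Passive"}:
        findings.append("one side must be Active and the other Passive")
    for side, peer in ((a, b), (b, a)):
        # the peer IP entered on one side must be the other side's tunnel address
        if side.remote_peer_ip != peer.tunnel_address:
            findings.append(f"{side.name}: remote peer {side.remote_peer_ip} is not the "
                            f"tunnel address of {peer.name} ({peer.tunnel_address})")
        # one side's Local Networks must equal the other side's Remote Networks
        if _nets(side.local_networks) != _nets(peer.remote_networks):
            findings.append(f"{side.name}: local networks differ from remote networks of {peer.name}")
        # local and remote networks on one side must not overlap, or routing is ambiguous
        if any(ln.overlaps(rn) for ln in _nets(side.local_networks) for rn in _nets(side.remote_networks)):
            findings.append(f"{side.name}: local and remote networks overlap")
        # convention recommended in the text: index equals the VR number (VR01 -> 1)
        m = re.fullmatch(r"VR(\d+)", side.vr_instance)
        if not m or int(m.group(1)) != side.vpn_interface_index:
            findings.append(f"{side.name}: VPN interface index {side.vpn_interface_index} "
                            f"does not match {side.vr_instance}")
    return findings

def example_pair():
    """The two endpoints from the text; addresses are the page's example values."""
    local = TinaEndpoint("local", "Active", "VR01", 1, "62.99.0.36", "212.86.0.11",
                         ["192.168.0.0/24"], ["192.168.1.0/24"])
    remote = TinaEndpoint("remote", "Passive", "VR01", 1, "212.86.0.11", "62.99.0.36",
                          ["192.168.1.0/24"], ["192.168.0.0/24"])
    return local, remote
```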

Exchange the Public Keys Between the Local and Remote Firewall

Start with exporting the public key in the displayed window on the remote firewall.

  1. Click the Identify tab.

  2. Click Ex/Import.

  3. In the menu, click Export Public Key to Clipboard.

  4. Click OK to close the TINA Tunnel window.

  5. Go to CONFIGURATION > Configuration Tree > Box > your local firewall > Assigned Services > VPN > Site to Site.

  6. Click Lock.

  7. Select TINA Tunnels.

  8. Double-click the entry for the VPN tunnel.

  9. The TINA Tunnel window is displayed.

  10. Click the Peer Identification tab.

  11. Click Ex/Import.

  12. In the menu, click Import Private Key from Clipboard.

  13. Click the Identify tab.

  14. Click Ex/Import.

  15. In the menu, click Export Public Key to Clipboard.

  16. Click OK to close the TINA Tunnel window.

  17. Go to CONFIGURATION > Configuration Tree > Box > your remote firewall > Assigned Services > VPN > Site to Site.