How to Configure a Client-to-Site VPN Group Policy
To let mobile workers securely connect to corporate resources, create a client-to-site VPN group policy. A single client-to-site configuration then serves CudaLaunch, the Barracuda VPN clients, and native IKEv1 and IKEv2 IPsec clients. Use CudaLaunch on iOS and Android to manage the VPN configuration remotely through the SSL VPN templates. If you configure the native IPsec clients on iOS and Android manually, verify that the encryption settings you choose are supported by the version of your mobile operating system. VPN clients can be authenticated through an external authentication scheme, through client certificates, or through a combination of both.
Note that recent Android versions no longer support IKEv1 tunnels and therefore no longer work with pre-shared keys.
Supported VPN Clients
Although any standards-compliant IPsec client should be able to connect via IPsec, Barracuda Networks recommends using the following clients:
CudaLaunch via VPN templates in SSL VPN. For more information, see How to Configure VPN Group Policies in the SSL VPN.
Windows 8/10 native IKEv2 IPsec VPN client
Before You Begin
Set up the VPN certificates for External CA or Barracuda VPN CA. For more information, see How to Set Up External CA VPN Certificates, or How to Set Up Barracuda VPN CA VPN Certificates.
Configure an external authentication scheme. For more information, see Authentication.
Identify the subnet (static route) or a range in a local network (proxy ARP) to be used for the VPN clients.
Step 1. Configure the VPN Service Listeners
Configure the IPv4 and IPv6 listener addresses for the VPN service.
Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > VPN-Service > Service Properties.
Click Lock.
From the Service Availability list, select the source for the IPv4 listeners.
When selecting Explicit, click + for each IP address and enter the IPv4 addresses in the Explicit IPs list.
(Optional) Add IPv6 addresses.
Click Send Changes and Activate.
Step 2. Configure the VPN Client Network
Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > VPN-Service > VPN Settings.
Click Lock.
In the left menu, select Client Networks.
Right-click the table, and select New Client Network.
In the Client Network window, configure the following settings:
Name – Enter a descriptive name for the network, e.g., Client-2-Site-Net.
Network Address – Enter the default network address, e.g., 192.168.6.0/24. All VPN clients receive an IP address from this network.
Gateway – Enter the gateway address, e.g., 192.168.6.254.
Type – Select the type of network that is used for VPN clients:
routed (Static Route) – A separate subnet. A static route on the firewall routes traffic between the VPN client subnet and the local network.
local (proxy ARP) – A segment of a local network. For example: local network 10.0.0.0/24, local segment 10.0.0.128/28. You must also specify the IP range for the network:
IP Range Base – Enter the IP address range of the VPN client subnet, e.g., 10.0.0.128/28.
Click OK.
Click Send Changes and Activate.
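The following Python script is an added example and not part of the Barracuda product or this article. It applies the constraints described in Step 2 to the values you would enter in the Client Network window: clients receive addresses from the Network Address, the Gateway must lie inside it, and a local (proxy ARP) network needs an IP Range Base that is a slice of the local network. The additional rule that the gateway must stay outside the client range is a sanity check assumed here, not stated on the page; the mistaken range in the last sample is constructed.

```python
"""Consistency checks for a Client Network definition (Step 2).

Added example, not Barracuda code. It checks the relations this article
describes between Network Address, Gateway, Type and IP Range Base. The
rule that the gateway must not lie inside the client range is an assumed
sanity check, not something the article states.
"""
from ipaddress import ip_address, ip_network


def validate_client_network(name, network, gateway, net_type, ip_range_base=None):
    """Return a list of problems; an empty list means the definition is consistent."""
    problems = []
    try:
        net = ip_network(network, strict=True)   # strict: host bits must be zero
    except ValueError as exc:
        return [f"{name}: bad Network Address {network!r}: {exc}"]
    try:
        gw = ip_address(gateway)
    except ValueError as exc:
        return [f"{name}: bad Gateway {gateway!r}: {exc}"]

    if gw.version != net.version:
        problems.append(f"{name}: gateway {gw} and network {net} are different IP versions")
    elif gw not in net:
        problems.append(f"{name}: gateway {gw} is outside {net}")
    elif gw in (net.network_address, net.broadcast_address):
        problems.append(f"{name}: gateway {gw} is the network or broadcast address")

    if net_type == "routed":
        # Separate subnet: the firewall adds a static route, no range is needed.
        if ip_range_base:
            problems.append(f"{name}: IP Range Base is only used with local (proxy ARP) networks")
    elif net_type == "local":
        # Slice of an existing LAN: clients must be given a range inside it.
        if not ip_range_base:
            return problems + [f"{name}: local (proxy ARP) networks need an IP Range Base"]
        try:
            rng = ip_network(ip_range_base, strict=True)
        except ValueError as exc:
            return problems + [f"{name}: bad IP Range Base {ip_range_base!r}: {exc}"]
        if rng.version != net.version or not rng.subnet_of(net):
            problems.append(f"{name}: range {rng} is not inside local network {net}")
        elif gw in rng:
            # Assumed sanity rule: the firewall's own address must not be handed to a client.
            problems.append(f"{name}: gateway {gw} lies inside the client range {rng}")
    else:
        problems.append(f"{name}: unknown Type {net_type!r} (expected 'routed' or 'local')")
    return problems


if __name__ == "__main__":
    # The article's two examples (routed and proxy ARP) plus one constructed mistake.
    for args in [
        ("Client-2-Site-Net", "192.168.6.0/24", "192.168.6.254", "routed"),
        ("LAN-Segment", "10.0.0.0/24", "10.0.0.1", "local", "10.0.0.128/28"),
        ("LAN-Segment", "10.0.0.0/24", "10.0.0.1", "local", "10.0.1.0/28"),
    ]:
        print(args[0], validate_client_network(*args) or "OK")
```

Run it before clicking Send Changes: a non-empty list for the proxy ARP case usually means the range was taken from a different LAN segment than the one the firewall interface sits on, which proxy ARP cannot serve.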
Step 3. Configure Group Policy Settings
Configure the default Group Policy settings.
Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > VPN-Service > Client-to-Site.
Click Lock.
Click the External CA tab and then the Group Policy tab.
Click the Click here for options link. The Group VPN Settings window opens.
Select the Authentication Scheme:
Primary Authentication Scheme – The default authentication scheme used for all VPN group policies.
Extract from username – The authentication scheme is taken from a suffix appended to the username, e.g., @msad. The scheme name after the final @ is used, and the part before it is the username, e.g., user1@msad1 selects the scheme msad1 for user1, and user2@domain.com@msad selects msad for user2@domain.com. If the suffix is not the name of an authentication scheme configured on the firewall, the default authentication scheme is used as a fallback.
Select the Default Authentication Scheme from the drop-down list. This authentication scheme must be configured on the box level of the firewall.
When using multi-factor authentication, select the Secondary Authentication Scheme.
(optional) Enable SAML support – To let your VPN clients authenticate via SAML, select the SAML authentication check box.
(optional) RAS Login permission required – To allow only users with RAS permission to authenticate, select the check box.
Configure which certificates are used. If you select a specific certificate here, all VPN group policies must use this certificate:
(optional) Service Certificate / Server Protocol Key – Select a service certificate and key, or use the default certificate configured in the VPN settings.
(optional) Used CA Certificates – Select a root certificate, or use the default certificate configured in the VPN settings.
(optional) X509 Login Extraction Field – Select the X.509 field containing the user name.
(optional) If needed, select the Preauthentication Scheme. A Preauthentication Scheme determines the default authentication scheme for a user based on attribute values from MSAD/LDAP/TACACS+. More details on pre-authentication and a full overview of all available group policy settings can be found here: Client-to-Site Group Policy Settings.
Click OK.
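The following Python function is an added example, not code from Barracuda or this article. It models the Extract from username rule described above: a @scheme suffix on the login name selects the authentication scheme, and the Default Authentication Scheme is the fallback when that suffix is not a scheme configured on the firewall. Treating the text after the final @ as the scheme name is an assumption drawn from the article's own examples; the scheme names in the script are constructed.

```python
"""Models the 'Extract from username' option of the Group VPN Settings (Step 3).

Added example, not Barracuda code. Splitting on the final '@' is an assumption
derived from the article's examples (user1@msad1, user2@domain.com@msad).
"""

# Constructed: schemes assumed to be configured at box level of the firewall.
CONFIGURED_SCHEMES = {"msad", "msad1", "ldap"}
DEFAULT_SCHEME = "msad"


def resolve_login(login, configured=CONFIGURED_SCHEMES, default=DEFAULT_SCHEME):
    """Return (username, scheme) for a login name exactly as the client typed it."""
    name, sep, suffix = login.rpartition("@")
    if sep and suffix in configured:
        # user2@domain.com@msad -> username user2@domain.com, scheme msad
        return name, suffix
    # No '@', or the suffix is not a configured scheme (e.g. 'domain.com'):
    # the whole string is the username and the default scheme applies.
    return login, default


if __name__ == "__main__":
    for login in ("user1@msad1", "user2@domain.com@msad", "user2@domain.com", "user3"):
        print(f"{login:24} -> user={resolve_login(login)[0]!r:22} scheme={resolve_login(login)[1]}")
```

The third case is the one to watch: a UPN-style login such as user2@domain.com is not a scheme selector, so it is authenticated as a whole against the default scheme rather than being split at the @.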
Step 4. Create a VPN Group Policy
Create a group policy and configure the network settings for the client-to-site connections. If you want the client to send all traffic through the VPN tunnel, enter 0.0.0.0/0 as the network.
Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > VPN-Service > Client-to-Site.
Click the External CA tab and then click the Group Policy tab.
Click Lock.
Right-click the table and select New Group Policy.
In the Edit Group Policy window, edit the following settings:
Name – Enter a name for this policy.
Common Settings – Select the check box.
Statistics Name – To better allocate statistics entries, enter a name.
Network – Select the required client network.
DNS – Enter a DNS server for the clients.
Network Routes – Add the IP address(es) and/or hostname(s) of all networks that must be reachable by the VPN clients.
You can also enter a network route as an FQDN (domain name). If the public network address associated with that domain name changes, you do not need to update the route manually; the domain name is resolved to the currently associated network address at runtime.
Enter 0.0.0.0/0 to send all traffic through the client-to-site VPN.
Right-click the Group Policy Condition field and select New Rule. The Group Policy Condition window opens.
When using X.509 certificate authentication, set filters for the certificate in the X.509 Certificate Conditions section. To let everyone with a valid certificate log on, click Edit/Show and add the following condition to the Subject field: CN=*
To limit the condition to a specific group, add the following condition instead: *CN=groupname*
Certificate condition entries are case insensitive and can contain the wildcard patterns ? (zero or one character) and * (zero or more characters).
When using IPsec XAUTH authentication, set filters for the policy in the Group Pattern field:
To let everyone with a valid certificate log on, add the following condition: CN=*
To limit the condition to a specific group, add the following condition: *CN=groupname*
You can also click Lookup to search for a group. In the AD lookup, enter your object filter or click Search, and select the desired group from the list. You must be logged on to Firewall Admin from the domain controller to use this search feature.
For local authentication, add the following condition in the Group Pattern field to allow all users or groups: *. To limit the policy, enter the group name of your local users instead.
Click OK.
Click OK.
Click Send Changes and Activate.
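The following Python script is an added example and not code from Barracuda or this article. It implements the wildcard semantics documented for Group Policy Condition entries (? matches zero or one character, * matches zero or more, matching is case insensitive) so that you can try a Subject condition or Group Pattern against real certificate subjects and group names before activating the policy. That the pattern has to cover the whole string (a full match rather than a substring search) is an assumption made here; the policy table, subjects and group names are constructed.

```python
"""Tests Group Policy Condition patterns against certificate subjects or group
names (Step 4).

Added example, not Barracuda code. Wildcard semantics follow the article:
'?' = zero or one character, '*' = zero or more, case-insensitive. Full-string
matching is an assumption; all subjects and policy names are constructed.
"""
import re


def condition_to_regex(pattern):
    """Compile a condition pattern into a case-insensitive regular expression."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")           # zero or more characters
        elif ch == "?":
            parts.append(".?")           # zero or one character
        else:
            parts.append(re.escape(ch))  # everything else is literal, e.g. '.' in 'Example Corp.'
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


def condition_matches(pattern, value):
    """True if the whole value is matched by the pattern (full match assumed)."""
    return condition_to_regex(pattern).fullmatch(value) is not None


def matching_policies(policies, value):
    """Names of all policies whose condition matches value, in table order."""
    return [name for name, cond in policies if condition_matches(cond, value)]


# Constructed policy table: (policy name, condition on the certificate subject).
POLICIES = [
    ("vpn-admins", "*CN=vpn-admins*"),
    ("vpn-users", "*CN=vpn-user?*"),   # matches vpn-user and vpn-users
    ("everyone", "CN=*"),              # only subjects that begin with CN=
]


if __name__ == "__main__":
    # Constructed subjects, as a CA might issue them.
    for subject in (
        "CN=vpn-users,OU=Remote,O=Example Corp.",
        "CN=bob,OU=Remote,O=Example Corp.",
        "OU=Remote,CN=VPN-Admins,O=Example Corp.",
    ):
        print(f"{subject:45} -> {matching_policies(POLICIES, subject)}")
```

Note the third subject: because its string does not begin with CN=, the condition CN=* does not match it under full-string matching, while *CN=vpn-admins* does. If your CA places the CN after other attributes, use a leading * in the catch-all condition as well.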