VPN connection between Firebox and Amazon Web Services (AWS)

To configure a VPN connection between Firebox and Amazon Web Services (AWS).

1
AWS Configuration:

For redundancy, an AWS VPN configuration includes one virtual private gateway and two external IP addresses. AWS determines which IP address is the primary IP address automatically
2
Configure The Firebox:

Before you configure the Firebox, download the configuration file from your AWS account:

>> Log in to the AWS Management Console.
>> Click to expand All Services.
>> In the Networking & Content Delivery section, click VPC.
>> From the navigation menu, in the Virtual Private Network section, click Site-to-Site VPN Connections.
>> Click the connection name.
>> Click Download Configuration.
>> From the Vendor drop-down list, select WatchGuard, Inc.
>> From the Software drop-down list, select Fireware OS 11.12.2 +.
>> Click Download. A .txt file gets downloaded to your desktop.
>> Open the .txt file in a text editor.

The .txt configuration file contains the pre-shared keys, gateway IP addresses for AWS Tunnel 1 and Tunnel 2, and routes to the trusted (private) network of your AWS VPC.

You can also find the IP addresses in your AWS configuration:

>> For the gateway IP addresses, select Virtual Private Network > Site-to-Site VPN Connections > [name].

>> For the routes, select Virtual Private Cloud > Subnets or Virtual Private Cloud > Route Tables.
3
Configure The Firebox And Add A BOVPN Virtual Interface:
>> Select VPN > BOVPN Virtual Interfaces.
>> Click Add.
>> In the Interface Name text box, type a name that describes the virtual interface. In our example, we use to AWS.
>> From the Remote Endpoint Type drop-down list, select Cloud VPN or Third-Party Gateway.
>> From the Gateway Address Family drop-down list, select IPv4 Addresses. AWS does not support IPv6 for VPN tunnels.
>> For the credential method, select Use Pre-Shared Key. Keep the pre-shared key text box clear for now. Later in the configuration, you specify a different pre-shared key for each gateway.
Add the Gateway Endpoints
To add the first gateway endpoint:

>> In the Gateway Endpoint section, click Add. The Gateway Endpoint Settings dialog box appears.
>> From the Physical drop-down list, select External.
>> From the Interface IP Address drop-down list, select Primary IPv4 Interface Address.
>> Select By IP Address.
>> In the adjacent text box, type the IP address for the Firebox external interface.
>>Select the Remote Gateway tab.
>> Select Static IP Address.
>> In the adjacent text box, type the first IP address of the AWS virtual private gateway.
>> Select By IP Address.
>> In the adjacent text box, type the first IP address of the AWS virtual private gateway.
>> On the Advanced tab, select Specify a different pre-shared key for each gateway endpoint.
>> Paste the key from the AWS .txt configuration file. This file includes two pre-shared keys, one for each gateway endpoint.
>> Click OK.
4
Add The Second Gateway Endpoint
>> In the Gateway Endpoint section, click Add. The Gateway Endpoint Settings dialog box appears.
>> From the Physical drop-down list, select External.
>> From the Interface IP Address drop-down list, select Primary IPv4 Interface Address.
>> Select By IP Address.
>> In the adjacent text box, type the IP address for the Firebox external interface.
>> Select By IP Address.
>> In the adjacent text box, type the first IP address of the AWS virtual private gateway.
>> On the Advanced tab, select Specify a different pre-shared key for each gateway endpoint.
>> Paste the other key from the AWS .txt configuration file.
>> Click OK.
5
Configure The VPN Routes:

>> On the VPN Routes tab, click Add. The VPN Route Settings dialog box appears.
>> From the 'Choose Type' drop-down list, select Network IPv4.
>> In the Route To field, type 10.0.100.0/24.
>> Click OK.
6
Finally, Configure The Phase 1 And Phase 2 Settings:

AWS identifies the authentication and encryption algorithm settings from the Firebox during VPN negotiations. If AWS supports the settings, AWS will use them automatically. Specific proposals are supported by AWS. It is not possible to change the AWS configuration to specify different proposals.

Phase 2 Settings:
>> Select Enable Perfect Forward Secrecy.
>> the drop-down list, select Diffie-Helman Group 14. Groups 1, 2, 5, 15, 19, and 20 are also supported.
>> From the IPSec Proposals drop-down list, select ESP-AES256-SHA256. SHA1 and AES128 are also supported.

Site-To-Site VPN Between An Azure Virtual Network And WatchGuard Firewall

Go to the Azure portal > All resources. Find the Gateway Public IP address that we provisioned earlier.

1
Create A New BOVPN Virtual Interface:

From Policy Manager, go to VPN > BOVPN Virtual Interface. Click Add.

The fields you need to edit are:

>> Name: give the BOVPN interface a descriptive name.
>> Remote endpoint type: pick Cloud VPN or Third-party gateway
>> Use Pre-Shared Key: enter the key that you setup earlier, you can still refer back to it in the Azure portal (on the Connection object)

Now under Gateway Endpoints click Add, which will bring you to the following step.
2
Setup The Local And Remote Gateways:

Enter your own public IP on the first line, and then enter the Azure public IP on the following two. The Interface section should match whichever physical interface is associated to your external IP address. Click OK.
3
Configure The Network Route :

Back on the New BOVPN Virtual Interface screen, go to the VPN Routes tab and click Add.

Choose Network IPv4 from the drop down, then enter the IP address space of the Azure virtual network, which was setup previously. Click OK.
4
Configure Phase 1 Settings For IKEv2 :

Now go to the next tab over, Phase 1 Settings.

The only setting we need to modify here is to choose IKEv2. Click OK. Then Close.
5
Save Configuration To The Firebox:
Now we are ready to save the config. Go to File > Save > To Firebox... and enter your configuration passphrase to save.

After you have saved, you will be able to confirm the connection comes up.

You can also see the status Connected on the Connection object in Azure portal, and you are done.
6
Configure The Network Route:
The network route is what tells your firewall about the address space hiding behind that cloudy gateway in Azure. In other words, itâ€™s where you specify the IP ranges that you provisioned for your virtual machines in the cloud.

Click on VPN Routes, then Add.

First choose the drop-down option for Network IPv4. Under Route To, add the Azure address space, and click OK.

Using the WatchGuard Web UI

1
Add A BOVPN Interface:
Navigate to VPN > BOVPN Virtual Interfaces and click Add.

Fill in some information:

>> Interface Name: Any
>> Remote Endpoint Type: Cloud VPN or Third-Party Gateway
>> Use Pre-shared Key: You would have specified this in the Azure portal on the Connection object. To find it again, all resources > click your Connection > Shared key under Settings.

Now under Gateway Endpoint, click Add, which will bring you to the next step.
2
Setup The Local And Remote Gateways

>> Click on Local Gateway, and put IP address which is External IP assigned to the firewall.
>> Select, Physical Interface-> Fiber.
>> Click on Remote Gateway.

Specify the Azure public IP address that was provisioned during the previous setupâ€“twice, in both fields (static IP address, by IP Address).

Click OK.
3
Configure The Network Route:

The network route is what tells your firewall about the address space hiding behind that cloudy gateway in Azure. In other words, itâ€™s where you specify the IP ranges that you provisioned for your virtual machines in the cloud.

Click on VPN Routes, then Add.

First choose the drop-down option for Network IPv4. Under Route To, add the Azure address space, and click OK.
4
Configure Phase 1 Settings For IKEv2 :

Now go to the Phase 1 Settings tab. Under Version choose IKEv2 from the drop-down. Click Save at the bottom of the screen. This completes the setup.

You will see the BOVPN interface now in the UI.

And, you are done.

Your Vision, Our Expertise

Elevating Your Software Product Engineering Journey with Vast Edge

Configuring BOVPN between a WatchGuard Firebox and GCP

1
>> Configure the Firebox
>> On the Firebox, configure a BOVPN connection.
>> Log in to Fireware Web UI.
>> Select VPN > Branch Office VPN.

The Branch Office VPN configuration page appears.
>> In the Gateways section, click Add.
>> In the Gateway Name text box, type a name to identify this BOVPN gateway.
>> From the Address Family drop-down list, select IPV4 Addresses.
>> In the Credential Method section, select Use Pre-Shared Key.
>> In the adjacent text box, type the pre-shared key.
>> Keep the default String-Based setting.
>> In the Gateway Endpoint section, click Add.

The Gateway Endpoint Settings dialog box opens.
>> From the External Interface drop-down list, select External.
>> From the Interface IP Address drop-down list, select Primary Interface IPv4 Address.

The Primary Interface IP Address is the primary IP address you configured on the selected external interface.
>> Select By IP Address.
>> In adjacent text box, type the primary IP address of the External Firebox interface.
>> Select the Remote Gateway tab.
>> Select Static IP Address.
>> In the adjacent text box, type the External IP address of your Google Cloud connection.
>> Select By IP Address.
>> In the adjacent text box, type the External IP address of your Google Cloud connection.
>> Keep the default settings for all other options.
>> Click OK.
>> In the Gateway Endpoint section, select the Start Phase 1 tunnel when Firebox starts check box.
>> Select the Phase 1 Settings tab.
>> From the Version drop-down list, select IKEv2.
>> Keep all other Phase 1 settings as the default values.
>> Click Save.
>> In the Tunnels section, click Add.
>> From the Gateway drop-down list, select the gateway that you configured.
>> In the Addresses section, click Add.
>> In the Local IP section, from the Choose Type drop-down list, select Network IPv4.
>> In the Network IP text box, type the local IP segment. This the local network protected by the Firebox.
>> In the Remote IP section, from the Choose Type drop-down list, select Network IPv4.
>> In the Network IP text box, type the remote IP segment. This the local network protected by Google Cloud.
>> Click OK.
>>Keep Phase 2 Settings as the default values.
Click Save.

Configure the Google Cloud VPN

To configure the Google Cloud VPN, you must specify several settings.

1
>> Log in to the Google Cloud Platform.
>> Select Navigation menu > Networking > VPC network > VPC networks.
>> Click Enable.
>> Click Create VPC Network.
>> In the Name text box, type a name for the VPC network. In the Subnets section, for Subnet creation mode, select Custom.
>> In the Name text box, type a name for the subnet. From the Region drop-down menu, select a region, which is a specific geographical location where you can host your resources. In the IP address range text box, specify the IP address range for this subnet. (Optional) For Flow logs, select On.
>> In the New subnet section, click Done.
>> For all other settings, keep the default values.
>> Click Create.

Next, reserve a static address:

1
>> From the navigation menu, select Networking > VPC network > External IP addresses.
>> Click Reserve static address.

The Reserve a static address page opens.

>> In the Name text box, type a name for the External IP address. In our example, we use google-cloud-vpn-ip.
>> From the Region drop-down list, select a region where the address will be created.
>> For all other settings, keep the default values.
>> Click Reserve.

Next, configure the VPN connection settings:

1
>> From the navigation menu, select Networking > Hybrid Connectivity > VPN.
>> Click Create VPN connection.
>> From the VPN options section, select Classic VPN.
>> Click Continue.
>> In the Google Compute Engine VPN gateway section, in the Name text box, specify a name for the VPN gateway.
>> From the Network drop-down list, select the network you created.
>> From the Region drop-down list, select a region.
>> From the IP address drop-down list, select the IP address you created.
>> In the Tunnels section, in the Name text box, type a name for the tunnel.
>> In the Remote peer IP address text box, type the External IP address of the remote peer.
>> From the IKE version drop-down list, select IKEv2.
>> In the IKE pre-shared key text box, type the IKE pre-shared key for this tunnel.
>> For Routing options, select Policy-based.
>> In the Remote network IP ranges text box, type the IP address ranges of the remote networks.
>> In the Local subnetworks drop-down list, select subnet-asia-east1-192-168-1.
>> Click Done.
>> Click Create.

Next, create firewall rules:

1
>> Select Navigation menu > Networking > VPC network > Firewall rules.
>> Click Create Firewall Rule.
>> In the Name text box, type a name for this rule.
>> In the Logs section, click ON.
>> From the Network drop-down list, select the network you created.
>> For Direction of traffic, select Ingress.
>> For Action on match, select Allow.
>> From the Targets drop-down list, select All instances in the network.
>> From the Source filter drop-down list, select IP ranges.
>> In the Source IP ranges text box, type the IP address ranges of remote internal networks.
>> For Protocols and ports, select Allow All or Specified protocols and ports.
>> For all other settings, keep the default values.
>> Click Create.
>> Create egress rules using the same way.
>> Click Create.

Google Cloud VPN auto-negotiates authentication and encryption settings and the key group with the Firebox. You cannot edit these settings in the Google Cloud VPN configuration.

Test the Integration

1
>> From Fireware Web UI, select System Status > VPN Statistics.
>> Select the Branch Office VPN tab. The data shows the VPN is established.
>> From the Google Cloud Platform navigation menu, select Networking > Hybrid Connectivity > VPN.
>> Select Cloud VPN Tunnels. The data shows the VPN is established.

BOVPN Virtual Interface Connection Between OCI And The Firebox

Configure the Oracle Bare Metal VPN

Configure the Oracle Bare Metal VPNOracle documentation lists the basic structure to set up a Branch Office VPN. These steps provide a high-level overview of the process.

Create Virtual Cloud Network

1
>> Select your Compartment in the Oracle Cloud infrastructure.
>> Select Networking > Virtual Cloud Networks. The Create Virtual Cloud Network window appears. The compartments available depend on your permissions.
>> Leave the default values and click Create Virtual Cloud Network.

Create Dynamic Routing Gateways:

1
>> Select Networking > Dynamic Routing Gateways.
The Create Dynamic Routing Gateway window appears.
>> Click Create Dynamic Routing Gateway.
>> The Create in Compartment text box contains the current compartment name by default. To create the DRG in a different compartment, type the name of that compartment.
>> In the Name text box, type a friendly name. The name cannot be changed in the console later.
>> Click Create Dynamic Routing Gateway. The created DRG appears in the console.

Attach Dynamic Routing Gateway to a Cloud Network.

After you create the DRG, you must attach the DRG to the Cloud Network.

1
>> Select Networking > Dynamic Routing Gateways.
>> From the list of available DRGs in the compartment, select the DRG you want to attach.
>> Select Virtual Cloud Networks.
>> Click Attach to Virtual Cloud Network.

Update the Routing Table

1
>> Select Networking > Virtual Cloud Networks.
>> From the list of available cloud networks, select the VCN you want.
>> Click Route Tables. A list of all the route tables appears.
>> For each subnet that communicates with your on-premises network, update the subnet's route table with a new route for the DRG.
>> Select the Route Table you want and click Create Route Rule.
>> In the CIDR text box, type the CIDR for your on-premise network.
>>For the Target, select the DRG you created.
>> Click Create.

Create Customer-Premises Equipment (CPE)

1
>> Select Networking > Customer-Premises Equipment.
>> Click Create Customer-Premises Equipment.
>> The Create Customer-Premises Equipment dialog box appears. Complete all the fields.
>> In the Create in Compartment text box, type the name of the compartment to use.
>> In the Name text box, type a friendly name.
>> In the IP Address text box, type the public IP address of your router.
>> Click Create.

Link DRG to IPSec Connection:

1
>> Select Networking > Dynamic Routing Gateways.
>> Select the DRG link you created.
>>Make sure that the value in the Static Route CIDR text box matches the subnet that is the target on the WatchGuard firewall.
>> Click Create IPSec Connection.
>> Next to the newly created IPSec connection, open the menu and select Tunnel Information.
>> Copy the shared key and public IP values.

CONFIGURE THE FIREBOX BOVPN VIRTUAL INTERFACE

WatchGuard Phase One Settings:

1
>> Version - IKE v1
>> Mode -Main
>> No NAT Traversal
>> No IKE Keep-alive
>> DPD:

Traffic idle timeout - 10 seconds
Max retries - 3
>> Transform Settings:

Authentication - SHA2-384
Encryption - AES (256-bit)
SA life - 8 hours
Key Group - Diffie-Hellman Group 5

WatchGuard Phase Two Settings:

1
>> Perfect Forward Secrecy - Enabled, Diffie-Hellman Group 5
>> IPSec Proposals:
>> Type - ESP (Encapsulating Security Payload)
>> Authentication - SHA1
>> Encryption - AES (256-bit)
>> Force Key Expiration Time - 1 hour

These are the steps to enter the above values, add the public IP address gateway, and tunnel routes to build the BOVPN.

Configure the Phase 2 IPSec Proposal:

1
>> Log in to Fireware Web UI.
>> Select VPN > Phase 2 Proposals.
>> Click Add to create a new proposal.
>> In the Name text box, type a name for the proposal.
(Optional) Type a Description.
>> From the Type drop-down list, select ESP (Encapsulating Security Payload).
>> From the Authentication drop-down list, select SHA1.
>> From the Encryption drop-down list, select AES (256-bit).
>> For Force Key Expiration, select the Time check box and type 1 hour.
>> Click Save.

Configure the Gateway Settings:

1
>> Select VPN > BOVPN Virtual Interface.
>> Click Add.
>>In the Credential Method section, select Use Pre-Shared Key and paste the pre-shared key from the Oracle IPSec connection settings.
In the Gateway Endpoint section, click Add.

The New Gateway Endpoints Settings dialog box appears

>> From the Local Gateway tab, for Specify the gateway ID for tunnel authentication select By IP Address and type the IP address. By default, this is the primary public address assigned to the firewall.
>> Select the Remote Gateway tab.
>> For Specify the remote gateway IP address for a tunnel, select Static IP Address and type the public IP address you got from the Oracle Bare Metal IPSec connection settings.
>> Click OK.

Configure the VPN Routes:

1
On the Add BOVPN Virtual Interface page, select the VPN Routes tab.
Click Add.
From the Choose Type drop-down list, select an option:
Host IPv4 - Select this option if only one IPv4 host is the VPN destination.
Network IPv4 - Select this option if you have a full IPv4 network as the VPN destination.
In the Route To text box, enter the network address or host address.
In the Metric text box, type or select a metric value for the route.
Click OK.

Assign the Phase 2 Proposal:

1
>> On the Add BOVPN Virtual Interface page, select the Phase 2 Settings tab.
>> Select the Enable Perfect Forward Secrecy check box. From the drop-down list, select Diffie-Hellman Group 5.
>> If there are any IPSec Proposals in the Phase 2 Proposals list, remove them.
>> From the drop-down list below the Phase 2 Proposals list, select the Phase 2 Proposal you created.
>> Click Save.

To check the status of the VPN, select System Status > VPN Statistics > Branch Office VPN.

Test the BOVPN:

To run diagnostic tasks for your Firebox:

1
>> Select System Status > Diagnostics.

The Diagnostics page appears with the Diagnostics File tab selected.

>> Select the Network tab.

The Network page appears.
>> From the Task drop-down list, select Ping.
>> In the Address text box, type an IP address or host name.
>> Select Advanced Options to ping from a local firewall interface.

The dash capital I (-I) is used to specify the IP address of the local interface you wish to ping from.
The IP that follows the argument should be an interface IP assigned to the firewall.
The last IP is the final target for the ping command

WatchGuard Cloud Managed Services, Azure, AWS, GCP, OCI Tunnel