Configure VPN from VMC to WatchGuardTM Firebox Cloud – Part 4 (Final)

In the previous posts of this series on Configuring a VPN connection from WatchGuard TM Firebox to VMC, I have showed you how to setup the Firebox and how to establish a VPN with a native VPC.

In this last post, I will attach the SDDC to the WatchGuard Firebox instance with a IPSEC route-based VPN leveraging BGP to allow for dynamic routes exchange.

With this configuration, any compute and management segments created inside the SDDC will be the advertised into the BGP session established with the Firebox in the transit VPC.

Firebox to SDDC IPSec VPN configuration

Phase 1 – VPN’s VPC configuration

First of all I need to collect the public IP address of my SDDC. This is possible by logging to the VMC Console and going to the Networking and Security tab, and Selecting the Overview window:

The IP of VPN is displayed as VPN Public IP. This Public IP is unique for any other VPN being established.

N.B.: You can also request additional public IP addresses to assign to workload VMs to allow access to these VMs from the internet. VMware Cloud on AWS provisions the IP address from AWS.

Next I’ll collect the BGP local ASN number of the SDDC. Just like IP addresses, ASNs (Autonomous System Numbers) have to be unique on the Internet and the SDDC utilises two numbers: one for the route-based VPN and one for Direct Connect

To do that I Click on Edit Local ASN option in the VPN window:

Clicking EDIT LOCAL ASN displays the Local ASN of the SDDC as shown here:

The local ASN of any brand new SDDC is by default at 65000. You can change it to a value in the range 64521 to 65535 (or 4200000000 to 4294967294).

N.B.: Keep in mind that the remote BGP ASN number need to be different.

Now it’s time to create a new Customer Gateway and map it to the SDDC settings.

Create a New Customer Gateway

For that I need to go back to the AWS console and Go to the VPC Dashboard and Select Customer Gateways under VIRTUAL PRIVATE NETWORK Menu on the left.

I Click Create Customer Gateway and choose Dynamic as a routing option, and add the public Elastic-IP address of the SDDC public IP.

I also need to specify the BGP ASN to the SDDC value (65000 by default). Note that it has to be different from the BGP ASN of the Firebox in the transit VPC.

Phase 2 – FireBox’s VPN Configuration

Now I have to setup the VPN configuration on the Firebox itself. For this, I connect back to the Fireware Web UI:

  1. Open a web browser and go to the public IP address for your instance of Firebox Cloud at: https://<eth0_public_IP>:8080
  2. Log in with the admin user account. Make sure to specify the passphrase you set in the Firebox Cloud Setup Wizard.

Select VPN, BOVPN Virtual Interfaces on the left and click the lock to open the settings window.

Enter a name for the interface (eg. BoSddc) and switch the Remote Endpoint Type to Cloud VPN or Third-Party Gateway.

In the Gateway Settings-> Credential Method, Enter a Use Pre-Shared Key (note the key as you will have to use it in the SDDC setup):

In the Gateway Settings–>Gateway Endpoint–>Click ADD.

Select Local Gateway–>Interface: Select Physical: External

Specify the gateway ID for tunnel authentication: Select By IP address: 34.210.196.xxx (this is the public Elastic-IP of the Watchguard Firebox)

Select Remote Gateway–>Specify the remote gateway IP address for a tunnel: a the Static IP Address has to be set to the Public IP address of the SDDC:

Next Step, Select Advanced tab and Click OK

Configure Phase 1 of IPSEC Proposal

Check ‘Start Phase1 tunnel when it is inactive‘ and Keep the ‘Add this tunnel to the BOVPN-Allow policies‘ checked.

The Phase 1 Settings should be as follow:
1. Version: IKEv1
2. Mode: Main
3. Uncheck NAT Traversal

N.B.: NAT Traversal is enabled by default but if your WatchGuard device is not behind a NAT/PAT device, please deselect NAT Traversal.

Dead Peer Detection:
a. Traffic idle timeout: 10
b. Max retries: 3

Transform Settings–>Click ADD:

1. Authentication: SHA1
2. Encryption: AES(128-bit)
3. SA Life: 8 hours
4. Key Group: Diffie-Hellman Group 2

Click OK.

Remove any pre-existing Phase 1 Transform Settings eg. SHA1-3DES.

Configure Phase 2 of IPSEC Proposal

Go to VPN–>Phase2 Proposals–>Click ADD

Name: AWS-ESP-AES128-SHA1
Description: AWS Phase 2 Proposal
Type: ESP
Authentication: SHA1
Encryption: AES(128-bit)
Force Key Expiration: Select ‘Time’ -> 1 hours

Click SAVE.

Go to VPN–>BOVPN Virtual Interfaces–>Select BoSddc–>Click EDIT

Phase 2 Settings–>Perfect Forward Secrecy:

Check ‘Enable Perfect Forward Secrecy’: Diffie-Hellman Group 2
IPSec Proposals–>Click on existing proposal–>Click REMOVE
Select ‘AWS-ESP-AES128-SHA1’ from the drop-down menu–>Click ADD

Click SAVE.

Configure BGP dynamic routing.

Go to VPN–>BOVPN Virtual Interfaces–>Select BoSddc–>Click EDIT

For the VPN Routes settings, I keep ‘Assign virtual interface IP addresses‘ option checked for the Interface option.

Then I setup the Local IP address to: 169.254.85.186 and Peer IP address or netmask to: 255.255.255.252

then Click SAVE.

Go to Network–>Dynamic Routing and Check ‘Enable Dynamic Routing’.

Click on ‘BGP’: Check ‘Enable’

I have to Add the below BGP dynamic routing configuration commands in the box:

router bgp 65001    N.B.: Use this command only once at the beginning of the BGP config as this the local ASN number that the Firebox will use for any VPNs.

NOw it’s time to add the configuration for the second BGP neighbor that we need to configure for the SDDC:

neighbor 169.254.85.185 remote-as 65000
neighbor 169.254.85.185 activate
neighbor 169.254.85.185 timers 10 30

Click SAVE.

Phase 3 – VMC on AWS SDDC’s VPN Configuration

VMC on AWS allows to create up to 4 IPSEC route-based VPN tunnels to be established between Firebox/VPC and your SDDC. To create the VPN on the SDDC side, you first have to Connect to the SDDC console.

Then you need to Go to the Networking & Security tab.

Select Network -> VPN and Click on the Route Based tab.

Click ADD VPN.

Next, you have to enter the following configuration settings:

  • First give a name to the IPSec VPN (eg. TOFirebox).

Select Local Public IP1 of the SDDC: this is the public IP address of the SDDC. As the Remote Public IP, Select the Elastic IP that was assigned to the public interface of the Watchguard Firebox FW. The Remote private IP is automatically entered.

For the BGP Local IP/Prefix Length, choose the following: 169.254.85.185/30.

The BGP Remote IP is the Local IP configured previously in the VPN Routes of the BOVPN Virtual interfaces: 169.254.85.186.

BGP Neighbor ASN has to be he remote ASN of the WatchGuard Firebox: 65001.

  • Tunnel Encryption: AES128
  • Digest Algorithm: SHA-1
  • PFS: Enabled
  • Diffie-Hellman: Group 2
  • IKE Encryption: AES128
  • IKE Digest:  SHA-1
  • IKE Type: V1

After a few seconds, we can see that the VPN is up!

Configure VPN from VMC to WatchGuardTM Firebox Cloud – Part 3

In this Part, I will show you how to configure an IPsec VPN from the “spoke” native VPC to the Firebox instance deployed in the transit VPC. This permits to leverage the Watchguard Firewall instance in the transit VPC as a filtering device from any trafic coming outside (SDDC, spoke VPC, on-prem).

Phase 1 – VPC’s VPN Configuration

In order to configure the VPN in the VPC, I need to do some preparation in the native VPC which consists in creating a Customer Gateway, a Virtual Private Gateway and attach them together.

To do so, let’s first Connect to the AWS console again!

Select IAM User and enter ID of your AWS account

Log in with the user account that have the administrative privileges on this account.

Create a Customer Gateway

NI have to go to the VPC Dashboard and Select Customer Gateways under VIRTUAL PRIVATE NETWORK Menu on the left.

I click Create Customer Gateway and choose Dynamic as a routing option, add the public Elastic-IP address of the FW. Specify the BGP ASN to a value different from the potential peer.

Create a Virtual Private Gateway

I’ll now create a brand new Virtual Private Gateway and attach it to the spoke VPC created earlier.

The VGW appears as detached:

I’ll select it and in the Actions drop-down menu, I select Attach to VPC option:

It now shows as attached:

Create a VPN Connection

Now I will create the VPN Connection by associating the VGW to the Customer Gateway that I have created:

Once the VPN connection available, I select Download Configuration. This will open the following window:

I select Watchguard, inc. as a Vendor and click Download button. A file containing all the configuration is created. I am going to use it to configure the Firebox now.

Phase 2 – FireBox’s VPN Configuration

First I need to Connect to Fireware Web UI by opening a web browser to the public IP address of the Firebox Cloud instance
https://<eth0_public_IP>:8080

I log in with the admin user account and I make sure to specify the passphrase I have set in the Firebox Cloud Setup Wizard.

Then I Select VPN, BOVPN Virtual Interfaces on the left and click the lock icon.

First I started by following the instruction in the VPN configuration file downloaded earlier.

So I enter the interface name and switch the Remote Endpoint Type to Cloud VPN or Third Party Gateway.

In the Gateway Settings-> Credential Method, I have entered the Use Pre-Shared Key stated in the file:

In the Gateway Settings–>Gateway Endpoint–>Click ADD:. Select Local Gateway–>Interface:

I need now to Specify the gateway ID for tunnel authentication. I select By IP address: here I enter the following 34.210.196.xxx (this is the public Elastic-IP of the firebox).

Now I have to Select Remote Gateway–>Specify the remote gateway IP address for a tunnel to Static IP and enter the public IP of my SDDC.

Select Advanced–>Click OK

I have checked ‘Start Phase1 tunnel when it is inactive‘ and kept the ‘Add this tunnel to the BOVPN-Allow policies‘ checked.

We need to select the following for Phase 1 Settings:

1. Version: IKEv2
2. Mode: Main
3. Uncheck NAT Traversal

NAT Traversal is enabled by default but if your WatchGuard device is not behind a NAT/PAT device, please deselect NAT Traversal.

For the Dead Peer Detection, choose the following values:

a. Traffic idle timeout: 10
b. Max retries: 3

Next we have to change the Transform Settings by clicking ADD et setup the following values:

1. Authentication: SHA1
2. Encryption: AES(128-bit)
3. SA Life: 8 hours
4. Key Group: Diffie-Hellman Group 2

Click OK and Remove any pre-existing Phase 1 Transform Settings (eg. SHA1-3DES).

Now we need to configure Phase 2 of IPSEC Proposal.

I need to Go to VPN–>Phase2 Proposals–>Click ADD:

  • Name: AWS-ESP-AES128-SHA1
  • Description: AWS Phase 2 Proposal
  • Type: ESP
  • Authentication: SHA1
  • Encryption: AES(128-bit)
  • Force Key Expiration: Select ‘Time’ -> 1 hours

Click SAVE.

  1. Go to VPN–>BOVPN Virtual Interfaces–>Select vpn-054bfd003f8ac9d2d-1–>Click EDIT

Phase 2 Settings–>Perfect Forward Secrecy:

Check ‘Enable Perfect Forward Secrecy’: Diffie-Hellman Group 2
IPSec Proposals–>Click on existing proposal–>Click REMOVE
Select ‘AWS-ESP-AES128-SHA1’ from the drop-down menu–>Click ADD

Click SAVE.

Phase 3 – Configure BGP Routing

It’s now time to configure BGP dynamic routing.

  1. Go to VPN–>BOVPN Virtual Interfaces–>Select vpn-054bfd003f8ac9d2d-1–>Click EDIT
  2. VPN Routes:

In the Interface window, keep ‘Assign virtual interface IP addresses‘ option checked:

Click SAVE.

Go to Network–>Dynamic Routing

Check ‘Enable Dynamic Routing’

Click on ‘BGP’ tab:

Check ‘Enable

Add the BGP dynamic routing configuration commands in the box as seen above.

We have to add the line: router bgp 65001  but only once at the beginning of the BGP config.

Click SAVE.

Phase 4 – Check tunnel is established

Go back to AWS Console to check VPN are established:

AWS allows the creation of a second tunnel to be established between the spoke VPC and the Firebox instance. To create the second VPN session, create a second tunnel by following the same instruction as above with the parameters described in the configuration file downloaded earlier.

That concludes the Part 3 of this post. In the next final Part, I will show you how to establish a VPN from SDDC to the Firebox instance in the transit VPC.

Configure VPN from VMC to WatchGuardTM Firebox Cloud – Part 2

Phase 2 – Deploy the WatchGuard Firebox instance

In Part 1 of this blog post, we have deployed a new transit VPC with two subnets and a route table configured accordingly.

Now it’s time to deploy a WatchGuard FW cloud EC2 instance in the transit VPC. This is possible from the EC2 dashboard:

  • After logging on the AWS Console with my personal AWS account, I have selected Services > EC2.
  • In the EC2 Dashboard, I can easily launch a new instance by Clicking on Launch instance (easy :=)),
  • I have selected AWS Marketplace and type ‘firebox’ in the search window and have decided to pick the Watchguard Firebox Cloud (Hourly) AMI.
  • You will get the pricing details and Click Continue
  • Select the smallest available instance with free tier t2.micro instance type and click Next: Configure Instance details
  • The configure Instance Details step opens.
  • From the Network drop-down list, select your transit VPC :
  • From the Subnet drop-down list, select the public subnet to use for eth0.
    The subnet you select appears in the Network Interfaces section for eth0.
  • To add a second interface, in the Network interfaces section, click Add Device.
    Eth1 is added to the list of network interfaces.
  • Click Next: Add Storage
  • Use the default storage size (5 GB). 
  • Click Next: Add Tags
  1. Click Next: Configure Security Group. By default, the instance uses a security group that functions as a basic firewall. This security group restricts following ports: HTTPS (TCP 8080), SSH, TCP 4118 (WatchGuard Firewalls may allow remote management using WSM (WatchGuard System Manager) over ports 4117, 4118 TCP).
  1. Click Review and Launch.
    The configured information for your instance appears.
  2. Click Launch.
    The key pair settings dialog box opens.

Phase 3 – Finish configuring the instance of the Firebox

In this phase we will finish configuring the EC2 instance of our Firebox.

Once the firewall is deployed, from the EC2 Dashboard, Click on the instance option, the new instance should appear as here:

Disable Source/Destination Checks

By default, each EC2 instance completes source/destination checks. For the networks on your VPC to successfully use your instance of Firebox Cloud for NAT, you must disable the source/destination check for the network interfaces assigned to the Firebox Cloud instance.

Disabling source/destination checks for the public interface is quite simple:

  • From the EC2 Management Console, select Instances > Instances.
  • Select the instance of Firebox Cloud.
  • Select Actions > Networking > Change Source/Dest. Check. The confirmation message includes the public interface for this instance.
  • Click Yes, Disable.
    The source and destination checks are disabled for the public & private interface.

Assign an Elastic IP Address to the External Interface

You must assign an Elastic IP (EIP) address to the eth0 interface for the instance of Firebox Cloud. You can use any available EIP address. To make sure you assign it to the correct interface, find and copy the eth0 interface ID of your instance of Firebox Cloud.

To find the eth0 interface ID for your instance of Firebox Cloud:

  1. From the EC2 Management Console, select Instances.
  2. Select the instance of Firebox Cloud.
    The instance details appear.
  3. Click the eth0 network interface.
    More information about the network interface appears.
  4. Copy the Interface ID value.

To associate the Elastic IP address with the eth0 interface:

  1. From the EC2 Management Console, select Network & Security > Elastic IPs.
  2. Select an available Elastic IP address.
  1. Select Actions > Associate Elastic IP Address.
    The Associate Elastic IP Address page opens.

If you have created 2 sub-interfaces, You can associate two different publics IPs to the interface:

Run the Firebox Cloud Setup Wizard

After you deploy the Firebox Cloud instance, you can connect to Fireware Web UI through the public IP address to run the Firebox Cloud Setup Wizard. You use the wizard to set the administrative passphrases for Firebox Cloud.

  1. Connect to Fireware Web UI for your Firebox Cloud with the public IP address:
    https://<eth0_public_IP>:8080
  2. Log in with the default Administrator account user name and passphrase:
    • User name — admin
    • Passphrase — The Firebox Cloud Instance ID

The Firebox Cloud Setup Wizard welcome page opens.

  • Click Next.
    The setup wizard starts.
  • Review and accept the End-User License Agreement. Click Next.
  1. Specify new passphrases for the built-in status and admin user accounts.
  2. Click Next.
    The configuration is saved to Firebox Cloud and the wizard is complete.

This is the end of Part 2, in Part 3 we are going to configure the IPSEC route based VPN between the Firebox instance and both a native VPC and a VMC on AWS SDDC.

Configure VPN from VMC to WatchGuardTM Firebox Cloud – Part 1

When I look back I realise I have been working at VMware for about 9 months and I have spent a tremendous amount of time dealing with a high number of requests, questions and issues with my customers.

One that particularly stands out is around integrating VMC on AWS with a Firewall hosted in a transit VPC for security purpose.

One of my customer recently was asking me if it was possible to create a VPN from VMC to a WatchguardTM Firebox Cloud Firewall. So I decided I would give it a try.

In this guide, I will first show you how to set up a route-based VPN from the WatchguardTM firewall to an AWS VGW in a native VPC.

In the last part, I will show how to configure an IPSEC route-based VPN from VMC on AWS to the same instance of WatchguardTM firewall hosted in a transit VPC.

Network Architecture diagram

Transit VPC with VPNs attachment to VMC and a native VPC
Transit VPC with VPNs attachment to VMC and a native VPC

AWS Deployment phase

Phase 1 -Configure an AWS transit VPC

Let me give first some definition: A virtual private cloud (VPC) is a virtual network dedicated to your AWS account. It is logically isolated from other virtual networks in the AWS Cloud. You can launch your AWS resources, such as Amazon EC2 instances, into your VPC.

First, I need to configure an AWS VPC with at least two subnets. It’s possible to use the VPC Wizard to create a VPC with public and private subnets or create it manually.

If you choose the wizard, you will have to terminate the NAT instance that was automatically created for the VPC by the VPC Wizard because the instance of Firebox Cloud will provide NAT functions for subnets in this VPC.

I will be using the manual method:

Create a new VPC

When I create a VPC, I must specify a range of IPv4 addresses for the VPC in the form of a Classless Inter-Domain Routing (CIDR) block. I decided to choose a CIDR block for my VPC of 172.30.0.0/16.

Now I will have to Create a public subnet with a CIDR block equivalent to a subset of the VPC CIDR range:

Choose a CIDR block for your public subnet like 172.30.11.0/24.

CREATE A PRIvate Subnet

Next step is to Create a private subnet from the VPC CIDR range in the same zone as the public subnet (CIDR block of private subnet cannot overlap with public subnet):

Choose a CIDR block for your private subnet like 172.30.20.0/24.

Create an Internet Gateway

We will now deploy an AWS Internet Gateway (IGW) from the VPC Dashboard. From the VPC Dashboard, Click Internet Gateways menu on the left:

Attach the new IGW to the transit VPC by clicking on the attach to VPC button and from the Actions drop-down menu, select the transit VPC and Click Attach.

The IGW is seen as attached to the VPC that was created:

Create a Route Table

Next, we will create a route table for the Transit VPC: from the VPC Dashboard, select Route Tables menu and Create Route table as shown:

The route table must be associated with the transit VPC as highlighted above. Once you provide a name for the route table and select the Transit VPC from drop-down menu, Click Create.

Next step is to create a default route for the new transit VPC route table. Select the Routes tab and Click Edit.

Add a 0.0.0.0/0 destination that point to the IGW previously created.

Next, from the same window, select the subnet associations tab and select the Edit Button and Select the public subnet created earlier. Once done, click Save.

Next you are going to Create a native “spoke” VPC (this is a VPC attach to the firebox through a VPN where we will run some EC2 instances to test access to the SDDC):

This is the end of this Part 1.

In Part 2 we are going to deploy the Watchguard VM in the transit VPC.