Configure VPN from VMC to WatchGuardTM Firebox Cloud – Part 3

In this Part, I will show you how to configure an IPsec VPN from the “spoke” native VPC to the Firebox instance deployed in the transit VPC. This permits to leverage the Watchguard Firewall instance in the transit VPC as a filtering device from any trafic coming outside (SDDC, spoke VPC, on-prem).

Phase 1 – VPC’s VPN Configuration

In order to configure the VPN in the VPC, I need to do some preparation in the native VPC which consists in creating a Customer Gateway, a Virtual Private Gateway and attach them together.

To do so, let’s first Connect to the AWS console again!

Select IAM User and enter ID of your AWS account

Log in with the user account that have the administrative privileges on this account.

Create a Customer Gateway

NI have to go to the VPC Dashboard and Select Customer Gateways under VIRTUAL PRIVATE NETWORK Menu on the left.

I click Create Customer Gateway and choose Dynamic as a routing option, add the public Elastic-IP address of the FW. Specify the BGP ASN to a value different from the potential peer.

Create a Virtual Private Gateway

I’ll now create a brand new Virtual Private Gateway and attach it to the spoke VPC created earlier.

The VGW appears as detached:

I’ll select it and in the Actions drop-down menu, I select Attach to VPC option:

It now shows as attached:

Create a VPN Connection

Now I will create the VPN Connection by associating the VGW to the Customer Gateway that I have created:

Once the VPN connection available, I select Download Configuration. This will open the following window:

I select Watchguard, inc. as a Vendor and click Download button. A file containing all the configuration is created. I am going to use it to configure the Firebox now.

Phase 2 – FireBox’s VPN Configuration

First I need to Connect to Fireware Web UI by opening a web browser to the public IP address of the Firebox Cloud instance

I log in with the admin user account and I make sure to specify the passphrase I have set in the Firebox Cloud Setup Wizard.

Then I Select VPN, BOVPN Virtual Interfaces on the left and click the lock icon.

First I started by following the instruction in the VPN configuration file downloaded earlier.

So I enter the interface name and switch the Remote Endpoint Type to Cloud VPN or Third Party Gateway.

In the Gateway Settings-> Credential Method, I have entered the Use Pre-Shared Key stated in the file:

In the Gateway Settings–>Gateway Endpoint–>Click ADD:. Select Local Gateway–>Interface:

I need now to Specify the gateway ID for tunnel authentication. I select By IP address: here I enter the following (this is the public Elastic-IP of the firebox).

Now I have to Select Remote Gateway–>Specify the remote gateway IP address for a tunnel to Static IP and enter the public IP of my SDDC.

Select Advanced–>Click OK

I have checked ‘Start Phase1 tunnel when it is inactive‘ and kept the ‘Add this tunnel to the BOVPN-Allow policies‘ checked.

We need to select the following for Phase 1 Settings:

1. Version: IKEv2
2. Mode: Main
3. Uncheck NAT Traversal

NAT Traversal is enabled by default but if your WatchGuard device is not behind a NAT/PAT device, please deselect NAT Traversal.

For the Dead Peer Detection, choose the following values:

a. Traffic idle timeout: 10
b. Max retries: 3

Next we have to change the Transform Settings by clicking ADD et setup the following values:

1. Authentication: SHA1
2. Encryption: AES(128-bit)
3. SA Life: 8 hours
4. Key Group: Diffie-Hellman Group 2

Click OK and Remove any pre-existing Phase 1 Transform Settings (eg. SHA1-3DES).

Now we need to configure Phase 2 of IPSEC Proposal.

I need to Go to VPN–>Phase2 Proposals–>Click ADD:

  • Name: AWS-ESP-AES128-SHA1
  • Description: AWS Phase 2 Proposal
  • Type: ESP
  • Authentication: SHA1
  • Encryption: AES(128-bit)
  • Force Key Expiration: Select ‘Time’ -> 1 hours

Click SAVE.

  1. Go to VPN–>BOVPN Virtual Interfaces–>Select vpn-054bfd003f8ac9d2d-1–>Click EDIT

Phase 2 Settings–>Perfect Forward Secrecy:

Check ‘Enable Perfect Forward Secrecy’: Diffie-Hellman Group 2
IPSec Proposals–>Click on existing proposal–>Click REMOVE
Select ‘AWS-ESP-AES128-SHA1’ from the drop-down menu–>Click ADD

Click SAVE.

Phase 3 – Configure BGP Routing

It’s now time to configure BGP dynamic routing.

  1. Go to VPN–>BOVPN Virtual Interfaces–>Select vpn-054bfd003f8ac9d2d-1–>Click EDIT
  2. VPN Routes:

In the Interface window, keep ‘Assign virtual interface IP addresses‘ option checked:

Click SAVE.

Go to Network–>Dynamic Routing

Check ‘Enable Dynamic Routing’

Click on ‘BGP’ tab:

Check ‘Enable

Add the BGP dynamic routing configuration commands in the box as seen above.

We have to add the line: router bgp 65001  but only once at the beginning of the BGP config.

Click SAVE.

Phase 4 – Check tunnel is established

Go back to AWS Console to check VPN are established:

AWS allows the creation of a second tunnel to be established between the spoke VPC and the Firebox instance. To create the second VPN session, create a second tunnel by following the same instruction as above with the parameters described in the configuration file downloaded earlier.

That concludes the Part 3 of this post. In the next final Part, I will show you how to establish a VPN from SDDC to the Firebox instance in the transit VPC.

One thought on “Configure VPN from VMC to WatchGuardTM Firebox Cloud – Part 3”

Leave a Reply

Your email address will not be published. Required fields are marked *