{"id":282,"date":"2021-01-21T17:02:25","date_gmt":"2021-01-21T16:02:25","guid":{"rendered":"http:\/\/vminded.com\/?p=282"},"modified":"2021-01-28T15:09:23","modified_gmt":"2021-01-28T14:09:23","slug":"configure-vpn-from-vmc-to-watchguardtm-firebox-cloud-part-3","status":"publish","type":"post","link":"https:\/\/vminded.com\/index.php\/2021\/01\/21\/configure-vpn-from-vmc-to-watchguardtm-firebox-cloud-part-3\/","title":{"rendered":"Configure VPN from VMC to WatchGuardTM Firebox Cloud – Part 3"},"content":{"rendered":"\n

In this Part, I will show you how to configure an IPsec VPN<\/strong> from the “spoke” native VPC to the Firebox instance deployed in the transit VPC. This permits to leverage the Watchguard Firewall instance in the transit VPC as a filtering device from any trafic coming outside (SDDC, spoke VPC, on-prem).<\/p>\n\n\n\n

Phase 1 \u2013 VPC’s VPN Configuration<\/h2>\n\n\n\n

In order to configure the VPN in the VPC, I need to do some preparation in the native VPC which consists in creating a Customer Gateway, a Virtual Private Gateway and attach them together.<\/p>\n\n\n\n

To do so, let’s first Connect to the AWS console<\/a><\/strong> again!<\/p>\n\n\n\n

Select IAM User<\/strong> and enter ID<\/strong> of your AWS account<\/a><\/strong><\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Log in with the user account that have the administrative privileges on this account.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Create a Customer Gateway<\/h3>\n\n\n\n

NI have to go to the VPC Dashboard<\/strong> and Select Customer Gateways<\/strong> under VIRTUAL PRIVATE NETWORK<\/strong> Menu on the left.<\/p>\n\n\n\n

I click Create Customer Gateway <\/strong>and choose Dynamic <\/strong>as a routing option, add the public Elastic-IP<\/strong> address of the FW. Specify the BGP ASN<\/strong> to a value different from the potential peer.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Create a Virtual Private Gateway<\/h3>\n\n\n\n

I’ll now create a brand new Virtual Private Gateway<\/strong> and attach it to the spoke VPC<\/strong> created earlier.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

The VGW<\/strong> appears as detached:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I’ll select it and in the Actions<\/strong> drop-down menu, I select Attach to VPC<\/strong> option:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

It now shows as attached:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

<\/p>\n\n\n\n

Create a VPN Connection<\/h3>\n\n\n\n

Now I will create the VPN Connection <\/strong>by associating the VGW<\/strong> to the Customer Gateway <\/strong>that I have created:<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Once the VPN connection available, I select Download Configuration<\/strong>. This will open the following window:<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

I select Watchguard, inc.<\/strong> as a Vendor and click Download<\/strong> button. A file containing all the configuration is created. I am going to use it to configure the Firebox now.<\/p>\n\n\n\n

Phase 2 \u2013 FireBox\u2019s VPN Configuration<\/h2>\n\n\n\n

First I need to Connect to Fireware Web UI<\/strong> by opening a web browser to the public IP address of the Firebox Cloud instance
https:\/\/<eth0_public_IP>:8080<\/em><\/strong><\/p>\n\n\n\n

I log in with the admin<\/em> user account and I make sure to specify the passphrase I have set in the Firebox Cloud Setup Wizard.<\/p>\n\n\n\n

Then I Select VPN<\/strong>, BOVPN Virtual Interfaces<\/strong> on the left and click the lock icon<\/strong>.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

First I started by following the instruction in the VPN configuration file downloaded earlier. <\/p>\n\n\n\n

So I enter the interface name and switch the Remote Endpoint Type<\/strong> to Cloud VPN or Third Party Gateway<\/strong>.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

In the Gateway Settings<\/strong>-> Credential Method<\/strong>, I have entered the Use Pre-Shared Key<\/strong> stated in the file:<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

In the Gateway Settings–>Gateway Endpoint–>Click ADD:. Select Local Gateway–>Interface:<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

I need now to Specify the gateway ID for tunnel authentication. I select By IP address<\/strong>: here I enter the following 34.210.196.xxx (this is the public Elastic-IP of the firebox).<\/p>\n\n\n\n

Now I have to Select Remote Gateway–>Specify the remote gateway IP address for a tunnel to Static IP<\/strong> and enter the public IP of my SDDC.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Select Advanced–>Click OK<\/strong><\/p>\n\n\n\n

I have checked ‘Start Phase1 tunnel when it is inactive<\/strong>‘ and kept the ‘Add this tunnel to the BOVPN-Allow policies<\/strong>‘ checked.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

We need to select the following for Phase 1 Settings<\/strong>:<\/p>\n\n\n\n

1. Version:<\/strong> IKEv2
2. Mode: <\/strong>Main
3. Uncheck NAT Traversal<\/strong><\/p>\n\n\n\n

NAT Traversal is enabled by default but if your WatchGuard device is not behind a NAT\/PAT device, please deselect NAT Traversal.<\/em><\/p>\n\n\n\n

For the Dead Peer Detection<\/strong>, choose the following values:<\/p>\n\n\n\n

a. Traffic idle timeout<\/strong>: 10
b. Max retries: <\/strong>3<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Next we have to change the Transform Settings<\/strong> by clicking ADD<\/strong> et setup the following values:<\/p>\n\n\n\n

1. Authentication:<\/strong> SHA1
2. Encryption: <\/strong>AES(128-bit)
3. SA Life:<\/strong> 8 hours
4. Key Group: <\/strong>Diffie-Hellman Group 2<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Click OK <\/strong>and Remove any pre-existing Phase 1 Transform Settings<\/strong> (eg. SHA1-3DES).<\/p>\n\n\n\n

Now we need to configure Phase 2<\/strong> of IPSEC Proposal<\/em>.<\/p>\n\n\n\n

I need to Go to VPN–>Phase2 Proposals–>Click ADD:<\/p>\n\n\n\n