{"id":437,"date":"2021-01-28T15:08:26","date_gmt":"2021-01-28T14:08:26","guid":{"rendered":"https:\/\/vminded.com\/?p=437"},"modified":"2021-01-28T18:12:59","modified_gmt":"2021-01-28T17:12:59","slug":"configure-vpn-from-vmc-to-watchguardtm-firebox-cloud-part-4-final","status":"publish","type":"post","link":"https:\/\/vminded.com\/index.php\/2021\/01\/28\/configure-vpn-from-vmc-to-watchguardtm-firebox-cloud-part-4-final\/","title":{"rendered":"Configure VPN from VMC to WatchGuardTM Firebox Cloud – Part 4 (Final)"},"content":{"rendered":"\n

In the previous posts of this series on Configuring a VPN connection from WatchGuard TM Firebox to VMC, I have showed you how to setup the Firebox and how to establish a VPN with a native VPC.<\/p>\n\n\n\n

In this last post, I will attach the SDDC to the WatchGuard Firebox instance with a IPSEC route-based VPN leveraging BGP to allow for dynamic routes exchange.<\/p>\n\n\n\n

With this configuration, any compute and management segments created inside the SDDC will be the advertised into the BGP session established with the Firebox in the transit VPC.<\/p>\n\n\n\n

Firebox to SDDC IPSec VPN configuration<\/h2>\n\n\n\n

Phase 1 – VPN’s VPC configuration<\/h3>\n\n\n\n

First of all I need to collect the public IP <\/strong>address of my SDDC. This is possible by logging to the VMC Console and going to the Networking and Security tab, and Selecting the Overview window:<\/p>\n\n\n\n

\"\"
The IP of VPN is displayed as VPN Public IP. This Public IP is unique for any other VPN being established.<\/figcaption><\/figure><\/div>\n\n\n\n

N.B.: You can also request additional public IP addresses to assign to workload VMs to allow access to these VMs from the internet. VMware Cloud on AWS provisions the IP address from AWS.<\/em><\/p>\n\n\n\n

Next I’ll collect the BGP<\/strong> local ASN <\/em>number of the SDDC. Just like IP addresses, ASNs (Autonomous System Numbers) have to be unique on the Internet and the SDDC utilises two numbers: one for the route-based VPN and one for Direct Connect<\/a><\/strong>. <\/p>\n\n\n\n

To do that I Click on Edit Local ASN<\/strong> option in the VPN<\/strong> window:<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Clicking EDIT LOCAL ASN<\/strong> displays the Local ASN of the SDDC as shown here:<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

The local ASN of any brand new SDDC is by default at 65000<\/em><\/strong>. You can change it to a value in the range 64521 to 65535 (or 4200000000 to 4294967294). <\/p>\n\n\n\n

N.B.: Keep in mind that the remote BGP ASN number need to be different.<\/em><\/p>\n\n\n\n

Now it’s time to create a new Customer Gateway and map it to the SDDC settings.<\/p>\n\n\n\n

Create a New Customer Gateway<\/h4>\n\n\n\n

For that I need to go back to the AWS console and Go to the VPC Dashboard<\/em> and Select Customer Gateways<\/strong> under VIRTUAL PRIVATE NETWORK<\/strong> Menu on the left.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

I Click Create Customer Gateway <\/strong>and choose Dynamic <\/strong>as a routing option, and add the public Elastic-IP<\/strong> address of the SDDC public IP. <\/p>\n\n\n\n

I also need to specify the BGP ASN<\/strong> to the SDDC value (65000<\/strong><\/em> by default). Note that it has to be different from the BGP ASN of the Firebox in the transit VPC.<\/p>\n\n\n\n

Phase 2 \u2013 FireBox\u2019s VPN Configuration<\/h3>\n\n\n\n

Now I have to setup the VPN configuration on the Firebox itself. For this, I connect back to the Fireware Web UI<\/strong>:<\/p>\n\n\n\n

\n
\n
\n
\n
\"\"<\/figure><\/div>\n<\/div>\n\n\n\n
\n
  1. Open a web browser and go to the public IP address for your instance of Firebox Cloud at: https:\/\/<eth0_public_IP>:8080<\/em><\/strong><\/li>
  2. Log in with the admin<\/em> user account. Make sure to specify the passphrase you set in the Firebox Cloud Setup Wizard.<\/li><\/ol>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n\n\n\n

    Select VPN<\/strong>, BOVPN Virtual Interfaces<\/strong> on the left and click the lock to open the settings window.<\/p>\n\n\n\n

    Enter a name for the interface (eg. BoSddc<\/strong><\/em>) and switch the Remote Endpoint Type<\/strong> to Cloud VPN or Third-Party Gateway<\/strong><\/em>.<\/p>\n\n\n\n

    In the Gateway Settings<\/strong>-> Credential Method<\/strong>, Enter a Use Pre-Shared Key<\/strong> (note the key as you will have to use it in the SDDC setup):<\/p>\n\n\n\n

    \"\"<\/figure><\/div>\n\n\n\n

    In the Gateway Settings–>Gateway Endpoint–>Click ADD.<\/strong> <\/p>\n\n\n\n

    Select Local Gateway–>Interface: Select Physical: External<\/strong><\/p>\n\n\n\n

    Specify the gateway ID <\/strong>for tunnel authentication: Select By IP address:<\/strong> 34.210.196.xxx<\/em><\/strong> (this is the public Elastic-IP <\/strong>of the Watchguard Firebox)<\/p>\n\n\n\n

    \"\"<\/figure><\/div>\n\n\n\n

    Select Remote Gateway<\/strong>–>Specify the remote gateway IP address for a tunnel<\/em>: a the Static IP Address has to be set to the Public IP <\/strong>address of the SDDC<\/strong>:<\/p>\n\n\n\n

    \"\"<\/figure><\/div>\n\n\n\n

    Next Step, Select Advanced tab and Click OK<\/strong><\/p>\n\n\n\n

    Configure Phase 1 of IPSEC Proposal<\/h4>\n\n\n\n

    Check ‘Start Phase1 tunnel when it is inactive<\/strong><\/em>‘ and Keep the ‘Add this tunnel to the BOVPN-Allow policies<\/em><\/strong>‘ checked.<\/p>\n\n\n\n

    \"\"<\/figure><\/div>\n\n\n\n

    The Phase 1 Settings should be as follow:
    1. Version: IKEv1<\/strong>
    2. Mode: Main
    3. Uncheck NAT Traversal<\/p>\n\n\n\n

    \"\"<\/figure><\/div>\n\n\n\n

    <\/p>\n\n\n\n

    N.B.: NAT Traversal is enabled by default but if your WatchGuard device is not behind a NAT\/PAT device, please deselect NAT Traversal.<\/em><\/p>\n\n\n\n

    Dead Peer Detection:
    a. Traffic idle timeout: 10
    b. Max retries: 3<\/p>\n\n\n\n

    Transform Settings–>Click ADD<\/strong>:<\/p>\n\n\n\n

    1. Authentication: SHA1
    2. Encryption: AES(128-bit)
    3. SA Life: 8 hours
    4. Key Group: Diffie-Hellman Group 2<\/p>\n\n\n\n

    \"\"<\/figure><\/div>\n\n\n\n

    <\/p>\n\n\n\n

    Click OK<\/strong>.<\/p>\n\n\n\n

    Remove any pre-existing Phase 1 Transform Settings eg. SHA1-3DES<\/em>.<\/p>\n\n\n\n

    Configure Phase 2 of IPSEC Proposal<\/h4>\n\n\n\n

    Go to VPN<\/strong>–>Phase2 Proposals<\/strong>–>Click ADD<\/strong><\/p>\n\n\n\n

    Name:<\/strong> AWS-ESP-AES128-SHA1
    Description:<\/strong> AWS Phase 2 Proposal
    Type: <\/strong>ESP
    Authentication:<\/strong> SHA1
    Encryption: <\/strong>AES(128-bit)
    Force Key Expiration: Select ‘Time’ -> 1 hours<\/strong><\/em><\/p>\n\n\n\n

    \"\"<\/figure><\/div>\n\n\n\n

    <\/p>\n\n\n\n

    Click SAVE<\/strong>.<\/p>\n\n\n\n

    Go to VPN–>BOVPN Virtual Interfaces–>Select BoSddc<\/strong><\/em>–>Click EDIT<\/strong><\/p>\n\n\n\n

    Phase 2 Settings–>Perfect Forward Secrecy:<\/p>\n\n\n\n

    Check ‘Enable Perfect Forward Secrecy’<\/strong>: Diffie-Hellman Group 2
    IPSec Proposals–>Click on existing proposal–>Click REMOVE
    <\/strong>Select ‘AWS-ESP-AES128-SHA1’<\/strong> from the drop-down menu–>Click ADD<\/strong><\/p>\n\n\n\n

    \"\"<\/figure><\/div>\n\n\n\n

    Click SAVE<\/strong>.<\/p>\n\n\n\n

    Configure BGP dynamic routing.<\/h4>\n\n\n\n

    Go to VPN–>BOVPN Virtual Interfaces–>Select BoSddc<\/em><\/strong>–>Click EDIT<\/strong><\/p>\n\n\n\n

    For the VPN Routes<\/em><\/strong> settings, I keep ‘Assign virtual interface IP addresses<\/strong><\/em>‘ option checked for the Interface<\/strong> option.<\/p>\n\n\n\n

    \n
    \n
    \"\"<\/figure><\/div>\n<\/div>\n<\/div>\n\n\n\n

    Then I setup the Local IP address to: 169.254.85.186<\/strong><\/em> and Peer IP address or netmask to: 255.255.255.252<\/strong><\/em><\/p>\n\n\n\n

    then Click SAVE<\/strong>.<\/p>\n\n\n\n

    Go to Network–>Dynamic Routing and Check ‘Enable Dynamic Routing’.<\/p>\n\n\n\n

    Click on ‘BGP’: Check ‘Enable’<\/p>\n\n\n\n

    I have to Add the below BGP dynamic routing <\/strong>configuration commands in the box: <\/p>\n\n\n\n

    router bgp 65001\u00a0\u00a0\u00a0 <\/em>— N.B.: <\/strong>Use this command only once at the beginning of the BGP config as this the local ASN number that the Firebox will use for any VPNs.<\/p>\n\n\n\n

    NOw it’s time to add the configuration for the second BGP neighbor that we need to configure for the SDDC:<\/p>\n\n\n\n

    neighbor 169.254.85.185 remote-as 65000
    neighbor 169.254.85.185 activate
    neighbor 169.254.85.185 timers 10 30<\/em><\/p>\n\n\n\n

    Click SAVE<\/strong>.<\/p>\n\n\n\n

    Phase 3 \u2013 VMC on AWS SDDC\u2019s VPN Configuration<\/h2>\n\n\n\n

    VMC on AWS allows to create up to 4 IPSEC route-based VPN tunnels <\/strong>to be established between Firebox\/VPC and your SDDC. To create the VPN on the SDDC side, you first have to Connect to the SDDC console<\/a><\/strong>.<\/p>\n\n\n\n

    Then you need to Go to the Networking & Security<\/strong> tab.<\/p>\n\n\n\n

    Select Network<\/strong> -> VPN<\/strong> and Click on the Route Based<\/strong> tab.<\/p>\n\n\n\n

    Click ADD VPN<\/strong>.<\/p>\n\n\n\n

    \"\"<\/figure>\n\n\n\n

    <\/p>\n\n\n\n

    Next, you have to enter the following configuration settings:<\/p>\n\n\n\n