Amazon Web Services and Cloud-Managed Firebox with Dynamic Routing BOVPN Integration Guide

This integration guide describes how to configure a BOVPN tunnel with dynamic routing (BGP) between a WatchGuard cloud-managed Firebox and an Amazon Virtual Private Cloud (VPC) in Amazon Web Services (AWS).

Integration Summary

The hardware and software used in this guide include:

  • WatchGuard Firebox with Fireware v12.7.1 or higher
  • AWS

Topology

This integration uses a BOVPN connection with dynamic routing between a cloud-managed Firebox and AWS.

Topology diagram

Before You Begin

Before you begin these procedures, make sure that:

  • You have an AWS administrator account.
  • You have set up a VPC environment with a subnet and a security group.
  • You have set up an EC2 instance in AWS.
  • You have a WatchGuard Cloud account.
  • You have added your Firebox to WatchGuard Cloud as a cloud-managed device.

For more information about AWS VPC and EC2, go to Amazon Virtual Private Cloud and Amazon Elastic Compute Cloud in the AWS documentation.

Additional charges might apply to use AWS.

Configure AWS

To configure AWS:

  1. Create a Customer Gateway.
  2. Create a Virtual Private Gateway.
  3. Enable Route Propagation for the Virtual Private Gateway.
  4. Create a Site-to-Site VPN Connection.
  5. Edit the Security Group.

Create a Customer Gateway

A customer gateway is a resource that you create in AWS that represents your cloud-managed Firebox.

To create a customer gateway:

  1. Log in to the AWS Management Console.
  2. In the Search text box, type and select VPC.
    The VPC Dashboard page opens.
  3. From the navigation menu, select Virtual Private Network (VPN) > Customer Gateways.
  4. Click Create Customer Gateway.
    The Create Customer Gateway page opens.
    Screenshot of AWS, Create Customer Gateway page
  5. (Optional) In the Name Tag - Optional text box, type a descriptive name. In our example, we use Firebox-CGW.
  6. In the BGP ASN text box, type a private ASN from 64512 through 65534. In our example, we use the default value of 65000.
  7. In the IP Address text box, type the public IP address of your cloud-managed Firebox. This is the address AWS must reach for IKE: the External interface address, or, if the Firebox is behind NAT, the public address of the NAT device.
  8. Keep the default value for all other settings.
  9. Click Create Customer Gateway.
    The customer gateway is created and added to the Customer Gateways list.

Create a Virtual Private Gateway

A virtual private gateway is the VPN endpoint on the AWS side of the BOVPN tunnel that you attach to your VPC.

To create a virtual private gateway, from the AWS Management Console:

  1. On the VPC Dashboard page, from the navigation menu, select Virtual Private Network (VPN) > Virtual Private Gateways.
  2. Click Create Virtual Private Gateway.
    The Create Virtual Private Gateway page opens.
    Screenshot of AWS, Create Virtual Private Gateway page
  3. (Optional) In the Name Tag - Optional text box, type a descriptive name. In our example, we use AWS-VGW.
  4. For Autonomous System Number (ASN), select Custom ASN, then type a private ASN from 64512 through 65534. In our example, we use 65001.

    The custom ASN must be different from the Customer Gateway ASN you typed in Create a Customer Gateway, because the session between the Firebox and AWS is eBGP.

  5. At the bottom of the page, click Create Virtual Private Gateway.
    The Virtual Private Gateways page opens.
    Screenshot of AWS, Virtual Private Gateways page
  6. From the Virtual Private Gateways list, select the gateway you created in the previous step.
  7. To attach your virtual private gateway to your VPC, from the Actions drop-down list, select Attach to VPC.
    The Attach to VPC page opens.
    Screenshot of AWS, Attach to VPC page
  8. From the Available VPCs drop-down list, select your VPC.
  9. Click Attach to VPC.
    The virtual private gateway is attached to your VPC. It might take a few minutes to complete the process.

Enable Route Propagation for the Virtual Private Gateway

The VPC route table directs traffic destined for your network on the Firebox side through the virtual private gateway and over the VPN tunnel. When you enable route propagation for the virtual private gateway, the routes the Firebox advertises over BGP are added to the route table automatically, so you do not need to add them manually.

To enable route propagation for the virtual private gateway, from the AWS Management Console:

  1. On the VPC Dashboard page, from the navigation menu, select Virtual Private Cloud > Route Tables.
    The Route Tables page opens.
    Screenshot of AWS, Route Tables page
  2. Select the route table associated with the subnet that contains your EC2 instance.
  3. From the Actions drop-down list, select Edit Route Propagation.
    The Edit Route Propagation page opens.
    Screenshot of AWS, Edit Route Propagation page
  4. Enable the Propagation option for the virtual private gateway you attached.
  5. Click Save.
    Propagation is enabled for the virtual private gateway.

Create a Site-to-Site VPN Connection

To enable access to your network from your VPC, set up a site-to-site VPN connection in AWS.

To create a site-to-site VPN connection, from the AWS Management Console:

  1. On the VPC Dashboard page, from the navigation menu, select Virtual Private Network (VPN) > Site-to-Site VPN Connections.
  2. Click Create VPN Connection.
    The Create VPN Connection page opens.
    Screenshot of AWS, Create VPN Connection page
  3. (Optional) In the Name Tag - Optional text box, type a descriptive name. In our example, we use toFirebox-BOVPN-dynamic.
  4. For Target Gateway Type, select Virtual Private Gateway.
  5. From the Virtual Private Gateway drop-down list, select the virtual private gateway you created in the Create a Virtual Private Gateway section.
  6. For Customer Gateway, select Existing.
  7. From the Customer Gateway ID drop-down list, select the customer gateway you created in the Create a Customer Gateway section.
  8. For Routing Options, select Dynamic (Requires BGP).
  9. Keep the default value for all other settings.
  10. Click Create VPN Connection.
    The VPN connection is created with two tunnels. It might take a few minutes to complete the process.
    Screenshot of AWS, VPN Connections page
  11. From the list of VPN connections, select the VPN connection you created in the previous steps.
  12. From the Actions drop-down list, select Modify VPN Tunnel Options.
    The Modify VPN Tunnel Options page opens.
    Screenshot of AWS, Modify VPN Tunnel Options page
  13. From the VPN Tunnel Outside IP Address drop-down list, select a VPN tunnel.
  14. From the Details section, copy these tunnel details:
    • VPN Tunnel Outside IP Address
    • Inside IPv4 CIDR
    • Pre-Shared Key
    You need these details in the Configure a BOVPN Connection section. Treat the pre-shared key as a secret.

    Screenshot of AWS, Modify VPN Tunnel Options page

  15. Specify these settings:
    • Phase 1 Encryption Algorithms: AES256
    • Phase 2 Encryption Algorithms: AES256
    • Phase 1 Integrity Algorithms: SHA2-256
    • Phase 2 Integrity Algorithms: SHA2-256
    • Phase 1 DH Group Numbers: 14
    • Phase 2 DH Group Numbers: 14
    • IKE Version: ikev2
    Screenshot of AWS, Additional settings on the Modify VPN Tunnel Options page
    By default, each AWS tunnel accepts a broader list of proposals, which includes AES128, SHA1, DH group 2 and IKEv1, and the tunnel uses whichever allowed proposal the peer offers. Clear every value except the ones listed above so that the tunnel cannot negotiate anything weaker than the settings you configure on the Firebox.
  16. Keep the default value for all other settings.
  17. Click Save Changes.
    The VPN changes are saved. It might take a few minutes to complete the process.
  18. (Optional) Repeat Steps 11–17 for the second tunnel if you need to use two VPN tunnels for redundancy. Each tunnel has its own outside IP address, Inside IPv4 CIDR, pre-shared key and tunnel options.

Edit the Security Group

To allow traffic from your network to reach the EC2 instance in your VPC, you must edit the inbound rules of the security group associated with the instance.

To edit the security group, from the AWS Management Console:

  1. On the VPC Dashboard page, from the navigation menu, select Security > Security Groups.
    The Security Groups page opens.
    Screenshot of AWS, Security Groups page
  2. Select the security group associated with your EC2 instance.
  3. From the Actions drop-down list, select Edit Inbound Rules.
    The Edit Inbound Rules page opens.
    Screenshot of AWS, Edit Inbound Rules page
  4. To create a new inbound rule, click Add Rule.
    A new row appears in the list.
  5. In the new row:
    1. From the Type drop-down list, select All Traffic.
    2. From the Source drop-down list, select Custom.
    3. In the source text box, type the IPv4 CIDR range of your internal network on the Firebox side. In our example, we type 10.0.77.0/24.
    All Traffic is the simplest setting for this test. In production, allow only the protocols and ports the EC2 instance must accept from your network.
  6. Click Save Rules.
    The inbound rules for the security group are updated.
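The AWS procedure above, expressed as code. This is an added example written for this guide, not AWS or WatchGuard code: it builds the same customer gateway, virtual private gateway, route propagation, Site-to-Site VPN connection and security group rule through the EC2 API (boto3), and it narrows the tunnel proposals to the AES256 / SHA2-256 / DH group 14 / IKEv2 set selected above, refusing to send a request that would leave a weaker proposal negotiable. The request-building functions run offline; apply() is only called with --apply and needs boto3 and AWS credentials. The resource IDs, addresses and ASNs in SAMPLE are placeholders.

```python
"""
The AWS side of this guide as one script: customer gateway, virtual private
gateway, route propagation, Site-to-Site VPN connection with hardened tunnel
options, and the security group rule.

Added example for this guide, not AWS or WatchGuard code. The functions that
build the request payloads run offline; apply() only runs with --apply and
needs boto3 with credentials. Every value in SAMPLE is a placeholder.
"""
import sys

# Proposals this guide selects. The AWS defaults are broader (AES128, SHA1,
# DH group 2 and IKEv1 are among the accepted values) and a tunnel uses whatever
# allowed proposal the peer offers, so narrowing the lists is what prevents a
# downgrade below the settings configured on the Firebox.
ALLOWED = {
    "Phase1EncryptionAlgorithms": ["AES256"],
    "Phase2EncryptionAlgorithms": ["AES256"],
    "Phase1IntegrityAlgorithms": ["SHA2-256"],
    "Phase2IntegrityAlgorithms": ["SHA2-256"],
    "Phase1DHGroupNumbers": [14],
    "Phase2DHGroupNumbers": [14],
    "IKEVersions": ["ikev2"],
}
WEAK = {"AES128", "SHA1", 2, "ikev1"}  # never let these be negotiable


def tunnel_options(inside_cidr=None, preshared_key=None):
    """One TunnelOptions entry in the shape the EC2 CreateVpnConnection API expects."""
    opt = {key: [{"Value": v} for v in values] for key, values in ALLOWED.items()}
    if inside_cidr:
        opt["TunnelInsideCidr"] = inside_cidr  # otherwise AWS picks a 169.254.x.x/30
    if preshared_key:
        opt["PreSharedKey"] = preshared_key  # otherwise AWS generates one
    return opt


def weak_proposals(opt):
    """Weak values still present in a TunnelOptions entry; an empty set means hardened."""
    return {e["Value"] for key in ALLOWED for e in opt.get(key, []) if e["Value"] in WEAK}


def vpn_connection_request(cgw_id, vgw_id, tunnel_opts):
    """Request body for a dynamic (BGP) Site-to-Site VPN; rejects weak tunnel options."""
    for opt in tunnel_opts:
        bad = weak_proposals(opt)
        if bad:
            raise ValueError("weak proposals would be negotiable: "
                             + ", ".join(map(str, sorted(bad, key=str))))
    return {
        "Type": "ipsec.1",
        "CustomerGatewayId": cgw_id,
        "VpnGatewayId": vgw_id,
        "Options": {"StaticRoutesOnly": False, "TunnelOptions": list(tunnel_opts)},
    }


def ingress_rule(internal_cidr, protocol="-1", from_port=None, to_port=None):
    """Security group inbound rule. The guide allows all traffic (protocol -1)
    from the Firebox internal network; pass a protocol and ports to scope it down."""
    perm = {"IpProtocol": protocol, "IpRanges": [{"CidrIp": internal_cidr}]}
    if protocol != "-1":
        perm["FromPort"], perm["ToPort"] = from_port, to_port
    return [perm]


SAMPLE = {  # placeholders, not real resources
    "firebox_public_ip": "203.0.113.10", "cgw_asn": 65000, "vgw_asn": 65001,
    "vpc_id": "vpc-0123456789abcdef0", "route_table_id": "rtb-0123456789abcdef0",
    "security_group_id": "sg-0123456789abcdef0", "internal_cidr": "10.0.77.0/24",
    "tunnels": [{}, {}],  # two tunnels, AWS-generated inside CIDRs and keys
}


def apply(cfg):
    import boto3  # only needed for the live run
    ec2 = boto3.client("ec2")
    cgw = ec2.create_customer_gateway(Type="ipsec.1", IpAddress=cfg["firebox_public_ip"],
                                      BgpAsn=cfg["cgw_asn"])["CustomerGateway"]
    vgw = ec2.create_vpn_gateway(Type="ipsec.1", AmazonSideAsn=cfg["vgw_asn"])["VpnGateway"]
    ec2.attach_vpn_gateway(VpnGatewayId=vgw["VpnGatewayId"], VpcId=cfg["vpc_id"])
    ec2.enable_vgw_route_propagation(GatewayId=vgw["VpnGatewayId"],
                                     RouteTableId=cfg["route_table_id"])
    request = vpn_connection_request(cgw["CustomerGatewayId"], vgw["VpnGatewayId"],
                                     [tunnel_options(**t) for t in cfg["tunnels"]])
    vpn = ec2.create_vpn_connection(**request)["VpnConnection"]
    ec2.authorize_security_group_ingress(GroupId=cfg["security_group_id"],
                                         IpPermissions=ingress_rule(cfg["internal_cidr"]))
    # CustomerGatewayConfiguration holds the outside IPs, inside CIDRs and
    # pre-shared keys you enter on the Firebox, so handle it as a secret.
    return vpn["VpnConnectionId"], vpn["CustomerGatewayConfiguration"]


if __name__ == "__main__":
    if "--apply" in sys.argv:
        print(apply(SAMPLE)[0])
    else:
        print(vpn_connection_request("cgw-placeholder", "vgw-placeholder",
                                     [tunnel_options(**t) for t in SAMPLE["tunnels"]]))
```

Run it without arguments to see the request body that would be sent; the weak_proposals() check is the code equivalent of clearing the extra values on the Modify VPN Tunnel Options page.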

Configure the Cloud-Managed Firebox

To configure the cloud-managed Firebox:

  1. Configure a BOVPN Connection.
  2. Configure Dynamic Routing.

Configure a BOVPN Connection

To enable access from your network to your VPC, configure a BOVPN connection in WatchGuard Cloud.

To configure a BOVPN connection on the cloud-managed Firebox:

  1. Log in to WatchGuard Cloud with your WatchGuard Cloud operator account credentials.
    If you log in with a Service Provider account, you must select a Subscriber account from the Account Manager.
  2. From the navigation menu, select Configure > VPNs.
  3. Click Add BOVPN.
    The Add BOVPN page opens.
    Screenshot of WatchGuard Cloud, Add BOVPN page
  4. In the Name text box, type a descriptive name.
  5. From the VPN Connection Type drop-down list, select Route-Based IPSec to Locally-Managed Firebox / Third-Party.
  6. From the Address Family drop-down list, select IPv4 Addresses.
  7. In the Endpoint A section, select your cloud-managed Firebox.
  8. In the Endpoint B section, in the Endpoint Name text box, type a name to identify the remote VPN endpoint. In our example, we use AWS VPC.
  9. Click Next.
    The VPN Gateways settings open.
    Screenshot of WatchGuard Cloud, Add BOVPN page with VPN gateway settings
  10. In the VPN Gateways (IPv4 Addresses) section:
    1. For your cloud-managed Firebox, select the External network.
    2. For your AWS VPC connection, in the IP or Domain Name text box, type the VPN Tunnel Outside IP Address you copied from AWS in the Create a Site-to-Site VPN Connection section.
  11. In the Pre-Shared Key text box, type the Pre-Shared Key you copied from AWS in the Create a Site-to-Site VPN Connection section.
  12. Click Next.
    The Traffic settings open.
    Screenshot of WatchGuard Cloud, Add BOVPN page with Traffic settings
  13. For your cloud-managed Firebox, in the Virtual IP Address text box, type the second usable IP address in the Inside IPv4 CIDR range you copied in the Create a Site-to-Site VPN Connection section. AWS takes the first usable address of this /30 and the customer gateway (the Firebox) takes the second. In our example, the Inside IPv4 CIDR is 169.254.224.128/30, so we type 169.254.224.130/32.
  14. For your AWS VPC connection, in the Virtual IP Address text box, type the first usable IP address in the same Inside IPv4 CIDR range. In our example, we type 169.254.224.129/32.
  15. (Optional) Select the Enable Don't Fragment (DF) Bit Settings check box.
  16. (Optional) Select the Configure Tunnel MTU check box.
  17. Keep the default value for all other settings.
  18. Click Next.
    The Security settings open.
    Screenshot of WatchGuard Cloud, Add BOVPN page Security settings
  19. In the Phase 1 Settings section:
    1. From the Authentication drop-down list, select SHA2-256.
    2. From the Encryption drop-down list, select AES-CBC (256-bit).
    3. In the SA Life text box, type 8 (hours). This matches the AWS default Phase 1 lifetime of 28800 seconds.
    4. From the Diffie-Hellman Group drop-down list, select Diffie-Hellman Group14.
  20. In the Phase 2 Settings section:
    1. From the Authentication drop-down list, select SHA2-256.
    2. From the Encryption drop-down list, select AES-CBC (256-bit).
    3. Select the Use Perfect Forward Secrecy (PFS) check box.
    4. From the PFS Group drop-down list, select Diffie-Hellman Group14.
    These settings match the tunnel options you restricted in AWS; if the two sides do not share a proposal, Phase 1 or Phase 2 negotiation fails.
  21. Keep the default value for all other settings.
  22. Click Add.
  23. Click Finish.
    When you add a BOVPN for a cloud-managed Firebox, WatchGuard Cloud immediately creates and deploys a configuration update for the cloud-managed Firebox.

  24. (Optional) Repeat Steps 3–23 to create another BOVPN if you need to use two VPN tunnels for redundancy. Use the VPN Tunnel Outside IP Address, Inside IPv4 CIDR and Pre-Shared Key of the second AWS tunnel.

For more information about BOVPN configuration on the cloud-managed Firebox, go to Manage BOVPNs for Cloud-Managed Fireboxes.

Configure Dynamic Routing

When you configure dynamic routing, your routing table updates automatically, so you do not need to add routes manually.

To configure dynamic routing, from WatchGuard Cloud:

  1. From the navigation menu, select Configure > Devices.
  2. Select your cloud-managed Firebox, then select Device Configuration.
    The configuration settings for your Firebox open.
    Screenshot of WatchGuard Cloud, Firebox configuration settings
  3. In the Networking section, select the Routes tile.
    The Routes page opens.
    Screenshot of WatchGuard Cloud, Routes page
  4. Select the Dynamic Routing tab.
  5. Enable BGP.
  6. In the Routing Commands window, type these commands. The local ASN must match the BGP ASN of the customer gateway, the remote-as value must match the ASN of the virtual private gateway, and the neighbor address is the AWS VPC Virtual IP Address you typed in the Configure a BOVPN Connection section (the first usable address of the tunnel Inside IPv4 CIDR):

    ! The local BGP ASN is 65000 (the Customer Gateway ASN)
    router bgp 65000
    ! The Firebox cannot learn or announce routes over an eBGP session until you add an inbound or outbound BGP policy.
    ! 'no bgp ebgp-requires-policy' removes that requirement: the Firebox then accepts every prefix the virtual private gateway advertises and announces every prefix in its BGP table.
    no bgp ebgp-requires-policy
    ! When import-check is enabled, a network that does not exist in the IGP is marked as invalid and is not advertised.
    no bgp network import-check
    ! Advertise the local network
    network 10.0.77.0/24
    ! To AWS VPC (remote) over the first tunnel; keepalive 10 and hold 30 match the AWS defaults
    neighbor 169.254.224.129 remote-as 65001
    neighbor 169.254.224.129 activate
    neighbor 169.254.224.129 timers 10 30

  7. (Optional) If you use two VPN tunnels, in the Routing Commands window, add the BGP neighbor for the second tunnel.
    The neighbor IP address must be the AWS VPC Virtual IP Address you configured in the Configure a BOVPN Connection section for the second tunnel, which is the first usable address of that tunnel's Inside IPv4 CIDR. In our example, the second tunnel Inside IPv4 CIDR is 169.254.9.160/30:

    ! To AWS VPC (remote) over the second tunnel
    neighbor 169.254.9.161 remote-as 65001
    neighbor 169.254.9.161 activate
    neighbor 169.254.9.161 timers 10 30

  8. (Optional) To verify that the routing commands are valid, click Validate.
  9. Click Save.
  10. In the message banner, click Schedule Deployment.
    The Schedule Deployment dialog box opens.
    Screenshot of WatchGuard Cloud, Schedule Deployment dialog box
  11. Select Deploy Changes Now.
  12. In the Description text box, type a description.
  13. Click Deploy.
  14. Click Close.
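The two derivations a practitioner gets wrong most often in this procedure are the virtual IP addresses (which side of the Inside IPv4 CIDR is AWS and which is the Firebox, in the Configure a BOVPN Connection section) and the matching BGP neighbor lines in the Configure Dynamic Routing section. The following added example, written for this guide and not WatchGuard or AWS code, takes the tunnel details copied from AWS and derives both, checking the constraints AWS places on the inside CIDR (a /30 inside 169.254.0.0/16 that does not overlap the ranges AWS reserves) and on the ASNs. The tunnel values in SAMPLE_TUNNELS are constructed to match the guide's example; the outside IP addresses are placeholders.

```python
"""
Derive the BOVPN virtual IPs and the Firebox BGP routing commands from the
tunnel details copied out of the AWS Site-to-Site VPN connection.

Added example for this guide, not WatchGuard or AWS code. SAMPLE_TUNNELS holds
constructed values in the shape the guide uses.
"""
import ipaddress

# Link-local /30s AWS reserves; a tunnel inside CIDR must not overlap them
# (per the AWS Site-to-Site VPN tunnel options documentation).
AWS_RESERVED_INSIDE_CIDRS = [ipaddress.ip_network(c) for c in (
    "169.254.0.0/30", "169.254.1.0/30", "169.254.2.0/30", "169.254.3.0/30",
    "169.254.4.0/30", "169.254.5.0/30", "169.254.169.252/30",
)]
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
PRIVATE_ASN_RANGE = range(64512, 65535)  # 16-bit private ASNs 64512..65534


def tunnel_addresses(inside_cidr):
    """Return (aws_virtual_ip, firebox_virtual_ip) for one tunnel.

    AWS takes the first usable address of the /30 and the customer gateway
    (the Firebox) takes the second, which is what the guide's example
    169.254.224.128/30 -> AWS .129, Firebox .130 shows.
    """
    net = ipaddress.ip_network(inside_cidr, strict=True)  # rejects host bits set
    if net.prefixlen != 30 or not net.subnet_of(LINK_LOCAL):
        raise ValueError(f"{inside_cidr}: inside CIDR must be a /30 inside 169.254.0.0/16")
    if any(net.overlaps(r) for r in AWS_RESERVED_INSIDE_CIDRS):
        raise ValueError(f"{inside_cidr}: overlaps an AWS-reserved inside CIDR")
    hosts = list(net.hosts())  # the two usable addresses of a /30
    return str(hosts[0]), str(hosts[1])


def bgp_commands(local_asn, remote_asn, local_networks, tunnels, keepalive=10, hold=30):
    """Render the Firebox Routing Commands block, one eBGP neighbor per tunnel."""
    if local_asn == remote_asn:
        raise ValueError("eBGP to AWS needs different ASNs on the two sides")
    for asn in (local_asn, remote_asn):
        if asn not in PRIVATE_ASN_RANGE:
            raise ValueError(f"ASN {asn} is outside the private range 64512-65534")
    lines = [f"! The local BGP ASN is {local_asn}", f"router bgp {local_asn}",
             "no bgp ebgp-requires-policy", "no bgp network import-check"]
    for n in local_networks:
        ipaddress.ip_network(n, strict=True)  # catch typos before they reach the Firebox
        lines.append(f"network {n}")
    for idx, t in enumerate(tunnels, start=1):
        aws_ip, _ = tunnel_addresses(t["inside_cidr"])  # the neighbor is the AWS side
        lines.append(f"! To AWS VPC (remote) over tunnel {idx}, outside IP {t['outside_ip']}")
        lines.append(f"neighbor {aws_ip} remote-as {remote_asn}")
        lines.append(f"neighbor {aws_ip} activate")
        lines.append(f"neighbor {aws_ip} timers {keepalive} {hold}")
    return "\n".join(lines)


# Constructed sample values in the shape of the guide's example (placeholder outside IPs).
SAMPLE_TUNNELS = [
    {"outside_ip": "203.0.113.10", "inside_cidr": "169.254.224.128/30"},
    {"outside_ip": "203.0.113.11", "inside_cidr": "169.254.9.160/30"},
]

if __name__ == "__main__":
    for t in SAMPLE_TUNNELS:
        aws_ip, fb_ip = tunnel_addresses(t["inside_cidr"])
        print(f"{t['inside_cidr']}: AWS VPC virtual IP {aws_ip}/32, Firebox virtual IP {fb_ip}/32")
    print(bgp_commands(65000, 65001, ["10.0.77.0/24"], SAMPLE_TUNNELS))
```

The output for the sample is the virtual IP pair for each tunnel followed by a routing block equivalent to the one in Step 6 and Step 7 above, so the same function produces the second-tunnel neighbor lines from the second tunnel's Inside IPv4 CIDR rather than from memory.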

Test the Integration

To test the integration of the BOVPN tunnel with dynamic routing between your cloud-managed Firebox and your Amazon VPC:

  1. Log in to WatchGuard Cloud.
    If you log in with a Service Provider account, you must select a Subscriber account from the Account Manager.
  2. From the navigation menu, select Monitor > Devices.
  3. Select your cloud-managed Firebox, then select Live Status > VPN > Branch Office VPN.
  4. Click the BOVPN name, and verify that the VPN is established.
    Screenshot of WatchGuard Cloud VPN page
  5. In the AWS Management Console, select the VPN connection and, on the Tunnel Details tab, verify that the tunnel Status is Up and that the Details column reports BGP routes received. In the VPC route table, verify that a propagated route for your internal network (10.0.77.0/24 in our example) has the virtual private gateway as its target.
  6. Verify that the host behind the Firebox and the EC2 instance in AWS can ping each other successfully.