Amazon Web Services and Cloud-Managed Firebox with Policy-Based BOVPN Integration Guide

This integration guide describes how to configure a policy-based BOVPN tunnel between a WatchGuard cloud-managed Firebox and Virtual Private Cloud (VPC) in Amazon Web Services (AWS).

Contents

Integration Summary

The hardware and software used in this guide include:

  • WatchGuard Firebox with Fireware v12.7.1 or higher
  • Amazon Web Services

Topology

This diagram illustrates a policy-based BOVPN connection between a cloud-managed Firebox and an AWS VPC.

Topology diagram

Before You Begin

Before you begin these procedures, make sure that you have:

  • An AWS administrator account.
  • Created a VPC environment with a subnet and a security group.
  • Created an EC2 instance in your VPC.
  • A WatchGuard Cloud account.
  • Set a public IP address for your Firebox external interface.
  • Added your Firebox to WatchGuard Cloud as a cloud-managed device.

For more information about AWS VPC and EC2, go to Amazon Virtual Private Cloud and Amazon Elastic Compute Cloud in the AWS documentation.

Additional charges might apply for the use of AWS.

Configure Amazon Web Services

To configure AWS:

  1. Create a Customer Gateway
  2. Create a Virtual Private Gateway
  3. Enable Route Propagation for the Virtual Private Gateway
  4. Create a Site-to-Site VPN Connection
  5. Edit the Security Group

Create a Customer Gateway

A customer gateway is a resource created in AWS that represents your cloud-managed Firebox.

To create a customer gateway:

  1. Log in to the AWS Management Console.
  2. From the upper navigation bar, in the Search text box, type and select VPC.
    The VPC Dashboard page opens.
  3. From the navigation menu, select Virtual Private Network (VPN) > Customer Gateways.
  4. Click Create Customer Gateway.
    The Create Customer Gateway page opens.

    5. Screenshot of AWS, Create Customer Gateway

  5. In the Name Tag - Optional text box, type a descriptive name. In our example, we use Firebox-CGW.
  6. In the IP address text box, type the public IP address of your cloud-managed Firebox.
  7. Keep the default values for all other settings.
  8. Click Create Customer Gateway.
    The customer gateway is created and added to the Customer Gateways list.

Create a Virtual Private Gateway

A virtual private gateway is the VPN endpoint on the AWS side of the BOVPN tunnel that you connect to your VPC.

  1. On the VPC Dashboard page, from the navigation menu, select Virtual Private Network (VPN) > Virtual Private Gateways.
  2. Click Create Virtual Private Gateway.
    The Create Virtual Private Gateway page opens.

    3. Screenshot of AWS, Create Virtual Private Gateway

  3. In the Name Tag - Optional text box, type a descriptive name. In our example, we use AWS-VGW.
  4. Click Create Virtual Private Gateway.
    The virtual private gateway is created and added to the Virtual Private Gateways list.

    5. Screenshot of AWS, Virtual Private Gateways page

  5. From the Virtual Private Gateways list, select the gateway you created in the previous steps.
  6. To attach your virtual private gateway to your VPC, from the Actions drop-down list, select Attach to VPC.
    The Attach to VPC page opens.

    7. Screenshot of AWS, Attach VGW to VPC

  7. From the Available VPCs drop-down list, select your VPC.
  8. Click Attach to VPC.
    The virtual private gateway is attached to your VPC. It might take a few minutes to complete the process.

Enable Route Propagation for the Virtual Private Gateway

The VPC route table enables traffic destined for your network to pass through the virtual private gateway and over a VPN tunnel. When you enable route propagation for the virtual private gateway, your network routes are automatically propagated, so you do not have to add routes manually.

To enable route propagation for the virtual private gateway, from the AWS Management Console:

  1. On the VPC Dashboard page, from the navigation menu, select Virtual Private Cloud > Route Tables.
    The Route Tables page opens.

    2. Screenshot of AWS, Route Tables

  2. Select the route table used by your VPC.
  3. From the Actions drop-down list, select Edit Route Propagation.
    The Edit Route Propagation page opens.

    4. Screenshot of AWS, AWS Route 2

  4. Enable the Propagation option.
  5. Click Save.
    Propagation is enabled for the virtual private gateway.

Create a Site-to-Site VPN Connection

Create a site-to-site VPN connection in AWS to enable access to your Firebox network from your VPC.

To create a site-to-site VPN connection, from the AWS Management Console:

  1. On the VPC Dashboard page, from the navigation menu, select Virtual Private Network (VPN) > Site-to-Site VPN Connections.
  2. Click Create VPN Connection.
    The Create VPN Connection page opens.

    3. Screenshot of AWS, AWS VPN 1

  3. In the Name Tag - Optional text box, type a descriptive name. In our example, we use toFirebox.
  4. For Target Gateway Type, select Virtual Private Gateway.
  5. From the Virtual Private Gateway drop-down list, select the virtual private gateway you created in the Create a Virtual Private Gateway section.
  6. For Customer Gateway, select Existing.
  7. From the Customer Gateway ID drop-down list, select the customer gateway you created in the Create a Customer Gateway section.
  8. For Routing Options, select Static.
  9. In the Static IP Prefixes text box, type the prefix of your internal network on the Firebox side and the VPC CIDR on the AWS side. In our example, we type 10.0.88.0/24 and 192.168.0.0/16.
  10. In the Local IPv4 Network CIDR - Optional text box, type the IPv4 CIDR range of your internal network on the Firebox side. In our example, we type 10.0.88.0/24.
  11. In the Remote IPv4 Network CIDR - Optional text box, type the IPv4 CIDR range of your VPC on the AWS side. In our example, we type 192.168.0.0/16.
  12. Keep the default value for all other settings.
  13. Click Create VPN Connection.
    The VPN connection is created, and the State is Pending. It might take a few minutes for the State to change to Available.

    14. Screenshot of AWS, VPN Connection page

  14. From the list of VPN connections, select the VPN connection you created.
  15. From the Actions drop-down list, select Modify VPN Tunnel Options.
    The Modify VPN Tunnel Options page opens.

    16. Screenshot of AWS, Modify VPN Tunnel Options page

  16. From the VPN Tunnel Outside IP Address drop-down list, select a VPN tunnel you want to use.
  17. From the Details section, copy these tunnel details:
    • VPN Tunnel Outside IP Address
    • Pre-Shared Key

    18. You need this information to Configure a BOVPN in WatchGuard Cloud.

    Screenshot of AWS, Modify VPN Tunnel Options page

  18. Specify these settings:
    • Phase 1 Encryption AlgorithmsAES256
    • Phase 2 Encryption AlgorithmsAES256
    • Phase 1 Integrity AlgorithmsSHA2-256
    • Phase 2 Integrity AlgorithmsSHA2-256
    • Phase 1 DH Group Numbers14
    • Phase 2 DH Group Numbers14
    • IKE Versionikev2

    19. Screenshot of AWS, Additional settings on the Modify VPN Tunnel Options page

  19. Keep the default value for all other settings.
  20. Click Save Changes.
    The VPN changes are saved. It might take a few minutes for State to change from Modifying to Available.
  21. (Optional) Repeat Steps 14–20 to configure another VPN tunnel if you must use two VPN tunnels for redundancy.

Edit the Security Group

To allow traffic from your Firebox to your AWS VPC, you must edit the inbound traffic rules for the security group used by your VPC.

To edit the security group, from the AWS Management Console:

  1. On the VPC Dashboard page, from the navigation menu, select Security > Security Groups.
    The Security Groups page opens.

    2. Screenshot of AWS, Security Groups page

  2. Select the security group used by your VPC.
  3. From the Actions drop-down list, select Edit Inbound Rules.
    The Edit Inbound Rules page opens.

    4. Screenshot of AWS, Edit Inbound Rules

  4. To create a new inbound rule, click Add Rule.
    A new rule appears in the list.
  5. In the new row:
    1. From the Type drop-down list, select All Traffic.
    2. From the Source drop-down list, select Custom.
    3. In the Source text box, type the IPv4 CIDR range of your internal network on the Firebox side. In our example, we type 10.0.88.0/24.
  6. In the Description - optional text box, type a description for this rule. In our example, we type From Firebox Internal.
  7. Click Save Rules.
    The inbound rules for the security group are updated.

Configure the Cloud-Managed Firebox

To enable access from your Firebox network to your VPC, you must configure a BOVPN connection in WatchGuard Cloud.

To configure a policy-based BOVPN connection on the cloud-managed Firebox:

  1. Log in to WatchGuard Cloud with your WatchGuard Cloud operator account credentials.
    If you log in with a Service Provider account, you must select a Subscriber account from the Account Manager.
  2. From the navigation menu, select Configure > VPNs.
  3. Click Add BOVPN.
    The Add BOVPN page opens.

    4. Screenshot of WatchGuard Cloud, Add BOVPN

  4. In the Name text box, type a descriptive name. In our example, we type toAWS.
  5. From the VPN Connection Type drop-down list, select Policy-Based IPSec to Locally-Managed Firebox / Third-Party.
  6. From the Address Family drop-down list, select IPv4 Addresses.
  7. In the Endpoint A section, select your cloud-managed Firebox.
  8. In the Endpoint B section, in the Endpoint Name text box, type a name to identify the remote VPN endpoint. In our example, we type AWS VPC.
  9. Click Next.
    The VPN Gateways settings page opens.

    10. Screenshot of WatchGuard Cloud, Add BOVPN with VPN gateway settings

  10. From the VPN Gateways (IPv4 Addresses) section:
    1. For your cloud-managed Firebox, select the External network.
    2. For your AWS VPC connection, in the IP or Domain Name text box, type the VPN Tunnel Outside IP Address you copied from AWS in the Create a Site-to-Site VPN Connection section.
  11. In the Pre-Shared Key text box, type the value of the Pre-Shared Key you copied from AWS in the Create a Site-to-Site VPN Connection section.
  12. Click Next.
    The Traffic settings page opens.

    13. Screenshot of WatchGuard Cloud, Add BOVPN with Traffic settings

  13. For your cloud-managed Firebox, select the Internal network that you want to be accessible through the VPN tunnel.
  14. For your AWS VPC connection, click Add Network Resource.
  15. In the Network Resource text box, type the CIDR of your AWS VPC. In our example, we type 192.168.0.0/16.
  16. In the Distance text box, enter a number from 1 through 254.
    Routes with lower metrics have higher priority. The default value is 1. If this is your second redundant VPN tunnel, you can enter a higher number than the first VPN tunnel distance.
  17. Click Next.
    The Tunnel Routes settings page opens.

    18. Screenshot of WatchGuard Cloud, Add BOVPN with Security settings

  18. In the Tunnel Routes section, keep all the default settings and click Next.
    The Security settings page opens.

    19. Screenshot of WatchGuard Cloud, Add BOVPN with Security settings

  19. In the Phase 1 Settings section:
    1. From the Authentication drop-down list, select SHA2-256.
    2. From the Encryption drop-down list, select AES-CBC (256-bit).
    3. In the SA Life text box, type 8.
    4. From the Diffie-Hellman Group drop-down list, select Diffie-Hellman Group14.
  20. In the Phase 2 Settings section:
    1. From the Authentication drop-down list, select SHA2-256.
    2. From the Encryption drop-down list, select AES-CBC (256-bit).
    3. Select the Use Perfect Forward Secrecy (PFS) check box.
    4. From the PFS Group drop-down list, select Diffie-Hellman Group14.
  21. Keep the default value for all other settings.
  22. Click Add.
  23. Click Finish.

    24. Screenshot of WatchGuard Cloud, Add BOVPN with Security settings

    When you add a BOVPN for a cloud-managed Firebox, WatchGuard Cloud immediately creates and deploys a configuration update for the cloud-managed Firebox.

  24. (Optional) Repeat Steps 3–23 to create another VPN tunnel if you must use two VPN tunnels for redundancy.

For more information about BOVPN configuration for a cloud-managed Firebox, go to Manage BOVPNs for Cloud-Managed Fireboxes.

Test the Integration

To test the integration of the BOVPN tunnel with static routing between your cloud-managed Firebox and Amazon VPC:

  1. Log in to WatchGuard Cloud.
  2. From the navigation menu, select Monitor > Devices.
    If you log in with a Service Provider account, you must select a Subscriber account from the Account Manager.
  3. Select your cloud-managed Firebox, then select Live Status > VPN > Branch Office VPN.
  4. Click the BOVPN name, and verify that the VPN is established.

    5. Screenshot of WatchGuard Cloud BOVPN

  5. Verify that the hosts behind the Firebox and the EC2 instance in AWS can successfully ping each other.