Microsoft Azure and Cloud-Managed Firebox with Static Routing BOVPN Integration Guide

This integration guide describes how to configure a BOVPN tunnel with static routing between a WatchGuard cloud-managed Firebox and Microsoft Azure.

Contents

Integration Summary

The hardware and software used in this guide include:

  • WatchGuard cloud-managed Firebox with Fireware v12.7.1 or higher
  • Microsoft Azure

Topology

This diagram shows a BOVPN connection with static routing between a cloud-managed Firebox and Microsoft Azure.

Topology diagram of a BOVPN connection with static routing between a cloud-managed Firebox and Microsoft Azure

Configure Microsoft Azure

To configure Microsoft Azure:

  1. Create a Virtual Network
  2. Create a Gateway Subnet
  3. Create a VPN Gateway
  4. Create a Local Network Gateway
  5. Create a VPN Connection

Create a Virtual Network

To create a virtual network, from the Microsoft Azure portal:

  1. Log in to the Microsoft Azure portal.
  2. From the top navigation bar, in the Search Resources, Services, and Docs (G+/) text box, type Virtual Network.
  3. From the Marketplace section of the search results, select Virtual Network.
  4. Click Create.
    The Create Virtual Network page opens.

    5. Screenshot of Azure portal, Create Virtual Network page with Basics tab selected

  5. Select the Basics tab.
  6. On the Basics page:
    1. From the Subscription drop-down list, select your subscription.
    2. From the Resource Group drop-down list, select a group or, to create a new group, select Create New. In our example, we create a new group TestGroup.
    3. In the Virtual Network Name text box, type a name for your virtual network. In our example, we type VNet.
    4. From the Region drop-down list, select a region.
  7. Click Next until the IP Addresses page opens.

    8. Screenshot of Azure portal, Create Virtual Network page with IP Addresses tab selected

  8. On the IP Addresses page, to define the address space of your virtual network, type one or more IPv4 and IPv6 address ranges. In our example, we enter 10.1.0.0 as the starting address and /16 as the address space size.
  9. Keep the default values for all other settings.
  10. Click Review + Create.
  11. Click Create.
    The virtual network is created.

Create a Gateway Subnet

To create a gateway subnet, from the Microsoft Azure portal:

  1. On the home page, click Resource Groups, and select the resource group you created in the Create a Virtual Network section.
  2. Click the virtual network you created in the Create a Virtual Network section.
  3. From the navigation menu, select Settings > Subnets.
  4. Click + Gateway Subnet.
    The Add a Subnet page opens.

    5. Screenshot of Azure portal, Add a Subnet page

  5. In the Starting Address text box, type an IP address or keep the default value. In our example, we type 10.1.255.0.
  6. From the Size drop-down list, select a netmask. In our example, we select /27 (32 addresses).
  7. Keep the default values for all other settings.
  8. Click Add.
    The gateway subnet is created.

    9. Screenshot of Azure portal, Subnets page for virtual networks

Create a VPN Gateway

To create a VPN gateway, from the Microsoft Azure portal:

  1. On the home page, in the Search Resources, Services, and Docs (G+/) text box, type Virtual Network Gateway.
  2. From the Marketplace search results, select Virtual Network Gateway.
    The Create Virtual Network Gateway page opens.

    3. Screenshot of Azure portal, Create Virtual Network Gateway page with Basics tab selected

  3. Select the Basics tab.
  4. In the Project Details section, from the Subscription drop-down list, select your subscription.
  5. In the Instance Details section:
    1. In the Name text box, type a name for your VPN gateway.
    2. From the Region drop-down list, select the same region as your virtual network.
    3. For Gateway Type, select VPN.
    4. From the SKU drop-down list, select a gateway SKU. In our example, we select VpnGw1.
    5. From the Generation drop-down list, select the generation. In our example, we select Generation1.
    6. From the Virtual Network drop-down list, select the virtual network you created in the Create a Virtual Network section.
  6. In the Public IP Address section:
    1. For Public IP Address, select Create New.
    2. In the Public IP Address Name text box, type the public IP address name.
    3. For Enable Active-Active Mode, select Disabled.
  7. Keep the default values for all other settings.
  8. Click Review + Create.
  9. Click Create.
    A VPN gateway is created. It might take more than 45 minutes to create and deploy the VPN gateway.

Get the VPN Gateway Public IP Address

To get the public IP address of the VPN gateway, from the Microsoft Azure portal:

  1. On the home page, click Resource Groups, and select the resource group you created in the Create a Virtual Network section.
  2. Click the virtual network gateway Public IP address name you created in the Create a VPN Gateway section.
  3. From the navigation menu, select Overview.
  4. Copy the IP Address of the virtual network gateway.

    5. Screenshot of get the virtual network gateway public ip address.

Create a Local Network Gateway

To create a local network gateway, from the Microsoft Azure portal:

  1. In the Search Resources, Services, and Docs (G+/) text box, type Local Network Gateway.
  2. From the Marketplace search results, select Local Network Gateway.
    The Create Local Network Gateway page opens.

    3. Screenshot of Azure portal, Create Local Network Gateway page with Basics tab selected

  3. Select the Basics tab.
  4. On the Basics page:
    1. From the Subscription drop-down list, select your subscription.
    2. From the Resource Group drop-down list, select a group or, to create a new group, select Create New.
    3. From the Region drop-down list, select the region.
    4. In the Name text box, type a name.
    5. For Endpoint, select IP Address or FQDN. In our example, we select IP Address.
    6. In the IP Address text box, type the IP address of the cloud-managed Firebox external network.
    7. In the Address Space(s) text box, type the addresses of the internal network protected by the cloud-managed Firebox.
  5. Select the Advanced tab.
  6. For Configure BGP Settings, select No.
  7. Click Review + Create.
  8. Click Create.
    The local network gateway is created.

Create a VPN Connection

To create a VPN connection, from the Microsoft Azure portal:

  1. On the home page, click Resource Groups, and select the resource group you created in the Create a Virtual Network section.
  2. Click the virtual network gateway you created in the Create a VPN Gateway section.
  3. From the navigation menu, select Settings > Connections.
    The Connections page opens.
  4. Click + Add.
    The Create Connection page opens.

    5. Screenshot of Azure portal, Create Connection page with Basics tab selected

  5. Select the Basics tab.
  6. On the Basics page:
    1. From the Subscription drop-down list, select your subscription.
    2. From the Resource Group drop-down list, select the group.
    3. From the Connection Type drop-down list, select Site-to-Site (IPsec).
    4. In the Name text box, type a connection name.
    5. From the Region drop-down list, select the region for this connection.
  7. Select the Settings tab.

    8. Screenshot of Azure portal, Create Connection page with Settings tab selected

  8. From the Virtual Network Gateway drop-down list, select the virtual network gateway you created in the Create a VPN Gateway section.
  9. From the Local Network Gateway drop-down list, select the local network gateway you created in the Create a Local Network Gateway section.
  10. For the Authentication Method, select Shared Key(PSK).
  11. In the Shared Key(PSK) text box, type a shared key.
  12. For IKE Protocol, select IKEv2.
  13. For IPsec / IKE Policy, select Custom.
  14. In the IKE Phase 1 section:
    1. From the Encryption drop-down list, select AES256.
    2. From the Integrity/PRF drop-down list, select SHA256.
    3. From the DH Group drop-down list, select DHGroup14.
  15. In the IKE Phase 2(IPsec) section:
    1. From the IPsec Encryption drop-down list, select AES256.
    2. From the IPsec Integrity drop-down list, select SHA256.
    3. From the PFS Group drop-down list, select PFS2048.
  16. In the IPsec SA Lifetime in Seconds text box, type 28800.
  17. In the DPD Timeout in Seconds text box, type 20.
  18. Keep the default values for all other settings.
  19. Click Review + Create.
  20. Click Create.
    The VPN connection is created.

Configure the Cloud-Managed Firebox

To configure a BOVPN connection with static routing on the cloud-managed Firebox:

  1. Log in to WatchGuard Cloud.
  2. If you have a Service Provider account, select an account from Account Manager.
  3. From the navigation menu, select Configure > VPNs.
  4. Click Add BOVPN.
    The Add BOVPN page opens.

    5. Screenshot of WatchGuard Cloud, Add BOVPN page

  5. In the Name text box, type a descriptive name.
  6. From the VPN Connection Type drop-down list, select Route-Based IPSec to Locally-Managed Firebox / Third-Party.
  7. From the Address Family drop-down list, select IPv4 Addresses.
  8. In the Endpoint A section, select your cloud-managed Firebox.
  9. In the Endpoint B section, in the Endpoint Name text box, type a name to identify the remote VPN endpoint. In our example, we use Microsoft Azure.
  10. Click Next.
    The VPN Gateways settings open.

    11. Screenshot of WatchGuard Cloud, Add BOVPN page with VPN gateway settings

  11. In the VPN Gateways (IPv4 Addresses) section:
    1. For your cloud-managed Firebox, select the External network.
    2. For your Microsoft Azure connection, in the IP or Domain Name text box, type the IP Address of the virtual network gateway you copied in the Get the VPN Gateway Public IP Address section.
  12. To secure this VPN tunnel, in the Pre-Shared Key text box, type the pre-shared key you created in the Create a VPN Connection section.
  13. Click Next.
    The Traffic settings open.

    14. Screenshot of WatchGuard Cloud, Add BOVPN page Traffic settings

  14. For your cloud-managed Firebox, select the Internal network that you want to be accessible through the VPN tunnel.
  15. For your Microsoft Azure connection, click Add Network Resource.
    The Add Network Resource page opens.

    16. Screenshot of WatchGuard Cloud, Add Network Resource dialog box

  16. In the Network Resource text box, type the IP address of the internal network on Microsoft Azure.
  17. Click Add.
  18. Keep the default values for all other settings.
  19. Click Next.
    The Security settings open.

    20. Screenshot of configure authentication and encryption settings.

  20. In the Phase 1 Settings section:
    1. From the Authentication drop-down list, select SHA2-256.
    2. From the Encryption drop-down list, select AES-CBC (256-bit).
    3. In the SA Life text box, type 8.
    4. From the Diffie-Hellman Group drop-down list, select Diffie-Hellman Group14.
  21. In the Phase 2 Settings section:
    1. From the Authentication drop-down list, select SHA2-256.
    2. From the Encryption drop-down list, select AES-CBC (256-bit).
    3. Select the Use Perfect Forward Secrecy (PFS) check box.
    4. From the PFS Group drop-down list, select Diffie-Hellman Group14.
  22. Keep the default values for all other settings.
  23. Click Add.
  24. Click Finish.

    When you add a BOVPN for a cloud-managed Firebox, WatchGuard Cloud immediately creates and deploys a configuration update for the cloud-managed Firebox.

For more information about BOVPN configuration on the cloud-managed Firebox, go to Manage BOVPNs for Cloud-Managed Fireboxes.

Test the Integration

To test the integration of the BOVPN tunnel with static routing between your cloud-managed Firebox and Microsoft Azure:

  1. Log in to WatchGuard Cloud.
  2. From the navigation menu, select Monitor > Devices.
    If you log in with a Service Provider account, you must select a Subscriber account from the Account Manager.
  3. Select your cloud-managed Firebox, then select Live Status > VPN > Branch Office VPN.
  4. Click the BOVPN name, and verify that the VPN is established.

    5. Screenshot of WatchGuard Cloud, VPN page

  5. Verify that the host behind the Firebox and the Microsoft Azure can ping each other successfully.