CenturyLink Cloud BOVPN Integration Guide

WatchGuard provides integration instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about how to configure a third-party product, see the documentation and support resources for that product.

This integration guide describes how to configure a Branch Office VPN (BOVPN) tunnel between a WatchGuard Firebox and a CenturyLink Cloud site.

Integration Summary

The hardware and software used in this guide include:

  • WatchGuard T55-W
    • Fireware v12.5.1
  • CenturyLink Cloud

Topology

This diagram shows the topology used to test this integration.

Topology diagram

Configure the Firebox

To configure a BOVPN on your Firebox, you must:

  • Add a BOVPN gateway
  • Add a new Phase 2 proposal
  • Add a BOVPN tunnel

CenturyLink Cloud does not support all default Firebox BOVPN settings. The procedures in this guide indicate when you must change a default Firebox setting.

To add a gateway, from Fireware Web UI:

  1. Log in as a user with administrator credentials.
  2. Select VPN > Branch Office VPN.
  3. In the Gateways section, click Add.
  4. In the Gateway Name text box, type a name to identify this BOVPN Gateway. In our example, we use gateway.1.
  5. From the Address Family drop-down list, select IPV4 Addresses.
  6. In the Credential Method section, select Use Pre-Shared Key.
  7. In the adjacent text box, type the pre-shared key.

Screen shot of the gateway settings

  1. In the Gateway Endpoint section, click Add.
    The Gateway Endpoint Settings dialog box appears.
  2. On the Local Gateway tab, from the External Interface drop-down list, select External.
  3. From the Interface IP Address drop-down list, select Primary Interface IPv4 Address.
  4. Select By IP Address.
  5. In the adjacent text box, type the public (external) IP address of your Firebox.

Screenshot of the local gateway settings

  1. On the Remote Gateway tab, select Static IP Address.
  2. In the adjacent text box, type the outgoing public IP address of the CenturyLink Cloud site.
  3. Select By IP Address.
  4. In the adjacent text box, again type the outgoing public IP address of the CenturyLink Cloud site.

Screenshot of the remote gateway settings

  1. Click OK.
  2. In the Gateway Endpoint section, select Start Phase 1 tunnel when Firebox starts.

Screenshot of the Branch Office VPN settings

  1. Click the Phase 1 Settings tab.
  2. From the Version drop-down list, select IKEv1.
  3. From the Mode drop-down list, select Main.
  4. Click Add.
    The Transform Settings dialog box appears.
  5. From the Authentication drop-down list, select SHA1.
  6. From the Encryption drop-down list, select AES(256-bit).
  7. Keep the default SA Life value, which is 24 hours.
  8. From the Key Group drop-down list, select Diffie-Hellman Group 5.

Screenshot of the Transform Settings

  1. Click OK.

Screenshot of the Phase 1 settings

  1. Click Save.

Screenshot of the Gateways settings

Next, add a Phase 2 proposal:

  1. Select VPN > Phase 2 Proposals.
  2. Click Add.
  3. In the Name text box, type name of this proposal. In our example, we specify ESP-SHA1-AES256.
  4. In the Description text box, type a description for this Phase 2 proposal.
  5. From the Type drop-down list, select ESP (Encapsulating Security Payload).
  6. From the Authentication drop-down list, select SHA1.
  7. From the Encryption drop-down list, select AES(256-bit).
  8. Set Force Key Expiration to 1 hour.
  9. Keep the default values for all other settings.

Screenshot of the Phase 2 Proposal settings

  1. Click Save.

Next, add a tunnel:

  1. Select VPN > Branch Office VPN.
  2. In the Tunnels section, click Add.
  3. In the Name text box, type a name to identify this Branch Office VPN Tunnel. In our example, we use tunnel.1.
  4. From the Gateway drop-down list, select gateway.1.
  5. In the Addresses section, click Add.
    The Tunnel Route Settings dialog box appears.
  6. In the Local IP section, from the Choose Type drop-down list, select Network IPv4.
  7. In the Network IP text box, type the network IP address of the local network behind the Firebox.
  8. In the Remote IP section, from the Choose Type drop-down list, select Network IPv4.
  9. In the Network IP text box, type the network IP address of the local network for the CenturyLink Cloud site.
  10. Keep the default values for all other settings.

Screenshot of the Tunnel Route settings

  1. Click OK.

Screenshot of the Tunnel settings

  1. Click Phase 2 Settings.
  2. Enable Enable Perfect Forward Secrecy.
  3. From the drop-down list, select Diffie-Hellman Group 5.
  4. Select the default Phase 2 proposal and click Remove.
  5. From the drop-down list, select ESP-SHA1-AES256.
  6. Click Add.

Screenshot of the Phase 2 settings

  1. Click Save.

Screenshot of the Branch Office VPN settings

Configure CenturyLink Cloud

When you enable PFS in Phase 2, the Diffie-Hellman group is inherited from the Phase 1 settings.

To configure the CenturyLink network settings:

  1. Log in to your CenturyLink Control Portal.
  2. Select Network > Networks.

Screen shot of the Century Link networks

  1. To add a new network, click +network.

Screen shot of the Century Link networks

Next, configure the CenturyLink Site-to-Site VPN settings:

  1. Select Network > Site-to-Site VPN.
  2. Click +site-to-site VPN.
  3. In the Sites and Networks section, from the Control Portal Site drop-down list, select your Portal Site.
  4. To add the CenturyLink internal protected networks, in the Tunnel Encrypted Subnets section, click add network block.
  5. In the Site Name text box, type your site name.
  6. In the Device Type text box, type your device type.
  7. In the VPN Peer IPv4 Address text box, type your public IP address.
  8. To add the CenturyLink internal protected networks, in the Tunnel Encrypted Subnets section, click add network block.

Screen shot of the Century Link Sites and Networks settings

  1. Click next: phase 1.
  2. From the Encryption Algorithm drop-down list, select AES-256.
  3. From the Hashing Algorithm drop-down list, select SHA1 (96).
  4. In the Pre-Shared Key text boxes, type the pre-shared key.
  5. From the Diffie-Hellman Group drop-down list, select Group 5.

Screen shot of the Century Link  Phase 1 (IKE) page settings

  1. Click next: phase 2.
  2. Set PFS Enabled to ON.

Screen shot of the Century Link Phase 2 (IPSec) Settings

  1. Click finish.

Screenshot of the Century Link Site-to-Site VPN settings

Test the Integration

  1. Log in to the Firebox Web UI.
  2. Select System Status > VPN Statistics.
  3. Verify the BOVPN tunnel is active.
  4. Verify the hosts behind the Firebox and behind CenturyLink Cloud can successfully ping each other.