Cisco Firepower and Firebox Route-Based BOVPN Integration Guide

This integration guide describes how to configure a route-based Branch Office VPN (BOVPN) between a WatchGuard Firebox and a Cisco Firepower 1010E Threat Defense.

Contents

Integration Summary

The hardware and software used in this guide include:

  • Firebox with Fireware v12.11.2 or higher

  • Firepower 1010E Threat Defense v7.4.2.2-28 or higher

Topology

This diagram shows the topology for a BOVPN connection between a Firebox and a Firepower 1010E.

Topology diagram

Before You Begin

Before you begin these procedures, make sure that:

  • If you want to use a cloud-managed Firebox, you have a WatchGuard Cloud account and have added the Firebox to WatchGuard Cloud as a cloud-managed device. You also have configured an external network with the external (public) IP address of the Firebox and at least one internal network on the Firebox.
  • If you want to use a locally-managed Firebox, you have configured an external interface with the external (public) IP address of the Firebox and at least one internal network on the Firebox.
  • You have configured the internal network objects for the Firebox and Firepower in the Firepower 1010E web UI. In this guide, we use the Network_under_Firebox and Network_Under_Firepower network objects.
  • You have configured an internal and external interface in the Firepower 1010E web UI. In this guide, we use the external ethernet1/1 and internal ethernet1/2 interfaces. For more information about how to configure interfaces, go to the Cisco Firepower official documentation.

Configure the Firebox

You can configure your Firebox for a route-based BOVPN from WatchGuard Cloud for a cloud-managed Firebox or Fireware Web UI for a locally-managed Firebox.

  1. Log in to WatchGuard Cloud.
    If you log in with a Service Provider account, you must select a Subscriber account from the Account Manager.
  2. Select Configure > VPNs.
  3. Click Add BOVPN.
    The Add BOVPN page opens.

    4. Screenshot of Add BOVPN settings

  4. In the Name text box, type a descriptive name for the BOVPN. In this example, we type route-based vpn.
  5. From the VPN Connection Type drop-down list, select Route-Based IPSec to Locally-Managed Firebox / Third-Party.
  6. From the Address Family drop-down list, select IPv4 Addresses.
  7. In the Endpoint A section, select your cloud-managed Firebox.
  8. In the Endpoint B section, in the Endpoint Name text box, type a name to identify the remote VPN endpoint. In our example, we type Firepower.
  9. Click Next.
    The VPN Gateway settings page opens.

    10. Screenshot of VPN Gateway settings on the Add BOVPN page

  10. For your cloud-managed Firebox:
    1. Select External.
    2. From the IP or Domain Name or User on Domain text box, select an IP address, domain name, or user on domain that resolves to the Firebox external network IP address.
  11. For the remote VPN endpoint, in the IP or Domain Name or User on Domain text box, type the IP address of your Firepower firewall WAN connection.
  12. To encrypt and decrypt the data that goes through the VPN tunnel, in the Pre-Shared Key text box, type a pre-shared key. This pre-shared key matches the pre-shared key when you configure the Firepower IPSec VPN Phase 1 settings.
  13. Click Next.
    The Traffic settings page opens.

    14. Screenshot of the Traffic settings on the Add BOVPN page

  14. For your cloud-managed Firebox, select the internal network that you want to be accessible through the VPN tunnel.
  15. For the Firepower endpoint, click Add Network Resource.
  16. In the Network Resource text box, type the private network protected by the Firepower firewall. In our example, we type 192.168.13.0/24.
  17. Click Add.
  18. For your cloud-managed Firebox, in the Virtual IP Address text box, type your Firebox virtual tunnel interface IP address and subnet mask. In our example, we type 10.0.11.11/24.
  19. For the Firepower endpoint, in the Virtual IP Address text box, type your Firepower virtual tunnel interface IP address and subnet mask. In our example, we type 10.0.11.10/24.
  20. Click Next.
    The Security settings page opens.

    21. Screenshot of the Security settings on the Add BOVPN page

  21. In the Phase 1 Settings section:
    1. From the Authentication drop-down list, select SHA2-256.
    2. From the Encryption drop-down list, select AES-CBC (256-bit).
    3. In the SA Life text box, type 24.
    4. From the Diffie-Hellman Group drop-down list, select Diffie-Hellman Group14.
  22. In the Phase 2 Settings section:
    1. From the Authentication drop-down list, select SHA2-256.
    2. From the Encryption drop-down list, select AES-CBC (256-bit).
    3. Select the Use Perfect Forward Secrecy (PFS) check box.
    4. From the PFS Group drop-down list, select Diffie-Hellman Group14.
  23. Keep the default values for all other settings.
  24. Click Add.
  25. (Optional) Click View Guide To open the VPN Configuration Summary page for the cloud-managed Firebox, click View Guide.
  26. Click Finish.
    WatchGuard Cloud creates and deploys a configuration update for the cloud-managed Firebox.
  1. Log in to Fireware Web UI at: https://<your Firebox IP address>:8080.
  2. Select VPN > BOVPN Virtual Interfaces.
    The BOVPN Virtual Interfaces configuration page opens.
  3. Click Add.
    The Add page opens.

    4. Screenshot of the settings to add a BOVPN Virtual Interface

  4. In the Interface Name text box, type a name for this BOVPN virtual interface. In this example, we type route-based BOVPN.
  5. From the Remote Endpoint Type drop-down list, select Cloud VPN or Third-Party Gateway.
  6. From the Gateway Address Family drop-down list, select IPv4 Addresses.
  7. In the Credential Method section, select Use Pre-Shared Key and in the adjacent text box, type the pre-shared key.
  8. In the Gateway Endpoint section, click Add.
    The Gateway Endpoint Settings dialog box opens.

    9. Screenshot of Fireware Web UI, BOVPN Virtual Interface > Add page > Gateway Endpoint Settings dialog box with local gateway settings

  9. For Interface, select Physical and, from the adjacent drop-down list, select the interface that has the external (public) IP address of the Firebox.
  10. From the Interface IP Address drop-down list, select Primary Interface IPv4 Address.
    The Primary Interface IP Address is the primary IP address you configured on the selected external interface.
  11. For Specify the Gateway ID for Tunnel Authentication, select By IP Address.
  12. In the adjacent text box, type the primary IP address of the external Firebox interface. In this example, we type 203.0.113.2.
  13. Select the Remote Gateway tab.
    The Remote Gateway page opens.

    14. Screenshot of Fireware Web UI, BOVPN Virtual Interface > Add page > Gateway Endpoint Settings dialog box with remote gateway settings

  14. For Specify the Remote Gateway IP Address for a Tunnel, select Static IP Address.
  15. In the adjacent text box, type the IP address of your Firepower WAN connection. In this example, we type 198.51.100.2.
  16. For Specify the Remote Gateway ID for Tunnel Authentication, select By IP Address.
  17. In the adjacent text box, type the IP address of your Firepower WAN connection. In this example, we type 198.51.100.2.
  18. Click OK.
    The gateway endpoint you added appears in the Gateway Endpoint section.

    19. Screenshot of Screenshot of Fireware Web UI, BOVPN Virtual Interface > Add page with new gateway endpoint

  19. In the Gateway Endpoint section, select the Start Phase 1 Tunnel When It Is Inactive check box.
  20. Select the Add This Tunnel to the BOVPN-Allow Policies check box.
  21. Select the VPN Routes tab.
    The VPN Routes page opens.

    22. Screenshot of Fireware Web UI, BOVPN Virtual Interface > Add page with VPN routes

  22. Click Add.
    The VPN Route Settings dialog box opens.

    23. Screenshot of Fireware Web UI, BOVPN Virtual Interface > Add page with VPN Route Settings dialog box

  23. From the Choose Type drop-down list, select Network IPv4.
  24. In the Route To text box, type the network IP address of a route that will use this virtual interface. In this example, we type 192.168.13.0.
  25. Click OK.
    The VPN route settings are added.
  26. Select the Phase 1 Settings tab.
    The Phase 1 Settings page opens.

    27. Screenshot of Fireware Web UI, BOVPN Virtual Interface > Add page with Phase 1 settings

  27. From the Version drop-down list, select IKEv2.
  28. Keep the default values for all other Phase 1 settings.
  29. Keep the default values for all Phase 2 settings.

    30. Screenshot of Fireware Web UI, BOVPN Virtual Interface > Add page with Phase 2 settings

  30. Click Save.
    The BOVPN virtual interface you added appears on the BOVPN Virtual Interfaces page.

For more information about how to configure virtual interfaces on a locally-managed Firebox, go to BOVPN Virtual Interfaces.

Configure Firepower

To configure the Firepower 1010E, complete these steps:

  1. Configure an IPSec VPN Tunnel for the Firepower 1010E
  2. Configure a BOVPN Route for the Firepower 1010E
  3. Configure Policies for the Firepower 1010E
  4. Deploy the Configuration for the Firepower 1010E

Configure an IPSec VPN Tunnel for the Firepower 1010E

To configure an IPSec VPN tunnel for the Firepower 1010E:

  1. Log in to the Firepower Web UI at: https://<Management IP address of the Firepower>
  2. Select Device: [Firepower device name].
  3. In the Site-to-Site VPN section, click View Configuration.
    The Site-to-Site VPN page opens.
  4. Click Create Site-to-Site Connection.
    The Define Endpoints configuration page opens.

    5. Screenshot of the Define Endpoints configurations page

  5. In the Connection Profile Name text box, type a descriptive name for the VPN. In our example, we type Route_Based_IPSec.
  6. For Type, select Route Based (VTI).
  7. From the Local VPN Access Interfaces drop-down list, select Create New Virtual Tunnel Interface.
    The Virtual Tunnel Interface configuration page opens.

    8. Screenshot of the Virtual Tunnel Interface configuration page

  8. In the Name text box, type a descriptive name for the virtual tunnel interface. In our example, we type local_virtual_interface.
  9. To enable the virtual tunnel interface, enable Status.
  10. In the Tunnel ID text box, type a tunnel ID from 0 to 10413. In our example, we type 10.
  11. From the Tunnel Source drop-down list, select the external interface you configured for the Firepower. In our example, we select external (Ethernet1/1).
  12. In the IP Address and Subnet Mask text boxes, type the IP address and subnet mask of the virtual interface for the Firepower. In our example, we type 10.0.11.10/24.
  13. Click OK.
    The virtual tunnel interface you configured is added and appears in the Local VPN Access Interfaces drop-down list on the Define Endpoints configuration page.
  14. From the Local VPN Access Interface drop-down list, select the virtual tunnel interface you created.
  15. In the Remote IP Address text box, type the public IP of Firebox. In our example, we type 203.0.113.2.
  16. Click Next.
    The Privacy Configuration page opens.
  17. Enable IKE Version 2.
  18. In the IKE Policy section, click Edit > Create New IKE Policy.
    The IKE v2 Policy configuration dialog box opens.

    19. Screenshot of the IKE v2 Policy configuration dialog box

  19. In the Priority text box, type the priority number for the IKE v2 policy. In our example, we type 1.
  20. In the Name text box, type a descriptive name for the IKE v2 policy. In our example, we type IKE_to_Firebox.
  21. Enable State.
  22. From the Encryption drop-down list, select AES 256.
  23. From the Diffie-Hellman Group drop-down list, select 14.
  24. From the Integrity Hash drop-down list, select SHA256.
  25. From the Pseudo Random Function (PRF) Hash drop-down list, select SHA256.
  26. In the Lifetime (seconds) text box, type 86400.
  27. Click OK.
    The IKE v2 policy you created appears in the list of policies.

    28. Screenshot of IKE v2 policy in the list

  28. Disable any other IKE v2 policies in the list.
  29. Click OK.
    The Select IPSec Proposals dialog box opens.

    30. Screenshot of the Select IPSec Proposals dialog box

  30. To create a new IPSec proposal, select Edit > Add IPSec Proposals > Create New IPSec Proposal.
    The IKE v2 IPSec Proposal configuration dialog box opens.
  1. In the Name text box, type a descriptive name for the proposal. In our example, we type IKE_to_Firebox_Proposal.
  2. From the Encryption drop-down list, select AES 256.
  3. From the Integrity Hash drop-down list, select SHA256.
  4. Click OK.
  5. Select the IKE v2 proposal you created in the previous steps.
  6. Click OK.

    7. Screenshot of the IKE v2 proposal

  7. Click OK.
    The Privacy Configuration page opens.

    8. Screenshot of the Privacy Configuration page

  8. For Authentication Type, enable Pre-Shared Manual Key.
  9. In the Local Pre-Shared Key text box, type the same pre-shared key you configured for the Firebox.
  10. In the Remote Peer Pre-Shared Key text box, type the same pre-shared key you configured for the Firebox.
  11. In the Lifetime Duration text box, type 86400.
  12. In the Additional Options section, from the Diffie-Hellman Group for Perfect Forward Secrecy drop-down list, select 14.
  13. Click Next.
    The Summary page opens.
  14. Verify the configurations on this page, then click Finish.
    The VPN is created successfully.

Configure a BOVPN Route for the Firepower 1010E

To configure a BOVPN route for the Firepower 1010E:

  1. Log in to the Firepower Web UI at: https://<Management IP address of the Firepower>
  2. Select Device: [Firepower device name].
  3. In the Routing section, click View Configuration.
    The Static Route configuration page opens.
  4. Click Add Static Route.
    The Add Static Route dialog box opens.

    5. Screenshot of the Add Static Route page

  5. In the Name text box, type a descriptive name for the static route. For our example, we type to_Firebox.
  6. From the Interface drop-down list, select the virtual tunnel interface you created in the Configure an IPSec VPN Tunnel for the Firepower 1010E section. In our example, we select local_virtual_interface (Tunnel 10).
  7. For Protocol, select IPv4.
  8. In the Networks section, select the subnet you configured for the Firebox. In our example, we select Network_Under_Firebox.
  9. From the Gateway drop-down list, select the public IP network of the Firebox. For our example, we select firebox_IP.
  10. In the Metric text box, we type 1.
  11. Click OK.
    The BOVPN route you configured in added successfully.

Configure Policies for the Firepower 1010E

To configure policies for the Firepower 1010E:

  1. Log in to the Firepower Web UI at: https://<Management IP address of the Firepower>
  2. Select Policies.
    The policy configuration page opens.

    Make sure that no NAT rule is applied to the VPN-protected networks. Traffic between the local and remote subnets must use their original IP addresses. If NAT modifies these addresses, the VPN tunnel will fail.

  3. Click Create Access Rule.
    The Add Access Rule dialog box opens.

    4. Screenshot of the Add Access Rule dialog box

  4. In the Title text box, type a descriptive name for this policy. For our example, we type IPSec_Allow.
  5. From the Action drop-down list, select Allow.
  6. In the Source section, from the Networks drop-down list, select the internal network you configured for the Firepower. In our example, we select Network_Under_Firepower.
  7. In the Destination section, from the Networks drop-down list, select the internal network you configured for the Firebox. In our example, we select Network_Under_Firebox.
  8. Click OK.

Deploy the Configuration for the Firepower 1010E

To deploy the Firepower 1010E configuration:

  1. Log in to the Firepower Web UI at: https://<Management IP address of the Firepower>.
  2. Select Deployment.
  3. Click Deploy Now.
  4. Click OK.
    Itmight take several minutes to complete the deployment.

Test the Integration

  1. Log in to WatchGuard Cloud.
    If you log in with a Service Provider account, you must select a Subscriber account from the Account Manager.
  2. Select the cloud-managed Firebox.
  3. Select Monitor > Live Status > VPN > Branch Office VPN.

    4. Screenshot of WGC test VPN live status

  4. Verify that the VPN tunnels are active.
  1. Log in to Fireware Web UI at: https://<your Firebox IP address>:8080.
  2. Select System Status > VPN Statistics.
    The VPN Statistics page opens.
  3. Select the Branch Office VPN tab.
    The Branch Office VPN page opens.

    4. Screenshot of BOVPN statistics

  4. In the Tunnels section, verify that the VPN tunnels are active.