Google Cloud VPN with Firebox Integration Guide

Deployment Overview

WatchGuard provides integration instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about how to configure a third-party product, see the documentation and support resources for that product.

This integration guide describes how to configure the Firebox and Google Cloud VPN.

Integration Summary

The hardware and software used to complete the steps outlined in this document include:

  • Google Cloud Platform
  • WatchGuard Firebox
    • Firebox with Fireware v12.3 or higher

Test Topology

This diagram shows the topology used to connect your Firebox to Google Cloud with a VPN.

Google Cloud and Firebox Topology

Configure the Firebox

On the Firebox, you configure a BOVPN virtual interface connection.

To configure a BOVPN virtual interface, from Fireware Web UI:

  1. Select VPN > BOVPN Virtual Interfaces.
  2. Click Add.
    The BOVPN virtual interface configuration appears.
  3. In the Interface Name text box, type the interface name.
  4. From the Remote Endpoint Type drop-down list, select Cloud VPN or Third-Party Gateway.
  5. On the Gateway Settings tab, in the Credential Method section, select Use Pre-Shared Key.
  6. In the adjacent text box, type the pre-shared key.

Screen shot of the credential settings on the Firebox

  1. In the Gateway Endpoint section, click Add.
  2. From the Physical drop-down list, select External.
  3. From the Interface IP Address drop-down list, select Primary Interface IP Address.
    The Primary Interface IP Address is the primary IP address you configured on the selected external interface.
  4. Select By IP Address.
  5. In the adjacent text box, type the primary IP address of the External Firebox interface.

Gateway in WatchGuard Firebox

  1. Select the Remote Gateway tab.
  2. Select Static IP Address.
  3. In the adjacent text box, type the public IP address of your Google Cloud connection.
  4. Select By IP Address.
  5. In the adjacent text box, type the public IP address of your Google Cloud connection.
  6. Keep the default settings for all other options.

Screen shot of the Remote Gateway settings on the Firebox

  1. Click OK.

Gateway Endpoint

Next, add VPN Routes.

  1. Select the VPN Routes tab.
  2. In the VPN Routes section, click Add.
    The VPN Route Settings dialog box appears.
  3. From the Choose Type drop-down list, select an address type. In our example, we specify Network IPv4.
  4. In the Route To text box, type the IP address of a route that will use this virtual interface.
  5. Click OK.

Add VPN Route in WatchGuard Firebox

Next, configure the Phase 1 settings.

  1. Select the Phase 1 Settings tab.
  2. From the Version drop-down list, select IKEv2.
  3. Click OK.
  4. For all other settings, keep the default values.

Phase 1 Settings

Next, configure the Phase 2 settings:

  1. Select the Phase 2 Settings tab.
  2. Keep the default Phase 2 settings.

Screen shot of the Phase 2 Settings

  1. Click Save.

BOVPN Virtual Interfaces Configure Done

For more information about BOVPN virtual interface configuration on the Firebox, see Configure a BOVPN Virtual Interface.

Configure Google Cloud VPN

To configure the Google Cloud VPN, you must specify several settings.

  1. Log in to the Google Cloud Platform.
  2. In the Networking section, select VPC network > VPC networks.

Screen shot of the Networking menu in Google Cloud

  1. Click Create VPN Network.
  2. In the Name text box, type a name for the VPC network. In our example, we use cloud-vpn-network.
  3. In the Subnets section, for Subnet creation mode, select Custom.
  4. In the Name text box, type a name for the subnet. In our example, we use subnet-asia-east1-192-168-1.
  5. From the Region drop-down menu, select a region where your resources will be hosted. In our example, we select asia-east1.
  6. In the IP address range text box, specify the IP address range for this subnet. In our example, we use 192.168.1.0/24.
  7. (Optional) For Flow logs, select On.
  8. In the New subnet section, click Done.
  9. For all other settings, keep the default values.
  10. Click Create.

VPC network details in Google Cloud

Next, reserve a static address:

  1. Select Networking > VPC network > External IP addresses.
  2. Click Reserve Static Address.
    The Reserve a static address page appears.
  3. In the Name text box, type a name for the External IP address. In our example, we use google-cloud-vpn-ip.
  4. From the Region drop-down list, select a region where the address will be created. In our example, we select asia-east1.
  5. For all other settings, keep the default values.

Reserve a static address in Google Cloud

  1. Click Reserve.

Next, configure the VPN connection settings:

  1. Select Networking > Hybrid Connectivity > VPN.
  2. Click Create VPN connection.
  3. In the Google Compute Engine VPN gateway section, in the Name text box, specify a name for the VPN gateway.
  4. From the Network drop-down list, select the network you created. In our example, we select cloud-vpn-network.
  5. From the Region drop-down list, select a region. In our example, we select asia-east1.
  6. From the IP address drop-down list, select the IP address you created. In our example, we select google-cloud-vpn-ip.
  7. In the Tunnels section, in the Name text box, type a name for the tunnel.
  8. In the Remote peer IP address text box, type the public IP address of the remote peer.
  9. From the IKE version drop-down list, select IKEv2.
  10. In the Shared secret text box, type the IKE pre-shared key for this tunnel.
  11. For Routing options, select Route-based.
  12. In the Remote network IP ranges text box, type the IP address ranges of the remote networks.

Create a VPN connection in Google Cloud

  1. Click Create.

Next, create firewall rules:

  1. Select Networking > VPC network > Firewall rules.
  2. Click Create Firewall Rule.
  3. In the Name text box, type a name for this rule.
  4. In the Logs section, click On.
  5. From the Network drop-down list, select the network you created. In our example, we select cloud-vpn-network.
  6. For Direction of traffic, select Ingress.
  7. For Action on match, select Allow.
  8. From the Targets drop-down list, select All instances in the network.
  9. From the Source filter drop-down list, select IP ranges.
  10. In the Source IP ranges text box, type the IP address ranges of remote internal networks.
  11. For Protocols and ports, select Allow All or Specified protocols and ports. In our example, we select Allow all.
  12. For all other settings, keep the default values.

Create a firewall rule in Google Cloud

  1. Click Create.

Firewall rules in Google Cloud

Google Cloud VPN auto-negotiates the authentication, encryption, and key group with the Firebox. You cannot edit these settings in the Google Cloud VPN configuration.

For more information about Google Cloud VPN configuration and supported IKE ciphers, see the Google Cloud VPN Documentation.
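
The console steps in this section can also be expressed with the gcloud CLI, which makes the configuration reviewable and repeatable. The script below is an added example, not part of the WatchGuard guide; it prints the equivalent commands, assuming the console flow creates a Classic VPN gateway with a route-based tunnel. The gateway, tunnel, route and rule names, the peer address 203.0.113.10 and the remote range 10.0.1.0/24 are placeholder assumptions.

```shell
#!/bin/sh
# Added example: prints the gcloud commands that match the console steps above
# (Classic VPN, route-based). Resource names from the guide are reused; GW, TUNNEL,
# ROUTE, FW_RULE, PEER_IP and REMOTE_RANGE are placeholders to replace.
NETWORK=cloud-vpn-network
SUBNET=subnet-asia-east1-192-168-1
REGION=asia-east1
SUBNET_RANGE=192.168.1.0/24
ADDRESS=google-cloud-vpn-ip
GW=${GW:-firebox-gw}
TUNNEL=${TUNNEL:-firebox-tunnel}
ROUTE=${ROUTE:-route-to-firebox}
FW_RULE=${FW_RULE:-allow-from-firebox}
PEER_IP=${PEER_IP:-203.0.113.10}          # Firebox external IP (documentation address)
REMOTE_RANGE=${REMOTE_RANGE:-10.0.1.0/24} # network behind the Firebox (constructed)

# 24 random bytes, base64-encoded: a 32-character pre-shared key for both peers.
new_psk() { head -c 24 /dev/urandom | base64; }

# Emit the plan. "$PSK" is left unexpanded so the secret never appears in the output;
# it is read from the environment only when the plan is executed.
gcp_vpn_plan() {
  r="--region=$REGION"
  fr="gcloud compute forwarding-rules create"
  tgt="--address=$ADDRESS --target-vpn-gateway=$GW"
  cat <<EOF
gcloud compute networks create $NETWORK --subnet-mode=custom
gcloud compute networks subnets create $SUBNET --network=$NETWORK $r --range=$SUBNET_RANGE --enable-flow-logs
gcloud compute addresses create $ADDRESS $r
gcloud compute target-vpn-gateways create $GW --network=$NETWORK $r
$fr $GW-esp $r --ip-protocol=ESP $tgt
$fr $GW-udp500 $r --ip-protocol=UDP --ports=500 $tgt
$fr $GW-udp4500 $r --ip-protocol=UDP --ports=4500 $tgt
gcloud compute vpn-tunnels create $TUNNEL $r --target-vpn-gateway=$GW --peer-address=$PEER_IP --ike-version=2 --shared-secret="\$PSK" --local-traffic-selector=0.0.0.0/0 --remote-traffic-selector=0.0.0.0/0
gcloud compute routes create $ROUTE --network=$NETWORK --destination-range=$REMOTE_RANGE --next-hop-vpn-tunnel=$TUNNEL --next-hop-vpn-tunnel-region=$REGION
gcloud compute firewall-rules create $FW_RULE --network=$NETWORK --direction=INGRESS --action=ALLOW --rules=all --source-ranges=$REMOTE_RANGE --enable-logging
EOF
}
# --rules=all mirrors the guide's "Allow all" choice; a protocol:port list such as
# tcp:443 corresponds to the "Specified protocols and ports" option.

gcp_vpn_plan
```

To apply the plan, export `PSK` (for example with the output of `new_psk`) and pipe the printed commands to `sh`; type the same key in the Firebox pre-shared key text box. The three forwarding rules (ESP, UDP 500, UDP 4500) are the ones a Classic VPN gateway needs to receive IKE and IPSec traffic on the reserved address.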

Test the Integration

To test the integration:

  1. From Fireware Web UI, select System Status > VPN Statistics.
  2. Select the Branch Office VPN tab. The data shows the VPN is established.

VPN Statistics on the WatchGuard Firebox

  1. In the Google Cloud Platform, select Networking > Hybrid Connectivity > VPN.
  2. Select Google VPN Tunnels. The data shows the VPN is established.

Google VPN Statistics
