Google Cloud BOVPN Integration Guide

Deployment Overview

WatchGuard provides integration instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about how to configure a third-party product, see the documentation and support resources for that product.

This integration guide describes how to configure a Branch Office VPN (BOVPN) tunnel between a WatchGuard Firebox and Google Cloud Platform.

Integration Summary

The hardware and software used in this guide include:

  • WatchGuard Firebox T55-W
    • Fireware v12.5.2
  • Google Cloud Platform

Topology

This diagram shows the topology for a BOVPN connection between a Firebox and Google Cloud Platform.

Diagram of the BOVPN topology between the Firebox and Google Cloud Platform

Configure the Firebox

On the Firebox, configure a BOVPN connection:

  1. Log in to Fireware Web UI.
  2. Select VPN > Branch Office VPN.
    The Branch Office VPN configuration page appears.
  3. In the Gateways section, click Add.
  4. In the Gateway Name text box, type a name to identify this BOVPN gateway.
  5. From the Address Family drop-down list, select IPV4 Addresses.
  6. In the Credential Method section, select Use Pre-Shared Key.
  7. In the adjacent text box, type the pre-shared key.

Screenshot of the General Settings tab

  1. In the Gateway Endpoint section, click Add.
    The Gateway Endpoint Settings dialog box appears.
  2. From the External Interface drop-down list, select External.
  3. From the Interface IP Address drop-down list, select Primary Interface IPv4 Address.
    The Primary Interface IP Address is the primary IP address you configured on the selected external interface.
  4. Select By IP Address.
  5. In the adjacent text box, type the primary IP address of the external Firebox interface.

Screenshot of firebox, picture2, gateway endpoint settings, local gateway.

  1. Select the Remote Gateway tab.
  2. Select Static IP Address.
  3. In the adjacent text box, type the External IP address of your Google Cloud connection.
  4. Select By IP Address.
  5. In the adjacent text box, type the External IP address of your Google Cloud connection.
  6. Keep the default settings for all other options.

Screenshot of firebox, picture3, remote gateway settings.

  1. Click OK.
  2. In the Gateway Endpoint section, select the Start Phase 1 tunnel when Firebox starts check box.

Screenshot of firebox, picture4, general settings page.

  1. Select the Phase 1 Settings tab.
  2. From the Version drop-down list, select IKEv2.
  3. Keep all other Phase 1 settings as the default values.

Screenshot of the Phase 1 Settings tab

  1. Click Save.
  2. In the Tunnels section, click Add.

Screenshot of firebox, picture6, add tunnels.

  1. From the Gateway drop-down list, select the gateway that you configured.
  2. In the Addresses section, click Add.

Screenshot of firebox, picture7, add an address.

  1. In the Local IP section, from the Choose Type drop-down list, select Network IPv4.
  2. In the Network IP text box, type the local IP segment. This is the local network protected by the Firebox.
  3. In the Remote IP section, from the Choose Type drop-down list, select Network IPv4.
  4. In the Network IP text box, type the remote IP segment. This is the network protected by Google Cloud.

Screenshot of firebox, picture8, tunnel route settings.

  1. Click OK.
  2. Keep Phase 2 Settings as the default values.

Screenshot of firebox, picture9, phase 2 settings.

  1. Click Save.

Configure the Google Cloud VPN

To configure the Google Cloud VPN, you must specify several settings.

  1. Log in to the Google Cloud Platform.
  2. Select Navigation menu > Networking > VPC network > VPC networks.

Screenshot of the VPC network settings in Google Cloud

  1. Click Create VPC Network.
  2. In the Name text box, type a name for the VPC network. In our example, we use cloud-vpc-network.
  3. In the Subnets section, for Subnet creation mode, select Custom.
  4. In the Name text box, type a name for the subnet. In our example, we use subnet-asia-east1-192-168-1.
  5. From the Region drop-down menu, select a region, which is a specific geographical location where you can host your resources. In our example, we select asia-east1.
  6. In the IP address range text box, specify the IP address range for this subnet. In our example, we use 192.168.1.0/24.
  7. (Optional) For Flow logs, select on.

Screenshot of the Create a VPC Network settings in Google Cloud

  1. In the New subnet section, click Done.
  2. For all other settings, keep the default values.
  3. Click Create.

Screenshot of the completed VPN network settings in Google Cloud

Next, reserve a static address:

  1. Select Navigation menu > Networking > VPC network > External IP addresses.
  2. Click Reserve static address.
    The Reserve a static address page appears.
  3. In the Name text box, type a name for the External IP address. In our example, we use google-cloud-vpn-ip.
  4. From the Region drop-down list, select a region where the address will be created. In our example, we select asia-east1 (Taiwan).
  5. For all other settings, keep the default values.

Screenshot of the static address settings in Google Cloud

  1. Click Reserve.

Next, configure the VPN connection settings:

  1. Select Navigation menu > Networking > Hybrid Connectivity > VPN.
  2. Click Create VPN connection.
  3. From the VPN options section, select Classic VPN.
  4. Click Continue.
  5. In the Google Compute Engine VPN gateway section, in the Name text box, specify a name for the VPN gateway.
  6. From the Network drop-down list, select the network you created. In our example, we select cloud-vpc-network.
  7. From the Region drop-down list, select a region. In our example, we select asia-east1.
  8. From the IP address drop-down list, select the IP address you created. In our example, we select google-cloud-vpn-ip.
  9. In the Tunnels section, in the Name text box, type a name for the tunnel.
  10. In the Remote peer IP address text box, type the External IP address of the remote peer.
  11. From the IKE version drop-down list, select IKEv2.
  12. In the IKE pre-shared key text box, type the IKE pre-shared key for this tunnel.
  13. For Routing options, select Policy-based.
  14. In the Remote network IP ranges text box, type the IP address ranges of the remote networks.
  15. In the Local subnetworks drop-down list, select subnet-asia-east1-192-168-1.
  16. Click OK.

Screenshot of the completed VPN connection settings in Google Cloud

  1. Click Create.

Next, create firewall rules:

  1. Select Navigation menu > Networking > VPC network > Firewall rules.
  2. Click Create Firewall Rule.
  3. In the Name text box, type a name for this rule.
  4. In the Logs section, click On.
  5. From the Network drop-down list, select the network you created. In our example, we select cloud-vpc-network.
  6. For Direction of traffic, select Ingress.
  7. For Action on match, select Allow.
  8. From the Targets drop-down list, select All instances in the network.
  9. From the Source filter drop-down list, select IP ranges.
  10. In the Source IP ranges text box, type the IP address ranges of remote internal networks.
  11. For Protocols and ports, select Allow All or Specified protocols and ports. In our example, we select Allow all.
  12. For all other settings, keep the default values.

Screenshot of the firewall rule settings in Google Cloud

  1. Click Create.

Screenshot of the firewall rules list in Google Cloud

Google Cloud VPN auto-negotiates authentication and encryption settings and the key group with the Firebox. You cannot edit these settings in the Google Cloud VPN configuration.

For more information about Google Cloud VPN configuration and supported IKE ciphers, see the Google Cloud VPN Documentation.
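The Firebox and Google Cloud procedures above enter the same values twice, once on each side, and a tunnel that negotiates Phase 1 but passes no traffic is almost always a mismatch between those entries. The following added example (not part of the WatchGuard guide) cross-checks the two sides before testing; the IP addresses and pre-shared key are constructed placeholders, and the network names follow the guide's examples.

```python
import ipaddress

# Constructed sample values using the guide's example names; the IP addresses
# and the pre-shared key are placeholders, not values from the guide.
FIREBOX = {
    "external_ip": "203.0.113.10",          # Firebox primary external IPv4 address
    "remote_gateway_ip": "198.51.100.20",   # Google Cloud reserved static address
    "ike_version": 2,
    "psk": "replace-with-a-long-random-psk",
    "local_networks": ["10.0.1.0/24"],      # Local IP in the tunnel route (Firebox LAN)
    "remote_networks": ["192.168.1.0/24"],  # Remote IP in the tunnel route (Google Cloud subnet)
}
GCP = {
    "vpn_gateway_ip": "198.51.100.20",      # google-cloud-vpn-ip
    "remote_peer_ip": "203.0.113.10",       # Remote peer IP address
    "ike_version": 2,
    "psk": "replace-with-a-long-random-psk",
    "local_subnetworks": ["192.168.1.0/24"],      # subnet-asia-east1-192-168-1
    "remote_network_ip_ranges": ["10.0.1.0/24"],  # Remote network IP ranges
    "firewall_source_ranges": ["10.0.1.0/24"],    # Source IP ranges of the ingress rule
}

def nets(ranges):
    return {ipaddress.ip_network(r) for r in ranges}

def check_bovpn(fb, gcp):
    """Return the mismatches between the two sides; an empty list means consistent."""
    problems = []
    if fb["remote_gateway_ip"] != gcp["vpn_gateway_ip"]:
        problems.append("Firebox remote gateway IP != Google Cloud VPN gateway address")
    if gcp["remote_peer_ip"] != fb["external_ip"]:
        problems.append("Google Cloud remote peer IP != Firebox external IP")
    if not fb["ike_version"] == gcp["ike_version"] == 2:
        problems.append("both peers must use IKEv2")
    if fb["psk"] != gcp["psk"]:
        problems.append("pre-shared keys differ")
    # Phase 2 traffic selectors must mirror each other exactly, or Phase 2
    # does not establish even though Phase 1 succeeds.
    if nets(fb["local_networks"]) != nets(gcp["remote_network_ip_ranges"]):
        problems.append("Firebox local networks != Google Cloud remote network IP ranges")
    if nets(fb["remote_networks"]) != nets(gcp["local_subnetworks"]):
        problems.append("Firebox remote networks != Google Cloud local subnetworks")
    for l in nets(fb["local_networks"]):
        for r in nets(fb["remote_networks"]):
            if l.overlaps(r):
                problems.append(f"local {l} overlaps remote {r}")
        # The Google Cloud ingress firewall rule must admit the Firebox-side network.
        if not any(l.subnet_of(s) for s in nets(gcp["firewall_source_ranges"])):
            problems.append(f"firewall rule does not allow ingress from {l}")
    return problems
```

Run `check_bovpn(FIREBOX, GCP)` after filling in the real values; each string it returns names the page and field to revisit.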

Test the Integration

To test the integration:

  1. From Fireware Web UI, select System Status > VPN Statistics.
  2. Select the Branch Office VPN tab. The data shows the VPN is established.

Screenshot of firebox, picture10, vpn statistics.

  1. In the Google Cloud Platform, select Navigation menu > Networking > Hybrid Connectivity > VPN.
  2. Select Cloud VPN Tunnels. The data shows the VPN is established.

Screenshot of google cloud platform, picture9. vpn, cloud vpn tunnels.