Google Cloud BOVPN Integration Guide

This integration guide describes how to configure a Branch Office VPN (BOVPN) tunnel between a WatchGuard Firebox and Google Cloud Platform.

This integration guide includes instructions about how to configure a BOVPN tunnel for a Firebox from:

  • Firebox Web UI
  • Policy Manager
  • WatchGuard Cloud

WatchGuard provides integration instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about how to configure a third-party product, go to the documentation and support resources for that product.

Contents

Integration Summary

The hardware and software used in this guide include:

  • WatchGuard Firebox
    • Fireware v12.11.3
  • WatchGuard System Manager (WSM)
    • 2025.1.0
  • WatchGuard Cloud Platform
  • Google Cloud Platform

Additional charges might apply for the use of Google Cloud Platform.

Topology

This diagram shows the topology for a BOVPN connection between a Firebox and Google Cloud Platform.

The screenshot of Test topology

Use Fireware Web UI to Configure the Firebox

To configure a BOVPN connection on the Firebox:

  1. Log in to Fireware Web UI.
  2. Select VPN > Branch Office VPN.
  3. From the Gateways section, click Add.
    The Branch Office VPN configuration page opens.

Screen shot of the General Setting tab

  1. In the Gateway Name text box, type a name to identify this BOVPN gateway.
  2. From the Address Family drop-down list, select IPv4 Addresses.
  3. From the Credential Method section, select Use Pre-Shared Key.
  4. In the adjacent text box, type the pre-shared key.
  5. In the adjacent drop-down list, keep the default String-Basedvalue.
  6. From the Gateway Endpoint section, click Add.
    The Gateway Endpoint Settings dialog box opens.

Screenshot of firebox, picture2, gateway endpoint settings, local gateway.

  1. From the External Interface drop-down list, select External.
  2. From the Interface IP Address drop-down list, select Primary Interface IPv4 Address.
    The Primary Interface IP Address is the primary IP address you configured on the selected external interface.
  3. To specify the gateway ID for tunnel authentication, select By IP Address.
  4. In the adjacent text box, type the primary IP address of the External Firebox interface.
  5. Select the Remote Gateway tab.

Screenshot of firebox, picture3, remmote gateway settings.

  1. To specify the remote gateway IP address for a tunnel, select Static IP Address.
  2. In the adjacent text box, type the External IP address of your Google Cloud connection.
  3. To specify the remote gateway ID for tunnel authentication, select By IP Address.
  4. In the adjacent text box, type the External IP address of your Google Cloud connection.
  5. Keep the default values for all other options.
  6. Click OK.

Screenshot of firebox, picture4, general settings page.

  1. From the Gateway Endpoint section, select the Start Phase 1 Tunnel When Firebox Starts check box.
  2. Select the Phase 1 Settings tab.

Screen shot of the Phase 1 Settings

  1. From the Version drop-down list, select IKEv2.
  2. Keep the default values for all other Phase 1 settings.
  3. Click Save.
    The Branch Office VPN page opens.

Screenshot of firebox, picture6, add tunnels.

  1. From the Tunnels section, click Add.
    The Branch Office VPN tunnel configuration page opens.

Screenshot of firebox, picture7, add a address.

  1. From the Gateway drop-down list, select the gateway that you configured.
  2. From the Addresses section, click Add.
    The Tunnel Route Settings page opens.

Screenshot of firebox, picture8, tunnel route settings.

  1. From the Local IP section, from the Choose Type drop-down list, select Network IPv4.
  2. In the Network IP text box, type the local IP segment. This is the local network protected by the Firebox.
  3. From the Remote IP section, from the Choose Type drop-down list, select Network IPv4.
  4. In the Network IP text box, type the remote IP segment. This is the local network protected by Google Cloud.
  5. Click OK.
  6. Keep the default values for the Phase 2 Settings tab.

Screenshot of firebox, picture9, phase 2 settings.

  1. Click Save.

Use Policy Manager to Configure the Firebox

To configure a BOVPN connection on the Firebox:

  1. From WatchGuard System Manager (WSM), select Tools > Policy Manager.
  2. Select VPN > Branch Office Gateways.
    The Gateways dialog box opens.
  3. To add a gateway, click Add.
    The New Gateway dialog box opens.

Screenshot of Firebox WSM configure 1

  1. In the Gateway Name text box, type a name to identify this BOVPN gateway.
  2. From the Address Family drop-down list, select IPv4 Addresses.
  3. In the Credential Method section, select Use Pre-Shared Key.
  4. In the text box, type or paste the shared key.
  5. From the drop-down list, select String-Based.
  6. In the Gateway Endpoints section, click Add.
    The New Gateway Endpoints Settings dialog box opens.

Screenshot of Firebox WSM configure 2

  1. In the Local Gateway area, from the External Interface drop-down list, select External.
  2. From the Interface IP Address drop-down list, select Primary Interface IPv4 Address.
    The Primary Interface IP Address is the primary IP address you configured on the selected external interface.
  3. To specify the gateway ID for tunnel authentication, select By IP Address.
  4. In the text box, type the primary IP address of the external Firebox interface.
  5. In the Remote Gateway area, to specify the remote gateway IP address for a tunnel, select Static IP Address.
  6. In the text box, type the external IP address of your Google Cloud connection.
  7. In the Specify the Remote Gateway ID for Tunnel Authentication, select By IP Address.
  8. In the text box, type the external IP address of your Google Cloud connection.
  9. Keep the default values for all other options.
  10. Click OK.

Screenshot of Firebox WSM configure 3

  1. From the Gateway Endpoint section, select the Start Phase 1 Tunnel When Firebox Starts check box.
  2. Select the Phase 1 Settings tab.

Screenshot of Firebox WSM configure 4

  1. From the Version drop-down list, select IKEv2.
  2. Keep the default values for all other Phase 1 settings.
  3. Click OK.

Screenshot of Firebox WSM configure 5

  1. Click Close.
  2. Select VPN > Branch Office Tunnels.
  3. Click Add.
    The New Tunnel dialog box opens.

Screenshot of Firebox WSM configure 6

  1. From the Gateway drop-down list, select the gateway that you configured previously.
  2. On the Addresses tab of the New Tunnel dialog box, click Add.
    The Tunnel Route Settings dialog box opens.

Screenshot of Firebox WSM configure 7

  1. From the Local IP section, click ..., from the Choose Type drop-down list, select Network IPv4.
  2. In the Network IP text box, type the local IP segment. This is the local network that the Firebox protects.
  3. From the Remote IP section, click ..., from the Choose Type drop-down list, select Network IPv4.
  4. In the Network IP text box, type the remote IP segment. This is the local network that Google Cloud protects.
  5. Click OK.
  6. Click OK.
  7. Keep the default values for the Phase 2 Settings tab.

Screenshot of Firebox WSM configure 8

  1. Click OK.
  2. Click Close.
  3. Click Save to Firebox.

Use WatchGuard Cloud to Configure the Firebox

To enable access from your Firebox network to your VPC, you must configure a BOVPN tunnel in WatchGuard Cloud.

To configure a BOVPN tunnel for a cloud-managed Firebox, from WatchGuard Cloud:

  1. Log in to WatchGuard Cloud with your WatchGuard Cloud operator account credentials.
    If you log in with a Service Provider account, you must select a Subscriber account from the Account Manager.
  2. From the navigation menu, select Configure > Device Configuration > VPN.
  3. Click Branch Office VPN.
  4. Click Add BOVPN.
    The Add BOVPN page opens.

Screenshot of Firebox Cloud-Managed 1

  1. In the Name text box, type a name for this BOVPN. In our example, we type To GCloud.
  2. From the VPN Connection Type drop-down list, select Policy-Based IPSec to Locally-Managed Firebox / Third-Party.
  3. From the Address Family drop-down list, select IPv4 Addresses.
  4. In the Endpoint A section, select your cloud-managed Firebox.
  5. In the Endpoint B section, in the Endpoint Name text box, type a name to identify the remote VPN endpoint. In our example, we type GCloud.
  6. Click Next.
    The VPN Gateways settings page opens.

Screenshot of Firebox Cloud-Managed 2

  1. In the VPN Gateways (IPv4 Addresses) section:
    1. For your cloud-managed Firebox, select the External network.
    2. For your GCloud connection, in the IP or Domain Name text box, type the external IP address of your Google Cloud.
  2. In the Pre-Shared Key text box, type the value of the Pre-Shared Key
  3. Click Next.
    The Traffic settings page opens.

Screenshot of Firebox Cloud-Managed 3

  1. For your cloud-managed Firebox, select the Internal network that you want to be accessible through the VPN tunnel.
  2. For your GCloud connection, click Add Network Resource.
  3. In the Network Resource text box, type the CIDR of your GCloud. In our example, we type 192.168.1.0/24.
  4. Click Add.
  5. Click Next.
    The Tunnel Routes settings page opens.

Screenshot of Firebox Cloud-Managed 4

  1. In the Tunnel Routes section, keep all the default settings, and click Next.
    The Security settings page opens.

Screenshot of Firebox Cloud-Managed 5

Screenshot of Firebox Cloud-Managed 6

Screenshot of Firebox Cloud-Managed 7

  1. In the Phase 1 Settings section:
    1. From the Authentication drop-down list, select SHA2-256.
    2. From the Encryption drop-down list, select AES-CBC (256-bit).
    3. In the SA Life text box, type 8.
    4. From the Diffie-Hellman Group drop-down list, select Diffie-Hellman Group14.
  2. In the Phase 2 Settings section:
    1. From the Authentication drop-down list, select SHA2-256.
    2. From the Encryption drop-down list, select AES-CBC (256-bit).
    3. Select the Use Perfect Forward Secrecy (PFS) check box.
    4. From the PFS Group drop-down list, select Diffie-Hellman Group14.
  3. Keep the default value for all other settings.
  4. Click Add.
  5. Click Finish.

Screenshot of Firebox Cloud-Managed 8

For more information about BOVPN configuration for a cloud-managed Firebox, go to Manage BOVPNs for Cloud-Managed Fireboxes.

Configure the Google Cloud VPN

To configure the Google Cloud VPN, perform these steps:

  1. Create a VPC Network
  2. Reserve a Static Address
  3. Create a VPN Connection
  4. Create the Firewall Rules

Create a VPC Network

Before you create your VPC Network, you should enable the Compute Engine API. Google charges you for the Compute Engine API in your projects. For more information, go to the Google Cloud documentation.

To create a VPC Network:

  1. Log in to the Google Cloud Platform.
  2. Select a project or create a new one. In this example, we use GoogleCloudVPN.
  3. From the navigation menu, select VPC Network > VPC Networks.
  4. Click Continue.
    The Product Details page opens.

Screenshot of the Google Cloud configure 1

Screenshot of the Google Cloud configure 2

  1. Click Enable.
    The VPC Networks page opens.

Screenshot of the Google Cloud configure 3

  1. Click Create VPC Network.
    The Create a VPC Network page opens.
  2. In the Name text box, type a name for the VPC network. In our example, we use cloud-vpc-network.
  3. From Subnet Creation Mode, select Custom.
  4. From Subnets, create a new subnet or edit the existing Subnet 1.
  5. From the New Subnet or Edit Subnet section, in the Name text box, type a name for the subnet. In our example, we use subnet-asia-east1-192-168-1.
  6. From the Region drop-down list, select a specific geographical location where you can host your resources. In our example, we select Asia-East1.
  7. From IP stack type section, select IPv4 (single-stack).
  8. In the IPv4 Range text box, specify the IP address range for this subnet. In our example, we use 192.168.1.0/24.
  9. (Optional) For Flow Logs, select On.
  10. Click Done.

Screenshot of the Google Cloud configure 6

  1. Keep the default values for all other settings.
  2. Click Create.

Screenshot of the Google Cloud configure 7

Reserve a Static Address

To reserve a static address:

  1. From the navigation menu, select VPC Network > IP Addresses.
    The IP Addresses page opens.

Screenshot of the Google Cloud configure 8

  1. Click Reserve External.
    The Reserve external static IP address page opens.

Screenshot of the Google Cloud configure 9

  1. In the Name text box, type a name for the External IP address. In our example, we use google-cloud-vpn-ip.
  2. From the Region drop-down list, select a region where you want to create the static address. In our example, we select asia-east1 (Taiwan).
  3. Keep the default values for all other settings.
  4. Click Reserve.

Create a VPN Connection

To create a VPN connection:

  1. Search for and select VPN.

Screenshot of the Google Cloud configure 10

Screenshot of the Google Cloud configure 11

  1. Click Create VPN Connection.
  2. From the VPN Options section, select Classic VPN.
  3. Click Continue.
    The Create a VPN Connection page opens.

Screenshot of the Google Cloud configure 12

Screenshot of the Google Cloud configure 13

  1. From the Google Compute Engine VPN Gateway section, in the Name text box, specify a name for the VPN gateway.
  2. From the Network drop-down list, select the network you created. In our example, we select cloud-vpc-network.
  3. From the Region drop-down list, select a region. In our example, we select asia-east1 (Taiwan).
  4. From the IP Address drop-down list, select the IP address you created. In our example, we select google-cloud-vpn-ip.
  5. From the Tunnels section, in the Name text box, type a name for the tunnel.
  6. In the Remote Peer IP Address text box, type the External IP address of the remote peer.
  7. From the IKE Version drop-down list, select IKEv2.
  8. In the IKE Pre-shared Key text box, type the IKE pre-shared key for this tunnel.
  9. For Routing Options, select Policy-based.
  10. In the Remote Network IP Ranges text box, type the IP address ranges of the remote networks.
  11. From the Local Subnetworks drop-down list, select subnet-asia-east1-192-168-1.
  12. Click Done.
  13. Click Create.

Create the Firewall Rules

To create the firewall rules:

  1. From the navigation menu, select VPC Network > Firewall.
  2. Click Create Firewall Rule.
    The Create a Firewall Rule page opens.

Screenshot of the Google Cloud configure 14

Screenshot of the Google Cloud configure 15

  1. In the Name text box, type a name for this rule.
  2. For Logs, select On.
  3. From the Network drop-down list, select the network you created. In our example, we select cloud-vpc-network.
  4. For Direction of Traffic, select Ingress.
  5. For Action on Match, select Allow.
  6. From the Targets drop-down list, select All Instances In the Network.
  7. From the Source Filter drop-down list, select IPv4 Ranges.
  8. In the Source IPv4 Ranges text box, type the IP address ranges of remote internal networks.
  9. For Protocols and Ports, select Allow All or Specified Protocols and Ports. In our example, we select Allow All.
  10. Keep the default values for all other settings.
  11. Click Create.
  12. To create an egress rule, repeat steps 2-13.

Screenshot of the Google Cloud configure 16

Screenshot of the Google Cloud configure 17

  1. Click Create.

Google Cloud VPN auto-negotiates authentication and encryption settings and the key group with the Firebox. You cannot edit these settings in the Google Cloud VPN configuration.

For more information about Google Cloud VPN configuration and supported IKE ciphers, go to Google Cloud VPN Documentation.

Test the Integration

To test the integration, you can use these methods.

Verify VPN status in Google Cloud

To verify the integration, from Google Cloud:

  1. From the Google Cloud Platform navigation menu, select Networking > Network Connectivity > VPN.
  2. Select the Cloud VPN Tunnels tab.
    The data shows the VPN is established.

Screenshot of VPN status verify

Verify VPN Status in Fireware WebUI

To verify the integration, from Web UI:

  1. Select System Status > VPN Statistics.
    The VPN Statistics page opens.
  2. Select the Branch Office VPN tab.
    The traffic statistics for Branch Office VPN tunnels open. The data shows the VPN is established.

Screenshot of VPN status verify

Verify VPN Status in WatchGuard System Manager (WSM)

To verify the integration, from WSM:

  1. Connect to a Firebox with WSM.
  2. Select the Device Status tab.
    The data shows the VPN is established.

Screenshot of VPN status verify

Verify VPN Status in WatchGuard Cloud

To verify the integration, from WatchGuard Cloud:

  1. Select Monitor > Devices.
    If you log in with a Service Provider account, you must select a Subscriber account from the Account Manager.
  2. Select your cloud-managed Firebox.
  3. Select Live Status > VPN > Branch Office VPN.
  4. Click the BOVPN name, and verify that the VPN is established.

Screenshot of VPN status verify