Juniper SRX300 and Firebox Branch Office VPN Integration Guide

Deployment Overview

WatchGuard provides integration instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about how to configure a third-party product, see the documentation and support resources for that product.

This integration guide describes how to configure a Branch Office VPN (BOVPN) tunnel between a WatchGuard Firebox and a Juniper® SRX300.

Integration Summary

The hardware and software used in this guide include:

  • WatchGuard Firebox T55-W with Fireware v12.7
  • Juniper SRX300 v19.4R3-S1.3

Integration Topology

This diagram shows the topology for a BOVPN connection between a Firebox and a Juniper SRX300.

Topology diagram

Configure the Firebox

On the Firebox, configure a Branch Office VPN (BOVPN) connection:

  1. Log in to Fireware Web UI.
  2. Select VPN > Branch Office VPN.
    The Branch Office VPN configuration page opens.
  3. In the Gateways section, click Add.
  4. In the Gateway Name text box, type a name to identify this BOVPN gateway.
  5. From the Address Family drop-down list, select IPv4 Addresses.
  6. In the Credential Method section, select Use Pre-Shared Key.
  7. In the adjacent text box, type the pre-shared key.

Screenshot of Firebox, picture12

  8. In the Gateway Endpoint section, click Add.
    The Gateway Endpoint Settings dialog box opens.
  9. From the External Interface drop-down list, select External.
  10. From the Interface IP Address drop-down list, select Primary Interface IPv4 Address.
    The Primary Interface IP Address is the primary IP address you configured on the selected external interface.
  11. Select By IP Address.
  12. In the adjacent text box, type the primary IP address of the external Firebox interface.

Screenshot of Firebox, picture13

  13. Select the Remote Gateway tab.
  14. Select Static IP Address.
  15. In the adjacent text box, type the public IP address of the ge-0/0/0.0 interface on the Juniper SRX300.
  16. Select By IP Address.
  17. In the adjacent text box, type the public IP address of the ge-0/0/0.0 interface on the Juniper SRX300.

Screenshot of Firebox, picture14

  18. Click OK.
  19. In the Gateway Endpoint section, select Start Phase 1 tunnel when Firebox starts.

Screenshot of Firebox, picture15

  20. Select the Phase 1 Settings tab.
  21. From the Version drop-down list, select IKEv1.
  22. Keep the default values for all other Phase 1 Settings.

Screenshot of Firebox, picture16

  23. Click Save.
  24. In the Tunnels section, click Add.

Screenshot of Firebox, picture17

  25. From the Gateway drop-down list, select the gateway that you configured.
  26. In the Addresses section, click Add.

Screenshot of Firebox, picture18

  27. In the Local IP section, from the Choose Type drop-down list, select Network IPv4.
  28. In the Network IP text box, type the local IP segment. This is the local network protected by the Firebox.
  29. In the Remote IP section, from the Choose Type drop-down list, select Network IPv4.
  30. In the Network IP text box, type the remote IP segment. This is the local network protected by the Juniper device.

Screenshot of Firebox, picture19

  31. Click OK.
  32. Keep the default values for all other Phase 2 Settings.

Screenshot of Firebox, picture20

  33. Click Save.

Configure the Juniper SRX300

Configure Basic Settings

  1. Log in to the Juniper Web Device Manager at https://<IP address of the Juniper device>.
    The default IP address is https://192.168.1.1.
  2. Configure the Juniper interfaces. For information about how to configure interfaces, see the Juniper documentation.

Screenshot of Juniper, picture25

  3. Configure the zones and bind the zones and interfaces. For information about how to configure zones, see the Juniper documentation.

Screenshot of Juniper, picture26

  4. Configure the global addresses. For information about how to configure global addresses, see the Juniper documentation.

Screenshot of Juniper, picture27

  5. Configure the static route. For information about how to configure static routes, see the Juniper documentation.

Screenshot of Juniper, picture28

Configure IPSec VPN Phase 1 Settings

On your Juniper device:

  1. Select Configure > Security Services > IPsec VPN > IKE (Phase I).
  2. Select the Proposal tab.
  3. Click +.
  4. In the Name text box, type a name for the proposal.
  5. From the Authentication algorithm drop-down list, select sha-256.
  6. From the Authentication Method drop-down list, select pre-shared-keys.
  7. From the DH Group drop-down list, select group14.
  8. From the Encryption algorithm drop-down list, select aes-256-cbc.
  9. In the Lifetime seconds text box, type the number of seconds.

Screenshot of Juniper, picture29

  10. Click OK.

Screenshot of Juniper, picture30

  11. Select the IKE Policy tab.
  12. Click +.
  13. In the Name text box, type a name for the policy.
  14. From the Mode drop-down list, select main.
  15. Select User Defined.
  16. From the Proposal List, select the proposal you created.

Screenshot of Juniper, picture31

  17. Select the IKE Policy Options tab.
  18. Select Pre Shared Key.
  19. Select Ascii text.
  20. Type the pre-shared key.

Screenshot of Juniper, picture32

  21. Click OK.

Screenshot of Juniper, picture33

  22. Select the Gateway tab.
  23. Click +.
  24. In the Name text box, type the gateway name.
  25. From the Policy drop-down list, select the policy you created.
  26. From the External Interface drop-down list, select ge-0/0/0.0.
  27. Select Site to Site VPN.
  28. In the Remote Peer IP text box, type the IP address of the external Firebox interface.
  29. Click +.
  30. From the Local Identity Type drop-down list, select IP Address.
  31. In the IP Address text box, type the public IP address of the Juniper device.
  32. From the Remote Identity Type drop-down list, select IP Address.
  33. In the IP Address text box, type the public IP address of the Firebox.
  34. From the IKE Version drop-down list, select v1-only.

Screenshot of Juniper, picture34

  35. Click OK.

Screenshot of Juniper, picture36

  36. To commit the changes, in the upper-right corner, click the button.
  37. Click Commit.

Configure IPsec VPN Phase 2 Settings

On your Juniper device:

  1. Select Configure > Security Services > IPsec VPN > IPsec (Phase II).
  2. Select the Proposal tab.
  3. Click +.
  4. In the Name text box, type the proposal name.
  5. From the Authentication algorithm drop-down list, select hmac-sha-256-128.
  6. From the Encryption algorithm drop-down list, select aes-256-cbc.
  7. From the Protocol drop-down list, select esp.

Screenshot of Juniper, picture37

  8. Click OK.

Screenshot of Juniper, picture38

  9. Select the IPSec Policy tab.
  10. Click +.
  11. In the Name text box, type the policy name.
  12. From the Perfect Forward Secrecy drop-down list, select group14.
  13. Select User Defined.
  14. From the Proposal List, select the proposal you created.

Screenshot of Juniper, picture39

  15. Click OK.

Screenshot of Juniper, picture40

  16. Select the VPN tab.
  17. Click +.
  18. In the VPN Name text box, type the VPN name.
  19. From the Remote Gateway drop-down list, select GW-JUN-WG.
  20. From the IPSec Policy drop-down list, select ipsec-phase2-policy.
  21. From the Bind to tunnel interface drop-down list, select none.
  22. From the Establish tunnels drop-down list, select immediately.

Screenshot of Juniper, picture41

  23. Click OK.

Screenshot of Juniper, picture42

  24. To commit the changes, in the upper-right corner, click the button, and click Commit.

Configure Security Policy rules

  1. Select Configure > Security Services > Security Policy > Rules.
  2. Click +.
  3. In the Rule name text box, type the rule name (for example, vpn-trust-untrust).
  4. Click Next.
  5. From the Zone drop-down list, select trust.
  6. In the Address(es) text box, select Juniper_address.

Screenshot of Juniper, picture43

  7. Click Next.
  8. From the Zone drop-down list, select untrust.
  9. In the Address(es) text box, select WG_address.
  10. In the Dynamic Application text box, select None.
  11. In the Service(s) text box, select any.
  12. In the URL Category text box, select None.

Screenshot of Juniper, picture44

  13. Click Next.
  14. From the Rule Action drop-down list, select Permit.
  15. From the IPSec VPN drop-down list, select VPN-JUN.
  16. In the Pair Policy Name text box, type the pair policy name (for example, vpn-untrust-trust).

Screenshot of Juniper, picture45

  17. Click Next.
  18. Click Finish.
  19. Click OK.

Screenshot of Juniper, picture46

  20. To create another security policy, repeat steps 2 through 19.

Screenshot of Juniper, picture47

  21. To commit the changes, in the upper-right corner, click the button.
  22. Click Commit.

Configure Source NAT

  1. Select Configure > Security Services > NAT > Source.
  2. Select the Source Rule Set tab.
  3. In the Rules in Selected Rule-Set section, select the rule name and click the edit button.
  4. In the Source Address and Ports section, select Juniper_address.
  5. In the Destination Address and Ports section, select WG_address.
  6. For Port, select Any.
  7. In the Action section, select No Source NAT.

Screenshot of Juniper, picture48

  8. Click OK.

Screenshot of Juniper, picture49

  9. To commit the changes, in the upper-right corner, click the button.
  10. Click Commit.
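The Security Policy and Source NAT sections above, expressed as the equivalent Junos CLI configuration. This is an added example, not part of the WatchGuard guide or of Juniper's documentation. Juniper_address, WG_address, vpn-trust-untrust, vpn-untrust-trust and VPN-JUN are the names the guide uses; the rule-set name trust-to-untrust, the rule name no-nat-vpn and every angle-bracket placeholder are assumptions.

```junos
# Added example: Junos CLI equivalent of the Security Policy and Source NAT
# steps. Juniper_address, WG_address, vpn-trust-untrust, vpn-untrust-trust
# and VPN-JUN are the guide's names; trust-to-untrust, no-nat-vpn and all
# <...> values are assumptions.

# Global address book entries referenced by both policies (guide: "global addresses")
set security address-book global address Juniper_address <juniper-lan-prefix>
set security address-book global address WG_address <firebox-lan-prefix>

# trust -> untrust: permit LAN-to-LAN traffic and send it into the VPN-JUN tunnel
set security policies from-zone trust to-zone untrust policy vpn-trust-untrust match source-address Juniper_address
set security policies from-zone trust to-zone untrust policy vpn-trust-untrust match destination-address WG_address
set security policies from-zone trust to-zone untrust policy vpn-trust-untrust match application any
set security policies from-zone trust to-zone untrust policy vpn-trust-untrust then permit tunnel ipsec-vpn VPN-JUN
set security policies from-zone trust to-zone untrust policy vpn-trust-untrust then permit tunnel pair-policy vpn-untrust-trust

# untrust -> trust: the paired return policy (the "another security policy" of step 20)
set security policies from-zone untrust to-zone trust policy vpn-untrust-trust match source-address WG_address
set security policies from-zone untrust to-zone trust policy vpn-untrust-trust match destination-address Juniper_address
set security policies from-zone untrust to-zone trust policy vpn-untrust-trust match application any
set security policies from-zone untrust to-zone trust policy vpn-untrust-trust then permit tunnel ipsec-vpn VPN-JUN
set security policies from-zone untrust to-zone trust policy vpn-untrust-trust then permit tunnel pair-policy vpn-trust-untrust

# Source NAT exemption: traffic for the Firebox LAN keeps its real source
# address so that it matches the local/remote network selectors negotiated
# for the tunnel on both sides
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule no-nat-vpn match source-address <juniper-lan-prefix>
set security nat source rule-set trust-to-untrust rule no-nat-vpn match destination-address <firebox-lan-prefix>
set security nat source rule-set trust-to-untrust rule no-nat-vpn then source-nat off

# Source NAT rules are evaluated in order: the exemption must come before any
# interface-NAT rule in the same rule-set (<existing-nat-rule> is a placeholder
# for that rule's name)
insert security nat source rule-set trust-to-untrust rule no-nat-vpn before rule <existing-nat-rule>

commit
```

After the commit, `show security ike security-associations` should list the Firebox peer in state UP, `show security ipsec security-associations` should show an inbound and an outbound SA for VPN-JUN, and the counters in `show security ipsec statistics` should increase while Host 1 and Host 2 ping each other. If Phase 1 and Phase 2 are up but pings fail in one direction only, check the pair policy and the position of the NAT exemption rule first.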

Test the Integration

To test the integration, from Fireware Web UI:

  1. Select System Status > VPN Statistics.
  2. Select the Branch Office VPN tab.
  3. Verify that the VPN is established.

Screenshot of Firebox, picture21

  4. Verify that Host 1 (behind the Firebox) and Host 2 (behind the Juniper SRX300) can successfully ping each other.