Juniper SRX320 and Firebox BOVPN Virtual Interface Integration Guide

This guide describes how to configure a BOVPN virtual interface between a WatchGuard Firebox and a Juniper® SRX320.

Platform and Software

The hardware and software used to complete the steps outlined in this guide include:

  • WatchGuard Firebox T55-W with Fireware v12.5.2
  • Juniper SRX320 v18.2R3-S2.9

Integration Topology

This diagram outlines the topology used in this integration:

topology diagram

Configure the Firebox

To configure a BOVPN virtual interface on your Firebox:

  1. Log in to Fireware Web UI.
  2. From the navigation menu, select VPN > BOVPN Virtual Interfaces.
    The BOVPN Virtual Interfaces configuration page opens.
  3. Click Add.
  4. In the Interface Name text box, type a name to identify this BOVPN virtual interface.
  5. From the Remote Endpoint Type drop-down list, select Cloud VPN or Third-Party Gateway.
  6. From the Gateway Address Family drop-down list, select IPv4 Addresses.
  7. In the Credential Method section, select Use Pre-Shared Key. Type the pre-shared key.

Screenshot of Firebox, picture1

  8. In the Gateway Endpoint section, click Add.
    The Gateway Endpoint Settings dialog box opens.
  9. From the Physical drop-down list, select External.

Screenshot of Firebox, picture2

  10. Select By IP Address.
  11. From the Interface IP Address drop-down list, select Primary Interface IPv4 Address.
    The Primary Interface IP Address is the primary IP address you configured on the selected external interface.
  12. In the By IP Address text box, type the primary IP address of the external Firebox interface.
  13. Select the Remote Gateway tab.

Screenshot of Firebox, picture3

  14. Select Static IP Address.
  15. Select By IP Address. Type the public IP address of the ge-0/0/0.0 interface on the Juniper SRX320.
  16. Click OK.
  17. In the Gateway Endpoint section, select the Start Phase 1 tunnel when it is inactive check box.
  18. Select the Add this tunnel to the BOVPN-Allow policies check box.

Screenshot of Firebox, picture4

  19. Select the VPN Routes tab.

Screenshot of Firebox, picture5

  20. Click Add.
    The VPN Route Settings dialog box opens.

Screenshot of Firebox, picture6

  21. From the Choose Type drop-down list, select Network IPv4.
  22. In the Route To text box, type the network IP address of the route that uses this virtual interface.
  23. Click OK.
  24. Select the Assign virtual interface IP addresses check box.
  25. In the Local IP address and Peer IP address or netmask text boxes, type the virtual interface IP addresses.

Screenshot of Firebox, picture7

  26. Select the Phase 1 Settings tab.

Screenshot of Firebox, picture8

  27. From the Version drop-down list, select IKEv2.
  28. Keep the default values for all other Phase 1 Settings.
  29. Keep the default values for all Phase 2 Settings.

Screenshot of Firebox, picture9

  30. Click Save.

For more information about BOVPN virtual interface configuration on the Firebox, see BOVPN Virtual Interfaces.

Configure the Juniper SRX320

Follow these steps to configure the settings for your Juniper device.

Configure Basic Settings

  1. Log in to the Juniper Web Device Manager at https://<IP address of the Juniper device>.
    The default IP address is https://192.168.1.1.
  2. Configure the Juniper interfaces.
    For information on how to configure interfaces, zones, and routes, see the Juniper documentation.
  3. Configure the zones.
  4. Bind the zones and interfaces. In our example, we used these zones, interfaces, and IP addresses:

Screenshot of Juniper, picture1

Screenshot of Juniper, picture2

Screenshot of Juniper, picture3

Screenshot of Juniper, picture4

  5. Configure static routes.

Screenshot of Juniper, picture5

Configure IPSec VPN Phase 1 Settings

  1. Select Configure > Security > IPSec VPN > IKE (Phase I).
  2. Select the Proposal tab.
  3. Click +.
  4. In the Name text box, type a name for the proposal.

Screenshot of Juniper, picture6

  5. From the Authentication algorithm drop-down list, select sha-256.
  6. From the Authentication Method drop-down list, select pre-shared-keys.
  7. From the DH Group drop-down list, select group14.
  8. From the Encryption algorithm drop-down list, select aes-256-cbc.
  9. In the Lifetime seconds text box, type the number of seconds.
  10. Click OK.
    The proposal shows in the list.

Screenshot of Juniper, picture7

  11. Select the IKE Policy tab.
  12. Click +.
  13. In the Name text box, type a name for the policy.

Screenshot of Juniper, picture8

  14. From the Mode drop-down list, select main.
  15. Select User Defined.
  16. From the Proposal List, select the proposal you created.
  17. Select the IKE Policy Options tab.
  18. Select Pre Shared Key.

Screenshot of Juniper, picture9

  19. Select Ascii text. Type the pre-shared key.
  20. Click OK.
    The policy shows in the list.

Screenshot of Juniper, picture10

  21. Select the Gateway tab.
  22. Click +.
    The Add Gateway dialog box opens.
  23. In the Name text box, type the Gateway name.

Screenshot of Juniper, picture11

  24. From the Policy drop-down list, select the policy you created.
  25. From the External Interface drop-down list, select ge-0/0/0.0.
  26. Select Site to Site VPN.
  27. In the Remote Peer IP text box, type the IP address of the external Firebox interface. Click +.
  28. From the Local Identity Type drop-down list, select IP Address.
  29. In the IP Address text box, type the Juniper public IP address.
  30. From the Remote Identity Type drop-down list, select IP Address.
  31. In the IP Address text box, type the public IP address of the Firebox.
  32. From the Ike Version drop-down list, select v2-only.
  33. Keep the default values for all other settings.
  34. Click OK.
    The gateway shows in the list.

Screenshot of Juniper, picture12

  35. To commit the changes, click the commit icon in the upper-right corner.

Configure IPSec VPN Phase 2 Settings

  1. Select Configure > Security > IPSec VPN > IKE (Phase II).
  2. Select the Proposal tab.
  3. Click +.
    The Add proposal dialog box opens.
  4. In the Name text box, type the proposal name.

Screenshot of Juniper, picture13

  5. From the Authentication algorithm drop-down list, select hmac-sha-256-128.
  6. From the Encryption algorithm drop-down list, select aes-256-cbc.
  7. From the Protocol drop-down list, select esp.
  8. Click OK.
    The proposal shows in the list.

Screenshot of Juniper, picture14

  9. Select the IPSec Policy tab.
  10. Click +.
    The Add policy dialog box opens.
  11. In the Name text box, type the policy name.

Screenshot of Juniper, picture15

  12. From the Perfect Forward Secrecy drop-down list, select group14.
  13. Select User Defined.
  14. From the Proposal List, select the proposal you created.
  15. Click OK.

Screenshot of Juniper, picture16

  16. Select the VPN tab.
  17. Click +.
    The Add VPN dialog box opens.
  18. In the VPN Name text box, type the VPN name.

Screenshot of Juniper, picture17

  19. From the Remote Gateway drop-down list, select GW-JUN-WG.
  20. From the IPSec Policy drop-down list, select ipsec-phase2-policy.
  21. From the Bind to tunnel interface drop-down list, select st0.0.
  22. From the Establish tunnels drop-down list, select immediately.
  23. Click OK.
    The VPN shows in the list.

Screenshot of Juniper, picture18

  24. To commit the changes, click the commit icon in the upper-right corner.

Configure Security Policy Settings

  1. Select Configure > Security > Security Policy > Rules.
  2. Click +.
    The Create Rule wizard opens.
  3. In the Rule name text box, type the rule name (for example, policy-trust-vpn).
  4. Click Next.
  5. From the Zone drop-down list, select trust.

Screenshot of Juniper, picture19

  6. In the Address(es) text box, select Juniper_address.
  7. Click Next.
  8. From the Zone drop-down list, select VPN.

Screenshot of Juniper, picture20

  9. In the Address(es) text box, select VPN_address.
  10. In the Dynamic Application text box, select None.
  11. In the Service(s) text box, select Any.
  12. Click Next.

Screenshot of Juniper, picture21

  13. From the Rule Action drop-down list, select Permit.
  14. Click Next.
  15. Click Finish.
  16. Click OK.
    The rule shows in the list.

Screenshot of Juniper, picture22

  17. To create another security policy, repeat steps 2 to 16.

Screenshot of Juniper, picture23

  18. To commit the changes, click the commit icon in the upper-right corner.
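The J-Web steps in the three Juniper sections above map onto a small set of Junos configuration statements. The following is an added example, not part of this guide and not Juniper's or WatchGuard's own configuration, that expresses the same Phase 1, Phase 2, tunnel interface, routing, and security policy settings as `set` commands so the result can be reviewed in one place and compared against the Firebox side. Object names that the guide itself uses (GW-JUN-WG, ipsec-phase2-policy, st0.0, ge-0/0/0.0, the trust and VPN zones, Juniper_address, VPN_address, policy-trust-vpn) are kept; the proposal, policy and VPN names IKE-PROP-WG, IKE-POL-WG, IPSEC-PROP-WG and VPN-WG, the external zone name untrust, the second policy name policy-vpn-trust, the 28800-second lifetime, the pre-shared key placeholder, and all IP addresses and prefixes are assumptions for illustration. Lines beginning with `#` are explanatory comments; strip them before pasting into `load set terminal`.

```junos
# Constructed example addressing (assumed, not from the guide):
#   Juniper public IP (ge-0/0/0.0):       203.0.113.2
#   Firebox public IP (External):          198.51.100.2
#   Network behind the Firebox (Host 1):   10.0.1.0/24      -> VPN_address
#   Network behind the SRX320 (Host 2):    192.168.100.0/24 -> Juniper_address
#   Virtual interface IPs: Firebox 10.255.255.1, SRX320 10.255.255.2 (/30)

# Phase 1 proposal: sha-256, pre-shared-keys, group14, aes-256-cbc (guide steps 5-9)
set security ike proposal IKE-PROP-WG authentication-method pre-shared-keys
set security ike proposal IKE-PROP-WG dh-group group14
set security ike proposal IKE-PROP-WG authentication-algorithm sha-256
set security ike proposal IKE-PROP-WG encryption-algorithm aes-256-cbc
set security ike proposal IKE-PROP-WG lifetime-seconds 28800

# Phase 1 policy: main mode as selected in J-Web (IKEv2 has no main/aggressive
# mode, so this knob is not used once the gateway is v2-only), user-defined
# proposal, ASCII pre-shared key. Replace the placeholder with the same PSK
# typed into the Firebox Credential Method section.
set security ike policy IKE-POL-WG mode main
set security ike policy IKE-POL-WG proposals IKE-PROP-WG
set security ike policy IKE-POL-WG pre-shared-key ascii-text "REPLACE-WITH-PRE-SHARED-KEY"

# Phase 1 gateway: remote peer = Firebox public IP, identities = IP addresses,
# external interface ge-0/0/0.0, IKEv2 only (guide steps 24-32)
set security ike gateway GW-JUN-WG ike-policy IKE-POL-WG
set security ike gateway GW-JUN-WG address 198.51.100.2
set security ike gateway GW-JUN-WG local-identity inet 203.0.113.2
set security ike gateway GW-JUN-WG remote-identity inet 198.51.100.2
set security ike gateway GW-JUN-WG external-interface ge-0/0/0.0
set security ike gateway GW-JUN-WG version v2-only

# Phase 2 proposal: esp, hmac-sha-256-128, aes-256-cbc (Phase 2 steps 5-7)
set security ipsec proposal IPSEC-PROP-WG protocol esp
set security ipsec proposal IPSEC-PROP-WG authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC-PROP-WG encryption-algorithm aes-256-cbc

# Phase 2 policy: PFS group14, user-defined proposal (Phase 2 steps 12-14)
set security ipsec policy ipsec-phase2-policy perfect-forward-secrecy keys group14
set security ipsec policy ipsec-phase2-policy proposals IPSEC-PROP-WG

# Route-based VPN bound to st0.0, tunnels established immediately (Phase 2 steps 19-22)
set security ipsec vpn VPN-WG bind-interface st0.0
set security ipsec vpn VPN-WG ike gateway GW-JUN-WG
set security ipsec vpn VPN-WG ike ipsec-policy ipsec-phase2-policy
set security ipsec vpn VPN-WG establish-tunnels immediately

# Tunnel interface address: the peer of the Firebox virtual interface IP
set interfaces st0 unit 0 family inet address 10.255.255.2/30

# Zone bindings. The guide names the trust and VPN zones; "untrust" for the
# external interface is assumed. IKE must be allowed inbound on the external
# zone or Phase 1 never completes; J-Web does not surface this in the VPN wizard.
set security zones security-zone VPN interfaces st0.0
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services ike

# Static route to the network behind the Firebox via the tunnel interface
# (the Firebox side needs the mirror route, 192.168.100.0/24, in VPN Routes)
set routing-options static route 10.0.1.0/24 next-hop st0.0

# Address objects referenced by the security policies
set security address-book global address Juniper_address 192.168.100.0/24
set security address-book global address VPN_address 10.0.1.0/24

# Security policies: trust -> VPN as in steps 3-16, plus the reverse policy
# that step 17 ("repeat steps 2 to 16") creates for return traffic
set security policies from-zone trust to-zone VPN policy policy-trust-vpn match source-address Juniper_address
set security policies from-zone trust to-zone VPN policy policy-trust-vpn match destination-address VPN_address
set security policies from-zone trust to-zone VPN policy policy-trust-vpn match application any
set security policies from-zone trust to-zone VPN policy policy-trust-vpn then permit
set security policies from-zone VPN to-zone trust policy policy-vpn-trust match source-address VPN_address
set security policies from-zone VPN to-zone trust policy policy-vpn-trust match destination-address Juniper_address
set security policies from-zone VPN to-zone trust policy policy-vpn-trust match application any
set security policies from-zone VPN to-zone trust policy policy-vpn-trust then permit
```

The Firebox side keeps its default Phase 1 and Phase 2 settings (steps 28 and 29 of the Firebox procedure), so the point to check before committing is that the proposals above match what Fireware actually offers: IKEv2 negotiation fails with no usable proposal if the encryption, integrity, or DH group differs on either side, and a mismatch between the Juniper local-identity and the Remote Gateway IP entered on the Firebox fails authentication even when the pre-shared key is correct.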

Test the Integration

To test the integration, from Fireware Web UI:

  1. Select System Status > VPN Statistics.
  2. Select the Branch Office VPN tab.
  3. Verify that the VPN is established.

Screenshot of Firebox, picture10

  4. Verify that Host 1 (behind the Firebox) and Host 2 (behind the Juniper SRX320) can successfully ping each other.
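The same verification can be done from the Juniper side before involving the hosts. The operational commands below are an added example, not part of this guide; they use the gateway name GW-JUN-WG and tunnel interface st0.0 from the guide, while the prefixes 10.0.1.0/24 (behind the Firebox) and 192.168.100.0/24 (behind the SRX320), the host address 10.0.1.10, and the SRX320 LAN address 192.168.100.1 are assumed for illustration.

```junos
# Phase 1: expect one SA for the Firebox peer in state UP with IKEv2 listed;
# a missing entry or a state other than UP means proposal, identity, or PSK mismatch
show security ike security-associations
show security ike security-associations detail

# Phase 2: expect inbound and outbound SAs bound to st0.0 for gateway GW-JUN-WG;
# the ESP/SHA-256/AES-256 algorithms here must agree with the Phase 2 proposal
show security ipsec security-associations
show security ipsec security-associations detail

# Tunnel interface must be up/up and the remote prefix must resolve via st0.0,
# otherwise traffic never enters the tunnel even when both SAs exist
show interfaces st0.0 terse
show route 10.0.1.0/24

# Source the ping from the SRX320 LAN address so it matches the trust -> VPN
# policy and the Firebox VPN route; a ping sourced from ge-0/0/0.0 would not
show security ipsec statistics
ping 10.0.1.10 source 192.168.100.1 count 5

# Confirm sessions are being created across the tunnel, then compare
# encrypted/decrypted packet counters before and after the ping
show security flow session destination-prefix 10.0.1.0/24
show security ipsec statistics

# IKE negotiation log if either phase does not come up
show log kmd
```

When the Firebox VPN Statistics page shows the tunnel as established but the ping fails, the usual causes visible here are an absent route for the remote prefix on one side, a security policy that matches the wrong zone pair or address objects, or counters on `show security ipsec statistics` that increment only in one direction, which points at the return path (the Firebox BOVPN-Allow policies or the reverse Juniper policy) rather than at the tunnel itself.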