MikroTik BOVPN Integration Guide

Deployment Overview

WatchGuard provides integration instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about how to configure a third-party product, see the documentation and support resources for that product.

This integration guide describes how to configure a Branch Office VPN (BOVPN) tunnel between a WatchGuard Firebox and a MikroTik device.

Integration Summary

The hardware and software used in this guide include:

  • WatchGuard T55-W
    • Fireware v12.5
  • MikroTik RB2011L-IN
    • RouterOS v6.45.3 or higher

Test Topology

This diagram shows the topology used to connect your WatchGuard Firebox to a MikroTik device with a VPN.

MikroTik and Firebox Topology

Configure the Firebox

To configure a BOVPN connection, from Fireware Web UI:

  1. Select VPN > Branch Office VPN.
    The Branch Office VPN configuration page appears.
  2. To add a gateway, in the Gateways section, click Add.
    The Gateway Endpoint Settings dialog box appears.
  3. In the Gateway Name text box, type a name for the gateway.
  4. In the Address Family drop-down list, select IPv4 Address.
  5. Under the Credential Method section, select Use Pre-Shared Key.
  6. In the adjacent text box, type the pre-shared key.

Screen shot of the General Settings tab

  1. In the Gateway Endpoint section, click Add.
    The Gateway Endpoint Settings dialog box appears.
  2. From the External Interface drop-down list, select External.
  3. From the Interface IP Address drop-down list, select Primary Interface IP Address.
    The Primary Interface IP Address is the primary IP address you configured on the selected external interface.
  4. Select By IP Address.
  5. In the adjacent text box, type the primary IP address of the External Firebox interface.

Screen shot of the Local Gateway tab

  1. Select the Remote Gateway tab.
  2. Select Static IP Address.
  3. In the adjacent text box, type the public IP address of your MikroTik connection.
  4. Select By IP Address.
  5. In the adjacent text box, type the public IP address of your MikroTik connection.
  6. Keep the default settings for all other options.

Screen shot of the Remote Gateway settings on the Firebox

  1. Click OK.

Screen shot of the General Settings tab

Next, configure the Phase 1 settings.

  1. Select the Phase 1 Settings tab.
  2. From the Version drop-down list, select IKEv2.
  3. For all other settings, keep the default values. The algorithms configured on the MikroTik device later in this guide (SHA-256, AES-256, Diffie-Hellman group 14/modp2048) must match the Phase 1 and Phase 2 settings on the Firebox; if you change any of these defaults, make the same change on the MikroTik device.

Screen shot of the Phase 1 settings

  1. Click Save.

Screen shot of the BOVPN settings

Next, configure the Tunnels:

  1. On the Branch Office VPN page, in the Tunnels section, click Add.
    The Branch Office VPN Tunnel configuration interface appears.
  2. From the Gateway drop-down list, select the gateway that you added.

Screen shot of the Addresses tab

  1. In the Addresses section, click Add to configure tunnel routes for the tunnel.
    The Tunnel Route Settings dialog box appears.
  2. In the Local IP section, from the Choose Type drop-down list, select Network IPv4.
  3. In the Network IP text box, type the Network IP address, which is the internal network IP address of the WatchGuard Firebox.
  4. In the Remote IP section, from the Choose Type drop-down list, select Network IPv4.
  5. In the Network IP text box, type the Network IP address, which is the internal network IP address of MikroTik.
  6. For all other settings, keep the default values.

Tunnels in WatchGuard Firebox

  1. Click OK.

Tunnels in WatchGuard Firebox

  1. Click Save.

Tunnels in WatchGuard Firebox

For more information about Branch Office VPN configuration on the Firebox, see Configure Manual BOVPN Gateways and Configure Manual BOVPN Tunnels.

Configure MikroTik

To configure the MikroTik device:

  1. Log on to the MikroTik Web UI. In the default configuration, the device is reachable at http://192.168.88.1 from a host connected to ether2.
  2. Configure all required MikroTik interfaces.
  3. Verify that the MikroTik device can connect to the Internet and to Host2 (a computer on its internal network).

interface

  1. Select IP > Firewall > NAT.
  2. Click Add New.
  3. From the Chain drop-down list, select srcnat.
  4. In the Src. Address text box, type the Network IP address, which is the internal network IP address of the MikroTik device.
  5. In the Dst. Address text box, type the Network IP address, which is the internal network IP address of the Firebox.
  6. From the Out. Interface drop-down list, select ether1 (the WAN interface of the MikroTik device).
  7. From the Action drop-down list, select Accept.
  8. Keep the default settings for all other options. Make sure this rule is placed above the default masquerade rule in the srcnat chain: NAT rules are matched in order, and traffic that is masqueraded first no longer matches the IPsec policy and never enters the tunnel.

NAT SET

  1. Click Apply.

NAT SET

Next, configure IPsec settings on the MikroTik device:

  1. Select IP > IPsec > Proposals.
  2. Modify the default proposal.
  3. In the Name text box, type the proposal name or keep the default name.
  4. In the Auth. Algorithms section, select sha256.
  5. In the Encr. Algorithms section, select aes-256-cbc.
  6. From the PFS Group drop-down list, select modp2048.
  7. Keep the default settings for all other options.

Proposals

  1. Click Apply and OK.

Proposals

  1. Select the Peers tab.
  2. To add a new peer, click Add New.
  3. In the Name text box, type the peer name.
  4. In the Address text box, type the IP address of the External interface of the Firebox.
  5. In the Local Address text box, type the IP address of the ether1 (WAN) interface of the MikroTik device.
  6. From the Exchange Mode drop-down list, select IKE2.
  7. Keep the default settings for all other options.

peer

  1. Click Apply and OK.

peer

  1. Select the Identities tab.
  2. To add a new Identity, click Add New.
  3. From the Peer drop-down list, select the peer you created (peer1 in our example).
  4. From the Auth. Method drop-down list, select pre shared key.
  5. In the Secret text box, type the secret. The secret must exactly match the pre-shared key specified in the Firebox settings; use a long, randomly generated key.
  6. Keep the default settings for all other options.

Identities

  1. Click Apply and OK.

Identities

  1. Select the Profiles tab.
  2. Modify the default Profile.
  3. From the Hash Algorithms drop-down list, select sha256.
  4. In the Encryption Algorithm section, select aes-256.
  5. In the DH Group section, select modp2048.
  6. Keep the default settings for all other options.

Profiles

  1. Click Apply and OK.

Profiles

  1. Select the Policies tab.
  2. To add a new policy, click Add New.
  3. From the Peer drop-down list, select the peer you created (peer1 in our example).
  4. Select Tunnel.
  5. In the Src. Address text box, type the Network IP address, which is the internal network IP address of the MikroTik device.
  6. In the Dst. Address text box, type the Network IP address, which is the internal network IP address of the WatchGuard Firebox.
  7. Keep the default settings for all other options.

Policies

  1. Click Apply and OK.

Policies
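The same MikroTik configuration, entered from the RouterOS terminal (Winbox terminal or SSH) instead of the Web UI. This is an added example, not part of the original guide or of MikroTik's documentation. The addresses are assumptions taken from the RFC 5737 documentation ranges and stand in for the values shown in the screenshots: Firebox external IP 203.0.113.10 with internal network 10.0.1.0/24, MikroTik ether1 (WAN) IP 198.51.100.2 with internal network 192.168.88.0/24; the pre-shared key is a placeholder to replace.

```routeros
# Added example: RouterOS v6.45+ CLI equivalent of the MikroTik Web UI steps.
# Assumed addresses (RFC 5737 documentation ranges, replace with your own):
#   Firebox external IP    203.0.113.10   Firebox internal network   10.0.1.0/24
#   MikroTik ether1 (WAN)  198.51.100.2   MikroTik internal network  192.168.88.0/24

# 1. NAT bypass: traffic for the Firebox LAN must not be masqueraded, or it
#    never matches the IPsec policy. place-before=0 puts the rule at the top
#    of the srcnat chain, above the default masquerade rule.
/ip firewall nat
add chain=srcnat action=accept src-address=192.168.88.0/24 dst-address=10.0.1.0/24 \
    out-interface=ether1 place-before=0 comment="IPsec bypass to Firebox LAN"

# 2. Phase 1 (IKEv2 SA) algorithms, set on the default profile
/ip ipsec profile
set [ find default=yes ] hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048

# 3. Phase 2 (ESP) algorithms and PFS group, set on the default proposal
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048

# 4. Peer: the Firebox external address, reached from the MikroTik WAN address
/ip ipsec peer
add name=peer1 address=203.0.113.10/32 local-address=198.51.100.2 \
    exchange-mode=ike2 profile=default

# 5. Identity: the PSK must match the Firebox gateway's pre-shared key exactly
/ip ipsec identity
add peer=peer1 auth-method=pre-shared-key secret="REPLACE-WITH-LONG-RANDOM-PSK"

# 6. Policy: tunnel mode, selectors mirroring the Firebox tunnel route
#    (Firebox local 10.0.1.0/24 <-> remote 192.168.88.0/24)
/ip ipsec policy
add peer=peer1 tunnel=yes src-address=192.168.88.0/24 dst-address=10.0.1.0/24 \
    proposal=default
```

Because the guide uses By IP Address for both gateway IDs on the Firebox, the RouterOS identity can keep its default my-id and remote-id (the peer IP addresses). The profile and proposal values above are the ones the Web UI steps set; they have to match whatever the Firebox Phase 1 and Phase 2 settings actually are.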

Test the Integration

To test the integration, from Fireware Web UI:

  1. Select System Status > VPN Statistics.
  2. Select the Branch Office VPN tab.
  3. Verify that the VPN is established.

Screen shot of the VPN statistics

To test the integration, from the MikroTik Web UI:

  1. Select IP > IPsec > Policies.
  2. Verify that the PH2 State is established.

VPN Statistics

Finally, verify that Host1 and Host2 can ping each other successfully. In our example, Host1 is a computer behind the Firebox. Host2 is a computer behind the MikroTik device.
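The same checks from the RouterOS terminal, plus the two things to look at when the tunnel does not come up. This is an added example, not part of the original guide; it assumes the same addresses as the configuration example (MikroTik LAN 192.168.88.0/24 with the router at 192.168.88.1, Firebox LAN 10.0.1.0/24) and a hypothetical Host1 at 10.0.1.10 behind the Firebox.

```routeros
# Added example: verifying the BOVPN from the MikroTik side.
# Assumed: MikroTik LAN gateway 192.168.88.1, Host1 10.0.1.10 behind the Firebox.

# Phase 1: the Firebox should be listed as an active peer in state "established"
/ip ipsec active-peers print

# Phase 2: one SA per direction, showing the negotiated ESP algorithms
/ip ipsec installed-sa print

# The policy should show ph2-state=established (the PH2 State column in the Web UI)
/ip ipsec policy print detail

# Common failure: the accept (bypass) rule must be listed before masquerade
/ip firewall nat print

# Generate traffic that matches the policy by sourcing it from the LAN address
/ping 10.0.1.10 src-address=192.168.88.1 count=4

# If nothing is established, enable IPsec logging and read the negotiation log;
# a proposal mismatch or a wrong PSK shows up here
/system logging add topics=ipsec,!packet action=memory
/log print where topics~"ipsec"
```

The ping only works as a tunnel test because 192.168.88.1 falls inside the policy's src-address; a ping sourced from the WAN address would be routed in the clear and prove nothing about the tunnel.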