pfSense and Firebox Policy-Based BOVPN Integration Guide

This integration guide describes how to configure a policy-based Branch Office VPN (BOVPN) between a WatchGuard Firebox and a pfSense firewall.

Contents

Integration Summary

The hardware and software used in this guide include:

  • WatchGuard Firebox with Fireware v12.11.2 (B713726)
  • pfSense device with v2.8.0-BETA (amd64)

Integration Topology

This diagram outlines the topology used in this integration.

Topology diagram

Configure the Firebox

You can configure your Firebox for a policy-based BOVPN from WatchGuard Cloud for a cloud-managed Firebox or Fireware Web UI for a locally-managed Firebox.

  1. Log in to WatchGuard Cloud with your WatchGuard Cloud operator account credentials.
    If you log in with a Service Provider account, you must select a Subscriber account from the Account Manager.
  2. From the top navigation menu, select Configure > VPNs.
  3. Click Add BOVPN.
    The Add BOVPN page opens.
  4. In the Name text box, type a descriptive name.
  5. For VPN Connection Type, select Policy-Based IPSec to Locally-Managed Firebox / Third-Party.
  6. From the Address Family drop-down list, select IPv4 Addresses.
  7. In the Endpoint A section, select your cloud-managed Firebox.
  8. In the Endpoint B section, in the Endpoint Name text box, type a name to identify the remote VPN endpoint. In our example, we type pfSense firewall.

    9. Screenshot of WGC, WGC define VPN endpoints

  9. Click Next.
  10. For your cloud-managed Firebox:
    1. Select External.
    2. In the IP or Domain Name or User on Domain text box, select an IP address, domain name, or user on domain that resolves to the Firebox external network IP address.
  11. For the remote VPN endpoint, in the IP or Domain Name or User on Domain text box, type the IP address of your pfSense firewall WAN connection.
  12. In the Pre-Shared Key text box, type a pre-shared key. This pre-shared key matches the pre-shared key when you configure the pfSense IPSec VPN Phase 1 settings.

    13. Screenshot of WGC, WGC VPN Gateway

  13. Click Next.
  14. In the cloud-managed Firebox section, select the internal networks that you want to be accessible through the VPN tunnel.
  15. In the pfSense endpoint section, click Add Network Resource.
  16. In the Network Resource text box, type the private network protected by the pfSense firewall. For our example, we type 192.168.13.0/24.
  17. Click Add.

    Screenshot of WGC, WGC traffic private network

  18. For all other settings, keep the default values.
  19. Click Next.
    The Tunnel Routes page opens.

    Screenshot of WGC, WGC Tunnel Routes

  20. Click Next.
  21. In the Phase 1 Settings section, from the Authentication drop-down list, select SHA2-256.
  22. From the Encryption drop-down list, select AES-CBC (256-bit).
  23. In the SA Life text box, type 24.
  24. From the Diffie-Hellman Group drop-down list, select Diffie-Hellman Group14.
  25. In the Phase 2 Settings section, from the Authentication drop-down list, select SHA2-256.
  26. From the Encryption drop-down list, select AES-CBC (256-bit).
  27. Select the Use Perfect Forward Secrecy (PFS) check box.
  28. From the PFS Group drop-down list, select Diffie-Hellman Group14.

    Screenshot of WGC, WGC phase 1 and phase 2 settings

  29. Keep the default values for all other settings.
  30. Click Add.
  31. (Optional) To open the VPN Configuration Summary page for the cloud-managed Firebox, click View Guide.
  32. Click Finish.
    WatchGuard Cloud creates and deploys a configuration update for the cloud-managed Firebox.
  1. Log in to Fireware Web UI at: https://<your Firebox IP address>:8080.
  2. Select VPN > Branch Office VPN.
    The Branch Office VPN configuration page opens.
  3. In the Gateways section, click Add.
    The Add Branch Office VPN page opens.
  4. In the Gateway Name text box, type a name to identify this BOVPN gateway.
  5. From the Address Family drop-down list, select IPv4 Addresses.
  6. In the Credential Method section:
    1. Select Use Pre-Shared Key.

    2. In the Use Pre-Shared Key text box, type the pre-shared key.
    3. From the drop-down list, select String-Based.

    Screen shot of the general BOVPN settings

  7. In the Gateway Endpoint section, click Add.
    The Gateway Endpoint Settings dialog box opens.
  8. From the External Interface drop-down list, select the interface that has the external (public) IP address of the Firebox.
  9. From the Interface IP Address drop-down list, select Primary Interface IPv4 Address.
    The Primary Interface IP Address is the primary IP address you configured on the selected external interface.
  10. For Specify the Gateway ID for Tunnel Authentication, select By IP Address.
  11. In the adjacent text box, type the primary IP address of the Firebox external interface.

    Screen shot of the gateway endpoint settings

  12. Select the Remote Gateway tab.
    The Remote Gateway page opens.
  13. For Specify the Remote Gateway IP Address for a Tunnel, select Static IP Address.
  14. In the adjacent text box, type the IP address of your pfSense WAN connection.
  15. For Specify the Remote Gateway ID for Tunnel Authentication, select By IP Address.
  16. In the adjacent text box, type the IP address of your pfSense WAN connection.
  17. Keep the default values for all other settings.

    Screen shot of the complete gateway endpoint configuration

  18. Click OK.
    The gateway you added appears in the Gateway Endpoint section.
  19. In the Gateway Endpoint section, select the Start Phase 1 Tunnel When Firebox Starts check box.

    Screen shot of the completed general settings configuration

  20. Select the Phase 1 Settings tab.
    The Phase 1 Settings page opens.
  21. From the Version drop-down list, select IKEv2.
  22. Keep the default values for all of the Phase 1 settings.

    Screen shot of the Phase 1 settings

  23. Click Save.
    The gateway you added appears on the Branch Office VPN page.
  24. In the Tunnels section, click Add.
    The tunnel settings page opens.

    Screen shot of the Gateways and Tunnels lists

  25. In the Name text box, type a name to identify this tunnel.
  26. From the Gateway drop-down list, select the gateway you just created.
  27. In the Addresses section, click Add.
    The Tunnel Route Settings dialog box opens.
  28. In the Local IP section:
    1. From the Choose Type drop-down list, select Network IPv4.
    2. In the Network IP text box, type the local IP address. This IP address is the internal network that the Firebox protects.
  1. In the Remote IP section:
    1. From the Choose Type drop-down list, select Network IPv4.
    2. In the Network IP text box, type the remote IP address. This IP address is the internal network that the pfSense firewall protects.

    Screen shot of the tunnel route settings

  2. Click OK.
  3. Keep the default values for all Phase 2 settings.

    Screen shot of the Phase 2 settings

  4. Click Save.

Configure pfSense

This section describes how to configure the pfSense settings.

Configure Basic Settings

  1. Log in to the pfSense Web UI at: https://<IP address of the pfSense>
    The default IP address of the interface is: https://192.168.1.1
  2. Configure the pfSense interfaces. For information about how to configure interfaces, go to the pfSense documentation.

Screenshot of pfSense, picture new1

Screenshot of pfSense, picture new10

Configure the pfSense IPSec VPN Phase 1 and 2 Settings

  1. Log in to the pfSense Web UI at: https://<IP address of the pfSense device>
  2. Select VPN > IPsec > Tunnels.
  3. Click + Add P1.
  4. In the IKE Endpoint Configuration section, from the Key Exchange Version drop-down list, select IKEv2.
  5. From the Internet Protocol drop-down list, select IPv4.
  6. From the Interface drop-down list, select WAN.
  7. In the Remote Gateway text box, type the external IP address of the Firebox.
  8. In the Phase 1 Proposal (Authentication) section, from the Authentication Method drop-down list, select Mutual PSK.
  9. From the My Identifier drop-down list, select My IP Address.
  10. From the Peer Identifier drop-down list, select Peer IP address.
  11. In the Pre-Shared Key text box, type the pre-shared key.
  12. In the Phase 1 Proposal (Encryption Algorithm) section, from the Algorithm drop-down list, select AES.
  13. From the Key Length drop-down list, select 256 bits.
  14. From the Hash drop-down list, select SHA256.
  15. From the DH Group drop-down list, select 14 (2048 bit).
  16. In the Life Time text box, type 28800.

    Screenshot of pfSense, picture Pfsense-IPsec-Phase-1_001

    Screenshot of pfSense, picture Pfsense-IPsec-Phase-1_002

  17. Keep the default values for all other settings.

    Screenshot of pfSense, picture Pfsense-IPsec-Phase_1-003

  18. Click Save.

    Screenshot of pfSense, picture new6

  19. Click Show Phase 2 Entries.
  20. Click + Add P2.
  21. In the General Information section, from the Mode drop-down list, select Tunnel IPv4.
  22. For Local Network, from the Type drop-down list, select Network.
  23. In the Address text box, type the local network IP address.
  24. For Remote Network, from the Type drop-down list, select Network.
  25. In the Address text box, type the remote network IP address.
  26. In the Phase 2 Proposal (SA/Key Exchange) section, from the Protocol drop-down list, select ESP.
  27. For Encryption Algorithms, select AES. In the adjacent drop-down list, select 256 bits. Do not select the AES128-GCM check box.
  28. For Hash Algorithms, select the SHA256 check box.
  29. From the PFS Key Group drop-down list, select 14 (2048 bit).
  30. In the Life Time text box, type 3600.

    Screenshot of pfSense, picture IPsec Phase 2 one

  31. Click Save.

    Screenshot of pfSense, picture new8

  32. Click Apply Changes.

Configure Rule Settings

  1. Log in to the pfSense Web UI at: https://<IP address of the pfSense device>

  2. Select Firewall > Rules > IPsec.
  3. Click Add.
  4. From the Action drop-down list, select Pass.
  5. From the Protocol drop-down list, select Any.
  6. From the Source drop-down list, select Network.
  7. In the Source Address text box, type the remote network IP address.
  8. From the Destination drop-down list, select Network.
  9. In the Destination Address text box, type the local network IP address.
  10. Keep the default values for all other settings.

    Screenshot of pfSense, picture new11

  11. Click Save.
  12. (Optional) Repeat Steps 2-10 to create another rule.

    Screenshot of pfSense, picture new12

  13. Click Apply Changes.

Test the Integration

  1. Log in to WatchGuard Cloud.
  2. From the navigation menu, select Monitor > Devices.
    If you log in as a Service Provider, you must select a Subscriber account from the Account Manager.
  3. Select the cloud-managed Firebox.
  4. Select Monitor > Live Status > VPN.
    The VPN page opens.
  5. Select the Branch Office VPN tab.
  6. Click the BOVPN you configured.

    Screenshot of WGC, test VPN live status

  1. To make sure that Host 1 (behind the Firebox) and Host 2 (behind the pfSense firewall) can communicate with each other, use the Ping utility.
  1. Log in to Fireware Web UI at: https://<your Firebox IP address>:8080.
  2. Select System Status > VPN Statistics.

    The VPN Statistics page opens.
  3. Select the Branch Office VPN tab.

    The Branch Office VPN page opens.
  4. Verify that the VPN is established.

    Screenshot of BOVPN statistics

  1. Verify that Host 1 (behind the Firebox) and Host 2 (behind the pfSense firewall) can successfully ping each other.
  1. Log in to the pfSense Web UI.
  2. Select Status > IPSec > Overview.
  3. Verify that the IPSec tunnel is established and the child SA status is connected.

    Screenshot of pfsense, IPSec overview