pfSense and Firebox Branch Office VPN Integration Guide

Deployment Overview

WatchGuard provides integration instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about how to configure a third-party product, see the documentation and support resources for that product.

This integration guide describes how to configure a Branch Office VPN (BOVPN) tunnel between a WatchGuard Firebox and a pfSense device.

Integration Summary

The hardware and software used in this guide include:

  • WatchGuard Firebox T55-W with Fireware v12.6.4
  • pfSense device with v2.4.5-RELEASE-p1 (amd64)

Integration Topology

This diagram outlines the topology used in this integration.

Topology diagram

Configure the Firebox

On the Firebox, configure a Branch Office VPN (BOVPN) connection:

  1. Log in to Fireware Web UI.
  2. Select VPN > Branch Office VPN.
    The Branch Office VPN configuration page opens.
  3. In the Gateways section, click Add.
  4. In the Gateway Name text box, type a name to identify this BOVPN gateway.
  5. From the Address Family drop-down list, select IPv4 Addresses.
  6. In the Credential Method section, select Use Pre-Shared Key. Type the pre-shared key.

Screen shot of the general BOVPN settings

  7. In the Gateway Endpoint section, click Add.
    The Gateway Endpoint Settings dialog box opens.
  8. From the External Interface drop-down list, select External.
  9. From the Interface IP Address drop-down list, select Primary Interface IPv4 Address.
    The Primary Interface IP Address is the primary IP address you configured on the selected external interface.
  10. Select By IP Address. Type the primary IP address of the external Firebox interface.

Screen shot of the gateway endpoint settings

  11. Select the Remote Gateway tab.
  12. Select Static IP Address. Type the IP address of your pfSense WAN connection.
  13. Select By IP Address. Type the IP address of your pfSense WAN connection.
  14. Keep the default values for all other settings.

Screen shot of the complete gateway endpoint configuration

  15. Click OK.
  16. In the Gateway Endpoint section, select the Start Phase 1 tunnel when Firebox starts check box.

Screen shot of the completed general settings configuration

  17. Select the Phase 1 Settings tab.
  18. From the Version drop-down list, select IKEv2.
  19. Keep the default values for all of the Phase 1 Settings.

Screen shot of the Phase 1 settings

  20. Click Save.
  21. In the Tunnels section, click Add.

Screen shot of the Gateways and Tunnels lists

  22. From the Gateway drop-down list, select the gateway that you configured.
  23. In the Addresses section, click Add.

Screen shot of the Addresses settings

  24. In the Local IP section, from the Choose Type drop-down list, select Network IPv4.
  25. In the Network IP text box, type the local IP segment. This is the local network protected by the Firebox.
  26. In the Remote IP section, from the Choose Type drop-down list, select Network IPv4.
  27. In the Network IP text box, type the remote IP segment. This is the network protected by pfSense, which is remote from the Firebox.

Screen shot of the tunnel route settings

  28. Click OK.
  29. Keep the default values for all of the Phase 2 Settings.

Screen shot of the Phase 2 settings

  30. Click Save.

Configure pfSense

Configure Basic Settings

  1. Log in to the pfSense Web UI at https://<IP address of the pfSense>.
  2. Configure the pfSense interfaces.
    For information about how to configure interfaces, see the pfSense documentation.

Screenshot of pfSense, picture new1

Screenshot of pfSense, picture new10

Configure the pfSense IPsec VPN Phase 1 Settings

  1. Select VPN > IPsec > Tunnels.
  2. Click + Add P1.
  3. In the General Information section, from the Key Exchange version drop-down list, select IKEv2.
  4. From the Internet Protocol drop-down list, select IPv4.
  5. From the Interface drop-down list, select WAN.
  6. In the Remote Gateway text box, type the IP address of the remote gateway (the external IP address of the Firebox).
  7. In the Phase 1 Proposal (Authentication) section, from the Authentication Method drop-down list, select Mutual PSK.
  8. From the My identifier drop-down list, select My IP address.
  9. From the Peer identifier drop-down list, select Peer IP address.
  10. In the Pre-Shared Key text box, type the same pre-shared key you configured on the Firebox.
  11. In the Phase 1 Proposal (Encryption Algorithm) section, from the Algorithm drop-down list, select AES.
  12. From the Key length drop-down list, select 256 bits.
  13. From the Hash drop-down list, select SHA256.
  14. From the DH Group drop-down list, select 14 (2048 bit).
  15. In the Lifetime (Seconds) text box, type 28800.

Screenshot of pfSense, picture new4

  16. Keep the default values for all other settings.

Screenshot of pfSense, picture new5

  17. Click Save.

Screenshot of pfSense, picture new6

Configure the pfSense IPsec VPN Phase 2 Settings

  1. Click Show Phase 2 Entries (0).
  2. Click + Add P2.
  3. In the General Information section, from the Mode drop-down list, select Tunnel IPv4.
  4. For Local Network, from the Type drop-down list, select Network.
  5. In the Address text box, type the local network IP address (the network protected by pfSense).
  6. For Remote Network, from the Type drop-down list, select Network.
  7. In the Address text box, type the remote network IP address (the network protected by the Firebox).
  8. In the Phase 2 Proposal (SA/Key Exchange) section, from the Protocol drop-down list, select ESP.
  9. For Encryption Algorithms, select AES. In the adjacent drop-down list, select 256 bits.
  10. For Hash Algorithms, select the SHA256 check box.
  11. From the PFS key group drop-down list, select 14 (2048 bit).
  12. In the Lifetime text box, type 3600.

Screenshot of pfSense, picture new7

  13. Click Save.

Screenshot of pfSense, picture new8

  14. Click Apply Changes.

Configure Rule Settings

  1. Select Firewall > Rules > IPsec.
  2. Click Add.
  3. From the Action drop-down list, select Pass.
  4. From the Protocol drop-down list, select Any.
  5. From the Source drop-down list, select Network.
  6. In the Source Address text box, type the remote network IP address.
  7. From the Destination drop-down list, select Network.
  8. In the Destination Address text box, type the local network IP address.
  9. Keep the default values for all other settings.

Screenshot of pfSense, picture new11

  10. Click Save.
  11. (Optional) Repeat steps 2-10 to create another rule.

Screenshot of pfSense, picture new12

  12. Click Apply Changes.
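The Firebox and pfSense settings above only negotiate if the two sides mirror each other: Phase 1 and Phase 2 proposals must match, the local and remote networks must be swapped between peers, and the IPsec-tab pass rule must allow the remote network to reach the local one. The following added example (constructed for this guide, not WatchGuard or pfSense code) encodes those checks; the network addresses are sample values, and the Firebox proposal values are assumed to equal the pfSense ones because the guide keeps the Firebox defaults.

```python
"""Consistency check for the BOVPN settings in this guide (constructed example)."""
import ipaddress

# Parameters both IKEv2 peers must agree on. Lifetimes are left out on purpose:
# in IKEv2 each peer rekeys on its own timer, so they do not have to match.
IKE_KEYS = ("version", "encryption", "key_length", "hash", "dh_group", "auth")
CHILD_KEYS = ("protocol", "encryption", "key_length", "hash", "pfs_group")

def peer(local_net, remote_net, ike_lifetime, child_lifetime):
    """Build a peer record using the proposal values this guide sets on pfSense."""
    return {
        "ike": {"version": "IKEv2", "auth": "PSK", "encryption": "AES",
                "key_length": 256, "hash": "SHA256", "dh_group": 14,
                "lifetime": ike_lifetime},
        "child": {"protocol": "ESP", "encryption": "AES", "key_length": 256,
                  "hash": "SHA256", "pfs_group": 14, "lifetime": child_lifetime},
        "local_net": ipaddress.ip_network(local_net, strict=False),
        "remote_net": ipaddress.ip_network(remote_net, strict=False),
    }

# Sample RFC 1918 networks (constructed). The Firebox side is ASSUMED to use the
# same proposals; read the real values from Fireware Web UI before relying on this.
PFSENSE = peer("10.0.2.0/24", "10.0.1.0/24", 28800, 3600)
FIREBOX = peer("10.0.1.0/24", "10.0.2.0/24", 28800, 3600)

def check_tunnel(a, b):
    """Return mismatches that would stop Phase 1 or Phase 2 from negotiating."""
    problems = []
    for key in IKE_KEYS:
        if a["ike"][key] != b["ike"][key]:
            problems.append(f"phase1 {key}: {a['ike'][key]} vs {b['ike'][key]}")
    for key in CHILD_KEYS:
        if a["child"][key] != b["child"][key]:
            problems.append(f"phase2 {key}: {a['child'][key]} vs {b['child'][key]}")
    # Traffic selectors must be mirror images: my local network is the peer's remote.
    if a["local_net"] != b["remote_net"] or a["remote_net"] != b["local_net"]:
        problems.append("phase2 networks are not mirrored between peers")
    return problems

def check_ipsec_rule(rule, p):
    """Check a pfSense IPsec-tab pass rule: source is the remote network and
    destination is the local network, as in the Configure Rule Settings steps."""
    problems = []
    if rule["action"] != "pass":
        problems.append("rule action is not pass")
    if ipaddress.ip_network(rule["source"], strict=False) != p["remote_net"]:
        problems.append("rule source should be the remote network")
    if ipaddress.ip_network(rule["destination"], strict=False) != p["local_net"]:
        problems.append("rule destination should be the local network")
    return problems
```

Run `check_tunnel(PFSENSE, FIREBOX)` after filling in the real Firebox values; an empty list means the proposals and networks line up, and each returned string names the field to fix.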

Test the Integration

To test the integration, from Fireware Web UI:

  1. Select System Status > VPN Statistics.
  2. Select the Branch Office VPN tab.
  3. Verify that the VPN is established.

Screen shot of the VPN statistics

  4. Verify that Host 1 (behind the Firebox) and Host 2 (behind the pfSense) can successfully ping each other.