pfSense and Firebox Route-Based BOVPN Integration Guide

This guide describes how to configure a route-based Branch Office VPN (BOVPN) with static routing between a WatchGuard Firebox and a pfSense firewall.

Contents

Integration Summary

The hardware and software used in this guide include:

  • WatchGuard Firebox with Fireware v12.11.2 (Build 713726)
  • pfSense firewall with v2.8.0-BETA (amd64)

Integration Topology

This diagram outlines the topology used in this integration:

Topology diagram

Configure the Firebox

You can configure your Firebox for a route-based BOVPN from WatchGuard Cloud for a cloud-managed Firebox or Fireware Web UI for a locally-managed Firebox.

  1. Log in to WatchGuard Cloud with your WatchGuard Cloud operator account credentials.
    If you log in with a Service Provider account, you must select a Subscriber account from the Account Manager.
  2. From the top navigation menu, select Configure > VPNs.
  3. Click Add BOVPN.
    The Add BOVPN page opens.
  4. In the Name text box, type a descriptive name.
  5. For VPN Connection Type, select Route-Based IPSec to Locally-Managed Firebox / Third-Party.
  6. From the Address Family drop-down list, select IPv4 Addresses.
  7. In the Endpoint A section, select your cloud-managed Firebox.
  8. In the Endpoint B section, in the Endpoint Name text box, type a name to identify the remote VPN endpoint. In our example, we type pfSense firewall.

    Screenshot of WGC, WGC define VPN endpoints

  9. Click Next.
  10. For your cloud-managed Firebox:
    1. Select External.
    2. In the IP or Domain Name or User on Domain text box, select an IP address, domain name, or user on domain that resolves to the Firebox external network IP address.
  11. For the remote VPN endpoint, in the IP or Domain Name or User on Domain text box, type the IP address of your pfSense firewall WAN connection.
  12. In the Pre-Shared Key text box, type a pre-shared key. This pre-shared key matches the pre-shared key when you configure the pfSense IPSec VPN Phase 1 settings.

    Screenshot of WGC, WGC VPN Gateway

  13. Click Next.
  14. In the cloud-managed Firebox section, select the internal networks that you want to be accessible through the VPN tunnel.
  15. In the pfSense endpoint section, click Add Network Resource.
  16. In the Network Resource text box, type the private network protected by the pfSense firewall. For our example, we type 192.168.13.0/24.
  17. Click Add.
  18. In the cloud-managed Firebox section, in the Virtual IP Address text box, type an IP address. In this example, we type 10.0.11.11/32.
  19. In the pfSense endpoint section, in the Virtual IP Address text box, type an IP address. In this example, we type 10.0.11.10/32.

    Screenshot of WGC, WGC traffic private network and virtual ip address.

  20. For all other settings, keep the default values.
  21. Click Next.
  22. In the Phase 1 Settings section, from the Authentication drop-down list, select SHA2-256.
  23. From the Encryption drop-down list, select AES-CBC (256-bit).
  24. In the SA Life text box, type 24.
  25. From the Diffie-Hellman Group drop-down list, select Diffie-Hellman Group14.
  26. In the Phase 2 Settings section, from the Authentication drop-down list, select SHA2-256.
  27. From the Encryption drop-down list, select AES-CBC (256-bit).
  28. Select the Use Perfect Forward Secrecy (PFS) check box.
  29. From the PFS Group drop-down list, select Diffie-Hellman Group14.

    Screenshot of WGC, WGC phase 1 and phase 2 settings

  30. Keep the default values for all other settings.
  31. Click Add.
  32. (Optional) To open the VPN Configuration Summary page for the Firebox, click View Guide to open the VPN Configuration Summary page for the Firebox.
  33. Click Finish.
    WatchGuard Cloud creates and deploys a configuration update for the cloud-managed Firebox.
  1. Log in to Fireware Web UI at: https://<your Firebox IP address>:8080.
  2. Select VPN > BOVPN Virtual Interfaces.
    The BOVPN Virtual Interfaces configuration page opens.
  3. Click Add.
    The Add page opens.
  4. In the Interface Name text box, type a name to identify this BOVPN virtual interface.
  5. From the Remote Endpoint Type drop-down list, select Cloud VPN or Third-Party Gateway.
  6. From the Gateway Address Family drop-down list, select IPv4 Addresses.
  7. In the Credential Method section, select Use Pre-Shared Key. In the adjacent text box, type a pre-shared key. This pre-shared key matches the pre-shared key when you configure the pfSense IPSec VPN Phase 1 settings.
  8. In the Gateway Endpoint section, click Add.
    The Gateway Endpoint Settings dialog box opens.

    Screenshot of Firebox, picture new1

  9. For Interface, select Physical, and from the adjacent drop-down list, select the interface that has the external (public) IP address of the Firebox.

  10. From the Interface IP Address drop-down list, select Primary Interface IPv4 Address.
    The Primary Interface IP Address is the primary IP address you configured on the selected external interface.
  11. For Specify the Gateway ID for Tunnel Authentication, select By IP Address, select By IP Address.
  12. In the adjacent text box, type the primary IP address of the external Firebox interface.

    Screenshot of Firebox, picture new 2

  13. Select the Remote Gateway tab.
    The Remote Gateway page opens.
  14. For Specify the Remote Gateway IP Address for a Tunnel, select Static IP Address.
  15. In the adjacent text box, type the IP address of the pfSense WAN connection.
  16. For Specify the Remote Gateway ID for Tunnel Authentication, select By IP Address.
  17. In the adjacent text box, type the IP address of the pfSense WAN connection.

    Screenshot of Firebox, picture new3

  18. Click OK.
    The gateway endpoint you added appears in the Gateway Endpoint section.
  19. In the Gateway Endpoint section, select the Start Phase 1 Tunnel When It Is Inactive check box.
  20. Select the Add This Tunnel to the BOVPN-Allow Policies check box.

    Screenshot of Firebox, picture new4

  21. Select the VPN Routes tab.
    The VPN Routes page opens.

  22. Screenshot of Firebox, picture new5

    Click Add.
    The VPN Route Settings dialog box opens.
  23. From the Choose Type drop-down list, select Network IPv4.
  24. In the Route To text box, type the network IP address of a route that will use this virtual interface.

    Screenshot of firebox, picture6

  25. Click OK.
    The VPN route settings are added.
  26. Select the Assign Virtual Interface IP Addresses check box.
  27. In the Local IP Address and Peer IP Address or Netmask text boxes, type the virtual interface IP addresses.

    Screenshot of Firebox, picture VPN Routes

  28. Select the Phase 1 Settings tab.
    The Phase 1 Settings page opens.
  29. From the Version drop-down list, select IKEv2.
  30. Keep the default values for all other Phase 1 Settings.

    Screenshot of Firebox, picture new8

  31. Keep the default values for all Phase 2 settings.

    Screenshot of Firebox, picture new9

  32. Click Save.

For more information about BOVPN virtual interface configuration on the Firebox, go to BOVPN Virtual Interfaces in Help Center.

Configure pfSense

This section describes how to configure the pfSense settings.

Configure Basic Settings

  1. Log in to the pfSense Web UI at: https://<IP address of the pfSense device>
    The default IP address of the interface is: https://192.168.1.1.
  2. Configure the pfSense interfaces. For information about how to configure interfaces, go to the pfSense documentation.

    Screenshot of pfSense, picture new1

    Screenshot of pfSense, picture new14

Configure pfSense IPSec VPN Phase 1 and 2 Settings

  1. Log in to the pfSense Web UI at: https://<IP address of the pfSense device>
  2. Select VPN > IPsec > Tunnels.
  3. Click + Add P1.
  4. In the IKE Endpoint Configuration section, from the Key Exchange Version drop-down list, select IKEv2.
  5. From the Internet Protocol drop-down list, select IPv4.
  6. From the Interface drop-down list, select WAN.
  7. In the Remote Gateway text box, type the IP address of the Firebox.
  8. In the Phase 1 Proposal (Authentication) section, from the Authentication Method drop-down list, select Mutual PSK.
  9. From the My Identifier drop-down list, select My IP Address.
  10. From the Peer Identifier drop-down list, select Peer IP Address.
  11. In the Pre-Shared Key text box, type the pre-shared key.
  12. In the Phase 1 Proposal (Encryption Algorithm) section, from the Algorithm drop-down list, select AES.
  13. From the Key Length drop-down list, select 256 bits.
  14. From the Hash drop-down list, select SHA256.
  15. From the DH Group drop-down list, select 14 (2048 bit).
  16. In the Life Time text box, type 28800.

    Screenshot of pfSense, picture pfsense-IPsec-Phase-1_One

    Screenshot of pfSense, picture pfsense-IPsec-Phase-1_Two

  17. Keep the default values for all other settings.

    Screenshot of pfSense, picture pfsense-IPsec-Phase_1-Three

  18. Click Save.

    Screenshot of pfSense, picture new6

  1. Click Show Phase 2 Entries.
  2. Click + Add P2.
  3. In the General Information section, from the Mode drop-down list, select Routed (VTI).
  4. For Local Network, from the Type drop-down list, select Address.
  5. In the Address text box, type the local VTI address. In this example, we type 10.0.11.10.
  6. From the Remote Network drop-down list, select Address.
  7. In the Address text box, type the remote VTI address. In this example, we type 10.0.11.11.
  8. In the Phase 2 Proposal (SA/Key Exchange) section, from the Protocol drop-down list, select ESP.
  9. For Encryption Algorithms, select the AES check box. In the adjacent drop-down list, select 256 bits. Do not select the AES128-GCM check box.
  10. For Hash Algorithms, select the SHA256 check box.
  11. From the PFS Key Group drop-down list, select 14 (2048 bit).
  12. In the Life Time text box, type 3600.

    Screenshot of pfSense, picture IPsec Phase 2 One

  13. Click Save.

    Screenshot of pfSense, picture new8

  14. Click Apply Changes.

Add the VTI Interface

  1. Log in to the pfSense Web UI at: https://<IP address of the pfSense device>

  2. Select VPN > IPsec.
  3. Select Interfaces > Assignments.
  4. From the Available Network Ports drop-down list, select ipsec1 (IPsec VTI:).

Screenshot of pfSense, picture of Interface-VTI-Add

  1. Click + Add.
  2. Select the interface you created. In this example, we select OPT1.

Screenshot of pfSense, picture of IPsecVPN interface assignments

  1. Select the Enable Interface check box.
  2. In the Description text box, type the interface name. In this example, we type IPsecVTI.

    Screenshot of pfSense, picture of IPsecVPN interface

  3. Click Save.
  4. Click Apply Changes.

Add the pfSense Static Route

  1. Select System > Routing > Gateways.
    A gateway for the VTI interface is created automatically.

    Screenshot of pfSense, routing gateway

  2. Click Static Routes.
  1. Click + Add.
  2. In the Destination Network text box, type the network you want to route to.
  3. From the Gateway drop-down list, select the gateway for the VTI interface. In this example, we select IPSECVTI_VTIV4 - 10.0.11.11.

Screenshot of pfSense, static routes

  1. Click Save.
  2. Click Apply Changes.

Configure Rule Settings

  1. Log in to the pfSense Web UI at: https://<IP address of the pfSense device>

  2. Select Firewall > Rules > IPsec.
  3. Click Add.
  4. From the Action drop-down list, select Pass.
  5. From the Protocol drop-down list, select Any.
  6. From the Source drop-down list, select Network.
  7. In the Source Address text box, type the remote network IP address.
  8. From the Destination drop-down list, select Network.
  9. In the Destination Address text box, type the local network IP address.
  10. Keep the default values for all other settings.

    Screenshot of pfSense, picture new17

  11. Click Save.
  12. Click Apply Changes.

Test the Integration

  1. Log in to WatchGuard Cloud.
  2. From the navigation menu, select Monitor > Devices.
    If you log in with a Service Provider, you must select a Subscriber account from the Account Manager.
  3. Select the cloud-managed Firebox.
  4. Select Monitor > Live Status > VPN.
    The VPN page opens.
  5. Select the Branch Office VPN tab.
  6. Click the BOVPN you configured.

    Screenshot of Firebox, test VPN live status

  1. To make sure that Host 1 (behind the Firebox) and Host 2 (behind the pfSense firewall) can communicate with each other, use the Ping utility.
  1. Log in to Fireware Web UI at: https://<your Firebox IP address>:8080.
  2. Select System Status > VPN Statistics.
    The VPN Statistics page opens.
  3. Select the Branch Office VPN tab.
    The Branch Office VPN page opens.
  4. Verify that the VPN is established.

    Screenshot of Firebox, pictureof BOVPN-VTI-Statistic

  1. Verify that Host 1 (behind the Firebox) and Host 2 (behind the pfSense firewall) can ping each other.
  1. Log in to the pfSense Web UI.
  2. Select Status > IPSec > Overview.
  3. Verify that the IPSec tunnel is established and the child SA status is connected.

    Screenshot of pfsense, IPSec overview