pfSense and Firebox BOVPN Virtual Interface Integration Guide

Deployment Overview

WatchGuard provides integration instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about how to configure a third-party product, go to the documentation and support resources for that product.

This guide describes how to configure a BOVPN virtual interface between a WatchGuard Firebox and a pfSense device.

Integration Summary

The hardware and software used in this guide include:

  • WatchGuard Firebox with Fireware v12.10 (Build 682931)
  • pfSense device with v2.7.0-RELEASE (amd64)

Integration Topology

This diagram outlines the topology used in this integration:

Topology diagram

Configure the Firebox

To configure a BOVPN virtual interface on your Firebox:

  1. Log in to Fireware Web UI.
  2. Select VPN > BOVPN Virtual Interfaces.
    The BOVPN Virtual Interfaces configuration page opens.
  3. Click Add.
  4. In the Interface Name text box, type a name to identify this BOVPN virtual interface.
  5. From the Remote Endpoint Type drop-down list, select Cloud VPN or Third-Party Gateway.
  6. From the Gateway Address Family drop-down list, select IPv4 Addresses.
  7. In the Credential Method section, select Use Pre-Shared Key. Type the pre-shared key.
  8. In the Gateway Endpoint section, click Add.
    The Gateway Endpoint Settings dialog box opens.

Screenshot of Firebox, picture new1

  1. From the Physical drop-down list, select External.
  2. From the Interface IP Address drop-down list, select Primary Interface IPv4 Address.
    The Primary Interface IP Address is the primary IP address you configured on the selected external interface.
  3. Select By IP Address.
  4. In the By IP Address text box, type the primary IP address of the external Firebox interface.

Screenshot of Firebox, picture new 2

  1. Select the Remote Gateway tab.
  2. Select Static IP Address. Type the IP address of your pfSense WAN connection.
  3. Select By IP Address. Type the IP address of your pfSense WAN connection.

Screenshot of Firebox, picture new3

  1. Click OK.
  2. In the Gateway Endpoint section, select the Start Phase 1 tunnel when it is inactive check box.
  3. Select the Add this tunnel to the BOVPN-Allow policies check box.

Screenshot of Firebox, picture new4

  1. Select the VPN Routes tab.
  2. Click Add.

Screenshot of Firebox, picture new5

  1. From the Choose Type drop-down list, select Network IPv4.
  2. In the Route To text box, type the network IP address of a route that uses this virtual interface.

Screenshot of Firebox, picture 6

  1. Click OK.
  2. Select the Assign virtual interface IP addresses check box.
  3. In the Local IP address and Peer IP address or netmask text boxes, type the virtual interface IP addresses.

Screenshot of Firebox, picture VPN Routes

  1. Select the Phase 1 Settings tab.
  2. From the Version drop-down list, select IKEv2.
  3. Keep all other values as default Phase 1 Settings.

Screenshot of Firebox, picture new8

  1. Keep all Phase 2 Settings as the default values.

Screenshot of Firebox, picture new9

  1. Click Save.

For more information about BOVPN virtual interface configuration on the Firebox, go to BOVPN Virtual Interfaces.

Configure pfSense

Configure Basic Settings

  1. Log in to the pfSense Web UI at: https://<IP address of the pfSense device>
    The default IP address of the interface is: https://192.168.1.1
  2. Configure the pfSense interfaces.
    For information about how to configure interfaces, go to the pfSense documentation.

Screenshot of pfSense, picture new1

Screenshot of pfSense, picture new14

Configure pfSense IPSec VPN Phase 1 Settings

  1. Select VPN > IPsec.
  2. Click + Add P1.
  3. In the IKE Endpoint Configuration section, from the Key Exchange version drop-down list, select IKEv2.
  4. From the Internet Protocol drop-down list, select IPv4.
  5. From the Interface drop-down list, select WAN.
  6. In the Remote Gateway text box, type the IP address of the remote gateway.
  7. In the Phase 1 Proposal (Authentication) section, from the Authentication Method drop-down list, select Mutual PSK.
  8. From the My identifier drop-down list, select My IP address.
  9. From the Peer identifier drop-down list, select Peer IP address.
  10. In the Pre-Shared Key text box, type the pre-shared key.
  11. In the Phase 1 Proposal (Encryption Algorithm) section, from the Algorithm drop-down list, select AES.
  12. From the Key length drop-down list, select 256 bits.
  13. From the Hash drop-down list, select SHA256.
  14. From the DH Group drop-down list, select 14 (2048 bit).
  15. In the Life Time text box, type 28800.

Screenshot of pfSense, picture pfsense-IPsec-Phase-1_One

Screenshot of pfSense, picture pfsense-IPsec-Phase-1_Two

  1. Keep the default values for all other settings.

Screenshot of pfSense, picture pfsense-IPsec-Phase_1-Three

  1. Click Save.

Screenshot of pfSense, picture new6

Configure pfSense IPSec VPN Phase 2 Settings

  1. Click Show Phase 2 Entries (0).
  2. Click + Add P2.
  3. In the General Information section, from the Mode drop-down list, select Routed (VTI).
  4. For Local Network, from the Type drop-down list, select Address.
  5. In the Address text box, type the local VTI address.
  6. From the Remote Network drop-down list, select Address.
  7. In the Address text box, type the remote VTI address.
  8. In the Phase 2 Proposal (SA/Key Exchange) section, from the Protocol drop-down list, select ESP.
  9. For Encryption Algorithms, select the AES check box and from the adjacent drop-down list, select 256 bits.
  10. For Hash Algorithms, select the SHA256 check box.
  11. From the PFS key group drop-down list, select 14 (2048 bit).
  12. In the Life Time text box, type 3600.

Screenshot of pfSense, picture IPsec Phase 2 One

  1. Click Save.

Screenshot of pfSense, picture new8

  1. Click Apply Changes.
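Because the Firebox side keeps its default Phase 1 and Phase 2 settings while the pfSense side sets each proposal explicitly, a mismatch is easy to introduce. The following added example (not from the WatchGuard guide) cross-checks both sides' proposals and the VTI addressing before the tunnel is brought up. The pfSense values are the ones selected in the Phase 1 and Phase 2 steps above; the Firebox values and the pfSense VTI address 10.0.11.10 are assumptions standing in for the defaults the guide keeps, so replace them with what the Fireware UI shows.

```python
import ipaddress

# pfSense values exactly as selected in the Phase 1 / Phase 2 steps of the guide.
PFSENSE = {
    "ike_version": "IKEv2",
    "phase1": {"cipher": "AES", "key_bits": 256, "hash": "SHA256", "dh_group": 14, "lifetime": 28800},
    "phase2": {"protocol": "ESP", "cipher": "AES", "key_bits": 256, "hash": "SHA256", "pfs_group": 14, "lifetime": 3600},
    "vti_local": "10.0.11.10/30",  # constructed local VTI address
    "vti_peer": "10.0.11.11",      # remote VTI address; the gateway address the guide shows
}

# Firebox values: IKEv2 is what the guide selects; the rest is an ASSUMED transcription of
# the "default" settings the guide keeps. Copy the real values from the Phase 1/Phase 2 tabs.
FIREBOX = {
    "ike_version": "IKEv2",
    "phase1": {"cipher": "AES", "key_bits": 256, "hash": "SHA256", "dh_group": 14, "lifetime": 28800},
    "phase2": {"protocol": "ESP", "cipher": "AES", "key_bits": 256, "hash": "SHA256", "pfs_group": 14, "lifetime": 3600},
    "vti_local": "10.0.11.11/30",  # Firebox "Local IP address" (the guide's gateway 10.0.11.11)
    "vti_peer": "10.0.11.10",      # Firebox "Peer IP address"; constructed to mirror pfSense
}

def compare_phase(label, fb, pf, keys):
    """One message per attribute that must be identical on both peers but is not."""
    return [f"{label}: {k} differs (Firebox={fb.get(k)}, pfSense={pf.get(k)})"
            for k in keys if fb.get(k) != pf.get(k)]

def check_vti(fb, pf):
    """VTI addresses must be mirror images: each side's peer is the other side's local IP."""
    issues = []
    fb_if, pf_if = ipaddress.ip_interface(fb["vti_local"]), ipaddress.ip_interface(pf["vti_local"])
    if fb_if.network != pf_if.network:
        issues.append(f"VTI: subnets differ ({fb_if.network} vs {pf_if.network})")
    if str(fb_if.ip) != pf["vti_peer"]:
        issues.append(f"VTI: pfSense remote address {pf['vti_peer']} is not the Firebox local {fb_if.ip}")
    if str(pf_if.ip) != fb["vti_peer"]:
        issues.append(f"VTI: Firebox peer address {fb['vti_peer']} is not the pfSense local {pf_if.ip}")
    return issues

def validate(fb, pf):
    """Return (blocking issues, warnings). Blocking issues keep the tunnel from establishing."""
    issues, warnings = [], []
    if fb["ike_version"] != pf["ike_version"]:
        issues.append(f"IKE version differs ({fb['ike_version']} vs {pf['ike_version']})")
    issues += compare_phase("Phase 1", fb["phase1"], pf["phase1"], ("cipher", "key_bits", "hash", "dh_group"))
    issues += compare_phase("Phase 2", fb["phase2"], pf["phase2"], ("protocol", "cipher", "key_bits", "hash", "pfs_group"))
    issues += check_vti(fb, pf)
    # IKEv2 does not negotiate lifetimes, so a mismatch only decides which peer rekeys first.
    for phase in ("phase1", "phase2"):
        if fb[phase]["lifetime"] != pf[phase]["lifetime"]:
            warnings.append(f"{phase}: lifetimes differ; the peer with the shorter value rekeys first")
    return issues, warnings
```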

Add the VTI Interface

  1. Select Interfaces > Assignments.
  2. From the Available network ports drop-down list, select ipsec1 (IPsec VTI:).

Screenshot of pfSense, picture of Interface-VTI-Add

  1. Click + Add.
  2. Select the interface you created.
  3. Select the Enable interface check box.
  4. In the Description text box, type the interface name (for example, IPsecVTI).

Screenshot of pfSense, picture of IPsecVPN interface

  1. Click Save.
  2. Click Apply Changes.

Add the pfSense Static Route

  1. Select System > Routing > Gateways.
  2. Verify that a gateway for the IPsecVTI interface was created automatically.

Screenshot of pfSense, picture new11

  1. Click Static Routes.
  2. Click + Add.
  3. In the Destination network text box, type the network you want to route to.
  4. From the Gateway drop-down list, select IPSECVTI_VTIV4 - 10.0.11.11.

Screenshot of pfSense, picture new12

  1. Click Save.
  2. Click Apply Changes.

Configure Rule Settings

  1. Select Firewall > Rules > IPsec.
  2. Click Add.
  3. From the Action drop-down list, select Pass.
  4. From the Protocol drop-down list, select Any.
  5. From the Source drop-down list, select Network.
  6. In the Source Address text box, type the remote network IP address.
  7. From the Destination drop-down list, select Network.
  8. In the Destination Address text box, type the local network IP address.
  9. Keep the default values for all other settings.

Screenshot of pfSense, picture new17

  1. Click Save.
  2. Click Apply Changes.

Test the Integration

To test the integration, from Fireware Web UI:

  1. Select System Status > VPN Statistics.
  2. Select the Branch Office VPN tab.
  3. Verify that the VPN is established.

Screenshot of Firebox, picture of BOVPN-VTI-Statistic

  1. Verify that Host 1 (behind the Firebox) and Host 2 (behind the pfSense) can ping each other.