Juniper SRX320 and Firebox Cloud VPN Integration Guide

This document describes how to configure a BOVPN tunnel between WatchGuard Firebox Cloud and a Juniper® SRX320.

Platform and Software

The hardware and software used to complete the steps outlined in this document include:

  • WatchGuard Firebox Cloud v11.12.1 B522519 installed in Amazon Web Services (AWS)
  • Juniper SRX320 v15.1X49-D45

Test Topology

This diagram outlines the topology used in this integration:

Configure Firebox Cloud

Follow these steps to configure the BOVPN virtual interface on your Firebox.

  1. Log in to Firebox Cloud Web UI at https://<AWS public IP address>:8080.
  2. From the navigation menu, select VPN > BOVPN Virtual Interfaces.

  3. Click .

  4. Click Add.
  5. From the Remote Endpoint Type drop-down list, select Cloud VPN or Third-Party Gateway.
  6. In the Credential Method section, select Use Pre-Shared Key.
  7. In the adjacent text box, type the pre-shared key.

  8. In the Gateway Endpoint section, click Add.

  9. From the Physical drop-down list, select External.
  10. Select By IP Address.
  11. In the adjacent text box, type the AWS public IP address for your Firebox Cloud.

  12. Select the Remote Gateway tab.
  13. Select Static IP Address.
  14. In the adjacent text box, type the public IP address of the ge-0/0/0.0 interface on the Juniper SRX320.
  15. Select By IP Address.
  16. In the adjacent text box, type the public IP address of the ge-0/0/0.0 interface on the Juniper SRX320.

  17. Click OK.
  18. In the Gateway Endpoint section, select the Start Phase1 tunnel when it is inactive check box.
  19. Select the Add this tunnel to the BOVPN-Allow policies check box.

  20. Select the VPN Routes tab.
  21. Click Add.
  22. From the Choose Type drop-down list, select Host IPv4 or Host IPv6. In our example, we specify an IPv4 address.
  23. In the Route To text box, type the IP address of a route that uses this virtual interface. In our example, we add a route to a server at 192.168.13.2.

  24. Click OK.
  25. Select the Assign virtual interface IP addresses check box.
  26. Type the Local and Peer virtual interface IP addresses in the text boxes.

  27. Select the Phase 1 Settings tab.
  28. From the Version drop-down list, select IKEv1.
  29. From the Mode drop-down list, select Main.
  30. In the Transform Settings section, click Add.
  31. From the Authentication drop-down list, select SHA2-256.
  32. From the Encryption drop-down list, select AES(256-bit).
  33. From the Key Group drop-down list, select Diffie-Hellman Group 2.
  34. Leave the default value for all other Phase 1 settings.

For stronger security, we recommend that you add a new Phase 2 proposal:

  1. Select VPN > Phase 2 Proposals.
  2. To add a new Phase 2 proposal, click Add.
  3. In the Name text box, type ESP-AES256-SHA2-256.
  4. From the Type drop-down list, select ESP (Encapsulating Security Payload).
  5. From the Authentication drop-down list, select SHA2-256.
  6. From the Encryption drop-down list, select AES(256-bit).
  7. Leave the default value for all other settings.

  8. Click Save.

Apply the new Phase 2 proposal to your BOVPN virtual interface:

  1. Select VPN > BOVPN Virtual Interfaces.
  2. Select the interface you added. Click Edit.
  3. Select the Phase 2 Settings tab.
  4. From the IPSec Proposals drop-down list, select ESP-AES256-SHA2-256.
  5. Click Add.
  6. Remove any other proposals that appear in the list. Leave the default value for all other Phase 2 settings.

  7. Click Save.

Configure the Juniper SRX320

Follow these steps to configure the settings for your Juniper device.

Basic Settings

  1. Log in to the Juniper Web UI at https://<IP address of the Juniper device>. The default IP address is https://192.168.1.1.
  2. Configure the Juniper interfaces.
  3. Configure the zones.
  4. Bind the zones and interfaces. In our example, zones and interfaces are bound as shown.

  5. In our example, the IP addresses for zones are shown below.

  6. Configure static routes. For information about how to configure static routes, see Juniper documentation.

IPSec VPN Phase 1 settings

  1. Select IPSec VPN > VPN Tunnel > Phase I.

  2. Select the Proposal tab.
  3. Click Add.
  4. In the Name text box, type a name for the proposal.
  5. From the Authentication algorithm drop-down list, select sha-256.
  6. From the Authentication Method drop-down list, select pre-shared-keys.
  7. From the DH Group drop-down list, select group2.
  8. From the Encryption algorithm drop-down list, select aes-256-cbc.
  9. In the Lifetime seconds text box, type the Phase 1 lifetime in seconds.

  10. Click OK.

  11. Select the IKE Policy tab.
  12. Click Add.
  13. In the Name text box, type a name for the policy.
  14. From the Mode drop-down list, select main.
  15. Select the User Defined check box.
  16. Select the proposal you created.

  17. Select the IKE Policy Options tab.
  18. Select Pre Shared Key.
  19. Select Ascii text. In the adjacent text box, type the pre-shared key.

  20. Click OK.

  21. Select the Gateway tab.
  22. Click Add.
  23. In the Name text box, type the Gateway name.
  24. From the Policy drop-down list, select the policy you created.
  25. From the External Interface drop-down list, select ge-0/0/0.0.
  26. From the Ike Version drop-down list, select v1-only.
  27. Select Site to Site Tunnel.
  28. In the Address/FQDN text box, type the AWS Public IP.
  29. From the Identity Type drop-down list, select IP Address.
  30. In the IP Address text box, type the public IP address.

  31. Click OK.

IPSec VPN Phase 2 Settings

  1. Select IPSec VPN > VPN Tunnel > Phase II.
  2. Select the Proposal tab.
  3. Click Add.
  4. In the Name text box, type the proposal name.
  5. From the Authentication algorithm drop-down list, select hmac-sha-256-128.
  6. From the Encryption algorithm drop-down list, select aes-256-cbc.
  7. From the Protocol drop-down list, select esp.

  8. Click OK.

  9. Navigate to the IPSec Policy page.
  10. Click Add.
  11. In the Name text box, type the policy name.
  12. Select User Defined.
  13. Select the proposal you created.

  14. Click OK.

  15. Select the Auto Key VPN tab.
  16. Click Add.
  17. In the VPN Name text box, type the VPN name.
  18. From the Remote Gateway drop-down list, select GW_JUN_WG.
  19. From the IPSec Policy drop-down list, select ipsec-phase2-policy.
  20. From the Bind to tunnel interface drop-down list, select st0.1.
  21. From the Establish tunnels drop-down list, select immediately.

  22. Click OK.

Security Policy Settings

  1. Select Security > Security Policy.

  2. In the Policy Name text box, type Juniper_WGCloud.
  3. From the Policy action drop-down list, select permit.
  4. Select Zone.
  5. From the From Zone drop-down list, select Internal.
  6. From the To Zone drop-down list, select VPN_Cloud.
  7. From the Source address list, select JUN.
  8. From the Destination address list, select VPN_Cloud.
  9. From the Application list, select Any.

  10. Select the Permit Action tab.
  11. From the VPN drop-down list, select VPN_JUN_Cloud.
  12. In the Pair Policy Name text box, type WGCloud_Juniper.

  13. Click OK.
  14. Create another policy like the one shown.

After you complete these steps, the Security Policy list appears as follows.
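
The J-Web steps in the Juniper sections above map onto the following Junos set-format configuration. This is an added example, not configuration taken from the WatchGuard guide or from Juniper. It reuses the names the guide gives (GW_JUN_WG, ipsec-phase2-policy, st0.1, VPN_JUN_Cloud, the Internal and VPN_Cloud zones, the JUN and VPN_Cloud address objects, and the Juniper_WGCloud and WGCloud_Juniper policies); the proposal and policy names IKE_PROP_WG, IKE_POL_WG and IPSEC_PROP_WG, the Untrust zone, the public addresses 203.0.113.10 (SRX) and 198.51.100.20 (Firebox Cloud), the 10.255.0.0/30 tunnel subnet, the 10.0.1.0/24 VPC subnet and the 28800-second Phase 1 lifetime are assumptions. Because the VPN is bound to st0.1 (route-based), the static route steers traffic into the tunnel and the two security policies use a plain permit.

```junos
## Added example (not from the WatchGuard guide): Junos set commands equivalent
## to the J-Web steps. Addresses, proposal names and the Untrust zone are assumed.

## Interfaces: ge-0/0/0.0 faces the Internet, ge-0/0/1.0 the 192.168.13.0/24 LAN,
## st0.1 is the tunnel interface (peer side of the Firebox virtual interface IPs)
set interfaces ge-0/0/0 unit 0 family inet address 203.0.113.10/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.13.1/24
set interfaces st0 unit 1 family inet address 10.255.0.2/30

## Zones, zone/interface binding and the address objects used by the policies.
## IKE must be allowed inbound on the external interface or Phase 1 never starts.
set security zones security-zone Untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone Internal interfaces ge-0/0/1.0
set security zones security-zone VPN_Cloud interfaces st0.1
set security zones security-zone Internal address-book address JUN 192.168.13.0/24
set security zones security-zone VPN_Cloud address-book address VPN_Cloud 10.0.1.0/24

## Phase 1: IKEv1 main mode, pre-shared key, SHA-256, AES-256-CBC, DH group 2,
## exactly the parameters the guide selects on both peers
set security ike proposal IKE_PROP_WG authentication-method pre-shared-keys
set security ike proposal IKE_PROP_WG dh-group group2
set security ike proposal IKE_PROP_WG authentication-algorithm sha-256
set security ike proposal IKE_PROP_WG encryption-algorithm aes-256-cbc
set security ike proposal IKE_PROP_WG lifetime-seconds 28800
set security ike policy IKE_POL_WG mode main
set security ike policy IKE_POL_WG proposals IKE_PROP_WG
set security ike policy IKE_POL_WG pre-shared-key ascii-text "REPLACE-WITH-PRE-SHARED-KEY"
## Gateway: peer address is the AWS public IP of the Firebox Cloud; the Firebox
## identifies itself by that same address ("By IP Address" in the guide)
set security ike gateway GW_JUN_WG ike-policy IKE_POL_WG
set security ike gateway GW_JUN_WG address 198.51.100.20
set security ike gateway GW_JUN_WG external-interface ge-0/0/0.0
set security ike gateway GW_JUN_WG version v1-only
## Assumed mapping of the guide's "Identity Type: IP Address" step
set security ike gateway GW_JUN_WG local-identity inet 203.0.113.10

## Phase 2: ESP with HMAC-SHA-256-128 and AES-256-CBC, bound to st0.1,
## established immediately rather than on first traffic
set security ipsec proposal IPSEC_PROP_WG protocol esp
set security ipsec proposal IPSEC_PROP_WG authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC_PROP_WG encryption-algorithm aes-256-cbc
set security ipsec policy ipsec-phase2-policy proposals IPSEC_PROP_WG
set security ipsec vpn VPN_JUN_Cloud bind-interface st0.1
set security ipsec vpn VPN_JUN_Cloud ike gateway GW_JUN_WG
set security ipsec vpn VPN_JUN_Cloud ike ipsec-policy ipsec-phase2-policy
set security ipsec vpn VPN_JUN_Cloud establish-tunnels immediately

## Static route: the AWS VPC subnet is reached through the tunnel interface
set routing-options static route 10.0.1.0/24 next-hop st0.1

## Security policies in both directions, scoped to the two subnets and logged
set security policies from-zone Internal to-zone VPN_Cloud policy Juniper_WGCloud match source-address JUN
set security policies from-zone Internal to-zone VPN_Cloud policy Juniper_WGCloud match destination-address VPN_Cloud
set security policies from-zone Internal to-zone VPN_Cloud policy Juniper_WGCloud match application any
set security policies from-zone Internal to-zone VPN_Cloud policy Juniper_WGCloud then permit
set security policies from-zone Internal to-zone VPN_Cloud policy Juniper_WGCloud then log session-close
set security policies from-zone VPN_Cloud to-zone Internal policy WGCloud_Juniper match source-address VPN_Cloud
set security policies from-zone VPN_Cloud to-zone Internal policy WGCloud_Juniper match destination-address JUN
set security policies from-zone VPN_Cloud to-zone Internal policy WGCloud_Juniper match application any
set security policies from-zone VPN_Cloud to-zone Internal policy WGCloud_Juniper then permit
set security policies from-zone VPN_Cloud to-zone Internal policy WGCloud_Juniper then log session-close
```

Paste the block in configuration mode with `load set terminal`, then run `commit check` before `commit`. The `local-identity` line is an assumption about which identity the guide's Identity Type step sets; if your J-Web build writes it as the remote identity instead, adjust that one line. DH group 2 and IKEv1 main mode are reproduced as the guide specifies them; both platforms also offer DH group 14, which must be changed on both peers together if you choose it.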

Test the Integration

  1. Log in to Fireware Web UI.
  2. Select System Status > VPN Statistics.
  3. Verify that the VPN tunnel is active.
  4. Create an ICMP policy on the Firebox to allow ICMP traffic. The Juniper SRX320 configuration includes an ICMP policy by default.

  5. Verify that the servers at 10.0.1.39 and 192.168.13.2 can successfully ping each other.

On the server at 10.0.1.39:

On the server at 192.168.13.2:
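
The Firebox side of the check is covered by VPN Statistics above; the matching checks on the SRX320 are the operational-mode commands below. This is an added example, not part of the guide; the `##` lines are annotations for the reader, not CLI input, and the VPN and route names are the ones used in the guide.

```junos
## Added example (not from the WatchGuard guide): SRX320 operational-mode checks.

## 1. Phase 1: expect one entry whose Remote Address is the Firebox Cloud public IP,
##    Mode Main and State UP; a Phase 1 that never reaches UP usually means a
##    proposal or pre-shared-key mismatch, or IKE not allowed on the external zone
show security ike security-associations
show security ike security-associations detail

## 2. Phase 2: expect an inbound (<) and an outbound (>) SA for VPN_JUN_Cloud on
##    st0.1 with ESP, aes-256-cbc and hmac-sha-256-128 and a non-zero lifetime
show security ipsec security-associations
show security ipsec security-associations detail

## 3. Traffic counters: encrypted/decrypted packet counts should rise while the
##    server at 192.168.13.2 pings 10.0.1.39; a climbing "bad SPI" or replay
##    counter points at a rekey mismatch or a device interfering with ESP on the path
show security ipsec statistics

## 4. Routing: the AWS server address must resolve to a route via st0.1,
##    otherwise the packets leave through ge-0/0/0.0 in the clear
show route 10.0.1.39

## 5. Policy: while the ping runs, a session from 192.168.13.2 to 10.0.1.39 should
##    appear with Juniper_WGCloud as the matched policy and st0.1 as the out interface
show security flow session destination-prefix 10.0.1.39

## 6. Policy hits confirm the pair of permit rules are actually being used
show security policies hit-count
```

If step 1 shows the SA up but step 5 shows no session, the traffic is not reaching the SRX from the LAN side or is being dropped before the policy lookup; compare `show route` output with the guide's static route step before revisiting the VPN settings.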
