Oracle Bare Metal and Firebox Branch Office VPN Integration Guide

WatchGuard provides integration instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about how to configure a third-party product, see the documentation and support resources for that product.

The Oracle Bare Metal BOVPN® service is a site-to-site IPSec VPN service offered by Oracle Cloud Infrastructure. This document describes the basic steps to build a Branch Office VPN (BOVPN) tunnel between Oracle Cloud Infrastructure and the WatchGuard Firebox.

Platform and Software

The hardware and software used to complete the steps outlined in this document include:

  • WatchGuard Firebox M400 with Fireware v12.8.1
  • Oracle Cloud Infrastructure account

Topology Diagram

Configure the Oracle Bare Metal VPN

Oracle documentation lists the basic structure to set up a site-to-site VPN. These steps provide a high-level overview of the process.

  1. Gather information.
  2. Create your VCN (Virtual Cloud Network) and a subnet in your VCN.
  3. Create your DRG (Dynamic Routing Gateway) and Virtual Cloud Network Attachment.
  4. Update the routing in your VCN to use the DRG.
  5. Update the security list in your VCN.
  6. Create a CPE (Customer-Premises Equipment) object and provide your CPE device's public IP address.
  7. Create an IPSec connection to the CPE object and provide your static routes.

Create Virtual Cloud Network and Subnet

  1. Log in to your Oracle Cloud as an administrator.
  2. In the upper-left corner, click the navigation menu.

Screenshot of Oracle Cloud, picture1

  3. Click Networking.

Screenshot of Oracle Cloud, picture2

  4. Click Virtual Cloud Networks.
  5. From the Compartment drop-down list, select your compartment. The compartments available depend on your permissions.
  6. Click Create VCN.
  7. In the Name text box, type a name.
  8. In the IPv4 CIDR Blocks text box, type your CIDR block.
  9. Keep the default value for other settings.

Screenshot of Oracle Cloud, picture3

  10. Click Create VCN.
    The Virtual Cloud Network is created.

Screenshot of Oracle Cloud, picture4

  11. Click Create Subnet.
  12. In the Name text box, type a name.
  13. In the IPv4 CIDR Block text box, type the CIDR block. The subnet's CIDR block is a smaller block within the VCN's CIDR block.
  14. From the Route Table drop-down list, select the default route table you created earlier.
  15. For Subnet Access, select Private Subnet.
  16. From the Security Lists drop-down list, select the default security list you created earlier.
  17. Keep the default value for other settings.

Screenshot of Oracle Cloud, picture5

  18. Click Create Subnet.

Create the Dynamic Routing Gateway and Virtual Cloud Network Attachment

  1. From the navigation menu, select Networking > Customer Connectivity > Dynamic Routing Gateway.
  2. From the Compartment drop-down list, select your compartment.
  3. Click Create Dynamic Routing Gateway.
  4. In the Name text box, type a friendly name.

Screenshot of Oracle Cloud, picture6

  5. Click Create Dynamic Routing Gateway.

Screenshot of Oracle Cloud, picture7

  6. From the Resources section, click Virtual Cloud Networks Attachments.
  7. Click Create Virtual Cloud Network Attachment.
  8. In the Attachment name text box, type a name.
  9. From the Virtual Cloud Network drop-down list, select the VCN you created.

Screenshot of Oracle Cloud, picture8

  10. Click Create Virtual Cloud Network Attachment.

Update the Routing Table

  1. From the navigation menu, select Networking > Virtual Cloud Networks.
  2. Click the VCN you created.
  3. In the Resources section, click Route Tables.
  4. Click the default route table you created earlier.
  5. Click Add Route Rules.
  6. From the Target Type drop-down list, select Dynamic Routing Gateway.
  7. In the Destination CIDR Block text box, type the destination CIDR block (the on-premises network behind the Firebox).

Screenshot of Oracle Cloud, picture9

  8. Click Add Route Rules.

Update the Security List

  1. From the navigation menu, select Networking > Virtual Cloud Networks.
  2. Click the VCN you created.
  3. Under Resources, click Security Lists.
  4. Click the default security list you created earlier.
  5. In the Resources section, click Ingress Rules.
  6. Select the rules and click Edit.
  7. For the ICMP protocol rules, update the Type to All.
  8. Click Save changes.

Screenshot of Oracle Cloud, picture10

For testing purposes, we allowed all inbound ICMP types. Remove this rule after testing.

Create Customer-Premises Equipment (CPE)

  1. From the navigation menu, select Networking > Customer Connectivity > Customer-Premises Equipment.
  2. From the Compartment drop-down list, select your compartment.
  3. Click Create Customer-Premises Equipment.
    The Create Customer-Premises Equipment page opens.
  4. In the Name text box, type a friendly name.
  5. In the Public IP Address text box, type the public IP address of your Firebox.
  6. In the CPE Vendor Information section, from the Vendor drop-down list, select WatchGuard.
  7. From the Platform/Version drop-down list, select Firebox with Fireware v12.

Screenshot of Oracle Cloud, picture11

  8. Click Create CPE.

Create an IPSec Connection

  1. From the navigation menu, select Networking > Customer Connectivity > Site-to-Site VPN.
  2. Click Create IPSec Connection.
  3. In the Name text box, type a descriptive name.
  4. From the Create in Compartment drop-down list, select your compartment.
  5. From the Customer-Premises Equipment drop-down list, select the CPE object you created earlier.
  6. From the Dynamic Routing Gateway Compartment drop-down list, select the DRG you created earlier.
  7. In the Routes to your On-Premises Network text box, type your on-premises network CIDR block.

Screenshot of Oracle Cloud, picture12

  8. In the Tunnel 1 section, in the Name text box, type a name.
  9. Select Provide custom shared secret.
  10. In the Shared Secret text box, type the shared secret key.
  11. From the IKE Version drop-down list, select IKEv2.
  12. For Routing Type, select Policy Based Routing.
  13. In the Associations section, in the On-Premises CIDRs text box, type your on-premises CIDR block.
  14. In the Oracle Cloud CIDRs text box, type your Oracle Cloud CIDR block.

Screenshot of Oracle Cloud, picture13

  15. Click Show Advanced Options.
  16. Expand Phase One (ISAKMP) Configuration.
  17. Select Set Custom Configurations.
  18. From the Custom Encryption Algorithm drop-down list, select AES_256_CBC.
  19. From the Custom Authentication Algorithm drop-down list, select SHA2_256.
  20. From the Custom Diffie-Hellman Group drop-down list, select GROUP14.

Screenshot of Oracle Cloud, picture14

  21. Expand Phase Two (IPSec) Configuration.
  22. Select Set Custom Configurations.
  23. From the Custom Encryption Algorithm drop-down list, select AES_256_CBC.
  24. From the Custom Authentication Algorithm drop-down list, select HMAC_SHA2_256_128.
  25. Keep the default value for other settings.

Screenshot of Oracle Cloud, picture15

  26. Repeat steps 8–25 to configure Tunnel 2.

Screenshot of Oracle Cloud, picture16

  27. Click Create IPSec Connection.
  28. From the new IPSec connection, copy the IP addresses from the Oracle VPN IP Address column. You need both addresses, one for each tunnel, when you configure the Firebox gateway endpoints.

Screenshot of Oracle Cloud, picture17

Configure the Firebox

Configure the Phase 2 IPSec Proposal

  1. Log in to Fireware Web UI at https://<your firebox IP address>:8080.
  2. Select VPN > Phase 2 Proposals.
  3. To create a new proposal, click Add.
  4. In the Name text box, type a name for the proposal.
  5. (Optional) Type a Description.
  6. From the Type drop-down list, select ESP (Encapsulating Security Payload).
  7. From the Authentication drop-down list, select SHA2.
  8. From the Encryption drop-down list, select AES(256-bit).
  9. For Force Key Expiration, select the Time check box and type 1 hour.

Screenshot of Firebox, picture1

  10. Click Save.

Configure the Branch Office VPN

  1. Select VPN > Branch Office VPN.
    The Branch Office VPN configuration page opens.
  2. In the Gateways section, click Add.
  3. In the Gateway Name text box, type a name to identify this Branch Office VPN gateway.
  4. From the Address Family drop-down list, select IPv4 Addresses.
  5. In the Credential Method section, select Use Pre-Shared Key.
  6. In the adjacent text box, type the pre-shared key. This must be the same shared secret you entered for the tunnel in Oracle Cloud.

Screenshot of Firebox, picture2

  7. In the Gateway Endpoint section, click Add.
    The Gateway Endpoint Settings dialog box opens.
  8. From the External Interface drop-down list, select External.
  9. From the Interface IP Address drop-down list, select Primary Interface IPv4 Address.
    The Primary Interface IP Address is the primary IP address you configured on the selected external interface.
  10. Select By IP Address.
  11. In the adjacent text box, type the public IP address of the external Firebox interface.

Screenshot of Firebox, picture3

  12. Select the Remote Gateway tab.
  13. Select Static IP Address.
  14. In the adjacent text box, type the Oracle VPN IP address that you copied from the Oracle Bare Metal IPSec connection.
  15. Select By IP Address.
  16. In the adjacent text box, type the Oracle VPN IP address that you copied from the Oracle Bare Metal IPSec connection.

Screenshot of Firebox, picture4

  17. Click OK.
  18. Repeat steps 7–17 to create another Gateway Endpoint. In steps 14 and 16, specify the other Oracle VPN IP address.
  19. In the Gateway Endpoint section, select the Start Phase 1 tunnel when Firebox starts check box.

Screenshot of Firebox, picture5

  20. Select the Phase 1 Settings tab.
  21. From the Version drop-down list, select IKEv2.
  22. In the Transform Settings section, select the default setting, and click Edit.
  23. In the SA Life text box, type 8 and select hours from the drop-down list.
  24. Keep all other settings as the default values.

Screenshot of Firebox, picture6

  25. Click OK.

Screenshot of Firebox, picture7

  26. Click Save.
  27. In the Tunnels section, click Add.

Screenshot of Firebox, picture8

  28. From the Gateway drop-down list, select the gateway that you configured.
  29. In the Addresses section, click Add.

Screenshot of Firebox, picture9

  30. In the Local IP section, from the Choose Type drop-down list, select Network IPv4.
  31. In the Network IP text box, type the local IP segment. This is the local network protected by the Firebox.
  32. In the Remote IP section, from the Choose Type drop-down list, select Network IPv4.
  33. In the Network IP text box, type the remote IP segment. This is the remote network in Oracle Cloud, which must match the Oracle Cloud CIDR you entered for the tunnel.

Screenshot of Firebox, picture10

  34. Click OK.
  35. Select the Phase 2 Settings tab.
  36. Select the Enable Perfect Forward Secrecy check box. From the drop-down list, select Diffie-Hellman Group 5.
  37. In the IPSec Proposals section, from the Phase 2 Proposals drop-down list, select the phase 2 proposal you created, and click Add.
  38. Remove any other proposals that appear on the list.

Screenshot of Firebox, picture11

  39. Click Save.
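Because the Oracle console and Fireware Web UI name the same algorithms differently, a mismatch in any Phase 1, Phase 2 or PFS setting, or a CIDR typed inconsistently between the VCN, the DRG route rule and the tunnel associations, is the usual reason the tunnel never comes up. The following pre-flight check is an added example, not part of this guide or of any WatchGuard or Oracle tool: it normalises both vocabularies and reports any disagreement. The sample values are constructed; the Firebox Phase 1 transform entries and the Oracle PFS group are assumptions to be replaced with what your own consoles show.

```python
import ipaddress

# Each console names the same algorithm differently; map both vocabularies
# onto one so the two sides can be compared field by field.
ORACLE_NAMES = {"AES_256_CBC": "aes256", "SHA2_256": "sha256",
                "HMAC_SHA2_256_128": "sha256", "GROUP14": "dh14", "GROUP5": "dh5"}
FIREBOX_NAMES = {"AES(256-bit)": "aes256", "SHA2-256": "sha256", "SHA2": "sha256",
                 "Diffie-Hellman Group 14": "dh14", "Diffie-Hellman Group 5": "dh5"}

# Constructed sample: the Oracle values selected in this guide. The PFS group is
# an assumption (the guide keeps Oracle's Phase 2 default); read it from the console.
ORACLE = {"ike": "IKEv2", "p1_enc": "AES_256_CBC", "p1_auth": "SHA2_256",
          "p1_dh": "GROUP14", "p2_enc": "AES_256_CBC",
          "p2_auth": "HMAC_SHA2_256_128", "pfs": "GROUP5"}
# Constructed sample: the Firebox values. The Phase 1 transform entries are an
# assumption (the guide keeps the Fireware defaults); copy them from the Web UI.
FIREBOX = {"ike": "IKEv2", "p1_enc": "AES(256-bit)", "p1_auth": "SHA2-256",
           "p1_dh": "Diffie-Hellman Group 14", "p2_enc": "AES(256-bit)",
           "p2_auth": "SHA2", "pfs": "Diffie-Hellman Group 5"}

def proposal_mismatches(oracle, firebox):
    """Return one line per IKE/IPSec field on which the two sides disagree."""
    out = []
    for field in ORACLE:
        o = ORACLE_NAMES.get(oracle[field], oracle[field].lower())
        f = FIREBOX_NAMES.get(firebox[field], firebox[field].lower())
        if o != f:
            out.append(f"{field}: Oracle={oracle[field]} Firebox={firebox[field]}")
    return out

def addressing_problems(vcn, subnet, oracle_cidr, onprem_cidr, route_dest):
    """Check the CIDRs typed into the VCN, subnet, tunnel associations and DRG
    route rule: subnet inside the VCN, Oracle Cloud CIDR covers the subnet,
    the two sites do not overlap, and the route rule covers the on-premises net."""
    vcn, subnet = ipaddress.ip_network(vcn), ipaddress.ip_network(subnet)
    oracle_cidr = ipaddress.ip_network(oracle_cidr)
    onprem, route_dest = ipaddress.ip_network(onprem_cidr), ipaddress.ip_network(route_dest)
    out = []
    if not subnet.subnet_of(vcn):
        out.append("subnet CIDR is not inside the VCN CIDR")
    if not subnet.subnet_of(oracle_cidr):
        out.append("tunnel's Oracle Cloud CIDR does not cover the subnet")
    if oracle_cidr.overlaps(onprem):
        out.append("Oracle Cloud CIDR overlaps the on-premises CIDR")
    if not onprem.subnet_of(route_dest):
        out.append("DRG route rule does not cover the on-premises CIDR")
    return out

if __name__ == "__main__":
    print(proposal_mismatches(ORACLE, FIREBOX) or "proposals match")
    print(addressing_problems("10.0.0.0/16", "10.0.1.0/24", "10.0.0.0/16",
                              "192.168.1.0/24", "192.168.1.0/24") or "addressing ok")
```

Run it with the values from both consoles before testing; an empty result for both checks means the two sides can at least negotiate the tunnel, and each reported line names the field to correct.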

Test the Integration

To test the integration, from Fireware Web UI:

  1. Select System Status > VPN Statistics.
  2. Select the Branch Office VPN tab.
  3. Verify that the VPN is established.

Screenshot of Firebox, picture12

  4. Verify that Host1 (behind the Firebox) and Host2 (behind Oracle Cloud) can ping each other.