Oracle Bare Metal BOVPN Virtual Interface Integration Guide

Oracle Bare Metal BOVPN® is a VPN service offered by Oracle Cloud Infrastructure. This document describes the basic steps to build a Branch Office VPN (BOVPN) virtual interface connection between Oracle Cloud and the Firebox.

Platform and Software

The hardware and software used to complete the steps outlined in this document include:

  • WatchGuard Firebox with Fireware v12
  • Oracle Bare Metal Account with networking

Configure the Oracle Bare Metal VPN

Oracle documentation lists the basic structure to set up a Branch Office VPN. These steps provide a high-level overview of the process.

  1. Gather information.
  2. Create your VCN (Virtual Cloud Network).
  3. Create your DRG (Dynamic Routing Gateway).
  4. Attach the DRG to your VCN.
  5. Update the routing in your VCN to use the DRG.
  6. Create a CPE (Customer-Premises Equipment) object and provide your router's public IP address.
  7. From your DRG, create an IPSec connection to the CPE object and provide your static routes.
  8. Configure your CPE router (WatchGuard firewall).

Create Virtual Cloud Network

  1. Select your Compartment in the Oracle Cloud infrastructure.
  2. Select Networking > Virtual Cloud Networks. The Create Virtual Cloud Network window appears. The compartments available depend on your permissions.
  3. Leave the default values and click Create Virtual Cloud Network.
    The Virtual Cloud Network is created.

Create Dynamic Routing Gateways

  1. Select Networking > Dynamic Routing Gateways.
    The Create Dynamic Routing Gateway window appears.
  2. Click Create Dynamic Routing Gateway.
  3. The Create in Compartment text box contains the current compartment name by default. To create the DRG in a different compartment, type the name of that compartment.
  4. In the Name text box, type a friendly name. The name cannot be changed in the console later.
  5. Click Create Dynamic Routing Gateway. The created DRG appears in the console.

Attach Dynamic Routing Gateway to a Cloud Network

After you create the DRG, you must attach the DRG to the Cloud Network.

  1. Select Networking > Dynamic Routing Gateways.
  2. From the list of available DRGs in the compartment, select the DRG you want to attach.
  3. Select Virtual Cloud Networks.
  4. Click Attach to Virtual Cloud Network.

Update the Routing Table

  1. Select Networking > Virtual Cloud Networks.
  2. From the list of available cloud networks, select the VCN you want.
  3. Click Route Tables. A list of all the route tables appears.
  4. For each subnet that communicates with your on-premises network, update the subnet's route table with a new route for the DRG.
  5. Select the Route Table you want and click Create Route Rule.
  6. In the CIDR text box, type the CIDR for your on-premises network.
  7. For the Target, select the DRG you created.
  8. Click Create.

Create Customer-Premises Equipment (CPE)

  1. Select Networking > Customer-Premises Equipment.
  2. Click Create Customer-Premises Equipment.
    The Create Customer-Premises Equipment dialog box appears. Complete all the fields.
  3. In the Create in Compartment text box, type the name of the compartment to use.
  4. In the Name text box, type a friendly name.
  5. In the IP Address text box, type the public IP address of your router.
  6. Click Create.

Link DRG to IPSec Connection

  1. Select Networking > Dynamic Routing Gateways.
  2. Select the DRG link you created.
  3. Make sure that the value in the Static Route CIDR text box matches the subnet that is the target on the WatchGuard firewall.
  4. Click Create IPSec Connection.
  5. Next to the newly created IPSec connection, open the menu and select Tunnel Information.
  6. Copy the shared key and public IP values.

You can configure and use multiple public gateways for this IPSec connection. See Configure VPN Failover for the steps to do this.

Configure the Firebox BOVPN Virtual Interface

The BOVPN virtual interface configuration on the Firebox should match the transforms and IPSec Proposals passed from the Oracle BOVPN, though Oracle Cloud might provide multiple options in BOVPN negotiation.

In general, the settings listed in the Configuration Summary are offered first and can provide a more stable BOVPN.

Configuration Summary

WatchGuard Phase One Settings:

  • Version — IKE v1
  • Mode — Main
  • No NAT Traversal
  • No IKE Keep-alive
  • DPD:
    • Traffic idle timeout — 10 seconds
    • Max retries — 3
  • Transform Settings:
    • Authentication — SHA2-384
    • Encryption — AES(256-bit)
    • SA life — 8 hours
    • Key Group — Diffie-Hellman Group 5

WatchGuard Phase Two Settings:

  • Perfect Forward Secrecy — Enabled, Diffie-Hellman Group 5
  • IPSec Proposals:
    • Type — ESP (Encapsulating Security Payload)
    • Authentication — SHA1
    • Encryption — AES(256-bit)
  • Force Key Expiration Time — 1 hour

These are the steps to enter the above values, add the public IP address gateway, and tunnel routes to build the BOVPN.

Configure the Phase 2 IPSec Proposal

  1. Log in to Fireware Web UI (https://<your firebox IP address>:8080).
  2. Select VPN > Phase 2 Proposals.
  3. Click Add to create a new proposal.
  4. In the Name text box, type a name for the proposal.
  5. (Optional) Type a Description.
  6. From the Type drop-down list, select ESP (Encapsulating Security Payload).
  7. From the Authentication drop-down list, select SHA1.
  8. From the Encryption drop-down list, select AES(256-bit).
  9. For Force Key Expiration, select the Time check box and type 1 hour.
  10. Click Save.

Configure the Gateway Settings

  1. Select VPN > BOVPN Virtual Interface.
  2. Click Add.
  3. In the Credential Method section, select Use Pre-Shared Key and paste the pre-shared key from the Oracle IPSec connection settings.
  4. In the Gateway Endpoint section, click Add.
    The New Gateway Endpoints Settings dialog box appears.
  5. From the Local Gateway tab, for Specify the gateway ID for tunnel authentication, select By IP Address and type the IP address. By default, this is the primary public address assigned to the firewall.
  6. Select the Remote Gateway tab.
  7. For Specify the remote gateway IP address for a tunnel, select Static IP Address and type the public IP address you got from the Oracle Bare Metal IPSec connection settings.
  8. Click OK.

If you configured multiple public IP addresses for VPN failover, you must type the different shared key for each remote public gateway in the Advanced tab. See Configure VPN Failover for more information.

Configure the VPN Routes

  1. On the Add BOVPN Virtual Interface page, select the VPN Routes tab.
  2. Click Add.
  3. From the Choose Type drop-down list, select an option:
    • Host IPv4 — Select this option if only one IPv4 host is the VPN destination.
    • Network IPv4 — Select this option if you have a full IPv4 network as the VPN destination.
  4. In the Route To text box, enter the network address or host address.
  5. In the Metric text box, type or select a metric value for the route.
  6. Click OK.

At the bottom of the BOVPN Virtual Interfaces page there is an option for Add this Tunnel to the BOVPN-allow policies. If you do not select this check box, then you must manually add a policy to allow this traffic.
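The VPN Routes entered here and the Oracle-side CIDRs (the VCN route rule and the IPSec connection's Static Route CIDR) must agree, or traffic is dropped on one side. The following consistency check is an added example, not part of the WatchGuard or Oracle documentation; every CIDR in it is a constructed sample value.

```python
from ipaddress import ip_network


def covered(cidr, candidates):
    """True if cidr is equal to, or lies inside, one of the candidate networks."""
    net = ip_network(cidr)
    return any(net.subnet_of(ip_network(c)) for c in candidates)


def check_route_consistency(vcn_subnets, vcn_route_rule_cidrs, oracle_static_routes,
                            firebox_local_networks, firebox_vpn_routes):
    """Return a list of findings; an empty list means both sides agree."""
    findings = []
    # Oracle side: each VCN route rule that points at the DRG needs a matching
    # static route on the IPSec connection, or the DRG has nowhere to send it.
    for cidr in vcn_route_rule_cidrs:
        if not covered(cidr, oracle_static_routes):
            findings.append(f"VCN route rule {cidr} has no matching IPSec static route")
    # Every Firebox local network must be reachable from Oracle via a static route.
    for cidr in firebox_local_networks:
        if not covered(cidr, oracle_static_routes):
            findings.append(f"Firebox local network {cidr} not covered by an Oracle static route")
    # Every VCN subnet must be reachable from the Firebox via a VPN route.
    for cidr in vcn_subnets:
        if not covered(cidr, firebox_vpn_routes):
            findings.append(f"VCN subnet {cidr} not covered by a Firebox VPN route")
    # Overlapping address space on the two sides cannot be routed through the tunnel.
    for local in firebox_local_networks:
        for remote in vcn_subnets:
            if ip_network(local).overlaps(ip_network(remote)):
                findings.append(f"Firebox network {local} overlaps VCN subnet {remote}")
    return findings


if __name__ == "__main__":
    # Constructed sample: a VCN with two subnets and one on-premises network.
    result = check_route_consistency(
        vcn_subnets=["10.0.0.0/24", "10.0.1.0/24"],
        vcn_route_rule_cidrs=["192.168.10.0/24"],
        oracle_static_routes=["192.168.10.0/24"],
        firebox_local_networks=["192.168.10.0/24"],
        firebox_vpn_routes=["10.0.0.0/16"],
    )
    print("OK" if not result else "\n".join(result))
```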

Configure the Phase 1 Settings for IKEv1

  1. On the Add BOVPN Virtual Interface page, select the Phase 1 Settings tab.
  2. From the Version drop-down list, select IKEv1.
  3. From the Mode drop-down list, select Main.
  4. Deselect the NAT Traversal and IKE Keep-alive check boxes.
  5. Select the Dead Peer Detection check box.
  6. In the Transform Settings section, select the transform you want. Click Edit.
  7. In the Transform Settings window, from the Authentication drop-down list, select SHA2-384.
  8. From the Encryption drop-down list, select AES (256-bit).
  9. In the SA Life text box, type 8 and select Hours from the drop-down list.
  10. From the Key Group drop-down list, select Diffie-Hellman Group 5.
  11. Click OK.

Assign the Phase 2 Proposal

  1. On the Add BOVPN Virtual Interface page, select the Phase 2 Settings tab.
  2. Select the Enable Perfect Forward Secrecy check box. From the drop-down list, select Diffie-Hellman Group 5.
  3. If there are any IPSec Proposals in the Phase 2 Proposals list, remove them.
  4. From the drop-down list below the Phase 2 Proposals list, select the Phase 2 Proposal you created.
  5. Click Save.

To check the status of the VPN, select System Status > VPN Statistics > Branch Office VPN.

Test the BOVPN

Usually some type of traffic must be sent through a VPN, such as a ping or a server connection, to verify that traffic passes through the VPN. On the Oracle side, this requires a virtual server. If you do not have a test device on the WatchGuard side of the VPN, run diagnostics tasks on your Firebox.

To run diagnostic tasks for your Firebox:

  1. Select System Status > Diagnostics.
    The Diagnostics page appears with the Diagnostics File tab selected.
  2. Select the Network tab.
    The Network page appears.
  3. From the Task drop-down list, select Ping.
  4. In the Address text box, type an IP address or host name.
  5. Select Advanced Options to ping from a local firewall interface.
    • The dash capital I option (-I) specifies the IP address of the local interface you want to ping from.
    • The IP address that follows the option must be an interface IP address assigned to the firewall.
    • The last IP address is the target of the ping command.