Oracle Bare Metal and Firebox Branch Office VPN Integration Guide
WatchGuard provides integration instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about how to configure a third-party product, see the documentation and support resources for that product.
Oracle Bare Metal BOVPN® is a site-to-site VPN service offered by Oracle Cloud Infrastructure. This document describes the basic steps to build a Branch Office VPN (BOVPN) tunnel between Oracle Cloud Infrastructure and a WatchGuard Firebox.
Platform and Software
The hardware and software used to complete the steps outlined in this document include:
- WatchGuard Firebox M400 with Fireware v12.8.1
- Oracle Cloud Infrastructure account
Configure the Oracle Bare Metal VPN
Oracle documentation lists the basic structure to set up a site-to-site VPN. These steps provide a high-level overview of the process.
1. Gather information.
2. Create your VCN (Virtual Cloud Network) and a subnet in your VCN.
3. Create your DRG (Dynamic Routing Gateway) and Virtual Cloud Network Attachment.
4. Update the routing in your VCN to use the DRG.
5. Update the security list in your VCN.
6. Create a CPE (Customer-Premises Equipment) object and provide your CPE device's public IP address.
7. Create an IPSec connection to the CPE object and provide your static routes.
Create Virtual Cloud Network and Subnet
1. Log in to your Oracle Cloud as an administrator.
2. In the upper-left corner, click the navigation menu.
3. Click Networking.
4. Click Virtual Cloud Networks.
5. From the Compartment drop-down list, select your compartment. The available compartments depend on your permissions.
6. Click Create VCN.
7. In the Name text box, type a name.
8. In the IPv4 CIDR Blocks text box, type your CIDR block.
9. Keep the default value for other settings.
10. Click Create VCN.
The Virtual Cloud Network is created.
11. Click Create Subnet.
12. In the Name text box, type a name.
13. In the IPv4 CIDR Block text box, type the CIDR block. Typically a subnet has a CIDR block smaller than the VCN's CIDR.
14. From the Route Table drop-down list, select the default route table you created earlier.
15. For Subnet Access, select Private Subnet.
16. From the Security Lists drop-down list, select the default security list you created earlier.
17. Keep the default value for other settings.
18. Click Create Subnet.
Create the Dynamic Routing Gateway and Virtual Cloud Network Attachment
1. From the navigation menu, select Networking > Customer Connectivity > Dynamic Routing Gateway.
2. From the Compartment drop-down list, select your compartment.
3. Click Create Dynamic Routing Gateway.
4. In the Name text box, type a friendly name.
5. Click Create Dynamic Routing Gateway.
6. From the Resources section, click Virtual Cloud Networks Attachments.
7. Click Create Virtual Cloud Network Attachment.
8. In the Attachment name text box, type a name.
9. From the Virtual Cloud Network drop-down list, select the VCN you created.
10. Click Create Virtual Cloud Network Attachment.
Update the Routing Table
1. From the navigation menu, select Networking > Virtual Cloud Networks.
2. Click the VCN you created.
3. In the Resources section, click Route Tables.
4. Click the default route table you created earlier.
5. Click Add Route Rules.
6. From the Target Type drop-down list, select Dynamic Routing Gateway.
7. In the Destination CIDR Block text box, type the destination CIDR block.
8. Click Add Route Rules.
Update the Security List
1. From the navigation menu, select Networking > Virtual Cloud Networks.
2. Click the VCN you created.
3. Under Resources, click Security Lists.
4. Click the default security list you created earlier.
5. In the Resources section, click Ingress Rules.
6. Select the rules and click Edit.
7. For the ICMP protocol rules, update the Type to All.
8. Click Save changes.
For testing purposes, we allowed inbound ICMP traffic of all types. Remove this rule after testing.
Create Customer-Premises Equipment (CPE)
1. From the navigation menu, select Networking > Customer Connectivity > Customer-Premises Equipment.
2. From the Compartment drop-down list, select your compartment.
3. Click Create Customer-Premises Equipment.
The Create Customer-Premises Equipment page opens.
4. In the Name text box, type a friendly name.
5. In the Public IP Address text box, type the public IP address of your Firebox.
6. In the CPE Vendor Information section, from the Vendor drop-down list, select WatchGuard.
7. From the Platform/Version drop-down list, select Firebox with Fireware v12.
8. Click Create CPE.
Create an IPSec Connection
1. From the navigation menu, select Networking > Customer Connectivity > Site-to-Site VPN.
2. Click Create IPSec Connection.
3. In the Name text box, type a descriptive name.
4. From the Create in Compartment drop-down list, select your compartment.
5. From the Customer-Premises Equipment drop-down list, select the CPE object you created earlier.
6. From the Dynamic Routing Gateway Compartment drop-down list, select the DRG you created earlier.
7. In the Routes to your On-Premises Network text box, type your on-premises network.
8. In the Tunnel 1 section, in the Name text box, type a name.
9. Select Provide custom shared secret.
10. In the Shared Secret text box, type the shared secret key.
11. From the IKE Version drop-down list, select IKEv2.
12. For Routing Type, select Policy Based Routing.
13. In the Associations section, in the On-Premises CIDRs text box, type your on-premises CIDR block.
14. In the Oracle Cloud CIDRs text box, type your Oracle Cloud CIDR block.
15. Click Show Advanced Options.
16. Expand Phase One (ISAKMP) Configuration.
17. Select Set Custom Configurations.
18. From the Custom Encryption Algorithm drop-down list, select AES_256_CBC.
19. From the Custom Authentication Algorithm drop-down list, select SHA2_256.
20. From the Custom Diffie-Hellman Group drop-down list, select GROUP14.
21. Expand Phase Two (IPSec) Configuration.
22. Select Set Custom Configurations.
23. From the Custom Encryption Algorithm drop-down list, select AES_256_CBC.
24. From the Custom Authentication Algorithm drop-down list, select HMAC_SHA2_256_128.
25. Keep the default value for other settings.
26. Repeat steps 8–25 to configure Tunnel 2.
27. Click Create IPSec Connection.
28. From the new IPSec connection, copy the IP addresses from the Oracle VPN IP Address column. You need both addresses when you configure the Firebox gateway endpoints.
Configure the Firebox
Configure the Phase 2 IPSec Proposal
1. Log in to Fireware Web UI at https://<your firebox IP address>:8080.
2. Select VPN > Phase 2 Proposals.
3. To create a new proposal, click Add.
4. In the Name text box, type a name for the proposal.
5. (Optional) Type a Description.
6. From the Type drop-down list, select ESP (Encapsulating Security Payload).
7. From the Authentication drop-down list, select SHA2.
8. From the Encryption drop-down list, select AES(256-bit).
9. For Force Key Expiration, select the Time check box and type 1 hour.
10. Click Save.
Configure the Branch Office VPN
1. Select VPN > Branch Office VPN.
The Branch Office VPN configuration page opens.
2. In the Gateways section, click Add.
3. In the Gateway Name text box, type a name to identify this Branch Office VPN gateway.
4. From the Address Family drop-down list, select IPv4 Addresses.
5. In the Credential Method section, select Use Pre-Shared Key.
6. In the adjacent text box, type the pre-shared key.
7. In the Gateway Endpoint section, click Add.
The Gateway Endpoint Settings dialog box opens.
8. From the External Interface drop-down list, select External.
9. From the Interface IP Address drop-down list, select Primary Interface IPv4 Address.
The Primary Interface IP Address is the primary IP address you configured on the selected external interface.
10. Select By IP Address.
11. In the adjacent text box, type the public IP address of the External Firebox interface.
12. Select the Remote Gateway tab.
13. Select Static IP Address.
14. In the adjacent text box, type the Oracle VPN IP address that you copied from the Oracle Bare Metal IPSec connection.
15. Select By IP Address.
16. In the adjacent text box, type the Oracle VPN IP address that you copied from the Oracle Bare Metal IPSec connection.
17. Click OK.
18. Repeat steps 7–17 to create another Gateway Endpoint. In steps 14 and 16, specify the other Oracle VPN IP address.
19. In the Gateway Endpoint section, select the Start Phase 1 tunnel when Firebox starts check box.
20. Select the Phase 1 Settings tab.
21. From the Version drop-down list, select IKEv2.
22. In the Transform Settings section, select the default setting, and click Edit.
23. In the SA Life text box, type 8 and select hours from the drop-down list.
24. Keep all other settings as the default values.
25. Click OK.
26. Click Save.
27. In the Tunnels section, click Add.
28. From the Gateway drop-down list, select the gateway that you configured.
29. In the Addresses section, click Add.
30. In the Local IP section, from the Choose Type drop-down list, select Network IPv4.
31. In the Network IP text box, type the local IP segment. This is the local network protected by the Firebox.
32. In the Remote IP section, from the Choose Type drop-down list, select Network IPv4.
33. In the Network IP text box, type the remote IP segment. This is the network in the Oracle Cloud VCN.
34. Click OK.
35. Select the Phase 2 Settings tab.
36. Select the Enable Perfect Forward Secrecy check box. From the drop-down list, select Diffie-Hellman Group 5.
37. In the IPSec Proposals section, from the Phase 2 Proposals drop-down list, select the phase 2 proposal you created, and click Add.
38. Remove any other proposals that appear on the list.
39. Click Save.
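Most tunnel failures in this kind of setup come from the two sides disagreeing on an algorithm, a CIDR or a peer address, and the vendors spell the same settings differently. The script below is an added example, not WatchGuard or Oracle code: it normalises both vendors' names and checks that the Oracle IPSec connection settings mirror the Firebox gateway and tunnel settings. All values are constructed samples; the GROUP5 value for Oracle's Phase 2 PFS group is an assumption, since the guide keeps Oracle's default there.

```python
# Added example, not WatchGuard or Oracle code: cross-checks the Oracle IPSec
# connection settings against the Firebox BOVPN settings from this guide.
import ipaddress

# Vendor spellings of the same algorithms, mapped to one canonical token.
ORACLE_NAMES = {"AES_256_CBC": "aes256", "SHA2_256": "sha256",
                "HMAC_SHA2_256_128": "sha256", "GROUP14": "dh14", "GROUP5": "dh5"}
FIREBOX_NAMES = {"AES(256-bit)": "aes256", "SHA2": "sha256", "SHA2-256": "sha256",
                 "Diffie-Hellman Group 14": "dh14", "Diffie-Hellman Group 5": "dh5"}
ALGO_FIELDS = ("p1_encryption", "p1_auth", "p1_dh", "p2_encryption", "p2_auth", "p2_pfs")

def canon(table, name):
    if name not in table:
        raise ValueError(f"unrecognised algorithm name: {name!r}")
    return table[name]

def nets(cidrs):
    return {ipaddress.ip_network(c, strict=False) for c in cidrs}

def compare(oracle, firebox):
    """Return a list of mismatch strings; an empty list means both sides agree."""
    problems = []
    if oracle["ike_version"] != firebox["ike_version"]:
        problems.append(f"ike_version: {oracle['ike_version']} vs {firebox['ike_version']}")
    for field in ALGO_FIELDS:
        if canon(ORACLE_NAMES, oracle[field]) != canon(FIREBOX_NAMES, firebox[field]):
            problems.append(f"{field}: Oracle {oracle[field]} vs Firebox {firebox[field]}")
    # Oracle's "On-Premises CIDRs" are the Firebox's local networks and Oracle's
    # "Oracle Cloud CIDRs" are the Firebox's remote networks (note the swap).
    if nets(oracle["on_prem_cidrs"]) != nets(firebox["local_networks"]):
        problems.append("on-premises CIDRs do not match Firebox local networks")
    if nets(oracle["cloud_cidrs"]) != nets(firebox["remote_networks"]):
        problems.append("Oracle Cloud CIDRs do not match Firebox remote networks")
    # Every Oracle VPN IP address must be a remote gateway endpoint on the Firebox.
    if set(oracle["vpn_ips"]) != set(firebox["remote_gateways"]):
        problems.append("Oracle VPN IPs do not match Firebox remote gateway endpoints")
    return problems

# Constructed sample values (203.0.113.0/24 is a documentation range). GROUP5 as
# the Oracle Phase 2 PFS group is an assumption; the guide keeps Oracle's default.
ORACLE_SIDE = {"ike_version": "IKEv2", "p1_encryption": "AES_256_CBC", "p1_auth": "SHA2_256",
               "p1_dh": "GROUP14", "p2_encryption": "AES_256_CBC", "p2_auth": "HMAC_SHA2_256_128",
               "p2_pfs": "GROUP5", "on_prem_cidrs": ["192.168.1.0/24"],
               "cloud_cidrs": ["10.0.0.0/16"], "vpn_ips": ["203.0.113.10", "203.0.113.11"]}
FIREBOX_SIDE = {"ike_version": "IKEv2", "p1_encryption": "AES(256-bit)", "p1_auth": "SHA2-256",
                "p1_dh": "Diffie-Hellman Group 14", "p2_encryption": "AES(256-bit)",
                "p2_auth": "SHA2", "p2_pfs": "Diffie-Hellman Group 5",
                "local_networks": ["192.168.1.0/24"], "remote_networks": ["10.0.0.0/16"],
                "remote_gateways": ["203.0.113.11", "203.0.113.10"]}
print(compare(ORACLE_SIDE, FIREBOX_SIDE) or "Oracle and Firebox settings agree")
```

Run it once with the values you actually typed into both consoles; an empty result means the proposals, networks and peer addresses line up, and each reported string names the field to fix.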
Test the Integration
To test the integration, from Fireware Web UI:
1. Select System Status > VPN Statistics.
2. Select the Branch Office VPN tab.
3. Verify that the VPN is established.
4. Verify that Host1 (behind the Firebox) and Host2 (behind the Oracle Cloud) can ping each other.