Oracle Bare Metal and Firebox BOVPN Virtual Interface Integration Guide

Oracle Bare Metal BOVPN® service is a service offered by Oracle Cloud Infrastructure. This document describes the basic steps to build a Branch Office VPN (BOVPN) virtual interface connection between the Oracle Cloud Infrastructure and the WatchGuard Firebox.

WatchGuard provides integration instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about how to configure a third-party product, see the documentation and support resources for that product.

Contents

Platform and Software

The hardware and software used in this document include:

  • WatchGuard Firebox with Fireware v12.10.1
  • Oracle Cloud Infrastructure account

The screeshot of topology diagram

Configure the Oracle Bare Metal VPN

For information about the basic structure to set up a site-to-site VPN, go to the Oracle documentation.

To configure the Oracle Bare Metal VPN:

  1. Create a Virtual Cloud Network and Subnet.
  2. Create the Dynamic Routing Gateway and Virtual Cloud Network Attachment.
  3. Update the Routing Table.
  4. Update the Security List.
  5. Create the Customer-Premises Equipment (CPE).
  6. Create an IPSec Connection.

Create a Virtual Cloud Network and Subnet

To create a virtual cloud network and subnet:

  1. Log in to the Oracle Cloud with an administrator account.

Screenshot of Oracle Cloud, get started

  1. From the navigation menu, select Networking > Virtual Cloud Networks.

Screenshot of Oracle Cloud, Networking virtual cloud networks

  1. From the Compartment drop-down list, select your compartment. The available compartment depends on your permission.
  2. Click Create VCN.
    The Create a Virtual Cloud Network page opens.

Screenshot of Oracle Cloud, create VCN 001

  1. In the Name text box, type a name. In this example, we use MyVCN
  2. In the IPv4 CIDR Blocks text box, type your CIDR block.
  3. Keep the default values for other settings.
  4. Click Create VCN.
    The virtual cloud network is created with a default route table and security list.

Screenshot of Oracle Cloud, My VCN

  1. To view the default route table, from the Resources section, click Route Tables.

Screenshot of Oracle Cloud,route tables

  1. To view the default security list, from the Resources section, click Security Lists.

Screenshot of Oracle Cloud, Security Lists

  1. Click Subnets(0), then click Create Subnet.
    The Create Subnet page opens.

Screenshot of Oracle Cloud, create my subnet 001

  1. In the Name text box, type a name.
  2. In the IPv4 CIDR Block text box, type the CIDR block. Generally, a subnet CIDR block is smaller than the VCN CIDR block.
  3. From the Route Table drop-down list, select the default route table.
  4. For Subnet Access, select Private Subnet.
  5. From the Security Lists drop-down list, select the default security list.
  6. Keep the default values for other settings.
  7. Click Create Subnet.

Create the Dynamic Routing Gateway and Virtual Cloud Network Attachment

To create the Dynamic Routing Gateway and Virtual Cloud Network Attachment:

  1. From the navigation menu, select Networking > Customer Connectivity > Dynamic Routing Gateway.
  2. From the Compartment drop-down list, select your compartment.
  3. Click Create Dynamic Routing Gateway.
    The Create Dynamic Routing Gateway page opens.

Screenshot of Oracle Cloud, create DRG 001

  1. In the Name text box, type a name.
  2. Click Create Dynamic Routing Gateway.
    The Dynamic Routing Gateway is created.

Screenshot of Oracle Cloud, My DRG

  1. From the Resources section, click VCN Attachments.
  2. Click Create Virtual Cloud Network Attachment.
    The Create VCN Attachment page opens.

Screenshot of Oracle Cloud, create VCN attachment 001

  1. In the Attachment Name text box, type a name.
  2. From the Virtual Cloud Network drop-down list, select the VCN you created in Create a Virtual Cloud Network and Subnet.
  3. Click Create VCN Attachment.

Update the Routing Table

To update the routing table:

  1. From the navigation menu, select Networking > Virtual Cloud Networks.
  2. Select the VCN you created in Create a Virtual Cloud Network and Subnet.
  3. From the Resources section, click Route Tables.
  4. Select the default route table.
  5. Click Add Route Rules.
    The Add Route Rules page opens.

Screenshot of Oracle Cloud, Add route rules 001

  1. From the Target Type drop-down list, select Dynamic Routing Gateway.
  2. From the Destination Type drop-down list, select CIDR Block.
  3. In the Destination CIDR Block text box, type the destination CIDR block.
  4. Click Add Route Rules.

Update the Security List

To update the security list:

  1. From the navigation menu, select Networking > Virtual Cloud Networks.
  2. Select the VCN you created in Create a Virtual Cloud Network and Subnet.
  3. From the Resources section, click Security Lists.
  4. Click the default security list you created in Create a Virtual Cloud Network and Subnet
  5. From the Resources section, click Ingress Rules.
    The Ingress Rules page opens.

Screenshot of Oracle Cloud, ingress rules

  1. Select the rules you want to update, then click Edit.
  2. For the ICMP protocol rules, update the Type to All.
  3. Click Save Changes.

For test purposes, we allow inbound ICMP traffic on all ports. Remove this rule after you complete the test.

Create the Customer-Premises Equipment (CPE)

To create the customer-premises equipment:

  1. From the navigation menu, select Networking > Customer Connectivity > Customer-Premises Equipment.
  2. From the Compartment drop-down list, select your compartment.
  3. Click Create CPE.
    The Create CPE page opens.

Screenshot of Oracle Cloud, create CPE 001

  1. In the Name text box, type a name.
  2. In the IP Address text box, type the public IP address of your Firebox.
  3. From the CPE Vendor Information section, from the Vendor drop-down list, select WatchGuard.
  4. From the Platform/Version drop-down list, select Firebox with Fireware v12.
  5. Keep the default values for other settings.
  6. Click Create CPE.

Create an IPSec Connection

To create an IPSec connection:

  1. From the navigation menu, select Networking > Customer Connectivity > Site-to-Site VPN.
  2. Click Create IPSec Connection.
    The Create IPSec Connection page opens.

Screenshot of Oracle Cloud, create IPSec connection

  1. In the Name text box, type a name.
  2. From the Create in Compartment drop-down list, select your compartment.
  3. From the Customer-Premises Equipment drop-down list, select the CPE object you created in Create the Customer-Premises Equipment (CPE).
  4. From the Dynamic Routing Gateway Compartment drop-down list, select the DRG you created earlier.
  5. In the Routes to Your On-Premises Network text box, type your on-premise network.
  6. Expand the Tunnel 1 section.
    The Tunnel 1 settings appear.

Screenshot of Oracle Cloud, IPSec Tunnel 1 Static Routing

  1. In the Name text box, type a name.
  2. Select the Provide Custom Shared Secret check box.
  3. In the Shared Secret text box, type the shared secret key.
  4. From the IKE Version drop-down list, select IKEv2.
  5. For Routing Type, select Static Routing.
  6. Click Show Advanced Options.
    The Tunnel 1 advanced options appear.

Screenshot of Oracle Cloud, Phase1-001

  1. Expand Phase One (ISAKMP) Configuration.
  2. Select the Set Custom Configurations check box.
  3. From the Custom Encryption Algorithm drop-down list, select AES_256_CBC.
  4. From the Custom Authentication Algorithm drop-down list, select SHA2_256.
  5. From the Custom Diffie-Hellman Group drop-down list, select GROUP14.
  6. Expand Phase Two (IPSec) Configuration.
    The Phase Two (IPSec) Configuration settings appear.

Screenshot of Oracle Cloud, picture 2-001

  1. Select the Set Custom Configurations check box.
  2. From the Custom Encryption Algorithm drop-down list, select AES_256_CBC.
  3. From the Custom Authentication Algorithm drop-down list, select HMAC_SHA2_256_128.
  4. Keep the default values for other settings.
  5. Repeat steps 8-24 to configure Tunnel 2.

Screenshot of Oracle Cloud, IPSec Tunnel 2 static routing

  1. Click Create IPSec Connection.
  2. From the new IPSec connection, from the Oracle VPN IP Address column, copy the IP addresses.

Screenshot of Oracle Cloud, site to site vpn

Configure the Firebox

To configure the Firebox, you must:

  1. Configure the Phase 2 IPSec Proposal
  2. Configure the BOVPN Virtual Interface

Configure the Phase 2 IPSec Proposal

To configure the Phase 2 IPSec proposal:

  1. Log in to Fireware Web UI at https://<your firebox IP address>:8080.
  2. Select VPN > Phase 2 Proposals.
  3. To create a new proposal, click Add.
    The Phase 2 Proposal Add page opens.

Screenshot of Firebox, picture1

  1. In the Name text box, type a name for the proposal.
  2. (Optional) In the Description text box, type a description.
  3. From the Type drop-down list, select ESP (Encapsulating Security Payload).
  4. From the Authentication drop-down list, select SHA2-256.
  5. From the Encryption drop-down list, select AES(256-bit).
  6. For Force Key Expiration, select the Time check box, then type 1 hour.
  7. Click Save.

Configure the BOVPN Virtual Interface

To configure the BOVPN virtual interface:

  1. Select VPN > BOVPN Virtual Interfaces.
    The BOVPN Virtual Interfaces configuration page opens.
  2. Click Add.
    The BOVPN Virtual Interfaces Add page opens.

Screenshot of Firebox, picture2

  1. In the Interface Name text box, type a name to identify this BOVPN virtual interface.
  2. From the Remote Endpoint Type drop-down list, select Cloud VPN or Third-Party Gateway.
  3. From the Gateway Address Family drop-down list, select IPv4 Addresses.

  4. From the Credential Method section, select Use Pre-Shared Key.
  5. In the adjacent text box, type the pre-shared key.
  6. From the Gateway Endpoint section, click Add.
    The Gateway Endpoint Settings dialog box opens.

Screenshot of Firebox, picture3

  1. From the Physical drop-down list, select External.
  2. From the Interface IP Address drop-down list, select Primary Interface IPv4 Address.

    The Primary Interface IP Address is the primary IP address you configured on the selected external interface.
  3. Select By IP Address.
  4. In the adjacent text box, type the public IP address of the External Firebox interface.
  5. Select the Remote Gateway tab.

Screenshot of Firebox, picture4

  1. Select Static IP Address.
  2. In the adjacent text box, type the Oracle VPN IP address that you copied from the Oracle Bare Metal IPSec connection.
  3. Select By IP Address.
  4. In the adjacent text box, type the Oracle VPN IP address that you copied from the Oracle Bare Metal IPSec connection.
  5. Click OK.
    The Gateway Endpoint details appear on the BOVPN Virtual Interfaces Add page.

Screenshot of Firebox, picture5

  1. From the Gateway Endpoint section, select the Start Phase 1 Tunnel When it is Inactive check box.
  2. Select the Add This Tunnel to the BOVPN-Allow Policies check box.
  3. Select the VPN Routes tab.
  4. Click Add.
    The VPN Route Settings dialog box opens.

Screenshot of Firebox, picture6

  1. From the Choose Type drop-down list, select Network IPv4.
  2. In the Route To text box, type the Network IP address of a route that uses this virtual interface.
  3. For Metric, type 1.
  4. Click OK.
    The VPN Route details appear on the BOVPN Virtual Interfaces Add page.

Screenshot of Firebox, picture7

  1. Select the Phase 1 Settings tab.
  2. From the Version drop-down list, select IKEv2.
  3. From the Transform Settings section, select the default setting, then click Edit.
    The Transform Settings dialog box opens.

Screenshot of Firebox, picture8

  1. In the SA Life text box, type 8 and select Hours from the drop-down list.
  2. Keep the default values for all other settings.
  3. Click OK.
    The Transform Settings appear on the BOVPN Virtual Interfaces Add page.

Screenshot of Firebox, picture9

  1. Select the Phase 2 Settings tab.

Screenshot of Firebox, picture10

  1. Select the Enable Perfect Forward Secrecy check box.
  2. From the adjacent drop-down list, select Diffie-Hellman Group 5.
  3. From the IPSec Proposals section, from the Phase 2 Proposals drop-down list, select the phase 2 proposal you created, then click Add.
  4. Remove any other proposals that appear in the list.
  5. Click Save.
  6. Repeat steps 1-38 to create another BOVPN virtual interface, with these changes:
    1. In Steps 15 and 17, specify the other Oracle VPN IP address.
    2. In Step 25, for Metric, type 2.

Test the Integration

To test the integration, from Oracle Bare Metal:

  1. Make sure your IPSec connection status is Up and green.
    Oracle provisions two IPSec tunnels for the connection, only one of which is up. For more information about the IPSec tunnel redundancy, go to the Oracle Cloud Infrastructure documentation.

Screenshot of Firebox, OIC IPsec Tunnels

  1. Launch an instance into the VCN.
    For information about how to launch an instance, go to the Oracle Cloud Infrastructure documentation.
  2. Ping the instance from your on-premise network.

To test the integration, from Fireware Web UI:

  1. Select System Status > VPN Statistics.
  2. Select the Branch Office VPN tab.
  3. Verify that the VPN is established.

Screenshot of Firebox, VPN Statistic

  1. Verify that Host1 (behind the Firebox) is able to ping Host2 (in the Oracle Cloud).