BOVPN Virtual Interface for Dynamic Routing to Amazon Web Services (AWS)

You can configure a BOVPN virtual interface to connect your Firebox to an Amazon Web Services (AWS) virtual network. Amazon refers to this virtual network as a Virtual Private Cloud (VPC).

This example summarizes the configuration settings for dynamic routing between a Firebox BOVPN virtual interface and an AWS VPC. AWS supports the BGP dynamic routing protocol. OSPF is not supported.

For general, step-by-step instructions that explain how to configure a virtual interface, see Configure a BOVPN Virtual Interface.

To get the pre-shared keys and AWS IP addresses to complete your Firebox configuration, you must download a configuration file from your AWS VPC console. Select Site-to-Site VPN Connections > [connection name] > Download Configuration > WatchGuard.
For more information about how to configure the AWS VPN settings, see the Amazon Virtual Private Cloud User Guide.

Configuration Example

Firebox Interfaces

For this example, the Firebox has one external interface and one trusted network.

Interface  Type      Name      IP Address
0          External  External  203.0.113.2/24
1          Trusted   Trusted   10.0.1.1/24

AWS Interfaces

For this example, the AWS VPN configuration has two external virtual interfaces and one trusted virtual network.

An AWS VPN configuration includes one virtual private gateway with two external IP addresses for redundancy. AWS automatically determines which IP address is the primary IP address.

Failover between the external IP addresses is enabled by default. If the primary AWS external IP address is unavailable, VPN traffic automatically fails over to the other AWS external IP address.

Interface  Type      Name       IP Address
0          External  External1  198.51.100.2/24
1          External  External2  192.0.2.2/24
2          Trusted   Trusted    10.0.100.1/24

Firebox Configuration

To configure a redundant gateway that uses both AWS external IP addresses, you must configure two BOVPN virtual interfaces.

On the Gateway Settings tab for the first virtual interface (for this example, toAWS-1):

  • Remote Endpoint Type is Cloud VPN or Third-Party Gateway
  • Credential Method is Use Pre-Shared Key. Specify the pre-shared key included in the AWS VPN configuration file for IPSec Tunnel #1.
  • Gateway Endpoint settings are:
    • Local Gateway ID — 203.0.113.2 (external interface of the Firebox)
    • Remote Gateway IP address and ID — 198.51.100.2 (first IP address of the AWS virtual private gateway)

For the second virtual interface (for this example, toAWS-2):

  • Remote Endpoint Type is Cloud VPN or Third-Party Gateway
  • Credential Method is Use Pre-Shared Key.
    Specify the pre-shared key included in the AWS VPN configuration file for IPSec Tunnel #2.
  • Gateway Endpoint settings are:
    • Local Gateway ID — 203.0.113.2 (external interface of the Firebox)
    • Remote Gateway IP address and ID — 192.0.2.2 (second IP address of the AWS virtual private gateway)

In the Web UI, the gateway settings are:

Screenshot: Gateway configuration for the first virtual interface in the Web UI

Screenshot: Gateway configuration for the second virtual interface in the Web UI

In Policy Manager, the gateway settings are:

Screenshot: Gateway configuration for the first virtual interface in Policy Manager

Screenshot: Gateway configuration for the second virtual interface in Policy Manager

On the VPN Routes tab, specify the virtual IP addresses included in the AWS VPN configuration file. The netmask assigned by AWS is always /30 (255.255.255.252).

For the first virtual interface (toAWS-1):

  • Assign virtual interface IP addresses — Selected
  • Local IP address — 169.254.11.254
    In the AWS VPN configuration file, in the IPSec Tunnel #1 section, this is the Inside Customer Gateway IP address.
  • Peer IP address or netmask — 255.255.255.252
    In the AWS VPN configuration file, in the IPSec Tunnel #1 section, this is the Inside Customer Gateway netmask.

For the second virtual interface (toAWS-2):

  • Assign virtual interface IP addresses — Selected
  • Local IP address — 169.254.9.162
    In the AWS VPN configuration file, in the IPSec Tunnel #2 section, this is the Inside Customer Gateway IP address.
  • Peer IP address or netmask — 255.255.255.252
    In the AWS VPN configuration file, in the IPSec Tunnel #2 section, this is the Inside Customer Gateway netmask.

In the Web UI, the virtual IP address settings are:

Screenshot: Virtual IP address configuration for the first virtual interface in the Web UI

Screenshot: Virtual IP address configuration for the second virtual interface in the Web UI

In Policy Manager, the virtual IP address settings are:

Screenshot: Virtual IP address configuration for the first virtual interface in Policy Manager

Screenshot: Virtual IP address configuration for the second virtual interface in Policy Manager

During VPN negotiations, AWS identifies the authentication and encryption algorithm settings from the Firebox and automatically uses the same settings, if they are supported. AWS supports specific proposals. You cannot edit the list of proposals available in AWS.

On the Phase 1 Settings tab for both virtual interfaces, we recommend these settings:

  • Version — IKEv2
    IKEv1 is also supported.
  • Authentication — SHA2-256
  • Encryption — AES (256-bit)
  • Diffie-Hellman Group — 14

In Fireware v12.0 and higher, the default Diffie-Hellman setting is Group 14. In Fireware v11.12.4 and lower, the default Diffie-Hellman setting is Group 2. AWS supports both groups.

Keep all other Phase 1 settings at the default values.

Screenshot: Phase 1 settings in the Web UI

Screenshot: Phase 1 settings in Policy Manager

On the Phase 2 Settings tab for both virtual interfaces, we recommend these settings:

  • Enable Perfect Forward Secrecy — Selected
  • Diffie-Hellman — Group 14
  • Phase 2 IPSec Proposal — ESP-AES256-SHA256

Fireware v11.12.4 or lower has different default Phase 2 settings. If your Firebox has Fireware v11.12.4 or lower, we recommend that you add a new Phase 2 proposal that specifies ESP, AES (256-bit) for encryption, and SHA2-256 for authentication. For more information, see Add a Phase 2 Proposal.

In Fireware v12.0 and higher, the default Diffie-Hellman setting is Group 14. In Fireware v11.12.4 and lower, the default Diffie-Hellman setting is Group 2. AWS supports both groups.

Screenshot: Phase 2 settings in the Web UI

Screenshot: Phase 2 settings in Policy Manager

The AWS BGP ASN and the virtual IP address (the BGP peer address) are defined by AWS and cannot be changed. The Firebox BGP dynamic routing configuration has these commands for the IP addresses in this example:

router bgp 10001
!
! to AWS VPC 1st ext-if
!
neighbor 169.254.11.253 remote-as 7224
neighbor 169.254.11.253 activate
neighbor 169.254.11.253 timers 10 30
!
! to AWS VPC 2nd ext-if
!
neighbor 169.254.9.161 remote-as 7224
neighbor 169.254.9.161 activate
neighbor 169.254.9.161 timers 10 30
!
! To advertise additional prefixes to Amazon VPC, copy the 'network' statement
! and identify the prefix you wish to advertise. Make sure the prefix is present
! in the routing table of the device with a valid next-hop.
!
network 10.0.1.0/24

Screenshot: The configured BGP settings in the Web UI

Screenshot: The configured BGP settings in Policy Manager

If you configure more than one trusted network on your Firebox, and you want AWS to learn the route to an additional trusted network, use an additional network command. For example:

network 10.0.1.0/24
network 10.0.2.0/24

AWS Configuration

In your AWS VPN configuration file, the settings are:

IPSec Tunnel #1:

  • Outside IP addresses:
    • Customer Gateway — 203.0.113.2 (external interface on the Firebox)
    • Virtual Private Gateway — 198.51.100.2 (first IP address of the AWS virtual private gateway)
  • Inside IP addresses:
    • Customer Gateway — 169.254.11.254/30 (IP address of the first virtual interface on the Firebox)
    • Virtual Private Gateway — 169.254.11.253 (IP address for the first virtual interface of the AWS VPN)
  • BGP:
    • Neighbor IP address — 169.254.11.254
    • Customer Gateway ASN — 10001 (the BGP ASN of the Firebox)

IPSec Tunnel #2:

  • Outside IP addresses:
    • Customer Gateway — 203.0.113.2 (external interface on the Firebox)
    • Virtual Private Gateway — 192.0.2.2 (second IP address of the AWS virtual private gateway)
  • Inside IP addresses:
    • Customer Gateway — 169.254.9.162/30 (IP address of the second virtual interface on the Firebox)
    • Virtual Private Gateway — 169.254.9.161 (IP address for the second virtual interface of the AWS VPN)
  • BGP:
    • Neighbor IP address — 169.254.9.162
    • Customer Gateway ASN — 10001 (the BGP ASN of the Firebox)
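The inside /30 addressing and the Firebox BGP neighbor statements above must agree with each other: the Firebox's neighbor address is the AWS inside address, not the "Neighbor IP address" the AWS file lists (which is the Firebox side as seen from AWS). The following is an added cross-check script, not part of the WatchGuard or AWS documentation; it uses the tunnel values from this page as constructed sample input and renders the BGP stanza from them. The 169.254.0.0/16 range check reflects the range AWS uses for inside tunnel addresses.

```python
import ipaddress

# Constructed sample values taken from this page's example (IPSec Tunnel #1 and #2).
FIREBOX_ASN = 10001
ADVERTISED_PREFIXES = ["10.0.1.0/24"]
TUNNELS = [
    {"name": "toAWS-1", "local_inside": "169.254.11.254",
     "peer_inside": "169.254.11.253", "netmask": "255.255.255.252", "aws_asn": 7224},
    {"name": "toAWS-2", "local_inside": "169.254.9.162",
     "peer_inside": "169.254.9.161", "netmask": "255.255.255.252", "aws_asn": 7224},
]
AWS_INSIDE_RANGE = ipaddress.ip_network("169.254.0.0/16")  # AWS inside tunnel range


def check_tunnel(t):
    """Return a list of inside-addressing problems for one tunnel (empty means OK)."""
    problems = []
    local = ipaddress.ip_interface(f"{t['local_inside']}/{t['netmask']}")
    peer = ipaddress.ip_address(t["peer_inside"])
    net = local.network
    if net.prefixlen != 30:
        problems.append(f"{t['name']}: inside netmask must be /30, got /{net.prefixlen}")
    if peer not in net:
        problems.append(f"{t['name']}: BGP peer {peer} is not inside {net}")
    if peer == local.ip:
        # Common slip: copying the AWS file's "Neighbor IP address" (the Firebox
        # side, as seen from AWS) into the Firebox's own neighbor statement.
        problems.append(f"{t['name']}: peer {peer} equals the local inside address")
    for label, addr in (("local", local.ip), ("peer", peer)):
        if addr in (net.network_address, net.broadcast_address):
            problems.append(f"{t['name']}: {label} address {addr} is not a host in {net}")
        if addr not in AWS_INSIDE_RANGE:
            problems.append(f"{t['name']}: {label} address {addr} is outside {AWS_INSIDE_RANGE}")
    return problems


def render_bgp(tunnels, firebox_asn, prefixes):
    """Render the Firebox dynamic routing BGP stanza, one neighbor block per tunnel."""
    lines = [f"router bgp {firebox_asn}"]
    for t in tunnels:
        n = t["peer_inside"]  # the AWS inside address is the Firebox's BGP neighbor
        lines += [f"neighbor {n} remote-as {t['aws_asn']}",
                  f"neighbor {n} activate",
                  f"neighbor {n} timers 10 30"]
    lines += [f"network {p}" for p in prefixes]  # one network statement per trusted prefix
    return "\n".join(lines)
```

Run `check_tunnel` on each tunnel before pasting the output of `render_bgp` into the Firebox dynamic routing configuration; an empty list means the inside addressing is consistent.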

For more information about how to configure your AWS VPC, see the Amazon Virtual Private Cloud User Guide.

See Also

BOVPN Virtual Interface for Static Routing to Amazon Web Services (AWS)