Integration Guide. Oracle Bare Metal BOVPN

Integration Guide: Oracle Bare Metal BOVPN
Revised: 17 November 2017

About This Guide

Guide Type
Documented Integration: WatchGuard or a Technology Partner has provided documentation demonstrating integration.

Guide Details
WatchGuard provides integration instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about how to configure a third-party product, see the documentation and support resources for that product.

2 Oracle Bare Metal BOVPN Integration Guide

Oracle Bare Metal BOVPN Integration Overview

Oracle Bare Metal BOVPN service is a service offered by Oracle Cloud Infrastructure. This document describes the basic steps needed to build a Branch Office VPN between the Oracle Cloud and the Firebox.

Platform and Software

The hardware and software used to complete the steps outlined in this document include:
- WatchGuard Firebox with Fireware v12.
- Oracle Bare Metal Account with networking.

Oracle Bare Metal BOVPN Setup

Oracle documentation lists the basic structure to set up a Branch Office VPN. The steps listed will closely adhere to this general path:
- Gather Information
- Create your VCN (Virtual Cloud Network)
- Create your DRG (Dynamic Routing Gateway)
- Attach the DRG to your VCN.
- Update the routing in your VCN to use the DRG.
- Create a CPE (Customer-Premises Equipment) object and provide your router's public IP address.
- From your DRG, create an IPSec Connection to the CPE object and provide your static routes.
- Configure your CPE router (WatchGuard firewall).

Create Virtual Cloud Network

1. Select your Compartment in the Oracle Cloud infrastructure.
2. Click Networking > Virtual Cloud Networks. The Create Virtual Cloud Network selection box appears. The compartments available will depend on your permissions.
3. Leave the default value on the dialog box, click Create Virtual Cloud Network.

You have now created the Virtual Cloud Network. Next you must create the Dynamic Routing Gateways.

Create Dynamic Routing Gateways

1. On the Oracle Cloud Infrastructure console click Networking > Dynamic Routing Gateways. The Create Dynamic Routing Gateway dialog box appears. Click Create Dynamic Routing Gateway.
2. The Create in Compartment field auto populates to the current compartment name. Enter the compartment name if you want to create the DRG in a different compartment.
3. In the Name field, enter a friendly name. Note the name cannot be changed later in the console.

4. Click Create Dynamic Routing Gateway. The created DRG appears in the console.

Once the DRG is created you must attach the DRG to the Cloud Network.

Attach Dynamic Routing Gateway to a Cloud Network

1. On the Oracle Cloud Infrastructure console click Networking > Dynamic Routing Gateways. A list of available DRGs in the compartment appears.
2. Select the DRG you want to attach.
3. With the DRG still selected, click the Virtual Cloud Networks link on the left-hand side. The Attach to Virtual Cloud Network option box appears.

Update the Routing Table

1. On the Oracle Cloud Infrastructure console click Networking > Virtual Cloud Networks. A list of cloud networks available in your compartment appears.
2. Select the VCN you want.
3. Click Route Tables. A list of all the route tables appears. For each subnet that needs to communicate with your on-premises network, update that subnet's route table with a new route for the DRG.

4. Select the Route Table you want and click Create Route Rule.
5. Enter the details for:
   - CIDR: The CIDR for your on-premises network
   - Target: The DRG you created earlier
6. Click Create.

Create Customer-Premises Equipment (CPE)

1. On the Oracle Cloud Infrastructure console click Networking > Customer-Premises Equipment.
2. Click Create Customer-Premises Equipment. The Create Customer-Premises Equipment dialog box appears. Complete all the fields:
   - Create in Compartment
   - Name
   - IP Address

3. Click Create.

Link DRG to IPSec Connection

1. On the Oracle Cloud Infrastructure console click Networking > Dynamic Routing Gateways.
2. Select the DRG link already created. On the right-hand side are Resources > IPSec Connections. The Static Route CIDR must match the subnet that is the target on the WatchGuard firewall. Select the button for Create IPSec Connection.
3. Select the three dots to the right of the newly created IPSec connection. Here you can either view the Tunnel Information or Terminate the BOVPN. Under Tunnel Information you will find the shared secret and public IP address needed for each gateway in the configuration of the WatchGuard BOVPN gateway settings. Copy this shared key and public IP for use later.

Note: This IPSec connection can have multiple public gateways. If you need this option, follow Configure VPN Failover in the WatchGuard documentation.

WatchGuard Firewall BOVPN Setup

The WatchGuard BOVPN setup should match the transforms and IPSec Proposals passed by the Oracle BOVPN. The Oracle cloud may provide multiple options in BOVPN negotiation. In general, the settings listed below are offered first, which can provide a more stable BOVPN.

Configuration Summary

WatchGuard Phase One Settings:
- Version: IKE v1
- Mode: Main
- No NAT Traversal
- No IKE Keep-alive
- DPD:
  o Traffic idle timeout 10 seconds
  o Max retries 3
- Transform Settings:
  o Authentication SHA2-384
  o Encryption AES(256-bit)
  o SA life 8 hours
  o Key Group Diffie-Hellman Group 5

WatchGuard Phase Two Settings:
- Enable Perfect Forward Secrecy, Diffie-Hellman Group 5
- IPSec Proposals:
  o Type ESP (Encapsulating Security Payload)
  o Authentication SHA1
  o Encryption AES(256-bit)
- Force Key Expiration, Time, 1 hour

These are the steps to enter the above values and to add the public IP address gateway and tunnel routes to build the BOVPN.

Configure Phase 2 IPSec Proposal from Fireware Web UI

1. We will configure the Phase 2 IPSec Proposal first in the Web UI, as this makes it available in a drop-down menu later. In the Fireware Web UI select VPN > Phase 2 Proposals.
2. Select Add to create a new proposal.
3. In the Name field enter a name for the proposal.
4. The Description field is optional.
5. From the Type drop-down list select ESP (Encapsulating Security Payload).
6. From the Authentication drop-down list select SHA1.

7. From the Encryption drop-down list select AES(256-bit).
8. For Force Key Expiration select the check box and enter 1 hour.
9. Click Save.

Configure Gateway Settings

1. Select VPN > BOVPN Virtual Interface.
2. Click Add.
3. In the General Settings tab section, select Use Pre-Shared Key and paste the Pre-Shared Key from the Oracle IPSec Connection settings.
4. In the Gateway Endpoint section, select Add. The New Gateway Endpoints Settings dialog box appears.
5. On the Local Gateway tab, for Specify the gateway ID for tunnel authentication, select By IP Address and specify the IP address. By default, this will be the primary public address assigned to the firewall.
6. On the Remote Gateway tab, for Specify the remote gateway IP address for a tunnel, select Static IP Address and enter the public IP address you got from the Oracle Bare Metal IPSec Connection settings.
7. Click OK.

Note the Advanced tab here. If you configure multiple public IP addresses for VPN failover, you must enter each different shared key on the tab for each remote public gateway. See Configure VPN Failover for more information.

Configure VPN Routes

1. Continue in the BOVPN Virtual Interface by selecting the VPN Routes tab.
2. Select Add.
3. From the Choose Type drop-down list, select an option:
   - Host IPv4 - Select this option if only one IPv4 host is the VPN destination.
   - Network IPv4 - Select this option if you have a full IPv4 network as the VPN destination.
   - Host IPv6 - Select this option if only one IPv6 host is the VPN destination. (Oracle does not support IPv6)
   - Network IPv6 - Select this option if you have a full IPv6 network as the VPN destination.
   Note: Oracle does not support IPv6.
4. In the Route To field, enter the network address or host address.
5. In the Metric field, type or select a metric value for the route.
6. Click OK.

Note: At the bottom of the BOVPN Virtual Interfaces page there is a selection option for Add this Tunnel to the BOVPN-allow policies. If this is not selected you will need to manually add a policy to allow this traffic.

Configure Phase 1 Settings for IKEv1 from Fireware Web UI

1. Continue with the BOVPN Virtual Interface by selecting the Phase 1 Settings tab.
2. From the Version drop-down list select IKEv1.
3. For the Mode drop-down list select Main.
4. Remove the selections for NAT Traversal and IKE Keep-alive.
5. Select the Dead Peer Detection check box. For Traffic Idle Timeout enter 10 seconds. For Max retries enter 3.

6. In the Transform Settings section, select the transform you want and then click Edit.
7. From the Authentication drop-down list, select SHA2-384.
8. From the Encryption drop-down list, select AES (256-bit).
9. Change the SA Life to 8 hours.
10. From the Key Group drop-down list select Diffie-Hellman Group 5.

Assign the Phase 2 Proposal

Continue with the BOVPN Virtual Interface on the Phase 2 Settings tab:

1. Select the Enable Perfect Forward Secrecy check box, and from the drop-down list select Diffie-Hellman Group 5.
2. If there are any IPSec Proposals listed, remove them.
3. Then use the drop-down box to select the Phase 2 Proposal created earlier in these directions.
4. Click Save.

You can check on the status of the VPN in the Web UI > System Status > VPN Statistics > Branch Office VPN tab.
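The route entries made on both sides in the steps above have to agree: the Oracle static route and the VCN route rule name the on-premises subnet, and the Firebox VPN route names the Oracle side. The following pre-flight check is an added example, not part of the WatchGuard guide; the function names, the plan dictionary layout and the sample addresses are assumptions made for illustration.

```python
import ipaddress

def _net(cidr, findings, label):
    """Parse a CIDR or host address; report entries that have host bits set."""
    iface = ipaddress.ip_interface(cidr)
    if iface.ip != iface.network.network_address:
        findings.append(f"{label} {cidr}: host bits set, did you mean {iface.network}?")
    return iface.network

def check_bovpn_routes(plan):
    """Return a list of findings; an empty list means both sides agree."""
    f = []
    onprem = {_net(c, f, "on-prem subnet") for c in plan["onprem_subnets"]}
    vcn = _net(plan["vcn_cidr"], f, "VCN CIDR")
    static = {_net(c, f, "Oracle static route") for c in plan["oracle_static_routes"]}
    rules = {_net(c, f, "VCN route rule") for c in plan["vcn_route_rules_to_drg"]}
    fb = {_net(c, f, "Firebox VPN route") for c in plan["firebox_vpn_routes"]}

    # The Static Route CIDR on the IPSec connection must match the Firebox-side subnet.
    for n in sorted(onprem - static, key=str):
        f.append(f"on-prem subnet {n} has no matching Oracle static route")
    for n in sorted(static - onprem, key=str):
        f.append(f"Oracle static route {n} matches no on-prem subnet")
    # Each VCN route table needs a rule that sends the on-prem CIDR to the DRG.
    for n in sorted(onprem - rules, key=str):
        f.append(f"no VCN route rule sends {n} to the DRG")
    # Firebox "Route To" entries must be IPv4 and lie inside the VCN.
    for n in sorted(fb, key=str):
        if n.version == 6:
            f.append(f"Firebox VPN route {n} is IPv6, which Oracle does not support")
        elif n.version != vcn.version or not n.subnet_of(vcn):
            f.append(f"Firebox VPN route {n} is outside the VCN {vcn}")
    # Overlapping address space on the two sides makes the tunnel routes ambiguous.
    for n in sorted(onprem, key=str):
        if n.version == vcn.version and n.overlaps(vcn):
            f.append(f"on-prem subnet {n} overlaps the VCN {vcn}")
    return f

# Constructed sample plans (private address space, not taken from the guide).
GOOD = {"onprem_subnets": ["192.168.10.0/24"], "vcn_cidr": "10.0.0.0/16",
        "oracle_static_routes": ["192.168.10.0/24"],
        "vcn_route_rules_to_drg": ["192.168.10.0/24"],
        "firebox_vpn_routes": ["10.0.0.0/16"]}
BAD = {"onprem_subnets": ["192.168.10.0/24"], "vcn_cidr": "10.0.0.0/16",
       "oracle_static_routes": ["192.168.1.0/24"],
       "vcn_route_rules_to_drg": ["192.168.10.5/24"],
       "firebox_vpn_routes": ["10.1.0.0/24", "fd00::/64"]}

if __name__ == "__main__":
    for name, plan in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_bovpn_routes(plan) or "consistent")
```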

Test the Branch Office VPN

To verify that traffic passes through a VPN, you usually need to send some type of traffic through it, such as a ping or a server connection. On the Oracle side, this requires a virtual server. If you do not have a test device on the WatchGuard side of the VPN, run the Diagnostics Tasks on your Firebox.

To run diagnostic tasks for your Firebox:

1. Select System Status > Diagnostics. The Diagnostics page appears with the Diagnostics File tab selected.
2. Select the Network tab. The Network page appears.
3. From the Task drop-down list select Ping.
4. In the Address text box, type an IP address or host name.
5. Select Advanced Options and you can ping from a local firewall interface. The options explained are:
   -I: The dash capital I is used to specify the IP address of the local interface you wish to ping from. The IP following the argument should be an interface IP assigned to the firewall. The last IP is the final target for the ping command.