Integration Guide
Oracle Bare Metal BOVPN
Revised: 17 November 2017
About This Guide

Guide Type: Documented Integration. WatchGuard or a Technology Partner has provided documentation demonstrating the integration.

Guide Details: WatchGuard provides integration instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about how to configure a third-party product, see the documentation and support resources for that product.

2 Oracle Bare Metal BOVPN Integration Guide
Oracle Bare Metal BOVPN Integration Overview

Oracle Bare Metal BOVPN is the IPSec VPN service offered by Oracle Cloud Infrastructure (OCI). This document describes the basic steps needed to build a Branch Office VPN (BOVPN) between the Oracle Cloud and the Firebox.

Platform and Software

The hardware and software used to complete the steps outlined in this document include:
- WatchGuard Firebox with Fireware v12
- Oracle Bare Metal account with networking

Oracle Bare Metal BOVPN Setup

Oracle documentation lists the basic structure to set up a Branch Office VPN. The steps in this guide closely follow that general path:
1. Gather information.
2. Create your VCN (Virtual Cloud Network).
3. Create your DRG (Dynamic Routing Gateway).
4. Attach the DRG to your VCN.
5. Update the routing in your VCN to use the DRG.
6. Create a CPE (Customer-Premises Equipment) object and provide your router's public IP address.
7. From your DRG, create an IPSec connection to the CPE object and provide your static routes.
8. Configure your CPE router (the WatchGuard Firebox).
Create Virtual Cloud Network
1. Select your Compartment in the Oracle Cloud Infrastructure console. The compartments available depend on your permissions.
2. Click Networking > Virtual Cloud Networks. The Create Virtual Cloud Network dialog box appears.
3. Leave the default values in the dialog box and click Create Virtual Cloud Network.
You have now created the Virtual Cloud Network. Next you must create the Dynamic Routing Gateway.

Create Dynamic Routing Gateway
1. In the Oracle Cloud Infrastructure console, click Networking > Dynamic Routing Gateways, then click Create Dynamic Routing Gateway. The Create Dynamic Routing Gateway dialog box appears.
2. The Create in Compartment field auto-populates with the current compartment name. Enter a different compartment name if you want to create the DRG in another compartment.
3. In the Name field, enter a friendly name. Note that the name cannot be changed later in the console.
4. Click Create Dynamic Routing Gateway. The new DRG appears in the console.
Once the DRG is created you must attach it to the cloud network.

Attach Dynamic Routing Gateway to a Cloud Network
1. In the Oracle Cloud Infrastructure console, click Networking > Dynamic Routing Gateways. A list of the DRGs available in the compartment appears.
2. Select the DRG you want to attach.
3. With the DRG still selected, click the Virtual Cloud Networks link on the left-hand side. The Attach to Virtual Cloud Network dialog box appears. Select the VCN you created and attach the DRG to it.

Update the Route Table
1. In the Oracle Cloud Infrastructure console, click Networking > Virtual Cloud Networks. A list of the cloud networks available in your compartment appears.
2. Select the VCN you want.
3. Click Route Tables. A list of all the route tables appears. For each subnet that needs to communicate with your on-premises network, update that subnet's route table with a new route whose target is the DRG.
4. Select the route table you want and click Create Route Rule.
5. Enter the details:
   CIDR: the CIDR of your on-premises network (the network behind the Firebox that must reach the VCN)
   Target: the DRG you created earlier
6. Click Create.

Create Customer-Premises Equipment (CPE)
1. In the Oracle Cloud Infrastructure console, click Networking > Customer-Premises Equipment.
2. Click Create Customer-Premises Equipment. The Create Customer-Premises Equipment dialog box appears. Complete all the fields:
   Create in Compartment
   Name
   IP Address: the public IP address of the Firebox. This must be the same address the Firebox later presents as its local gateway ID (see Configure Gateway Settings), because Oracle identifies the IKE peer by this address.
3. Click Create.

Link DRG to IPSec Connection
1. In the Oracle Cloud Infrastructure console, click Networking > Dynamic Routing Gateways.
2. Select the DRG you created. On the right-hand side, under Resources, click IPSec Connections, then click Create IPSec Connection. The Static Route CIDR must match the on-premises network behind the Firebox (the same CIDR you entered in the route rule); Oracle only routes traffic for the CIDRs listed here back through the tunnel.
3. Click the three dots to the right of the newly created IPSec connection. Here you can either view the Tunnel Information or terminate the BOVPN. Under Tunnel Information you find the shared secret and the Oracle public IP address for each tunnel; both are needed for the WatchGuard BOVPN gateway settings. Copy the shared key and public IP for use later. The shared secret is the only credential that authenticates this tunnel, so handle it like a password and do not leave it in plain-text notes or tickets.

Note: Oracle provides more than one public gateway (tunnel) for this IPSec connection, and the Firebox can be configured to use all of them. If you need this option, follow Configure VPN Failover in the WatchGuard documentation.
WatchGuard Firewall BOVPN Setup

The WatchGuard BOVPN setup must match the transforms and IPSec proposals offered by the Oracle BOVPN. The Oracle cloud may offer several options during BOVPN negotiation. In general, the settings listed below are the ones Oracle offers first, and using them gives a more stable BOVPN. Note that SHA1 for ESP authentication and Diffie-Hellman Group 5 (1536-bit MODP) are below current recommendations; they appear here because they are what Oracle offered when this guide was written. If the Oracle side later offers stronger Phase 2 authentication or a larger DH group, prefer those.

Configuration Summary

WatchGuard Phase One Settings:
- Version: IKEv1
- Mode: Main
- NAT Traversal: disabled
- IKE Keep-alive: disabled
- Dead Peer Detection (DPD): enabled
  - Traffic idle timeout: 10 seconds
  - Max retries: 3
- Transform Settings:
  - Authentication: SHA2-384
  - Encryption: AES (256-bit)
  - SA Life: 8 hours
  - Key Group: Diffie-Hellman Group 5

WatchGuard Phase Two Settings:
- Perfect Forward Secrecy: enabled, Diffie-Hellman Group 5
- IPSec Proposal:
  - Type: ESP (Encapsulating Security Payload)
  - Authentication: SHA1
  - Encryption: AES (256-bit)
  - Force Key Expiration: Time, 1 hour

These are the steps to enter the above values, add the public IP address gateway, and add the tunnel routes to build the BOVPN.

Configure the Phase 2 IPSec Proposal from the Fireware Web UI
Configure the Phase 2 IPSec proposal first; it then appears in a drop-down list when you configure the BOVPN virtual interface.
1. In the Fireware Web UI, select VPN > Phase 2 Proposals.
2. Click Add to create a new proposal.
3. In the Name field, enter a name for the proposal.
4. The Description field is optional.
5. From the Type drop-down list, select ESP (Encapsulating Security Payload).
6. From the Authentication drop-down list, select SHA1.
7. From the Encryption drop-down list, select AES (256-bit).
8. Select the Force Key Expiration check box and enter 1 hour.
9. Click Save.

Configure Gateway Settings
1. Select VPN > BOVPN Virtual Interface.
2. Click Add.
3. In the General Settings tab, select Use Pre-Shared Key and paste the pre-shared key from the Oracle IPSec connection's Tunnel Information.
4. In the Gateway Endpoint section, click Add. The New Gateway Endpoint Settings dialog box appears.
5. On the Local Gateway tab, for Specify the gateway ID for tunnel authentication, select By IP Address and specify the IP address. By default this is the primary public address assigned to the firewall; it must be the same address you entered for the CPE object in Oracle.
6. On the Remote Gateway tab, for Specify the remote gateway IP address for a tunnel, select Static IP Address and enter the public IP address you copied from the Oracle Bare Metal IPSec connection's Tunnel Information.
7. Click OK.

Note: The Advanced tab is also here. If you configure multiple public IP addresses for VPN failover, you must enter the shared key for each remote public gateway on this tab, because each Oracle tunnel has its own shared secret. See Configure VPN Failover for more information.

Configure VPN Routes
1. Continue in the BOVPN Virtual Interface and select the VPN Routes tab.
2. Click Add.
3. From the Choose Type drop-down list, select an option:
   Host IPv4 - Select this option if only one IPv4 host is the VPN destination.
   Network IPv4 - Select this option if a full IPv4 network is the VPN destination.
   Host IPv6 - Select this option if only one IPv6 host is the VPN destination.
   Network IPv6 - Select this option if a full IPv6 network is the VPN destination.
   Note: Oracle does not support IPv6, so use one of the IPv4 options.
4. In the Route To field, enter the network address or host address in the VCN that this tunnel should reach.
5. In the Metric field, type or select a metric value for the route.
6. Click OK.

Note: At the bottom of the BOVPN Virtual Interfaces page there is an option, Add this tunnel to the BOVPN-Allow policies. If this is not selected you must manually add a policy to allow this traffic. The BOVPN-Allow policies permit any traffic across the tunnel in both directions; if you need least-privilege filtering between the VCN and your on-premises network, leave the option cleared and write policies that allow only the required hosts and ports.

Configure Phase 1 Settings for IKEv1 from the Fireware Web UI
1. Continue in the BOVPN Virtual Interface and select the Phase 1 Settings tab.
2. From the Version drop-down list, select IKEv1.
3. From the Mode drop-down list, select Main.
4. Clear the NAT Traversal and IKE Keep-alive check boxes.
5. Select the Dead Peer Detection check box. For Traffic Idle Timeout enter 10 seconds. For Max retries enter 3.
6. In the Transform Settings section, select the transform you want and click Edit.
7. From the Authentication drop-down list, select SHA2-384.
8. From the Encryption drop-down list, select AES (256-bit).
9. Change the SA Life to 8 hours.
10. From the Key Group drop-down list, select Diffie-Hellman Group 5.

Assign the Phase 2 Proposal
Continue in the BOVPN Virtual Interface on the Phase 2 Settings tab:
1. Select the Enable Perfect Forward Secrecy check box and, from the drop-down list, select Diffie-Hellman Group 5.
2. If any IPSec proposals are listed, remove them.
3. From the drop-down list, select the Phase 2 proposal you created earlier in these directions.
4. Click Save.

You can check the status of the VPN in the Web UI at System Status > VPN Statistics > Branch Office VPN.
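Most failed Oracle-to-Firebox tunnels come down to one of two things: a Phase 1 or Phase 2 proposal that does not match what Oracle offers, or a CIDR that is entered differently in the VCN route rule, the IPSec connection's static routes, and the Firebox VPN routes. The script below is a pre-flight check added to this guide as an example; it is not WatchGuard or Oracle code and talks to neither console. The proposal dictionaries are transcribed from the Configuration Summary above, and every address in it is a constructed, hypothetical value standing in for what you read out of the Oracle console and the Fireware Web UI.

```python
"""Pre-flight consistency check for an Oracle Bare Metal <-> Firebox BOVPN.

Added example for this guide; not WatchGuard or Oracle code. Proposal values
come from the Configuration Summary; all addresses are constructed examples.
"""
import ipaddress

# What Oracle offers first, per the Configuration Summary (constructed dicts).
ORACLE_PHASE1 = {"version": "IKEv1", "mode": "Main", "auth": "SHA2-384",
                 "enc": "AES-256", "dh_group": 5, "sa_life_hours": 8}
ORACLE_PHASE2 = {"type": "ESP", "auth": "SHA1", "enc": "AES-256",
                 "pfs_dh_group": 5, "key_life_hours": 1}


def proposal_mismatches(firebox, oracle):
    """Fields on which the Firebox proposal differs from what Oracle offers.

    IKE succeeds only when the responder finds a proposal it accepts, so any
    field returned here means Phase 1 or Phase 2 will not come up.
    """
    return sorted(k for k in oracle if firebox.get(k) != oracle[k])


def _net(cidr):
    # Accept host addresses ("10.0.1.5") as well as prefixes ("10.0.0.0/16").
    return ipaddress.ip_network(cidr, strict=False)


def route_problems(vcn_cidr, oci_route_rule_cidrs, oci_static_routes,
                   onprem_networks, firebox_vpn_routes):
    """Cross-check the places a CIDR must agree in this guide.

    - VCN route rules (Update the Route Table) send on-prem CIDRs to the DRG.
    - IPSec connection static routes (Link DRG to IPSec Connection) must list
      the same on-prem CIDRs exactly, or Oracle has no return route.
    - Firebox VPN routes (Configure VPN Routes) must point into the VCN.
    - On-prem and VCN address space must not overlap, or return traffic is
      delivered locally instead of entering the tunnel.
    Returns human-readable findings; an empty list means consistent.
    """
    vcn = _net(vcn_cidr)
    rules = [_net(c) for c in oci_route_rule_cidrs]
    statics = {_net(c) for c in oci_static_routes}
    findings = []
    for onprem in map(_net, onprem_networks):
        if onprem.overlaps(vcn):
            findings.append(f"on-prem {onprem} overlaps VCN {vcn}")
        if onprem not in statics:
            findings.append(f"IPSec connection static route missing for {onprem}")
        if not any(onprem.subnet_of(r) for r in rules):
            findings.append(f"VCN route rule to DRG missing for {onprem}")
    for route in map(_net, firebox_vpn_routes):
        if not route.subnet_of(vcn):
            findings.append(f"Firebox VPN route {route} is outside VCN {vcn}")
    return findings


def check(firebox_phase1, firebox_phase2, **routing):
    """Run the proposal and routing checks together; returns all findings."""
    findings = [f"Phase 1 mismatch: {k}"
                for k in proposal_mismatches(firebox_phase1, ORACLE_PHASE1)]
    findings += [f"Phase 2 mismatch: {k}"
                 for k in proposal_mismatches(firebox_phase2, ORACLE_PHASE2)]
    findings += route_problems(**routing)
    return findings


if __name__ == "__main__":
    # Constructed example: VCN 10.0.0.0/16, one on-prem LAN behind the Firebox.
    good = dict(vcn_cidr="10.0.0.0/16",
                oci_route_rule_cidrs=["192.168.10.0/24"],
                oci_static_routes=["192.168.10.0/24"],
                onprem_networks=["192.168.10.0/24"],
                firebox_vpn_routes=["10.0.0.0/16"])
    print(check(ORACLE_PHASE1, ORACLE_PHASE2, **good) or "consistent")
    # Same tunnel with two typical mistakes: DH group 2 on the Firebox and a
    # static route typed as /25 in the Oracle console.
    bad = dict(good, oci_static_routes=["192.168.10.0/25"])
    for finding in check(dict(ORACLE_PHASE1, dh_group=2), ORACLE_PHASE2, **bad):
        print(finding)
```

Feed it the values you actually entered in both consoles before you click Save on the Firebox; a static route that is a /25 where the route rule says /24 is exactly the kind of mismatch that leaves Phase 2 up and traffic silently dropped on the Oracle side.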
Test the Branch Office VPN

Usually you need to send some type of traffic through the VPN, such as a ping or a server connection, to verify that traffic passes. On the Oracle side this requires a virtual server in a subnet whose route table sends your on-premises CIDR to the DRG, and the VCN's security list must permit the test traffic. If you do not have a test device on the WatchGuard side of the VPN, run the Diagnostic Tasks on your Firebox.

To run diagnostic tasks for your Firebox:
1. Select System Status > Diagnostics. The Diagnostics page appears with the Diagnostics File tab selected.
2. Select the Network tab. The Network page appears.
3. From the Task drop-down list, select Ping.
4. In the Address text box, type the IP address or host name of the Oracle instance.
5. Select Advanced Options to ping from a specific local firewall interface. The option is:
   -I: the dash capital I specifies the IP address of the local interface to ping from. The IP following the argument must be an interface IP assigned to the firewall, and it should fall inside a CIDR that you listed as a static route on the Oracle IPSec connection; a ping sourced from the external interface address has no return route in the VCN and will not answer, even when the tunnel is up. The last IP is the final target of the ping command.