BOVPN Virtual Interface for Dynamic Routing to Amazon Web Services (AWS)

In Fireware v11.12.2 and higher, you can configure a BOVPN virtual interface to connect your Firebox to an Amazon Web Services (AWS) virtual network. Amazon refers to this virtual network as a Virtual Private Cloud (VPC).

This example summarizes the configuration settings for dynamic routing between a Firebox BOVPN virtual interface and an AWS VPC. AWS supports the BGP dynamic routing protocol. OSPF is not supported.

For general, step-by-step instructions that explain how to configure a virtual interface, see Configure a BOVPN Virtual Interface.

To get the pre-shared keys and AWS IP addresses to complete your Firebox configuration, you must download a configuration file from your AWS VPC console. Select VPN Connections > Download Configuration, and select the Generic vendor.
For more information about how to configure the AWS VPN settings, see the Amazon Virtual Private Cloud User Guide.

Configuration Example

Firebox Interfaces

For this example, the Firebox has one external interface and one trusted network.

Interface   Type       Name       IP Address
0           External   External   203.0.113.2/24
1           Trusted    Trusted    10.0.1.1/24

AWS Interfaces

For this example, the AWS VPN configuration has two external virtual interfaces and one trusted virtual network.

An AWS VPN configuration includes one virtual private gateway with two external IP addresses for redundancy. AWS automatically determines which IP address is the primary IP address.

Failover between the external IP addresses is enabled by default. If the primary AWS external IP address is unavailable, VPN traffic automatically fails over to the other AWS external IP address.

Interface   Type       Name        IP Address
0           External   External1   198.51.100.2/24
1           External   External2   192.0.2.2/24
2           Trusted    Trusted     10.0.100.1/24

Firebox Configuration

To configure a redundant gateway that uses both AWS external IP addresses, you must configure two BOVPN virtual interfaces.

On the Gateway Settings tab for the first virtual interface (for this example, toAWS-1):

  • Remote Endpoint Type is Cloud VPN or Third-Party Gateway
  • Credential Method is Use Pre-Shared Key. Specify the pre-shared key included in the AWS VPN configuration file for IPSec Tunnel #1.
  • Gateway Endpoint settings are:
    • Local Gateway ID — 203.0.113.2 (external interface of the Firebox)
    • Remote Gateway IP address and ID — 198.51.100.2 (first IP address of the AWS virtual private gateway)

For the second virtual interface (for this example, toAWS-2):

  • Remote Endpoint Type is Cloud VPN or Third-Party Gateway
  • Credential Method is Use Pre-Shared Key.
    Specify the pre-shared key included in the AWS VPN configuration file for IPSec Tunnel #2.
  • Gateway Endpoint settings are:
    • Local Gateway ID — 203.0.113.2 (external interface of the Firebox)
    • Remote Gateway IP address and ID — 192.0.2.2 (second IP address of the AWS virtual private gateway)

In the Web UI, the gateway settings are:

[Screen shot: Gateway configuration for the first virtual interface in the Web UI]

[Screen shot: Gateway configuration for the second virtual interface in the Web UI]

In Policy Manager, the gateway settings are:

[Screen shot: Gateway configuration for the first virtual interface in Policy Manager]

[Screen shot: Gateway configuration for the second virtual interface in Policy Manager]

On the VPN Routes tab, specify the virtual IP addresses included in the AWS VPN configuration file. The netmask assigned by AWS is always /30 (255.255.255.252).

For the first virtual interface (toAWS-1):

  • Assign virtual interface IP addresses — Selected
  • Local IP address — 169.254.11.254
    In the AWS VPN Configuration file, in the IPSec Tunnel #1 section, this is the Inside Customer Gateway IP address.
  • Peer IP address or netmask — 255.255.255.252
    In the AWS VPN Configuration file, in the IPSec Tunnel #1 section, this is the Inside Customer Gateway netmask.

For the second virtual interface (toAWS-2):

  • Assign virtual interface IP addresses — Selected
  • Local IP address — 169.254.9.162
    In the AWS VPN Configuration file, in the IPSec Tunnel #2 section, this is the Inside Customer Gateway IP address.
  • Peer IP address or netmask — 255.255.255.252
    In the AWS VPN Configuration file, in the IPSec Tunnel #2 section, this is the Inside Customer Gateway netmask.

In the Web UI, the virtual IP address settings are:

[Screen shot: Virtual IP address configuration for the first virtual interface in the Web UI]

[Screen shot: Virtual IP address configuration for the second virtual interface in the Web UI]

In Policy Manager, the virtual IP address settings are:

[Screen shot: Virtual IP address configuration for the first virtual interface in Policy Manager]

[Screen shot: Virtual IP address configuration for the second virtual interface in Policy Manager]

During VPN negotiations, AWS identifies the authentication and encryption algorithm settings from the Firebox and automatically uses the same settings, if they are supported. AWS supports specific proposals. You cannot edit the list of proposals available in AWS.

On the Phase 1 Settings tab for both virtual interfaces, we recommend these settings for stronger security:

  • Authentication — SHA2-256
  • Encryption — AES (256-bit)
  • Diffie-Hellman Group — 14

In Fireware v12.0 and higher, the default Diffie-Hellman setting is Group 14. In Fireware v11.12.4 and lower, the default Diffie-Hellman setting is Group 2. AWS supports both groups.

Keep all other Phase 1 settings at the default values. Do not change the default Version setting of IKEv1. AWS does not support IKEv2.

[Screen shot: Phase 1 settings in the Web UI]

[Screen shot: Phase 1 settings in Policy Manager]

For stronger security, we recommend the default ESP-AES256-SHA256 transform in the Phase 2 settings.

Fireware v11.12.4 or lower has different default Phase 2 settings. If your Firebox has Fireware v11.12.4 or lower, we recommend that you add a new Phase 2 proposal that specifies ESP, AES (256-bit) for encryption, and SHA2-256 for authentication. For more information, see Add a Phase 2 Proposal.

On the Phase 2 Settings tab for both virtual interfaces:

  • Enable Perfect Forward Secrecy — Selected
  • Diffie-Hellman — Group 14
  • Phase 2 IPSec Proposal — ESP-AES256-SHA256

In Fireware v12.0 and higher, the default Diffie-Hellman setting is Group 14. In Fireware v11.12.4 and lower, the default Diffie-Hellman setting is Group 2. AWS supports both groups.

[Screen shot: Phase 2 settings in the Web UI]

[Screen shot: Phase 2 settings in Policy Manager]

The AWS BGP ASN and the virtual IP address (the BGP peer address) are defined by AWS and cannot be changed. The Firebox BGP dynamic routing configuration has these commands for the IP addresses in this example:

router bgp 10001
!
! to AWS VPC 1st ext-if
!
neighbor 169.254.11.253 remote-as 7224
neighbor 169.254.11.253 activate
neighbor 169.254.11.253 timers 10 30
!
! to AWS VPC 2nd ext-if
!
neighbor 169.254.9.161 remote-as 7224
neighbor 169.254.9.161 activate
neighbor 169.254.9.161 timers 10 30
!
! To advertise additional prefixes to Amazon VPC, copy the 'network' statement
! and identify the prefix you wish to advertise. Make sure the prefix is present
! in the routing table of the device with a valid next-hop.
!
network 10.0.1.0/24

[Screen shot: The configured BGP settings in the Web UI]

[Screen shot: The configured BGP settings in Policy Manager]

If you configure more than one trusted network on your Firebox, and you want AWS to learn the route to an additional trusted network, use an additional network command. For example:

network 10.0.1.0/24
network 10.0.2.0/24
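The VPN Routes settings and the BGP neighbor statements above describe the same two /30 inside links from opposite ends: the Local IP address on each virtual interface is the Firebox end, and the BGP neighbor address must be the other usable host of that /30 (the AWS virtual private gateway end). A mismatch (for example, using the Firebox's own inside address, or the Firebox ASN instead of the AWS ASN, as the neighbor) leaves the BGP session down and the tunnel without routes. The following Python script is an added example, not WatchGuard's or Amazon's code; it derives the AWS end of each /30 link from the inside Customer Gateway address, generates the corresponding `router bgp` block, and checks an existing BGP configuration block for neighbor or prefix errors. The tunnel dictionary layout, the function names and the hypothetical `! toAWS-n` comment lines are assumptions made for this example; the addresses and ASNs are the ones used on this page.

```python
import ipaddress
import re

# Constructed sample: the two tunnels from this page, using the Inside Customer
# Gateway addresses that AWS assigns in the VPN configuration file. The dictionary
# layout is an assumption for this example, not the AWS file format.
TUNNELS = [
    {"name": "toAWS-1", "inside_cgw": "169.254.11.254/30", "aws_asn": 7224},
    {"name": "toAWS-2", "inside_cgw": "169.254.9.162/30", "aws_asn": 7224},
]
FIREBOX_ASN = 10001
TRUSTED_NETWORKS = ["10.0.1.0/24"]

NEIGHBOR_RE = re.compile(r"^\s*neighbor\s+(\S+)\s+remote-as\s+(\d+)\s*$")
NETWORK_RE = re.compile(r"^\s*network\s+(\S+)\s*$")


def inside_peer(inside_cgw: str) -> str:
    """Return the AWS (virtual private gateway) address of a /30 inside link.

    AWS always assigns a /30, so the link has exactly two usable hosts: the
    Firebox address given in the config file and the AWS address we derive here.
    """
    iface = ipaddress.ip_interface(inside_cgw)
    if iface.network.prefixlen != 30:
        raise ValueError(f"expected a /30 inside link, got /{iface.network.prefixlen}")
    hosts = list(iface.network.hosts())
    if iface.ip not in hosts:
        raise ValueError(f"{iface.ip} is not a usable host address in {iface.network}")
    (peer,) = [h for h in hosts if h != iface.ip]
    return str(peer)


def bgp_config(firebox_asn: int, tunnels: list, networks: list) -> str:
    """Generate the Fireware BGP dynamic routing block for the given tunnels."""
    lines = [f"router bgp {firebox_asn}"]
    for t in tunnels:
        peer = inside_peer(t["inside_cgw"])
        lines += [
            "!",
            f"! {t['name']}",  # hypothetical comment naming the virtual interface
            "!",
            f"neighbor {peer} remote-as {t['aws_asn']}",
            f"neighbor {peer} activate",
            f"neighbor {peer} timers 10 30",
        ]
    lines.append("!")
    # One 'network' statement per trusted prefix that AWS should learn.
    lines += [f"network {n}" for n in networks]
    return "\n".join(lines)


def check_bgp_config(config_text: str, tunnels: list) -> list:
    """Return a list of problems found in a Fireware BGP configuration block.

    Checks: every neighbor is the AWS end of a configured /30, uses the AWS ASN,
    every tunnel has a neighbor statement, and every 'network' prefix is valid
    (host bits must be zero, or the prefix cannot be advertised as written).
    """
    problems = []
    expected = {inside_peer(t["inside_cgw"]): t for t in tunnels}
    seen = set()
    for line in config_text.splitlines():
        m = NEIGHBOR_RE.match(line)
        if m:
            addr, asn = m.group(1), int(m.group(2))
            if addr not in expected:
                problems.append(f"neighbor {addr} is not the AWS end of any configured /30 link")
            elif asn != expected[addr]["aws_asn"]:
                problems.append(f"neighbor {addr}: remote-as {asn}, but AWS uses {expected[addr]['aws_asn']}")
            seen.add(addr)
            continue
        m = NETWORK_RE.match(line)
        if m:
            try:
                ipaddress.ip_network(m.group(1))  # strict=True by default
            except ValueError:
                problems.append(f"network {m.group(1)} is not a valid prefix (host bits set?)")
    for addr, t in expected.items():
        if addr not in seen:
            problems.append(f"{t['name']}: no neighbor statement for {addr}")
    return problems


if __name__ == "__main__":
    cfg = bgp_config(FIREBOX_ASN, TUNNELS, TRUSTED_NETWORKS)
    print(cfg)
    print("problems:", check_bgp_config(cfg, TUNNELS))
```

Paste the BGP block from your own Firebox configuration into `check_bgp_config` together with the inside addresses from your AWS configuration file; an empty list means every neighbor statement points at the AWS end of a link that the VPN Routes tab actually creates.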

AWS Configuration

In your AWS VPN configuration file, the settings are:

IPSec Tunnel #1:

  • Outside IP addresses:
    • Customer Gateway — 203.0.113.2 (external interface on the Firebox)
    • Virtual Private Gateway — 198.51.100.2 (first IP address of the AWS virtual private gateway)
  • Inside IP addresses:
    • Customer Gateway — 169.254.11.254/30 (IP address of the first virtual interface on the Firebox)
    • Virtual Private Gateway — 169.254.11.253 (IP address for the first virtual interface of the AWS VPN)
  • BGP:
    • Neighbor IP address — 169.254.11.254
    • Customer Gateway ASN — 10001 (the BGP ASN of the Firebox)

IPSec Tunnel #2:

  • Outside IP addresses:
    • Customer Gateway — 203.0.113.2 (external interface on the Firebox)
    • Virtual Private Gateway — 192.0.2.2 (second IP address of the AWS virtual private gateway)
  • Inside IP addresses:
    • Customer Gateway — 169.254.9.162/30 (IP address of the second virtual interface on the Firebox)
    • Virtual Private Gateway — 169.254.9.161 (IP address for the second virtual interface of the AWS VPN)
  • BGP:
    • Neighbor IP address — 169.254.9.162
    • Customer Gateway ASN — 10001 (the BGP ASN of the Firebox)

For more information about how to configure your AWS VPC, see the Amazon Virtual Private Cloud User Guide.
