Related Topics
BOVPN Virtual Interface for Static Routing to Amazon Web Services (AWS)
In Fireware v11.12.2 and higher, you can configure a BOVPN virtual interface to connect your Firebox to an Amazon Web Services (AWS) virtual network. Amazon refers to this virtual network as a Virtual Private Cloud (VPC).
This example summarizes the configuration settings for static routing between a Firebox BOVPN virtual interface and an AWS VPC. For general, step-by-step instructions that explain how to configure a virtual interface, see Configure a BOVPN Virtual Interface.
To get the pre-shared keys and AWS IP addresses to complete your Firebox configuration, you must download a configuration file from your AWS VPC console. Select VPN Connections > Download Configuration, and select the Generic vendor.
For more information about how to configure the AWS VPN settings, see the Amazon Virtual Private Cloud User Guide.
Configuration Example
Firebox Interfaces
For this example, the Firebox has one external interface and one trusted network.
| Interface | Type | Name | IP Address |
|---|---|---|---|
| 0 | External | External | 203.0.113.2/24 |
| 1 | Trusted | Trusted | 10.0.1.1/24 |
AWS Interfaces
For this example, the AWS VPN configuration has two external virtual interfaces and one trusted virtual network.
An AWS VPN configuration includes one virtual private gateway with two external IP addresses for redundancy. AWS automatically determines which IP address is the primary IP address.
Failover between the external IP addresses is enabled by default. If the primary AWS external IP address is unavailable, VPN traffic automatically fails over to the other AWS external IP address.
| Interface | Type | Name | IP Address |
|---|---|---|---|
| 0 | External | External1 | 198.51.100.2/24 |
| 1 | External | External2 | 192.0.2.2/24 |
| 2 | Trusted | Trusted | 10.0.100.1/24 |
Firebox Configuration
To configure a redundant gateway that uses both AWS external IP addresses, you must configure one BOVPN virtual interface that includes two gateway endpoints.
You must specify different pre-shared keys for each gateway endpoint on your Firebox, which requires Fireware v11.12.2 or higher.
On the Gateway Settings tab:
- Remote Endpoint Type is Cloud VPN or Third-Party Gateway
- Credential Method is Use Pre-Shared Key.
Keep the text box empty. Later in the configuration process, you must specify a different pre-shared key for each gateway in the gateway endpoint settings. - Gateway Endpoint settings are:
- Local Gateway ID — 203.0.113.2 (external interface of the Firebox)
- Remote Gateway IP address and ID — 198.51.100.2 (first IP address of the AWS virtual private gateway)
- Remote Gateway IP address and ID — 192.0.2.2 (second IP address of the AWS virtual private gateway)
Gateway configuration in the Web UI
Gateway configuration in Policy Manager
In the Advanced settings for each gateway endpoint, specify the pre-shared key included in your AWS configuration file. The AWS configuration file includes two pre-shared keys, one for each gateway endpoint.
Pre-shared key settings in the Web UI
Pre-shared key settings in Policy Manager
On the VPN Routes tab, specify the route to the trusted (private) network of your AWS VPC. To find this IP address in your AWS configuration, select Subnets or Route Tables.
- Choose Type — Network IPv4
- Route to — 10.0.100.0/24
Static route configuration in the Web UI
Static route configuration in Policy Manager
During VPN negotiations, AWS identifies the authentication and encryption algorithm settings from the Firebox and automatically uses the same settings, if they are supported. AWS supports specific proposals. You cannot edit the list of proposals available in AWS.
On the Phase 1 Settings tab for both gateways, we recommend these settings for stronger security:
- Authentication — SHA2-256
- Encryption — AES (256-bit)
- Diffie-Hellman Group — 14
In Fireware v12.0 and higher, the default Diffie-Hellman setting is Group 14. In Fireware v11.12.4 and lower, the default Diffie-Hellman setting is Group 2. AWS supports both groups.
Keep all other Phase 1 settings at the default values. Do not change the default Version setting of IKEv1. AWS does not support IKEv2.
Phase 1 settings in the Web UI
Phase 1 settings in Policy Manager
For stronger security, we recommend the default ESP-AES256-SHA256 transform in the Phase 2 settings.
Fireware v11.12.4 or lower has different default Phase 2 settings. If your Firebox has Fireware v11.12.4 or lower, we recommend that you add a new Phase 2 proposal that specifies ESP, AES (256-bit) for encryption, and SHA2-256 for authentication. For more information, see Add a Phase 2 Proposal.
On the Phase 2 Settings tab for both gateways:
- Enable Perfect Forward Secrecy — Selected
- Diffie-Helman — Group 14
- Phase 2 IPSec Proposal — ESP-AES256-SHA256
In Fireware v12.0 and higher, the default Diffie-Hellman setting is Group 14. In Fireware v11.12.4 and lower, the default Diffie-Hellman setting is Group 2. AWS supports both groups.
Phase 2 settings in the Web UI
Phase 2 settings in Policy Manager
AWS Configuration
In your AWS VPN configuration, the settings are:
- Customer Gateway Address — 203.0.113.2 (external interface on the Firebox )
- VPN Connections:
- Tunnel 1 — 198.51.100.2 (first IP address of the AWS virtual private gateway)
- Tunnel 2 — 192.0.2.2 (second IP address of the AWS virtual private gateway)
- Static Route — 10.0.1.0/24 (trusted network of the Firebox)
For more information about how to configure the AWS VPN settings, see the Amazon Virtual Private Cloud User Guide.