CenturyLink Cloud BOVPN Integration Guide

WatchGuard provides integration instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about how to configure a third-party product, see the documentation and support resources for that product.

This integration guide describes how to configure a Branch Office VPN (BOVPN) tunnel between a WatchGuard Firebox and a CenturyLink Cloud site.

Integration Summary

The hardware and software used in this guide include:

  • WatchGuard Firebox:
    • Fireware v12.5.1
  • CenturyLink Cloud

Topology

This diagram shows the topology used to test this integration.

Topology diagram

Configure the Firebox

To configure a BOVPN on your Firebox, you must:

  • Add a BOVPN gateway
  • Add a new Phase 2 proposal
  • Add a BOVPN tunnel

CenturyLink Cloud does not support all default Firebox BOVPN settings. The procedures in this guide indicate when you must change a default Firebox setting.

To add a gateway, from Fireware Web UI:

  1. Log in as a user with administrator credentials.
  2. Select VPN > Branch Office VPN.
  3. In the Gateways section, click Add.
  4. In the Gateway Name text box, type a name to identify this BOVPN Gateway. In our example, we use gateway.1.
  5. From the Address Family drop-down list, select IPv4 Addresses.
  6. In the Credential Method section, select Use Pre-Shared Key.
  7. In the adjacent text box, type the pre-shared key.

Screenshot of the gateway settings

  8. In the Gateway Endpoint section, click Add.
    The Gateway Endpoint Settings dialog box appears.
  9. On the Local Gateway tab, from the External Interface drop-down list, select External.
  10. From the Interface IP Address drop-down list, select Primary Interface IPv4 Address.
  11. Select By IP Address.
  12. In the adjacent text box, type the public (external) IP address of your Firebox.

Screenshot of the local gateway settings

  13. On the Remote Gateway tab, select Static IP Address.
  14. In the adjacent text box, type the outgoing public IP address of the CenturyLink Cloud site.
  15. Select By IP Address.
  16. In the adjacent text box, again type the outgoing public IP address of the CenturyLink Cloud site.

Screenshot of the remote gateway settings

  17. Click OK.
  18. In the Gateway Endpoint section, select Start Phase 1 tunnel when Firebox starts.

Screenshot of the Branch Office VPN settings

  19. Click the Phase 1 Settings tab.
  20. From the Version drop-down list, select IKEv1.
  21. From the Mode drop-down list, select Main.
  22. Click Add.
    The Transform Settings dialog box appears.
  23. From the Authentication drop-down list, select SHA1.
  24. From the Encryption drop-down list, select AES(256-bit).
  25. Keep the default SA Life value, which is 24 hours.
  26. From the Key Group drop-down list, select Diffie-Hellman Group 5.

Screenshot of the Transform Settings

  27. Click OK.

Screenshot of the Phase 1 settings

  28. Click Save.

Screenshot of the Gateways settings

Next, add a Phase 2 proposal:

  1. Select VPN > Phase 2 Proposals.
  2. Click Add.
  3. In the Name text box, type a name for this proposal. In our example, we specify ESP-SHA1-AES256.
  4. In the Description text box, type a description for this Phase 2 proposal.
  5. From the Type drop-down list, select ESP (Encapsulating Security Payload).
  6. From the Authentication drop-down list, select SHA1.
  7. From the Encryption drop-down list, select AES(256-bit).
  8. Set Force Key Expiration to 1 hour.
  9. Keep the default values for all other settings.

Screenshot of the Phase 2 Proposal settings

  10. Click Save.

Next, add a tunnel:

  1. Select VPN > Branch Office VPN.
  2. In the Tunnels section, click Add.
  3. In the Name text box, type a name to identify this Branch Office VPN Tunnel. In our example, we use tunnel.1.
  4. From the Gateway drop-down list, select gateway.1.
  5. In the Addresses section, click Add.
    The Tunnel Route Settings dialog box appears.
  6. In the Local IP section, from the Choose Type drop-down list, select Network IPv4.
  7. In the Network IP text box, type the network IP address of the local network behind the Firebox.
  8. In the Remote IP section, from the Choose Type drop-down list, select Network IPv4.
  9. In the Network IP text box, type the network IP address of the protected network at the CenturyLink Cloud site.
  10. Keep the default values for all other settings.

Screenshot of the Tunnel Route settings

  11. Click OK.

Screenshot of the Tunnel settings

  12. Click Phase 2 Settings.
  13. Select the Enable Perfect Forward Secrecy check box.
  14. From the drop-down list, select Diffie-Hellman Group 5.
  15. Select the default Phase 2 proposal and click Remove.
  16. From the drop-down list, select ESP-SHA1-AES256.
  17. Click Add.

Screenshot of the Phase 2 settings

  18. Click Save.

Screenshot of the Branch Office VPN settings

Configure CenturyLink Cloud

When you enable PFS in Phase 2, the Diffie-Hellman group is inherited from the Phase 1 settings.

To configure the CenturyLink network settings:

  1. Log in to your CenturyLink Control Portal.
  2. Select Network > Networks.

Screenshot of the CenturyLink networks

  3. To add a new network, click +network.

Screenshot of the CenturyLink networks after the network is added

Next, configure the CenturyLink Site-to-Site VPN settings:

  1. Select Network > Site-to-Site VPN.
  2. Click +site-to-site VPN.
  3. In the Sites and Networks section, from the Control Portal Site drop-down list, select your Portal Site.
  4. To add the CenturyLink internal protected networks, in the Tunnel Encrypted Subnets section, click add network block.
  5. In the Site Name text box, type your site name.
  6. In the Device Type text box, type your device type.
  7. In the VPN Peer IPv4 Address text box, type your public IP address.
  8. To add the CenturyLink internal protected networks, in the Tunnel Encrypted Subnets section, click add network block.

Screenshot of the CenturyLink Sites and Networks settings

  9. Click next: phase 1.
  10. From the Encryption Algorithm drop-down list, select AES-256.
  11. From the Hashing Algorithm drop-down list, select SHA1 (96).
  12. In the Pre-Shared Key text boxes, type the pre-shared key.
  13. From the Diffie-Hellman Group drop-down list, select Group 5.

Screenshot of the CenturyLink Phase 1 (IKE) page settings

  14. Click next: phase 2.
  15. Set PFS Enabled to ON.

Screenshot of the CenturyLink Phase 2 (IPSec) settings

  16. Click finish.

Screenshot of the CenturyLink Site-to-Site VPN settings
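Because CenturyLink Cloud does not accept every Firebox default, the usual cause of a tunnel that never comes up is a Phase 1 or Phase 2 proposal that differs between the two peers. The following script is an added example, not WatchGuard or CenturyLink code: it records both peers' IKEv1 proposals as plain data and reports every setting that differs, applying the rule noted above that a PFS group left unset inherits the Phase 1 Diffie-Hellman group. The Firebox values are the ones this guide selects; for the CenturyLink side the Phase 1 values are the guide's, while the Phase 2 cipher, hash and both lifetimes are constructed sample values (the guide's Phase 2 page only switches PFS on). The data-class field names are our own, not portal or Web UI labels.

```python
"""Compare the IKEv1 Phase 1 / Phase 2 settings of two IPsec peers.

Added example, not WatchGuard or CenturyLink code. Field names are ours;
the values are those chosen in the integration guide unless marked as
constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Phase1:
    """IKEv1 Phase 1 (ISAKMP SA) proposal."""
    encryption: str          # e.g. "aes256"
    integrity: str           # e.g. "sha1"
    dh_group: int            # Diffie-Hellman group number
    lifetime_s: int          # SA lifetime in seconds
    mode: str = "main"       # "main" or "aggressive"


@dataclass
class Phase2:
    """IKEv1 Phase 2 (IPsec SA) proposal."""
    protocol: str            # "esp" or "ah"
    encryption: str
    integrity: str
    lifetime_s: int
    pfs: bool
    pfs_group: Optional[int] = None   # None: inherit the Phase 1 DH group


@dataclass
class Peer:
    name: str
    p1: Phase1
    p2: Phase2


def effective_pfs_group(peer: Peer) -> Optional[int]:
    """DH group actually used for PFS: the explicit value if one is set,
    otherwise the Phase 1 group (the inheritance rule noted in the guide)."""
    if not peer.p2.pfs:
        return None
    if peer.p2.pfs_group is not None:
        return peer.p2.pfs_group
    return peer.p1.dh_group


def compare(a: Peer, b: Peer) -> List[Tuple[str, str]]:
    """Return (severity, message) pairs for every setting that differs.
    Algorithm, mode and group mismatches stop negotiation ("error");
    lifetime differences are "warning" only, since the shorter lifetime
    normally wins but some implementations still reject the proposal."""
    findings: List[Tuple[str, str]] = []

    def diff(sev: str, label: str, va, vb) -> None:
        if va != vb:
            findings.append((sev, f"{label}: {a.name}={va!r} {b.name}={vb!r}"))

    for f in ("mode", "encryption", "integrity", "dh_group"):
        diff("error", f"phase1 {f}", getattr(a.p1, f), getattr(b.p1, f))
    diff("warning", "phase1 lifetime_s", a.p1.lifetime_s, b.p1.lifetime_s)

    for f in ("protocol", "encryption", "integrity", "pfs"):
        diff("error", f"phase2 {f}", getattr(a.p2, f), getattr(b.p2, f))
    diff("error", "phase2 pfs_group", effective_pfs_group(a), effective_pfs_group(b))
    diff("warning", "phase2 lifetime_s", a.p2.lifetime_s, b.p2.lifetime_s)
    return findings


def errors(findings: List[Tuple[str, str]]) -> List[str]:
    """Only the findings that will prevent the tunnel from negotiating."""
    return [msg for sev, msg in findings if sev == "error"]


# Firebox side, as selected in this guide (gateway.1 / ESP-SHA1-AES256).
FIREBOX = Peer(
    "firebox",
    Phase1("aes256", "sha1", 5, 24 * 3600, "main"),
    Phase2("esp", "aes256", "sha1", 3600, pfs=True, pfs_group=5),
)

# CenturyLink side. Phase 1 is what the guide selects; Phase 2 cipher/hash
# and both lifetimes are constructed sample values. PFS group is left unset
# so that it inherits Group 5 from Phase 1.
CENTURYLINK = Peer(
    "centurylink",
    Phase1("aes256", "sha1", 5, 24 * 3600, "main"),
    Phase2("esp", "aes256", "sha1", 3600, pfs=True, pfs_group=None),
)

# Constructed counter-example: a peer that pinned PFS to a different group.
MISMATCHED = Peer(
    "other",
    Phase1("aes256", "sha1", 5, 24 * 3600, "main"),
    Phase2("esp", "aes256", "sha1", 3600, pfs=True, pfs_group=14),
)

if __name__ == "__main__":
    for peer in (CENTURYLINK, MISMATCHED):
        result = compare(FIREBOX, peer)
        print(f"{FIREBOX.name} vs {peer.name}: {result or 'compatible'}")
```

Run it before opening a ticket with either vendor: an empty result means the two proposals agree on everything the guide configures, and any "error" line names the exact Phase 1 or Phase 2 field to fix on the Firebox or in the Control Portal.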

Test the Integration

  1. Log in to the Firebox Web UI.
  2. Select System Status > VPN Statistics.
  3. Verify the BOVPN tunnel is active.
  4. Verify the hosts behind the Firebox and behind CenturyLink Cloud can successfully ping each other.