Google Cloud BOVPN Integration Guide

This integration guide describes how to configure a Branch Office VPN (BOVPN) tunnel between a WatchGuard Firebox and Google Cloud Platform.

WatchGuard provides integration instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about how to configure a third-party product, see the documentation and support resources for that product.

Integration Summary

The hardware and software used in this guide include:

  • WatchGuard Firebox
    • Fireware v12.10
  • Google Cloud Platform

Additional charges might apply for the use of Google Cloud Platform.

Topology

This diagram shows the topology for a BOVPN connection between a Firebox and Google Cloud Platform.

Screenshot of the test topology

Configure the Firebox

To configure a BOVPN connection on the Firebox:

  1. Log in to Fireware Web UI.
  2. Select VPN > Branch Office VPN.
  3. From the Gateways section, click Add.
    The Branch Office VPN configuration page opens.

Screenshot of the General Settings tab

  4. In the Gateway Name text box, type a name to identify this BOVPN gateway.
  5. From the Address Family drop-down list, select IPv4 Addresses.
  6. From the Credential Method section, select Use Pre-Shared Key.
  7. In the adjacent text box, type the pre-shared key.
  8. In the adjacent drop-down list, keep the default String-Based value.
  9. From the Gateway Endpoint section, click Add.
    The Gateway Endpoint Settings dialog box opens.

Screenshot of the Gateway Endpoint Settings dialog box, Local Gateway tab

  10. From the External Interface drop-down list, select External.
  11. From the Interface IP Address drop-down list, select Primary Interface IPv4 Address.
    The Primary Interface IP Address is the primary IP address you configured on the selected external interface.
  12. To specify the gateway ID for tunnel authentication, select By IP Address.
  13. In the adjacent text box, type the primary IP address of the Firebox external interface.
  14. Select the Remote Gateway tab.

Screenshot of the Remote Gateway settings

  15. To specify the remote gateway IP address for a tunnel, select Static IP Address.
  16. In the adjacent text box, type the external IP address of your Google Cloud connection.
  17. To specify the remote gateway ID for tunnel authentication, select By IP Address.
  18. In the adjacent text box, type the external IP address of your Google Cloud connection.
  19. Keep the default values for all other options.
  20. Click OK.

Screenshot of the General Settings page

  21. From the Gateway Endpoint section, select the Start Phase 1 Tunnel When Firebox Starts check box.
  22. Select the Phase 1 Settings tab.

Screenshot of the Phase 1 Settings tab

  23. From the Version drop-down list, select IKEv2.
  24. Keep the default values for all other Phase 1 settings.
  25. Click Save.
    The Branch Office VPN page opens.

Screenshot of the Tunnels section

  26. From the Tunnels section, click Add.
    The Branch Office VPN tunnel configuration page opens.

Screenshot of the tunnel Addresses section

  27. From the Gateway drop-down list, select the gateway that you configured.
  28. From the Addresses section, click Add.
    The Tunnel Route Settings page opens.

Screenshot of the Tunnel Route Settings page

  29. From the Local IP section, from the Choose Type drop-down list, select Network IPv4.
  30. In the Network IP text box, type the local IP segment. This is the local network protected by the Firebox.
  31. From the Remote IP section, from the Choose Type drop-down list, select Network IPv4.
  32. In the Network IP text box, type the remote IP segment. This is the network on the Google Cloud side of the tunnel (the VPC subnet).
  33. Click OK.
  34. Keep the default values for the Phase 2 Settings tab.

Screenshot of the Phase 2 Settings tab

  35. Click Save.

Configure the Google Cloud VPN

To configure the Google Cloud VPN, perform these steps:

  1. Create a VPC Network
  2. Reserve a Static Address
  3. Create a VPN Connection
  4. Create the Firewall Rules

Create a VPC Network

Before you create your VPC Network, you should enable the Compute Engine API. Google charges you for the Compute Engine API in your projects. For more information, go to the Google Cloud documentation.

To create a VPC Network:

  1. Log in to the Google Cloud Platform.
  2. Select a project or create a new one. In this example, we use My First Project.
  3. From the navigation menu, select VPC Network > VPC Networks.
    The Product Details page opens.

Screenshot of enabling the Compute Engine API in Google Cloud

  4. Click Enable.
    The VPC Networks page opens.

Screenshot of the enabled Compute Engine API in Google Cloud

  5. Click Create VPC Network.
    The Create a VPC Network page opens.

Screenshot of the Create a VPC Network page in Google Cloud

  6. In the Name text box, type a name for the VPC network. In our example, we use cloud-vpc-network.
  7. From the Subnets section, for the Subnet Creation Mode option, select Custom.
  8. From the New Subnet section, in the Name text box, type a name for the subnet. In our example, we use subnet-asia-east1-192-168-1.
  9. From the Region drop-down list, select the geographical location where you want to host your resources. In our example, we select asia-east1.
  10. In the IPv4 Range text box, specify the IP address range for this subnet. In our example, we use 192.168.1.0/24.
  11. (Optional) For Flow Logs, select On.
  12. Click Done.
  13. Keep the default values for all other settings.
  14. Click Create.

Screenshot of the created VPC network in Google Cloud

Reserve a Static Address

To reserve a static address:

  1. From the navigation menu, select VPC Network > IP Addresses.
    The IP Addresses page opens.

Screenshot of the IP Addresses page in Google Cloud

  2. Click Reserve External Static IP Address.
    The Reserve a Static Address page opens.

Screenshot of the static address settings in Google Cloud

  3. In the Name text box, type a name for the external IP address. In our example, we use google-cloud-vpn-ip.
  4. From the Region drop-down list, select the region where you want to create the static address. In our example, we select asia-east1 (Taiwan).
  5. Keep the default values for all other settings.
  6. Click Reserve.

Create a VPN Connection

To create a VPN connection:

  1. From the navigation menu, select Networking > Network Connectivity > VPN.
  2. Click Create VPN Connection.
  3. From the VPN Options section, select Classic VPN.
  4. Click Continue.
    The Create a VPN Connection page opens.

Screenshot of the completed VPN connection settings in Google Cloud

  5. From the Google Compute Engine VPN Gateway section, in the Name text box, type a name for the VPN gateway.
  6. From the Network drop-down list, select the network you created. In our example, we select cloud-vpc-network.
  7. From the Region drop-down list, select a region. In our example, we select asia-east1 (Taiwan).
  8. From the IP Address drop-down list, select the static IP address you reserved. In our example, we select google-cloud-vpn-ip.
  9. From the Tunnels section, in the Name text box, type a name for the tunnel.
  10. In the Remote Peer IP Address text box, type the external IP address of the remote peer (the Firebox external interface).
  11. From the IKE Version drop-down list, select IKEv2.
  12. In the IKE Pre-shared Key text box, type the same pre-shared key you configured on the Firebox.
  13. For Routing Options, select Policy-based.
  14. In the Remote Network IP Ranges text box, type the IP address ranges of the remote networks (the networks behind the Firebox).
  15. From the Local Subnetworks drop-down list, select subnet-asia-east1-192-168-1.
  16. Click Done.
  17. Click Create.

Create the Firewall Rules

To create the firewall rules:

  1. From the navigation menu, select Networking > VPC Network > Firewall.
  2. Click Create Firewall Rule.
    The Create a Firewall Rule page opens.

Screenshot of the firewall rule settings in Google Cloud

  3. In the Name text box, type a name for this rule.
  4. For Logs, select On.
  5. From the Network drop-down list, select the network you created. In our example, we select cloud-vpc-network.
  6. For Direction of Traffic, select Ingress.
  7. For Action on Match, select Allow.
  8. From the Targets drop-down list, select All Instances In the Network.
  9. From the Source Filter drop-down list, select IP Ranges.
  10. In the Source IPv4 Ranges text box, type the IP address ranges of the remote internal networks (the networks behind the Firebox).
  11. For Protocols and Ports, select Allow All or Specified Protocols and Ports. In our example, we select Allow All.
  12. Keep the default values for all other settings.
  13. Click Create.
  14. To create an egress rule, repeat steps 2-13 with Direction of Traffic set to Egress.

Screenshot of the firewall rules list in Google Cloud

  15. Click Create.

Google Cloud VPN auto-negotiates authentication and encryption settings and the key group with the Firebox. You cannot edit these settings in the Google Cloud VPN configuration.

For more information about Google Cloud VPN configuration and supported IKE ciphers, go to Google Cloud VPN Documentation.
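The console steps above can also be reproduced from the command line, which makes the Google Cloud side of the tunnel reviewable and repeatable. The script below is an added example, not WatchGuard's or Google's code. It uses the guide's example values for the network, subnet, range, region and reserved address; the gateway name, tunnel name, Firebox peer IP and the network behind the Firebox are placeholders. Unlike the console, gcloud does not create the Classic VPN forwarding rules (ESP, UDP/500, UDP/4500) or the route for the policy-based tunnel for you, so the script creates them explicitly. By default it only prints the plan with the pre-shared key masked; set DRY_RUN=0 and export VPN_PSK to apply it.

```shell
#!/bin/sh
# Added example, not WatchGuard's or Google's code: builds the Google Cloud side of
# this guide with gcloud instead of the console, one function per guide section.
# Network, subnet, range, region and address names are the guide's example values;
# GATEWAY, TUNNEL, PEER_IP and REMOTE_RANGE are placeholders you must replace.
set -eu

NETWORK="${NETWORK:-cloud-vpc-network}"
SUBNET="${SUBNET:-subnet-asia-east1-192-168-1}"
SUBNET_RANGE="${SUBNET_RANGE:-192.168.1.0/24}"
REGION="${REGION:-asia-east1}"
VPN_IP_NAME="${VPN_IP_NAME:-google-cloud-vpn-ip}"
GATEWAY="${GATEWAY:-cloud-vpn-gateway}"         # placeholder
TUNNEL="${TUNNEL:-tunnel-to-firebox}"           # placeholder
PEER_IP="${PEER_IP:-203.0.113.10}"              # placeholder: Firebox external IP
REMOTE_RANGE="${REMOTE_RANGE:-10.0.1.0/24}"     # placeholder: network behind the Firebox
DRY_RUN="${DRY_RUN:-1}"                         # 1 = print the plan, 0 = apply it

# The pre-shared key is read from the environment, never hard-coded, and is only
# required for an apply run.
if [ "$DRY_RUN" != "1" ]; then
  : "${VPN_PSK:?export VPN_PSK before running with DRY_RUN=0}"
fi

# run: in dry-run mode print the command with the PSK masked; otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    for arg in "$@"; do
      case "$arg" in
        --shared-secret=*) printf '%s ' '--shared-secret=<redacted>' ;;
        *) printf '%s ' "$arg" ;;
      esac
    done
    printf '\n'
  else
    "$@"
  fi
}

# Create a VPC Network: custom subnet mode with flow logs on, as in the guide.
create_network() {
  run gcloud services enable compute.googleapis.com
  run gcloud compute networks create "$NETWORK" --subnet-mode=custom
  run gcloud compute networks subnets create "$SUBNET" --network="$NETWORK" \
    --region="$REGION" --range="$SUBNET_RANGE" --enable-flow-logs
}

# Reserve a Static Address for the VPN gateway.
reserve_address() {
  run gcloud compute addresses create "$VPN_IP_NAME" --region="$REGION"
}

# Create a VPN Connection: Classic VPN gateway, its three forwarding rules, an
# IKEv2 policy-based tunnel whose traffic selectors carry the guide's local and
# remote ranges, and the route that sends the remote range into the tunnel.
create_vpn() {
  run gcloud compute target-vpn-gateways create "$GATEWAY" --network="$NETWORK" --region="$REGION"
  run gcloud compute forwarding-rules create "$GATEWAY-esp" --region="$REGION" \
    --ip-protocol=ESP --address="$VPN_IP_NAME" --target-vpn-gateway="$GATEWAY"
  run gcloud compute forwarding-rules create "$GATEWAY-udp500" --region="$REGION" \
    --ip-protocol=UDP --ports=500 --address="$VPN_IP_NAME" --target-vpn-gateway="$GATEWAY"
  run gcloud compute forwarding-rules create "$GATEWAY-udp4500" --region="$REGION" \
    --ip-protocol=UDP --ports=4500 --address="$VPN_IP_NAME" --target-vpn-gateway="$GATEWAY"
  run gcloud compute vpn-tunnels create "$TUNNEL" --region="$REGION" \
    --target-vpn-gateway="$GATEWAY" --peer-address="$PEER_IP" --ike-version=2 \
    --shared-secret="${VPN_PSK:-}" \
    --local-traffic-selector="$SUBNET_RANGE" --remote-traffic-selector="$REMOTE_RANGE"
  run gcloud compute routes create "$TUNNEL-route" --network="$NETWORK" \
    --destination-range="$REMOTE_RANGE" \
    --next-hop-vpn-tunnel="$TUNNEL" --next-hop-vpn-tunnel-region="$REGION"
}

# Create the Firewall Rules: logged ingress from and egress to the Firebox network.
# The guide allows all protocols; narrow --rules to what the workload needs.
create_firewall_rules() {
  run gcloud compute firewall-rules create allow-ingress-from-firebox-lan --network="$NETWORK" \
    --direction=INGRESS --action=ALLOW --rules=all --source-ranges="$REMOTE_RANGE" --enable-logging
  run gcloud compute firewall-rules create allow-egress-to-firebox-lan --network="$NETWORK" \
    --direction=EGRESS --action=ALLOW --rules=all --destination-ranges="$REMOTE_RANGE" --enable-logging
}

main() {
  create_network
  reserve_address
  create_vpn
  create_firewall_rules
}
main
```

Run it once without arguments to review the printed plan, then again with DRY_RUN=0 and VPN_PSK exported to apply it. Because the route and firewall rules name the remote range explicitly, a typo there shows up in the printed plan rather than as a tunnel that comes up but carries no traffic.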

Test the Integration

To test the integration:

  1. From the Google Cloud Platform navigation menu, select Networking > Network Connectivity > VPN.
  2. Select the Cloud VPN Tunnels tab. The data shows the VPN is established.

Screenshot of the Cloud VPN Tunnels tab in Google Cloud

  3. From Fireware Web UI, select System Status > VPN Statistics.
    The VPN Statistics page opens.

Screenshot of the VPN Statistics page on the Firebox

  4. Select the Branch Office VPN tab. The data shows the VPN is established.
  5. Verify that a host behind the Firebox can ping a host in the Google Cloud Platform.
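The tunnel state shown on the Cloud VPN Tunnels tab is also available from the command line, which is useful when the test fails and you need to know which side to look at. The script below is an added example, not part of the guide; the tunnel and region names are placeholders, and the status values it interprets are the ones Google Cloud reports for Classic VPN tunnels. It only queries Google Cloud when CHECK_LIVE=1 is set, so it can be read and exercised without a project.

```shell
#!/bin/sh
# Added example, not from the guide: reads the Classic VPN tunnel state with gcloud
# and maps it to what to check on the Firebox side. TUNNEL and REGION are placeholders.
set -eu

TUNNEL="${TUNNEL:-tunnel-to-firebox}"
REGION="${REGION:-asia-east1}"

# tunnel_status: prints the tunnel's status field (for example ESTABLISHED).
tunnel_status() {
  gcloud compute vpn-tunnels describe "$1" --region="$2" --format='value(status)'
}

# explain_status: prints a hint for a Cloud VPN tunnel status value and returns 0
# only for ESTABLISHED, so a script can use it as a pass/fail gate.
explain_status() {
  case "$1" in
    ESTABLISHED)
      echo "tunnel is up: confirm on the Firebox under System Status > VPN Statistics"
      return 0 ;;
    NEGOTIATION_FAILURE)
      echo "IKE negotiation failed: check that the pre-shared key matches and both sides use IKEv2" ;;
    NO_INCOMING_PACKETS)
      echo "no traffic from the peer: check the Remote Peer IP Address and that UDP/500, UDP/4500 and ESP reach the Firebox" ;;
    PROVISIONING|WAITING_FOR_FULL_CONFIG|FIRST_HANDSHAKE)
      echo "tunnel still coming up: wait and check again" ;;
    *)
      echo "status $1: see the Google Cloud VPN documentation" ;;
  esac
  return 1
}

# Query the live tunnel only when asked to, so the script is safe to run anywhere.
if [ "${CHECK_LIVE:-0}" = "1" ]; then
  explain_status "$(tunnel_status "$TUNNEL" "$REGION")"
else
  echo "set CHECK_LIVE=1 (with TUNNEL and REGION) to query the tunnel state with gcloud"
fi
```

With CHECK_LIVE=1 the script exits non-zero for anything other than ESTABLISHED, so it can sit in a monitoring job that alerts when the tunnel drops.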