Juniper SRX300 and Firebox BOVPN Virtual Interface Integration Guide

Deployment Overview

WatchGuard provides integration instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about how to configure a third-party product, see the documentation and support resources for that product.

This integration guide describes how to configure a BOVPN virtual interface between a WatchGuard Firebox and a Juniper® SRX300.

Integration Summary

The hardware and software used in this guide include:

  • WatchGuard Firebox T55-W with Fireware v12.7
  • Juniper SRX300 with Junos OS 19.4R3-S1.3

Topology

This diagram shows the topology for a BOVPN virtual interface connection between a Firebox and a Juniper SRX300.

topology diagram

Configure the Firebox

On the Firebox, configure a Branch Office VPN (BOVPN) virtual interface connection:

  1. Log in to Fireware Web UI.
  2. Select VPN > BOVPN Virtual Interfaces.
    The BOVPN Virtual Interfaces configuration page opens.
  3. Click Add.
  4. In the Interface Name text box, type a name to identify this BOVPN virtual interface.
  5. From the Remote Endpoint Type drop-down list, select Cloud VPN or Third-Party Gateway.
  6. From the Gateway Address Family drop-down list, select IPv4 Addresses.
  7. In the Credential Method section, select Use Pre-Shared Key.
  8. In the adjacent text box, type the pre-shared key. Use a long, random key; the same key is entered later in the IKE policy on the SRX300.

Screenshot of Firebox, picture11

  1. In the Gateway Endpoint section, click Add.
    The Gateway Endpoint Settings dialog box opens.
  2. From the Physical drop-down list, select External.
  3. From the Interface IP Address drop-down list, select Primary Interface IPv4 Address.
    The Primary Interface IP Address is the primary IP address you configured on the selected external interface.
  4. Select By IP Address.
  5. In the adjacent text box, type the primary IP address of the External Firebox interface. This address is sent as the local gateway ID and must match the Remote Identity you configure in the IKE gateway on the SRX300.

Screenshot of firebox, picture12

  1. Select the Remote Gateway tab.
  2. Select Static IP Address.
  3. In the adjacent text box, type the public IP address of the ge-0/0/0.0 interface on the Juniper SRX300.
  4. Select By IP Address.
  5. In the adjacent text box, type the same public IP address of the ge-0/0/0.0 interface. This is the remote gateway ID and must match the Local Identity you configure in the IKE gateway on the SRX300.

Screenshot of firebox, picture13

  1. Click OK.
  2. In the Gateway Endpoint section, select Start Phase 1 tunnel when it is inactive.
  3. Select Add this tunnel to the BOVPN-Allow policies.

Screenshot of firebox, picture14

  1. Select the VPN Routes tab.

Screenshot of firebox, picture15

  1. Click Add.
    The VPN Route Settings dialog box opens.
  2. From the Choose Type drop-down list, select Network IPv4.
  3. In the Route To text box, type the network address of the LAN behind the SRX300 (the network you add as Juniper_address in the SRX300 global address book). Traffic to this network is routed through the virtual interface.

Screenshot of firebox, picture16

  1. Click OK.
  2. Select the Assign virtual interface IP addresses check box.
  3. In the Local IP address and Peer IP address or netmask text boxes, type the tunnel endpoint addresses. The Peer IP address must be the address you assign to the st0.0 tunnel interface on the SRX300.

Screenshot of firebox, picture17

  1. Select the Phase 1 Settings tab.
  2. From the Version drop-down list, select IKEv2.
  3. Keep the default values for all other Phase 1 Settings. The IKE proposal configured on the SRX300 later in this guide (SHA-256, AES-256-CBC, DH group 14, pre-shared key) must match these defaults.

Screenshot of firebox, picture18

  1. Keep the default values for all Phase 2 Settings. The IPsec proposal configured on the SRX300 later in this guide (ESP, AES-256-CBC, HMAC-SHA-256-128, PFS with DH group 14) must match these defaults.

Screenshot of firebox, picture19

  1. Click Save.

For more information about BOVPN virtual interface configuration on the Firebox, see BOVPN Virtual Interfaces.

Configure the Juniper SRX300

Follow these steps to configure the settings for your Juniper device.

Configure Basic Settings

  1. Log in to the Juniper Web Device Manager (J-Web) at https://<IP address of the Juniper device>.
    The default address is https://192.168.1.1.
  2. Configure the Juniper interfaces.
    For information on how to configure interfaces, see the Juniper documentation.

Screenshot of Juniper, picture25

Screenshot of Juniper, picture26

  1. Configure the zones and bind the interfaces to them. This guide uses a trust zone for the LAN interface, an untrust zone for ge-0/0/0.0, and a zone named VPN for the st0.0 tunnel interface; the untrust zone must allow the IKE system service inbound. For information about how to configure zones, see the Juniper documentation.

Screenshot of Juniper, picture27

  1. Configure the global addresses. This guide uses Juniper_address for the LAN behind the SRX300 and WG_address for the LAN behind the Firebox. For information about how to configure global addresses, see the Juniper documentation.

Screenshot of Juniper, picture28

  1. Configure static routes. In addition to the default route, add a route for the LAN behind the Firebox (WG_address) with st0.0 as the next hop so that traffic for that network enters the tunnel. For information about how to configure static routes, see the Juniper documentation.

Screenshot of Juniper, picture29

Configure IPSec VPN Phase 1 Settings

On your Juniper device:

  1. Select Configure > Security Services > IPsec VPN > IKE (Phase I).
  2. Select the Proposal tab.
  3. Click +.
  4. In Name text box, type a name for the proposal.
  5. From the Authentication algorithm drop-down list, select sha-256.
  6. From the Authentication Method drop-down list, select pre-shared-keys.
  7. From the DH Group drop-down list, select group14.
  8. From the Encryption algorithm drop-down list, select aes-256-cbc.
  9. In the Lifetime seconds text box, type the Phase 1 SA lifetime in seconds. Use the same value as the Firebox Phase 1 SA Life (8 hours, 28800 seconds, by default).

Screenshot of Juniper, picture30

  1. Click OK.
    The proposal appears in the list.

Screenshot of Juniper, picture31

  1. Select the IKE Policy tab.
  2. Click +.
  3. In the Name text box, type a name for the policy.
  4. From the Mode drop-down list, select main. The mode applies only to IKEv1; it is ignored once the gateway is set to v2-only, but J-Web still requires a value.
  5. Select User Defined.
  6. From the Proposal List, select the proposal you created.

Screenshot of Juniper, picture32

  1. Select the IKE Policy Options tab.
  2. Select Pre Shared Key.
  3. Select Ascii text.
  4. Type the pre-shared key.

Screenshot of Juniper, picture33

  1. Click OK.
    The policy appears in the list.

Screenshot of Juniper, picture34

  1. Select the Gateway tab.
  2. Click +.
    The Add Gateway dialog box opens.
  3. In the Name text box, type the Gateway name.
  4. From the Policy drop-down list, select the policy you created.
  5. From the External Interface drop-down list, select ge-0/0/0.0.
  6. Select Site to Site VPN.
  7. In the Remote Peer IP text box, type the IP address of the external Firebox interface. Click +.
  8. From the Local Identity Type drop-down list, select IP Address.
  9. In the IP Address text box, type the Juniper public IP address.
  10. From the Remote Identity Type drop-down list, select IP Address.
  11. In the IP Address text box, type the public IP address of Firebox.
  12. From the IKE Version drop-down list, select v2-only.
  13. Keep the default values for all other values.

Screenshot of Juniper, picture35

  1. Select the IKE Gateway Options tab.
  2. Select the Dead Peer Detection check box.
  3. Keep the default values for all other values.

Screenshot of Juniper, picture36

  1. Click OK.
    The gateway appears in the list.

Screenshot of Juniper, picture37

  1. To commit the changes, in the upper-right corner, click the commit button.
  2. Click Commit.

Configure IPsec VPN Phase 2 Settings

On your Juniper device:

  1. Select Configure > Security Services > IPsec VPN > IPsec (Phase II).
  2. Select the Proposal tab.
  3. Click +.
    The Add proposal dialog box opens.
  4. In the Name text box, type the proposal name.
  5. From the Authentication algorithm drop-down list, select hmac-sha-256-128.
  6. From the Encryption algorithm drop-down list, select aes-256-cbc.
  7. From the Protocol drop-down list, select esp.

Screenshot of Juniper, picture38

  1. Click OK.
    The proposal appears in the list.

Screenshot of Juniper, picture39

  1. Select the IPSec Policy tab.
  2. Click +.
    The Add policy dialog box opens.
  3. In the Name text box, type the policy name.
  4. From the Perfect Forward Secrecy drop-down list, select group14.
  5. Select User Defined.
  6. For Proposal List, select the proposal you created.

Screenshot of Juniper, picture40

  1. Click OK.

Screenshot of Juniper, picture41

  1. Select the VPN tab.
  2. Click +.
    The Add VPN dialog box opens.
  3. In the VPN Name text box, type the VPN name.
  4. From the Remote Gateway drop-down list, select the gateway you created (GW-JUN-WG in this guide).
  5. From the IPSec Policy drop-down list, select the IPsec policy you created (ipsec-phase2-policy in this guide).
  6. From the Bind to tunnel interface drop-down list, select st0.0. The st0.0 interface must already exist with the tunnel IP address you entered as the Peer IP address on the Firebox, and must be bound to the VPN zone.
  7. From the Establish tunnels drop-down list, select immediately.

Screenshot of Juniper, picture42

  1. Click OK.
    The VPN shows in the list.

Screenshot of Juniper, picture43

  1. To commit the changes, in the upper-right corner, click the commit button.
  2. Click Commit.

Configure Security Policy Rules

On your Juniper device:

  1. Select Configure > Security Services > Security Policy > Rules.
  2. Click +.
    The Create Rule wizard opens.
  3. In the Rule name text box, type the rule name (for example, policy-trust-vpn).
  4. Click Next.
  5. From the Zone drop-down list, select trust.
  6. In the Address(es) text box, select Juniper_address.

Screenshot of Juniper, picture44

  1. Click Next.
  2. From the Zone drop-down list, select VPN.
  3. In the Address(es) text box, select WG_address.
  4. In the Dynamic Application text box, select None.
  5. In the Service(s) text box, select any.
  6. In the URL Category text box, select None.

Screenshot of Juniper, picture45

  1. Click Next.
  2. From the Rule Action drop-down list, select Permit.

Screenshot of Juniper, picture46

  1. Click Next.
  2. Click Finish.
  3. Click OK.
    The rule appears in the list.

Screenshot of Juniper, picture47

  1. To allow traffic in the reverse direction, repeat the steps above to create a second rule from zone VPN (source WG_address) to zone trust (destination Juniper_address) with the action Permit.

Screenshot of Juniper, picture48

  1. To commit the changes, in the upper-right corner, click the commit button.
  2. Click Commit.

Test the Integration

To test the integration, from Fireware Web UI:

  1. Select System Status > VPN Statistics.
  2. Select the Branch Office VPN tab.
  3. Verify that the VPN is established.

Screenshot of Firebox, picture20

  1. Verify that Host 1 (behind the Firebox) and Host 2 (behind the Juniper SRX300) can successfully ping each other.
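The Firebox view above can be cross-checked from the SRX300 with Junos operational-mode commands. This is an added example, not part of the original guide; the addresses (Firebox LAN 10.10.0.0/24 with a host at 10.10.0.10, SRX300 LAN address 10.20.0.1) are assumptions.

```junos
# Phase 1: expect one IKE SA for the Firebox public address in state UP (detail shows the negotiated algorithms and IKEv2)
show security ike security-associations
show security ike security-associations detail

# Phase 2: expect an inbound and an outbound IPsec SA bound to st0.0; the statistics counters should increase while you ping
show security ipsec security-associations
show security ipsec statistics

# The tunnel interface must be up and the Firebox LAN must be routed to it
show interfaces st0.0 terse
show route 10.10.0.0/24

# End-to-end test. Source the ping from the SRX300 LAN address: the Firebox only routes the SRX300 LAN
# (the Route To network on the VPN Routes tab) into the tunnel, so a ping sourced from st0.0 would get no reply.
ping 10.10.0.10 source 10.20.0.1 count 5
```

If the IKE SA is missing, compare the Local Identity and Remote Identity on the gateway with the gateway IDs on the Firebox first; an identity mismatch fails IKEv2 authentication even when the pre-shared key and proposals are correct. If the IKE SA is present but no IPsec SA appears, compare the Phase 2 proposal and the PFS group with the Firebox Phase 2 defaults.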