BOVPN Virtual Interface for Dynamic Routing to Amazon Web Services (AWS)

You can configure a VPN connection between your Firebox and Amazon Web Services (AWS). For example, you might configure a VPN so that hosts on your local network can securely connect to resources on your Amazon Virtual Private Cloud (VPC).

For VPN connections to AWS, we recommend that you configure a BOVPN virtual interface on the Firebox instead of a BOVPN. You can use static or dynamic routing.

In this example, we show a VPN configuration with:

  • Dynamic BGP routing
  • One Firebox external physical interface
  • Two Firebox BOVPN virtual interfaces
  • One AWS gateway with two IP addresses for failover

AWS does not support OSPF.

Configure AWS

An AWS VPN configuration includes one virtual private gateway with two external IP addresses for redundancy. AWS automatically determines which IP address is the primary IP address.

Failover between the external IP addresses is enabled by default. If the primary AWS external IP address is unavailable, VPN traffic automatically fails over to the other AWS external IP address.

For detailed instructions about how to configure the AWS VPN settings, go to the Amazon Virtual Private Cloud User Guide.

Download the AWS Configuration File

Before you configure the Firebox, download the configuration file from your AWS account:

  1. Log in to the AWS Management Console at https://aws.amazon.com/console.
  2. Click to expand All Services.
  3. In the Networking & Content Delivery section, click VPC.
  4. From the navigation menu, in the Virtual Private Network section, click Site-to-Site VPN Connections.
  5. Select the box for the connection.
  6. Click Download Configuration.
  7. From the Vendor drop-down list, select WatchGuard, Inc.
  8. From the Software drop-down list, select Fireware OS 11.12.2 +.
  9. Click Download.
    A .txt file downloads to your desktop.
  10. Open the .txt file in a text editor.

Find the AWS Pre-Shared Keys and IP Addresses

The .txt configuration file contains the pre-shared keys, gateway IP addresses for AWS Tunnel 1 and Tunnel 2, and routes to the trusted (private) network of your AWS VPC.

You can also find the IP addresses in your AWS configuration:

  • For the gateway IP addresses, select Virtual Private Network > Site-to-Site VPN Connections > [name].
  • For the routes, select Virtual Private Cloud > Subnets or Virtual Private Cloud > Route Tables.

For this example, the AWS configuration uses these IP addresses:

  • Customer Gateway Address203.0.113.2 (external interface on the Firebox )
  • VPN Connections:
    • Tunnel 1 — 198.51.100.2 (first IP address of the AWS virtual private gateway)
    • Tunnel 2192.0.2.2 (second IP address of the AWS virtual private gateway)
  • Static Route10.0.1.0/24 (trusted network of the Firebox)

Gateway ID203.0.113.2 (external interface on the Firebox)

Remote gateway IP address198.51.100.2 (first IP address of the AWS virtual private gateway)

Remote gateway ID198.51.100.2 (first IP address of the AWS virtual private gateway)

VPN route for the VPC

  • Outside IP addresses:
    • Customer Gateway203.0.113.2 (external interface on the Firebox)
    • Virtual Private Gateway198.51.100.2 (first IP address of the AWS virtual private gateway)
  • Inside IP addresses:
  • BGP:
    • Neighbor IP address169.254.11.254
    • Customer Gateway ASN10001 (the BGP ASN of the Firebox)
  • Outside IP addresses:
    • Customer Gateway203.0.113.2 (external interface on the Firebox)
    • Virtual Private Gateway192.0.2.2 (second IP address of the AWS virtual private gateway)
  • Inside IP addresses:
  • BGP:
    • Neighbor IP address169.254.9.162
    • Customer Gateway ASN10001 (the BGP ASN of the Firebox)

Configure the Firebox

For this example, the Firebox has one external interface and one trusted network:

Interface Type Name IP Address
0 External External 203.0.113.2/24
1 Trusted Trusted 10.0.1.1/24

Add the BOVPN Virtual Interfaces

To configure a redundant gateway that uses both AWS external IP addresses, you must configure two BOVPN virtual interfaces.

  1. Select VPN > BOVPN Virtual Interfaces.
  2. Click Add.
  3. In the Interface Name text box, type a name that describes the virtual interface. In our example, we use toAWS-1.
  4. From the Remote Endpoint Type drop-down list, select Cloud VPN or Third-Party Gateway.
  5. From the Gateway Address Family drop-down list, select IPv4 Addresses. AWS does not support IPv6 for VPN tunnels.
  6. For the credential method, select Use Pre-Shared Key.
  7. Specify the pre-shared key included in the AWS VPN configuration file for IPSec Tunnel #1. AWS supports only the pre-shared key authentication method for site-to-site VPNs.
  8. In the Gateway Endpoint section, click Add.
    The Gateway Endpoint Settings dialog box appears.
  9. From the Physical drop-down list, select External.
  10. From the Interface IP Address drop-down list, select Primary IPv4 Interface Address.
  11. Select By IP Address.
  12. In the adjacent text box, type the IP address for the Firebox external interface. In our example, we use 203.0.113.2.
  13. Select the Remote Gateway tab.
  14. Select Static IP Address.
  15. In the adjacent text box, type the first IP address of the AWS virtual private gateway. In our example, we use 198.51.100.2.

Screen shot of BOVPN virtual interface gateway settings

  1. Select VPN > BOVPN Virtual Interfaces.
  2. Click Add.
  3. In the Interface Name text box, type a name that describes the virtual interface. In our example, we use toAWS-2.
  4. From the Remote Endpoint Type drop-down list, select Cloud VPN or Third-Party Gateway.
  5. From the Gateway Address Family drop-down list, select IPv4 Addresses. AWS does not support IPv6 for VPN tunnels.
  6. For the credential method, select Use Pre-Shared Key.
  7. Specify the pre-shared key included in the AWS VPN configuration file for IPSec Tunnel #2. AWS supports only the pre-shared key authentication method for site-to-site VPNs.
  1. In the Gateway Endpoint section, click Add.
    The Gateway Endpoint Settings dialog box appears.
  2. From the Physical drop-down list, select External.
  3. From the Interface IP Address drop-down list, select Primary IPv4 Interface Address.
  4. Select By IP Address.
  5. In the adjacent text box, type the IP address for the Firebox external interface. In our example, we use 203.0.113.2.
  6. Select the Remote Gateway tab.
  7. Select Static IP Address.
  8. In the adjacent text box, type the first IP address of the AWS virtual private gateway. In our example, we use 192.0.2.2.
  9. Click OK.

Screen shot of BOVPN virtual interface gateway settings

Configure the Virtual Interface IP Address and Netmask

  1. Select the VPN Routes tab.
  2. Select Assign virtual interface IP addresses.
  3. In the Local IP address text box, type the IP address. In our example, we use 169.254.11.254 .
    In the AWS VPN Configuration file, in the IPSec Tunnel #1 section, this is the Inside Customer Gateway IP address.
  4. In the Peer IP address or netmask text box, type the netmask. The netmask assigned by AWS is always /30 (255.255.255.252).
    In the AWS VPN Configuration file, in the IPSec Tunnel #1 section, this is the Inside Customer Gateway netmask.

Screen shot of the virtual IP addresses

  1. Select the VPN Routes tab.
  2. Select Assign virtual interface IP addresses.
  3. In the Local IP address text box, type the IP address. In our example, we use 169.254.9.162 .
    In the AWS VPN Configuration file, in the IPSec Tunnel #2 section, this is the Inside Customer Gateway IP address.
  4. In the Peer IP address or netmask text box, type the netmask. The netmask assigned by AWS is always /30 (255.255.255.252).
    In the AWS VPN Configuration file, in the IPSec Tunnel #2 section, this is the Inside Customer Gateway netmask.

Screen shot of the virtual IP addresses

Configure the Phase 1 and Phase 2 Settings

During VPN negotiations, AWS identifies the authentication and encryption algorithm settings from the Firebox. If AWS supports the settings, AWS automatically uses the same settings. AWS supports specific proposals. You cannot edit the AWS configuration to specify different proposals.

In Fireware v12.10 and higher, Fireware supports Diffie-Hellman Group 21.

  1. Select the Phase 1 Settings tab.
  2. From the Version drop-down list, select IKEv2. AWS also supports IKEv1.
  3. In the Transform Settings section, click Add.
    The Transform Settings dialog box appears.
  4. From the Authentication drop-down list, select SHA2-256. AWS also supports SHA-1.
  5. From the Encryption drop-down list, select AES (256-bit). AWS also supports AES (128-bit) is also supported.
  6. From the Diffie-Hellman Group drop-down list, select 14. AWS also supports groups 2, 15, 19, 20, and 21.
  7. Click OK and keep all other Phase 1 settings at the default values.

Screen shot of the Phase 1 settings for a BOVPN virtual interface

  1. Select Enable Perfect Forward Secrecy.
  2. From the drop-down list, select Diffie-Helman Group 14.
    Groups 1, 2, 5, 15, 19, 20, and 21 are also supported.
  3. From the IPSec Proposals drop-down list, select ESP-AES256-SHA256.
    SHA1 and AES128 are also supported.
  4. Repeat these steps to configure the Phase 2 settings for the second BOVPN virtual interface.

Screen shot of Phase 2 settings

Specify BGP Commands

The AWS BGP ASN and the virtual IP address (the BGP peer address) are defined by AWS and cannot be changed.

  1. Select Network > Dynamic Routing.
  2. Select Enable Dynamic Routing.
  3. Select the BGP tab.
  4. Select the Enable check box.
  5. Specify the BGP commands. In our example, we specify these commands:
router bgp 10001
!
! to AWS VPC 1st ext-if
!
neighbor 169.254.11.253 remote-as 7224
neighbor 169.254.11.253 activate
neighbor 169.254.11.253 timers 10 30
!
! to AWS VPC 2nd ext-if
!
neighbor 169.254.9.161 remote-as 7224
neighbor 169.254.9.161 activate
neighbor 169.254.9.161 timers 10 30
!
! To advertise additional prefixes to Amazon VPC, copy the 'network' statement
! and identify the prefix you wish to advertise. Make sure the prefix is present
! in the routing table of the device with a valid next-hop.
!
network 10.0.1.0/24

Screen shot of BGP settings

If you configure more than one trusted network on your Firebox, and you want AWS to learn the route to an additional trusted network, use an additional network command. For example:

network 10.0.1.0/24

network 10.0.2.0/24

Related Topics

BOVPN Virtual Interface for Static Routing to Amazon Web Services (AWS)