Guide Type: Documented Integration — WatchGuard or a Technology Partner has provided documentation demonstrating integration
Guide Details
WatchGuard provides integration instructions to help our customers configure WatchGuard products to work
with products created by other organizations. If you need more information or technical support about how to
configure a third-party product, see the documentation and support resources for that product.
Oracle Bare Metal BOVPN is a service offered by Oracle Cloud Infrastructure. This document describes the basic steps needed to build a Branch Office VPN (BOVPN) between the Oracle Cloud and the Firebox.
Oracle documentation describes the basic structure for setting up a Branch Office VPN. The steps listed here closely follow that general path:
▪ Gather Information
▪ Create your VCN (Virtual Cloud Network)
▪ Create your DRG (Dynamic Routing Gateway)
▪ Attach the DRG to your VCN.
▪ Update the routing in your VCN to use the DRG.
▪ Create a CPE (Customer-Premises Equipment) object and provide your router's public IP address.
▪ From your DRG, create an IPSec Connection to the CPE object and provide your static routes.
▪ Configure your CPE router (WatchGuard firewall).
You have now created the Virtual Cloud Network. Next you must create the Dynamic Routing Gateway. Once the DRG is created, attach it to the Virtual Cloud Network.
6. Click Create.
▪ Create in Compartment
▪ Name
▪ IP Address
3. Select the three dots to the right of the newly created IPSec connection. Here you can either view the
Tunnel Information or Terminate the BOVPN. Under Tunnel Information you will find the shared
Note This IPSec connection has the option of multiple public gateways, and multiple public gateways can be configured. If you need this option, follow Configure VPN Failover in the WatchGuard documentation.
The WatchGuard BOVPN setup should match the transforms and IPSec proposals offered by the Oracle BOVPN. The Oracle Cloud may offer multiple options during BOVPN negotiation. In general, the settings listed here are offered first, which can provide a more stable BOVPN.
Configuration Summary
WatchGuard Phase One Settings:
▪ Version: IKE v1
▪ Mode: Main
▪ No NAT Traversal
▪ No IKE Keep-alive
▪ DPD:
o Traffic idle timeout 10 seconds
o Max retries 3
▪ Transform Settings:
o Authentication SHA2-384
o Encryption AES(256-bit)
o SA life 8 hours
o Key Group Diffie-Hellman Group 5
These are the steps to enter the above values, add the public IP address gateway, and tunnel routes to build
the BOVPN.
1. We will configure the Phase 2 IPSec Proposal first in the Web UI, because this makes it available in a drop-down menu later. In the Fireware® Web UI, select VPN > Phase 2 Proposals.
2. Select Add to create a new proposal.
3. In the Name field, enter a name for the proposal.
4. The Description field is optional.
5. From the Type drop-down list select ESP (Encapsulating Security Payload).
6. From the Authentication drop-down list select SHA1.
7. From the Encryption drop-down list select AES(256-bit).
8. For Force Key Expiration, select the check box and enter 1 hour.
9. Click Save.
Note The Advanced tab is on this page. If you configure multiple public IP addresses for VPN failover, you must enter the shared key for each remote public gateway on that tab. See Configure VPN Failover for more information.
1. Continue in the BOVPN Virtual Interface by selecting the VPN Routes tab.
2. Select Add.
3. From the Choose Type drop-down list, select an option:
▪ Host IPv4 - Select this option if only one IPv4 host is the VPN destination.
▪ Network IPv4 - Select this option if you have a full IPv4 network as the VPN destination.
▪ Host IPv6 - Select this option if only one IPv6 host is the VPN destination.
▪ Network IPv6 - Select this option if you have a full IPv6 network as the VPN destination.
Note Oracle does not support IPv6.
4. In the Route To field, enter the network address or host address.
5. In the Metric field, type or select a metric value for the route.
6. Click OK.
Note At the bottom of the BOVPN Virtual Interfaces page there is a selection option for Add this Tunnel to
the BOVPN-allow policies. If this is not selected you will need to manually add a policy to allow this traffic.
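The route types above map directly onto the address family and prefix length of what is typed into Route To. The following Python is an added example (not WatchGuard's or Oracle's code) that classifies candidate Route To values into the four Fireware types using the standard library `ipaddress` module, normalises them to a network address, and rejects IPv6 entries because Oracle does not support them. The sample destinations and the `classify_route`/`plan_routes` names are constructed for this illustration.

```python
import ipaddress

# The two route types that Oracle supports (the guide notes Oracle has no IPv6).
SUPPORTED_TYPES = {"Host IPv4", "Network IPv4"}


def classify_route(destination: str) -> dict:
    """Classify one 'Route To' value into a Fireware route type.

    Accepts a bare address ("10.0.0.5"), CIDR ("10.0.0.0/24") or
    address/netmask ("10.0.0.0/255.255.255.0"). strict=False lets a user
    type any address inside the network; the result is normalised to the
    network address. Unparseable input is reported, not raised.
    """
    try:
        net = ipaddress.ip_network(destination, strict=False)
    except ValueError as exc:
        return {"input": destination, "type": None, "route_to": None,
                "supported": False, "error": str(exc)}

    family = "IPv4" if net.version == 4 else "IPv6"
    # A /32 (or /128) is a single host; anything wider is a network.
    kind = "Host" if net.prefixlen == net.max_prefixlen else "Network"
    route_type = f"{kind} {family}"
    return {"input": destination, "type": route_type,
            "route_to": str(net), "supported": route_type in SUPPORTED_TYPES,
            "error": None}


def plan_routes(destinations) -> tuple:
    """Split destinations into (accepted, rejected) route plans."""
    accepted, rejected = [], []
    for dest in destinations:
        result = classify_route(dest)
        (accepted if result["supported"] else rejected).append(result)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample of what an administrator might type into Route To.
    sample = ["10.0.0.0/16", "10.0.1.25", "172.16.5.0/255.255.255.0",
              "10.0.2.77/24", "2001:db8::/64", "2001:db8::1", "not-an-address"]
    ok, bad = plan_routes(sample)
    for r in ok:
        print(f"ADD  {r['type']:<13} {r['route_to']}")
    for r in bad:
        print(f"SKIP {r['input']}: {r['type'] or r['error']}")
```

Run it with no arguments to see the constructed sample sorted into routes to add and entries to skip; feeding it the real list of Oracle subnets before clicking Add catches a mistyped prefix or an IPv6 entry before the tunnel is built.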
6. In the Transform Settings section, select the transform you want and then click Edit.
7. From the Authentication drop-down list, select SHA2-384.
8. From the Encryption drop-down list, select AES (256-bit).
9. Change the SA Life to 8 hours.
10. From the Key Group drop-down list select Diffie-Hellman Group 5.
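The configuration summary and the Phase 1 and Phase 2 steps above all come down to one rule: the transform the Firebox offers must be one the Oracle side accepts, and the first acceptable entry in the offered order is the one used. The following Python is an added example (not WatchGuard's or Oracle's code) that models that responder-side selection and flags SA lifetime differences, which do not block negotiation but do cause one side to rekey early. The local transforms are the values from this guide (Phase 1: SHA2-384, AES-256, DH group 5, 8 hours; Phase 2: SHA1, AES-256, 1 hour); the peer-accepted lists, the PFS value for Phase 2 and all function names are constructed assumptions, not Oracle's published proposal set.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Transform:
    """Attributes both peers must agree on for one IKE or IPSec SA.
    dh_group is None for Phase 2 when PFS is not used (the guide does not
    state a PFS setting, so that is an assumption here)."""
    auth: str
    encryption: str
    dh_group: Optional[int]
    sa_life_seconds: int

    def algs(self) -> tuple:
        return (self.auth, self.encryption, self.dh_group)


def select_transform(offered: Iterable[Transform],
                     peer_accepts: Iterable[Transform]) -> Optional[Transform]:
    """Responder logic: walk the initiator's offer in order and return the
    first entry whose algorithms the peer also accepts, else None.
    Lifetime is deliberately not part of the match."""
    accepted = {t.algs() for t in peer_accepts}
    for t in offered:
        if t.algs() in accepted:
            return t
    return None


def lifetime_warnings(chosen: Transform,
                      peer_accepts: Iterable[Transform]) -> list:
    """List SA lifetime differences for the chosen algorithm set."""
    return [f"SA life differs: local {chosen.sa_life_seconds}s "
            f"vs peer {p.sa_life_seconds}s"
            for p in peer_accepts
            if p.algs() == chosen.algs()
            and p.sa_life_seconds != chosen.sa_life_seconds]


def check_phase(name: str, local_offer, peer_accepts) -> dict:
    """Summarise whether a phase negotiates and what to watch for."""
    chosen = select_transform(local_offer, peer_accepts)
    if chosen is None:
        return {"phase": name, "ok": False, "chosen": None,
                "warnings": [f"{name}: no transform in common"]}
    return {"phase": name, "ok": True, "chosen": chosen,
            "warnings": lifetime_warnings(chosen, peer_accepts)}


# Local settings as given in this guide.
PHASE1_LOCAL = [Transform("SHA2-384", "AES-256", 5, 8 * 3600)]
PHASE2_LOCAL = [Transform("SHA1", "AES-256", None, 1 * 3600)]

# Constructed peer lists for the illustration (hypothetical, not Oracle's).
PHASE1_PEER = [Transform("SHA2-384", "AES-256", 5, 8 * 3600),
               Transform("SHA1", "AES-128", 2, 8 * 3600)]
PHASE2_PEER = [Transform("SHA1", "AES-256", None, 1 * 3600)]

# A constructed misconfiguration: DH group 14 where the peer wants group 5.
PHASE1_WRONG_DH = [Transform("SHA2-384", "AES-256", 14, 8 * 3600)]


if __name__ == "__main__":
    for report in (check_phase("Phase 1", PHASE1_LOCAL, PHASE1_PEER),
                   check_phase("Phase 2", PHASE2_LOCAL, PHASE2_PEER),
                   check_phase("Phase 1 (bad DH)", PHASE1_WRONG_DH, PHASE1_PEER)):
        status = "OK  " if report["ok"] else "FAIL"
        print(status, report["phase"], report["chosen"], report["warnings"])
```

Ordering matters: if the Firebox offered two acceptable transforms, the one listed first wins, which is why the guide puts the preferred settings at the top. A mismatched DH group, as in the constructed bad case, yields no common transform at all, which is the classic "Phase 1 never completes" symptom to look for in the Firebox VPN diagnostics.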
Usually you need to send some type of traffic through the VPN, such as a ping or a server connection, to verify that traffic passes through the tunnel. On the Oracle side, this requires a virtual server. If you do not have a test device on the WatchGuard side of the VPN, run the Diagnostic Tasks on your Firebox.
▪ -I: the dash followed by a capital I specifies the IP address of the local interface you wish to ping from.
▪ The IP address following this argument should be an interface IP address assigned to the firewall.
▪ The last IP address is the final target of the ping command.