Integration Guide

Oracle Bare Metal BOVPN

Revised: 17 May 2018


About This Guide

Guide Type
Documented Integration — WatchGuard or a Technology Partner has provided documentation demonstrating
integration

Guide Details
WatchGuard provides integration instructions to help our customers configure WatchGuard products to work
with products created by other organizations. If you need more information or technical support about how to
configure a third-party product, see the documentation and support resources for that product.

2 Oracle Bare Metal BOVPN Integration Guide


Oracle Bare Metal BOVPN Integration Overview

Oracle Bare Metal BOVPN is a service offered by Oracle Cloud Infrastructure. This document describes the
basic steps needed to build a Branch Office VPN between the Oracle Cloud and the Firebox.

Platform and Software

The hardware and software used to complete the steps outlined in this document include:

▪ WatchGuard Firebox with Fireware® v12.
▪ Oracle Bare Metal Account with networking.

Oracle Bare Metal BOVPN Setup

Oracle documentation lists the basic structure to set up a Branch Office VPN. The steps listed will closely
adhere to this general path:

▪ Gather information.
▪ Create your VCN (Virtual Cloud Network).
▪ Create your DRG (Dynamic Routing Gateway).
▪ Attach the DRG to your VCN.
▪ Update the routing in your VCN to use the DRG.
▪ Create a CPE (Customer-Premises Equipment) object and provide your router's public IP address.
▪ From your DRG, create an IPSec Connection to the CPE object and provide your static routes.
▪ Configure your CPE router (WatchGuard firewall).

Create Virtual Cloud Network
1. Select your Compartment in the Oracle Cloud Infrastructure console.
2. Click Networking > Virtual Cloud Networks. The Create Virtual Cloud Network selection box
appears. The compartments available depend on your permissions.
3. Leave the default values in the dialog box and click Create Virtual Cloud Network.

You have now created the Virtual Cloud Network. Next you must create the Dynamic Routing Gateway.

Create Dynamic Routing Gateways


1. On the Oracle Cloud Infrastructure console click Networking > Dynamic Routing Gateways. Click
Create Dynamic Routing Gateway. The Create Dynamic Routing Gateway dialog box appears.
2. The Create in Compartment field auto-populates with the current compartment name. Enter a different
compartment name if you want to create the DRG in another compartment.
3. In the Name field, enter a friendly name.
Note The name cannot be changed later in the console.

4. Click Create Dynamic Routing Gateway. The created DRG appears in the console.

Once the DRG is created, you must attach it to the Virtual Cloud Network.

Attach Dynamic Routing Gateway to a Cloud Network


1. On the Oracle Cloud Infrastructure console click Networking > Dynamic Routing Gateways. A list
of available DRGs in the compartment appears.
2. Select the DRG you want to attach.
3. While still on the DRG page, in the left-hand menu select the Virtual Cloud Networks link. The
Attach to Virtual Cloud Network option box appears.

Update the Routing Table


1. On the Oracle Cloud Infrastructure console click Networking > Virtual Cloud Networks. A list of cloud
networks available in your compartment appears.
2. Select the VCN you want.
3. Click Route Tables. A list of all the route tables appears.
For each subnet that needs to communicate with your on-premises network, update that subnet's route
table with a new route for the DRG.

4. Select the Route Table you want and click Create Route Rule.

5. Enter the details for:

▪ CIDR: The CIDR for your on-premises network


▪ Target: The DRG you created earlier

6. Click Create.

Create Customer-Premises Equipment (CPE)


1. On the Oracle Cloud Infrastructure console click Networking > Customer-Premises Equipment.

2. Click Create Customer-Premises Equipment. The Create Customer-Premises Equipment dialog box
appears. Complete all the fields:

▪ Create in Compartment
▪ Name
▪ IP Address

3. Click Create.

Link DRG to IPSec Connection


1. On the Oracle Cloud Infrastructure console click Networking > Dynamic Routing Gateways.
2. Select the DRG you created earlier. On the right-hand side, under Resources, select IPSec
Connections. The Static Route CIDR must match the subnet that is the target on the WatchGuard
firewall. Click Create IPSec Connection.

3. Select the three dots to the right of the newly created IPSec connection. Here you can either view the
Tunnel Information or Terminate the BOVPN. Under Tunnel Information you will find the shared
secret and public IP address needed for each gateway when you configure the WatchGuard BOVPN
gateway settings. Copy this shared key and public IP for use later.

Note This IPSec connection offers multiple public gateways, and you can configure more than one of
them. If you need this option, follow the Configure VPN Failover topic in the WatchGuard
documentation.

WatchGuard Firewall BOVPN Setup

The WatchGuard BOVPN setup should match the transforms and IPSec Proposals passed by the Oracle
BOVPN. The Oracle cloud may provide multiple options in BOVPN negotiation. In general, the settings listed
here will be offered first, which can provide a more stable BOVPN.

Configuration Summary
WatchGuard Phase One Settings:

▪ Version: IKE v1
▪ Mode: Main
▪ No NAT Traversal
▪ No IKE Keep-alive
▪ DPD:
o Traffic idle timeout 10 seconds
o Max retries 3
▪ Transform Settings:
o Authentication SHA2-384
o Encryption AES(256-bit)
o SA life 8 hours
o Key Group Diffie-Hellman Group 5

WatchGuard Phase Two Settings:

▪ Enable Perfect Forward Secrecy, Diffie-Hellman Group 5


▪ IPSec Proposals:
o Type ESP (Encapsulating Security Payload)
o Authentication SHA1
o Encryption AES(256-bit)
▪ Force Key Expiration, Time, 1 hour

These are the steps to enter the above values, add the public IP address gateway, and tunnel routes to build
the BOVPN.

Configure Phase 2 IPSec Proposal from Fireware® Web UI

1. Configure the Phase 2 IPSec Proposal first in the Web UI, so that it is available later in a drop-
down list. In the Fireware® Web UI select VPN > Phase 2 Proposals.
2. Select Add to create a new proposal.
3. In the Name field, enter a name for the proposal.
4. The Description field is optional.
5. From the Type drop-down list select ESP (Encapsulating Security Payload).
6. From the Authentication drop-down list select SHA1.
7. From the Encryption drop-down list select AES(256-bit).
8. For Force Key Expiration, select the check box and enter 1 hour.
9. Click Save.

Configure Gateway Settings


1. Select VPN > BOVPN Virtual Interface.
2. Click Add.
3. In the General Settings tab section, select Use Pre-Shared Key and paste the Pre-Shared Key from
the Oracle IPSec Connection settings.
4. In the Gateway Endpoint section, select Add.
The New Gateway Endpoints Settings dialog box appears.
5. On the Local Gateway tab, for Specify the gateway ID for tunnel authentication, select By IP
Address and specify the IP address. By default, this is the primary public address assigned to the
firewall.
6. On the Remote Gateway tab, for Specify the remote gateway IP address for a tunnel, select Static
IP Address and enter the public IP address you got from the Oracle Bare Metal IPSec Connection
settings.
7. Click OK.

Note the Advanced tab here. If you configure multiple public IP addresses for VPN failover, you must
enter the shared key for each remote public gateway on this tab. See Configure VPN Failover for more
information.

Configure VPN Routes

1. Continue in the BOVPN Virtual Interface by selecting the VPN Routes tab.
2. Select Add.
3. From the Choose Type drop-down list, select an option:

▪ Host IPv4 - Select this option if only one IPv4 host is the VPN destination.
▪ Network IPv4 - Select this option if you have a full IPv4 network as the VPN destination.
▪ Host IPv6 - Select this option if only one IPv6 host is the VPN destination.
▪ Network IPv6 - Select this option if you have a full IPv6 network as the VPN destination.

Note Oracle does not support IPv6.
4. In the Route To field, enter the network address or host address.
5. In the Metric field, type or select a metric value for the route.
6. Click OK.

Note At the bottom of the BOVPN Virtual Interfaces page there is a selection option for Add this Tunnel to
the BOVPN-allow policies. If this is not selected you will need to manually add a policy to allow this traffic.

Configure Phase 1 Settings for IKEv1 from Fireware Web UI


1. Continue with the BOVPN Virtual Interface by selecting the Phase 1 Settings tab.
2. From the Version drop-down list select IKEv1.
3. For the Mode drop-down list select Main.
4. Remove the selections for NAT Traversal and IKE Keep-alive.
5. Select the Dead Peer Detection check box.

▪ For Traffic Idle Timeout enter 10 seconds.
▪ For Max retries enter 3.

6. In the Transform Settings section, select the transform you want and then click Edit.
7. From the Authentication drop-down list, select SHA2-384.
8. From the Encryption drop-down list, select AES (256-bit).
9. Change the SA Life to 8 hours.
10. From the Key Group drop-down list select Diffie-Hellman Group 5.

Assign the Phase 2 Proposal


Continue with the BOVPN Virtual Interface on the Phase 2 Settings tab:
1. Select the Enable Perfect Forward Secrecy check box, and from the drop-down list select Diffie-
Hellman Group 5.
2. If there are any IPSec Proposals listed, remove them.
3. From the drop-down list, select the Phase 2 Proposal created earlier in these directions.
4. Click Save.

You can check on the status of the VPN in the Web UI > System Status > VPN Statistics > Branch Office
VPN tab.
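As an added example (not part of the WatchGuard guide), the following Python script cross-checks the values gathered from the Oracle Tunnel Information and VCN route table against the Firebox BOVPN virtual interface settings entered above: the shared secret and public IP for each gateway, the static route and VPN route CIDRs, IPv4-only routes, and the Phase 1 and Phase 2 values from the Configuration Summary. The dictionary layout, field names and sample addresses are assumptions constructed for this example.

```python
import ipaddress
# Phase 1 / Phase 2 values from the Configuration Summary above.
EXPECTED_PHASE1 = {"version": "IKEv1", "mode": "Main", "auth": "SHA2-384",
                   "enc": "AES-256", "dh_group": 5, "sa_life_hours": 8}
EXPECTED_PHASE2 = {"type": "ESP", "auth": "SHA1", "enc": "AES-256",
                   "pfs_group": 5, "key_expiry_hours": 1}

def check_bovpn(oracle, firebox):
    """List mismatches between the Oracle IPSec connection and the Firebox BOVPN."""
    out = []
    if oracle["cpe_ip"] != firebox["local_ip"]:  # CPE object vs. local gateway ID
        out.append(f"CPE IP {oracle['cpe_ip']} != Firebox gateway {firebox['local_ip']}")
    # Each Oracle public gateway needs its own endpoint with its own shared secret.
    endpoints = {g["remote_ip"]: g["psk"] for g in firebox["gateways"]}
    for t in oracle["tunnels"]:
        if endpoints.get(t["oracle_ip"]) != t["shared_secret"]:
            out.append(f"no endpoint with matching shared secret for {t['oracle_ip']}")
    # Static routes = on-premises networks; each needs a VCN route rule to the DRG (IPv4 only).
    drg_rules = {r["cidr"] for r in oracle["route_rules"] if r["target"] == "DRG"}
    for cidr in oracle["static_routes"]:
        if ipaddress.ip_network(cidr, strict=False).version == 6:
            out.append(f"static route {cidr} is IPv6, unsupported by Oracle")
        elif cidr not in drg_rules:
            out.append(f"VCN route table has no DRG rule for {cidr}")
    # Firebox VPN routes (Route To) must be IPv4 networks inside the Oracle VCN.
    vcn = ipaddress.ip_network(oracle["vcn_cidr"])
    for cidr in firebox["vpn_routes"]:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version == 6:
            out.append(f"VPN route {cidr} is IPv6, unsupported by Oracle")
        elif not net.subnet_of(vcn):
            out.append(f"VPN route {cidr} is outside the VCN {vcn}")
    # Transforms and proposals must match the settings Oracle offers first.
    for label, want, got in (("Phase 1", EXPECTED_PHASE1, firebox["phase1"]),
                             ("Phase 2", EXPECTED_PHASE2, firebox["phase2"])):
        out += [f"{label} {k}: expected {v!r}, got {got.get(k)!r}"
                for k, v in want.items() if got.get(k) != v]
    return out

# Constructed sample values (not from the guide) with three deliberate mistakes.
ORACLE = {"cpe_ip": "203.0.113.10", "vcn_cidr": "10.0.0.0/16",
          "tunnels": [{"oracle_ip": "198.51.100.5", "shared_secret": "example-psk-1"}],
          "static_routes": ["192.168.10.0/24", "fd00:10::/64"],
          "route_rules": [{"cidr": "192.168.10.0/24", "target": "DRG"}]}
FIREBOX = {"local_ip": "203.0.113.10",
           "gateways": [{"remote_ip": "198.51.100.5", "psk": "example-psk-1"}],
           "vpn_routes": ["10.0.1.0/24", "10.1.0.0/16"],
           "phase1": dict(EXPECTED_PHASE1, dh_group=2), "phase2": dict(EXPECTED_PHASE2)}
if __name__ == "__main__":
    print("\n".join(check_bovpn(ORACLE, FIREBOX) or ["BOVPN settings are consistent"]))
```

Run against real values, an empty result means the two sides agree on identity, secrets, routes and proposals; each finding names the side and field to correct.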

Test the Branch Office VPN

Usually you need to send some traffic through the VPN, such as a ping or a server connection, to verify
that traffic passes through it. On the Oracle side, this requires a virtual server. If you do not have a test
device on the WatchGuard side of the VPN, run the Diagnostic Tasks on your Firebox.

To run diagnostic tasks for your Firebox:

1. Select System Status > Diagnostics.
The Diagnostics page appears with the Diagnostics File tab selected.
2. Select the Network tab.
The Network page appears.
3. From the Task drop-down list select Ping.
4. In the Address text box, type an IP address or host name.
5. Select Advanced Options to ping from a local firewall interface.

The options are:

▪ -I: The capital I option specifies the IP address of the local interface you want to ping from.
▪ The IP address following the -I argument must be an interface IP assigned to the firewall.
▪ The last IP address is the final target of the ping command.
