WatchGuard Support Center

Knowledge Base Article 000007236
Configure a policy-based VPN connection to a Microsoft Azure virtual network (Fireware v11.11.x)

Information
How can I configure a policy-based VPN connection between a Firebox and a Microsoft Azure virtual network?

When you configure a virtual network with Microsoft Azure, you can establish a VPN from your local area network to the Azure virtual network. In Fireware v11.11.x, to establish a VPN connection to Azure, you must configure a policy-based BOVPN tunnel.

In this article, the term policy-based routing refers to the Microsoft definition, which is different from the WatchGuard definition. The BOVPN configuration in this article is not related to policy-based routing settings within a firewall policy.

To configure a route-based VPN to Azure, you must configure a BOVPN virtual interface in Fireware v11.12 and higher. For more information about route-based VPNs, see Configure a route-based VPN connection to a Microsoft Azure virtual network (Fireware v11.12 and higher).

To connect your Microsoft Azure network to more than one Firebox device, see Configure a VPN between a Windows Azure network and multiple Firebox or XTM devices.

Configure the Azure Virtual Network

To configure your Azure virtual network, connect to the Azure Management Portal at manage.windowsazure.com, and follow these instructions from Microsoft: https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-create-vnet-arm-pportal/.

Gather Information about the Azure Virtual Network

Use this template to keep the information gathered from your Azure virtual network. We recommend that you save this information in a text file so that you can copy and paste information to your Firebox configuration.

Azure Virtual Network Settings

Local gateway IP address (Azure gateway IP address) —
Remote gateway IP address (Firebox gateway IP address) —
Shared key (Auto-generated by Azure) —
Local network IP address (Azure local network) —
Remote network IP address (Local network behind your Firebox) —

Standard Azure VPN Settings

To establish an encrypted VPN tunnel, the Firebox and the Azure gateway negotiate settings and exchange information in two phases: Phase 1 and Phase 2. To successfully negotiate the tunnel, the Firebox and Azure must use identical Phase 1 and Phase 2 settings. If the Phase 1 and Phase 2 settings do not match, the VPN tunnel is not built.

These Firebox settings are compatible with Azure:

Phase 1
IKE version — IKEv1
Mode — Main
NAT Traversal — Yes
Dead Peer Detection — No
Authentication — SHA1
Encryption — 3DES
Key Group — Diffie-Hellman Group 2

For added security, you can choose to select AES(256), a stronger encryption algorithm.

Phase 2
Perfect Forward Secrecy (PFS) — No
Perfect Forward Secrecy (PFS) is not currently supported for VPN connections between Firebox devices and Azure.
IPSec Proposal — ESP-AES-SHA1 (AES key length 256)

For the most recent list of protocols and algorithms supported by Microsoft for VPNs, see the Phase 1 and Phase 2 tables at https://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-about-vpn-devices.
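The point of the two tables above is that every Phase 1 and Phase 2 value has to agree with what the Azure gateway accepts, or the tunnel is never built. The following is an added example (not WatchGuard or Microsoft code) that encodes the Azure-compatible values listed in this article and reports which fields of a proposed Firebox configuration fall outside them. The dataclass field names and the "misconfigured" sample proposal are this example's own constructions.

```python
"""Check a Firebox BOVPN Phase 1 / Phase 2 proposal against the Azure-compatible
values listed in this article.  Added example, not WatchGuard or Microsoft code;
the field names below are this example's own."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Phase1:
    ike_version: str
    mode: str
    nat_traversal: bool
    dead_peer_detection: bool
    authentication: str
    encryption: str
    key_group: str


@dataclass(frozen=True)
class Phase2:
    pfs: bool
    ipsec_proposal: str
    aes_key_length: int


# Azure-compatible values as stated in the article's Phase 1 and Phase 2 tables.
AZURE_PHASE1 = {
    "ike_version": {"IKEv1"},
    "mode": {"Main"},
    "nat_traversal": {True},
    "dead_peer_detection": {False},
    "authentication": {"SHA1"},
    "encryption": {"3DES", "AES(256)"},   # 3DES is the default; AES(256) is the stronger option
    "key_group": {"Diffie-Hellman Group 2"},
}
AZURE_PHASE2 = {
    "pfs": {False},                       # PFS is not supported for Firebox-to-Azure tunnels
    "ipsec_proposal": {"ESP-AES-SHA1"},
    "aes_key_length": {256},
}


def check_phase(settings, allowed):
    """Return one message per field whose value is outside the allowed set."""
    problems = []
    for name, ok in allowed.items():
        value = getattr(settings, name)
        if value not in ok:
            problems.append(f"{name}: {value!r} is not Azure-compatible "
                            f"(allowed: {sorted(map(str, ok))})")
    return problems


def check_tunnel_settings(phase1, phase2):
    """All Phase 1 and Phase 2 mismatches; an empty list means both sides can agree."""
    return check_phase(phase1, AZURE_PHASE1) + check_phase(phase2, AZURE_PHASE2)


def hardening_notes(phase1):
    """Compatible is not the same as strong: flag the 3DES default the article lets you replace."""
    notes = []
    if phase1.encryption == "3DES":
        notes.append("Phase 1 uses 3DES; the article suggests AES(256) for added security.")
    return notes


# Firebox defaults as they appear in the Policy Manager steps (SHA1-3DES Phase 1,
# default Phase 2) -- these should pass.
FIREBOX_DEFAULT_P1 = Phase1("IKEv1", "Main", True, False, "SHA1", "3DES",
                            "Diffie-Hellman Group 2")
FIREBOX_DEFAULT_P2 = Phase2(False, "ESP-AES-SHA1", 256)

# Constructed misconfiguration: PFS switched on and a DH group that is not in
# the article's compatible list.  Two fields should be reported.
MISCONFIGURED_P1 = Phase1("IKEv1", "Main", True, False, "SHA1", "AES(256)",
                          "Diffie-Hellman Group 14")
MISCONFIGURED_P2 = Phase2(True, "ESP-AES-SHA1", 256)

if __name__ == "__main__":
    for label, p1, p2 in (("default", FIREBOX_DEFAULT_P1, FIREBOX_DEFAULT_P2),
                          ("misconfigured", MISCONFIGURED_P1, MISCONFIGURED_P2)):
        problems = check_tunnel_settings(p1, p2)
        print(label, "OK" if not problems else problems, hardening_notes(p1))
```

Run it before you click Save: a non-empty list from `check_tunnel_settings` is exactly the situation in which the Firebox log will show Phase 1 or Phase 2 negotiation failing, and it is cheaper to catch the mismatch here than in the tunnel status page.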

Example Configuration 

In this example, we use these values:

Azure
Local gateway ID — 203.0.113.50
Remote gateway ID (Firebox) — 198.51.100.3
Local IP address — 203.0.113.50
Remote IP address (Firebox) — 198.51.100.3
Local network — 172.16.0.0/16

Firebox
Local gateway ID — 198.51.100.3
Remote gateway ID (Azure) — 203.0.113.50
Local IP address — 198.51.100.3
Remote IP address (Azure) — 203.0.113.50
Local network — 10.0.1.0/24

Configure the Firebox

You can configure your Firebox with Fireware Web UI or with Policy Manager. To configure your Firebox, follow the instructions in the section for your configuration tool:

Configure the Firebox with Web UI

To configure a policy-based VPN connection to Azure in Fireware Web UI, first add a gateway:

  1. Connect to Fireware Web UI at https://[Firebox-IP-address]:8080.
  2. Select VPN > Branch Office VPN.
  3. In the Gateways section, click Add.
  4. In the Gateway Name text box, type a name to identify this gateway.
  5. In the Use Pre-Shared Key text box, paste the auto-generated shared key you copied from the Azure Management Portal.
    Screen shot of Add Gateway page
  6. In the Gateway Endpoint section, click Add.
    The Gateway Endpoint Settings dialog box appears.
  7. In the Local Gateway section, type the external IP address of your Firebox. For example, 198.51.100.3.
    Screen shot of completed Gateway Settings page
  8. Select the Remote Gateway tab.
  9. In the Static IP Address text box, type the gateway IP address for the Azure virtual network. For example, 203.0.113.50.
  10. In the By IP Address text box, type the gateway ID of the Azure virtual network. For example, 203.0.113.50.
    Screen shot of Gateway Endpoint Settings box
  11. Click OK.
  12. Click Save.

Next, you must create a tunnel between your Firebox and the Azure virtual network. To reach more than one remote IP subnet through the VPN tunnel, you must add a tunnel route to each remote subnet from each local subnet that must access it.

To add a tunnel in Fireware Web UI:

  1. Select VPN > Branch Office VPN.
  2. In the Tunnels section, click Add.
  3. In the Name text box, type a name to identify this tunnel.
  4. From the Gateway drop-down list, select the gateway that you just created.
    Screen shot of Add Tunnel page
  5. In the Addresses section, click Add.
  6. In the Local IP section, from the Choose Type drop-down list, select Host IPv4, Network IPv4, Host Range IPv4, or Any (0.0.0.0/0). For example, select Network IPv4.
  7. In the Network IP text box, type the network IP address of your local network. For example, 10.0.1.0/24.
  8. In the Remote IP section, from the Choose Type drop-down list, select Host IPv4, Network IPv4, Host Range IPv4, or Any (0.0.0.0/0). For example, select Network IPv4.
  9. In the Network IP text box, type the network IP address of the local Azure virtual network. For example, 172.16.0.0/16.
    Screen shot of tunnel route settings
  10. Click OK.
    The Addresses list is populated.
    Screen shot of completed tunnel addresses page
  11. To enable VPN access to another remote subnet, repeat Steps 2–10 to add another tunnel route from the local subnet to the other remote subnet. Do not change the settings on the Phase 2 Settings tab. The default Phase 2 settings match the settings for Microsoft Azure VPN.
  12. Click Save.

Configure the Firebox with Policy Manager

To configure a policy-based VPN connection to Azure in Policy Manager:

  1. Start WatchGuard System Manager and connect to your Firebox.
  2. In WatchGuard System Manager, select Tools > Policy Manager.
  3. Select VPN > Branch Office Gateways.
    The Gateways dialog box appears.
  4. Click Add.
    The New Gateway dialog box appears.
  5. In the Gateway Name text box, type a name to identify this gateway.
  6. In the Use Pre-Shared Key text box, paste the auto-generated shared key you copied from the Azure Management Portal.
  7. In the Gateway Endpoints section, click Add.
    The New Gateway Endpoints dialog box appears.
  8. In the Local Gateway section, select By IP Address.
  9. Type the external IP address of your Firebox. For example, 198.51.100.3.
  10. From the External Interface drop-down list, select the external interface to use.
  11. In the Remote Gateway section, select Static IP address.
  12. In the IP Address text box, type the Azure gateway IP address. For example, 203.0.113.50.
  13. Select By IP Address.
  14. In the IP Address text box, type the Azure gateway ID. For example, 203.0.113.50.
    Screen shot of completed Gateway Settings page
  15. Click OK.
  16. Click the Phase 1 Settings tab.
  17. In the Transform Settings list, select the Phase1 Transform SHA1-3DES.
  18. Click Edit.
    The Phase 1 Transform dialog box appears.
  19. From the Encryption drop-down list, select AES (256-bit).
    Screen shot of the Phase1 Transform dialog box
  20. Click OK.
    SHA1-AES (256-bit) appears in the Phase 1 Transform list.
  21. Click OK.

Next, you must create a tunnel between your Firebox and the Azure virtual network. To reach more than one remote IP subnet through the VPN tunnel, you must add a tunnel route to each remote subnet from each local subnet that must access it.

To add a tunnel in Policy Manager:

  1. Select VPN > Branch Office Tunnels.
  2. Click Add.
    The New Tunnel dialog box appears.
  3. In the Tunnel Name text box, type a name to identify the tunnel.
  4. From the Gateway drop-down list, select the gateway you just created.
  5. On the Addresses tab, click Add.
    The Tunnel Route Settings dialog box appears.
  6. In the Local text box, type the network IP address of the trusted network on your Firebox. For example, 10.0.1.0/24.
  7. In the Remote text box, type the network IP address of the address space for your Azure virtual network. For example, 172.16.0.0/16.
    Screen shot of Tunnel Route Settings dialog box
  8. Click OK.
    The Addresses list is populated.
    Screen shot of newly added tunnel
  9. To enable VPN access to another remote subnet, repeat Steps 2–8 to add another tunnel route from the local subnet to the other remote subnet. Do not change the settings on the Phase 2 Settings tab. The default Phase 2 settings match the settings for Microsoft Azure VPN.
  10. Click OK.
  11. Click Close.
  12. Save the configuration to your Firebox.
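Both the Web UI and the Policy Manager tunnel procedures above carry the same two rules: the tunnel route addresses must be network addresses in the form shown (10.0.1.0/24, 172.16.0.0/16), and when several local or remote subnets are involved you need one tunnel route for every local/remote pair. The following added example (not WatchGuard code) checks the gateway and subnet values from the article's example configuration and produces the full list of tunnel routes to enter. The second local subnet, 10.0.2.0/24, and the function names are this example's own constructions.

```python
"""Validate BOVPN gateway addresses and tunnel route subnets, then list every
local/remote tunnel route required.  Added example, not WatchGuard code."""
import ipaddress
from itertools import product


def network_errors(texts):
    """One error string per entry that is not a valid network address.

    strict=True rejects a host address (10.0.1.5/24) typed where the network
    address belongs, and a typo such as 172.16.0.0./16 fails to parse at all.
    """
    errors = []
    for text in texts:
        try:
            ipaddress.ip_network(text.strip(), strict=True)
        except ValueError as exc:
            errors.append(f"{text!r}: {exc}")
    return errors


def gateway_errors(firebox_ip, azure_ip):
    """Both gateway endpoints must be valid addresses and must differ."""
    errors, parsed = [], {}
    for label, text in (("Firebox", firebox_ip), ("Azure", azure_ip)):
        try:
            parsed[label] = ipaddress.ip_address(text.strip())
        except ValueError as exc:
            errors.append(f"{label} gateway {text!r}: {exc}")
    if len(parsed) == 2 and parsed["Firebox"] == parsed["Azure"]:
        errors.append("Firebox and Azure gateway addresses are identical")
    return errors


def plan_tunnel_routes(local_networks, remote_networks):
    """Return [(local, remote), ...]: one tunnel route for every local/remote pair.

    Raises ValueError if a subnet is malformed or if a local subnet overlaps a
    remote one, since overlapping selectors leave the route ambiguous.
    """
    errors = network_errors(list(local_networks) + list(remote_networks))
    if errors:
        raise ValueError("; ".join(errors))
    locals_ = [ipaddress.ip_network(n.strip()) for n in local_networks]
    remotes = [ipaddress.ip_network(n.strip()) for n in remote_networks]
    routes = []
    for loc, rem in product(locals_, remotes):
        if loc.overlaps(rem):
            raise ValueError(f"local {loc} overlaps remote {rem}")
        routes.append((str(loc), str(rem)))
    return routes


# Values from the article's example configuration; 10.0.2.0/24 is a constructed
# second trusted subnet to show that each local subnet needs its own route.
FIREBOX_GATEWAY = "198.51.100.3"
AZURE_GATEWAY = "203.0.113.50"
LOCAL_NETWORKS = ["10.0.1.0/24", "10.0.2.0/24"]
AZURE_NETWORKS = ["172.16.0.0/16"]

if __name__ == "__main__":
    for problem in gateway_errors(FIREBOX_GATEWAY, AZURE_GATEWAY):
        print("gateway:", problem)
    for problem in network_errors(["172.16.0.0./16", "10.0.1.5/24"]):
        print("rejected:", problem)
    for local, remote in plan_tunnel_routes(LOCAL_NETWORKS, AZURE_NETWORKS):
        print(f"tunnel route: Local {local} -> Remote {remote}")
```

Each pair that `plan_tunnel_routes` returns corresponds to one pass through the Addresses > Add steps above (Local text box, Remote text box, OK); the Phase 2 Settings tab is left at its defaults for every route.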

See Also

VPN Tunnel Status and Subscription Services
Configure IPSec VPN Phase 1 Settings
Configure Phase 2 Settings
Monitor and Troubleshoot BOVPN Tunnels