About BOVPN Virtual Interfaces
For greater flexibility and networking capabilities, you can configure a Branch Office VPN (BOVPN) as a virtual interface. A BOVPN virtual interface defines a BOVPN tunnel that is treated in the configuration like an interface. The Firebox uses the routes table to determine whether to route a packet through the BOVPN virtual interface or through another interface.
You can configure a BOVPN virtual interface tunnel between any two Fireboxes that run Fireware OS v11.8 or higher.
In Fireware v11.11 and higher, you can configure a BOVPN virtual interface to a third-party VPN endpoint with the GRE tunneling protocol. In Fireware v11.12 and higher, you can configure a BOVPN virtual interface to a third-party VPN endpoint or cloud-based endpoint without GRE. Supported endpoints include cloud-based virtual networks, such as Microsoft Azure, and Cisco VTI endpoints.
With a BOVPN virtual interface, you can:
- Add static routes for a BOVPN virtual interface
- Assign an IP address to the BOVPN virtual interface (required for dynamic routing)
- Use a BOVPN virtual IP address in the dynamic routing configuration
- Configure policies to send traffic through a BOVPN virtual interface
- Configure policy-based routing to use a BOVPN virtual interface
- Configure a BOVPN between two Fireboxes through any interface (Fireware v11.9.4 and higher)
- Configure a BOVPN between a Firebox and a third-party VPN endpoint that uses GRE (Fireware v11.11 and higher)
- Configure a BOVPN between a Firebox and a third-party VPN endpoint or a cloud-based endpoint, including Microsoft Azure or Cisco VTI, that does not use GRE (Fireware v11.12 and higher). Wildcard traffic selectors are supported.
- Configure a BOVPN between a Firebox and an Amazon AWS virtual network that includes redundant external IP addresses for the gateway (Fireware v11.12.2 and higher)
- Specify different pre-shared keys for each gateway endpoint on your Firebox (Fireware v11.12.2 and higher)
- Assign an IP address and netmask for dynamic routing to a third-party VPN endpoint (Fireware v11.11 and higher)
- Use IKEv2 for connections to a remote gateway (Fireware v11.11.2 and higher)
You cannot configure policy-based routing for failover from a BOVPN virtual interface or to a BOVPN virtual interface.
You can configure both BOVPN gateways and tunnels, and BOVPN virtual interfaces on your Firebox. You can configure each BOVPN gateway endpoint pair in a branch office VPN gateway or within a BOVPN virtual interface, but not both at the same time.
A BOVPN virtual interface provides greater scalability for organizations that have dynamic networks. This is because you do not need to change the BOVPN tunnel route configuration when network changes are made on one or both sides of the BOVPN tunnel. This is especially valuable if you have local networks behind the Fireboxes that were learned through routers, and you want these networks to be accessible through the BOVPN.
A BOVPN virtual interface supports multicast routing, but does not support broadcast routing.