BOVPN Virtual Interface with Dynamic Routing

One reason to use a BOVPN virtual interface is to enable the Firebox to use dynamic routing to learn the routes to private networks on a peer Firebox, or on a third-party endpoint, through the VPN tunnel. When you use dynamic routing with a BOVPN virtual interface, the device at each end of the tunnel automatically learns the routes to networks advertised by the other gateway.

To configure dynamic routing with BGP to Microsoft Azure, you must use Microsoft PowerShell. Dynamic routing with OSPF to Microsoft Azure is not currently supported. For more information, see BOVPN Virtual Interface for Dynamic Routing to Microsoft Azure.

Example Scenario

This example shows the configuration settings for a BOVPN virtual interface and dynamic routing between two Fireboxes at Site A and Site B. The two sites use OSPF to dynamically update routes through the BOVPN virtual interface.

Site A Firebox

For this example, the Site A Firebox has two external interfaces, one trusted network, and four optional networks.

Interface  Type      Name        IP Address
0          External  External    203.0.113.2/24
1          Trusted   Trusted     10.0.1.1/24
2          Optional  Optional-1  10.0.2.1/24
3          Optional  Optional-2  10.0.3.1/24
4          Optional  Optional-3  10.0.4.1/24
5          Optional  Optional-4  10.0.5.1/24
6          External  External-2  190.0.2.2/24

The administrator at Site A wants to propagate routes for the Trusted, Optional-1, and Optional-2 networks through the BOVPN tunnel, but does not want to propagate routes for the Optional-3 and Optional-4 networks.

Site B Firebox

For this example, the Site B Firebox has one external interface, one trusted network, and three optional networks.

Interface  Type      Name        IP Address
0          External  External    198.51.100.2/24
1          Trusted   Trusted     10.50.1.1/24
2          Optional  Optional-1  10.50.2.1/24
3          Optional  Optional-2  10.50.3.1/24
4          Optional  Optional-3  10.50.4.1/24

The administrator at Site B wants to propagate routes for the Trusted and Optional-1 networks through the BOVPN tunnel, but does not want to propagate routes for the Optional-2 and Optional-3 networks.

BOVPN Virtual Interface Configuration

The BOVPN virtual interface on each Firebox device must be configured to use the same settings. For this example, we assume that Site A and Site B agree to use a pre-shared key and to use these IP addresses for the BOVPN virtual interface:

Site A BOVPN virtual interface local IP address: 10.1.1.1

Site B BOVPN virtual interface local IP address: 10.2.2.2

All other BOVPN virtual interface settings remain at the default values.

Site A BOVPN Virtual Interface Configuration

The Gateway Settings tab of the BOVPN virtual interface configuration uses these settings:

  • In Fireware v11.12 or higher, the Remote Endpoint Type drop-down list offers two options: Firebox, and Cloud VPN or Third-Party Gateway. To configure a tunnel between two Firebox devices, select the Firebox endpoint type, which carries the tunnel traffic as GRE inside the IPSec tunnel (GRE over IPSec). GRE itself provides no encryption or integrity protection; the IPSec tunnel is what protects the traffic.
  • The Credential Method uses the pre-shared key the two sites agreed upon.
  • The Gateway Endpoints list includes two gateway endpoint pairs, one for each external interface at Site A.
    • First gateway endpoint pair
      • Local Gateway: 203.0.113.2 (the IP address of the first external interface on the Site A Firebox device)
      • Remote Gateway: 198.51.100.2 (the external interface IP address of the Site B Firebox device)
    • Second gateway endpoint pair
      • Local Gateway: 190.0.2.2 (the IP address of the second external interface on the Site A Firebox device)
      • Remote Gateway: 198.51.100.2 (the external interface IP address of the Site B Firebox device)

Screen shot of the BOVPN Virtual Interfaces page, Gateway Settings tab
Site A gateway configuration in Fireware Web UI.

Screen shot of the New BOVPN Virtual Interface dialog box, Gateway Settings tab
Site A gateway configuration in Policy Manager.

The VPN Routes tab of the BOVPN virtual interface configuration uses these settings:

  • Assign virtual IP addresses: Enabled
  • Local IP address: 10.1.1.1
  • Peer IP address: 10.2.2.2

Screen shot of the BOVPN Virtual Interfaces page, VPN Routes tab
Site A VPN routes in Fireware Web UI.

Screen shot of the New BOVPN Virtual Interface dialog box, VPN Routes tab
Site A VPN routes in Policy Manager.

The Site B Firebox device must use the same interface IP addresses, except that the local and peer IP addresses are reversed.

Site B BOVPN Virtual Interface Configuration

The configuration at Site B is exactly the same as at Site A, except that the local and remote gateway IP addresses are reversed, and the local and peer IP addresses are reversed.

The Gateway Settings tab of the BOVPN virtual interface configuration uses these settings:

  • In Fireware v11.12 or higher, the Remote Endpoint Type drop-down list offers two options: Firebox, and Cloud VPN or Third-Party Gateway. As at Site A, select the Firebox endpoint type, which carries the tunnel traffic as GRE inside the IPSec tunnel (GRE over IPSec).
  • The Credential Method uses the pre-shared key the two sites agreed upon.
  • The Gateway Endpoints list includes two gateway endpoint pairs, one for each external interface at Site A (the remote gateway). Both pairs use the single Site B external interface as the local gateway.
    • First gateway endpoint pair
      • Local Gateway: 198.51.100.2 (the external interface IP address of the Site B Firebox device)
      • Remote Gateway: 203.0.113.2 (the IP address of the first external interface on the Site A Firebox device)
    • Second gateway endpoint pair
      • Local Gateway: 198.51.100.2 (the external interface IP address of the Site B Firebox device)
      • Remote Gateway: 190.0.2.2 (the IP address of the second external interface on the Site A Firebox device)

Screen shot of the BOVPN Virtual Interfaces page, Gateway Settings tab
Site B gateway configuration in Fireware Web UI.

Screen shot of the New BOVPN Virtual Interface dialog box, Gateway Settings tab
Site B gateway configuration in Policy Manager.

The VPN Routes tab of the BOVPN virtual interface configuration uses these settings:

  • Assign virtual IP addresses: Enabled
  • Local IP address: 10.2.2.2
  • Peer IP address: 10.1.1.1

Screen shot of the BOVPN Virtual Interfaces page, VPN Routes tab
Site B VPN routes in Fireware Web UI.

Screen shot of the New BOVPN Virtual Interface dialog box, VPN Routes tab
Site B VPN routes in Policy Manager.

Dynamic Routing Configuration

After you define virtual interface IP addresses, you can use them in the dynamic routing configuration.

In the OSPF configuration:

  • Use the Peer IP address from the BOVPN virtual interface configuration to refer to the point-to-point network between the two Fireboxes. The /32 for the peer address identifies the tunnel link itself; it is not one of the private networks to be advertised.
  • Use the Device Name (bvpn1) assigned to the BOVPN virtual interface to refer to the BOVPN interface in interface-specific OSPF settings.

In this example configuration, Site A propagates routes for the Trusted, Optional-1 and Optional-2 local networks. Site B propagates routes for the Trusted and Optional-1 local networks.

This example shows two options to configure OSPF on each Firebox.

After the configuration files are saved to the devices at Site A and Site B, the BOVPN tunnel becomes active and dynamic routes are propagated through the tunnel.

See Dynamic Network Routes

After the BOVPN tunnel is established, each device uses OSPF to learn the routes to the connected networks propagated by the peer device.

You can see the learned routes in WatchGuard System Manager and Firebox System Manager when you expand the BOVPN virtual interface for each Firebox device.

For the Firebox device at Site A, Firebox System Manager shows two entries under the Route to section. These correspond to the two private networks that were specified in the Site B OSPF configuration.

10.50.1.0/24 metric 20
10.50.2.0/24 metric 20

Screen shot of Firebox System Manager front panel tab Branch Office VPN tunnels at Site A

For the Firebox device at Site B, Firebox System Manager shows three entries under the Route to section. These correspond to the three private networks that were specified in the Site A OSPF configuration.

10.0.1.0/24 metric 20
10.0.2.0/24 metric 20
10.0.3.0/24 metric 20

Screen shot of Firebox System Manager front panel tab Branch Office VPN tunnels at Site B

In the Firebox System Manager Status Report tab, the dynamic network routes appear in the IPv4 Routes section. For more information about the route table, see Read the Firebox Route Tables.

In Fireware Web UI, the learned network routes appear in the route table for each Firebox. To see the routes, select System Status > Routes. For more information about the routes table in Fireware Web UI, see Routes.

The interface name used for routes that use the BOVPN virtual interface is the Device Name that is automatically assigned when you create the BOVPN virtual interface. The name of the first BOVPN virtual interface is bvpn1.

For this example, the routes that use the bvpn1 interface at Site A are:

Destination  Interface  Gateway   Description
10.2.2.2     bvpn1      0.0.0.0   The BOVPN virtual interface peer IP address
10.50.1.0    bvpn1      10.2.2.2  Route learned from Site B
10.50.2.0    bvpn1      10.2.2.2  Route learned from Site B

For this example, the routes that use the bvpn1 interface at Site B are:

Destination  Interface  Gateway   Description
10.1.1.1     bvpn1      0.0.0.0   The BOVPN virtual interface peer IP address
10.0.1.0     bvpn1      10.1.1.1  Route learned from Site A
10.0.2.0     bvpn1      10.1.1.1  Route learned from Site A
10.0.3.0     bvpn1      10.1.1.1  Route learned from Site A
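OSPF installs whatever prefixes the peer advertises over bvpn1, so the agreement above (Site B sends only Trusted and Optional-1, Site A sends only Trusted, Optional-1 and Optional-2) is enforced by nothing but each administrator's own OSPF configuration. The following script is an added example, not code from the page or from Fireware: it derives the routes each site should learn from the other site's OSPF network statements and audits a route table for prefixes the peer never agreed to send, prefixes that overlap local networks, and routes with the wrong next hop. It assumes Fireware's dynamic routing configuration uses Quagga-style syntax (network A.B.C.D/M area X); the OSPF configurations and the Site A route table below are constructed for this example, with one extra 10.50.4.0/24 row (Site B's Optional-3, which Site B agreed not to propagate) added so that the detection has something to catch.

```python
"""Added example (not from the WatchGuard page or from Fireware itself):
derive the routes each Firebox should learn over bvpn1 from the peer's OSPF
configuration, then audit a route table for anything the peer should not
have advertised. Assumption: the dynamic routing configuration is
Quagga-style text, where 'network A.B.C.D/M area X' marks the networks a
site puts into OSPF. The route table below is constructed from the tables on
the page, with one extra prefix added to show a detection."""

import ipaddress
import re

# Assumed Site A OSPF configuration. The /32 names the point-to-point link
# by its peer address (as the page describes); Optional-3 and Optional-4
# have no 'network' line, so OSPF never advertises them.
SITE_A_OSPF = """
router ospf
 ospf router-id 10.1.1.1
 network 10.2.2.2/32 area 0.0.0.0
 network 10.0.1.0/24 area 0.0.0.0
 network 10.0.2.0/24 area 0.0.0.0
 network 10.0.3.0/24 area 0.0.0.0
"""

# Assumed Site B OSPF configuration: Trusted and Optional-1 only.
SITE_B_OSPF = """
router ospf
 ospf router-id 10.2.2.2
 network 10.1.1.1/32 area 0.0.0.0
 network 10.50.1.0/24 area 0.0.0.0
 network 10.50.2.0/24 area 0.0.0.0
"""

# Constructed Site A route table in the page's Destination/Interface/Gateway
# layout, with prefix lengths added. The 10.50.4.0/24 row is Site B's
# Optional-3, which Site B agreed NOT to propagate; it is here to be caught.
SITE_A_ROUTES = """
Destination    Interface  Gateway
10.2.2.2/32    bvpn1      0.0.0.0
10.50.1.0/24   bvpn1      10.2.2.2
10.50.2.0/24   bvpn1      10.2.2.2
10.50.4.0/24   bvpn1      10.2.2.2
10.0.1.0/24    eth1       0.0.0.0
"""

# Site A's own networks (Trusted plus Optional-1 through Optional-4).
SITE_A_LOCAL = [ipaddress.ip_network(f"10.0.{n}.0/24") for n in range(1, 6)]

NETWORK_RE = re.compile(r"^\s*network\s+(\S+)\s+area\s+\S+\s*$", re.MULTILINE)
ROUTE_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)")


def advertised_prefixes(ospf_config, peer_ip):
    """Networks a site injects into OSPF: every 'network' statement except
    the /32 that only names the bvpn1 link to peer_ip."""
    nets = {ipaddress.ip_network(p) for p in NETWORK_RE.findall(ospf_config)}
    nets.discard(ipaddress.ip_network(f"{peer_ip}/32"))
    return nets


def bvpn_routes(route_table, iface="bvpn1"):
    """Map prefix -> gateway for routes learned through iface. The row whose
    gateway is 0.0.0.0 is the connected peer address, not a learned route."""
    learned = {}
    for line in route_table.strip().splitlines():
        m = ROUTE_RE.match(line)
        if not m or m.group(2) != iface or m.group(3) == "0.0.0.0":
            continue
        learned[ipaddress.ip_network(m.group(1))] = ipaddress.ip_address(m.group(3))
    return learned


def audit_learned_routes(route_table, peer_advertises, local_prefixes, peer_ip):
    """Compare what bvpn1 carries with what the peer agreed to advertise.
    OSPF installs whatever the peer sends, so the peer can widen its reach
    (unexpected) or pull local traffic into the tunnel (overlapping) simply
    by adding 'network' lines; this check makes that visible."""
    learned = bvpn_routes(route_table)
    peer_gw = ipaddress.ip_address(peer_ip)
    return {
        "missing": {str(p) for p in set(peer_advertises) - set(learned)},
        "unexpected": {str(p) for p in set(learned) - set(peer_advertises)},
        "overlapping": {str(p) for p in learned
                        if any(p.overlaps(local) for local in local_prefixes)},
        "wrong_gateway": {str(p) for p, gw in learned.items() if gw != peer_gw},
    }


def audit_site_a():
    """Run the audit at Site A against the constructed data above."""
    agreed = advertised_prefixes(SITE_B_OSPF, peer_ip="10.1.1.1")
    return audit_learned_routes(SITE_A_ROUTES, agreed, SITE_A_LOCAL, peer_ip="10.2.2.2")


if __name__ == "__main__":
    for key, prefixes in audit_site_a().items():
        print(f"{key:14s} {sorted(prefixes) or '-'}")
```

Run against the constructed Site A table, the audit reports 10.50.4.0/24 as unexpected and nothing else; the same function applied at Site B (with SITE_A_OSPF as the agreed set and Site B's networks as local) would flag any of Site A's Optional-3 or Optional-4 prefixes if they ever appeared. The overlapping check is the one to watch most closely: a peer that advertises one of your own local prefixes with a longer mask can draw that traffic into the tunnel.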

See Also

Configure a BOVPN Virtual Interface

Configure IPv4 Routing with OSPF

BOVPN Virtual Interface Examples

BOVPN Virtual Interface for Dynamic Routing to Microsoft Azure

BOVPN Virtual Interface for Static Routing to Microsoft Azure
