Configure BOVPN Virtual Interface IP Addresses

If you want to use a BOVPN virtual interface in your dynamic routing configuration, you must configure virtual interface IP addresses. For a BOVPN between two Fireboxes, these addresses define the endpoints of the GRE tunnel that encapsulates traffic through this BOVPN virtual interface.

For a BOVPN virtual interface to another Firebox, you specify two virtual interface IP addresses:

  • Local IP address — The IP address to use for the local end of the tunnel. It must match the Peer IP address configured on the Firebox at the other end of the tunnel.
  • Peer IP address or netmask — The IP address to use for the remote end of the tunnel. The Peer IP address must match the Local IP address configured on the Firebox at the other end of the tunnel. If it is a netmask, it must match the netmask configured on the third-party endpoint at the other end of the tunnel.

You configure these settings differently for a BOVPN between a Firebox and a third-party VPN peer. For more information, see Virtual Interface IP Addresses for a VPN to a Third-Party Endpoint.

We recommend that you select IP addresses in a private network IP address range that is not used by any local network or by any remote network connected through a VPN. This ensures that the addresses do not conflict with any other device. The private network ranges are:

  • 192.168.0.0/16
  • 172.16.0.0/12
  • 10.0.0.0/8

You can use the same local virtual interface IP address for more than one BOVPN virtual interface. This would be appropriate, for example, on the hub device in a hub/spoke VPN configuration that uses dynamic routing.

To use the same local virtual IP address for more than one BOVPN virtual interface, the Firebox must use Fireware XTM v11.9.3 or higher.

If you enable a BOVPN virtual interface for a FireCluster, make sure that the IP address does not conflict with the cluster interface IP addresses or the cluster management IP addresses.

When you configure dynamic routing for a BOVPN virtual interface, use the virtual interface IP addresses rather than the device name.
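The address rules above (mirrored Local and Peer addresses, a private range not used by any local or remote network, no FireCluster conflict) can be checked before you enter the values. The script below is an added example, not WatchGuard code; the function name, the dictionary layout, and all sample addresses are constructed for illustration.

```python
import ipaddress

# The three private ranges listed on this page.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]


def check_vif_plan(site_a, site_b, used_networks, cluster_ips=()):
    """Return a list of problems found in a Firebox-to-Firebox address plan.

    site_a / site_b: dicts with 'local' and 'peer' virtual interface IPs
                     (hypothetical structure, not a Firebox export format).
    used_networks:   CIDR strings for every local network and every remote
                     network reachable through a VPN.
    cluster_ips:     FireCluster interface and management IP addresses.
    """
    problems = []
    # Each side's Local IP must equal the Peer IP set on the other side.
    for name, near, far in (("A", site_a, site_b), ("B", site_b, site_a)):
        if ipaddress.ip_address(near["local"]) != ipaddress.ip_address(far["peer"]):
            problems.append(f"site {name} local {near['local']} != "
                            f"other side's peer {far['peer']}")
    nets = [ipaddress.ip_network(n, strict=False) for n in used_networks]
    cluster = {ipaddress.ip_address(c) for c in cluster_ips}
    # Checking both Local addresses covers both ends of the tunnel.
    for addr in sorted({ipaddress.ip_address(site_a["local"]),
                        ipaddress.ip_address(site_b["local"])}):
        if not any(addr in r for r in PRIVATE_RANGES):
            problems.append(f"{addr} is outside the private ranges")
        for net in nets:
            if addr in net:
                problems.append(f"{addr} falls inside used network {net}")
        if addr in cluster:
            problems.append(f"{addr} conflicts with a FireCluster address")
    return problems


if __name__ == "__main__":
    # Constructed sample plan: 10.0.1.0/24 is a network already in use.
    used = ["10.0.1.0/24", "10.0.2.0/24", "192.168.50.0/24"]
    bad = check_vif_plan({"local": "10.0.1.1", "peer": "172.30.0.2"},
                         {"local": "172.30.0.2", "peer": "10.0.1.10"},
                         used, cluster_ips=["172.30.0.2"])
    for p in bad:
        print("problem:", p)
```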

See Also

About Dynamic Routing
