BOVPN Virtual Interface for Static Routing to Microsoft Azure

In Fireware v11.12 and higher, you can configure a BOVPN virtual interface to connect your Firebox to a Microsoft Azure virtual network. This configuration uses an endpoint type that supports wildcard traffic selectors, and establishes an IPSec tunnel without the GRE tunneling protocol.

You can configure static or dynamic routing to Microsoft Azure. For information about dynamic routing to Azure, see BOVPN Virtual Interface for Dynamic Routing to Microsoft Azure.

Example Scenario

This example shows the configuration settings for a BOVPN virtual interface and static routing between a Firebox at Site A, and a Microsoft Azure virtual network at Site B. For detailed instructions, see Configure a route-based VPN connection to a Microsoft Azure virtual network (Fireware v11.12 and higher) in the WatchGuard Knowledge Base.

Site A Firebox

For this example, the Firebox at Site A has one external interface and one trusted network.

Interface   Type       Name       IP Address
0           External   External   203.0.113.2/24
1           Trusted    Trusted    10.0.1.1/24

Site B (Microsoft Azure)

For this example, the Microsoft Azure virtual network at Site B has one external virtual interface and one trusted virtual network.

Interface   Type       Name       IP Address
0           External   External   198.51.100.2/24
1           Trusted    Trusted    10.0.100.1/24

BOVPN Virtual Interface Configuration

For this example, we assume that Site A and Site B agree to use a pre-shared key.

On your Firebox, you must change the default Phase 1 settings from IKEv1 to IKEv2. Static VPN routes between your Firebox and Azure require IKEv2.

All other BOVPN virtual interface settings can remain at the default values.

Site A BOVPN Virtual Interface Configuration

The Gateway Settings tab of the BOVPN virtual interface configuration uses these settings:

  • In Fireware v11.12 or higher, a Remote Endpoint Type drop-down list appears that contains two choices: Firebox, and Cloud VPN or Third-Party Gateway. For this example, select the Cloud VPN or Third-Party Gateway endpoint type, which supports wildcard traffic selectors and does not use GRE.
  • The Credential Method uses the pre-shared key the two sites agreed upon.
  • The Gateway Endpoint settings are:
    • Local Gateway: 203.0.113.2 (the IP address of the external interface on the Site A Firebox)
    • Remote Gateway: 198.51.100.2 (the IP address of the external interface on the Site B Azure gateway)

[Screenshot: Site A gateway configuration in Fireware Web UI]

[Screenshot: Site A gateway configuration in Policy Manager]

The VPN Routes tab of the BOVPN virtual interface configuration uses these settings:

  • Route to: 10.0.100.0/24

[Screenshot: Site A static route configuration in Fireware Web UI]

[Screenshot: Site A static route configuration in Policy Manager]

Site B BOVPN Virtual Interface Configuration

On your Microsoft Azure virtual network, the gateway settings are:

  • Remote gateway: 203.0.113.2 (the IP address of the first external interface on the Firebox at Site A)
  • Local gateway: 198.51.100.2 (the IP address of the external interface on the Azure gateway at Site B)
  • VPN route: 10.0.1.0/24 (the IP address of the Site A network)
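
The two sites' settings must mirror each other, and a mismatch in gateway address, route, or IKE version keeps the tunnel from passing traffic. The following pre-deployment check is an added example, not WatchGuard or Microsoft code; the Site class and check_pair function are hypothetical names, and the values are the ones from this example scenario.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Site:  # hypothetical container, not a Fireware or Azure object
    name: str
    local_gateway: str      # public IP this side presents
    remote_gateway: str     # public IP this side expects from its peer
    trusted_interface: str  # trusted interface address with prefix length
    vpn_route: str          # static route sent into the tunnel
    ike_version: int

def check_pair(a, b):
    """Return a list of mismatches between the two ends; empty means consistent."""
    problems = []
    for me, peer in ((a, b), (b, a)):
        if me.ike_version != 2:
            problems.append(f"{me.name}: IKEv{me.ike_version} set, IKEv2 required")
        if ipaddress.ip_address(me.remote_gateway) != ipaddress.ip_address(peer.local_gateway):
            problems.append(f"{me.name}: remote gateway {me.remote_gateway} "
                            f"is not {peer.name} local gateway {peer.local_gateway}")
        try:
            # Strict parsing rejects a host address typed where a network belongs
            route = ipaddress.ip_network(me.vpn_route)
        except ValueError:
            problems.append(f"{me.name}: VPN route {me.vpn_route} is not a network address")
            continue
        own = ipaddress.ip_interface(me.trusted_interface).network
        remote = ipaddress.ip_interface(peer.trusted_interface).network
        if route.overlaps(own):
            problems.append(f"{me.name}: VPN route {route} overlaps local network {own}")
        elif route != remote:
            problems.append(f"{me.name}: VPN route {route} is not {peer.name} network {remote}")
    return problems

# Values from the example scenario on this page
SITE_A = Site("Site A", "203.0.113.2", "198.51.100.2", "10.0.1.1/24", "10.0.100.0/24", 2)
SITE_B = Site("Site B", "198.51.100.2", "203.0.113.2", "10.0.100.1/24", "10.0.1.0/24", 2)

if __name__ == "__main__":
    for line in check_pair(SITE_A, SITE_B) or ["configuration is consistent"]:
        print(line)
```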

See Also

BOVPN Virtual Interface for Dynamic Routing to Microsoft Azure

Configure a BOVPN Virtual Interface

BOVPN Virtual Interface with Policy-Based Routing

BOVPN Virtual Interface with Dynamic Routing