BOVPN Virtual Interface for Static Routing to Microsoft Azure
In Fireware v11.12 and higher, you can configure a BOVPN virtual interface to connect your Firebox to a Microsoft Azure virtual network. This configuration uses an endpoint type that supports wildcard traffic selectors, and establishes an IPSec tunnel without the GRE tunneling protocol.
You can configure static or dynamic routing to Microsoft Azure. For information about dynamic routing to Azure, see BOVPN Virtual Interface for Dynamic Routing to Microsoft Azure.
This example shows the configuration settings for a BOVPN virtual interface and static routing between a Firebox at Site A, and a Microsoft Azure virtual network at Site B. For detailed instructions, see Configure a route-based VPN connection to a Microsoft Azure virtual network (Fireware v11.12 and higher) in the WatchGuard Knowledge Base.
Site A Firebox
For this example, the Firebox at Site A has one external interface and one trusted network.
Site B (Microsoft Azure)
For this example, the Microsoft Azure virtual network at Site B has one external virtual interface and one trusted virtual network.
BOVPN Virtual Interface Configuration
For this example, we assume that Site A and Site B agree to use a pre-shared key.
On your Firebox, you must change the default Phase 1 settings from IKEv1 to IKEv2. Static VPN routes between your Firebox and Azure require IKEv2.
All other BOVPN virtual interface settings can remain at the default values.
Site A BOVPN Virtual Interface Configuration
The Gateway Settings tab of the BOVPN virtual interface configuration uses these settings:
- In Fireware v11.12 or higher, a Remote Endpoint Type drop-down list appears that contains two choices: Firebox, and Cloud VPN or Third-Party Gateway. For this example, select the Cloud VPN or Third-Party Gateway endpoint type, which supports wildcard traffic selectors and does not use GRE.
- The Credential Method uses the pre-shared key the two sites agreed upon.
- The Gateway Endpoint settings are:
  - Local Gateway: 203.0.113.2 (the IP address of the external interface on the Site A Firebox)
  - Remote Gateway: 198.51.100.2 (the IP address of the external interface on the Site B Azure gateway)
Site A gateway configuration in Fireware Web UI.
Site A gateway configuration in Policy Manager.
The VPN Routes tab of the BOVPN virtual interface configuration uses these settings:
- Route to: 10.0.100.0/24
Site A static route configuration in Fireware Web UI.
Site A static route configuration in Policy Manager.
Site B BOVPN Virtual Interface Configuration
On your Microsoft Azure virtual network, the gateway settings are:
- Remote gateway: 203.0.113.2 (the IP address of the first external interface on the Firebox at Site A)
- Local gateway: 198.51.100.2 (the IP address of the external interface on the Azure gateway at Site B)
- VPN route: 10.0.1.0/24 (the IP address of the Site A network)
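The two sides of this example must mirror each other, and a mismatch usually shows up only as a tunnel that fails to pass traffic. The following pre-deployment check is an added example, not WatchGuard or Microsoft code. The addresses come from this page, while the dictionary layout, key names and the `check_tunnel` function are assumptions made for illustration.

```python
import ipaddress

# Addresses are the ones used on this page; the dict layout and keys are assumed.
SITE_A = {"local_gw": "203.0.113.2", "remote_gw": "198.51.100.2", "ike": "IKEv2",
          "local_net": "10.0.1.0/24", "route_to": "10.0.100.0/24"}   # Firebox
SITE_B = {"local_gw": "198.51.100.2", "remote_gw": "203.0.113.2",
          "local_net": "10.0.100.0/24", "route_to": "10.0.1.0/24"}   # Azure

def check_tunnel(a, b):
    """Return a list of mismatches between the two ends of the static-route tunnel."""
    problems = []
    for name, side, peer in (("Site A", a, b), ("Site B", b, a)):
        remote_gw = ipaddress.ip_address(side["remote_gw"])
        local_net = ipaddress.ip_network(side["local_net"])
        route = ipaddress.ip_network(side["route_to"])
        peer_net = ipaddress.ip_network(peer["local_net"])
        # Each side's remote gateway must be the other side's local gateway.
        if remote_gw != ipaddress.ip_address(peer["local_gw"]):
            problems.append(f"{name}: remote gateway is not the peer's local gateway")
        # The page requires IKEv2 in the Firebox Phase 1 settings.
        if "ike" in side and side["ike"] != "IKEv2":
            problems.append(f"{name}: Phase 1 is {side['ike']}, static routes to Azure require IKEv2")
        # The VPN route must point at the network behind the peer.
        if route != peer_net:
            problems.append(f"{name}: VPN route {route} does not match peer network {peer_net}")
        # A route that overlaps the local network pulls local traffic into the tunnel.
        if route.overlaps(local_net):
            problems.append(f"{name}: VPN route {route} overlaps local network {local_net}")
        # A route that covers the peer gateway would send IKE traffic into the tunnel itself.
        if remote_gw in route:
            problems.append(f"{name}: remote gateway {remote_gw} falls inside VPN route {route}")
    return problems

if __name__ == "__main__":
    for line in check_tunnel(SITE_A, SITE_B) or ["configuration is consistent"]:
        print(line)
```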