BOVPN Virtual Interface Examples

When you configure a branch office VPN as a virtual interface, the Firebox sends a packet through the tunnel based on the outgoing interface for the packet. The BOVPN virtual interface is in the routing table, and the decision about whether to send traffic through the VPN tunnel is affected by static and dynamic routes, and by policy-based routing. This provides flexibility in how you can configure the Firebox to use a BOVPN tunnel.

Because a BOVPN virtual interface is considered another interface in the configuration, it provides many flexible configuration and routing options. The subsequent sections include three configuration options that show some of the methods you can use to configure a Firebox to use a BOVPN virtual interface to achieve different objectives.

Metric-Based VPN Failover and Failback

Diagram showing an MPLS and BOVPN connection between two sites

Objective

For two sites that are connected with an MPLS link, enable traffic to automatically failover and failback to a secondary branch office VPN connection over an IP network.

Configuration Summary

  • Configure the external interfaces for the primary connection between the two sites over the MPLS network. The primary connection must use dynamic routing, or must be configured as a BOVPN virtual interface. This is required so the primary route either gets a higher metric or is removed from the routing table when the primary connection is not available.
  • Configure a BOVPN virtual interface for the secondary link between the two sites.
  • Add a BOVPN virtual interface static route, and set a high metric (for example, 200) for the route.

For a detailed configuration example, see BOVPN Virtual Interface with Metric-Based Failover.

How it works

With this configuration, there are two routes between the two sites: one over the MPLS network, and another static route through the BOVPN virtual interface. When two routes to the same destination are available, the Firebox sends the packet on the route with the higher priority, which is the route with the lower metric. Because the BOVPN virtual interface route has a high metric, the Firebox uses the primary route through the MPLS link when it is available. If the MPLS link is not available, the primary route is either removed from the routing table or is assigned a higher metric than the route for the secondary BOVPN virtual interface. The Firebox then uses the route for the secondary BOVPN virtual interface, because it now has the lowest route metric. When the MPLS route is available again, the Firebox automatically fails back to that route, because it again has the lower metric.

You could use a similar configuration to enable automatic failover and failback between two BOVPN virtual interfaces. To enable automatic failover and failback, create two BOVPN virtual interfaces, with a static route for each, and set the metric for the preferred BOVPN route lower than the metric for the backup BOVPN route.

BOVPN Virtual Interface with Dynamic Routing

Diagram of a BOVPN connection between two sites, each with multiple local networks

Objective

Enable two sites to dynamically exchange information about multiple local networks through a secure VPN tunnel. With this configuration, you do not have to manually add and maintain explicitly configured routes between all the private networks at each site.

To configure dynamic routing with BGP to Microsoft Azure, you must use Microsoft PowerShell. Dynamic routing with OSPF to a Microsoft Azure virtual network is not supported. For more information, see BOVPN Virtual Interface for Dynamic Routing to Microsoft Azure.

Dynamic routing with OSPF to an Amazon Web Services virtual network is not supported. For more information, see BOVPN Virtual Interface for Dynamic Routing to Amazon Web Services (AWS).

Configuration summary

  • Configure a branch office VPN between the two sites as a BOVPN virtual interface. On the VPN Routes tab, configure virtual IP addresses. Make sure to select the Start Phase 1 tunnel when it is inactive check box.
  • Enable dynamic routing between the two sites. In the dynamic routing configuration, use the virtual IP addresses as the peer network IP addresses.
    • For OSPF, use the network command, and configure the peer virtual IP address with a /32 netmask.
      For example: network <peer_virtual_ip>/32 area 0.0.0.0
    • For BGP, use the neighbor command with the peer virtual IP address.
      For example: neighbor <peer_virtual_ip> remote-as 65535
  • Use dynamic routing commands to configure which local networks each device propagates routes for. To control the dynamic routes, you can use the Interface Cost for OSPF or the Local Preference for BGP. For OSPF, the lower the Interface Cost, the more preferred the route is. For BGP, the higher the Local Preference, the more preferred the route is.

For detailed BOVPN configuration examples with dynamic routing see:

How it works

The BOVPN virtual interface makes a connection between the two sites. Each site propagates routes for the local networks, based on the dynamic routing configuration. The dynamic routing protocol enables each of the gateways to automatically learn the routes to the local networks behind the gateway at the other end of the BOVPN tunnel. The dynamic routing protocol you choose specifies whether the routes are preferred based on Interface Cost, Local Preference, or both.

BOVPN Virtual Interface with Policy-Based Routing

Diagram of two sites connected by two BOVPN links, one high latency, one low latency

Objective

One site (Site A) has a single external interface and two branch office VPN gateways to another site (Site B) that has two external interfaces. The two network connections at Site B have different quality or cost. The objective is to send latency-sensitive traffic, such as VoIP, through the tunnel over the network with the lowest latency, and to send all other traffic, such as FTP, through the other tunnel route.

Configuration Summary

On the Site A device:

  • Configure a BOVPN virtual interface between Site A and the Site B external interface that uses the low-latency link. On the VPN Route tab, you do not have to add routes. The first BOVPN virtual interface is bvpn1. Make sure to select the Start Phase 1 tunnel when it is inactive check box in the BOVPN virtual interface configuration.
  • Configure another BOVPN virtual interface between Site A and the second External interface at Site B. The second BOVPN virtual interface is bvpn2. You can add routes for other traffic.
  • Edit the SIP policy for VoIP traffic.
    • In the From list, add the network address of the local network where traffic handled by this policy originates.
    • In the To list, add the network address of the trusted or optional network at the remote site where traffic handled by this policy is routed.
    • Enable policy-based routing. Select the BOVPN virtual interface with a lower latency for this policy.
  • For all other traffic, you can define either static routes, or dynamic routes, and use the other BOVPN virtual interface that has higher latency.

On the Site B device:

  • Configure a BOVPN virtual interface between the first External interface at Site B and Site A. Again, on the VPN Route tab you do not have to add routes. This is bvpn1 and again is the low-latency link in this example. Make sure that the Start Phase 1 tunnel when it is inactive check box is selected.
  • Configure a BOVPN virtual interface between Site A and the second External interface at Site B. This is bvpn2. You can add routes for other traffic.
  • Edit the SIP policy for VoIP traffic.
    • In the From list, add the network address of the local network where traffic handled by this policy originates.
    • In the To list, add the network address of the trusted or optional network at the remote site where traffic handled by this policy is routed.
    • Enable policy-based routing. Select the BOVPN virtual interface with a lower latency for this policy.
  • For all other traffic, you can define either static routes, or dynamic routes, and use the other BOVPN virtual interface that has higher latency.

For a detailed configuration example, see BOVPN Virtual Interface with Policy-Based Routing.

How it Works

The two BOVPN virtual interfaces each make a connection between the two sites. The source and destination addresses are specified by the policy, in this example the SIP policy. Although the routes are not defined in the BOVPN virtual interface settings, the SIP policy uses policy-based routing (PBR) to redirect traffic through the tunnel that has the lower latency connection. This encrypts the packets and sends the traffic through the tunnel. This configuration does not provide failover to the other tunnel, because you cannot configure PBR failover from a BOVPN virtual interface to another BOVPN virtual interface.

If all VoIP traffic originates from Site A, you do not have to configure policy-based routing in the policy at Site B. For SIP connections that originate at Site A and go to Site B through the tunnel, the response traffic is automatically sent through the same tunnel through which it was received.
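The following Python model is an added illustration, not WatchGuard code and not part of this page. It shows the two egress decisions described on this page: the metric-based failover and failback from the first example (longest prefix match, then lowest metric, with the primary route either withdrawn or given a higher metric), and the policy-based routing (PBR) from this example, where a policy match pins traffic to a chosen BOVPN virtual interface ahead of the routing table. The interface names mpls, bvpn1 and bvpn2, all addresses, metrics and the SIP port are constructed sample values; treating PBR-pinned traffic as having no path when its interface is down is this model's reading of the statement above that PBR does not fail over between two BOVPN virtual interfaces.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass
class Route:
    prefix: IPv4Network
    interface: str
    metric: int          # lower metric = higher priority


@dataclass
class Policy:
    name: str
    src: IPv4Network     # the policy's From list
    dst: IPv4Network     # the policy's To list
    dst_port: int        # constructed: 5060 stands in for the SIP policy
    pbr_interface: str   # interface selected under policy-based routing


@dataclass
class Firebox:
    """Constructed model of egress selection: PBR first, then the routing table."""
    routes: list
    policies: list = field(default_factory=list)
    link_up: dict = field(default_factory=dict)   # interface -> up? (default up)

    def is_up(self, iface: str) -> bool:
        return self.link_up.get(iface, True)

    def route_lookup(self, dst: IPv4Address):
        # Only routes whose interface is up stay in the table; among matching
        # routes, prefer the longest prefix, then the lowest metric.
        usable = [r for r in self.routes if dst in r.prefix and self.is_up(r.interface)]
        if not usable:
            return None
        best = max(usable, key=lambda r: (r.prefix.prefixlen, -r.metric))
        return best.interface

    def egress(self, src: str, dst: str, dst_port: int):
        s, d = ip_address(src), ip_address(dst)
        for p in self.policies:
            if s in p.src and d in p.dst and dst_port == p.dst_port:
                # PBR pins this policy's traffic to one BOVPN virtual interface.
                # Assumption: with no PBR failover to another BOVPN virtual
                # interface, the packet has no path when that interface is down.
                return p.pbr_interface if self.is_up(p.pbr_interface) else None
        return self.route_lookup(d)


def failover_scenario():
    """Metric-based failover and failback between an MPLS route and bvpn1."""
    fb = Firebox(routes=[
        Route(ip_network("10.2.0.0/16"), "mpls", 10),    # primary (dynamic) route
        Route(ip_network("10.2.0.0/16"), "bvpn1", 200),  # secondary static route, high metric
    ])
    path = [fb.egress("10.1.0.5", "10.2.0.9", 80)]        # both up -> mpls
    fb.link_up["mpls"] = False                            # MPLS down: primary route withdrawn
    path.append(fb.egress("10.1.0.5", "10.2.0.9", 80))    # -> bvpn1
    fb.link_up["mpls"] = True                             # MPLS back: automatic failback
    path.append(fb.egress("10.1.0.5", "10.2.0.9", 80))    # -> mpls
    fb.routes[0].metric = 300                             # other case: primary gets a higher metric
    path.append(fb.egress("10.1.0.5", "10.2.0.9", 80))    # -> bvpn1
    return path


def pbr_scenario():
    """SIP traffic steered to low-latency bvpn1 by PBR; everything else routed via bvpn2."""
    fb = Firebox(
        routes=[Route(ip_network("10.2.0.0/16"), "bvpn2", 10)],
        policies=[Policy("SIP", ip_network("10.1.0.0/16"), ip_network("10.2.0.0/16"), 5060, "bvpn1")],
    )
    result = {
        "sip": fb.egress("10.1.0.5", "10.2.0.9", 5060),   # PBR -> bvpn1
        "ftp": fb.egress("10.1.0.5", "10.2.0.9", 21),     # routing table -> bvpn2
    }
    fb.link_up["bvpn1"] = False
    result["sip_bvpn1_down"] = fb.egress("10.1.0.5", "10.2.0.9", 5060)  # None: no PBR failover
    result["ftp_bvpn1_down"] = fb.egress("10.1.0.5", "10.2.0.9", 21)    # bvpn2, unaffected
    return result


if __name__ == "__main__":
    print("failover/failback path:", failover_scenario())
    print("policy-based routing:", pbr_scenario())
```

The failover scenario exercises both mechanisms the first example names (the primary route disappearing from the table, and the primary route keeping a higher metric), and the PBR scenario shows why the SIP policy keeps working through bvpn1 while FTP follows the table to bvpn2, and what the lack of PBR failover means when bvpn1 is down.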

See Also

About Data Loss Prevention

About Dynamic Routing

Configure Policy-Based Routing
