Contents

Related Topics

Configure VPN Modem Failover

If you have enabled modem failover on your Firebox, you can configure the branch office VPN to fail over to a modem if all external interfaces cannot connect. The branch office VPN failover to a modem can be useful in a situation where you have a central office that accepts branch office VPN connections from one or more remote offices that use a modem for failover.

Before You Begin

Before you can configure modem failover for a branch office VPN, you must first enable and configure modem failover in the network settings. For more information, see Configure Modem Failover. After you enable modem failover, you can select the Use modem for failover check box when you add or edit a branch office VPN gateway.

Screen shot of the Gateway Endpoints list, with the Use modem for failover check box circled
The Use modem for failover check box is visible in Policy Manager only after you enable modem failover.


In Fireware Web UI, you cannot select the Use Modem for failover check box unless you have already enabled modem failover.

Branch Office VPN Configuration Requirements

To use a modem for VPN failover, the branch office VPN gateway configuration must meet these requirements:

  • The VPN gateway configuration must include a gateway endpoint pair for each enabled physical external interface.
  • The local gateway for each gateway endpoint pair must use an ID (rather than an IP address) as the ID for tunnel authentication.
  • If the device has more than one external interface, the local gateway for each local external interface must use a unique ID for tunnel authentication.
  • The remote gateway must be reachable. Either of these configurations meet this requirement:
  • The remote gateway has a static IP address, and the remote gateway ID is the static IP address
  • The remote gateway has a dynamic IP address, and the remote gateway ID is a domain name that resolves to the dynamic IP address.

Because the device with modem failover enabled uses an ID for tunnel authentication, this device must initiate the VPN connection. This means that you cannot enable modem failover for both devices configured as gateway endpoints for the same branch office VPN tunnel.

Configure a Branch Office VPN Gateway for Modem Failover

For more information about these gateway endpoint settings, see Define Gateway Endpoints for a BOVPN Gateway.

For more information about Phase1 settings, see Configure IPSec VPN Phase 1 Settings.

Configure a BOVPN Virtual Interface for Modem Failover

You cannot use a modem for failover from a BOVPN virtual interface if any local gateway endpoint uses an interface that is not an external interface.

To configure a BOVPN Virtual interface for modem failover in Fireware Web UI or Policy Manager:

  1. Select VPN > BOVPN Virtual Interfaces.
  2. Click Add.
    The New BOVPN Virtual Interface dialog box appears.
  3. In the Interface Name text box, type a name for this BOVPN virtual interface.
  4. Select the Phase1 Settings tab.
  5. From the Mode drop-down list, select Aggressive, or Main fallback to Aggressive.
  6. Select the General Settings tab.
  7. Configure the VPN  credential method.
    For more information, see Configure a BOVPN Virtual Interface.
  8. In the Gateway Endpoints section, click Add.
    The Gateway Endpoints Settings dialog box appears.
  9. Configure the BOVPN virtual interface name and credential method.
    For more information, see Configure a BOVPN Virtual Interface.
  10. Configure the gateway endpoints as described in the previous section.

Configure the Gateway on the Remote Device

Configure the device at the other end of the tunnel to use the same authentication and Phase 1 settings. Make sure the domain name matches the name you configured on the first device. Do not select the Attempt to resolve domain check box, since this ID is not a resolvable domain name.

Screen shot of the Configure Domain for Gateway ID dialog box
Remote gateway configured to use a domain name in Policy Manager.

Screen shot of the Gateway Endpoint Setting tab, Remote Gateway, with a domain name configured
Remote gateway configured to use a domain name in Fireware Web UI.

Configure Tunnels

After you have configured your gateway, you configure tunnels between the gateway endpoints just as you would for any other branch office VPN. For more information, see Configure Manual BOVPN Tunnels.

About Modem Failover

A Firebox does not use the modem for the branch office VPN unless it cannot send traffic through any external interface. If all external interfaces are down, the device starts a modem connection between the two sites. It then initiates a VPN connection over the modem connection. The device uses the first local gateway ID configured for the external interface as the local gateway ID for the modem connection. Because the branch office VPN connection over a modem uses the same authentication ID as a connection from an external interface, there is no need to change the configuration of the remote gateway to enable a connection through the modem.

See Also

Configure VPN Failover

VPN Modem Failover and Multi-WAN

Give Us Feedback     Get Support     All Product Documentation     Technical Search