Configure a BOVPN Virtual Interface

When you configure a BOVPN virtual interface, you configure the BOVPN gateway settings, VPN routes, and other VPN settings. For each BOVPN virtual interface, the Device Name (for example, bvpn1) is automatically assigned and is not configurable. The Device Name is used to identify this interface in the Status Report in Firebox System Manager.

To add a BOVPN Virtual Interface in the Web UI:

  1. Select VPN > BOVPN Virtual Interfaces.
    The list of BOVPN Virtual Interfaces appears.
  2. Click Add.
    The BOVPN Virtual Interface settings appear.

Screen shot of the BOVPN Virtual Interfaces / Add page

  3. In the Interface Name text box, type a name to identify this BOVPN virtual interface.
  4. From the Remote Endpoint Type drop-down list (Fireware v11.12 and higher), select either Firebox or Cloud VPN or Third-Party Gateway.
  • To connect to another Firebox, or to a third-party endpoint that supports GRE over IPSec, select Firebox.
  • To connect to a cloud VPN gateway such as Microsoft Azure, Amazon AWS, or another third-party endpoint that supports wildcard traffic selectors, select Cloud VPN or Third-Party Gateway. When you select this option, GRE is not used.
  5. In the Credential Method section, select either Use Pre-Shared Key or Use IPSec Firebox Certificate to identify the authentication procedure this tunnel uses.

If you select Use Pre-Shared Key

Type or paste the shared key. You must use the same shared key on the remote device. This shared key must use only standard ASCII characters, and can be up to 79 characters in length.

If you select Use IPSec Firebox Certificate

The table below the radio button shows current certificates on the device that include the Extended Key Usage (EKU) identifier known as "IP security IKE intermediate" (OID 1.3.6.1.5.5.8.2.2). For a Firebox that uses Fireware v11.11.4 or higher, you can also select a certificate that does not include an EKU identifier. To see a list of available certificates that do not include an EKU identifier, select Show All Certificates.

For more information, see Certificates for Branch Office VPN (BOVPN) Tunnel Authentication.

  6. In the Gateway Endpoint section, add at least one pair of gateway endpoints. For more information, see Define Gateway Endpoints for a BOVPN Virtual Interface.

To add a BOVPN Virtual Interface, from Policy Manager:

  1. Select VPN > BOVPN Virtual Interfaces.
    The BOVPN Virtual Interfaces dialog box appears.
  2. Click Add.
    The New BOVPN Virtual Interface dialog box appears.

Screen shot of the New BOVPN Virtual Interface dialog box, Gateway Settings tab

  3. In the Interface Name text box, type a name to identify this BOVPN virtual interface.
  4. From the Remote Endpoint Type drop-down list (Fireware v11.12 and higher), select either Firebox or Cloud VPN or Third-Party Gateway.
  • To connect to another Firebox, or to a third-party endpoint that supports GRE over IPSec, select Firebox.
  • To connect to a cloud VPN gateway such as Microsoft Azure, Amazon AWS, or another third-party endpoint that supports wildcard traffic selectors, select Cloud VPN or Third-Party Gateway. When you select this option, GRE is not used.
  5. In the Credential Method section, select either Use Pre-Shared Key or Use IPSec Firebox Certificate to identify the authentication procedure this tunnel uses.

If you select Use Pre-Shared Key

Type or paste the shared key. You must use the same shared key on the remote device. This shared key must use only standard ASCII characters, and can be up to 79 characters in length.

If you select Use IPSec Firebox Certificate

The table below the radio button shows current certificates on the device that include the Extended Key Usage (EKU) identifier known as "IP security IKE intermediate" (OID 1.3.6.1.5.5.8.2.2). For a Firebox that uses Fireware v11.11.4 or higher, you can also select a certificate that does not include an EKU identifier. To see a list of available certificates that do not include an EKU identifier, select Show All Certificates.

For more information, see Certificates for Branch Office VPN (BOVPN) Tunnel Authentication.
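As an added example that is not part of the WatchGuard documentation, the Go program below models the certificate-selection rule described in both the Web UI and Policy Manager procedures above: a certificate is listed by default only if its Extended Key Usage contains the "IP security IKE intermediate" OID 1.3.6.1.5.5.8.2.2, and a certificate with no EKU extension appears only after Show All Certificates. The function names and the self-signed test certificates are constructed for this example; Go's x509 package has no named constant for this OID, so it is reported in UnknownExtKeyUsage.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// OID of the "IP security IKE intermediate" Extended Key Usage named on the page.
var oidIKEIntermediate = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 8, 2, 2}

// SelectableForBOVPN models the certificate table: by default only certificates whose EKU
// lists the IKE intermediate OID are shown; with Show All Certificates (showAll == true)
// certificates that carry no EKU extension at all are shown as well.
func SelectableForBOVPN(cert *x509.Certificate, showAll bool) bool {
	for _, oid := range cert.UnknownExtKeyUsage { // Go has no named constant for this OID
		if oid.Equal(oidIKEIntermediate) {
			return true
		}
	}
	noEKU := len(cert.ExtKeyUsage) == 0 && len(cert.UnknownExtKeyUsage) == 0
	return showAll && noEKU
}

// newSelfSignedCert builds a constructed self-signed test certificate (not a Firebox
// certificate) carrying the given EKU OIDs; with an empty list no EKU extension is written.
func newSelfSignedCert(ekus []asn1.ObjectIdentifier) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(24 * time.Hour), UnknownExtKeyUsage: ekus}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	c, _ := newSelfSignedCert(nil) // no EKU: hidden by default, listed with Show All Certificates
	fmt.Println(SelectableForBOVPN(c, false), SelectableForBOVPN(c, true)) // false true
}
```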

  6. In the Gateway Endpoints section, add at least one pair of gateway endpoints. For more information, see Define Gateway Endpoints for a BOVPN Virtual Interface.

The Gateway Settings tab also contains these settings.

Use Modem for failover

If you have a modem interface configured on your Firebox, you can select this check box to configure the branch office VPN to fail over to a modem if all external interfaces cannot connect. You cannot select this check box if the local gateway endpoint uses a modem interface.

In Policy Manager in Fireware v12.0.2 and lower, this check box does not appear if modem failover is not enabled. In Fireware Web UI in Fireware v12.0.2 and lower, you cannot select this check box if modem failover is not enabled. For more information, see Configure VPN Modem Failover.

You cannot use a modem for failover from a BOVPN virtual interface if any local gateway endpoint uses an interface that is not an external interface.

Start Phase 1 tunnel when it is inactive

When selected, this option causes the Firebox to automatically restart the tunnel if it is not active. This check box is selected by default for XTM 2, 3, and 5 Series devices, and in the Fireware Web UI. Clear this check box if you do not want the Firebox to automatically start the tunnel.

If you clear this check box, the Firebox still automatically restarts the tunnel when it is inactive if any policy uses policy-based routing to route outbound traffic to this BOVPN virtual interface.

Add this tunnel to the BOVPN-Allow policies

When selected, this option adds the tunnel to the BOVPN-Allow.in and the BOVPN-Allow.out policies. These policies allow all traffic that matches the routes for this tunnel.

To restrict traffic through the tunnel, clear this check box and create custom policies for types of traffic that you want to allow through the tunnel. To create custom policies in Policy Manager, use the BOVPN Policy wizard, as described in Define Custom Tunnel Policies.

Use the other tabs to configure these settings for the BOVPN virtual interface:

  • Select the VPN Routes tab to add routes that you want to use this VPN virtual interface and to configure virtual interface IP addresses for use in dynamic routing. For more information, see Configure VPN Routes.
  • Select the Phase 1 Settings tab to configure the Phase 1 settings for this BOVPN virtual interface. These settings are exactly the same as the Phase 1 settings you can configure for a BOVPN gateway. For more information, see Configure IPSec VPN Phase 1 Settings.
  • Select the Phase 2 Settings tab to configure the Phase 2 settings for this BOVPN virtual interface. These settings are exactly the same as the Phase 2 settings you can configure for a BOVPN tunnel. For more information, see Configure Phase 2 Settings.
  • Select the Multicast Settings tab to enable multicast routing over the tunnel. For more information, see Configure BOVPN Virtual Interface Multicast Settings.

Run the BOVPN Virtual Interface Configuration Report

After you add a gateway, you can run a report to see a summary of all settings for the BOVPN virtual interface. This report can be useful if you need to troubleshoot the VPN. It can also make it easier to compare the configured settings with the settings of the remote VPN endpoint device.

To run the report:

  1. Select a configured BOVPN virtual interface.
  2. Click Report.

For more information about this report, see Use the BOVPN Configuration Reports.

See Also

About BOVPN Virtual Interfaces

BOVPN Virtual Interface Examples

BOVPN Virtual Interface for Dynamic Routing to Cisco

BOVPN Virtual Interface for Dynamic Routing to Microsoft Azure

BOVPN Virtual Interface for Static Routing to Microsoft Azure
