To configure a managed BOVPN tunnel between two managed Fireboxes, you can manually start the Add VPN Wizard, or use the drag-and-drop method to select the devices and start the wizard.
Before you can complete this procedure, you must:
- Make sure that link aggregation is not enabled for the external interface of the device at either end of the managed tunnel.
For more information about how to configure link aggregation interfaces, see Configure Link Aggregation.
- Configure the networks for the dynamic Fireboxes at both ends of the tunnel and get the policies from any new dynamic devices.
For more information, see Add VPN Resources.
- Define the Security Template to use for the managed tunnel.
For more information on Security Templates, see Add Security Templates.
- Define a VPN Firewall Policy Template, if you want to restrict the type of traffic allowed across the managed tunnel.
For more information on VPN Firewall Policy Templates, see Add VPN Firewall Policy Templates.
- To use a WINS server or DNS server (Windows Internet Name Service/Domain Name System) for name resolution, you must first configure a WINS server that contains a database of NetBIOS name resolution for the local network or configure a DNS server, which uses a similar method. If your domain uses only Active Directory, you must use DNS for name resolution.
For more information about WINS or DNS servers, see Configure Network DNS and WINS Servers.
On the Device Management tab:
- Select the device name for one of the tunnel endpoints, then drag it onto the name of the device at the other tunnel endpoint.
Or, click the corresponding toolbar icon.
Or, select Edit > Create a new VPN.
The Add VPN wizard starts.
- If you used the drag-and-drop procedure in Step 1, the wizard shows the two endpoint devices you selected and the VPN resource that the tunnel uses.
If you did not use drag-and-drop, select each endpoint from the Device drop-down list.
- From the VPN Resource drop-down list, select a VPN resource for each device.
To create a null-route VPN tunnel that forces all traffic from the remote device through the VPN, select Hub Network.
Use this setting as the VPN resource for the device that hosts the null-route VPN.
The remote device then sends all of its traffic through the tunnel to the device that has Hub Network as its local resource.
- Click Next.
- From the Security Template drop-down list, select the Security Template that matches the type of security and type of authentication to use for this tunnel.
- To use a WINS or DNS server for name resolution, select the check box for each DNS and WINS server to use. Click Next.
- From the VPN Firewall Policy Template drop-down list, select the VPN Firewall Policy Template for the type of traffic to allow through this tunnel. If no VPN Firewall Policy Templates have been defined, the default Any policy is applied to the tunnel.
- Click Next.
The final page of the wizard shows that the configuration is complete.
- Select the Expire Lease to update the configuration on both devices check box.
This option sends a command to expire the lease on both devices, so that the devices immediately update their configuration. It does not cause the devices to reboot.
- Click Finish to create the VPN tunnel.