Mobile VPN Traffic Through a Branch Office VPN (BOVPN) Tunnel

You can configure a Firebox to send traffic from mobile VPN users to a remote network through a branch office VPN (BOVPN) tunnel. When you configure a mobile VPN, you specify virtual IP addresses to assign to mobile VPN users. These are the IP addresses the Firebox sees when the mobile users send traffic to the local network or to a remote network connected by a BOVPN tunnel.

To enable mobile VPN clients to get access to network resources through a BOVPN tunnel, you must make sure that:

  • The mobile VPN client sends traffic to the remote networks through the mobile VPN tunnel
  • The BOVPN can send traffic from mobile VPN user virtual IP addresses to the remote network
  • The policies that control mobile VPN and BOVPN traffic allow traffic between the mobile VPN clients and the remote network

Configure Mobile VPN Client Routes

There are two ways a mobile VPN client can route traffic to the Internet for mobile VPN users:

  • Default-route (full tunnel) — Internet traffic from a remote user goes through the VPN tunnel to the Firebox. This option is more secure because the Firebox examines Internet traffic that the user generates.
  • Split tunnel — Internet traffic from a remote user does not go through the VPN tunnel. This option is less secure because the Firebox does not examine Internet traffic that the user generates.

For more information about these options, go to Internet Access Options for Mobile VPN Users.

Mobile VPN with IKEv2

For Mobile VPN with IKEv2, we recommend default-route VPN.

To learn how to configure the default-route VPN options for a Windows VPN client, go to Internet Access Through a Mobile VPN with IKEv2 Tunnel

Mobile VPN with L2TP

For Mobile VPN with L2TP, we recommend default-route VPN.

To learn how to configure the default-route VPN options for a Windows VPN client, go to Internet Access Through a Mobile VPN with L2TP Tunnel.

Mobile VPN with SSL

When you configure Mobile VPN with SSL on your Firebox, you select whether to bridge or route VPN traffic to the network.

If you select Bridge VPN Traffic, the Firebox assigns each VPN client an IP address on one of your internal networks. With this configuration, the Mobile VPN with SSL client sends all traffic that does not overlap with the client's local network through the SSL VPN tunnel. This enables traffic to go through the BOVPN tunnel as if the client were directly connected to your internal network.

If you select Routed VPN Traffic, you can configure the client to force all client traffic through the tunnel, or to send only specific network traffic through the tunnel. If you don't force all the traffic through the tunnel, you must select Specify allowed resources, and then specify the network resources the VPN client can access through the tunnel. If you specify the allowed network resources, make sure the allowed resources list includes the IP address of the remote networks.

Mobile VPN with IPSec

You can configure Mobile VPN with IPSec to force all network traffic from the VPN client through the tunnel, or you can specify the network resources the VPN client can access through the tunnel. If you specify the allowed network resources in the Mobile VPN with IPSec profile, make sure the allowed resources list includes the IP address of the remote networks.

For information about how to edit the allowed resources, go to Modify an Existing Mobile VPN with IPSec Group Profile

If you edit the allowed resources in a Mobile VPN with IPSec group profile, the resource list is not automatically updated in the Mobile VPN with IPSec policies for this group. You must edit the allowed resources in the Mobile VPN with IPSec policies and update if necessary to add the same resources.

For information about how to edit the IPSec policies, go to Configure Policies to Filter IPSec Mobile VPN Traffic.

If you update the allowed resources in an existing Mobile VPN with IPSec profile, you must distribute a new configuration file to each user.

For information about how to distribute configuration profiles, go to Distribute the Software and Profiles.

Configure Manual BOVPN Routes

BOVPN tunnel routes define which local network traffic the Firebox sends through the VPN tunnel to remote networks. If you want the Firebox to send traffic from mobile VPN users through a BOVPN tunnel, you must make sure that the BOVPN configuration includes a tunnel route from the network that includes the mobile VPN client's virtual IP address to the remote network.

If a BOVPN tunnel route to the remote network has a local address of 0.0.0.0/0, then all traffic from the local network that does not overlap with other configured routes is sent through the BOVPN tunnel, including traffic from your mobile VPN clients.

If you need to add a new BOVPN tunnel route that includes the mobile VPN client virtual IP addresses, make sure to add the matching route in the VPN configuration on the remote VPN device. For more information, go to Add Routes for a Tunnel.

For an example of how to add VPN tunnel routes for connections from the Mobile VPN with SSL client, go to Allow Mobile VPN with SSL Users to use Resources Through a BOVPN Tunnel.

In Fireware v12.4 or higher, you can configure IPv6 BOVPN gateway endpoints. However, you cannot configure the Firebox to send mobile VPN traffic through an IPv6 BOVPN tunnel.

Configure BOVPN Virtual Interface Routes

For a BOVPN virtual interface, you do not explicitly configure the local and remote addresses for each tunnel route. Instead, you configure static routes that use the BOVPN virtual interface as a gateway. Because BOVPN virtual interface routes do not specify which local networks can send traffic through the tunnel, traffic from mobile VPN clients can be sent through the tunnel to any destination as long as a route exists to the remote network.

For information about BOVPN virtual interface routes, go to Configure VPN Routes.

In Fireware v12.4 or higher, you can configure IPv6 gateway endpoints for BOVPN virtual interfaces. However, you cannot configure the Firebox to send mobile VPN traffic through a 6in6 BOVPN virtual interface tunnel.

Configure Policies to Allow the Connection

Policies control traffic allowed through all VPN tunnels. You must make sure that all policies that control VPN traffic allow the traffic between the remote network and the virtual IP addresses of the mobile VPN users.

On the remote device, confirm that the policy that allows traffic through the BOVPN tunnel includes the virtual IP address of the VPN client. If the remote device is a Firebox, the alias of the BOVPN tunnel appears in the BOVPN-Allow.in and BOVPN-Allow.out policies by default. This means that the policy allows all traffic that matches the routes for this tunnel.

On the local device, the policies that control mobile VPN traffic also apply to traffic through the BOVPN tunnel. Make sure that the policies for each mobile VPN client allow connections to remote network resources.

Mobile VPN with IKEv2

When you configure Mobile VPN with IKEv2, the IKEv2 setup wizard automatically creates the Allow IKEv2-Users policy that allows traffic from the user group IKEv2-Users to Any. If you have modified this policy to be more specific, you could need to update your policy to include the remote networks.

For more information, go to About IKEv2 Policies.

Mobile VPN with L2TP

When you configure Mobile VPN with L2TP, the L2TP setup wizard automatically creates the Allow L2TP-Users policy that allows traffic from the user group L2TP-Users to Any. If you have modified this policy to be more specific, you could need to update your policy to include the remote networks.

For more information, go to About L2TP Policies.

Mobile VPN with SSL

When you configure Mobile VPN with SSL, the Firebox automatically creates the Allow SSLVPN-Users policy that allows traffic from the user group SSLVPN-Users to Any. If you have modified this policy to be more specific, you could need to update your policy to include the remote networks.

For more information, go to Manually Configure the Firebox for Mobile VPN with SSL.

Mobile VPN with IPSec

The policies that apply to traffic from Mobile VPN with IPSec users are in the Mobile VPN with IPSec tab in Policy Manager. By default, Mobile VPN with IPSec users have full access to all resources with the Any Mobile VPN with IPSec policy. If you make a change to the allowed resources for a Mobile VPN with IPSec profile, you might also need to update the policy for that profile to include the new resources.

For information about how to edit the IPSec policies, go to Configure Policies to Filter IPSec Mobile VPN Traffic.

Related Topics

Virtual IP Addresses and Mobile VPNs

About Manual IPSec Branch Office VPNs