About BOVPN Virtual Interfaces
For greater flexibility and networking capabilities, you can configure a Branch Office VPN (BOVPN) as a virtual interface. A BOVPN virtual interface defines a BOVPN tunnel that is treated in the configuration like an interface. The Firebox uses the routes table to determine whether to route a packet through the BOVPN virtual interface or through another interface.
Firebox to Firebox
Firebox to Third-Party Endpoints
You can configure a BOVPN virtual interface to a third-party VPN endpoint or cloud-based endpoint with or without GRE. Supported endpoints include cloud-based virtual networks, such as Microsoft Azure, Amazon AWS, and Cisco VTI endpoints.
With a BOVPN virtual interface, you can:
- Add static routes for a BOVPN virtual interface.
- Assign an IP address to the BOVPN virtual interface (required for dynamic routing, and recommended if either endpoint is behind a NAT device).
- Use a BOVPN virtual IP address in the dynamic routing configuration.
- Configure a BOVPN virtual interface gateway endpoint to use IPv6 addresses (Fireware v12.4 or higher).
- Configure policies to send traffic through a BOVPN virtual interface.
- Configure SD-WAN to use a single BOVPN virtual interface (Fireware v12.3 or higher).
- Configure SD-WAN to use multiple BOVPN virtual interfaces and to fail over based on loss, latency, and jitter metrics (Fireware v12.4 or higher).
- Configure a BOVPN between two Fireboxes through any interface.
- Configure a BOVPN between a Firebox and a third-party VPN endpoint that uses GRE.
- Configure a BOVPN between a Firebox and a third-party VPN endpoint or a cloud-based endpoint, including Microsoft Azure or Cisco VTI, that does not use GRE. Wildcard traffic selectors are supported.
- Configure a BOVPN between a Firebox and an Amazon AWS virtual network that includes redundant external IP addresses for the gateway.
- Specify different pre-shared keys for each gateway endpoint on your Firebox.
- Assign an IP address and netmask for dynamic routing to a third-party VPN endpoint.
- Use IKEv2 for connections to a remote gateway.
In Fireware v12.2.1 or lower, you can configure policy-based routing to use a BOVPN virtual interface. You cannot configure policy-based routing for failover from a BOVPN virtual interface or to a BOVPN virtual interface. In Fireware v12.3 or higher, SD-WAN replaces policy-based routing.
You can configure both BOVPN gateways with tunnels and BOVPN virtual interfaces on the same Firebox. Each BOVPN gateway endpoint pair can be configured either in a branch office VPN gateway or in a BOVPN virtual interface, but not in both at the same time.
A BOVPN virtual interface provides greater scalability for organizations that have dynamic networks. This is because you do not need to change the BOVPN tunnel route configuration when network changes are made on one or both sides of the BOVPN tunnel. This is especially valuable if you have local networks behind the Fireboxes that were learned through routers, and you want these networks to be accessible through the BOVPN.
A BOVPN virtual interface supports multicast routing, but does not support broadcast routing.
In Fireware v12.5 or higher, you can specify an ECDSA (EC) certificate for a BOVPN virtual interface. For more information about EC certificates, see About Elliptic Curve Digital Signature Algorithm (ECDSA) certificates.
Maximum Transmission Unit (MTU)
In most cases, you can use the default MTU values on the Firebox:
- For GRE-based virtual interfaces, the MTU is 1476.
- For VTI-based virtual interfaces, the MTU is 1500.
In Fireware v12.5 or higher, you can specify a custom maximum transmission unit (MTU) value for BOVPN virtual interfaces. The MTU setting is specific to individual BOVPN virtual interfaces and is not a global Firebox setting.
You might need to specify a custom MTU value if your Firebox connects to a third-party VPN endpoint that drops packets that exceed a certain size. For example, a Microsoft Azure VPN gateway requires an MTU of 1400. To determine whether the third-party endpoint requires a custom MTU value, see the documentation provided by the third-party vendor.
In Fireware v12.5, you must use the CLI to configure the MTU setting. Use this command:
diagnose vpn "/ipsec/vif/mtu/set \"[interface_name]\" [MTU]"
For example, to change the MTU for the interface BovpnVif.1 to 1400, specify:
diagnose vpn "/ipsec/vif/mtu/set \"BovpnVif.1\" 1400"
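After setting a custom MTU, a practitioner usually wants to confirm that packets of that size actually cross the tunnel, since a third-party endpoint that drops oversized packets does so silently. The following script is an added example, not WatchGuard documentation or product code: run from a host behind the Firebox, it sends ICMP echo requests with the Don't Fragment bit set to a host behind the remote gateway and binary-searches the largest size that passes. It assumes Linux iputils `ping` (the `-M do` option), IPv4 without options, and hypothetical host addresses.

```shell
#!/bin/sh
# Added example, not part of WatchGuard's documentation or product code.
# Verifies from a host behind the Firebox that packets up to the MTU set on a
# BOVPN virtual interface reach a host behind the remote gateway, using DF
# pings. Assumes Linux iputils ping (-M do); header sizes are IPv4/ICMP.

IPV4_HDR=20   # bytes, IPv4 header without options (assumption)
ICMP_HDR=8    # bytes, ICMP echo header

# Largest ICMP payload that fits in a single packet of the given MTU.
icmp_payload_for_mtu() {
    echo $(( $1 - IPV4_HDR - ICMP_HDR ))
}

# Packet size (IP total length) carried by a given ICMP payload.
mtu_for_icmp_payload() {
    echo $(( $1 + IPV4_HDR + ICMP_HDR ))
}

# One DF ping with the given payload; exit status 0 if an echo reply arrived.
df_ping() {   # $1 = target, $2 = payload bytes
    ping -c 1 -W 2 -M do -s "$2" "$1" >/dev/null 2>&1
}

# Binary-search the largest payload in [lo, hi] that passes unfragmented.
probe_max_payload() {   # $1 = target, $2 = lo, $3 = hi
    lo=$2; hi=$3; best=0
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if df_ping "$1" "$mid"; then
            best=$mid; lo=$(( mid + 1 ))
        else
            hi=$(( mid - 1 ))
        fi
    done
    echo "$best"
}

# Compare the measured path MTU with the MTU configured on the interface.
# $1 = host behind the remote gateway (hypothetical), $2 = configured MTU
mtu_check() {
    want=$(icmp_payload_for_mtu "$2")
    got=$(probe_max_payload "$1" 500 "$want")
    if [ "$got" -eq "$want" ]; then
        echo "OK: $2-byte packets pass to $1"
    else
        echo "WARN: path MTU to $1 is $(mtu_for_icmp_payload "$got"), below configured $2"
    fi
}

if [ $# -ge 2 ]; then mtu_check "$1" "$2"; fi   # e.g. ./mtu_check.sh 10.20.0.5 1400
```

A WARN result means the interface MTU should be lowered to the reported path MTU, or the remote endpoint's size limit checked against the vendor documentation.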