About BOVPN Virtual Interfaces

For greater flexibility and networking capabilities, you can configure a Branch Office VPN (BOVPN) as a virtual interface. A BOVPN virtual interface defines a BOVPN tunnel that is treated in the configuration like an interface. The Firebox uses the routes table to determine whether to route a packet through the BOVPN virtual interface or another interface.

You can also route packets through the BOVPN virtual interface based on policies. For example, configure an SD-WAN action that includes one or more BOVPN virtual interfaces. Next, configure a policy that includes the SD-WAN action. The Firebox sends all outbound traffic that matches the policy through the interface or interfaces specified in the SD-WAN action. The SD-WAN configuration is separate from the BOVPN virtual interface configuration.

A BOVPN virtual interface provides greater scalability for organizations that have dynamic networks. This is because you do not have to change the BOVPN tunnel route configuration when network changes are made on one or both sides of the BOVPN tunnel. This is especially valuable if you have local networks behind the Fireboxes that were learned through routers, and you want these networks to be accessible through the BOVPN.

For configuration examples, see BOVPN Virtual Interface Examples.

To configure a BOVPN virtual interface, see Configure a BOVPN Virtual Interface.

In Fireware v12.2.1 or lower, you can configure policy-based routing to use a BOVPN virtual interface. You cannot configure policy-based routing for failover from a BOVPN virtual interface or to a BOVPN virtual interface. In Fireware v12.3 or higher, SD-WAN replaces policy-based routing.

Firebox to Firebox

With a BOVPN virtual interface, you can configure a BOVPN between:

  • Two Fireboxes (through any interface).
  • A locally-managed Firebox and a Firebox managed in WatchGuard Cloud

Firebox to Third-Party Endpoints

With a BOVPN virtual interface, you can configure a VPN to these third-party endpoints:

  • A Firebox and a third-party VPN endpoint that uses GRE.
  • A Firebox and a third-party VPN endpoint or a cloud-based endpoint, including Microsoft Azure or Cisco VTI, that does not use GRE. Wildcard traffic selectors are supported.
  • A Firebox and an Amazon AWS virtual network that includes redundant external IP addresses for the gateway.

Supported Settings

BOVPN virtual interfaces support these settings:

  • SD-WAN
    • Configure SD-WAN to use a single BOVPN virtual interface (Fireware v12.3 or higher).
    • Configure SD-WAN to use multiple BOVPN virtual interfaces and to fail over based on loss, latency, and jitter metrics (Fireware v12.4 or higher).
  • Policies — Configure policies to send traffic through a BOVPN virtual interface.
  • Static routes — Add static routes for a BOVPN virtual interface.
  • IPv6 — Configure a BOVPN virtual interface gateway endpoint to use IPv6 addresses (Fireware v12.4 or higher).
  • IKEv2 — Use IKEv2 for connections to a remote gateway.
  • Authentication
    • Specify different pre-shared keys for each gateway endpoint on your Firebox.
    • Specify a hex-based pre-shared key (Fireware v12.5.4 or higher).
    • Specify an ECDSA (EC) certificate (Fireware v12.5 or higher).
    • Specify a root or intermediate CA certificate for VPN peer verification (Fireware v12.6.2 or higher)
  • Dynamic routing
    • Assign an IP address to the BOVPN virtual interface (required for dynamic routing, and recommended if either endpoint is behind a NAT device).
    • Use a BOVPN virtual IP address in the dynamic routing configuration.
    • Assign an IP address and netmask for dynamic routing to a third-party VPN endpoint.
  • MTU — Specify a Maximum transmission unit (MTU) (Fireware v12.5 or higher).
  • Multicast routing  — A BOVPN virtual interface supports multicast routing, but does not support broadcast routing.

You can configure both BOVPN virtual interfaces and manual BOVPNs (BOVPNs that are not virtual interfaces) on your Firebox. However, you cannot reuse gateway pairs (local and remote gateways):

  • You cannot use the same gateway pair for a both BOVPN virtual interface and manual BOVPN.
  • You cannot use the same gateway pair for multiple BOVPN virtual interfaces.

See Also

BOVPN Virtual Interface Examples

Configure a BOVPN Virtual Interface

Configure a Maximum Transmission Unit (MTU) Value

About Elliptic Curve Digital Signature Algorithm (ECDSA) certificates

Manual Branch Office VPN Tunnels