About BOVPN Virtual Interfaces
For greater flexibility and networking capabilities, you can configure a Branch Office VPN (BOVPN) as a virtual interface. A BOVPN virtual interface defines a BOVPN tunnel that the configuration treats like any other interface. The Firebox consults the route table to decide whether to send a packet through the BOVPN virtual interface or through another interface.
For configuration examples, see BOVPN Virtual Interface Examples.
To configure a BOVPN virtual interface, see Configure a BOVPN Virtual Interface.
Firebox to Firebox
Firebox to Third-Party Endpoints
You can configure a BOVPN virtual interface to a third-party VPN endpoint or cloud-based endpoint with or without GRE. Supported endpoints include cloud-based virtual networks, such as Microsoft Azure, Amazon AWS, and Cisco VTI endpoints.
With a BOVPN virtual interface, you can:
- Add static routes for a BOVPN virtual interface.
- Assign an IP address to the BOVPN virtual interface (required for dynamic routing, and recommended if either endpoint is behind a NAT device).
- Use a BOVPN virtual IP address in the dynamic routing configuration.
- Configure a BOVPN virtual interface gateway endpoint to use IPv6 addresses (Fireware v12.4 or higher).
- Configure policies to send traffic through a BOVPN virtual interface.
- Configure SD-WAN to use a single BOVPN virtual interface (Fireware v12.3 or higher).
- Configure SD-WAN to use multiple BOVPN virtual interfaces and to fail over based on loss, latency, and jitter metrics (Fireware v12.4 or higher).
- Configure a BOVPN between two Fireboxes through any interface.
- Configure a BOVPN between a Firebox and a third-party VPN endpoint that uses GRE.
- Configure a BOVPN between a Firebox and a third-party VPN endpoint or a cloud-based endpoint, including Microsoft Azure or Cisco VTI, that does not use GRE. Wildcard traffic selectors are supported.
- Configure a BOVPN between a Firebox and an Amazon AWS virtual network that includes redundant external IP addresses for the gateway.
- Specify different pre-shared keys for each gateway endpoint on your Firebox.
- Assign an IP address and netmask for dynamic routing to a third-party VPN endpoint.
- Use IKEv2 for connections to a remote gateway.
- Specify an ECDSA (EC) certificate (Fireware v12.5 or higher).
- Specify a maximum transmission unit (MTU) (Fireware v12.5 or higher).
- Specify a hex-based pre-shared key (Fireware v12.5.4 or higher).
- Specify a root or intermediate CA certificate for VPN peer verification (Fireware v12.6.2 or higher).
In Fireware v12.2.1 or lower, you can configure policy-based routing to use a BOVPN virtual interface. You cannot configure policy-based routing for failover from a BOVPN virtual interface or to a BOVPN virtual interface. In Fireware v12.3 or higher, SD-WAN replaces policy-based routing.
You can configure both BOVPN gateways and tunnels and BOVPN virtual interfaces on the same Firebox. However, each BOVPN gateway endpoint pair can be configured either in a branch office VPN gateway or in a BOVPN virtual interface, not in both at the same time.
A BOVPN virtual interface provides greater scalability for organizations that have dynamic networks. This is because you do not need to change the BOVPN tunnel route configuration when network changes are made on one or both sides of the BOVPN tunnel. This is especially valuable if you have local networks behind the Fireboxes that were learned through routers, and you want these networks to be accessible through the BOVPN.
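The following Python model, added here as an illustration and not WatchGuard's own code, shows the route-table decision the preceding paragraphs describe: traffic reaches the BOVPN virtual interface only if the longest matching prefix in the route table points at it, and a network learned later through dynamic routing becomes reachable over the tunnel without any change to the tunnel configuration. The interface names (`BOVPN-VIF.1`, `External`, `Trusted`), the address ranges and the "learned" route are all constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    """One row of a simplified route table (constructed model, not Fireware's format)."""
    prefix: ipaddress.IPv4Network
    interface: str   # egress interface, e.g. a physical interface or a BOVPN virtual interface
    source: str      # "connected", "static" or "dynamic" (learned from a routing protocol)
    metric: int = 1  # lower is preferred when two routes have the same prefix length


def lookup(routes: List[Route], destination: str) -> Optional[Route]:
    """Longest-prefix match; among equal-length prefixes the lowest metric wins."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dst in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))


def egress_interface(routes: List[Route], destination: str) -> Optional[str]:
    """Name of the interface a packet to `destination` would leave through, or None."""
    route = lookup(routes, destination)
    return route.interface if route else None


def build_table() -> List[Route]:
    """Constructed sample table: a default route, a local LAN, and one static
    route that sends a remote site's network into the BOVPN virtual interface."""
    return [
        Route(ipaddress.ip_network("0.0.0.0/0"), "External", "static", metric=10),
        Route(ipaddress.ip_network("10.0.1.0/24"), "Trusted", "connected"),
        Route(ipaddress.ip_network("192.168.50.0/24"), "BOVPN-VIF.1", "static"),
    ]


def learn_route(routes: List[Route], prefix: str, interface: str, metric: int = 20) -> List[Route]:
    """Simulate a routing protocol installing a learned route; the tunnel definition itself is untouched."""
    return routes + [Route(ipaddress.ip_network(prefix), interface, "dynamic", metric=metric)]


if __name__ == "__main__":
    table = build_table()
    # A destination covered by the static route goes through the BOVPN virtual interface.
    print("192.168.50.7 ->", egress_interface(table, "192.168.50.7"))   # BOVPN-VIF.1
    # Before the remote site advertises 172.16.0.0/16, that traffic only matches the default route.
    print("172.16.4.9   ->", egress_interface(table, "172.16.4.9"))     # External
    # After the route is learned, the same traffic is steered into the tunnel with no tunnel-route edit.
    table = learn_route(table, "172.16.0.0/16", "BOVPN-VIF.1")
    print("172.16.4.9   ->", egress_interface(table, "172.16.4.9"))     # BOVPN-VIF.1
    # A more specific prefix elsewhere still wins over the tunnel route.
    table = learn_route(table, "172.16.4.0/24", "Trusted")
    print("172.16.4.9   ->", egress_interface(table, "172.16.4.9"))     # Trusted
```

The last two calls show why this matters operationally: which packets enter the tunnel is decided by prefix specificity in the route table, so a learned or mistyped more-specific route can silently pull traffic away from the BOVPN virtual interface; checking the route table, not only the tunnel settings, is the right first step when traffic is not traversing the tunnel as expected.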
A BOVPN virtual interface supports multicast routing, but does not support broadcast routing.