Configure a BOVPN Virtual Interface

When you configure a BOVPN virtual interface, you configure the BOVPN gateway settings, VPN routes, and other VPN settings. For each BOVPN virtual interface, the Device Name is automatically assigned and is not configurable. The Device Name is used to identify this interface in the Status Report in Firebox System Manager.

  1. Select VPN > BOVPN Virtual Interfaces.
    The list of BOVPN Virtual Interfaces appears.
  2. Click Add.
    The BOVPN Virtual Interface settings appear.

Screen shot of the BOVPN Virtual Interfaces / Add page

  1. In the Interface Name text box, type a name to identify this BOVPN virtual interface.
  2. From the Remote Endpoint Type drop-down list, select either Firebox or Cloud VPN or Third-Party Gateway.
  • To connect to another Firebox, or to a third-party endpoint that supports GRE over IPSec, select Firebox.
  • To connect to a cloud VPN gateway such as Microsoft Azure, Amazon AWS, or another third-party endpoint that supports wildcard traffic selectors, select Cloud VPN or Third-Party Gateway. When you select this option, GRE is not used.
  • To connect to a cloud-managed Firebox, select Cloud VPN or Third-Party Gateway.
  1. (Fireware v12.4 or higher) From the Gateway Address Family drop-down list, select IPv4 Addresses or IPv6 Addresses.
  2. In the Credential Method section, select either Use Pre-Shared Key or Use IPSec Firebox Certificate to identify the authentication procedure this tunnel uses. 

If you select Use Pre-Shared Key

(Fireware v12.5.4 or higher) Select String-Based or Hex-Based. The default setting is String-Based. For information about hex-based keys, go to Hex-Based Pre-Shared Keys.

Type or paste the shared key. You must use the same shared key on the remote device. A string-based pre-shared key must use only standard ASCII characters and can be up to 79 characters in length. A hex-based pre-shared key can include any combination or amount of hexadecimal characters.

If you select Use IPSec Firebox Certificate

The table below the radio button shows current certificates on the device that include the Extended Key Usage (EKU) identifier known as "IP security IKE intermediate" (OID 1.3.6.1.5.5.8.2.2). You can also select a certificate that does not include an EKU identifier. To see a list of available certificates that do not include an EKU identifier, select Show All Certificates. In Fireware v12.5 or higher, you can select an ECDSA (EC) certificate.

(Fireware v12.6.2 or higher) When you select a certificate for authentication, you can specify a CA certificate for VPN peer verification in the gateway endpoint settings.

  1. In the Gateway Endpoint section, add at least one pair of gateway endpoints.
  2. Click Save.

For more information about certificates, go to Certificates for Branch Office VPN (BOVPN) Tunnel Authentication.

For more information about gateway endpoints, go to Define Gateway Endpoints for a BOVPN Virtual Interface.

  1. Select VPN > BOVPN Virtual Interfaces.
    The BOVPN Virtual Interfaces dialog box appears.
  2. Click Add.
    The New BOVPN Virtual Interface dialog box appears.

Screen shot of the New BOVPN Virtual Interface dialog box, Gateway Settings tab

  1. In the Interface Name text box, type a name to identify this BOVPN virtual interface.
  2. From the Remote Endpoint Typedrop-down list, select either Firebox or Cloud VPN or Third-Party Gateway.
  • To connect to another Firebox, or to a third-party endpoint that supports GRE over IPSec, select Firebox.
  • To connect to a cloud VPN gateway such as Microsoft Azure, Amazon AWS, or another third-party endpoint that supports wildcard traffic selectors, select Cloud VPN or Third-Party Gateway. When you select this option, GRE is not used.
  • To connect to a cloud-managed Firebox, select Cloud VPN or Third-Party Gateway.
  1. (Fireware v12.4 or higher) From the Gateway Address Family drop-down list, select IPv4 Addresses or IPv6 Addresses.
  2. In the Credential Method section, select either Use Pre-Shared Key or Use IPSec Firebox Certificate to identify the authentication procedure this tunnel uses. 

If you select Use Pre-Shared Key

(Fireware v12.5.4 or higher) Select String-Based or Hex-Based. The default setting is String-Based. For information about hex-based keys, go to Hex-Based Pre-Shared Keys.

Type or paste the shared key. You must use the same shared key on the remote device. A string-based pre-shared key must use only standard ASCII characters and can be up to 79 characters in length. A hex-based pre-shared key can include any combination or amount of hexadecimal characters.

If you select Use IPSec Firebox Certificate

The table below the radio button shows current certificates on the device that include the Extended Key Usage (EKU) identifier known as "IP security IKE intermediate" (OID 1.3.6.1.5.5.8.2.2). You can also select a certificate that does not include an EKU identifier. To see a list of available certificates that do not include an EKU identifier, select Show All Certificates. In Fireware v12.5 or higher, you can select an ECDSA (EC) certificate.

(Fireware v12.6.2 or higher) When you select a certificate for authentication, you can specify a CA certificate for VPN peer verification in the gateway endpoint settings.

For more information, go to Certificates for Branch Office VPN (BOVPN) Tunnel Authentication.

  1. In the Gateway Endpoints section, add at least one pair of gateway endpoints. For more information, go to Define Gateway Endpoints for a BOVPN Virtual Interface.
  2. Click OK.

The Gateway Settings tab also contains these settings.

Use Modem for failover

If you have a modem interface configured on your Firebox, you can select this check box to configure the branch office VPN to fail over to a modem if all external interfaces cannot connect. You cannot select this check box if the local gateway endpoint uses a modem interface.

In Policy Manager in Fireware v12.0.2 and lower, this check box does not appear if modem failover is not enabled. In Fireware Web UI in Fireware v12.0.2 and lower, you cannot select this check box if modem failover is not enabled. For more information, go to Configure VPN Modem Failover.

You cannot use a modem for failover from a BOVPN virtual interface if any local gateway endpoint uses an interface that is not an external interface.

Start Phase 1 tunnel when it is inactive

When selected, this option causes the Firebox to automatically restart the tunnel if it is not active. This check box is selected by default in Fireware Web UI. Clear this check box if you do not want the Firebox to automatically start the tunnel.

If you clear this check box, the Firebox still automatically restarts the tunnel when it is inactive if any policy uses policy-based routing to route outbound traffic to this BOVPN virtual interface.

Add this tunnel to the BOVPN-Allow policies

When selected, this option adds the tunnel to the BOVPN-Allow.in and the BOVPN-Allow.out policies. These policies allow all traffic that matches the routes for this tunnel.

To restrict traffic through the tunnel, clear this check box and create custom policies for types of traffic that you want to allow through the tunnel. To create custom policies in Policy Manager, use the BOVPN Policy wizard, as described in Define Custom Tunnel Policies.

Other Tabs (VPN Routes, Phases 1 and 2, Multicast)

The other tabs to configure these settings for the BOVPN virtual interface:

  • Select the VPN Routes tab to add routes that you want to use this VPN virtual interface and to configure virtual interface IP addresses for use in dynamic routing. In Fireware v12.5.4 or higher, you can specify a maximum transmission unit (MTU) in Fireware Web UI and Policy Manager. For more information, go to Configure VPN Routes and Configure a Maximum Transmission Unit (MTU) Value.
  • Select the Phase 1 Settings tab to configure the Phase 1 settings for this BOVPN virtual interface. These settings are exactly the same as the Phase 1 settings you can configure for a BOVPN gateway. For more information, go to Configure IPSec VPN Phase 1 Settings.
  • Select the Phase 2 Settings tab to configure the Phase 2 settings for this BOVPN virtual interface. These settings are exactly the same as the Phase 2 settings you can configure for a BOVPN tunnel. For more information, go to Configure Phase 2 Settings.
  • Select the Multicast Settings tab to enable multicast routing over the tunnel. For more information, go to Configure BOVPN Virtual Interface Multicast Settings.

Run the BOVPN Virtual Interface Configuration Report

After you add a gateway, you can run a report to see a summary of all settings for the BOVPN virtual interface. This report can be useful if you need to troubleshoot the VPN. It can also make it easier to compare the configured settings with the settings of the remote VPN endpoint device.

To run the report, from the VPN > BOVPN Virtual Interfaces page:

  1. Select a configured BOVPN virtual interface.
  2. Click Report.

For more information about this report, go to Use the BOVPN Configuration Reports.

Related Topics

About BOVPN Virtual Interfaces

BOVPN Virtual Interface Examples

BOVPN Virtual Interface for Dynamic Routing to Cisco

BOVPN Virtual Interface for Dynamic Routing to Microsoft Azure

BOVPN Virtual Interface for Static Routing to Microsoft Azure

BOVPN Virtual Interface for Dynamic Routing to Amazon Web Services (AWS)

BOVPN Virtual Interface for Static Routing to Amazon Web Services (AWS)

Configure a Maximum Transmission Unit (MTU) Value