Configure a BOVPN Virtual Interface

Some of the features described in this section are only available to participants in the WatchGuard Beta program. If a feature described in this section is not available in your version of Fireware, it is a beta-only feature.

When you configure a BOVPN virtual interface, you configure the BOVPN gateway settings, VPN routes, and other VPN settings. For each BOVPN virtual interface, the Device Name is automatically assigned and is not configurable. The Device Name is used to identify this interface in the Status Report in Firebox System Manager.

For more information about certificates, see Certificates for Branch Office VPN (BOVPN) Tunnel Authentication.

For more information about gateway endpoints, see Define Gateway Endpoints for a BOVPN Virtual Interface.

The Gateway Settings tab also contains these settings.

Use Modem for failover

If you have a modem interface configured on your Firebox, you can select this check box to configure the branch office VPN to fail over to a modem if all external interfaces cannot connect. You cannot select this check box if the local gateway endpoint uses a modem interface.

In Policy Manager in Fireware v12.0.2 and lower, this check box does not appear if modem failover is not enabled. In Fireware Web UI in Fireware v12.0.2 and lower, you cannot select this check box if modem failover is not enabled. For more information, see Configure VPN Modem Failover.

You cannot use a modem for failover from a BOVPN virtual interface if any local gateway endpoint uses an interface that is not an external interface.

Start Phase 1 tunnel when it is inactive

When selected, this option causes the Firebox to automatically restart the tunnel if it is not active. This check box is selected by default for XTM 2, 3, and 5 Series devices, and in the Fireware Web UI. Clear this check box if you do not want the Firebox to automatically start the tunnel.

If you clear this check box, the Firebox still automatically restarts the tunnel when it is inactive if any policy uses policy-based routing to route outbound traffic to this BOVPN virtual interface.

Add this tunnel to the BOVPN-Allow policies

When selected, this option adds the tunnel to the BOVPN-Allow.in and the BOVPN-Allow.out policies. These policies allow all traffic that matches the routes for this tunnel.

To restrict traffic through the tunnel, clear this check box and create custom policies for types of traffic that you want to allow through the tunnel. To create custom policies in Policy Manager, use the BOVPN Policy wizard, as described in Define Custom Tunnel Policies.

Other Tabs (VPN Routes, Phases 1 and 2, Multicast)

Use the other tabs to configure these settings for the BOVPN virtual interface:

  • Select the VPN Routes tab to add routes that you want to use this VPN virtual interface and to configure virtual interface IP addresses for use in dynamic routing. In Fireware v12.6 or higher, you can specify a maximum transmission unit (MTU) in Fireware Web UI and Policy Manager. For more information, see Configure VPN Routes and Configure a Maximum Transmission Unit (MTU) Value.
  • Select the Phase 1 Settings tab to configure the Phase 1 settings for this BOVPN virtual interface. These settings are exactly the same as the Phase 1 settings you can configure for a BOVPN gateway. For more information, see Configure IPSec VPN Phase 1 Settings.
  • Select the Phase 2 Settings tab to configure the Phase 2 settings for this BOVPN virtual interface. These settings are exactly the same as the Phase 2 settings you can configure for a BOVPN tunnel. For more information, see Configure Phase 2 Settings.
  • Select the Multicast Settings tab to enable multicast routing over the tunnel. For more information, see Configure BOVPN Virtual Interface Multicast Settings.

Run the BOVPN Virtual Interface Configuration Report

After you add a gateway, you can run a report to see a summary of all settings for the BOVPN virtual interface. This report can be useful if you need to troubleshoot the VPN. It can also make it easier to compare the configured settings with the settings of the remote VPN endpoint device.

To run the report, from the VPN > BOVPN Virtual Interfaces page:

  1. Select a configured BOVPN virtual interface.
  2. Click Report.

For more information about this report, see Use the BOVPN Configuration Reports.

See Also

About BOVPN Virtual Interfaces

BOVPN Virtual Interface Examples

BOVPN Virtual Interface for Dynamic Routing to Cisco

BOVPN Virtual Interface for Dynamic Routing to Microsoft Azure

BOVPN Virtual Interface for Static Routing to Microsoft Azure

BOVPN Virtual Interface for Dynamic Routing to Amazon Web Services (AWS)

BOVPN Virtual Interface for Static Routing to Amazon Web Services (AWS)

Configure a Maximum Transmission Unit (MTU) Value