Contents

BOVPN Virtual Interface for Dynamic Routing to Microsoft Azure

You can configure a VPN connection between your Firebox and Microsoft Azure. For example, you might configure a VPN so that hosts on your local network can securely connect to resources on your Azure virtual network. For VPN connections to Azure, we recommend that you configure a BOVPN virtual interface on the Firebox instead of a BOVPN.

You can configure static or dynamic routing. This topic covers dynamic routing. For information about static routing, see BOVPN Virtual Interface for Static Routing to Microsoft Azure.

In this example, we show a VPN configuration with:

  • Dynamic BGP routing. Azure supports the BGP dynamic routing protocol. OSPF is not supported.
  • One Firebox external physical interface
  • One Firebox BOVPN virtual interface with one gateway endpoint. A BOVPN virtual interface configured with multiple gateway endpoints is not supported for connections to Azure.
  • One Azure gateway

To configure dynamic routing with BGP between a Firebox and Microsoft Azure, you must understand Microsoft PowerShell, a command line tool and scripting environment.

Configure Azure

To configure your Azure virtual network:

  1. Connect to the Azure Management Portal at https://portal.azure.com.
  2. Review the Microsoft documentation: Get started with Azure and Azure VPN Gateway Documentation.

In our example, we use these Microsoft Azure virtual network settings:

  • Remote gateway — 203.0.113.2 (the IP address of the external interface on the Firebox). Azure does not support VPN connections to Fireboxes behind NAT devices. The Firebox must have a public external IP address.
  • Local gateway198.51.100.2 (the IP address of the external interface on the Azure gateway)
  • BGP ASN10001 (the BGP ASN of the Firebox)
    You must use Microsoft PowerShell to configure BGP settings on your Microsoft Azure virtual network. For more information about PowerShell, see the documentation provided by Microsoft.
  • Virtual IP address100.100.100.1 (the virtual IP address of the Firebox)
  • VPN type — Policy-based
  • Shared key — The key automatically generated by Azure. Azure supports only the pre-shared key authentication method for site-to-site VPNs.

For the most recent list of protocols and algorithms supported by Microsoft for VPNs, see About VPN devices and IPsec/IKE parameters for Site-to-Site VPN Gateway connections on the Microsoft website.

MTU Settings

For Azure VPN connections, Microsoft requires a maximum TCP MSS of 1350 or MTU of 1400. The Azure VPN gateway drops packets with a total packet size larger than 1400.

If the Azure VPN gateway drops packets from your Firebox, we recommend these Firebox settings:

  • Fireware v12.5 or higher – In the BOVPN virtual interface configuration, specify an MTU of 1400. In Fireware v12.5, you must configure this setting in the CLI. For more information about the MTU setting, see About BOVPN Virtual Interfaces.
  • Fireware v12.4.1 or lower – In the physical interface configuration, specify an MTU of 1400.

As an alternative, you can set the global TCP MSS value to 1350. However, we do not recommend this option because this setting affects other Firebox interfaces and applies only to TCP traffic. For example, this setting does not apply to RDP traffic in most cases because RDP usually uses UDP. If you use RDP to access servers hosted in Azure, Azure will drop packets larger than 1400 bytes even if you specify the recommended TCP MSS value. For more information about the TCP MSS setting, see Define Firebox Global Settings.

Configure the Firebox

For this example, the Firebox has one external interface and one trusted network.

Azure does not support VPN connections to Fireboxes behind NAT devices. The Firebox must have a public external IP address.

Interface Type Name IP Address
0 External External 203.0.113.2/24
1 Trusted Trusted 10.0.1.1/24

To configure the Firebox, you must configure:

Test the VPN Connection

To test the configuration, ping a local Azure resource from the local network behind your Firebox. Make sure that your Firebox and Azure virtual network are configured to allow ICMP traffic.

For more information about Azure configuration settings, see the documentation provided by Microsoft.

See Also

BOVPN Virtual Interface for Static Routing to Microsoft Azure

Virtual Interface IP Addresses for a VPN to a Third-Party Endpoint

Give Us Feedback  ●   Get Support  ●   All Product Documentation  ●   Technical Search