
BOVPN Virtual Interface for Dynamic Routing to Microsoft Azure

You can configure a VPN connection between your Firebox and Microsoft Azure. For example, you might configure a VPN so that hosts on your local network can securely connect to resources on your Azure virtual network. For VPN connections to Azure, we recommend that you configure a BOVPN virtual interface on the Firebox instead of a BOVPN.

You can configure static or dynamic routing. This topic covers dynamic routing. For information about static routing, see BOVPN Virtual Interface for Static Routing to Microsoft Azure.

Azure supports the BGP dynamic routing protocol. OSPF is not supported.

To configure dynamic routing with BGP between a Firebox and Microsoft Azure, you must understand Microsoft PowerShell, a command-line tool and scripting environment.

Configuration Example

This example shows the configuration settings for a BOVPN virtual interface and dynamic routing with BGP between a Firebox and a Microsoft Azure virtual network.

The BOVPN virtual interface on the Firebox is configured with one gateway endpoint. A BOVPN virtual interface configured with multiple gateway endpoints is not supported for connections to Azure.

Firebox Interfaces

For this example, the Firebox has one external interface and one trusted network.

Azure does not support VPN connections to Fireboxes behind NAT devices. The Firebox must have a public external IP address.

Interface   Type       Name       IP Address
0           External   External   203.0.113.2/24
1           Trusted    Trusted    10.0.1.1/24

Azure Interfaces

For this example, the Microsoft Azure virtual network has one external virtual interface and one trusted virtual network.

Interface   Type       Name       IP Address
0           External   External   198.51.100.2/24
1           Trusted    Trusted    10.0.100.1/24

Firebox Configuration

In the BOVPN virtual interface configuration, on the Gateway Settings tab, specify these settings:

  • The Remote Endpoint Type is Cloud VPN or Third-Party Gateway.
  • The Credential Method is Pre-Shared Key and must use the pre-shared key the two sites agreed upon. Azure supports only the pre-shared key authentication method for site-to-site VPNs.
  • The Gateway Endpoint settings are:
    • Local Gateway — 203.0.113.2 (the IP address of the external interface on the Firebox)
    • Remote Gateway — 198.51.100.2 (the IP address of the external interface on the Azure gateway)

Screen shot: Firebox gateway configuration in Fireware Web UI

Screen shot: Firebox gateway configuration in Policy Manager

On the VPN Routes tab of the BOVPN virtual interface configuration, specify these settings:

  • Local IP address — 100.100.100.1
    You can specify any IP address that does not conflict with an IP address that is already on your network.
  • Peer IP address or netmask — 172.20.2.254
    Specify the Azure virtual interface IP address, not the netmask. The Azure virtual interface IP address is defined by Azure.

Screen shot: Firebox virtual IP address configuration in Fireware Web UI

Screen shot: Firebox virtual IP address configuration in Policy Manager

On the Phase 1 Settings tab, select these settings:

  • Version — IKEv2. Static VPN routes between your Firebox and Azure require IKEv2.
  • Authentication — SHA2-256
  • Encryption — AES (256-bit)
  • Key Group — Diffie-Hellman Group 2. This is the only group Azure supports for Phase 1.

In Fireware v12.0 and higher, the default Key Group setting is Diffie-Hellman Group 14. You must change this setting to Diffie-Hellman Group 2.

Screen shot: Site A Phase 1 settings in Fireware Web UI

Screen shot: Site A Phase 1 settings in Policy Manager

On the Phase 2 Settings tab, select these settings:

Screen shot: Site A Phase 2 settings in Fireware Web UI

Screen shot: Site A Phase 2 settings in Policy Manager

The Azure BGP ASN and the virtual IP address (known as the bgpPeeringAddress in Azure) are defined by Azure and cannot be changed. You can use Microsoft PowerShell to see the Azure BGP ASN and bgpPeeringAddress. The Firebox BGP dynamic routing configuration has these commands:

!
! The local BGP ASN is 10001
!
router bgp 10001
!
! to Azure VPC
!
!
! The Azure (remote) BGP ASN is 65515 and its VIF IP (bgpPeeringAddress) is 172.20.2.254.
! These are the two parameters you must get from the Azure side.
!
neighbor 172.20.2.254 remote-as 65515
neighbor 172.20.2.254 activate
neighbor 172.20.2.254 ebgp-multihop
!
! To advertise the local networks
!
network 10.0.1.0/24

Screen shot of BGP settings

The configured BGP settings in Fireware Web UI

Screen shot of Dynamic Routing Setup page

The configured BGP settings in Policy Manager

If you configure more than one trusted network on your Firebox, and you want Azure to learn the route to an additional trusted network, run an additional network command. For example:

network 10.0.1.0/24
network 10.0.2.0/24

Azure BOVPN Virtual Interface Configuration

On your Microsoft Azure virtual network, the gateway settings are:

  • Remote gateway — 203.0.113.2 (the IP address of the external interface on the Firebox)
  • Local gateway — 198.51.100.2 (the IP address of the external interface on the Azure gateway)
  • BGP ASN — 10001 (the BGP ASN of the Firebox)
  • Virtual IP address — 100.100.100.1 (the virtual IP address of the Firebox)

You must use Microsoft PowerShell to configure BGP settings on your Microsoft Azure virtual network. For more information about PowerShell, see the documentation provided by Microsoft.
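The PowerShell workflow described above and in the BGP section (read the Azure-assigned BGP ASN and bgpPeeringAddress for the Firebox configuration, then describe the Firebox to Azure and create the BGP-enabled connection), as an added example that is not from this page or from Microsoft's documentation. The resource group, gateway, connection names and region are placeholders, the Phase 2 values in the IPsec policy are assumed, and the pre-shared key is read from an environment variable.

```powershell
# Added example, not WatchGuard or Microsoft code. Requires the Az.Network module
# and an existing session (Connect-AzAccount). Names and region are placeholders.
$rg       = "rg-vpn-example"       # placeholder resource group
$gwName   = "vnet-gw-example"      # placeholder Azure VPN gateway name
$location = "eastus"               # placeholder region

# 1. Read the two Azure-defined values the Firebox "router bgp" configuration
#    needs: the Azure ASN (65515 in this topic) and the bgpPeeringAddress
#    (172.20.2.254 in this topic). Both are assigned by Azure.
$gw = Get-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg
if (-not $gw.EnableBgp) { throw "BGP is not enabled on gateway $gwName" }
$azureAsn  = $gw.BgpSettings.Asn
$azurePeer = $gw.BgpSettings.BgpPeeringAddress
Write-Host "Firebox side: neighbor $azurePeer remote-as $azureAsn"

# 2. Describe the Firebox to Azure as a local network gateway: its public
#    external IP (203.0.113.2), its BGP ASN (10001) and its BOVPN virtual
#    interface IP (100.100.100.1). No address prefixes are listed because
#    BGP advertises the trusted networks (the "network" commands).
$lng = New-AzLocalNetworkGateway -Name "lng-firebox" -ResourceGroupName $rg `
    -Location $location -GatewayIpAddress "203.0.113.2" `
    -Asn 10001 -BgpPeeringAddress "100.100.100.1"

# 3. Pin the IKE proposal to the Phase 1 settings from this topic: IKEv2,
#    AES-256, SHA2-256, Diffie-Hellman Group 2. The Phase 2 (IPsec) values
#    are an assumption; match them to the Firebox Phase 2 settings.
$policy = New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA256 `
    -DhGroup DHGroup2 -IpsecEncryption AES256 -IpsecIntegrity SHA256 `
    -PfsGroup None -SALifeTimeSeconds 27000 -SADataSizeKilobytes 102400000

# 4. Create the IPsec connection with BGP enabled. The pre-shared key is the
#    only credential method Azure supports for site-to-site VPNs; keep it out
#    of the script (here it comes from the AZURE_VPN_PSK environment variable).
$psk = $env:AZURE_VPN_PSK
if (-not $psk) { throw "Set AZURE_VPN_PSK to the key agreed with the Firebox" }
New-AzVirtualNetworkGatewayConnection -Name "conn-firebox" -ResourceGroupName $rg `
    -Location $location -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng `
    -ConnectionType IPsec -ConnectionProtocol IKEv2 -IpsecPolicies $policy `
    -EnableBgp $true -SharedKey $psk

# 5. Verify from the Azure side that the session is up and the Firebox
#    trusted network (10.0.1.0/24) was learned over BGP.
Get-AzVirtualNetworkGatewayBGPPeerStatus -ResourceGroupName $rg -VirtualNetworkGatewayName $gwName
Get-AzVirtualNetworkGatewayLearnedRoute -ResourceGroupName $rg -VirtualNetworkGatewayName $gwName
```

The peer status should show the Firebox virtual IP 100.100.100.1 in the Connected state; if it does not, compare the ASN and peering address printed in step 1 with the Firebox neighbor commands before changing anything else.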

MTU Settings

For Azure VPN connections, Microsoft requires a maximum TCP MSS of 1350 or MTU of 1400. The Azure VPN gateway drops packets with a total packet size larger than 1400.

If the Azure VPN gateway drops packets from your Firebox, we recommend these Firebox settings:

  • Fireware v12.5 or higher – In the BOVPN virtual interface configuration, specify an MTU of 1400. In Fireware v12.5, you must configure this setting in the CLI. For more information about the MTU setting, see About BOVPN Virtual Interfaces.
  • Fireware v12.4.1 or lower – In the physical interface configuration, specify an MTU of 1400.

As an alternative, you can set the global TCP MSS value to 1350. However, we do not recommend this option because this setting affects other Firebox interfaces and applies only to TCP traffic. For example, this setting does not apply to RDP traffic in most cases because RDP usually uses UDP. If you use RDP to access servers hosted in Azure, Azure will drop packets larger than 1400 bytes even if you specify the recommended TCP MSS value. For more information about the TCP MSS setting, see Define Firebox Global Settings.

For more information about Azure configuration settings, see the documentation provided by Microsoft.

See Also

BOVPN Virtual Interface for Static Routing to Microsoft Azure

Virtual Interface IP Addresses for a VPN to a Third-Party Endpoint
