BOVPN Virtual Interface for Dynamic Routing to Microsoft Azure
You can configure static or dynamic routing. This topic covers dynamic routing. For information about static routing, see BOVPN Virtual Interface for Static Routing to Microsoft Azure.
Azure supports the BGP dynamic routing protocol. OSPF is not supported.
To configure dynamic routing with BGP between a Firebox and Microsoft Azure, you must understand Microsoft PowerShell, a command line tool and scripting environment.
This example shows the configuration settings for a BOVPN virtual interface and dynamic routing with BGP between a Firebox and a Microsoft Azure virtual network.
The BOVPN virtual interface on the Firebox is configured with one gateway endpoint. A BOVPN virtual interface configured with multiple gateway endpoints is not supported for connections to Azure.
For this example, the Firebox has one external interface and one trusted network.
Azure does not support VPN connections to Fireboxes behind NAT devices. The Firebox must have a public external IP address.
For this example, the Microsoft Azure virtual network has one external virtual interface and one trusted virtual network.
In the BOVPN virtual interface configuration, on the Gateway Settings tab, specify these settings:
- The Remote Endpoint Type is Cloud VPN or Third-Party Gateway.
- The Credential Method is Pre-Shared Key and must use the pre-shared key the two sites agreed upon. Azure supports only the pre-shared key authentication method for site-to-site VPNs.
- The Gateway Endpoint settings are:
  - Local Gateway — 203.0.113.2 (the IP address of the external interface on the Firebox)
  - Remote Gateway — 198.51.100.2 (the IP address of the external interface on the Azure gateway)
On the VPN Routes tab of the BOVPN virtual interface configuration, specify these settings:
- Local IP address — 100.100.100.1
  You can specify any IP address that does not conflict with an IP address that is already on your network.
- Peer IP address or netmask — 172.20.2.254
  Specify the Azure virtual interface IP address, not the netmask. The Azure virtual interface IP address is defined by Azure.
On the Phase 1 Settings tab, select these settings:
- Version — IKEv2. Static VPN routes between your Firebox and Azure require IKEv2.
- Authentication — SHA2-256
- Encryption — AES (256-bit)
- Key Group — Diffie-Hellman Group 2. This is the only group Azure supports for Phase 1.
In Fireware v12.0 and higher, the default Key Group setting is Diffie-Hellman Group 14. You must change this setting to Diffie-Hellman Group 2.
On the Phase 2 Settings tab, select these settings:
- Perfect Forward Secrecy — Yes
- Diffie-Hellman — Azure supports groups 1, 2, 5, 14, 15, 19, and 20 for Phase 2. Tip! The default Firebox setting is Diffie-Hellman group 14.
- IPSec proposal — ESP-AES256-SHA256 or ESP-AES256-GCM. Azure does not support AES128-GCM or AES192-GCM.
The Azure BGP ASN and the virtual IP address (known as the bgpPeeringAddress in Azure) are defined by Azure and cannot be changed. You can use Microsoft PowerShell to see the Azure BGP ASN and bgpPeeringAddress. The Firebox BGP dynamic routing configuration has these commands:
! The local BGP ASN is 10001
router bgp 10001
! to Azure VPC
! The Azure (remote) BGP ASN is 65515 and its VIF IP (bgpPeeringAddress) is 172.20.2.254.
! These are the two parameters you must get from the Azure side.
neighbor 172.20.2.254 remote-as 65515
neighbor 172.20.2.254 activate
neighbor 172.20.2.254 ebgp-multihop
! To advertise the local networks
If you configure more than one trusted network on your Firebox, and you want Azure to learn the route to an additional trusted network, run an additional network command. For example:
Azure BOVPN Virtual Interface Configuration
On your Microsoft Azure virtual network, the gateway settings are:
- Remote gateway — 203.0.113.2 (the IP address of the external interface on the Firebox)
- Local gateway — 198.51.100.2 (the IP address of the external interface on the Azure gateway)
- BGP ASN — 10001 (the BGP ASN of the Firebox)
- Virtual IP address — 100.100.100.1 (the virtual IP address of the Firebox)
You must use Microsoft PowerShell to configure BGP settings on your Microsoft Azure virtual network. For more information about PowerShell, see the documentation provided by Microsoft.
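The Azure-side steps described above (reading the Azure BGP ASN and bgpPeeringAddress, then registering the Firebox as a BGP peer), as an added example that is not part of the original page or of any vendor documentation. It uses cmdlets from the Az PowerShell module with the example addresses from this topic. The resource group, gateway, and connection names are assumptions, as is the /32 address prefix for the Firebox virtual IP address.

```powershell
# Added example. Assumed names: resource group 'rg-vpn', Azure gateway 'azure-vnet-gw',
# local network gateway 'firebox-lng', connection 'firebox-bgp'.
$rg     = 'rg-vpn'
$gwName = 'azure-vnet-gw'
$gw = Get-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg

# Values defined by Azure. These go into the Firebox "neighbor" commands.
$azureAsn  = $gw.BgpSettings.Asn
$azurePeer = $gw.BgpSettings.BgpPeeringAddress
"Azure BGP ASN: $azureAsn  bgpPeeringAddress: $azurePeer"

if (-not $gw.EnableBgp) { throw "BGP is not enabled on gateway $gwName." }
if ($azureAsn -ne 65515 -or $azurePeer -ne '172.20.2.254') {
    Write-Warning 'Azure values differ from this topic; update the Firebox neighbor commands to match.'
}

# Represent the Firebox in Azure: public IP, BGP ASN, and virtual IP from this topic.
# The /32 prefix for the Firebox virtual IP is an assumption of this example.
$lng = New-AzLocalNetworkGateway -Name 'firebox-lng' -ResourceGroupName $rg `
    -Location $gw.Location -GatewayIpAddress '203.0.113.2' `
    -AddressPrefix '100.100.100.1/32' -Asn 10001 -BgpPeeringAddress '100.100.100.1'

# Prompt for the pre-shared key so it is not stored in the script or shell history.
$secure = Read-Host -Prompt 'Pre-shared key agreed with the Firebox' -AsSecureString
$psk = [System.Net.NetworkCredential]::new('', $secure).Password

# Site-to-site connection with BGP enabled.
New-AzVirtualNetworkGatewayConnection -Name 'firebox-bgp' -ResourceGroupName $rg `
    -Location $gw.Location -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng `
    -ConnectionType IPsec -SharedKey $psk -EnableBgp $true
Remove-Variable psk, secure

# After the tunnel is up: confirm the peer 100.100.100.1 is connected and
# review which routes Azure learned from the Firebox.
Get-AzVirtualNetworkGatewayBGPPeerStatus -VirtualNetworkGatewayName $gwName -ResourceGroupName $rg
Get-AzVirtualNetworkGatewayLearnedRoute -VirtualNetworkGatewayName $gwName -ResourceGroupName $rg |
    Where-Object Origin -eq 'EBgp' |
    Format-Table Network, NextHop, AsPath, Origin
```

Review the learned routes against the networks you intended to advertise from the Firebox; an unexpected prefix means the Firebox is advertising more than the trusted network.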
For Azure VPN connections, Microsoft requires a maximum TCP MSS of 1350 or MTU of 1400. The Azure VPN gateway drops packets with a total packet size larger than 1400.
If the Azure VPN gateway drops packets from your Firebox, we recommend these Firebox settings:
- Fireware v12.5 or higher – In the BOVPN virtual interface configuration, specify an MTU of 1400. In Fireware v12.5, you must configure this setting in the CLI. For more information about the MTU setting, see About BOVPN Virtual Interfaces.
- Fireware v12.4.1 or lower – In the physical interface configuration, specify an MTU of 1400.
As an alternative, you can set the global TCP MSS value to 1350. However, we do not recommend this option because this setting affects other Firebox interfaces and applies only to TCP traffic. For example, this setting does not apply to RDP traffic in most cases because RDP usually uses UDP. If you use RDP to access servers hosted in Azure, Azure will drop packets larger than 1400 bytes even if you specify the recommended TCP MSS value. For more information about the TCP MSS setting, see Define Firebox Global Settings.
For more information about Azure configuration settings, see the documentation provided by Microsoft.