Configure BOVPN Virtual Interface IP Addresses

If you want to use a BOVPN virtual interface in your dynamic routing configuration, you must configure virtual interface IP addresses.

We also recommend that you configure virtual IP addresses if either endpoint is behind a NAT device. This configuration makes sure the tunnel route uses the virtual IP addresses instead of the gateway endpoint IP addresses.

For a BOVPN between two Fireboxes, virtual IP addresses define the endpoints of the GRE tunnel that encapsulates traffic through this BOVPN virtual interface.

For a BOVPN virtual interface to another Firebox, you specify two virtual interface IP addresses:

  • Local IP address — The IP address to use for the local end of the tunnel. It must match the Peer IP address configured on the Firebox at the other end of the tunnel.
  • Peer IP address or netmask — The IP address to use for the remote end of the tunnel. The Peer IP address must match the Local IP address configured on the Firebox at the other end of the tunnel. If you specify a netmask instead, it must match the netmask configured on the third-party endpoint at the other end of the tunnel.

You configure these settings differently for a BOVPN between a Firebox and a third-party VPN peer. For more information, see Virtual Interface IP Addresses for a VPN to a Third-Party Endpoint.

We recommend that you select IP addresses in a private network IP address range that is not used by any local network or by any remote network connected through a VPN. This ensures that the addresses do not conflict with any other device. In Fireware v12.4 or higher, you can specify private IPv6 address ranges. For information about private IPv4 and IPv6 address ranges, see RFC 6890.

In Fireware v12.4 or higher, you must specify an Address Family in the BOVPN virtual interface configuration. The options are IPv4 Addresses or IPv6 Addresses. When you configure virtual interface IP addresses, you must specify IP addresses that match the Address Family setting. For example, if you specified the IPv6 Address Family, you must specify IPv6 virtual interface addresses.

You can use the same local virtual interface IP address for more than one BOVPN virtual interface. This would be appropriate, for example, on the hub device in a hub/spoke VPN configuration that uses dynamic routing.

If you enable a BOVPN virtual interface for a FireCluster, make sure that the virtual interface IP address does not conflict with the cluster interface IP addresses or the cluster management IP addresses.

When you configure dynamic routing for a BOVPN virtual interface, use the virtual interface IP addresses rather than the device name.
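The rules above (Local on one end equals Peer on the other, private ranges only, addresses that match the Address Family, and no overlap with networks in use at either end) can be checked before the tunnel is built. The following is an added Python example, not WatchGuard code; it uses only the standard-library ipaddress module, and the Firebox names, addresses and networks are constructed for illustration.

```python
import ipaddress

def check_bovpn_vif_pair(a, b):
    """Check the virtual interface IP addresses of two Firebox endpoints.

    Each endpoint is a dict with: name, address_family ("IPv4" or "IPv6"),
    local_ip, peer_ip, and used_networks (CIDR strings for the local networks
    and any remote networks reached through a VPN). Returns a list of
    problems; an empty list means the two configurations are consistent.
    """
    problems = []
    # Virtual IPs must not fall inside any network in use at either end.
    in_use = [ipaddress.ip_network(n) for box in (a, b) for n in box["used_networks"]]
    for box in (a, b):
        want = 4 if box["address_family"] == "IPv4" else 6
        for key in ("local_ip", "peer_ip"):
            ip = ipaddress.ip_address(box[key])
            if ip.version != want:  # must match the Address Family setting
                problems.append(f"{box['name']}: {key} {ip} is not an {box['address_family']} address")
                continue
            if not ip.is_private:  # private range per the IANA special-purpose registry (RFC 6890)
                problems.append(f"{box['name']}: {key} {ip} is not a private address")
            for net in in_use:
                if net.version == ip.version and ip in net:
                    problems.append(f"{box['name']}: {key} {ip} conflicts with in-use network {net}")
    # Local on one end must equal Peer on the other, and vice versa.
    a_local, a_peer = ipaddress.ip_address(a["local_ip"]), ipaddress.ip_address(a["peer_ip"])
    b_local, b_peer = ipaddress.ip_address(b["local_ip"]), ipaddress.ip_address(b["peer_ip"])
    if a_local != b_peer:
        problems.append(f"{a['name']} Local IP {a_local} does not match {b['name']} Peer IP {b_peer}")
    if a_peer != b_local:
        problems.append(f"{a['name']} Peer IP {a_peer} does not match {b['name']} Local IP {b_local}")
    return problems

# Constructed sample pair (hypothetical names and addresses, not from any real deployment).
FIREBOX_A = {"name": "Firebox-A", "address_family": "IPv4", "local_ip": "172.31.255.1",
             "peer_ip": "172.31.255.2", "used_networks": ["10.0.1.0/24"]}
FIREBOX_B = {"name": "Firebox-B", "address_family": "IPv4", "local_ip": "172.31.255.2",
             "peer_ip": "172.31.255.1", "used_networks": ["10.0.2.0/24"]}

if __name__ == "__main__":
    for line in check_bovpn_vif_pair(FIREBOX_A, FIREBOX_B) or ["OK: virtual interface IPs are consistent"]:
        print(line)
```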

See Also

About Dynamic Routing