Configure VPN Routes

For a BOVPN virtual interface, the Firebox uses the routing table to determine whether to send traffic through the VPN tunnel. For a BOVPN virtual interface, you do not explicitly configure the local and remote addresses for each tunnel route. Instead, for each BOVPN virtual interface, you can configure static routes that use this BOVPN virtual interface as a gateway. For each route, you specify a destination and a metric. Static routes that you add to this list also appear in the static routes list for the device.

In Fireware v12.4 or higher, you can configure IPv6 BOVPN virtual interface gateway endpoints. These route types are supported:

6in4 Routes

If you have internal IPv6 networks and external IPv4 networks, you can send traffic between the internal IPv6 networks with 6in4 tunnel routes. You must configure an IPv4 BOVPN virtual interface gateway endpoint and IPv6 tunnel routes. The tunnel routes are 6in4 routes, which means traffic is routed through a GRE tunnel within the IPv4 IPSec tunnel.

6in6 Routes

In Fireware v12.4 or higher, if you have internal IPv6 networks and an external IPv6 networks, you can send traffic between the internal IPv6 networks with 6in6 tunnel routes. You must configure an IPv6 BOVPN virtual interface gateway endpoint and IPv6 tunnel routes. The tunnel routes are 6in6 routes, which means traffic is routed through an IPv6 IPSec tunnel. You can use 6in6 routes only if the internal and external networks are IPv6. If you have an internal IPv6 network and an external IPv4 network, you must configure 6in4 routes.

In Fireware v12.3.1 or lower, IPv6 is not supported for BOVPN virtual interface gateway endpoints. 6in6 tunnel routes are not supported.

4in6 tunnels are not supported. This means you cannot configure a BOVPN virtual interface tunnel to send traffic between IPv4 internal networks if you have IPv6 external networks.

In Fireware Web UI, the static and dynamic routes for a BOVPN virtual interface appear in the route table. To see the routes, select System Status > Routes.

In Firebox System Manager, VPN routes you add appear in the IPv4 Routes or IPv6 Routes sections of the Status Report. Static and dynamic BOVPN virtual interface routes also appear in Firebox System Manager and WatchGuard System Manager. In the FSM Front Panel tab, when you expand the BOVPN virtual interface, the routes for that interface appear in the Route to section.

By default, the Firebox does not remove the static routes from the route table if the VPN is down. You can change this setting in the global VPN settings. For more information, see About Global VPN Settings.

Add VPN Routes

Before you can add VPN routes, you must add or edit a BOVPN virtual interface. For more information, see Configure a BOVPN Virtual Interface.

  1. Edit the BOVPN virtual interface.
  2. Select the VPN Routes tab.

Screen shot of the BOVPN Interface settings, VPN Routes tab

  1. Click Add.
    The VPN Route Settings dialog box appears.

  1. From the Choose Type drop-down list, select an option:
    • Host IPv4 — Select this option if only one IPv4 host is behind the router or you want traffic to go to only one host.
    • Network IPv4 — Select this option if you have a full IPv4 network behind a router on your local network.
    • Host IPv6 — Select this option if only one IPv6 host is behind the router or you want traffic to go to only one host.
    • Network IPv6 — Select this option if you have a full IPv6 network behind a router on your local network.
  1. In the Route To text box, type the network address or host address. If you type a network address, use slash notation.
    For more information about slash notation, see About Slash Notation.
  2. In the Metric text box, type or select a metric value for the route. Routes with lower metrics have higher priority.
  3. Click OK.
    The route is added to the BOVPN virtual interface configuration.
  1. Edit the BOVPN virtual interface.
  2. select the VPN Routes tab.

Screen shot of the New BOVPN Virtual Interface dialog box, VPN Routes tab

  1. Click Add.
    The Add Route dialog box appears.

Screen shot of the Add Route dialog box

  1. From the Choose Type drop-down list, select an option:
    • Host IPv4 — Select this option if only one IPv4 host is behind the router or you want traffic to go to only one host.
    • Network IPv4 — Select this option if you have a full IPv4 network behind a router on your local network.
    • Host IPv6 — Select this option if only one IPv6 host is behind the router or you want traffic to go to only one host.
    • Network IPv6 — Select this option if you have a full IPv6 network behind a router on your local network.
  2. In the Route To text box, type the network address or host address. If you type a network address, use slash notation.
    For more information about slash notation, see About Slash Notation.
  3. In the Metric text box, type or select a metric value for the route. Routes with lower metrics have higher priority.
  4. Click OK.
    The route is added to the BOVPN virtual interface configuration.

On the VPN Routes tab, you can also add BOVPN virtual interface IP addresses. These are required if you want to configure dynamic routing to use the BOVPN virtual interface. For more information, see Configure BOVPN Virtual Interface IP Addresses.

See Also

Add a Static Route