BOVPN Virtual Interface for Static Routing to Amazon Web Services (AWS)

You can configure a VPN connection between your Firebox and Amazon Web Services (AWS). For example, you might configure a VPN so that hosts on your local network can securely connect to resources on your Amazon Virtual Private Cloud (VPC).

For VPN connections to AWS, we recommend that you configure a BOVPN virtual interface on the Firebox. You can use static or dynamic routing.

In this example, we show a VPN configuration with:

  • Static routing
  • One Firebox BOVPN virtual interface with two gateway endpoints
  • Two AWS virtual interfaces with failover

AWS Configuration

An AWS VPN configuration includes one virtual private gateway with two external IP addresses for redundancy. AWS automatically determines which IP address is the primary IP address.

Failover between the external IP addresses is enabled by default. If the primary AWS external IP address is unavailable, VPN traffic automatically fails over to the other AWS external IP address.

For detailed instructions about how to configure the AWS VPN settings, see the Amazon Virtual Private Cloud User Guide.

Before You Configure the Firebox

Before you configure the Firebox, download the configuration file from your AWS account:

  1. Log in to the AWS Management Console at
  2. In the Networking & Content Delivery section, select VPC.
  3. From the navigation menu, in the Virtual Private Network section, select Site-to-Site VPN Connections.
  4. Click the connection name.
  5. Click Download Configuration.
  6. From the Vendor drop-down list, select WatchGuard, Inc.
  7. From the Software drop-down list, select Fireware OS 11.12.2 +.
  8. Click Download.
    A .txt file downloads to your desktop.
  9. Open the .txt file in a text editor.

Open the configuration file to get the pre-shared keys, gateway IP addresses for AWS Tunnel 1 and Tunnel 2, and routes to the trusted (private) network of your AWS VPC.

You can also get these IP addresses in your AWS configuration:

  • For the gateway IP addresses, select Virtual Private Network > Site-to-Site VPN Connections > [name].
  • For the routes, select Virtual Private Cloud > Subnets or Virtual Private Cloud > Route Tables.

For this example, the AWS configuration uses these IP addresses:

  • Customer Gateway Address203.0.113.2 (external interface on the Firebox )
  • VPN Connections:
    • Tunnel 1 — (first IP address of the AWS virtual private gateway)
    • Tunnel 2192.0.2.2 (second IP address of the AWS virtual private gateway)
  • Static Route10.0.1.0/24 (trusted network of the Firebox)

Configure the Firebox

For this example, the Firebox has one external interface and one trusted network:

Interface Type Name IP Address
0 External External
1 Trusted Trusted

To configure a redundant gateway that uses both AWS external IP addresses, you must configure one BOVPN virtual interface that includes two gateway endpoints.

You must specify different pre-shared keys for each gateway endpoint on your Firebox.

Add a BOVPN Virtual Interface

Add the Gateway Endpoints

Configure the VPN Routes

Next, configure the VPN routes. These are the routes to the trusted (private) network of your AWS VPC.

Configure the Phase 1 and Phase 2 Settings

During VPN negotiations, AWS identifies the authentication and encryption algorithm settings from the Firebox. If AWS supports the settings, AWS automatically uses the same settings. AWS supports specific proposals. You cannot edit the AWS configuration to specify different proposals.

See Also

BOVPN Virtual Interface for Dynamic Routing to Amazon Web Services (AWS)

Give Us Feedback  ●   Get Support  ●   All Product Documentation  ●   Technical Search