BOVPN Virtual Interface for Static Routing to Microsoft Azure
You can configure static or dynamic routing. This topic covers static routing. For information about dynamic routing, see BOVPN Virtual Interface for Dynamic Routing to Microsoft Azure.
This example shows the configuration settings for a BOVPN virtual interface and static routing between a Firebox at Site A, and a Microsoft Azure virtual network at Site B. For detailed instructions, see Configure a BOVPN virtual interface connection to a Microsoft Azure virtual network in the WatchGuard Knowledge Base.
For this example, the Firebox at Site A has one external interface and one trusted network.
Azure does not support VPN connections to Fireboxes behind NAT devices. The Firebox must have a public external IP address.
For this example, the Microsoft Azure virtual network at Site B has one external virtual interface and one trusted virtual network.
The Gateway Settings tab of the BOVPN virtual interface configuration uses these settings:
- The Remote Endpoint Type is Cloud VPN or Third-Party Gateway. This endpoint type supports wildcard traffic selectors and does not use GRE.
- The Credential Method is Pre-Shared Key and must use the pre-shared key the two sites agreed upon. Azure supports only the pre-shared key authentication method for site-to-site VPNs.
- The Gateway Endpoint settings are:
  - Local Gateway: 203.0.113.2 (the IP address of the external interface on the Site A Firebox)
  - Remote Gateway: 198.51.100.2 (the IP address of the external interface on the Site B Azure gateway)
The VPN Routes tab of the BOVPN virtual interface configuration uses these settings:
- Route to: 10.0.100.0/24
On the Phase 1 Settings tab, select these settings:
- Version — IKEv2. Static VPN routes between your Firebox and Azure require IKEv2.
- Authentication — SHA2-256. Azure does not support SHA2-384 or SHA2-512.
- Encryption — AES (256-bit).
- Key Group — Diffie-Hellman Group 2. This is the only group Azure supports for Phase 1.
In Fireware v12.0 and higher, the default Key Group setting is Diffie-Hellman Group 14. You must change this setting to Diffie-Hellman Group 2.
On the Phase 2 Settings tab, select these settings:
- Perfect Forward Secrecy — Yes
- Diffie-Hellman — Azure supports groups 1, 2, 5, 14, 15, 19, and 20 for Phase 2.
- IPSec proposal — ESP-AES256-SHA256 or ESP-AES256-GCM. Azure does not support AES128-GCM or AES192-GCM.
Site B BOVPN Virtual Interface Configuration
On your Microsoft Azure virtual network, the gateway settings are:
- Remote gateway: 203.0.113.2 (the IP address of the external interface on the Firebox at Site A)
- Local gateway: 198.51.100.2 (the IP address of the external interface on the Azure gateway at Site B)
- VPN route: 10.0.1.0/24 (the trusted network at Site A)
For Azure VPN connections, Microsoft requires a maximum TCP MSS of 1350 or MTU of 1400. The Azure VPN gateway drops packets with a total packet size larger than 1400.
If the Azure VPN gateway drops packets from your Firebox, we recommend these Firebox settings:
- Fireware v12.5 or higher — In the BOVPN virtual interface configuration, specify an MTU of 1400. For more information about the MTU setting, see Configure a Maximum Transmission Unit (MTU) Value.
- Fireware v12.4.1 or lower — In the physical interface configuration, specify an MTU of 1400.
As an alternative, you can set the global TCP MSS value to 1350. However, we do not recommend this option because this setting affects other Firebox interfaces and applies only to TCP traffic. For example, this setting does not apply to RDP traffic in most cases because RDP usually uses UDP. If you use RDP to access servers hosted in Azure, Azure will drop packets larger than 1400 bytes even if you specify the recommended TCP MSS value. For more information about the TCP MSS setting, see Define Firebox Global Settings.
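The Phase 1, Phase 2 and packet-size requirements above are easy to get wrong when a Fireware v12.x default (Diffie-Hellman Group 14) or a 1500-byte interface MTU survives into the BOVPN virtual interface. The following added example, which is not WatchGuard or Microsoft code, lints a configuration against the constraints stated on this page before it is applied, and models why a global TCP MSS of 1350 keeps TCP segments under the 1400-byte limit while a UDP datagram (the RDP case described above) is still dropped. The dictionary layout, key names and function names are assumptions made for this illustration; the constraint values are the ones given on the page.

```python
"""Pre-change check of a Firebox BOVPN virtual interface configuration
against the Azure constraints described on this page.

Added example, not WatchGuard or Microsoft code. The dictionary layout,
key names and function names are assumptions; the constraint values
(IKEv2, SHA2-256, DH groups, ESP proposals, MTU 1400, TCP MSS 1350)
are the ones stated on the page.
"""

# Azure-side constraints as stated on the page.
AZURE_P1_VERSION = "IKEv2"
AZURE_P1_AUTH = "SHA2-256"
AZURE_P1_DH = {2}
AZURE_P2_DH = {1, 2, 5, 14, 15, 19, 20}
AZURE_P2_PROPOSALS = {"ESP-AES256-SHA256", "ESP-AES256-GCM"}
AZURE_MAX_MTU = 1400
AZURE_MAX_TCP_MSS = 1350

IP_HDR, TCP_HDR, UDP_HDR = 20, 20, 8  # IPv4 header sizes without options


def check_bovpn_config(cfg):
    """Return a list of findings; an empty list means the settings match the page."""
    findings = []
    p1, p2 = cfg["phase1"], cfg["phase2"]

    if p1["version"] != AZURE_P1_VERSION:
        findings.append(f"Phase 1: static routes to Azure require {AZURE_P1_VERSION}, got {p1['version']}")
    if p1["authentication"] != AZURE_P1_AUTH:
        findings.append(f"Phase 1: Azure supports only {AZURE_P1_AUTH}, got {p1['authentication']}")
    if p1["dh_group"] not in AZURE_P1_DH:
        hint = " (the Fireware v12.0+ default)" if p1["dh_group"] == 14 else ""
        findings.append(f"Phase 1: Azure supports only DH group 2, got group {p1['dh_group']}{hint}")

    if not p2["pfs"]:
        findings.append("Phase 2: Perfect Forward Secrecy should be set to Yes")
    elif p2["dh_group"] not in AZURE_P2_DH:
        findings.append(f"Phase 2: DH group {p2['dh_group']} is not supported by Azure")
    if p2["proposal"] not in AZURE_P2_PROPOSALS:
        findings.append(f"Phase 2: proposal {p2['proposal']} is not supported; use one of {sorted(AZURE_P2_PROPOSALS)}")

    # Packet-size constraints: MTU on the BOVPN virtual interface (v12.5+) or the
    # physical interface (v12.4.1 and lower), and the optional global TCP MSS.
    if cfg.get("mtu", AZURE_MAX_MTU) > AZURE_MAX_MTU:
        findings.append(f"MTU {cfg['mtu']} exceeds the Azure limit of {AZURE_MAX_MTU}")
    mss = cfg.get("global_tcp_mss")
    if mss is not None and mss > AZURE_MAX_TCP_MSS:
        findings.append(f"Global TCP MSS {mss} exceeds the Azure limit of {AZURE_MAX_TCP_MSS}")
    return findings


def on_wire_size(proto, payload_len, tcp_mss=None):
    """IPv4 packet length for one unfragmented segment or datagram.

    A TCP payload is clamped to the MSS when one is configured; UDP has no
    MSS, so its datagram goes out at full size.
    """
    if proto == "tcp":
        seg = payload_len if tcp_mss is None else min(payload_len, tcp_mss)
        return IP_HDR + TCP_HDR + seg
    if proto == "udp":
        return IP_HDR + UDP_HDR + payload_len
    raise ValueError(f"unsupported protocol: {proto}")


def azure_accepts(total_len):
    """The Azure VPN gateway drops packets larger than 1400 bytes in total."""
    return total_len <= AZURE_MAX_MTU


# Constructed sample: a Fireware 12.x configuration that still carries the
# default Phase 1 DH group and a 1500-byte MTU.
SAMPLE_CFG = {
    "phase1": {"version": "IKEv2", "authentication": "SHA2-256", "dh_group": 14},
    "phase2": {"pfs": True, "dh_group": 14, "proposal": "ESP-AES256-SHA256"},
    "mtu": 1500,
}

if __name__ == "__main__":
    for finding in check_bovpn_config(SAMPLE_CFG):
        print("FINDING:", finding)
    # An MSS of 1350 keeps a full TCP segment under 1400 bytes ...
    print(azure_accepts(on_wire_size("tcp", 1460, tcp_mss=1350)))
    # ... but a 1400-byte UDP payload (for example RDP over UDP) is still dropped.
    print(azure_accepts(on_wire_size("udp", 1400)))
```

Running the sample reports two findings (Phase 1 group 14 and MTU 1500); correcting those to group 2 and 1400 yields an empty list. The UDP case is the point of the last paragraph above: the MSS clamp never touches a UDP datagram, so only the MTU setting prevents Azure from dropping it.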
For more information about Azure configuration settings, see the documentation provided by Microsoft.