BOVPN Virtual Interface for Static Routing to Microsoft Azure

You can configure a VPN connection between your Firebox and Microsoft Azure. For example, you might configure a VPN so that hosts on your local network can securely connect to resources on your Azure virtual network. For VPN connections to Azure, we recommend that you configure a BOVPN virtual interface on the Firebox instead of a BOVPN.

You can configure static or dynamic routing. This topic covers static routing. For information about dynamic routing, see BOVPN Virtual Interface for Dynamic Routing to Microsoft Azure.

Configuration Example

This example shows the configuration settings for a BOVPN virtual interface and static routing between a Firebox at Site A, and a Microsoft Azure virtual network at Site B. For detailed instructions, see Configure a BOVPN virtual interface connection to a Microsoft Azure virtual network in the WatchGuard Knowledge Base.

Firebox Interfaces

For this example, the Firebox at Site A has one external interface and one trusted network.

Azure does not support VPN connections to Fireboxes behind NAT devices. The Firebox must have a public external IP address.

Interface   Type       Name       IP Address
0           External   External   203.0.113.2/24
1           Trusted    Trusted    10.0.1.1/24

Azure Interfaces

For this example, the Microsoft Azure virtual network at Site B has one external virtual interface and one trusted virtual network.

Interface   Type       Name       IP Address
0           External   External   198.51.100.2/24
1           Trusted    Trusted    10.0.100.1/24

Firebox Configuration

The Gateway Settings tab of the BOVPN virtual interface configuration uses these settings:

  • The Remote Endpoint Type is Cloud VPN or Third-Party Gateway. This endpoint type supports wildcard traffic selectors and does not use GRE.
  • The Credential Method is Pre-Shared Key, and the key must be the pre-shared key the two sites agreed upon. Azure supports only the pre-shared key authentication method for site-to-site VPNs.
  • The Gateway Endpoint settings are:
    • Local Gateway: 203.0.113.2 (the IP address of the external interface on the Site A Firebox)
    • Remote Gateway: 198.51.100.2 (the IP address of the external interface on the Site B Azure gateway)

Screen shot: Site A gateway configuration in Fireware Web UI

Screen shot: Site A gateway configuration in Policy Manager

The VPN Routes tab of the BOVPN virtual interface configuration uses these settings:

  • Route to: 10.0.100.0/24

Screen shot: Site A static route configuration in Fireware Web UI

Screen shot: Site A static route configuration in Policy Manager

On the Phase 1 Settings tab, select these settings:

  • Version — IKEv2. Static VPN routes between your Firebox and Azure require IKEv2.
  • Authentication — SHA2-256. Azure does not support SHA2-384 or SHA2-512.
  • Encryption — AES (256-bit) or AES-GCM (256-bit). Azure does not support AES-GCM (128-bit) or AES-GCM (192-bit).
  • Key Group — Diffie-Hellman Group 2. This is the only group Azure supports for Phase 1.

In Fireware v12.0 and higher, the default Key Group setting is Diffie-Hellman Group 14. You must change this setting to Diffie-Hellman Group 2.

Screen shot: Site A Phase 1 settings in Fireware Web UI

Screen shot: Site A Phase 1 settings in Policy Manager

On the Phase 2 Settings tab, select these settings:

Screen shot: Site A Phase 2 settings in Fireware Web UI

Screen shot: Site A Phase 2 settings in Policy Manager

Site B BOVPN Virtual Interface Configuration

On your Microsoft Azure virtual network, the gateway settings are:

  • Remote gateway: 203.0.113.2 (the IP address of the first external interface on the Firebox at Site A)
  • Local gateway: 198.51.100.2 (the IP address of the external interface on the Azure gateway at Site B)
  • VPN route: 10.0.1.0/24 (the Site A trusted network)

MTU Settings

For Azure VPN connections, Microsoft requires a maximum TCP MSS of 1350 or MTU of 1400. The Azure VPN gateway drops packets with a total packet size larger than 1400.

If the Azure VPN gateway drops packets from your Firebox, we recommend these Firebox settings:

  • Fireware v12.5 or higher – In the BOVPN virtual interface configuration, specify an MTU of 1400. In Fireware v12.5, you must configure this setting in the CLI. For more information about the MTU setting, see About BOVPN Virtual Interfaces.
  • Fireware v12.4.1 or lower – In the physical interface configuration, specify an MTU of 1400.

As an alternative, you can set the global TCP MSS value to 1350. However, we do not recommend this option because the setting affects other Firebox interfaces and applies only to TCP traffic. For example, it does not apply to RDP traffic in most cases, because RDP usually uses UDP. If you use RDP to access servers hosted in Azure, Azure drops packets larger than 1400 bytes even if you specify the recommended TCP MSS value. For more information about the TCP MSS setting, see Define Firebox Global Settings.
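As an added example (not WatchGuard or Microsoft code), the following Python script is a pre-flight check that compares a Firebox BOVPN virtual interface configuration with the Azure constraints listed on this page: the endpoint type and credential method, the public external IP requirement, the Phase 1 settings, and the MTU and TCP MSS limits. The dict layout and field names are assumptions made for this example; the Site A values are the ones from this page.

```python
# Added example, not WatchGuard or Microsoft code: pre-flight check of a Firebox BOVPN
# virtual interface configuration against the Azure constraints on this page.
import ipaddress

AZURE_PHASE1 = {  # Phase 1 values Azure accepts, per the page
    "version": {"IKEv2"},
    "authentication": {"SHA2-256"},
    "encryption": {"AES (256-bit)", "AES-GCM (256-bit)"},
    "key_group": {"Diffie-Hellman Group 2"},
}
AZURE_MAX_MTU, AZURE_MAX_TCP_MSS = 1400, 1350  # Azure drops packets larger than 1400 bytes
# Azure does not support a Firebox behind NAT; an RFC 1918 or CGNAT address on the
# external interface is the usual sign that the Firebox is NATed.
NAT_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


def check_azure_bovpn(cfg):
    """Return a list of problems; empty means cfg satisfies the rules stated on this page."""
    problems = []
    if cfg.get("remote_endpoint_type") != "Cloud VPN or Third-Party Gateway":
        problems.append("Remote Endpoint Type must be Cloud VPN or Third-Party Gateway")
    if cfg.get("credential_method") != "Pre-Shared Key":
        problems.append("Azure supports only Pre-Shared Key authentication")
    try:
        local = ipaddress.ip_address(cfg["local_gateway"])
        if any(local in net for net in NAT_RANGES):
            problems.append(f"local gateway {local} is a NAT-range address; Azure needs a public IP")
    except (KeyError, ValueError):
        problems.append("local gateway is missing or not a valid IP address")
    for field, allowed in AZURE_PHASE1.items():
        value = cfg.get("phase1", {}).get(field)
        if value not in allowed:
            problems.append(f"Phase 1 {field} {value!r} unsupported; use one of {sorted(allowed)}")
    if cfg.get("mtu", AZURE_MAX_MTU) > AZURE_MAX_MTU:
        problems.append(f"MTU {cfg['mtu']} exceeds {AZURE_MAX_MTU}")
    if cfg.get("tcp_mss", AZURE_MAX_TCP_MSS) > AZURE_MAX_TCP_MSS:
        problems.append(f"TCP MSS {cfg['tcp_mss']} exceeds {AZURE_MAX_TCP_MSS}")
    return problems


# The Site A settings from this page, in the dict layout assumed by this example.
SITE_A = {
    "remote_endpoint_type": "Cloud VPN or Third-Party Gateway",
    "credential_method": "Pre-Shared Key",
    "local_gateway": "203.0.113.2", "remote_gateway": "198.51.100.2",
    "phase1": {"version": "IKEv2", "authentication": "SHA2-256",
               "encryption": "AES (256-bit)", "key_group": "Diffie-Hellman Group 2"},
    "mtu": 1400,
}
```

Running `check_azure_bovpn(SITE_A)` returns an empty list; a Firebox left at the Fireware v12.0+ default of Diffie-Hellman Group 14, or with a private address on its external interface, is reported before the tunnel is brought up.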

For more information about Azure configuration settings, see the documentation provided by Microsoft.

See Also

BOVPN Virtual Interface for Dynamic Routing to Microsoft Azure

Configure a BOVPN Virtual Interface

BOVPN Virtual Interface with Policy-Based Routing

BOVPN Virtual Interface with Dynamic Routing
