Define Gateway Endpoints for a BOVPN Gateway

Gateway endpoints are the local and remote gateways that a BOVPN connects. The gateway endpoints configuration tells your Firebox how to identify and communicate with the remote endpoint device when it negotiates the BOVPN. It also tells the device how to identify itself to the remote endpoint when it negotiates the BOVPN. You must configure at least one gateway endpoint pair when you add a BOVPN gateway.

Any external interface can be a gateway endpoint. If the local or remote endpoint has more than one external interface, you can configure multiple gateway endpoint pairs. This enables the device to failover to a secondary connection if the primary is not available. If you configure more than one gateway endpoint pair, make sure that the gateway endpoints are listed in the same order on both endpoint devices. For more information, go to Configure Branch Office VPN (BOVPN) Failover.

In Fireware v12.4 or higher, you can configure a manual branch office VPN between two IPv6 gateways. For more information, go to Configure Manual BOVPN Gateways.

In Fireware v12.2 or higher, you can specify a secondary interface IP address as a gateway endpoint. By default, the primary IP address configured on the external interface you specify is used.

In Fireware v12.1.x or lower, do not use a secondary interface IP address as a gateway endpoint. If you configure a gateway endpoint with a secondary interface IP address, the BOVPN connection might fail if the local Firebox initiates the BOVPN connection. This is because the Firebox initiates the connection with the primary interface IP address. If the remote endpoint initiates the BOVPN connection and specifies the secondary interface IP address, the connection succeeds.

Local Gateway

In the Local Gateway section, you configure external interface and IP address the BOVPN connects to on your Firebox. You also configure the gateway ID.

For the gateway ID, if you have a static IP address, you can select By IP Address. If you have a domain that resolves to the IP address the BOVPN connects to on your Firebox, select By Domain Information.

  1. Create or edit a branch office VPN Gateway. For more information, go to Configure Manual BOVPN Gateways.
  2. From the Gateway page, in the Gateway Endpoint section, click Add.
    The New Gateway Endpoints Settings dialog box appears.

Screen shot of the Gateway Endpoint Settings dialog box, Local Gateway tab

  1. From the External Interface drop-down list, select the interface that has the external (public) IP address of the Site A Firebox. If you configured the wireless client as an external interface, select the interface WG-Wireless-Client.
  2. (Fireware v12.2 or higher) In the Interface IP Address drop-down list, select Primary Interface IP Address or select a secondary IP address that is already configured on the selected external interface. In Fireware v12.4 or higher, the primary interface options are Primary Interface IPv4 Address or Primary Interface IPv6 Address. Tip!

Screen shot of a secondary IP address configuration

  1. Select an option and specify the gateway ID:
    • By IP address — Type the primary IP address of the Firebox interface.
      In Fireware v12.2 or higher, if you selected a secondary IP address from the Interface IP Address drop-down list, that IP address automatically appears in the By IP Address text box.
      In Fireware v12.4 or higher, you must specify an IP address type that matches the Address Family setting you configured earlier. For example, if you specified IPv6 Addresses, you must specify an IPv6 address in the By IP Address text box.
      In Fireware v12.1.x or lower, do not use a secondary interface IP address as the gateway ID.
    • By Domain Name — Type your domain name. You must specify 63 characters or fewer.
    • By User ID on Domain — Type the user name and domain with the format UserName@DomainName. You must specify 63 characters or fewer.
    • By x500 Name — This option is automatically selected if you specified a certificate as the credential method. In Fireware v12.5.2 or higher, you can specify a certificate with an x500 name up to 255 characters in length. In Fireware v12.5.1 or lower, you must specify 63 characters or fewer.
  1. Create or edit a branch office VPN gateway. For more information, go to Configure Manual BOVPN Gateways.
  2. From the Add Gateway page, in the Gateway Endpoints section, click Add.
    The New Gateway Endpoints Settings dialog box appears.

Screen shot of New Gateway Endpoints Settings dialog box

  1. From the External Interface drop-down list, select the interface that has the external (public) IP address of the Site A Firebox. If you configured the wireless client as an external interface, select the interface WG-Wireless-Client.
  2. (Fireware v12.2 or higher) To specify an IP address, in the Interface IP Address drop-down list, select Primary Interface IP Address or select a secondary IP address that is already configured on the selected external interface. Tip!

Screen shot of a secondary IP address configuration

  1. Select an option and specify the gateway ID:
    • By IP address — Type or select the primary IP address of the Firebox interface.
      In Fireware v12.2 or higher, if you selected a secondary IP address from the Interface IP Address drop-down list, that IP address automatically appears in the By IP Address text box.
      In Fireware v12.4 or higher, you must specify an IP address type that matches the Address Family setting you configured earlier. For example, if you specified IPv6 Addresses, you must specify an IPv6 address in the By IP Address text box.
      In Fireware v12.1.x or lower, do not use a secondary interface IP address as the gateway ID.
    • By Domain Information — Click Configure and select the method of domain configuration. Select By Domain Name or By User ID on Domain.
      • By Domain Name — Type your domain name and click OK. In Fireware v12.5.2 or higher, you can specify up to 255 characters. In Fireware v12.5.1 or lower, you must specify 63 characters or fewer.
      • By User ID on Domain — Type the user name and domain with the format UserName@DomainName and click OK. In Fireware v12.5.2 or higher, you can specify up to 255 characters. In Fireware v12.5.1 or lower, you must specify 63 characters or fewer.

Remote Gateway

You can configure the gateway IP address and gateway ID for the remote endpoint device that the BOVPN connects to. The gateway IP address can be either a static IP address or a dynamic IP address. The gateway ID can be By Domain Name, By User ID on Domain, or By x500 Name. The administrator of the remote gateway device selects which gateway ID type to use.

If the remote VPN endpoint gets an external IP address from DHCP or PPPoE, set the ID type of the remote gateway to Domain Name. Set the peer name to the fully qualified domain name of the remote VPN endpoint. The Firebox uses the IP address and domain name to find the VPN endpoint. Make sure the DNS server the device uses can identify the name.

  1. In the Gateway Endpoint Settings dialog box, select the Remote Gateway tab.

Screen shot of the Gateway Endpoint Settings dialog box, Remote Gateway tab

  1. Select the remote gateway IP address type:
    • Static IP address — Select this option if the remote device has a static IP address. Type or select the IP address.
      In Fireware v12.4 or higher, you must specify an IP address type that matches the Address Family setting you configured earlier. For example, if you specified IPv6 Addresses, you must specify an IPv6 address in the Static IP address text box.
    • Dynamic IP address — Select this option if the remote device has a dynamic IP address.
  2. Select an option and specify the remote gateway ID:
    • By IP address — Type the IP address.
      In Fireware v12.4 or higher, you must specify an IP address type that matches the Address Family setting you configured earlier. For example, if you specified IPv6 Addresses, you must specify an IPv6 address in the By IP address text box.
    • By Domain Name — Type the domain name. In Fireware v12.5.2 or higher, you can specify up to 255 characters. In Fireware v12.5.1 or lower, you must specify 63 characters or fewer.
    • By User ID on Domain — Type the user ID and domain. In Fireware v12.5.2 or higher, you can specify up to 255 characters. In Fireware v12.5.1 or lower, you must specify 63 characters or fewer.
    • By x500 Name — Type the x500 name. In Fireware v12.5.2 or higher, you can specify up to 255 characters. In Fireware v12.5.1 or lower, you must specify 63 characters or fewer.

    For an IPv4 gateway endpoint, if the domain name of the remote endpoint can be resolved, select the Attempt to resolve domain check box.
    When this option is selected, the device automatically does a DNS query to find the IP address associated with the domain name for the remote endpoint. Connections do not proceed until the domain name can be resolved. Select this check box for configurations that depend on a dynamic DNS server to maintain a mapping between a dynamic IP address and a domain name.

  3. Click OK.
    The gateway pair you defined appears in the list of gateway endpoints.
  4. To configure Phase 1 settings for this gateway, follow the steps in Configure IPSec VPN Phase 1 Settings.
  1. Select the remote gateway IP address type:
    • Static IP address — Select this option if the remote device has a static IP address. Type or select the IP address.
      In Fireware v12.4 or higher, you must specify an IP address type that matches the Address Family setting you configured earlier. For example, if you specified IPv6 Addresses, you must specify an IPv6 address in the Static IP address text box.
    • Dynamic IP address — Select this option if the remote device has a dynamic IP address.
  2. Select an option and specify the gateway ID:
    • By IP address — Type the IP address or select it from the drop-down list.
      In Fireware v12.4 or higher, you must specify an IP address type that matches the Address Family setting you configured earlier. For example, if you specified IPv6 Addresses, you must specify an IPv6 address in the By IP address text box.
    • By Domain Information
      1. Click Configure and select the method of domain configuration: Domain Name, User ID @ Domain, or X500 Name.
      2. Type the name, user ID and domain, or x500 name. In Fireware v12.5.2 or higher, you can specify up to 255 characters. In Fireware v12.5.1 or lower, you must specify 63 characters or fewer.
      3. For an IPv4 gateway endpoint, if the domain name of the remote endpoint can be resolved, select the Attempt to resolve check box.
        When this option is selected, the device automatically does a DNS query to find the IP address associated with the domain name for the remote endpoint. Connections do not proceed until the domain name can be resolved. Select this check box for configurations that depend on a dynamic DNS server to maintain a mapping between a dynamic IP address and a domain name.
      4. Click OK.

Screen shot of Configure Domain for Gateway ID dialog box

  1. Click OK to close the New Gateway Endpoints Settings dialog box.
    The gateway pair you defined appears in the list of gateway endpoints.
  2. To use Phase 1 settings other than the default values, follow the steps in Configure IPSec VPN Phase 1 Settings. Otherwise, click OK.

Advanced Settings

You can configure these options on the Advanced Settings tab:

CA Certificate

(Fireware v12.6.2 or higher) This option appears if you select a certificate for authentication. When you enable this option, you must select a root or intermediate CA certificate from the CA Certificate drop-down list. The Firebox uses that CA certificate to verify the certificate received from VPN peer. The certificate from the VPN peer must be part of the certificate chain that includes the specified root or intermediate CA certificate. If the peer certificate is not part of the chain, the Firebox rejects Phase 1 tunnel negotiations.

Screenshot of the CA Certificate setting in Fireware Web UI

Different pre-shared key

You can specify different pre-shared keys for each gateway endpoint. You might select this option if you configure a VPN between a Firebox and third-party endpoint, and the third-party endpoint requires each gateway endpoint to have a different pre-shared key.

(Fireware v12.5.4 or higher) Select String-Based or Hex-Based. The default setting is String-Based. For information about hex-based keys, go to Hex-Based Pre-Shared Keys.

DF Bit

The Don't Fragment (DF) bit is a flag in the header of a packet. You can select Copy, Set, or Clear to control whether the Firebox uses the original DF bit setting in the packet header:

Screenshot of the DF bit setting in Fireware Web UI
The DF bit setting in Fireware Web UI

Screenshot of the DF bit setting in Policy Manager
The DF bit setting in Policy Manager

  • Copy — This option applies the DF bit setting of the original frame to the IPSec encrypted packet.
    If a frame does not have the DF bits set, the Firebox does not set the DF bits and fragments the packet if needed. If a frame is set to not be fragmented, the Firebox encapsulates the entire frame and sets the DF bits of the encrypted packet to match the original frame.
  • Set — This option instructs the Firebox to not fragment the frame regardless of the original bit setting.
    If a user must make IPSec connections to a Firebox from behind a different Firebox, you must clear this check box to enable the IPSec pass-through feature. For example, if mobile employees are at a customer location that has a Firebox, they can make IPSec connections to their network with IPSec. For your local Firebox to correctly allow the outgoing IPSec connection, you must also add an IPSec policy.
  • Clear — This option breaks the frame into pieces that can fit in an IPSec packet with the ESP or AH header, regardless of the original bit setting.

In Fireware v12.2 or lower, you can only configure the DF Bit setting in the external interface settings.

In Fireware v12.2.1 or higher, you can configure the DF Bit setting in the BOVPN gateway endpoint settings. This setting takes effect immediately. The DF Bit setting specified for the gateway endpoint overrides the DF Bit setting specified for the external interface.

If you do not specify a DF Bit setting for the gateway endpoint, the gateway endpoint uses the DF Bit setting specified in the external interface settings. For more information about the DF Bit setting in the external interface settings, go to Define Gateway Endpoints for a BOVPN Gateway.

PMTU

The Path Maximum Transmission Unit (PMTU) setting controls the length of time that the Firebox lowers the MTU for an IPSec VPN tunnel when it gets an ICMP Request to Fragment packet from a router with a lower MTU setting on the Internet.

In Fireware v12.2.1 or higher, you can configure PMTU settings in the BOVPN gateway endpoint settings. The PMTU settings specified for the gateway endpoint override the PMTU settings specified for the external interface. If you do not specify PMTU settings for a gateway endpoint, the gateway endpoint uses the PMTU settings specified in the external interface settings.

We recommend that you keep the default setting. This can protect you from a router on the Internet with a very low MTU setting.

Screenshot of the PMTU bit setting in Fireware Web UI
The PMTU bit setting in Fireware Web UI

Screenshot of the PMTU bit setting in Policy Manager
The PMTU bit setting in Policy Manager

Related Topics

Configure Manual BOVPN Gateways

Configure Manual BOVPN Tunnels