Define Gateway Endpoints for a BOVPN Virtual Interface

Gateway endpoints are the local and remote gateways that are connected by a BOVPN. The gateway endpoints configuration enables your Firebox to specify how to identify and communicate with the remote endpoint device when it negotiates the BOVPN. It also enables the device to specify how to identify itself to the remote endpoint when it negotiates the BOVPN. You must configure at least one gateway endpoint pair when you add a BOVPN virtual interface.

You can configure multiple gateway endpoints for VPN failover. For more information, see Configure VPN Failover.

You can specify different pre-shared keys for each gateway endpoint of a virtual interface. For an example of a configuration with different pre-shared keys, see BOVPN Virtual Interface for Static Routing to Amazon Web Services (AWS).

In Fireware v12.2 or higher, you can specify a secondary interface IP address as a gateway endpoint. By default, the primary IP address configured on the external interface you specify is used.

In Fireware v12.1.1 or lower, do not use a secondary interface IP address as a gateway endpoint.

Local Gateway

In the Local Gateway settings, you configure the gateway ID and the interface the BOVPN connects to on your Firebox. You can configure a BOVPN virtual interface to use any internal or external interface as the local gateway.

For the gateway ID, if you have a static IP address you can select By IP Address. If you have a domain that resolves to the IP address the BOVPN connects to on your Firebox, select By Domain Information.

Remote Gateway

You can configure the gateway IP address and gateway ID for the remote endpoint device that the BOVPN connects to. The gateway IP address can be either a static IP address or a dynamic IP address. The gateway ID can be By Domain Name, By User ID on Domain, or By x500 Name. The administrator of the remote gateway device selects which gateway ID type to use.

If the remote VPN endpoint gets an external IP address from DHCP or PPPoE, set the ID type of the remote gateway to Domain Name. Set the peer name to the fully qualified domain name of the remote VPN endpoint. The Firebox uses the IP address and domain name to find the VPN endpoint. Make sure the DNS server the device uses can identify the name.

Advanced Settings

You can configure these options on the Advanced Settings tab:

Different pre-shared key

You can specify different pre-shared keys for each gateway endpoint. You might select this option if you configure a VPN between a Firebox and third-party endpoint, and the third-party endpoint requires each gateway endpoint to have a different pre-shared key.

DF Bit

The Don't Fragment (DF) bit is a flag in the header of a packet. You can select Copy, Set, or Clear to control whether the Firebox uses the original DF bit setting in the packet header:

[Screenshot: The DF bit setting in Fireware Web UI]

[Screenshot: The DF bit setting in Policy Manager]

  • Copy — This option applies the DF bit setting of the original frame to the IPSec encrypted packet.
    If the DF bit is not set in the original frame, the Firebox does not set the DF bit in the encrypted packet and fragments the packet if needed. If the original frame is marked not to be fragmented, the Firebox encapsulates the entire frame and sets the DF bit of the encrypted packet to match the original frame.
  • Set — This option instructs the Firebox to not fragment the frame, regardless of the original bit setting.
    If a user must make IPSec connections to a Firebox from behind a different Firebox, you must clear this check box to enable the IPSec pass-through feature. For example, if mobile employees are at a customer location that has a Firebox, they can make IPSec connections to their own network. For your local Firebox to correctly allow the outgoing IPSec connection, you must also add an IPSec policy.
  • Clear — This option breaks the frame into pieces that can fit in an IPSec packet with the ESP or AH header, regardless of the original bit setting.

In Fireware v12.2 or lower, you can only configure the DF Bit setting in the external interface settings.

In Fireware v12.2.1 or higher, you can configure the DF Bit setting in the BOVPN gateway endpoint settings. This setting takes effect immediately. The DF Bit setting specified for the gateway endpoint overrides the DF Bit setting specified for the external interface.

If you do not specify a DF Bit setting for the gateway endpoint, the gateway endpoint uses the DF Bit setting specified in the external interface settings. For more information about the DF Bit setting in the external interface settings, see

PMTU

The Path Maximum Transmission Unit (PMTU) setting controls how long the Firebox keeps a lowered MTU for an IPSec VPN tunnel after it receives an ICMP Request to Fragment packet from a router on the Internet that has a lower MTU setting.

In Fireware v12.2.1 or higher, you can configure PMTU settings in the BOVPN gateway endpoint settings. The PMTU settings specified for the gateway endpoint override the PMTU settings specified for the external interface. If you do not specify PMTU settings for a gateway endpoint, the gateway endpoint uses the PMTU settings specified in the external interface settings.

We recommend that you keep the default setting. This can protect you from a router on the Internet with a very low MTU setting.
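The following is an added illustration, not Fireware code, of the behaviour the DF Bit and PMTU sections describe: how the gateway-endpoint setting overrides the interface setting, what Copy, Set and Clear do to an oversized frame, and how a learned path MTU is honoured only for a limited time. The ESP overhead, the 576-byte floor and the hold time are assumed values chosen for the example.

```python
import math
from dataclasses import dataclass
from typing import Optional

# Assumed worst-case bytes added by ESP tunnel-mode encapsulation (outer IPv4
# header, ESP header, IV, padding, trailer, ICV); a constructed figure.
ESP_OVERHEAD = 73

def resolve_df_mode(endpoint_mode: Optional[str], interface_mode: str) -> str:
    """Gateway-endpoint DF setting wins; with none set, the external interface setting applies."""
    return endpoint_mode if endpoint_mode is not None else interface_mode

@dataclass
class TunnelPmtu:
    """Per-tunnel PMTU state: a learned path MTU is used only until it expires."""
    interface_mtu: int = 1500
    learned_mtu: Optional[int] = None
    expires_at: float = 0.0

    def effective_mtu(self, now: float) -> int:
        if self.learned_mtu is not None and now < self.expires_at:
            return self.learned_mtu
        return self.interface_mtu  # learned value expired: back to the interface MTU

    def on_fragmentation_needed(self, advertised_mtu: int, now: float, hold_seconds: float) -> int:
        """React to an ICMP 'fragmentation needed' from a router on the path.
        A floor (assumed 576) stops an absurdly low advertised MTU from crippling the tunnel."""
        self.learned_mtu = max(576, min(advertised_mtu, self.interface_mtu))
        self.expires_at = now + hold_seconds
        return self.learned_mtu

def encapsulate(inner_len: int, inner_df: bool, df_mode: str, mtu: int) -> dict:
    """Decide what happens to one cleartext frame under Copy / Set / Clear."""
    outer_df = {"copy": inner_df, "set": True, "clear": False}[df_mode]
    outer_len = inner_len + ESP_OVERHEAD
    if outer_len <= mtu:
        return {"outer_df": outer_df, "action": "send", "fragments": 1}
    if outer_df:
        # Too big and DF set: the packet is dropped and the sender is told
        # the largest cleartext size that still fits the tunnel.
        return {"outer_df": True, "action": "drop_icmp_frag_needed",
                "fragments": 0, "suggested_inner_mtu": mtu - ESP_OVERHEAD}
    # DF clear: split the encrypted packet into IPv4 fragments (20-byte outer
    # header each, payload rounded down to a multiple of 8 as IPv4 requires).
    payload = (mtu - 20) // 8 * 8
    return {"outer_df": False, "action": "fragment",
            "fragments": math.ceil((outer_len - 20) / payload)}
```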

[Screenshot: The PMTU setting in Fireware Web UI]

[Screenshot: The PMTU setting in Policy Manager]

See Also

Configure Manual BOVPN Gateways

Configure Manual BOVPN Tunnels