Use a Branch Office VPN for Failover from a Leased Line (BGP)

This topic provides an example of how to configure failover from a leased line that uses BGP to a branch office VPN. For an overview of how failover to a branch office VPN works, go to Configure a Branch Office VPN for Failover from a Leased Line.

In this example, an organization has a private leased line that connects Fireboxes at two office locations. The leased line is connected to a trusted Firebox interface at each site. The network administrator wants to configure a branch office VPN connection between the two offices, which can be used for failover if the leased line connection becomes unavailable.

This diagram shows the configuration settings that apply to each site for this example.

Network failover diagram

Example Network Configuration

For this example, the two offices use these IP addresses.

Setting                                                              Main Office Firebox   Regional Office Firebox
External interface IP address                                        203.0.113.2/24        198.51.100.2/24
Default gateway IP address                                           203.0.113.1           198.51.100.1
IP address of the trusted interface connected to the trusted network 10.0.1.1/24           10.50.1.1/24
Trusted network IP address                                           10.0.1.0/24           10.50.1.0/24
IP address of the trusted interface connected to the leased line     192.168.100.1/30      192.168.100.2/30

Configure Dynamic Routing at the Main Office

To use the branch office VPN connection for failover, you must enable dynamic routing on the Firebox at each site. You can use any supported dynamic routing protocol (RIP v1, RIP v2, OSPF, or BGP v4). For this example, we use BGP.

To configure dynamic routing on the main office Firebox, from Fireware Web UI or Policy Manager:

  1. Select Network > Dynamic Routing.
    The Dynamic Routing Setup page appears.
  2. Select the Enable Dynamic Routing check box.
  3. Select the BGP tab.
  4. Select the Enable check box.
  5. In the BGP tab text box, paste the text of your routing daemon configuration file.

For the main office, the BGP routing daemon configuration file contains this text: 

router bgp 65535
network 10.0.1.0/24
neighbor 192.168.100.2 remote-as 65535

Configure Dynamic Routing at the Regional Office

To enable dynamic routing with BGP on the Firebox at the regional office, repeat the steps in the previous section.

For the regional office, the BGP routing daemon configuration file contains this text: 

router bgp 65535
network 10.50.1.0/24
neighbor 192.168.100.1 remote-as 65535
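Before you paste either routing daemon configuration into the BGP tab, it is worth cross-checking the two texts against the example network table: each neighbor statement must name the far end of the leased-line /30, the remote-as must match the peer's router bgp AS, and each site should advertise exactly its own trusted network, since that is the prefix the VPN tunnel takes over during failover. The Python script below is an added example, not part of this WatchGuard topic or the Firebox software; the SITES table and the check names are assumptions built from the values on this page.

```python
import ipaddress
import re

# Constructed copies of the two routing daemon configuration texts from this topic.
MAIN_BGP = """router bgp 65535
network 10.0.1.0/24
neighbor 192.168.100.2 remote-as 65535
"""
REGIONAL_BGP = """router bgp 65535
network 10.50.1.0/24
neighbor 192.168.100.1 remote-as 65535
"""
# Site facts from the example network table (dictionary layout is an assumption).
SITES = {
    "main":     {"bgp": MAIN_BGP,     "trusted": "10.0.1.0/24",  "leased_if": "192.168.100.1/30"},
    "regional": {"bgp": REGIONAL_BGP, "trusted": "10.50.1.0/24", "leased_if": "192.168.100.2/30"},
}

def parse_bgp(text):
    """Extract the local AS, advertised networks and neighbors from a 'router bgp' stanza."""
    cfg = {"asn": None, "networks": [], "neighbors": {}}
    for line in text.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"router bgp (\d+)", line):
            cfg["asn"] = int(m.group(1))
        elif m := re.fullmatch(r"network (\S+)", line):
            cfg["networks"].append(ipaddress.ip_network(m.group(1)))
        elif m := re.fullmatch(r"neighbor (\S+) remote-as (\d+)", line):
            cfg["neighbors"][ipaddress.ip_address(m.group(1))] = int(m.group(2))
    return cfg

def check_pair(local, remote):
    """Return the problems found when `local` peers with `remote` over the leased line."""
    problems = []
    lcfg, rcfg = parse_bgp(local["bgp"]), parse_bgp(remote["bgp"])
    l_if = ipaddress.ip_interface(local["leased_if"])
    r_if = ipaddress.ip_interface(remote["leased_if"])
    # The neighbor statement must point at the far end of the leased-line /30 and carry its AS.
    if r_if.ip not in lcfg["neighbors"]:
        problems.append(f"neighbor {r_if.ip} missing")
    elif lcfg["neighbors"][r_if.ip] != rcfg["asn"]:
        problems.append("remote-as does not match the peer's router bgp AS")
    if r_if.ip not in l_if.network:
        problems.append("peer address is not on the local leased-line subnet")
    # Advertise the local trusted network, the same prefix the VPN tunnel route must cover.
    if ipaddress.ip_network(local["trusted"]) not in lcfg["networks"]:
        problems.append(f"trusted network {local['trusted']} not advertised")
    return problems
```

Run `check_pair(SITES["main"], SITES["regional"])` and the reverse; an empty list for both means the two texts agree with each other and with the table.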

Configure the VPN at the Main Office

For this example we use the default Phase 1 and Phase 2 settings.

At the Main Office, Configure the VPN Gateway to the Regional Office

At the Main Office, Configure the VPN Tunnel to the Regional Office

After you configure the VPN gateway on the main office Firebox, configure the VPN tunnel to the regional office.

At the Main Office, Configure Global VPN Settings to Enable Failover

Configure the VPN at the Regional Office

Configure the VPN at the regional office with settings that correspond to the settings at the main office.

At the Regional Office, Configure the VPN Gateway to the Main Office

At the Regional Office, Configure the VPN Tunnel to the Main Office

At the Regional Office, Configure Global VPN Settings to Enable Failover

For more information about how to configure BGP, go to Configure IPv4 and IPv6 Routing with BGP.

Related Topics

Configure a Branch Office VPN for Failover from a Leased Line

Use a Branch Office VPN for Failover from a Leased Line (OSPF)