Use a Branch Office VPN for Failover from a Leased Line (BGP)

This topic provides an example of how to configure failover from a leased line that uses BGP to a branch office VPN. For an overview of how failover to a branch office VPN works, go to Configure a Branch Office VPN for Failover from a Leased Line.

In this example, an organization has a private leased line that connects Fireboxes at two office locations. The leased line is connected to a trusted Firebox interface at each site. The network administrator wants to configure a branch office VPN connection between the two offices, which can be used for failover if the leased line connection becomes unavailable.

This diagram shows the configuration settings that apply to each site for this example.

Network failover diagram

Example Network Configuration

For this example, the two offices use these IP addresses.

  Main Office Firebox Regional Office Firebox
External interface IP address 203.0.113.2/24 198.51.100.2/24
Default Gateway IP address 203.0.113.1 198.51.100.1
IP address of the trusted interface connected to the trusted network 10.0.1.1/24 10.50.1.1/24

Trusted network IP address

 10.0.1.0/24 10.50.1.0/24
IP address of the trusted interface connected to the leased line 192.168.100.1/30 192.168.100.2/30

Configure Dynamic Routing at the Main Office

To use the branch office VPN connection for failover, you must enable dynamic routing on the Firebox at each site. You can use any supported dynamic routing protocol (RIP v1, RIP v2, OSPF, or BGP v4). For this example, we use BGP.

To configure dynamic routing on the main office Firebox, from Fireware Web UI or Policy Manager:

  1. Select Network > Dynamic Routing.
    The Dynamic Routing Setup page appears.
  2. Select the Enable Dynamic Routing check box.
  3. Select the BGP tab.
  4. Select the Enable check box.
  5. In the BGP tab text box, paste the text of your routing daemon configuration file.

For the main office, the BGP routing daemon configuration file contains this text: 

router bgp 65535
network 10.0.1.0/24
neighbor 192.168.100.2 remote-as 65535

Configure Dynamic Routing at the Regional Office

To enable dynamic routing with BGP on the Firebox at the regional office, repeat the steps in the previous section.

For the regional office, the BGP routing daemon configuration file contains this text: 

router bgp 65535
network 10.50.1.0/24
neighbor 192.168.100.1 remote-as 65535

Configure the VPN at the Main Office

For this example we use the default Phase 1 and Phase 2 settings.

At the Main Office, Configure the VPN Gateway to the Regional Office

  1. Select VPN > Branch Office VPN.
  2. Adjacent to the Gateways list, click Add.
    The New Gateway dialog box appears.The Gateway settings page appears.
  3. In the Gateway Name text box, type a name to identify the gateway.

    For this example, type MO-RO-GWY.
  4. Select Use Pre-Shared Key. Type a shared key to use on both devices.
  5. In the Gateway Endpoints section, click Add.
    The Gateway Endpoint Settings dialog box appears

Screen shot of the Gateway Endpoint Settings dialog box, Local Gateway tab

  1. From the External Interface drop-down list, select the external interface.
  2. Select By IP Address. In the adjacent text box, type the external interface IP address for the Firebox at the main office, 203.0.113.2.
  3. Select the Remote Gateway tab.

Screen shot of the Gateway Endpoint Settings dialog box, Remote Gateway tab

  1. In the Remote Gateway section, for the remote gateway IP address, type the external interface IP address for the Firebox at the regional office, 198.51.100.2.
  2. In the Remote Gateway section, for the gateway ID, type the external interface IP address for the Firebox at the regional office, 198.51.100.2.
  3. Click OK.
    The Gateway Endpoints you added appear in the New Gateway dialog box.
  4. Click Save.
  1. Select VPN > Branch Office Gateways.
  2. Click Add.
    The New Gateway dialog box appears.The Gateway settings page appears.
  3. In the Gateway Name text box, type a name to identify the gateway.
    For this example, type MO-RO-GWY.
  4. Select Use Pre-Shared Key. Type a shared key to use on both devices.
  5. In the Gateway Endpoints section, click Add.
    The New Gateway Endpoints dialog box appears.

Screen shot of the New Gateway Endpoint Settings MO-BO-GWY dialog box

  1. In the Local Gateway section, select By IP Address.
  2. In the IP Address text box, type the external interface IP address for the Firebox at the main office, 203.0.113.2.
  3. In the Remote Gateway section, select Static IP address.
  4. In the adjacent IP Address text box, type the external interface IP address for the Firebox at the regional office, 198.51.100.2.
  5. For the gateway ID, select By IP Address. Type the external interface IP address for the Firebox at the regional office, 198.51.100.2.
  6. Click OK.
    The Gateway Endpoints you added appear in the New Gateway dialog box.
  7. Click OK.

At the Main Office, Configure the VPN Tunnel to the Regional Office

After you configure the VPN gateway on the main office Firebox, configure the VPN tunnel to the regional office.

  1. Select VPN > Branch Office VPN.
  2. In the Tunnels section, click Add.
    The New Tunnel dialog box appears.
  3. In the Tunnel Name text box, type a name for the tunnel.
  4. From the Gateway drop-down list, select the gateway you added.
    For this example, select MO-RO-GWY.
  5. Click Add.

    The Tunnel Route Settings dialog box appears.

Screen shot of the Tunnel Route Settings page

  1. In the Local IP section, from the Choose Type drop-down list, select Network IPv4.
  2. In the Network IP text box, type the IP address of the trusted network at the main office, 10.0.1.0/24.
  3. In the Remote IP section, from the Choose Type drop-down list, select Network IPv4.
  4. In the Network IP text box, type the IP address of the trusted network at the regional office, 10.50.1.0/24.
  5. Click OK.

    The tunnel route appears in the New Tunnel dialog box.
  1. Select VPN > Branch Office Tunnels.
  2. Click Add.
    The New Tunnel dialog box appears.
  3. In the Tunnel Name text box, type a name for the tunnel.
  4. From the Gateway drop-down list, select the gateway you added.
    For this example, select MO-RO-GWY.
  5. Click Add.
    The Tunnel Route Settings dialog box appears.

Screen shot of the Tunnel Route Settings dialog box

  1. In the Local text box, type the IP address of the trusted network at the main office, 10.0.1.0/24.
  2. In the Remote text box, type the IP address of the trusted network at the regional office, 10.50.1.0/24.
  3. Click OK.
    The tunnel route appears in the New Tunnel dialog box.

At the Main Office, Configure Global VPN Settings to Enable Failover

  1. Select VPN > Global  Settings.
    The Global VPN Settings dialog box appears.

Screen shot of the Global VPN Settings page

  1. Select the Enable the use of non-default (static or dynamic) routes to determine if IPSec is used check box.
  2. Click Save.
  1. Select VPN > VPN Settings.
    The VPN Settings dialog box appears.

Screen shot of the IPSec Settings section of the VPN Settings dialog box

  1. Select the Enable the use of non-default (static or dynamic) routes to determine if IPSec is used check box.
  2. Click OK.
  3. Save the configuration to the device.

Configure the VPN at the Regional Office

Configure the VPN at the regional office with settings that correspond to the settings at the main office.

At the Regional Office, Configure the VPN Gateway to the Main Office

  1. Select VPN > Branch Office VPN.
  2. In the Gateways section, click Add.
    The New Gateway dialog box appears.
  3. In the Gateway Name text box, type a name to identify the gateway.

    For this example, type RO-MO-GWY.
  4. Select Use Pre-Shared Key. Type a shared key to use on both devices.
  5. In the Gateway Endpoints section, click Add.

    The New Gateway Endpoints dialog box appears.

Screen shot of the Gateway Endpoint Settings dialog box, Local Gateway tab

  1. From the External Interface drop-down list, select the external interface.
  2. Select By IP Address.
  3. In the adjacent text box, type the external interface IP address for the Firebox at the regional office, 198.51.100.2.
  4. Select the Remote Gateway tab.

Screen shot of the Gateway Endpoint Settings dialog box, Remote Gateway tab

  1. Select Static IP Address.
  2. In the adjacent text box, type the type the external interface IP address for the Firebox at the main office, 203.0.113.2.
  3. For the gateway ID, select By IP Address.
  4. In the adjacent text box, type the external interface IP address for the Firebox at the main office, 203.0.113.2.
  5. Click OK.
    The Gateway Endpoints you added appear in the New Gateway dialog box.
  6. Click Save.
  1. Select VPN > Branch Office Gateways.
  2. Click Add.

    The New Gateway dialog box appears.
  3. In the Gateway Name text box, type a name to identify the gateway.
    For this example, type RO-MO-GWY.
  4. Select Use Pre-Shared Key. Type a shared key to use on both devices.
  5. In the Gateway Endpoints section, click Add.
    The New Gateway Endpoints dialog box appears.

Screen shot of the New Gateway Endpoints Settings RO-MO-GWY dialog box

  1. From the External Interface drop-down list, select the external interface.
  2. In the adjacent text box, type the interface IP address for the Firebox at the regional office, 198.51.100.2.
  3. In the Remote Gateway section, select Static IP Address.
  4. In the adjacent text box, type the external interface IP address for the Firebox at the main office, 203.0.113.2.
  5. For the gateway ID, type the external interface IP address for the Firebox at the main office, 203.0.113.2.
  6. Click OK.
    The Gateway Endpoints you added appear in the New Gateway dialog box.
  7. Click OK.

At the Regional Office Configure the VPN Tunnel to the Main Office

  1. Select VPN > Branch Office VPN.
  2. In the Tunnels section, click Add.
    The New Tunnel dialog box appears.
  3. In the Tunnel Name text box, type a name for the tunnel.
  4. From the Gateway drop-down list, select the gateway you added.
    For this example, select RO-MO-GWY.
  5. Click Add.

    The Tunnel Route Settings dialog box appears.

Screen shot of the Tunnel Route Settings page

  1. In the Local IP section, from the Choose Type drop-down list, select Network IPv4.
  2. In the Network IP text box, type the IP address of the trusted network at the regional office, 10.50.1.0/24.
  3. In the Remote IP section, from the Choose Type drop-down list, select Network IPv4.
  4. In the Network IP text box, type the IP address of the trusted network at the main office, 10.0.1.0/24.
  5. Click OK.

    The tunnel route appears in the New Tunnel dialog box.
  1. Select VPN > Branch Office Tunnels.
  2. Click Add.
    The New Tunnel dialog box appears.
  3. In the Tunnel Name text box, type a name for the tunnel.
  4. From the Gateway drop-down list, select the gateway you added.
    For this example, select RO-MO-GWY.
  5. Click Add.
    The Tunnel Route Settings dialog box appears.

Screen shot of the Tunnel Route Settings dialog box

  1. In the Local text box, type the IP address of the trusted network at the regional office, 10.50.1.0/24.
  2. In the Remote text box, type the IP address of the trusted network at the main office, 10.0.1.0/24.
  3. Click OK.
    The tunnel route appears in the New Tunnel dialog box.

At the Regional Office, Configure Global VPN Settings to Enable Failover

  1. Select VPN > Global  Settings.
    The Global VPN Settings dialog box appears.

Screen shot of the Global VPN Settings page

  1. Select the Enable the use of non-default (static or dynamic) routes to determine if IPSec is used check box.
  2. Click Save.
  1. Select VPN > VPN Settings.
    The VPN Settings dialog box appears.

Screen shot of the IPSec Settings section of the VPN Settings dialog box

  1. Select the Enable the use of non-default (static or dynamic) routes to determine if IPSec is used check box.
  2. Click OK.
  3. Save the configuration to the device.

For more information about how to configure BGP, go to Configure IPv4 and IPv6 Routing with BGP.

Related Topics

Configure a Branch Office VPN for Failover from a Leased Line

Use a Branch Office VPN for Failover from a Leased Line (OSPF)