Configure a Branch Office VPN for Failover from a Leased Line

You can configure your Firebox to use the IPSec branch office VPN tunnel for failover if another route (such as a private leased line) becomes unavailable.


For VPN failover to operate correctly, the configuration must meet these requirements:

  • Each site must have a router connected to the leased line between the two sites.
  • At each site, the router that connects to the leased line must connect to a Firebox trusted or optional interface. The interface it connects to must be different than the interface used for the branch office VPN tunnel.
  • The two routers connected to the leased line must be configured to use dynamic routing (OSPF, BGP, or RIP).
  • Dynamic routing must also be enabled on the Fireboxes at both sites.
  • The Enable the use of non-default (static or dynamic) routes to determine if IPSec is used Global VPN setting must be enabled on the Fireboxes at both sites.

To use this feature for automatic failover from a leased line, you must use dynamic routing.

With this configuration, Internet traffic is handled by the Firebox based on the regular firewall policies. This configuration does not create any limitations on the use of multi-WAN in your device configuration.

Configuration Overview

The general steps to configure failover from a leased line to a branch office VPN are:

  1. Configure dynamic routing and add the associated RIP, OSPF, or BGP policy at each site to create the route over the leased line.
    For more information, see About Dynamic Routing.
  2. Configure the branch office VPN to connect the two sites.
  3. Configure Global VPN settings to enable the failover feature at each site.
    In the global VPN settings, select the Enable the use of non-default (static or dynamic) routes to determine if IPSec is used check box.

For two examples with detailed configuration steps, see:

For an example configuration file, see:

How Failover to the Branch Office VPN Operates

When you enable dynamic routing, the Firebox automatically updates the routing table based on the status of the connection. If the connection to the leased line router fails, the Firebox dynamically removes that route from the routing table. You can see the routing table on the Status Report tab in Firebox System Manager.

The Firebox at each office site sends traffic to the other office over the trusted interface connected to the private leased line, if a dynamic route to that site is present. If a dynamic route is not present in the routing table, the Firebox at each site sends traffic over the encrypted IPSec BOVPN tunnel on the external interface. When the dynamic route over the leased line is restored, the devices automatically send traffic over the private leased line again.

See Also

Manual BOVPN Configuration Examples