Applies To: Cloud-managed Fireboxes
To configure a BOVPN between two cloud-managed Fireboxes in the same WatchGuard Cloud account, you create a shared BOVPN configuration. When you add or update a BOVPN between two cloud-managed Fireboxes, the BOVPN configuration settings automatically deploy for both Fireboxes to download.
To configure a BOVPN between cloud-managed Fireboxes that are not in the same WatchGuard Cloud account, you must configure the BOVPN separately for each Firebox. For more information, see Configure a BOVPN to a Locally-Managed Firebox or Third-Party VPN Endpoint.
When you add a BOVPN between two cloud-managed Fireboxes, you configure:
- VPN Gateways — The external networks the two devices use to connect
- Network Resources — The networks that can send and receive traffic through the tunnel
- Virtual IP Address — (optional) Required if you want to add the BOVPN to an SD-WAN action or configure a zero-route BOVPN
All VPN security settings are configured with the same settings automatically so that the devices can establish a connection.
BOVPNs and Routing
In the BOVPN configuration, you specify what network resources are accessible through the BOVPN tunnel. The resources you select for one endpoint become static routes on the other endpoint, with the BOVPN as the gateway. The metric you specify for each resource appears in the routing table. The Firebox uses the routing table to determine whether to send traffic through the BOVPN tunnel.
You cannot specify network resources for both endpoints in the same subnet. This means you cannot route traffic through a BOVPN tunnel between private networks that use the same IP address range.
For a VPN between a Firebox and a locally-managed or third-party VPN endpoint:
- The network resources you specify for the remote endpoint specify what traffic the Firebox routes through the tunnel. These become static routes on the cloud-managed Firebox, with the BOVPN as the gateway.
- The network resources you specify for the Firebox are the resources that you want the remote endpoint to route through the VPN tunnel to the Firebox. The resources you specify here do not limit what traffic the Firebox accepts through the VPN tunnel. For the Firebox to receive VPN traffic to these resources, the remote endpoint must be configured to route traffic to these IP addresses through the tunnel.
Virtual IP Addresses
A virtual IP address is an IP address that is not tied to a physical interface. For a BOVPN in WatchGuard Cloud, which is a BOVPN virtual interface, a virtual IP address functions as the gateway (next hop). The virtual IP address is used for Firebox-initiated traffic and response traffic sent directly to the BOVPN virtual interface.
You must configure a virtual IP address in these cases:
Before you can add a BOVPN to an SD-WAN action, you must configure the BOVPN with /32 virtual IP addresses for both endpoints. BOVPN link monitoring is implicitly enabled when you configure /32 host IP addresses as the virtual IP address of both endpoints. A BOVPN that does not have link monitoring enabled (does not have valid /32 virtual IP addresses for both endpoints) is not available to select in an SD-WAN action.
For more information about SD-WAN, see Configure SD-WAN.
If you add a zero route BOVPN network resource (0.0.0.0/0), this creates a default route that sends all network traffic (including the traffic to WatchGuard Cloud) through the VPN tunnel. For a cloud-managed Firebox, you must specify virtual IP addresses in the BOVPN configuration so that return traffic uses the VPN tunnel.
If you add a zero route BOVPN network resource, and the remote VPN endpoint cannot route traffic from the cloud-managed Firebox to WatchGuard Cloud, you lose the ability to manage or monitor the Firebox.
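The routing and virtual IP rules above can be checked before a deployment goes out. The following is an added example, not WatchGuard code: a small Python model in which each endpoint's selected network resources become static routes on the other endpoint (with the BOVPN as gateway and the configured metric), plus the checks the page describes: no overlapping resources between endpoints, a zero route (0.0.0.0/0) requires virtual IP addresses on both endpoints, and SD-WAN eligibility requires /32 virtual IPs. The Endpoint and BovpnConfig classes, the endpoint names, the addresses, and the decision to exempt the zero route from the overlap check are illustrative assumptions.

```python
"""Added example (not WatchGuard code): model of the BOVPN routing rules so the
resulting routing-table behaviour can be checked before a change is deployed.
Classes, names and addresses are illustrative assumptions."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

Route = Tuple[str, int, str]  # (network in CIDR form, metric, gateway)


@dataclass
class Endpoint:
    name: str
    # Network resources selected for this endpoint -> metric (default is 1).
    resources: Dict[str, int] = field(default_factory=dict)
    virtual_ip: Optional[str] = None  # for example "10.255.0.1/32"


@dataclass
class BovpnConfig:
    name: str
    a: Endpoint
    b: Endpoint


def _nets(ep: Endpoint):
    return [(ip_network(r), m) for r, m in ep.resources.items()]


def is_zero_route(net) -> bool:
    return net.prefixlen == 0


def validate(cfg: BovpnConfig) -> List[str]:
    """Return the configuration problems described on the page (empty if none)."""
    problems: List[str] = []
    nets_a = [n for n, _ in _nets(cfg.a)]
    nets_b = [n for n, _ in _nets(cfg.b)]
    # Resources on the two endpoints may not share address space.  A zero route
    # covers every address, so it is excluded from this check (assumption).
    for na in nets_a:
        for nb in nets_b:
            if not (is_zero_route(na) or is_zero_route(nb)) and na.overlaps(nb):
                problems.append(f"{cfg.a.name} {na} overlaps {cfg.b.name} {nb}")
    # A zero-route resource needs virtual IPs so that return traffic uses the tunnel.
    if any(is_zero_route(n) for n in nets_a + nets_b) and not (cfg.a.virtual_ip and cfg.b.virtual_ip):
        problems.append("zero-route BOVPN requires a virtual IP address on both endpoints")
    # Recommendation from the page: the virtual IP should not be inside a routed resource.
    for ep in (cfg.a, cfg.b):
        if ep.virtual_ip:
            vip = ip_network(ep.virtual_ip, strict=False)
            for n in nets_a + nets_b:
                if not is_zero_route(n) and vip.overlaps(n):
                    problems.append(f"{ep.name} virtual IP {vip} lies inside routed resource {n}")
    return problems


def sdwan_eligible(cfg: BovpnConfig) -> bool:
    """Link monitoring is implicit only when both virtual IPs are /32 host addresses."""
    def host(vip: Optional[str]) -> bool:
        return vip is not None and ip_network(vip, strict=False).prefixlen == 32
    return host(cfg.a.virtual_ip) and host(cfg.b.virtual_ip)


def static_routes(cfg: BovpnConfig, local: Endpoint) -> List[Route]:
    """Routes installed on `local`: the other endpoint's resources, with the BOVPN
    as gateway and the metric configured for each resource."""
    remote = cfg.b if local is cfg.a else cfg.a
    return [(str(n), m, f"bovpn:{cfg.name}") for n, m in _nets(remote)]


def next_hop(cfg: BovpnConfig, local: Endpoint, dst: str,
             other_routes: Optional[List[Route]] = None) -> Optional[str]:
    """Longest-prefix match (lower metric wins a tie) over the BOVPN routes plus
    any other static routes on the device.  None means the tunnel is not used
    and no other route matched."""
    ip = ip_address(dst)
    table = static_routes(cfg, local) + list(other_routes or [])
    matches = [(ip_network(n), m, gw) for n, m, gw in table if ip in ip_network(n)]
    if not matches:
        return None
    _net, _metric, gw = max(matches, key=lambda r: (r[0].prefixlen, -r[1]))
    return gw


if __name__ == "__main__":
    hq = Endpoint("hq", {"10.1.0.0/16": 1}, virtual_ip="10.255.0.1/32")
    branch = Endpoint("branch", {"192.168.50.0/24": 1}, virtual_ip="10.255.0.2/32")
    cfg = BovpnConfig("hq-branch", hq, branch)
    print(validate(cfg), sdwan_eligible(cfg))
    print(next_hop(cfg, branch, "10.1.20.5"), next_hop(cfg, branch, "8.8.8.8"))
    # Zero route: everything leaving the branch, including management traffic
    # to WatchGuard Cloud, now matches the tunnel route.
    hq_all = Endpoint("hq", {"0.0.0.0/0": 1, "10.1.0.0/16": 1}, virtual_ip="10.255.0.1/32")
    zero = BovpnConfig("hq-branch-zero", hq_all, branch)
    print(validate(zero), next_hop(zero, branch, "203.0.113.10"))
```

The `next_hop` lookup illustrates the consequence of a zero route: once 0.0.0.0/0 is a resource for the remote endpoint, every destination that has no more specific route, including WatchGuard Cloud, resolves to the tunnel, which is why the remote endpoint must be able to forward that management traffic.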
BOVPNs and Automatic Deployment
When you add, edit, or remove a BOVPN, WatchGuard Cloud automatically creates a new deployment for both Fireboxes to download. For each Firebox, the automatic deployment contains updated BOVPN settings. To make sure that the automatic deployment contains only BOVPN configuration changes, you cannot save BOVPN changes if either device has other undeployed configuration changes.
Before you add, edit, or remove a BOVPN for two Fireboxes in the same account, make sure that neither Firebox has undeployed changes.
Add a BOVPN Between Cloud-Managed Fireboxes in the Same Account
You can add a BOVPN from the BOVPN page for a specific Firebox, or you can add it from the VPNs page, which is a shared configuration page. For more information, see Manage BOVPNs for Cloud-Managed Fireboxes.
To add a BOVPN, from WatchGuard Cloud:
- To open the BOVPN page, use one of these methods:
  - To manage BOVPNs for all Fireboxes in the currently selected account, select Configure > VPNs.
  - To manage BOVPNs for a specific Firebox, on the Device Configuration page, click the Branch Office VPN tile.
  - From either page, click the Branch Office VPN tile.
The BOVPN page shows currently configured BOVPNs.
- Click Add BOVPN.
The Add BOVPN page opens.
- In the Name text box, type a name for this BOVPN.
- From the Address Family drop-down list, select IPv4 Addresses or IPv6 Addresses.
If you select IPv6 Addresses, the other BOVPN endpoint must be configured to support IPv6.
- Select the option to connect to a WatchGuard cloud-managed Firebox.
With this option, both Endpoint A and Endpoint B sections contain a list of Fireboxes.
- In the Endpoint A section, select a cloud-managed Firebox in your account.
If you added the BOVPN from a Device Configuration page, the Endpoint A list contains only one Firebox.
- In the Endpoint B section, select another cloud-managed Firebox in this account.
The Endpoint B list shows all cloud-managed Fireboxes in the same account.
- Click Next.
The VPN Gateways page shows a list of external networks on each Firebox.
- For each endpoint, select at least one external network the endpoints use to connect.
- For each network you select, specify the IP address or a domain name that resolves to the Firebox external network IP address.
- If you select more than one network for an endpoint, the Order determines which network is primary. To change the network order, click the move handle for a network and drag it higher or lower in the list.
- Click Next.
The Traffic settings page shows the internal and guest networks configured on each device.
- For each endpoint, select internal or guest networks that can send and receive traffic through this tunnel.
- To specify a network resource other than internal or guest networks:
  - Click Add Network Resource.
  - In the Network Resource text box, type the network IP address and netmask.
  - In the Metric text box, you can edit the metric. The default is 1.
  - Click Add.
The network resource is added to the Traffic settings for the endpoint.
- (Optional) For each endpoint, in the Virtual IP Address text box, type an IP address.
We recommend you specify an IP address in a private network IP address range that is not used for routing on either endpoint.
Before you can add this BOVPN to an SD-WAN action, you must specify virtual IP addresses with a /32 netmask. If you configure a zero-route BOVPN, you must specify virtual IP addresses so that return traffic uses the VPN tunnel.
- Click Save.
The BOVPN changes are deployed automatically for both Fireboxes to download. The BOVPN deployment is added to the Deployment History for both Fireboxes.
Edit or Delete a BOVPN
You can edit or delete a BOVPN from the BOVPN page. For information, see Manage BOVPNs for Cloud-Managed Fireboxes.