BOVPN Virtual Interface for Static Routing to Amazon Web Services (AWS)

You can configure a VPN connection between your Firebox and Amazon Web Services (AWS). For example, you might configure a VPN so that hosts on your local network can securely connect to resources on your Amazon Virtual Private Cloud (VPC).

For VPN connections to AWS, we recommend that you configure a BOVPN virtual interface on the Firebox instead of a BOVPN. You can use static or dynamic routing.

In this example, we show a VPN configuration with:

  • Static routing
  • One Firebox external physical interface
  • One Firebox BOVPN virtual interface with two gateway endpoints
  • One AWS gateway with two IP addresses for failover

AWS Configuration

An AWS VPN configuration includes one virtual private gateway with two external IP addresses for redundancy. AWS automatically determines which IP address is the primary IP address.

Failover between the external IP addresses is enabled by default. If the primary AWS external IP address is unavailable, VPN traffic automatically fails over to the other AWS external IP address.

For detailed instructions about how to configure the AWS VPN settings, go to the Amazon Virtual Private Cloud User Guide.

Before You Configure the Firebox

Before you configure the Firebox, download the configuration file from your AWS account:

  1. Log in to the AWS Management Console at
  2. Click to expand All Services.
  3. In the Networking & Content Delivery section, click VPC.
  4. From the navigation menu, in the Virtual Private Network section, click Site-to-Site VPN Connections.
  5. Click the connection name.
  6. Click Download Configuration.
  7. From the Vendor drop-down list, select WatchGuard, Inc.
  8. From the Software drop-down list, select Fireware OS 11.12.2 +.
  9. Click Download.
    A .txt file downloads to your desktop.
  10. Open the .txt file in a text editor.

The .txt configuration file contains the pre-shared keys, gateway IP addresses for AWS Tunnel 1 and Tunnel 2, and routes to the trusted (private) network of your AWS VPC.

You can also find the IP addresses in your AWS configuration:

  • For the gateway IP addresses, select Virtual Private Network > Site-to-Site VPN Connections > [name].
  • For the routes, select Virtual Private Cloud > Subnets or Virtual Private Cloud > Route Tables.

For this example, the AWS configuration uses these IP addresses:

  • Customer Gateway Address203.0.113.2 (external interface on the Firebox )
  • VPN Connections:
    • Tunnel 1 — (first IP address of the AWS virtual private gateway)
    • Tunnel 2192.0.2.2 (second IP address of the AWS virtual private gateway)
  • Static Route10.0.1.0/24 (trusted network of the Firebox)

Configure the Firebox

For this example, the Firebox has one external interface and one trusted network:

Interface Type Name IP Address
0 External External
1 Trusted Trusted

Add a BOVPN Virtual Interface

To configure a redundant gateway that uses both AWS external IP addresses, you must configure one BOVPN virtual interface that includes two gateway endpoints. Make sure to specify different pre-shared keys for each gateway endpoint on your Firebox.

Configure the VPN Routes

Next, add a route to the trusted (private) network of your AWS VPC.

Configure the Phase 1 and Phase 2 Settings

Finally, you must configure the Phase 1 and Phase 2 settings.

During VPN negotiations, AWS identifies the authentication and encryption algorithm settings from the Firebox. If AWS supports the settings, AWS automatically uses the same settings. AWS supports specific proposals. You cannot edit the AWS configuration to specify different proposals.

Related Topics

BOVPN Virtual Interface for Dynamic Routing to Amazon Web Services (AWS)