Configure a BOVPN Virtual Interface

When you configure a BOVPN virtual interface, you configure the BOVPN gateway settings, VPN routes, and other VPN settings. For each BOVPN virtual interface, the Device Name is automatically assigned and is not configurable. The Device Name is used to identify this interface in the Status Report in Firebox System Manager.

To use a trusted, optional, or custom interface as a local gateway endpoint for a BOVPN virtual interface, the device must use Fireware XTM v11.9.4 or higher.

To add a BOVPN Virtual Interface:

  1. Select VPN > BOVPN Virtual Interfaces.
    The list of BOVPN Virtual Interfaces appears.
  2. Click Add.
    The New BOVPN Virtual Interface dialog box appears.

Screen shot of the BOVPN Virtual Interfaces / Add page

  3. In the Interface Name text box, type a name to identify this BOVPN virtual interface.
  4. In the Credential Method section, select either Use Pre-Shared Key or Use IPSec Firebox Certificate to identify the authentication procedure this tunnel uses.

If you select Use Pre-Shared Key

Type or paste the shared key. You must use the same shared key on the remote device. This shared key must use only standard ASCII characters.

If you select Use IPSec Firebox Certificate

The table below the radio button shows current certificates on the XTM device. Select the certificate to use for the gateway.

For more information, see Certificates for Branch Office VPN (BOVPN) Tunnel Authentication.

  5. In the Gateway Endpoint section, add at least one pair of gateway endpoints. For more information, see Define Gateway Endpoints for a BOVPN Virtual Interface.
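The pre-shared key step above requires a key that uses only standard ASCII characters and is identical on both gateway devices. The Python script below is an added example and is not part of the WatchGuard documentation or product: it generates a random key from printable ASCII, flags characters that would break the ASCII rule or that commonly cause the two devices to end up with different keys (control characters, leading or trailing whitespace), and prints a short SHA-256 fingerprint so the administrators of the two endpoints can confirm they entered the same key without exchanging the key itself. The default key length, the exclusion of the space character and the fingerprint scheme are this example's own choices, not product requirements; the sample keys are constructed.

```python
import hashlib
import secrets
import string

# Printable ASCII without the space character (0x21-0x7E). The documentation
# only requires "standard ASCII"; excluding space is an assumption of this
# example, chosen so keys survive copy and paste unchanged.
PSK_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_psk(length: int = 32) -> str:
    """Return a random pre-shared key drawn from printable ASCII characters.

    The default length of 32 is an assumption for this example, not a limit
    or recommendation taken from the product documentation.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))


def validate_psk(key: str) -> list:
    """Return a list of problems with the key; an empty list means it is usable.

    Checks the documented rule (standard ASCII only) plus two mistakes that
    commonly make the key differ between the two gateway devices: control
    characters such as tabs or newlines, and leading or trailing whitespace.
    """
    problems = []
    if not key:
        problems.append("key is empty")
        return problems
    for index, char in enumerate(key):
        code = ord(char)
        if code > 0x7E:
            problems.append(
                f"non-ASCII character {char!r} (U+{code:04X}) at position {index}"
            )
        elif code < 0x20 or code == 0x7F:
            problems.append(f"control character U+{code:04X} at position {index}")
    if key != key.strip():
        problems.append("leading or trailing whitespace")
    return problems


def psk_fingerprint(key: str) -> str:
    """Return a short SHA-256 fingerprint of a valid key for out-of-band comparison.

    Each administrator computes this over the key they entered on their own
    device; matching fingerprints indicate matching keys without revealing
    the key itself. Raises ValueError if the key fails validate_psk().
    """
    problems = validate_psk(key)
    if problems:
        raise ValueError("; ".join(problems))
    return hashlib.sha256(key.encode("ascii")).hexdigest()[:16]


if __name__ == "__main__":
    # Constructed sample keys for demonstration only.
    samples = {
        "good": "Tr0ub4dor-&-3xample!",
        "non_ascii": "p\u00e4ssw0rd-with-umlaut",
        "tab": "key\twith-tab",
        "padded": " padded-key ",
    }
    for label, key in samples.items():
        print(f"{label:10} {validate_psk(key) or 'OK'}")
    new_key = generate_psk()
    print("generated:  ", new_key)
    print("fingerprint:", psk_fingerprint(new_key))
```

Run the script once to see the validation results for the constructed samples, then use generate_psk() to produce a key, paste the same key into both devices, and compare psk_fingerprint() output on both sides before bringing the tunnel up.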

The Gateway Settings tab also contains these settings:

Use Modem for failover

If you have enabled modem failover, select this check box to configure the branch office VPN to fail over to a modem if all external interfaces cannot connect. You cannot select this check box if modem failover is not enabled. For more information, see Configure VPN Modem Failover.

You cannot use a modem for failover from a BOVPN virtual interface if any local gateway endpoint uses an interface that is not an external interface.

Start Phase 1 tunnel when it is inactive

When selected, this option causes the XTM device to automatically restart the tunnel if it is not active. This check box is selected by default for XTM 2, 3, and 5 Series models. Clear this check box if you do not want the XTM device to automatically start the tunnel.

If you clear this check box, the Firebox or XTM device still automatically restarts the tunnel when it is inactive if any policy uses policy-based routing to route outbound traffic to this BOVPN virtual interface.

Add this tunnel to the BOVPN-Allow policies

When selected, this option adds the tunnel to the BOVPN-Allow.in and the BOVPN-Allow.out policies. These policies allow all traffic that matches the routes for this tunnel.

To restrict traffic through the tunnel, clear this check box and create custom policies for types of traffic that you want to allow through the tunnel.

The other tabs to configure these settings for the BOVPN virtual interface:

See Also

About BOVPN Virtual Interfaces
