If you want to use the BOVPN virtual interface in your dynamic routing configuration, you must assign virtual interface IP addresses to the local and peer XTM devices. These addresses are used as the endpoints of the GRE tunnel that encapsulates traffic for this BOVPN virtual interface. There are two IP addresses you configure:
On each Firebox or XTM device, the Local IP address for the BOVPN virtual interface must match the Peer IP address configured for the BOVPN virtual interface on the Firebox or XTM device at the other end of the tunnel.
We recommend that you select IP addresses in a private network IP address range that is not used by any local network or by any remote network connected through a VPN. This ensures that the addresses do not conflict with any other device. The private network ranges are:
You can use the same local virtual interface IP address for more than one BOVPN virtual interface. This would be appropriate, for example, on the hub device in a hub/spoke VPN configuration that uses dynamic routing.
To use the same local virtual IP address for more than one BOVPN virtual interface, the device must use Fireware XTM v11.9.3 or higher.
If you enable a BOVPN virtual interface for a FireCluster, make sure that the IP address does not conflict with the cluster interface IP addresses or the cluster management IP addresses.
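One way to check a planned set of virtual interface addresses against the rules above before you enter them on the devices. This is an added example, not WatchGuard code: the function name, the plan layout and the sample addresses are constructed, and the private ranges are assumed to be the RFC 1918 ranges.

```python
import ipaddress

# RFC 1918 private ranges (assumed to be the ranges the text refers to).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_plan(tunnels, used_networks, cluster_ips=()):
    """Return a list of problems in a BOVPN virtual interface address plan.

    tunnels: {tunnel_name: {device_name: (local_ip, peer_ip)}}, two devices each.
    used_networks: CIDRs of every local network and every network reached by VPN.
    cluster_ips: FireCluster interface and management addresses.
    """
    used = [ipaddress.ip_network(n) for n in used_networks]
    cluster = {ipaddress.ip_address(a) for a in cluster_ips}
    problems = []
    for name, ends in tunnels.items():
        (dev_a, (a_local, a_peer)), (dev_b, (b_local, b_peer)) = ends.items()
        # The Local IP on each device must equal the Peer IP on the other device.
        if a_local != b_peer:
            problems.append(f"{name}: {dev_a} local {a_local} != {dev_b} peer {b_peer}")
        if b_local != a_peer:
            problems.append(f"{name}: {dev_b} local {b_local} != {dev_a} peer {a_peer}")
        for dev, local in ((dev_a, a_local), (dev_b, b_local)):
            ip = ipaddress.ip_address(local)
            if not any(ip in net for net in RFC1918):
                problems.append(f"{name}: {dev} local {ip} is not in a private range")
            for net in used:
                if ip in net:
                    problems.append(f"{name}: {dev} local {ip} is inside used network {net}")
            if ip in cluster:
                problems.append(f"{name}: {dev} local {ip} conflicts with a FireCluster address")
    return problems


# Constructed sample plan: a hub that reuses 10.255.0.1 for both spokes.
SAMPLE_TUNNELS = {
    "hub-spoke1": {"hub": ("10.255.0.1", "10.255.0.2"),
                   "spoke1": ("10.255.0.2", "10.255.0.1")},
    "hub-spoke2": {"hub": ("10.255.0.1", "10.255.0.3"),
                   "spoke2": ("10.255.0.3", "10.255.0.1")},
}
SAMPLE_USED = ["10.0.1.0/24", "10.0.2.0/24", "192.168.50.0/24"]

if __name__ == "__main__":
    for problem in check_plan(SAMPLE_TUNNELS, SAMPLE_USED) or ["plan is consistent"]:
        print(problem)
```

The sample plan passes because reusing one local address on the hub is allowed; a mismatch between one side's Local IP and the other side's Peer IP, or an address that falls inside a routed network, is reported per tunnel.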
To assign virtual interface IP addresses:
When you configure dynamic routing for a BOVPN virtual interface, use the virtual interface IP addresses rather than the device name.