BOVPN Virtual Interface Configuration Scenarios

When you configure a branch office VPN as a virtual interface, the XTM device routes a packet through the tunnel based on the outgoing interface for the packet. The BOVPN virtual interface is in the routing table, and the decision about whether to send traffic through the VPN tunnel is affected by static and dynamic routes, and by policy-based routing. This provides a lot of flexibility in how you can configure the XTM device to use a BOVPN tunnel.

Because a BOVPN virtual interface is treated as an interface in the configuration, it provides many flexible configuration and routing options. Here are three configuration scenarios that show some of the ways you can configure an XTM device to use a BOVPN virtual interface to achieve different objectives.

Metric-based VPN Failover and Failback

Diagram showing an MPLS and BOVPN connection between two sites


For two sites that are connected with an MPLS link, enable traffic to automatically failover and failback to a secondary branch office VPN connection over an IP network.

Configuration Summary

How it works

With this configuration, there are two routes between the two sites, one over the MPLS network, and another static route through the BOVPN virtual interface. When two routes are available, the final decision about which path a packet takes is based on which route has higher priority (a lower metric) than the other. Because the BOVPN virtual interface route has a high metric, the XTM device uses the primary route through the MPLS link, when it is available. If the MPLS link is not available, the primary route is either removed from the routing table, or is assigned a higher metric than the route for the secondary BOVPN virtual interface. The XTM device then uses the route for the secondary BOVPN virtual interface, because it has the lowest route metric. When the MPLS route becomes available again, the XTM device automatically fails back to use that route, because it has a lower metric.

You could use a similar configuration to enable automatic failover and failback between two BOVPN virtual interfaces. To do this, create two BOVPN virtual interfaces, with a static route for each, and set the metric for the preferred BOVPN route lower than the metric for the backup BOVPN route.

For an example of this type of configuration, see BOVPN Virtual Interface with Metric-Based Failover.

BOVPN Virtual Interface with Dynamic Routing

Diagram of a BOVPN connection between two sites, each with multiple local networks


Enable two sites to dynamically exchange information about multiple local networks through a secure VPN tunnel. This avoids the need to manually add and maintain explicitly configured routes between all the private networks at each site.

Configuration summary

How it works

The BOVPN virtual interface establishes a connection between the two sites. Each site propagates routes for the local networks, based on the dynamic routing configuration. The dynamic routing protocol enables each of the gateways to automatically learn the routes to the local networks behind the gateway at the other end of the BOVPN tunnel. Depending on which dynamic routing protocol you use, the routes are preferred either based on Interface Cost, Local Preference or both.

For an example of this type of configuration, see BOVPN Virtual Interface with Dynamic Routing.

BOVPN Virtual Interface with Policy-Based Routing

Diagram of two sites connected by two BOVPN links, one high latency, one low latency


One site (Site A) has a single external interface, and two branch office VPN gateways to another site (Site B) that has two external interfaces. The two network connections at Site B have different quality or cost. The objective is to send latency-sensitive traffic, such as VoIP through the tunnel over the network with the lowest latency, and send all other traffic, such as FTP, through the other tunnel route.

Configuration Summary

How it Works:

The two BOVPN virtual interfaces each establish a connection between the two sites. The source and destination addresses are determined by the policy, in this example the SIP policy. Although the routes are not defined in the BOVPN virtual interface settings, the SIP policy uses policy-based routing (PBR) to redirect traffic through the tunnel that has the lower latency connection. This encrypts the packets and sends the traffic through the tunnel. Note that this configuration does not provide failover to the other tunnel, since you cannot configure PBR failover from a BOVPN virtual interface to another BOVPN virtual interface.

See Also

About Data Loss Prevention

About Dynamic Routing

Configure Policy-Based Routing

Give Us Feedback  •   Get Support  •   All Product Documentation  •   Knowledge Base