BOVPN Virtual Interface for Dynamic Routing to Microsoft Azure
In Fireware v11.12 and higher, you can configure a BOVPN virtual interface to connect your Firebox to a Microsoft Azure virtual network, and configure dynamic routing. This configuration specifies an endpoint type that supports wildcard traffic selectors, and establishes an IPSec tunnel without the GRE tunneling protocol. Azure supports the BGP dynamic routing protocol. OSPF is not supported.
To configure dynamic routing with BGP between a Firebox and Microsoft Azure, you must understand Microsoft PowerShell, a command line tool and scripting environment.
Configuration Example
This example shows the configuration settings for a BOVPN virtual interface and dynamic routing with BGP between a Firebox and a Microsoft Azure virtual network.
Firebox Interfaces
For this example, the Firebox has one external interface and one trusted network.
Interface | Type | Name | IP Address |
---|---|---|---|
0 | External | External | 203.0.113.2/24 |
1 | Trusted | Trusted | 10.0.1.1/24 |
Azure Interfaces
For this example, the Microsoft Azure virtual network has one external virtual interface and one trusted virtual network.
Interface | Type | Name | IP Address |
---|---|---|---|
0 | External | External | 198.51.100.2/24 |
1 | Trusted | Trusted | 10.0.100.1/24 |
Firebox Configuration
For this example, the Firebox and Azure use a pre-shared key.
Because dynamic routing between your Firebox and Azure requires IKEv2, on your Firebox, you must change the Phase 1 settings from IKEv1 (the default setting) to IKEv2.
On the Gateway Settings tab of the BOVPN virtual interface configuration for the Firebox, specify these settings:
- From the Remote Endpoint Type drop-down list, select Cloud VPN or Third-Party Gateway.
- The Credential Method must include the pre-shared key the two sites agreed upon.
- The Gateway Endpoint settings are:
  - Local Gateway — 203.0.113.2 (the IP address of the external interface on the Firebox)
  - Remote Gateway — 198.51.100.2 (the IP address of the external interface on the Azure gateway)
Tip! You must use IPv4 addresses for the local and remote gateways.
On the VPN Routes tab of the BOVPN virtual interface configuration, specify these settings:
- Local IP address — 100.100.100.1. You can specify any IP address that does not conflict with an IP address that is already on your network.
- Peer IP address or netmask — 172.20.2.254. Specify the Azure virtual interface IP address, not the netmask. The Azure virtual interface IP address is defined by Azure.
On the Phase 1 Settings tab, select these settings:
- Version — IKEv2. Static VPN routes between your Firebox and Azure require IKEv2.
- Authentication — SHA2-256
- Encryption — AES (256-bit)
- Key Group — Diffie-Hellman Group 2. Azure only supports Group 2.
In Fireware v12.0 and higher, the default Key Group setting is Diffie-Hellman Group 14. You must change this setting to Diffie-Hellman Group 2.
On the Phase 2 Settings tab, select these settings:
- Perfect Forward Secrecy — No. Perfect Forward Secrecy (PFS) is not currently supported for VPN connections between Firebox devices and Azure.
- IPSec proposal — ESP-AES256-SHA256
The Azure BGP ASN and the virtual IP address (known as the bgpPeeringAddress in Azure) are defined by Azure and cannot be changed. You can use Microsoft PowerShell to see the Azure BGP ASN and bgpPeeringAddress. The Firebox BGP dynamic routing configuration has these commands:
```
!
! The local BGP ASN is 10001
!
router bgp 10001
!
! to Azure VPC
!
!
! The Azure (remote) BGP ASN is 65515 and its VIF IP (bgpPeeringAddress) is 172.20.2.254.
! These are the two parameters you must get from the Azure side.
!
neighbor 172.20.2.254 remote-as 65515
neighbor 172.20.2.254 activate
neighbor 172.20.2.254 ebgp-multihop
!
! To advertise the local networks
!
network 10.0.1.0/24
```
If you configure more than one trusted network on your Firebox, and you want Azure to learn the route to an additional trusted network, run an additional network command. For example:
```
network 10.0.1.0/24
network 10.0.2.0/24
```
Azure BOVPN Virtual Interface Configuration
On your Microsoft Azure virtual network, the gateway settings are:
- Remote gateway — 203.0.113.2 (the IP address of the external interface on the Firebox)
- Local gateway — 198.51.100.2 (the IP address of the external interface on the Azure gateway)
- BGP ASN — 10001 (the BGP ASN of the Firebox)
- Virtual IP address — 100.100.100.1 (the virtual IP address of the Firebox)
You must use Microsoft PowerShell to configure BGP settings on your Microsoft Azure virtual network. For more information about PowerShell, see the documentation provided by Microsoft.
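The PowerShell side of this example, as an added illustration that is not part of the WatchGuard or Microsoft documentation: it reads the Azure-defined ASN and bgpPeeringAddress that the Firebox BGP configuration above needs, describes the Firebox as a local network gateway with the values from this example, creates the IKEv2 IPsec connection with BGP enabled, and checks the BGP peer state. The resource group, gateway name and region are placeholders, the gateway is assumed to already exist with BGP enabled, and the final peer-status check assumes the Firebox side has already been configured.

```powershell
# Added example (not WatchGuard or Microsoft documentation code). Assumes an existing
# Azure VNet gateway with BGP enabled; values in <...> are placeholders.
$rg       = '<resource-group>'
$gwName   = '<vnet-gateway-name>'
$location = '<azure-region>'

# Firebox side of the tunnel, taken from the configuration example above.
$fireboxPublicIp = '203.0.113.2'    # Firebox external interface (Remote gateway in Azure)
$fireboxAsn      = 10001            # Firebox BGP ASN (router bgp 10001)
$fireboxPeerIp   = '100.100.100.1'  # Firebox BOVPN virtual interface Local IP address

Connect-AzAccount | Out-Null

# 1. Read the two Azure-defined values the Firebox configuration needs:
#    the Azure ASN (remote-as) and the bgpPeeringAddress (neighbor address).
$gw = Get-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg
if (-not $gw.BgpSettings -or -not $gw.BgpSettings.Asn) {
    throw "BGP is not enabled on gateway '$gwName'; enable it before continuing."
}
$azureAsn    = $gw.BgpSettings.Asn                # e.g. 65515 in the example above
$azurePeerIp = $gw.BgpSettings.BgpPeeringAddress  # e.g. 172.20.2.254 in the example above
Write-Host "Firebox config needs: neighbor $azurePeerIp remote-as $azureAsn"

# eBGP needs distinct ASNs on the two sides; fail early instead of debugging a session that never forms.
if ($fireboxAsn -eq $azureAsn) { throw "Firebox ASN must differ from the Azure ASN ($azureAsn)." }

# 2. Describe the Firebox as a local network gateway, including its BGP peer settings.
$lng = New-AzLocalNetworkGateway -Name 'firebox-lng' -ResourceGroupName $rg -Location $location `
    -GatewayIpAddress $fireboxPublicIp -Asn $fireboxAsn -BgpPeeringAddress $fireboxPeerIp

# 3. Create the IPsec connection with BGP enabled and IKEv2, as the page says dynamic
#    routing requires. The PSK is prompted for so it is not stored in the script.
$psk = Read-Host -Prompt 'Pre-shared key agreed with the Firebox'
New-AzVirtualNetworkGatewayConnection -Name 'firebox-conn' -ResourceGroupName $rg -Location $location `
    -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng -ConnectionType IPsec `
    -ConnectionProtocol IKEv2 -SharedKey $psk -EnableBgp $true | Out-Null

# 4. Once the Firebox is configured, confirm Azure sees the Firebox peer and the session
#    reaches the Established state (State column) and receives the advertised networks.
Get-AzVirtualNetworkGatewayBGPPeerStatus -VirtualNetworkGatewayName $gwName -ResourceGroupName $rg |
    Where-Object Neighbor -eq $fireboxPeerIp |
    Select-Object Neighbor, Asn, State, RoutesReceived
```

If the last command shows no row for 100.100.100.1 or a State other than Established, compare the neighbor address and remote-as in the Firebox BGP configuration with the values printed in step 1 before changing anything else.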
See Also
BOVPN Virtual Interface for Static Routing to Microsoft Azure
Virtual Interface IP Addresses for a VPN to a Third-Party Endpoint