Configure BOVPN Virtual Interface IP Addresses
If you want to use a BOVPN virtual interface in your dynamic routing configuration, you must configure virtual interface IP addresses. For a BOVPN between two Fireboxes, these addresses define the endpoints of the GRE tunnel that encapsulates traffic through this BOVPN virtual interface.
For a BOVPN virtual interface to another Firebox, you specify two virtual interface IP addresses:
- Local IP address — The IP address to use for the local end of the tunnel. It must match the Peer IP address configured on the Firebox at the other end of the tunnel.
- Peer IP address or netmask — The IP address to use for the remote end of the tunnel. The Peer IP address must match the Local IP address configured on the Firebox at the other end of the tunnel. If it is a netmask, it must match the netmask configured on the third-party endpoint at the other end of the tunnel.
You configure these settings differently for a BOVPN between a Firebox and a third-party VPN peer. For more information, see Virtual Interface IP Addresses for a VPN to a Third-Party Endpoint.
We recommend that you select IP addresses in a private network IP address range that is not used by any local network or by any remote network connected through a VPN. This ensures that the addresses do not conflict with any other device. The private network ranges are:
192.168.0.0/16
172.16.0.0/12
10.0.0.0/8
You can use the same local virtual interface IP address for more than one BOVPN virtual interface. This would be appropriate, for example, on the hub device in a hub/spoke VPN configuration that uses dynamic routing.
To use the same local virtual IP address for more than one BOVPN virtual interface, the Firebox must use Fireware XTM v11.9.3 or higher.
If you enable a BOVPN virtual interface for a FireCluster, make sure that the IP address does not conflict with the cluster interface IP addresses or the cluster management IP addresses.
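The address rules above can be checked on paper before you type values into either Firebox. This Python sketch is an added example, not WatchGuard code: the function name `check_vif_pair`, the dictionary layout, and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress

# Private ranges listed on this page.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]

def check_vif_pair(site_a, site_b, used_networks, cluster_ips=()):
    """Return a list of problems for one Firebox-to-Firebox virtual interface.

    site_a, site_b: {"local": ..., "peer": ...} as planned on each Firebox.
    used_networks:  CIDR strings for every local network and every remote
                    network connected through a VPN.
    cluster_ips:    FireCluster interface and management IP addresses.
    """
    a_local, a_peer, b_local, b_peer = (
        ipaddress.ip_address(s[k]) for s in (site_a, site_b)
        for k in ("local", "peer"))
    problems = []
    # Local on one Firebox must equal Peer on the other, in both directions.
    if a_local != b_peer:
        problems.append(f"A local {a_local} != B peer {b_peer}")
    if a_peer != b_local:
        problems.append(f"A peer {a_peer} != B local {b_local}")
    nets = [ipaddress.ip_network(n) for n in used_networks]
    cluster = {ipaddress.ip_address(c) for c in cluster_ips}
    # dict.fromkeys removes duplicates while keeping order.
    for ip in dict.fromkeys((a_local, a_peer, b_local, b_peer)):
        if not any(ip in r for r in PRIVATE_RANGES):
            problems.append(f"{ip} is outside the private ranges")
        problems += [f"{ip} is inside used network {n}" for n in nets if ip in n]
        if ip in cluster:
            problems.append(f"{ip} conflicts with a FireCluster IP address")
    return problems

# Constructed sample plan (addresses are illustrative only).
USED = ["10.0.1.0/24", "10.0.2.0/24", "192.168.50.0/24"]
HQ = {"local": "172.30.0.1", "peer": "172.30.0.2"}
BRANCH_OK = {"local": "172.30.0.2", "peer": "172.30.0.1"}
BRANCH_BAD = {"local": "10.0.2.2", "peer": "172.30.0.1"}

if __name__ == "__main__":
    for name, branch in (("ok", BRANCH_OK), ("bad", BRANCH_BAD)):
        print(name, check_vif_pair(HQ, branch, USED))
```

The check looks at one tunnel at a time, so a hub that reuses the same local virtual interface IP address for several spokes is not reported as a conflict.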
- Add or edit a BOVPN virtual interface. For more information, see Configure a BOVPN Virtual Interface.
- Select the VPN Routes tab.
- In the Interface section, select the Assign virtual interface IP addresses check box.
- In the Local IP address text box, type the IP address to use for the local end of the tunnel.
  This address must match the Peer IP address configured for this BOVPN virtual interface on the peer Firebox.
- In the Peer IP address text box, type the IP address to use for the remote end of the tunnel.
  This address must match the Local IP address for this BOVPN virtual interface on the peer Firebox.
When you configure dynamic routing for a BOVPN virtual interface, use the virtual interface IP addresses rather than the device name.