BOVPN Virtual Interface for Static Routing to Microsoft Azure
In Fireware v11.12 and higher, you can configure a BOVPN virtual interface to connect your Firebox to a Microsoft Azure virtual network. This configuration uses an endpoint type that supports wildcard traffic selectors, and establishes an IPSec tunnel without the GRE tunneling protocol.
You can configure static or dynamic routing to Microsoft Azure. For information about dynamic routing to Azure, see BOVPN Virtual Interface for Dynamic Routing to Microsoft Azure.
Example Scenario
This example shows the configuration settings for a BOVPN virtual interface and static routing between a Firebox at Site A, and a Microsoft Azure virtual network at Site B. For detailed instructions, see Configure a route-based VPN connection to a Microsoft Azure virtual network (Fireware v11.12 and higher) in the WatchGuard Knowledge Base.
Site A Firebox
For this example, the Firebox at Site A has one external interface and one trusted network.
Interface | Type | Name | IP Address |
---|---|---|---|
0 | External | External | 203.0.113.2/24 |
1 | Trusted | Trusted | 10.0.1.1/24 |
Site B (Microsoft Azure)
For this example, the Microsoft Azure virtual network at Site B has one external virtual interface and one trusted virtual network.
Interface | Type | Name | IP Address |
---|---|---|---|
0 | External | External | 198.51.100.2/24 |
1 | Trusted | Trusted | 10.0.100.1/24 |
Site A BOVPN Virtual Interface Configuration
The Gateway Settings tab of the BOVPN virtual interface configuration uses these settings:
- In Fireware v11.12 or higher, a Remote Endpoint Type drop-down list appears that contains two choices: Firebox, and Cloud VPN or Third-Party Gateway. For this example, select the Cloud VPN or Third-Party Gateway endpoint type, which supports wildcard traffic selectors and does not use GRE.
- The Credential Method uses the pre-shared key the two sites agreed upon.
- The Gateway Endpoint settings are:
  - Local Gateway: 203.0.113.2 (the IP address of the external interface on the Site A Firebox)
  - Remote Gateway: 198.51.100.2 (the IP address of the external interface on the Site B Azure gateway)
The VPN Routes tab of the BOVPN virtual interface configuration uses these settings:
- Route to: 10.0.100.0/24
On the Phase 1 Settings tab, select these settings:
- Version — IKEv2. Static VPN routes between your Firebox and Azure require IKEv2.
- Authentication — SHA2-256
- Encryption — AES (256-bit)
- Key Group — Diffie-Hellman Group 2. Azure only supports Group 2.
In Fireware v12.0 and higher, the default Key Group setting is Diffie-Hellman Group 14. You must change this setting to Diffie-Hellman Group 2.
On the Phase 2 Settings tab, select these settings:
- Perfect Forward Secrecy — No. Perfect Forward Secrecy (PFS) is not currently supported for VPN connections between Firebox devices and Azure.
- IPSec proposal — ESP-AES256-SHA256
Site B BOVPN Virtual Interface Configuration
On your Microsoft Azure virtual network, the gateway settings are:
- Remote gateway: 203.0.113.2 (the IP address of the external interface on the Firebox at Site A)
- Local gateway: 198.51.100.2 (the IP address of the external interface on the Azure gateway at Site B)
- VPN route: 10.0.1.0/24 (the trusted network behind the Firebox at Site A)
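The two configurations above are mirror images of each other: each side's Local Gateway is the other side's Remote Gateway, and each side's VPN route is the other side's trusted network. The script below is an added example (not WatchGuard code and not a Fireware API) that models both endpoints with the values from this scenario and checks the pair against the requirements stated on this page: mirrored gateways, routes that cover the peer's trusted networks, IKEv2, Diffie-Hellman Group 2, PFS off, and matching Phase 1 and Phase 2 proposals. The `VpnEndpoint` model and the `variant` helper are assumptions for the example; the `variant` call in the usage section reproduces the Fireware v12.0 default of DH Group 14 to show that the check catches it.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class VpnEndpoint:
    """One side of the BOVPN virtual interface (hypothetical model, not a Fireware API)."""
    name: str
    local_gateway: str            # this side's external IP address
    remote_gateway: str           # the peer's external IP address
    trusted_interfaces: tuple     # local interfaces behind this side, as "addr/prefix"
    vpn_routes: tuple             # remote networks routed into the tunnel, as CIDR strings
    ike_version: str = "IKEv2"
    dh_group: int = 2
    pfs: bool = False
    phase1_auth: str = "SHA2-256"
    phase1_enc: str = "AES-256"
    phase2_proposal: str = "ESP-AES256-SHA256"

    def trusted_networks(self):
        # 10.0.1.1/24 (interface address) -> 10.0.1.0/24 (the network the peer must route)
        return [ipaddress.ip_interface(i).network for i in self.trusted_interfaces]


def covered(net, routes):
    """True if one of the configured VPN routes contains the given network."""
    return any(net.subnet_of(ipaddress.ip_network(r)) for r in routes)


def check_endpoint_pair(a, b):
    """Return a list of problems; an empty list means the pair is consistent with the
    requirements on this page (mirrored gateways and routes, IKEv2, DH Group 2, PFS off,
    matching Phase 1 / Phase 2 proposals)."""
    problems = []
    # Gateway endpoints must mirror each other.
    if a.local_gateway != b.remote_gateway:
        problems.append(f"{b.name}: remote gateway {b.remote_gateway} is not "
                        f"{a.name} local gateway {a.local_gateway}")
    if b.local_gateway != a.remote_gateway:
        problems.append(f"{a.name}: remote gateway {a.remote_gateway} is not "
                        f"{b.name} local gateway {b.local_gateway}")
    # Each side's VPN routes must cover the other side's trusted networks.
    for this, peer in ((a, b), (b, a)):
        for net in peer.trusted_networks():
            if not covered(net, this.vpn_routes):
                problems.append(f"{this.name}: no VPN route covers {peer.name} network {net}")
    # Azure-specific constraints stated on the page.
    for ep in (a, b):
        if ep.ike_version != "IKEv2":
            problems.append(f"{ep.name}: static routes to Azure require IKEv2, got {ep.ike_version}")
        if ep.dh_group != 2:
            problems.append(f"{ep.name}: Azure only supports Diffie-Hellman Group 2, got Group {ep.dh_group}")
        if ep.pfs:
            problems.append(f"{ep.name}: PFS is not supported for Firebox-to-Azure tunnels")
    # Phase 1 / Phase 2 proposals must match on both sides.
    for attr in ("phase1_auth", "phase1_enc", "phase2_proposal"):
        if getattr(a, attr) != getattr(b, attr):
            problems.append(f"{attr} mismatch: {a.name}={getattr(a, attr)} "
                            f"{b.name}={getattr(b, attr)}")
    return problems


def example_sites():
    """Site A (Firebox) and Site B (Azure) exactly as given in the example scenario."""
    site_a = VpnEndpoint(
        name="Site A Firebox",
        local_gateway="203.0.113.2",
        remote_gateway="198.51.100.2",
        trusted_interfaces=("10.0.1.1/24",),
        vpn_routes=("10.0.100.0/24",),
    )
    site_b = VpnEndpoint(
        name="Site B Azure",
        local_gateway="198.51.100.2",
        remote_gateway="203.0.113.2",
        trusted_interfaces=("10.0.100.1/24",),
        vpn_routes=("10.0.1.0/24",),
    )
    return site_a, site_b


def variant(endpoint, **changes):
    """Copy of an endpoint with some fields changed (helper for what-if checks)."""
    return replace(endpoint, **changes)


if __name__ == "__main__":
    a, b = example_sites()
    print("baseline:", check_endpoint_pair(a, b) or "OK")
    # Fireware v12.0 and higher defaults to DH Group 14; the check flags it.
    print("v12.0 default key group:", check_endpoint_pair(variant(a, dh_group=14), b))
```

Running the script prints `OK` for the scenario as documented and one problem for the Group 14 variant, which is the mismatch the note under Phase 1 Settings warns about.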
See Also
BOVPN Virtual Interface for Dynamic Routing to Microsoft Azure
Configure a BOVPN Virtual Interface