Define Gateway Endpoints for a BOVPN Virtual Interface
Gateway endpoints are the local and remote gateways that a BOVPN connects. The gateway endpoint settings specify how your Firebox identifies and communicates with the remote endpoint device when it negotiates the BOVPN, and how the Firebox identifies itself to that remote endpoint. You must configure at least one gateway endpoint pair when you add a BOVPN virtual interface.
You can configure multiple gateway endpoints for VPN failover. For more information, see Configure VPN Failover.
In Fireware v11.12.2 and higher, you can specify different pre-shared keys for each gateway endpoint of a virtual interface. For an example of a configuration with different pre-shared keys, see BOVPN Virtual Interface for Static Routing to Amazon Web Services (AWS).
Local Gateway
In the Local Gateway settings, you configure the gateway ID and the interface the BOVPN connects to on your Firebox. You can configure a BOVPN virtual interface to use any internal or external interface as the local gateway.
Do not use a secondary interface IP address as a gateway endpoint.
For the gateway ID, if the interface has a static IP address, select By IP Address. If you have a domain name that resolves to the IP address the BOVPN connects to on your Firebox, select By Domain Information.
- Select VPN > BOVPN Virtual Interface.
- Click Add.
- In the Gateway Endpoint section, click Add.
The New Gateway Endpoints Settings dialog box appears.
- Select the device physical or logical interface that has the IP address or domain you specify as the gateway ID. Tip: To use a trusted, optional, or custom interface as a local gateway endpoint for a BOVPN virtual interface, the Firebox must use Fireware v11.9.4 or higher.
- To select a physical or wireless interface, from the Physical drop-down list, select a configured physical or wireless interface.
- To select a VLAN, Bridge, Link Aggregation or PPPoE interface:
- Select Other.
- Click Select.
The Select the interface for the local gateway dialog box appears.
- From the list of interfaces, select the interface.
- To filter the interface list, from the Zone and Name drop-down lists, select an option.
Or, type an interface name in the Name text box.
- Select an option and specify the gateway ID:
- By IP address — Type the IP address of the Firebox interface. Do not specify a secondary interface IP address as the gateway ID.
- By Domain Name — Type your domain name.
- By User ID on Domain — Type the user name and domain in the UserName@DomainName format.
- By x500 Name — Type the x500 name.
- Select VPN > BOVPN Virtual Interfaces.
The New BOVPN Virtual Interface dialog box appears.
- In the Gateway Endpoints section, click Add.
The New Gateway Endpoints Settings dialog box appears.
- Select the device physical or logical interface that has the IP address or domain you specify as the gateway ID. Tip: To use a trusted, optional, or custom interface as a local gateway endpoint for a BOVPN virtual interface, the Firebox must use Fireware v11.9.4 or higher.
- To select a physical or wireless interface, from the Physical drop-down list, select a configured physical or wireless interface.
- To select a VLAN, Bridge, Link Aggregation or PPPoE interface:
- Select Other.
- Click Select.
The Configure Local Interface for Gateway Endpoint dialog box appears.
- From the list of interfaces, select the interface.
- To filter the interface list, from the Zone and Name drop-down lists, select an option.
Or, type an interface name in the Name text box.
- Select an option and specify the gateway ID:
- By IP address — Type or select the IP address of the Firebox interface. Do not specify a secondary interface IP address as the gateway ID.
- By Domain Information — Click Configure and select the domain configuration method:
- By Domain Name — Type your domain name and click OK.
- By User ID on Domain — Type the user name and domain in the UserName@DomainName format and click OK.
Remote Gateway
You can configure the gateway IP address and gateway ID for the remote endpoint device that the BOVPN connects to. The gateway IP address can be either a static IP address or a dynamic IP address. The gateway ID can be By Domain Name, By User ID on Domain, or By x500 Name. The administrator of the remote gateway device selects which gateway ID type that device uses, so the ID type and value you enter here must match the identity the remote device presents when it negotiates the BOVPN.
If the remote VPN endpoint gets an external IP address from DHCP or PPPoE, set the ID type of the remote gateway to Domain Name, and set the peer name to the fully qualified domain name of the remote VPN endpoint. The Firebox resolves that domain name through DNS to find the VPN endpoint, so make sure the DNS server the Firebox uses can resolve the name.
- In the Gateway Endpoint Settings dialog box, select the Remote Gateway tab.
- Select the remote gateway IP address type:
- Static IP address — Select this option if the remote device has a static IP address. Type or select the IP address.
- Dynamic IP address — Select this option if the remote device has a dynamic IP address.
- Select an option and specify the remote gateway ID:
- By IP address — Type the IP address.
- By Domain Name — Type the domain name.
- By User ID on Domain — Type the user ID and domain.
- By x500 Name — Type the x500 name.
- If the domain name of the remote endpoint can be resolved, select the Attempt to resolve domain check box.
When this option is selected, the device automatically does a DNS query to find the IP address associated with the domain name for the remote endpoint. Connections do not proceed until the domain name can be resolved. Select this check box for configurations that depend on a dynamic DNS server to maintain a mapping between a dynamic IP address and a domain name.
- Click OK.
The gateway pair you defined appears in the list of gateway endpoints.
- To configure Phase 1 settings for this gateway, follow the steps in Configure IPSec VPN Phase 1 Settings.
- Select the remote gateway IP address type:
- Static IP address — Select this option if the remote device has a static IP address. Type or select the IP address.
- Dynamic IP address — Select this option if the remote device has a dynamic IP address.
- Select an option and specify the gateway ID:
- By IP address — Type the IP address or select it from the drop-down list.
- By Domain Information
- Click Configure and select the method of domain configuration: Domain Name, User ID @ Domain, or X500 Name.
- Type the name, user ID and domain, or x500 name.
- If the domain name of the remote endpoint can be resolved, select the Attempt to resolve check box.
When this option is selected, the device automatically does a DNS query to find the IP address associated with the domain name for the remote endpoint. Connections do not proceed until the domain name can be resolved. Select this check box for configurations that depend on a dynamic DNS server to maintain a mapping between a dynamic IP address and a domain name.
- Click OK.
- Click OK to close the New Gateway Endpoints Settings dialog box.
The gateway pair you defined appears in the list of gateway endpoints.
- To use Phase 1 settings other than the default values, follow the steps in Configure IPSec VPN Phase 1 Settings. Otherwise, click OK.
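The local and remote gateway rules above (no secondary interface IP address as the gateway ID, a Domain Name ID with a fully qualified domain name for a remote endpoint on DHCP or PPPoE, and no negotiation until Attempt to resolve domain succeeds) are easy to get wrong in the dialog and only show up later as a tunnel that never comes up. The following Python preflight check is an added example, not Fireware's own code or anything WatchGuard ships: it models one gateway endpoint pair, reports which of those rules it breaks, and shows which address the Firebox would contact for the peer. The field names, the mapping from the UI's gateway ID options to standard IKE identification types, the stub DNS resolver and the sample addresses are all assumptions constructed for the example.

```python
"""Preflight check for a BOVPN virtual interface gateway endpoint pair.

Added example, not Fireware's own logic. It encodes the rules stated on this
page so a planned endpoint pair can be checked before it is committed.
Field names, the IKE ID-type mapping and all sample data are assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

# Gateway ID option in the Firebox UI -> standard IKE identification type
# (assumed mapping; the page itself does not name the IKE types).
IKE_ID_TYPE = {
    "ip": "ID_IPV4_ADDR",
    "domain_name": "ID_FQDN",
    "user_id_on_domain": "ID_RFC822_ADDR",
    "x500_name": "ID_DER_ASN1_DN",
}
FQDN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
Resolver = Callable[[str], Optional[str]]  # FQDN -> IPv4 string, or None

@dataclass
class LocalGateway:
    interface: str          # physical, VLAN, bridge, link aggregation or PPPoE
    primary_ips: List[str]  # primary IPv4 address(es) of that interface
    secondary_ips: List[str]
    id_type: str            # key of IKE_ID_TYPE
    id_value: str

@dataclass
class RemoteGateway:
    address_type: str       # "static" or "dynamic"
    address: Optional[str]  # peer IP, needed only when static
    id_type: str
    id_value: str
    attempt_to_resolve: bool = False

def _is_ip(text: Optional[str]) -> bool:
    try:
        ipaddress.ip_address(text or "")
        return True
    except ValueError:
        return False

def validate_local(local: LocalGateway) -> List[str]:
    if local.id_type not in IKE_ID_TYPE:
        return [f"unknown local gateway ID type {local.id_type!r}"]
    if local.id_type == "ip":
        # The page forbids a secondary interface IP address as the gateway ID.
        if local.id_value in local.secondary_ips:
            return [f"{local.id_value} is a secondary IP address of {local.interface}; "
                    "do not use a secondary address as the gateway ID"]
        if local.id_value not in local.primary_ips:
            return [f"{local.id_value} is not an address of interface {local.interface}"]
    elif local.id_type == "domain_name" and not FQDN_RE.match(local.id_value):
        return [f"{local.id_value!r} is not a fully qualified domain name"]
    return []

def validate_remote(remote: RemoteGateway, resolve: Resolver) -> List[str]:
    problems: List[str] = []
    if remote.id_type not in IKE_ID_TYPE:
        return [f"unknown remote gateway ID type {remote.id_type!r}"]
    if remote.address_type == "static":
        if not _is_ip(remote.address):
            problems.append("a static remote gateway needs a valid IP address")
    elif remote.address_type == "dynamic":
        # A DHCP/PPPoE peer has no fixed address to match on, so the Firebox
        # must identify it by FQDN and find it through DNS.
        if remote.id_type != "domain_name":
            problems.append("a dynamic remote gateway must use the Domain Name ID type")
    else:
        problems.append(f"unknown remote address type {remote.address_type!r}")
    if remote.id_type == "domain_name" and not FQDN_RE.match(remote.id_value):
        problems.append(f"{remote.id_value!r} is not a fully qualified domain name")
    if remote.attempt_to_resolve:
        if remote.id_type != "domain_name":
            problems.append("'Attempt to resolve domain' applies only to a Domain Name ID")
        elif resolve(remote.id_value) is None:
            problems.append(f"DNS cannot resolve {remote.id_value}; "
                            "the tunnel will not negotiate until it can")
    return problems

def validate_endpoint_pair(local: LocalGateway, remote: RemoteGateway,
                           resolve: Resolver) -> List[str]:
    return validate_local(local) + validate_remote(remote, resolve)

def peer_address(remote: RemoteGateway, resolve: Resolver) -> Optional[str]:
    """Address the Firebox would contact, or None if it must wait for the
    peer to initiate (dynamic address that is not, or cannot be, resolved)."""
    if remote.address_type == "static":
        return remote.address
    if remote.attempt_to_resolve and remote.id_type == "domain_name":
        return resolve(remote.id_value)
    return None

# Constructed sample data (RFC 5737 documentation addresses), not real hosts.
CONSTRUCTED_DNS = {"branch-fw.example.net": "198.51.100.7"}
stub_resolver: Resolver = CONSTRUCTED_DNS.get
GOOD_LOCAL = LocalGateway("eth0", ["203.0.113.10"], ["203.0.113.11"], "ip", "203.0.113.10")
BAD_LOCAL = LocalGateway("eth0", ["203.0.113.10"], ["203.0.113.11"], "ip", "203.0.113.11")
GOOD_REMOTE = RemoteGateway("dynamic", None, "domain_name", "branch-fw.example.net", True)
BAD_REMOTE = RemoteGateway("dynamic", None, "ip", "198.51.100.7")

if __name__ == "__main__":
    for label, loc, rem in [("good", GOOD_LOCAL, GOOD_REMOTE), ("bad", BAD_LOCAL, BAD_REMOTE)]:
        print(label, validate_endpoint_pair(loc, rem, stub_resolver) or "ok",
              "peer:", peer_address(rem, stub_resolver))
```

The resolver is injected so the check runs offline against the constructed table; in practice you would pass a function that queries the DNS server the Firebox itself uses, since that is the server whose answer decides whether negotiation proceeds. The good pair passes and resolves the peer to 198.51.100.7; the bad pair is rejected for using a secondary interface address locally and an IP-address ID for a dynamic peer, and yields no peer address to contact.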