Multicast Routing Through a BOVPN Tunnel
In this example we configure the BOVPN tunnel to enable multicast routing from a device at Site A to the trusted network at Site B. The multicast sender determines the multicast group IP address to send to. Listener applications can then join the multicast group to receive traffic sent to that multicast group IP address.
For the example, we assume the BOVPN tunnel between the two devices has already been configured.
For information about how to configure the tunnel in Policy Manager, go to Set up a VPN Between Two Fireware Devices (WSM).
For more information about helper IP addresses, go to Enable Multicast Routing Through a Branch Office VPN Tunnel.
Example Settings
These settings correspond to the settings shown in the screen shots used throughout this example.
SITE A (Firebox with Fireware 11.x or higher)
Trusted network IP address: 10.0.50.0/24
Existing tunnel: Tunnel_to_SiteB
Existing tunnel route: 10.0.50.0/24 <==> 192.168.100.0/24
SITE B (Firebox with Fireware 11.x or higher)
Trusted network IP address: 192.168.100.0/24
Existing tunnel: Tunnel_to_SiteA
Existing tunnel route: 192.168.100.0/24 <==> 10.0.50.0/24
Multicast device at Site A
Multicast device network IP address: 10.0.50.3
Multicast group IP address: 232.43.211.234
Configure Multicast Routing for the BOVPN Tunnel at Site A
Enable and configure multicast routing for the BOVPN tunnel at Site A.
- Select VPN > Branch Office VPN.
- Select Tunnel_to_SiteB. Click Edit.
  The Edit Tunnel dialog box appears.
- Select the Multicast Settings tab.
- Select the Enable multicast routing over the tunnel check box.
- In the Origination IP text box, type the IP address of the originator of the traffic.
  For this example, type 10.0.50.3.
- In the Group IP text box, type the multicast IP address to receive the traffic.
  For this example, type 232.43.211.234.
- Select Enable device to send multicast traffic.
- From the Input Interface drop-down list, select the interface from which the multicast traffic originates.
  For this example, the input interface is set to 1 (Trusted).
- Select the Addresses tab.
  The Helper Addresses settings appear at the bottom of the Addresses tab.
- In the Helper Addresses section, type IP addresses for each end of the multicast tunnel. Use any two unused IP addresses, one for the local network and one for the remote network. You can set Local IP and Remote IP to any unused IP addresses. We recommend you use private IP addresses that are not used on any local network or on any remote network the Firebox connects to.
  For this example:
  - Set the Local IP in the Site A configuration to 172.16.0.1.
  - Set the Remote IP in the Site A tunnel configuration to 172.16.0.2.
- Save the configuration to the Firebox.

- Select VPN > Branch Office Tunnels.
  The Branch Office IPSec Tunnels dialog box appears.
- Select Tunnel_to_SiteB. Click Edit.
  The Edit Tunnel dialog box appears.
- Select the Multicast Settings tab.
- Select the Enable multicast routing over the tunnel check box.
- In the Origination IP text box, type the IP address of the originator of the traffic.
  For this example, type 10.0.50.3.
- In the Group IP text box, type the multicast IP address to receive the traffic.
  For this example, type 232.43.211.234.
- Select Enable device to send multicast traffic.
- From the Input Interface drop-down list, select the interface from which the multicast traffic originates.
  For this example, the input interface is set to 1 (Trusted).
- Select the Addresses tab.
  The Helper Addresses settings appear at the bottom of the Addresses tab.
- Click the tunnel route to select it. In the Helper Addresses section, type IP addresses for each end of the multicast tunnel. Use any two unused IP addresses, one for the local network and one for the remote network. You can set Local IP and Remote IP to any unused IP addresses. We recommend you use private IP addresses that are not used on any local network or on any remote network the Firebox connects to.
  For this example:
  - Set the Local IP in the Site A configuration to 172.16.0.1.
  - Set the Remote IP in the Site A tunnel configuration to 172.16.0.2.
- Save the configuration to the Firebox.
If you enable broadcast or multicast routing in more than one BOVPN tunnel, make sure that you use a different pair of helper IP addresses for each tunnel.
Configure Multicast Routing for the BOVPN Tunnel at Site B
Enable and configure multicast routing for the BOVPN tunnel at Site B.
- Select VPN > Branch Office VPN.
- Select Tunnel_to_SiteA. Click Edit.
  The Edit Tunnel dialog box appears.
- Select the Multicast Settings tab.
- Select the Enable multicast routing over the tunnel check box.
- In the Origination IP field, type the IP address of the originator of the traffic.
  For this example, type 10.0.50.3.
- In the Group IP text box, type the multicast IP address to receive the traffic.
  For this example, type 232.43.211.234.
- Select Enable device to receive multicast traffic.
- In the Output Interface list, select each interface to receive the multicast traffic.
  For this example, select the check box for 1 (Trusted).
- Select the Addresses tab.
  The Helper Addresses settings appear at the bottom of the Addresses tab.
- In the Helper Addresses section, type IP addresses for each end of the multicast tunnel. These must be the same addresses you entered for the tunnel configuration in Site A, except that the order is reversed.
  For this example:
  - Set the Local IP to 172.16.0.2.
  - Set the Remote IP to 172.16.0.1.
- Save the configuration to the Firebox.

- Select VPN > Branch Office Tunnels.
  The Branch Office IPSec Tunnels dialog box appears.
- Select Tunnel_to_SiteA. Click Edit.
  The Edit Tunnel dialog box appears.
- Select the Multicast Settings tab.
- Select the Enable multicast routing over the tunnel check box.
- In the Origination IP field, type the IP address of the originator of the traffic.
  For this example, type 10.0.50.3.
- In the Group IP text box, type the multicast IP address to receive the traffic.
  For this example, type 232.43.211.234.
- Select Enable device to receive multicast traffic.
- In the Output Interface list, select each interface to receive the multicast traffic.
  For this example, select the check box for 1 (Trusted).
- Select the Addresses tab.
  The Helper Addresses settings appear at the bottom of the Addresses tab.
- Click the tunnel route to select it. In the Helper Addresses section, type IP addresses for each end of the multicast tunnel. These must be the same addresses you entered for the tunnel configuration in Site A, except that the order is reversed.
  For this example:
  - Set the Local IP to 172.16.0.2.
  - Set the Remote IP to 172.16.0.1.
- Save the configuration to the Firebox.
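
The helper-address rules above (private and unused, reversed at the other site, a different pair for each tunnel) can be checked before the configuration is saved. This is an added example, not WatchGuard code: the dictionary layout and function names are hypothetical, the values are the example settings from this page, and "unused" is checked only against the tunnel route networks listed in each dictionary.

```python
import ipaddress as ip

# Constructed from this page's example settings; the dict layout is hypothetical.
SITE_A = {"tunnel": "Tunnel_to_SiteB", "local_net": "10.0.50.0/24",
          "remote_net": "192.168.100.0/24", "origination_ip": "10.0.50.3",
          "group_ip": "232.43.211.234",
          "helper_local": "172.16.0.1", "helper_remote": "172.16.0.2"}
SITE_B = {"tunnel": "Tunnel_to_SiteA", "local_net": "192.168.100.0/24",
          "remote_net": "10.0.50.0/24", "origination_ip": "10.0.50.3",
          "group_ip": "232.43.211.234",
          "helper_local": "172.16.0.2", "helper_remote": "172.16.0.1"}

def check_site(cfg):
    """Return a list of problems with one end's multicast settings."""
    problems = []
    nets = [ip.ip_network(cfg["local_net"]), ip.ip_network(cfg["remote_net"])]
    if not ip.ip_address(cfg["group_ip"]).is_multicast:
        problems.append("group IP is not a multicast address")
    for key in ("helper_local", "helper_remote"):
        addr = ip.ip_address(cfg[key])
        if not addr.is_private:
            problems.append(f"{key} {addr} is not a private address")
        if any(addr in net for net in nets):
            problems.append(f"{key} {addr} falls inside a tunnel route network")
    if cfg["helper_local"] == cfg["helper_remote"]:
        problems.append("helper addresses must differ")
    return problems

def check_pair(sender, receiver):
    """Check both ends of one tunnel against each other."""
    problems = check_site(sender) + check_site(receiver)
    if (sender["helper_local"], sender["helper_remote"]) != \
            (receiver["helper_remote"], receiver["helper_local"]):
        problems.append("helper addresses are not mirrored between sites")
    for key in ("origination_ip", "group_ip"):
        if sender[key] != receiver[key]:
            problems.append(f"{key} differs between sites")
    # Assumption: the sender sits in the sending site's tunnel route network,
    # as it does in this page's example.
    if ip.ip_address(sender["origination_ip"]) not in ip.ip_network(sender["local_net"]):
        problems.append("origination IP is not in the sender's local network")
    return problems

def reused_helper_pairs(tunnels):
    """Return (first, second) tunnel names that share one helper pair."""
    seen, dupes = {}, []
    for t in tunnels:
        pair = frozenset((t["helper_local"], t["helper_remote"]))
        if pair in seen:
            dupes.append((seen[pair], t["tunnel"]))
        seen.setdefault(pair, t["tunnel"])
    return dupes
```
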