Configure BOVPN Virtual Interface IP Addresses

BOVPN virtual interface IP addresses help identify and route traffic over the BOVPN. Virtual interface IP addresses are required when you use dynamic routing and are recommended for many other use cases.

We recommend you configure BOVPN virtual interface IP addresses in these cases:

  • To use BOVPN virtual interfaces with dynamic routing
  • A virtual IP address ensures traffic is sourced correctly when it is generated by the Firebox. This configuration makes sure the tunnel route uses the virtual IP addresses instead of the gateway endpoint IP addresses.
  • To make sure replies to Firebox-generated traffic use the VPN tunnel. For example, if you enter a zero-route BOVPN network resource, virtual IP addresses make sure you can continue to manage and monitor the Firebox. You must enter a /32 virtual IP address for each endpoint so that replies to Firebox-generated traffic use the VPN tunnel. Examples of Firebox-generated traffic include DNS and DHCP traffic, Dimension, syslog, SNMP, NTP, authentication (Active Directory, LDAP, and RADIUS), and other connections established by the Firebox to resources through the tunnel.
  • If you add a zero route BOVPN network resource (0.0.0.0/0), this creates a default route that sends all network traffic through the VPN tunnel. You must enter virtual IP addresses in the BOVPN configuration so that return traffic uses the VPN tunnel.
  • To add a BOVPN to an SD-WAN action, you must configure the BOVPN with /32 virtual IP addresses for both endpoints. BOVPN link monitoring is implicitly enabled when you configure /32 host IP addresses as the virtual IP address of both endpoints. A BOVPN that does not have link monitoring enabled (does not have valid /32 virtual IP addresses for both endpoints) is not available to select in an SD-WAN action.
  • To prevent Firebox IP spoofing checks from blocking BOVPN virtual interface traffic in Fireware v12.9 and higher. If you do not have BOVPN virtual interface IP addresses configured, the traffic appears to come from the public IP of the remote endpoint, and the Firebox might detect it as a spoofing attack.

In Fireware v12.9 and higher, Firebox spoofing check behavior is changed and the Firebox now drops traffic sourced from a second External interface as a spoofing attack. These spoofing checks also apply to BOVPN Virtual Interfaces. If you do not have BOVPN virtual interface IP addresses configured, the traffic appears to come from the public IP of the remote endpoint. For more information about this change in spoofing check behavior, go to the WatchGuard Knowledge Base.

For a BOVPN between two Fireboxes, virtual IP addresses define the endpoints of the GRE tunnel that encapsulates traffic through this BOVPN virtual interface.

For a BOVPN virtual interface to another Firebox, you specify two IP virtual interface IP addresses:

  • Local IP address — The IP address to use for the local end of the tunnel. It must match the Peer IP address configured on the Firebox at the other end of the tunnel.
  • Peer IP address or netmask — The IP address to use for the remote end of the tunnel. The Peer IP address must match the Local IP address configured on the Firebox at the other end of the tunnel. If it is a netmask, it must match the netmask configured on the third-party endpoint at the other end of the tunnel.

You configure these settings differently for a BOVPN between a Firebox and a third-party VPN peer. For more information, go to Virtual Interface IP Addresses for a VPN to a Third-Party Endpoint.

We recommend that you select IP addresses in a private network IP address range that is not used by any local network or by any remote network connected through a VPN. This ensures that the addresses do not conflict with any other device. In Fireware v12.4 or higher, you can specify private IPv6 address ranges. For information about private IPv4 and IPv6 address ranges, go to RFC8190.

In Fireware v12.4 or higher, you must specify an Address Family in the BOVPN virtual interface configuration. The options are IPv4 Addresses or IPv6 Addresses. When you configure virtual interface IP addresses, you must specify IP addresses that match the Address Family setting. For example, if you specified the IPv6 Address Family, you must specify IPv6 virtual interface addresses.

You can use the same local virtual interface IP address for more than one BOVPN virtual interface. This would be appropriate, for example, on the hub device in a hub/spoke VPN configuration that uses dynamic routing.

If you enable a BOVPN virtual interface for a FireCluster, make sure that the virtual interface IP address does not conflict with the cluster interface IP addresses or the cluster management IP addresses.

When you configure dynamic routing for a BOVPN virtual interface, use the virtual interface IP addresses rather than the device name.

Related Topics

About Dynamic Routing