Configure VPN Routes
For a BOVPN virtual interface, the Firebox uses the routing table to determine whether to send traffic through the VPN tunnel. For a BOVPN virtual interface, you do not explicitly configure the local and remote addresses for each tunnel route. Instead, for each BOVPN virtual interface, you can configure static routes that use this BOVPN virtual interface as a gateway. For each route, you specify a destination and a metric. Static routes that you add to this list also appear in the static routes list for the device.
6in4 Routes
If you have internal IPv6 networks and external IPv4 networks, you can send traffic between the internal IPv6 networks with 6in4 tunnel routes. You must configure an IPv4 BOVPN virtual interface gateway endpoint and IPv6 tunnel routes. The tunnel routes are 6in4 routes, which means traffic is routed through a GRE tunnel within the IPv4 IPSec tunnel.
6in6 Routes
In Fireware v12.4 or higher, if you have internal IPv6 networks and external IPv6 networks, you can send traffic between the internal IPv6 networks with 6in6 tunnel routes. You must configure an IPv6 BOVPN virtual interface gateway endpoint and IPv6 tunnel routes. The tunnel routes are 6in6 routes, which means traffic is routed through an IPv6 IPSec tunnel. You can use 6in6 routes only if the internal and external networks are IPv6. If you have an internal IPv6 network and an external IPv4 network, you must configure 6in4 routes.
In Fireware v12.3.1 or lower, IPv6 is not supported for BOVPN virtual interface gateway endpoints. 6in6 tunnel routes are not supported.
4in6 tunnels are not supported. This means you cannot configure a BOVPN virtual interface tunnel to send traffic between IPv4 internal networks if you have IPv6 external networks.
In Fireware Web UI, the static and dynamic routes for a BOVPN virtual interface appear in the route table. To see the routes, select System Status > Routes.
In Firebox System Manager, VPN routes you add appear in the IPv4 Routes or IPv6 Routes sections of the Status Report. Static and dynamic BOVPN virtual interface routes also appear in Firebox System Manager and WatchGuard System Manager. In the FSM Front Panel tab, when you expand the BOVPN virtual interface, the routes for that interface appear in the Route to section.
By default, the Firebox does not remove the static routes from the route table if the VPN is down. You can change this setting in the global VPN settings. For more information, go to About Global VPN Settings.
Add VPN Routes
Before you can add VPN routes, you must add or edit a BOVPN virtual interface. For more information, go to Configure a BOVPN Virtual Interface.
In Fireware v12.9 or higher, the Distance setting replaces the Metric setting. If you configured a static route in previous Fireware versions, metric values automatically convert to distance values when you upgrade. A metric value less than 1 converts to a distance value of 1. A metric value greater than 255 converts to a distance value of 255.
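The following is an added illustration, not Firebox code, of how the route table behaviour described on this page plays out: longest-prefix match first, then the lowest distance value, routes through a down tunnel kept unless the global "remove routes" setting is enabled, 6in4 routes allowed while 4in6 routes are rejected, and the metric-to-distance conversion applied on upgrade. The interface names, the sample routes and the `GATEWAYS` table are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample: BOVPN virtual interfaces and the IP family of each gateway endpoint.
GATEWAYS = {"bovpn-vif-a": 4, "bovpn-vif-b": 4, "bovpn-vif-v6": 6}

@dataclass
class VpnRoute:
    route_to: str    # host address or network in slash notation
    gateway: str     # BOVPN virtual interface used as the gateway for this route
    distance: int    # lower distance wins among routes with the same prefix length

def metric_to_distance(metric: int) -> int:
    """Upgrade conversion to a v12.9 distance: below 1 becomes 1, above 255 becomes 255."""
    return max(1, min(255, metric))

def add_route(routes: list, route: VpnRoute) -> VpnRoute:
    """Check the tunnel route against the gateway family: 6in4 and 6in6 are allowed, 4in6 is not."""
    net = ipaddress.ip_network(route.route_to, strict=False)
    if net.version == 4 and GATEWAYS[route.gateway] == 6:
        raise ValueError("4in6 tunnels are not supported: IPv4 route via IPv6 gateway endpoint")
    routes.append(route)
    return route

def select_route(routes, dst, vpn_up, remove_when_down=False):
    """Return the gateway for dst: longest prefix first, then lowest distance.
    Routes through a down tunnel stay in the table unless remove_when_down
    models the global VPN setting that removes them."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        net = ipaddress.ip_network(r.route_to, strict=False)
        if net.version != dst_ip.version or dst_ip not in net:
            continue
        if remove_when_down and not vpn_up.get(r.gateway, False):
            continue
        key = (net.prefixlen, -r.distance)
        if best is None or key > best[0]:
            best = (key, r)
    return best[1].gateway if best else None

def demo():
    routes = []
    add_route(routes, VpnRoute("10.0.0.0/16", "bovpn-vif-b", 1))
    add_route(routes, VpnRoute("10.0.2.0/24", "bovpn-vif-a", 1))
    add_route(routes, VpnRoute("10.0.2.0/24", "bovpn-vif-b", 5))      # backup path, higher distance
    add_route(routes, VpnRoute("2001:db8:2::/48", "bovpn-vif-a", 1))  # 6in4 route over an IPv4 gateway
    up = {"bovpn-vif-a": True, "bovpn-vif-b": True}
    a_down = {**up, "bovpn-vif-a": False}
    return {"primary": select_route(routes, "10.0.2.7", up),                 # bovpn-vif-a
            "default_down": select_route(routes, "10.0.2.7", a_down),        # still bovpn-vif-a
            "removed_down": select_route(routes, "10.0.2.7", a_down, True),  # bovpn-vif-b
            "v6": select_route(routes, "2001:db8:2::10", up)}                # bovpn-vif-a
```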
- Edit the BOVPN virtual interface.
- Select the VPN Routes tab.
- Click Add.
The VPN Route Settings dialog box appears.
- From the Choose Type drop-down list, select an option:
- Host IPv4 — Select this option if only one IPv4 host is behind the router or you want traffic to go to only one host.
- Network IPv4 — Select this option if you have a full IPv4 network behind a router on your local network.
- Host IPv6 — Select this option if only one IPv6 host is behind the router or you want traffic to go to only one host.
- Network IPv6 — Select this option if you have a full IPv6 network behind a router on your local network.
- In the Route To text box, type the network address or host address. If you type a network address, use slash notation.
For more information about slash notation, go to About Slash Notation.
- In the Distance text box, type or select a value between 1 and 254 for the route. Routes with lower distance values have higher priority. In Fireware v12.9 or higher, the Distance setting replaces the Metric setting.
- Click OK.
The route is added to the BOVPN virtual interface configuration.
- Edit the BOVPN virtual interface.
- Select the VPN Routes tab.
- Click Add.
The Add Route dialog box appears.
- From the Choose Type drop-down list, select an option:
- Host IPv4 — Select this option if only one IPv4 host is behind the router or you want traffic to go to only one host.
- Network IPv4 — Select this option if you have a full IPv4 network behind a router on your local network.
- Host IPv6 — Select this option if only one IPv6 host is behind the router or you want traffic to go to only one host.
- Network IPv6 — Select this option if you have a full IPv6 network behind a router on your local network.
- In the Route To text box, type the network address or host address. If you type a network address, use slash notation.
For more information about slash notation, go to About Slash Notation.
- In the Metric or Distance text box, type or select a distance value between 1 and 255 for the route. Routes with lower distance values have higher priority. In Fireware v12.9 or higher, the Distance setting replaces the Metric setting.
- Click OK.
The route is added to the BOVPN virtual interface configuration.
On the VPN Routes tab, you can also add BOVPN virtual interface IP addresses.
BOVPN virtual interface IP addresses help identify and route traffic over the BOVPN. Virtual interface IP addresses are required when you use dynamic routing with the virtual interface and are recommended for many other use cases, such as correctly routing Firebox-generated traffic through the VPN.
For more information, go to Configure BOVPN Virtual Interface IP Addresses.