Configure Manual BOVPN Gateways
A branch office VPN (BOVPN) gateway is a connection point for one or more tunnels. To create a tunnel, you must set up gateways on both the local and remote endpoint devices. To configure these gateways, you must specify:
- Credential method — either a pre-shared key or an IPSec Firebox certificate. For information about how to use certificates for BOVPN authentication, go to Certificates for Branch Office VPN (BOVPN) Tunnel Authentication.
- Location of the local and remote gateway endpoints, specified either by IP address or by domain name.
- Settings for Phase 1 of the Internet Key Exchange (IKE) negotiation. This phase establishes the IKE security association: the protocols and settings the gateway endpoints use to authenticate each other and to protect the data passed during the negotiation.
IPv6 BOVPN
In Fireware v12.4 or higher, you can configure a BOVPN between two IPv6 gateways. An IPv4 tunnel is not required.
Before you configure a gateway, you must enable IPv6 for the external interface that the gateway uses. When you enable IPv6 for the interface, you must configure a static IPv6 address or select the DHCPv6 client option. For more information, go to Configure IPv6 for an External Interface.
When you add a gateway, you must specify an Address Family. The options are IPv4 Addresses or IPv6 Addresses. In the gateway and tunnel settings, the IP addresses you specify must be from the same family. For example, if you specify the IPv6 Addresses family, you can only specify IPv6 addresses in the gateway and tunnel settings.
These options are not supported for IPv6 BOVPNs:
- Multicast
- Modem failover
- NAT and direction
- Broadcast routing
- Attempt to resolve domain setting
Add a Gateway
Configure the gateways for each BOVPN endpoint.
From Fireware Web UI:
- Select VPN > Branch Office VPN.
The Branch Office VPN configuration page appears.
- To add a gateway, in the Gateways section, click Add.
The Gateway settings page appears.
- In the Gateway Name text box, type a name to identify the gateway for this Firebox.
- (Fireware v12.4 or higher) From the Address Family drop-down list, select IPv4 Addresses or IPv6 Addresses.
- Select either Use Pre-Shared Key or Use IPSec Firebox Certificate to identify the authentication method for this tunnel.
Use Pre-Shared Key
(Fireware v12.5.4 or higher) Select String-Based or Hex-Based. The default setting is String-Based. For information about hex-based keys, go to Hex-Based Pre-Shared Keys.
Type or paste the shared key. You must use the same shared key on the remote device. A string-based pre-shared key must use only standard ASCII characters and can be up to 79 characters in length. A hex-based pre-shared key can contain any number of hexadecimal characters (0-9, a-f). Generate the key with a cryptographically secure random generator, use as much of the available length as the remote device accepts, and do not reuse the key for other gateways: with pre-shared key authentication, the key is the only secret that proves the identity of each endpoint.
Use IPSec Firebox Certificate
By default, the certificates list shows the certificates on the Firebox that include the IP security IKE intermediate Extended Key Usage (EKU) identifier (OID 1.3.6.1.5.5.8.2.2). You can also select a certificate that does not include an EKU identifier. To see the certificates that do not include an EKU identifier, select the Show All Certificates check box.
(Fireware v12.6.2 or higher) When you select a certificate for authentication, you can specify a CA certificate for VPN peer verification in the gateway endpoint settings.
For more information, go to Certificates for Branch Office VPN (BOVPN) Tunnel Authentication.
You can now define the gateway endpoints. For more information, go to Define Gateway Endpoints for a BOVPN Gateway.
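The pre-shared key rules in the Use Pre-Shared Key step above (and in the same step of the Policy Manager procedure) are easy to get wrong when a key is pasted between two vendors' devices. The following script is an added example, not part of the WatchGuard documentation or of Fireware: it generates string-based and hex-based keys from a CSPRNG within the stated limits, checks a candidate key against those limits, and compares the keys configured on the two gateways. The 79-character maximum and the ASCII-only and hex-only rules come from the text; the minimum lengths, the character-class check, and the exclusion of quotes, backslash, backtick and space from generated keys are this example's own assumptions, chosen so the key pastes cleanly into the Firebox UI and into most third-party peer configurations.

```python
"""Generate and sanity-check BOVPN pre-shared keys against the limits stated in
the steps above: string-based keys use standard ASCII and are at most 79
characters; hex-based keys use only hexadecimal digits. Minimum-length and
character-class rules below are this example's own policy, not a Fireware rule."""
import hmac
import secrets
import string
from typing import List

MAX_STRING_PSK_LEN = 79   # Fireware limit for string-based keys
MIN_STRING_PSK_LEN = 20   # example policy: roughly 130 bits from the alphabet below
MIN_HEX_PSK_DIGITS = 32   # example policy: 128 bits

# Printable ASCII minus space, quotes, backslash and backtick (example assumption),
# so a generated key pastes cleanly into the Firebox UI and into peer configs.
STRING_ALPHABET = "".join(
    c for c in string.ascii_letters + string.digits + string.punctuation
    if c not in "\"'\\` "
)


def generate_string_psk(length: int = MAX_STRING_PSK_LEN) -> str:
    """Draw a string-based PSK from a CSPRNG; by default use the full 79 characters."""
    if not 1 <= length <= MAX_STRING_PSK_LEN:
        raise ValueError(f"length must be between 1 and {MAX_STRING_PSK_LEN}")
    return "".join(secrets.choice(STRING_ALPHABET) for _ in range(length))


def generate_hex_psk(num_bytes: int = 32) -> str:
    """Draw a hex-based PSK of num_bytes random bytes (two hex digits per byte)."""
    if num_bytes * 2 < MIN_HEX_PSK_DIGITS:
        raise ValueError(f"use at least {MIN_HEX_PSK_DIGITS // 2} random bytes")
    return secrets.token_hex(num_bytes)


def validate_psk(psk: str, hex_based: bool = False) -> List[str]:
    """Return the problems found with psk; an empty list means it is acceptable."""
    problems: List[str] = []
    if not psk:
        return ["key is empty"]
    if hex_based:
        if any(c not in string.hexdigits for c in psk):
            problems.append("hex-based key contains non-hexadecimal characters")
        if len(psk) % 2:
            problems.append("hex-based key has an odd number of digits")
        if len(psk) < MIN_HEX_PSK_DIGITS:
            problems.append(f"hex-based key is shorter than {MIN_HEX_PSK_DIGITS} digits")
    else:
        # "standard ASCII" is read here as printable ASCII 0x20-0x7E (assumption).
        if any(not 0x20 <= ord(c) <= 0x7E for c in psk):
            problems.append("string-based key contains non-ASCII or control characters")
        if len(psk) > MAX_STRING_PSK_LEN:
            problems.append(f"string-based key exceeds {MAX_STRING_PSK_LEN} characters")
        if len(psk) < MIN_STRING_PSK_LEN:
            problems.append(f"string-based key is shorter than {MIN_STRING_PSK_LEN} characters")
        if psk.isalpha() or psk.isdigit():
            problems.append("string-based key uses a single character class")
    return problems


def psk_matches(local: str, remote: str) -> bool:
    """Compare the keys entered on the two gateways in constant time."""
    return hmac.compare_digest(local.encode("ascii", "replace"),
                               remote.encode("ascii", "replace"))


if __name__ == "__main__":
    key = generate_string_psk()
    print(key, validate_psk(key))
    hexkey = generate_hex_psk()
    print(hexkey, validate_psk(hexkey, hex_based=True))
```

Run the script once per gateway pair, paste the printed key into both devices, and keep the validator in whatever change-control step reviews VPN configuration so that a short or non-ASCII key is rejected before the tunnel is brought up.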
From Policy Manager:
- Select VPN > Branch Office Gateways.
The Gateways dialog box appears.
- To add a gateway, click Add.
The New Gateway dialog box appears.
- In the Gateway Name text box, type a name to identify the gateway for this Firebox.
- (Fireware v12.4 or higher) From the Address Family drop-down list, select IPv4 Addresses or IPv6 Addresses.
- From the New Gateway dialog box, select either Use Pre-Shared Key or Use IPSec Firebox Certificate to identify the authentication method for this tunnel.
Use Pre-Shared Key
(Fireware v12.5.4 or higher) Select String-Based or Hex-Based. The default setting is String-Based. For information about hex-based keys, go to Hex-Based Pre-Shared Keys.
Type or paste the shared key. You must use the same shared key on the remote device. A string-based pre-shared key must use only standard ASCII characters and can be up to 79 characters in length. A hex-based pre-shared key can contain any number of hexadecimal characters (0-9, a-f). Generate the key with a cryptographically secure random generator, use as much of the available length as the remote device accepts, and do not reuse the key for other gateways: with pre-shared key authentication, the key is the only secret that proves the identity of each endpoint.
Use IPSec Firebox Certificate
By default, the certificates list shows the certificates on the Firebox that include the IP security IKE intermediate Extended Key Usage (EKU) identifier (OID 1.3.6.1.5.5.8.2.2). You can also select a certificate that does not include an EKU identifier. To see the certificates that do not include an EKU identifier, select the Show All Certificates check box.
(Fireware v12.6.2 or higher) When you select a certificate for authentication, you can specify a CA certificate for VPN peer verification in the gateway endpoint settings.
For more information, go to Certificates for Branch Office VPN (BOVPN) Tunnel Authentication.
You can now define the gateway endpoints and configure Phase 1 settings. For more information, go to Define Gateway Endpoints for a BOVPN Gateway.
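When a certificate issued by an external CA does not appear in the certificates list in the Use IPSec Firebox Certificate step (in either the Web UI or the Policy Manager procedure), the usual reason is that it was issued without the IP security IKE intermediate EKU. The script below is an added example, not part of the WatchGuard documentation or of Fireware, that inspects a certificate's EKU extension and reports whether it would be listed by default, only under Show All Certificates, or carries some other EKU (the page does not say how that last case is listed). It uses the `cryptography` package (pip install cryptography); the self-signed test certificate it builds, its subject name, and the classification labels are constructed for the demonstration.

```python
"""Classify certificates the way the Firebox gateway certificate list does:
certificates with the IP security IKE intermediate EKU (OID 1.3.6.1.5.5.8.2.2)
are listed by default, and certificates with no EKU extension appear only when
Show All Certificates is selected. Requires the `cryptography` package."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

IKE_INTERMEDIATE = x509.ObjectIdentifier("1.3.6.1.5.5.8.2.2")  # the EKU the list filters on
IPSEC_IKE = x509.ObjectIdentifier("1.3.6.1.5.5.7.3.17")         # RFC 4945 id-kp-ipsecIKE: a different OID


def eku_oids(cert: x509.Certificate):
    """Return the EKU OIDs as dotted strings, or None if the certificate has no EKU extension."""
    try:
        ext = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage)
    except x509.ExtensionNotFound:
        return None
    return [oid.dotted_string for oid in ext.value]


def classify_for_bovpn(cert: x509.Certificate) -> str:
    """'ike-intermediate': listed by default; 'no-eku': visible only with Show All
    Certificates; 'other-eku': has an EKU extension without the IKE intermediate value
    (the page does not state how Fireware lists this case)."""
    oids = eku_oids(cert)
    if oids is None:
        return "no-eku"
    if IKE_INTERMEDIATE.dotted_string in oids:
        return "ike-intermediate"
    return "other-eku"


def classify_pem(pem: bytes) -> str:
    """Same check starting from a PEM file exported from the issuing CA."""
    return classify_for_bovpn(x509.load_pem_x509_certificate(pem))


def make_test_cert(ekus):
    """Constructed self-signed certificate for the demonstration, not a real Firebox cert.
    ekus is a list of ObjectIdentifier values, or None to omit the EKU extension."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "bovpn-gw.example.invalid")])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=365))
    )
    if ekus is not None:
        builder = builder.add_extension(x509.ExtendedKeyUsage(ekus), critical=False)
    return builder.sign(key, hashes.SHA256())


def cert_to_pem(cert: x509.Certificate) -> bytes:
    """PEM-encode a certificate, as a CA or the Firebox would export it."""
    return cert.public_bytes(serialization.Encoding.PEM)


if __name__ == "__main__":
    for label, ekus in (("IKE intermediate", [IKE_INTERMEDIATE]),
                        ("no EKU", None),
                        ("id-kp-ipsecIKE only", [IPSEC_IKE])):
        print(f"{label:22s} -> {classify_for_bovpn(make_test_cert(ekus))}")
```

Note the two OIDs are not interchangeable: 1.3.6.1.5.5.7.3.17 is the RFC 4945 IPsec IKE purpose, while the Firebox list filters on 1.3.6.1.5.5.8.2.2. When you request a certificate from an enterprise CA for a BOVPN gateway, ask for the latter in the template, or you will need Show All Certificates and a certificate with no EKU at all.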
Run the BOVPN Gateway Configuration Report
After you add a gateway, you can run a report to see a summary of all gateway settings. This report can be useful if you need to troubleshoot the VPN. It can also make it easier to compare the configured settings with the settings of the remote VPN endpoint device.
To run the report from Fireware Web UI or Policy Manager:
- In the Gateways dialog box, select a configured gateway.
- Click Report.
- To add details about tunnels that use this gateway, select the Show Tunnel Details check box.
For more information about this report, go to Use the BOVPN Configuration Reports.