BOVPN - Gateway and Tunnel vs Virtual Interface - Which one to use and when?
I attended a Watchguard training course, and was told to always use Gateway and Tunnel instead of Virtual Interface when setting up a BOVPN.
Since then I have been searching documentation to find pros and cons of either method.
I can't find is any documentation to suggest one is better than the other, or to suggest using one method in favour of the other in any particular set of circumstances.
Anyone here prefer one method over another for any reason, or can suggest I use one method instead of another?
I have a mixture of remote sites, some use Watchguard , and some use third party devices.
Thank you.
0
Sign In to comment.
Comments
Gateway/Tunnel is more compatible. You can set up an IKEv1 tunnel to just about anything with that. They also give you more control over what routes are built (Source and destination network vice just destination route.)
BOVPN Virtual Interfaces (or BOVPN VIFs for short) are a little more flexible, but require the device be on up to date firmware (older pre-XTM fireboxes don't support them) and some of the smaller/older XTM devices will struggle to send traffic over them quickly. It's also generally easier to use dynamic routing via Virtual Interfaces.
Which one you connect to is going to be a function of what the device/service on the opposite end supports. They effectively do the same thing, and on modern hardware (the devices that are being sold now) there isn't any appreciable performance impact between the two of them.
-James Carson
WatchGuard Customer Support
Thank you for your answer.
We have a mixture of Watchguard and third party devices, all of which seem to work well with the virtual interface method.
I can remember one WatchGuard training session where it was actually the other way around (always use a Virtual Interface where possible).
The reasoning for that came down to being able to use them for SD-WAN actions/failover (eg. failover of a VPN tunnel).
I'm not sure if this is totally correct, but if you have a large number of tunnel routes in your gateway/tunnel VPN configurations, licensing can play a part too for the number of concurrent active tunnels, whereas for a BOVPN virtual interface, each interface is a single tunnel route, regardless of how many VPN routes use it.
(https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/mvpn/general/vpn_licensing_c.html)
I noticed this as I was setting up a VPN tunnel on a FireboxV MED which has a 600 BOVPN tunnel limit on the license - turns out with all the routes I'd configured for the setup I was dealing with it actually got close to the 600 tunnel route limit if I had used the gateway/tunnel option, whereas a single BOVPN virtual interface handled this after talking to the remote network admin.
Gateway/Tunnel = policy based tunnel
BOVPN Virtual Interfaces = routed based tunnel
A variation would be, for example. the other side cannot use a routed based tunnel = Sophos UTM