Microsoft now lists WatchGuard's Firebox firewalls running Fireware 11.12 as supported for dynamic (route-based) VPN with Azure.
There are two kinds of VPN gateway in Azure:
- Static / policy-based: a single 1:1 site-to-site connection; no point-to-site or VNet-to-VNet VPN; really only good for the simplest of designs.
- Dynamic / route-based: Multiple simultaneous connections, supports all of Azure’s VPN features, and enables complicated designs.
I always prefer route-based VPNs, because they don't restrict what I can do in Azure. Until recently, though, that caused a complication for me at work. My employer distributes WatchGuard's Firebox (XTM) unified threat management firewall devices, and those devices were restricted to policy-based VPN. Good news!
- WatchGuard released Fireware 11.12 (which works on all devices) and this added route-based (aka dynamic) VPN support.
- Microsoft just listed WatchGuard’s devices as being supported by Azure for route-based VPN.
You can find WatchGuard’s instructions for configuring a route-based VPN here.
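As an added example (not from this post, from WatchGuard's instructions or from Microsoft's documentation), here is the Azure side of that design in Azure PowerShell: a route-based gateway, a local network gateway standing in for the Firebox, and an IPsec connection between them, plus a check that refuses to continue if the gateway turns out to be policy-based, since VpnType cannot be changed after creation. The resource names, address ranges, region, gateway SKU, public IP SKU and the on-premises address are assumptions; adjust them for your environment.

```powershell
# Added example: build the Azure side of a route-based (dynamic) site-to-site VPN and
# verify the gateway type before wiring up an on-premises firewall such as a WatchGuard
# Firebox. Resource names, address ranges, region, SKUs and the public IP of the on-premises
# device are assumptions. Requires the Az PowerShell module (Az.Network, Az.Resources) and
# an active Connect-AzAccount session.

$rg        = 'rg-vpn-demo'                              # assumed resource group
$location  = 'northeurope'                              # assumed region
$vnetCidr  = '10.10.0.0/16'                             # assumed VNet range
$gwCidr    = '10.10.255.0/27'                           # gateway subnet must be named GatewaySubnet
$onPremIp  = '203.0.113.10'                             # assumed Firebox external IP (documentation range)
$onPremNet = @('192.168.0.0/24', '192.168.10.0/24')     # assumed LAN(s) behind the Firebox

# Generate a strong pre-shared key instead of typing a weak one into a script.
function New-IpsecSharedKey {
    param([int]$Bytes = 32)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] $Bytes
    $rng.GetBytes($buf)
    return [Convert]::ToBase64String($buf)   # printable ASCII, within Azure's 1-128 character limit
}

# Fail loudly if the gateway is policy-based: VpnType is fixed at creation, so a
# policy-based gateway has to be deleted and recreated as route-based.
function Assert-RouteBasedGateway {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$ResourceGroupName
    )
    $gw = Get-AzVirtualNetworkGateway -Name $Name -ResourceGroupName $ResourceGroupName
    if ($gw.VpnType -ne 'RouteBased') {
        throw "Gateway $Name is $($gw.VpnType); delete it and recreate it with -VpnType RouteBased"
    }
    return $gw
}

New-AzResourceGroup -Name $rg -Location $location -Force | Out-Null

$gwSubnet = New-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix $gwCidr
$vnet = New-AzVirtualNetwork -Name 'vnet-demo' -ResourceGroupName $rg -Location $location `
    -AddressPrefix $vnetCidr -Subnet $gwSubnet

# Assumed public IP SKU; older gateway SKUs accepted a Basic/Dynamic address instead.
$pip = New-AzPublicIpAddress -Name 'pip-vpngw' -ResourceGroupName $rg -Location $location `
    -AllocationMethod Static -Sku Standard
$subnetId = (Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet).Id
$ipConfig = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipconfig' -SubnetId $subnetId `
    -PublicIpAddressId $pip.Id

# The important switch is -VpnType RouteBased. PolicyBased would give the 1:1, no-P2S,
# no-VNet-to-VNet gateway described above. Gateway creation takes a while.
New-AzVirtualNetworkGateway -Name 'vpngw-demo' -ResourceGroupName $rg -Location $location `
    -IpConfigurations $ipConfig -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1 | Out-Null

$vpnGw = Assert-RouteBasedGateway -Name 'vpngw-demo' -ResourceGroupName $rg

# The local network gateway represents the Firebox: its public IP and the prefixes behind it.
$localGw = New-AzLocalNetworkGateway -Name 'lng-firebox' -ResourceGroupName $rg -Location $location `
    -GatewayIpAddress $onPremIp -AddressPrefix $onPremNet

$psk = New-IpsecSharedKey
New-AzVirtualNetworkGatewayConnection -Name 'cxn-firebox' -ResourceGroupName $rg -Location $location `
    -VirtualNetworkGateway1 $vpnGw -LocalNetworkGateway2 $localGw -ConnectionType IPsec `
    -SharedKey $psk | Out-Null

# The PSK is not echoed here; whoever configures the Firebox can retrieve it with
# Get-AzVirtualNetworkGatewayConnectionSharedKey and should move it through a secret store.
Write-Host "Azure gateway public IP: $($pip.IpAddress)"
Write-Host "Azure-side prefixes to route over the tunnel: $vnetCidr"
(Get-AzVirtualNetworkGatewayConnection -Name 'cxn-firebox' -ResourceGroupName $rg).ConnectionStatus
```

The Firebox side then needs the gateway's public IP, the VNet prefix and the shared key, configured as a route-based tunnel per WatchGuard's instructions; until that side is up the last line reports a status other than Connected. Because a gateway's VpnType cannot be edited, run the Assert-RouteBasedGateway check against any pre-existing gateway before spending time on the firewall configuration.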
FYI, the notable devices that still don’t have route-based support are:
- Cisco ASA (!!!)
- Barracuda NextGen Firewall X-series
- Brocade Vyatta 5400 vRouter
- Citrix NetScaler MPX, SDX, VPX
I guess you can get fired for buying Cisco after all!
It looks like Cisco has added support for route-based IPsec VPNs on the latest release of the ASA platform.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa97/release/notes/asarn97.html
http://www.cisco.com/c/en/us/td/docs/security/asa/asa97/asdm77/vpn/asdm-77-vpn-config/vpn-vti.pdf
I plan to upgrade our ASA 5516 and try it out with a dynamic Azure VPN shortly.