Solved

SonicWall IPSec tunnels to multiple AWS VPCs

Posted on 2015-01-15
Last Modified: 2015-02-03
We need to create IPSec tunnels to multiple AWS VPCs using a single SonicWall NSA 4600 connected to the internet via a single ISP.
Is this scenario doable at all?

Thanks
Question by:Vasilax50
5 Comments
LVL 65

Assisted Solution

by:btan
btan earned 1002 total points
ID: 40553510
I would think it is possible if this use case fits your requirements; see this paper, which runs through the SonicOS configuration for multiple Amazon VPCs:

"To connect a firewall to your AWS VPC, a matching VPN policy must be configured on the Dell SonicWALL Security Appliance. A tunnel interface is created by configuring a VPN policy of type Tunnel Interface on a physical interface from the firewall to the remote AWS gateway."

In particular, for dynamic routing:

"VPC requires a customer gateway to configure 2 route based VPN tunnels for each instance of dynamic route based VPNs at VPC. So there needs to be 2 tunnel interface VPNs and 2 tunnel interfaces, each with its own BGP configuration."

http://www.sonicwall.com/downloads/Configuring_SonicOS_for_Amazon_VPC_Technote.pdf
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 40553826
What OS are they running? Do you have a reason not to use an L2TP client connection?
Author Comment

by:Vasilax50
ID: 40554070
@btan,
This is the standard AWS VPN procedure to have 2 redundant tunnels to the same VPC; in our case we need to connect to multiple VPCs using one NSA.

@Aaron Tomosky
L2TP connections are not supported by AWS VPC; we are trying to create site-to-site VPN tunnels, not client-to-server ...

Thanks
LVL 39

Assisted Solution

by:Aaron Tomosky
Aaron Tomosky earned 498 total points
ID: 40554191
Sorry, I thought it was a single virtual instance, not a private network. As to the general question (can you set up multiple IPsec site-to-site tunnels on a SonicWall NSA?), I can tell you the answer is yes. I have TZ and NSA models both set up with 5+ site-to-site tunnels to other SonicWalls as well as Palo Alto, Cisco, etc. However, I've never used Amazon VPC, so I can't really comment on that side of the setup.

The trick with multiple tunnels is to make address objects for your remote networks and bind the VPN to those objects.
LVL 65

Accepted Solution

by:btan
btan earned 1002 total points
ID: 40554699
Since VPC now supports static IPsec VPN connections, and the NSA can do site-to-site (in our case to each VPC as a site, per se), it may be possible via VRF as below, though not something I have tried before.

"AWS recommends using VRFs when connecting a single customer gateway to multiple Amazon VPCs because the VPN connection creation logic is designed to ensure unique tunnel IP addresses for each connection within a single VPC, but not necessarily across multiple VPCs.

When implementing multiple VPC connections from a single customer gateway without VRFs, customers must be aware that VPC does not guarantee unique tunnel and Border Gateway Protocol (BGP) peer IP addresses. As a result, it is possible that these addresses automatically generated for one VPC may be duplicated when creating connections to another VPC."

https://aws.amazon.com/articles/5458758371599914

Sidenote (though not really in this use case): AWS states that access to your VPC resources is limited to a single AWS account, and that multiple VPN gateways per VPC are yet to be supported. So for this case of multiple VPCs, each will need a single gateway (one for each VPC), I suppose. Also, Virtual Private Gateways cannot be used to establish a direct connection between VPCs.

Just for info, this discussion on routing may still be the redundant tunnel case: https://forums.aws.amazon.com/thread.jspa?messageID=534498
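The collision the accepted solution quotes from AWS (tunnel inside addresses, and therefore BGP peer addresses, being reused across VPN connections to different VPCs when they all terminate on one customer gateway) is easy to check before touching the firewall. The script below is an added example, not code from this thread, from AWS or from SonicWall. It takes a list of VPN connections with two tunnels each (the two route-based tunnels per VPC that btan's first answer describes), reports any /30 inside CIDR that is used by more than one tunnel, and greedily groups the connections into the minimum number of routing tables (VRFs) in which no inside CIDR repeats; a single group means no VRF is needed. The sample data, the field names (`vpn_connection_id`, `vpc_id`, `tunnels`, `outside_ip`, `inside_cidr`) and the convention that the first usable host of the /30 is the AWS side are all assumptions made for the example; verify them against the configuration file AWS generates for your own connections.

```python
"""Check AWS-generated VPN tunnel parameters for cross-VPC collisions.

Added example (not from the thread, AWS or SonicWall). One customer gateway
(the NSA 4600) terminates two route-based tunnels per VPC. Each tunnel gets a
/30 inside CIDR from 169.254.0.0/16 whose host addresses double as the BGP
peer addresses, so a /30 reused across two VPCs would give the single
firewall duplicate tunnel-interface and BGP-neighbour addresses.
"""
import ipaddress
from collections import defaultdict

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

# Constructed sample data (field names are an assumption, not an AWS API).
# Three VPN connections, one per VPC, two tunnels each. vpn-0c3 tunnel 1
# deliberately reuses vpn-0a1's inside CIDR to show the collision case.
SAMPLE_VPN_CONNECTIONS = [
    {"vpn_connection_id": "vpn-0a1", "vpc_id": "vpc-aaa", "tunnels": [
        {"outside_ip": "203.0.113.10", "inside_cidr": "169.254.10.0/30"},
        {"outside_ip": "203.0.113.11", "inside_cidr": "169.254.10.4/30"},
    ]},
    {"vpn_connection_id": "vpn-0b2", "vpc_id": "vpc-bbb", "tunnels": [
        {"outside_ip": "203.0.113.20", "inside_cidr": "169.254.20.0/30"},
        {"outside_ip": "203.0.113.21", "inside_cidr": "169.254.20.4/30"},
    ]},
    {"vpn_connection_id": "vpn-0c3", "vpc_id": "vpc-ccc", "tunnels": [
        {"outside_ip": "203.0.113.30", "inside_cidr": "169.254.10.0/30"},
        {"outside_ip": "203.0.113.31", "inside_cidr": "169.254.30.4/30"},
    ]},
]


def _inside_network(cidr):
    """Normalise an inside CIDR; strict=False accepts '169.254.10.2/30' too."""
    return ipaddress.ip_network(cidr, strict=False)


def tunnel_endpoints(inside_cidr):
    """Return (vgw_ip, cgw_ip) for a /30 tunnel inside CIDR.

    Assumed convention for the example: first usable host is the AWS (VGW)
    side, i.e. the BGP peer, second usable host is the customer gateway side.
    Rejects anything that is not a /30 inside 169.254.0.0/16.
    """
    net = _inside_network(inside_cidr)
    if net.prefixlen != 30 or not net.subnet_of(LINK_LOCAL):
        raise ValueError(f"{inside_cidr}: expected a /30 inside {LINK_LOCAL}")
    vgw, cgw = list(net.hosts())
    return str(vgw), str(cgw)


def tunnel_count(connections):
    """Number of tunnel interfaces (each with its own BGP session) the
    firewall must carry for all connections."""
    return sum(len(conn["tunnels"]) for conn in connections)


def find_collisions(connections):
    """Map every inside CIDR used by more than one tunnel to the
    (vpn_connection_id, tunnel number) pairs that share it.
    An empty result means one routing table is safe."""
    users = defaultdict(list)
    for conn in connections:
        for idx, tun in enumerate(conn["tunnels"], start=1):
            users[str(_inside_network(tun["inside_cidr"]))].append(
                (conn["vpn_connection_id"], idx))
    return {cidr: tuns for cidr, tuns in users.items() if len(tuns) > 1}


def group_into_vrfs(connections):
    """Greedy first-fit grouping: each connection joins the first VRF whose
    members share none of its inside CIDRs, or opens a new one.
    Returns the VRF groups as lists of vpn_connection_id; one group means
    no VRF separation is required."""
    vrfs = []  # list of (set of inside CIDRs in use, [vpn_connection_id])
    for conn in connections:
        cidrs = {str(_inside_network(t["inside_cidr"])) for t in conn["tunnels"]}
        for used, members in vrfs:
            if not (used & cidrs):
                used |= cidrs
                members.append(conn["vpn_connection_id"])
                break
        else:
            vrfs.append((set(cidrs), [conn["vpn_connection_id"]]))
    return [members for _, members in vrfs]


if __name__ == "__main__":
    print("tunnel interfaces needed:", tunnel_count(SAMPLE_VPN_CONNECTIONS))
    for cidr, tuns in find_collisions(SAMPLE_VPN_CONNECTIONS).items():
        vgw, cgw = tunnel_endpoints(cidr)
        print(f"collision on {cidr} (BGP peer {vgw}, local {cgw}): {tuns}")
    print("VRF groups:", group_into_vrfs(SAMPLE_VPN_CONNECTIONS))
```

Run it against the inside CIDRs from each VPC's downloaded customer gateway configuration; a collision report means either requesting the affected VPN connection again until AWS hands out non-overlapping addresses, or placing the colliding connections in separate routing tables as the AWS article recommends.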