Solved

SonicWall IPSec tunnels to multiple AWS VPCs

Posted on 2015-01-15
1,561 Views
Last Modified: 2015-02-03
We need to create IPsec tunnels to multiple AWS VPCs using a single SonicWall NSA 4600 connected to the internet via a single ISP.
Is this scenario doable at all?

Thanks
0
Question by:Vasilax50
5 Comments
 
LVL 63

Assisted Solution

by:btan
btan earned 334 total points
ID: 40553510
I would think it is possible if this use case fits your requirements; see this paper, which runs through SonicOS configuration for multiple Amazon VPCs:
"To connect a firewall to your AWS VPC, a matching VPN policy must be configured on the Dell SonicWALL Security Appliance. A tunnel interface is created by configuring a VPN policy of type Tunnel Interface on a physical interface from the firewall to the remote AWS gateway."
In particular for dynamic routing:
"VPC requires a customer gateway to configure 2 route based VPN tunnels for each instance of dynamic route based VPNs at VPC. So there needs to be 2 tunnel interface VPNs and 2 tunnel interfaces, each with its own BGP configuration."
http://www.sonicwall.com/downloads/Configuring_SonicOS_for_Amazon_VPC_Technote.pdf
0
 
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 40553826
What OS are they running? Do you have a reason not to use an L2TP client connection?
0
 

Author Comment

by:Vasilax50
ID: 40554070
@btan,
This is the standard AWS VPN procedure to have 2 redundant tunnels to the same VPC; in our case we need to connect to multiple VPCs using one NSA.

@Aaron Tomosky
L2TP connections are not supported by AWS VPC; we are trying to create site-to-site VPN tunnels, not client to server ...

Thanks
0
 
LVL 39

Assisted Solution

by:Aaron Tomosky
Aaron Tomosky earned 166 total points
ID: 40554191
Sorry, I thought it was a single virtual instance, not a private network. As to the general question, can you set up multiple IPsec (site-to-site) tunnels in a SonicWall NSA, I can tell you the answer is yes. I have TZ and NSA models both set up with 5+ site-to-site tunnels to other SonicWalls as well as Palo Alto, Cisco, etc... However, I've never used Amazon VPC, so I can't really comment on that side of the setup.

The trick with multiple tunnels is to make address objects for your remote networks and bind the VPN to those objects.
0
 
LVL 63

Accepted Solution

by:btan
btan earned 334 total points
ID: 40554699
Since VPC now supports static IPsec VPN connections, and NSA can do site-to-site (in our case to each VPC as a site per se), it may be possible via VRF as below, but it is not something I have tried before.
"AWS recommends using VRFs when connecting a single customer gateway to multiple Amazon VPCs because the VPN connection creation logic is designed to ensure unique tunnel IP addresses for each connection within a single VPC, but not necessarily across multiple VPCs.
When implementing multiple VPC connections from a single customer gateway without VRFs, customers must be aware that VPC does not guarantee unique tunnel and Border Gateway Protocol (BGP) peer IP addresses. As a result, it is possible that these addresses automatically generated for one VPC may be duplicated when creating connections to another VPC."
https://aws.amazon.com/articles/5458758371599914

Sidenote (though not really in this use case): AWS states that access to your VPC resources is limited to a single AWS account and that multiple VPN gateways per VPC are not yet supported. So for this case of multiple VPCs, each will need a single gateway (one for each VPC), I suppose. Also, Virtual Private Gateways cannot be used to establish a direct connection between VPCs.

Just for info, this discussion on routing may still be the redundant tunnel case: https://forums.aws.amazon.com/thread.jspa?messageID=534498
0
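An added illustration, not part of the thread and not code from AWS or SonicWall: the duplicate-address problem quoted in the accepted solution and the earlier advice to bind each VPN policy to address objects for its remote network both come down to a cross-VPC overlap check that can be run before touching the firewall. The script below takes constructed tunnel parameters of the kind found in each AWS VPN connection's downloaded configuration (tunnel inside /30, BGP peer address, remote VPC CIDR; every value and VPC name here is a placeholder) and reports the collisions a single customer gateway without VRFs would hit. AWS only promises uniqueness within one VPC, so the check deliberately skips pairs from the same VPC and flags pairs from different VPCs.

```python
import ipaddress

# Constructed sample data: two tunnels per VPC, as AWS generates them.
# vpc-B tunnel 1 repeats vpc-A tunnel 1's inside CIDR and BGP peer (the
# cross-VPC duplication AWS warns about), and vpc-C's remote CIDR sits
# inside vpc-A's, which would make the address-object routing ambiguous.
VPN_CONNECTIONS = [
    {"vpc": "vpc-A", "tunnel": 1, "inside_cidr": "169.254.10.0/30",
     "bgp_peer": "169.254.10.1", "remote_cidr": "10.10.0.0/16"},
    {"vpc": "vpc-A", "tunnel": 2, "inside_cidr": "169.254.10.4/30",
     "bgp_peer": "169.254.10.5", "remote_cidr": "10.10.0.0/16"},
    {"vpc": "vpc-B", "tunnel": 1, "inside_cidr": "169.254.10.0/30",
     "bgp_peer": "169.254.10.1", "remote_cidr": "10.20.0.0/16"},
    {"vpc": "vpc-B", "tunnel": 2, "inside_cidr": "169.254.11.4/30",
     "bgp_peer": "169.254.11.5", "remote_cidr": "10.20.0.0/16"},
    {"vpc": "vpc-C", "tunnel": 1, "inside_cidr": "169.254.12.0/30",
     "bgp_peer": "169.254.12.1", "remote_cidr": "10.10.128.0/17"},
    {"vpc": "vpc-C", "tunnel": 2, "inside_cidr": "169.254.12.4/30",
     "bgp_peer": "169.254.12.5", "remote_cidr": "10.10.128.0/17"},
]


def _label(conn):
    return f"{conn['vpc']}/tunnel{conn['tunnel']}"


def tunnel_address_conflicts(connections):
    """Pairs of tunnels from *different* VPCs whose inside /30 networks
    overlap or whose BGP peer addresses are identical. Each entry is
    (label_a, label_b, reasons) with reasons a tuple of field names."""
    conflicts = []
    for i, a in enumerate(connections):
        for b in connections[i + 1:]:
            if a["vpc"] == b["vpc"]:
                continue  # uniqueness inside one VPC is guaranteed by AWS
            reasons = []
            net_a = ipaddress.ip_network(a["inside_cidr"])
            net_b = ipaddress.ip_network(b["inside_cidr"])
            if net_a.overlaps(net_b):
                reasons.append("inside_cidr")
            if a["bgp_peer"] == b["bgp_peer"]:
                reasons.append("bgp_peer")
            if reasons:
                conflicts.append((_label(a), _label(b), tuple(reasons)))
    return conflicts


def remote_network_conflicts(connections):
    """Remote CIDRs (the address objects each VPN policy is bound to) that
    overlap between two different VPCs. Returns (vpc_a, cidr_a, vpc_b, cidr_b)."""
    per_vpc = {}
    for c in connections:
        per_vpc.setdefault(c["vpc"], set()).add(
            ipaddress.ip_network(c["remote_cidr"]))
    vpcs = sorted(per_vpc)
    conflicts = []
    for i, va in enumerate(vpcs):
        for vb in vpcs[i + 1:]:
            for na in sorted(per_vpc[va]):
                for nb in sorted(per_vpc[vb]):
                    if na.overlaps(nb):
                        conflicts.append((va, str(na), vb, str(nb)))
    return conflicts


if __name__ == "__main__":
    for a, b, why in tunnel_address_conflicts(VPN_CONNECTIONS):
        print(f"tunnel address clash: {a} vs {b} on {', '.join(why)}")
    for va, na, vb, nb in remote_network_conflicts(VPN_CONNECTIONS):
        print(f"remote network overlap: {va} {na} vs {vb} {nb}")
```

A tunnel address clash is the case for which AWS recommends VRFs, or for which the VPN connection has to be recreated until the generated inside addresses differ; a remote network overlap has to be resolved in the VPC address plan itself, since no address-object binding on the firewall can disambiguate two identical destinations.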
