Solved

SonicWall IPSec tunnels to multiple AWS VPCs

Posted on 2015-01-15
1,517 Views
Last Modified: 2015-02-03
We need to create IPSec tunnels to multiple AWS VPCs using a single SonicWall NSA 4600 connected to the internet via a single ISP.
Is this scenario doable at all?

Thanks
Question by:Vasilax50
5 Comments
 
LVL 63

Assisted Solution

by:btan
btan earned 334 total points
ID: 40553510
I would think it is possible if this use case fits your requirements; see this paper, which runs through the SonicOS configuration for multiple Amazon VPCs:
To connect a firewall to your AWS VPC, a matching VPN policy must be configured on the Dell SonicWALL Security Appliance. A tunnel interface is created by configuring a VPN policy of type Tunnel Interface on a physical interface from the firewall to the remote AWS gateway.
In particular, for dynamic routing:
VPC requires a customer gateway to configure 2 route based VPN tunnels for each instance of dynamic route based VPNs at VPC. So there needs to be 2 tunnel interface VPNs and 2 tunnel interfaces, each with its own BGP configuration.
http://www.sonicwall.com/downloads/Configuring_SonicOS_for_Amazon_VPC_Technote.pdf
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 40553826
What OS are they running? Do you have a reason not to use an L2TP client connection?

Author Comment

by:Vasilax50
ID: 40554070
@btan,
This is the standard AWS VPN procedure to have 2 redundant tunnels to the same VPC; in our case we need to connect to multiple VPCs using one NSA.

@Aaron Tomosky
L2TP connections are not supported by AWS VPC; we are trying to create site-to-site VPN tunnels, not client-to-server ...

Thanks
LVL 39

Assisted Solution

by:Aaron Tomosky
Aaron Tomosky earned 166 total points
ID: 40554191
Sorry, I thought it was a single virtual instance, not a private network. As to the general question, can you set up multiple IPsec (site-to-site) tunnels on a SonicWall NSA: I can tell you the answer is yes. I have TZ and NSA models both set up with 5+ site-to-site tunnels to other SonicWalls as well as Palo Alto, Cisco, etc. However, I've never used Amazon VPC so I can't really comment on that side of the setup.

The trick with multiple tunnels is to make address objects for your remote networks and bind the VPN to those objects.
LVL 63

Accepted Solution

by:btan
btan earned 334 total points
ID: 40554699
Since VPC now supports static IPSec VPN connections, and the NSA can do site-to-site (in our case to each VPC as a site per se), it may be possible via the VRF approach below, though it is not something I have tried before.
AWS recommends using VRFs when connecting a single customer gateway to multiple Amazon VPCs because the VPN connection creation logic is designed to ensure unique tunnel IP addresses for each connection within a single VPC, but not necessarily across multiple VPCs.
When implementing multiple VPC connections from a single customer gateway without VRFs, customers must be aware that VPC does not guarantee unique tunnel and Border Gateway Protocol (BGP) peer IP addresses. As a result, it is possible that these addresses automatically generated for one VPC may be duplicated when creating connections to another VPC.
https://aws.amazon.com/articles/5458758371599914

Sidenote (though not really in this use case): AWS state that access to your VPC resources is limited to a single AWS account, and that multiple VPN gateways per VPC are not yet supported. So for this case of multiple VPCs, each will need a single gateway (one per VPC), I suppose. Also, Virtual Private Gateways cannot be used to establish a direct connection between VPCs.

Just for info, this discussion on routing may still be the redundant-tunnel case: https://forums.aws.amazon.com/thread.jspa?messageID=534498
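As an added example that is not part of the thread (and not AWS or SonicWall code), a check for the failure mode btan quotes: it compares the tunnel inside CIDRs of VPN connections from one customer gateway to several VPCs, reports any that collide (and so would give the firewall duplicate tunnel and BGP peer addresses), and picks a free /30 from an operator-supplied candidate range. The sample connections and the candidate range are constructed.

```python
import ipaddress
from itertools import combinations

# Constructed sample: one customer gateway, three VPCs, two tunnels per VPC.
# Inside CIDRs follow AWS's 169.254.0.0/16 link-local convention, one /30 each.
CONNECTIONS = [
    {"vpc": "vpc-aaaa", "tunnel": 1, "inside_cidr": "169.254.10.0/30"},
    {"vpc": "vpc-aaaa", "tunnel": 2, "inside_cidr": "169.254.10.4/30"},
    {"vpc": "vpc-bbbb", "tunnel": 1, "inside_cidr": "169.254.20.0/30"},
    {"vpc": "vpc-bbbb", "tunnel": 2, "inside_cidr": "169.254.10.0/30"},  # same /30 as vpc-aaaa tunnel 1
    {"vpc": "vpc-cccc", "tunnel": 1, "inside_cidr": "169.254.30.0/30"},
    {"vpc": "vpc-cccc", "tunnel": 2, "inside_cidr": "169.254.30.4/30"},
]

def peer_addresses(inside_cidr):
    """Two usable hosts of a /30 inside CIDR: the tunnel/BGP peer addresses of both ends."""
    net = ipaddress.ip_network(inside_cidr, strict=True)
    if net.prefixlen != 30:
        raise ValueError(f"{inside_cidr}: expected a /30 tunnel inside CIDR")
    return tuple(str(h) for h in net.hosts())

def find_collisions(connections):
    """Every pair of connections whose inside CIDRs overlap (cross-VPC is the AWS-warned case)."""
    collisions = []
    for a, b in combinations(connections, 2):
        net_a = ipaddress.ip_network(a["inside_cidr"], strict=True)
        net_b = ipaddress.ip_network(b["inside_cidr"], strict=True)
        if net_a.overlaps(net_b):  # a duplicated /30 also duplicates both BGP peer IPs
            collisions.append((a, b))
    return collisions

def first_free_cidr(connections, pool):
    """First /30 in the operator-chosen `pool` (an assumed range) that no tunnel uses, else None."""
    used = [ipaddress.ip_network(c["inside_cidr"]) for c in connections]
    for cand in ipaddress.ip_network(pool).subnets(new_prefix=30):
        if not any(cand.overlaps(u) for u in used):
            return str(cand)
    return None

if __name__ == "__main__":
    for a, b in find_collisions(CONNECTIONS):
        print(f"collision: {a['vpc']} tunnel {a['tunnel']} and {b['vpc']} tunnel {b['tunnel']} "
              f"share {a['inside_cidr']}, peers {peer_addresses(a['inside_cidr'])}")
    print("free /30 to re-create the clashing connection:", first_free_cidr(CONNECTIONS, "169.254.10.0/28"))
```

Run it against the inside CIDRs taken from each downloaded AWS VPN configuration before committing the tunnel-interface policies; a non-empty collision list means one of the connections must be re-created with a distinct /30 (or the tunnels separated with VRFs, as the AWS article advises).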
