Solved

SonicWall IPSec tunnels to multiple AWS VPCs

Posted on 2015-01-15
5
1,398 Views
Last Modified: 2015-02-03
We need to create IPSec tunnels to multiple AWS VPCs using single SonicWall NSA 4600 connected to the internet via single ISP.
Is this scenario doable at all?

Thanks
0
Comment
Question by:Vasilax50
  • 2
  • 2
5 Comments
 
LVL 61

Assisted Solution

by:btan
btan earned 334 total points
Comment Utility
I would think it is possible if this use case fit your requirements, see this paper which runs through SonicOS configuration for multiple Amazon VPC
To connect a firewall to your AWS VPC, a matching VPN policy must be configured on the Dell SonicWALL Security
Appliance. A tunnel interface is created by configuring a VPN policy of type Tunnel Interface on a physical
interface from the firewall to the remote AWS gateway
in particular for dynamic routing
VPC requires a customer gateway to configure 2 route based VPN tunnels for each instance of dynamic route
based VPNs at VPC. So there needs to be 2 tunnel interface VPNs and 2 tunnel interfaces, each with its own BGP
configuration.
http://www.sonicwall.com/downloads/Configuring_SonicOS_for_Amazon_VPC_Technote.pdf
0
 
LVL 38

Expert Comment

by:Aaron Tomosky
Comment Utility
what OS are they running? do you have a reason not to use an l2tp client connection?
0
 

Author Comment

by:Vasilax50
Comment Utility
@btan,
This is standard AWS VPN procedure to have 2 redundant  tunnels to the same VPC, in our case we need to connect to multiple VPCs using one NSA

@Aaron Tomosky
i2tp connections are not supported by AWS VPC, we are trying to create site-to-site VPN tunnels, not client to server ...

Thanks
0
 
LVL 38

Assisted Solution

by:Aaron Tomosky
Aaron Tomosky earned 166 total points
Comment Utility
sorry, I thought it was a single virtual instance, not a private network. As to the general question: can you setup multiple ipsec (site2site) tunnels in a sonicwall NSA, I can tell you the answer is yes. I have TZ and NSA models both setup with 5+ site to site tunnels to other sonicwalls as well as palo alto, cisco, etc... However I've never used amazon vpc so I cant really comment on that side of the setup.

The trick with multiple tunnels is to make address objects for your remote networks and bind the vpn to those objects.
0
 
LVL 61

Accepted Solution

by:
btan earned 334 total points
Comment Utility
Since VPC now supports static IPSec VPN connections, and NSA can do site to site - in our case to each VPC as a site per se, may be possible from this via VRF below but not that I tried before though.
AWS recommends using VRFs when connecting a single customer gateway to multiple Amazon VPCs because the VPN connection creation logic is designed to ensure unique tunnel IP addresses for each connection within a single VPC, but not necessarily across multiple VPCs.
When implementing multiple VPC connections from a single customer gateway without VRFs, customers must be aware that VPC does not guarantee unique tunnel and Border Gateway Protocol (BGP) peer IP addresses. As a result, it is possible that these addresses automatically generated for one VPC may be duplicated when creating connections to another VPC.
https://aws.amazon.com/articles/5458758371599914

Sidenote - Note (though not really in this use case) from AWS, they stated the access to your VPC resources is limited to a single AWS account and yet to support multiple VPN gateways per VPC. So for this case of multiple VPC, each will need a single gateway (for each VPC), I supposed. Also Virtual Private Gateways cannot be used to establish a direct connection between VPCs.

Just for info on this discussion on routing may still be the redundant tunnel case https://forums.aws.amazon.com/thread.jspa?messageID=534498
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Join & Write a Comment

This article provides a guide on how to optimise your costs within your AWS infrastructure when using some of the common services such as EC2, EBS, S3, Glacier, CloudFront, EIP & ELB.
In the world of WAN, QoS is a pretty important topic for most, if not all, networks. Some WAN technologies have QoS mechanisms built in, but others, such as some L2 WAN's, don't have QoS control in the provider cloud.
Steps to create a PostgreSQL RDS instance in the Amazon cloud. We will cover some of the default settings and show how to connect to the instance once it is up and running.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now