Solved

SonicWall IPSec tunnels to multiple AWS VPCs

Posted on 2015-01-15
Last Modified: 2015-02-03
We need to create IPSec tunnels to multiple AWS VPCs using a single SonicWall NSA 4600 connected to the internet via a single ISP.
Is this scenario doable at all?

Thanks
Question by:Vasilax50
5 Comments

Assisted Solution

by:btan
btan earned 334 total points
ID: 40553510
I would think it is possible if this use case fits your requirements; see this paper, which runs through SonicOS configuration for multiple Amazon VPCs:
To connect a firewall to your AWS VPC, a matching VPN policy must be configured on the Dell SonicWALL Security Appliance. A tunnel interface is created by configuring a VPN policy of type Tunnel Interface on a physical interface from the firewall to the remote AWS gateway.
In particular, for dynamic routing:
VPC requires a customer gateway to configure 2 route based VPN tunnels for each instance of dynamic route based VPNs at VPC. So there needs to be 2 tunnel interface VPNs and 2 tunnel interfaces, each with its own BGP configuration.
http://www.sonicwall.com/downloads/Configuring_SonicOS_for_Amazon_VPC_Technote.pdf

Expert Comment

by:Aaron Tomosky
ID: 40553826
What OS are they running? Do you have a reason not to use an L2TP client connection?

Author Comment

by:Vasilax50
ID: 40554070
@btan,
It is standard AWS VPN procedure to have 2 redundant tunnels to the same VPC; in our case we need to connect to multiple VPCs using one NSA.

@Aaron Tomosky
L2TP connections are not supported by AWS VPC; we are trying to create site-to-site VPN tunnels, not client-to-server...

Thanks

Assisted Solution

by:Aaron Tomosky
Aaron Tomosky earned 166 total points
ID: 40554191
Sorry, I thought it was a single virtual instance, not a private network. As to the general question (can you set up multiple IPSec site-to-site tunnels on a SonicWall NSA?), I can tell you the answer is yes. I have both TZ and NSA models set up with 5+ site-to-site tunnels to other SonicWalls as well as Palo Alto, Cisco, etc. However, I've never used Amazon VPC, so I can't really comment on that side of the setup.

The trick with multiple tunnels is to make address objects for your remote networks and bind the vpn to those objects.

Accepted Solution

by:btan
btan earned 334 total points
ID: 40554699
Since VPC now supports static IPSec VPN connections, and the NSA can do site-to-site (in our case to each VPC as a site, per se), it may be possible via VRF as described below, though it is not something I have tried before.
AWS recommends using VRFs when connecting a single customer gateway to multiple Amazon VPCs because the VPN connection creation logic is designed to ensure unique tunnel IP addresses for each connection within a single VPC, but not necessarily across multiple VPCs.
When implementing multiple VPC connections from a single customer gateway without VRFs, customers must be aware that VPC does not guarantee unique tunnel and Border Gateway Protocol (BGP) peer IP addresses. As a result, it is possible that these addresses automatically generated for one VPC may be duplicated when creating connections to another VPC.
https://aws.amazon.com/articles/5458758371599914

Sidenote (though not really in this use case): AWS states that access to your VPC resources is limited to a single AWS account, and multiple VPN gateways per VPC are not yet supported. So for this case of multiple VPCs, each will need its own single gateway, I suppose. Also, Virtual Private Gateways cannot be used to establish a direct connection between VPCs.

Just for info, this discussion on routing may still be relevant to the redundant tunnel case: https://forums.aws.amazon.com/thread.jspa?messageID=534498
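The following is an added example, not code from this thread, from Dell/SonicWall or from AWS. It is a pre-flight check over the parameters you would transcribe from each VPC's downloaded VPN configuration before keying them into the NSA: it flags the cross-VPC duplicate inside-tunnel CIDRs and BGP peer addresses that the AWS text quoted above warns about, the overlapping remote networks that would collide once each becomes a SonicOS address object bound to its VPN policy (the point made earlier in the thread), and any VPC missing its redundant second tunnel. All VPC IDs, addresses and field names are constructed for illustration, and the function names are the example's own.

```python
"""Pre-flight check for several AWS VPN connections landing on one customer gateway.

AWS hands out two tunnels per VPN connection, each with an outside peer, a
169.254.x.x/30 inside-tunnel CIDR and a BGP peer address, and only promises
those are unique within one VPC. When one firewall terminates tunnels to
several VPCs, collisions across VPCs have to be caught by hand.
"""
import ipaddress
from collections import defaultdict

# Constructed sample data, not taken from any real AWS account. vpc-b tunnel 2
# deliberately reuses vpc-a tunnel 1's inside CIDR and BGP peer, and vpc-c's
# network sits inside vpc-b's, so that both checks below have something to find.
TUNNELS = [
    {"vpc": "vpc-a", "tunnel": 1, "outside_peer": "203.0.113.10",
     "inside_cidr": "169.254.12.0/30", "bgp_peer": "169.254.12.1",
     "remote_net": "10.10.0.0/16"},
    {"vpc": "vpc-a", "tunnel": 2, "outside_peer": "203.0.113.11",
     "inside_cidr": "169.254.12.4/30", "bgp_peer": "169.254.12.5",
     "remote_net": "10.10.0.0/16"},
    {"vpc": "vpc-b", "tunnel": 1, "outside_peer": "198.51.100.20",
     "inside_cidr": "169.254.40.8/30", "bgp_peer": "169.254.40.9",
     "remote_net": "10.20.0.0/16"},
    {"vpc": "vpc-b", "tunnel": 2, "outside_peer": "198.51.100.21",
     "inside_cidr": "169.254.12.0/30", "bgp_peer": "169.254.12.1",
     "remote_net": "10.20.0.0/16"},
    {"vpc": "vpc-c", "tunnel": 1, "outside_peer": "192.0.2.30",
     "inside_cidr": "169.254.77.0/30", "bgp_peer": "169.254.77.1",
     "remote_net": "10.20.128.0/17"},
    {"vpc": "vpc-c", "tunnel": 2, "outside_peer": "192.0.2.31",
     "inside_cidr": "169.254.77.4/30", "bgp_peer": "169.254.77.5",
     "remote_net": "10.20.128.0/17"},
]


def duplicate_inside_addresses(tunnels):
    """Map every inside CIDR or BGP peer address used by more than one tunnel
    to the [(vpc, tunnel), ...] list that uses it. This is the cross-VPC
    collision AWS says it does not guard against without VRFs."""
    seen = defaultdict(list)
    for t in tunnels:
        seen[("inside_cidr", t["inside_cidr"])].append((t["vpc"], t["tunnel"]))
        seen[("bgp_peer", t["bgp_peer"])].append((t["vpc"], t["tunnel"]))
    return {key: users for key, users in seen.items() if len(users) > 1}


def overlapping_remote_networks(tunnels):
    """Return [(vpc_x, net_x, vpc_y, net_y), ...] for remote networks of two
    different VPCs that overlap. A VPC legitimately repeats its own CIDR on
    both tunnels, so only cross-VPC overlap is reported; on the firewall each
    remote network is one address object bound to that VPC's VPN policy."""
    nets = defaultdict(set)
    for t in tunnels:
        nets[t["vpc"]].add(ipaddress.ip_network(t["remote_net"]))
    vpcs = sorted(nets)
    problems = []
    for i, vpc_x in enumerate(vpcs):
        for vpc_y in vpcs[i + 1:]:
            for net_x in sorted(nets[vpc_x]):
                for net_y in sorted(nets[vpc_y]):
                    if net_x.overlaps(net_y):
                        problems.append((vpc_x, str(net_x), vpc_y, str(net_y)))
    return problems


def vpcs_without_redundant_pair(tunnels):
    """Return [(vpc, count), ...] for VPCs that do not have exactly the two
    tunnels AWS provides per VPN connection."""
    counts = defaultdict(int)
    for t in tunnels:
        counts[t["vpc"]] += 1
    return sorted((vpc, n) for vpc, n in counts.items() if n != 2)


def check_plan(tunnels):
    """Return human-readable findings; an empty list means the plan is clean."""
    findings = []
    for (field, value), users in sorted(duplicate_inside_addresses(tunnels).items()):
        where = ", ".join(f"{vpc} tunnel {n}" for vpc, n in users)
        findings.append(f"duplicate {field} {value} used by {where}")
    for vpc_x, net_x, vpc_y, net_y in overlapping_remote_networks(tunnels):
        findings.append(f"remote network {net_x} ({vpc_x}) overlaps {net_y} ({vpc_y})")
    for vpc, count in vpcs_without_redundant_pair(tunnels):
        findings.append(f"{vpc} has {count} tunnel(s); AWS provides 2 per VPN connection")
    return findings


if __name__ == "__main__":
    for finding in check_plan(TUNNELS):
        print(finding)
```

Run it against the constructed data and it reports the planted inside-CIDR and BGP-peer duplicates between vpc-a and vpc-b and the 10.20.128.0/17 network of vpc-c sitting inside vpc-b's 10.20.0.0/16. A duplicate inside CIDR is the case where you would need either the VRF approach AWS recommends or a regenerated VPN connection on the AWS side; an overlapping remote network is a design problem on the VPC side that no firewall configuration fixes.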
