Kacey Fern asked:
Create second tunnel for SonicWall VPN to AWS. SonicWall TZ / 600 firmware 6.5.0.2-8n
Greetings Experts,
I can't seem to figure out how to add the second backup tunnel for AWS on my Sonicwall. All the directions I'm finding just show how to create the first tunnel, which I did and the VPN is running.
In the config file you get two sets of information with different WAN IPs. The LAN gateways are the same.
I went to create a second VPN on the Sonicwall with the second AWS gateway IP, but I can't due to the Lan networks being the same. When I go to create a new network, with the same lan network it says they overlap and won't let me do it.
I'm guessing I'm just missing something easy, but I'm new to sonicwall and this firmware is new as well.
Any help would be most appreciated.
Kacey
ASKER
Hi Arnold, Thanks for the quick reply.
We have two IPs from AWS; I’m using the one WAN IP on my SonicWall.
Look at this link; my config file looks exactly the same, just different IPs of course.
https://docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide/sonicwall-static.html
See how they put two tunnels in the picture at the top. See how the vpn config shows two AWS gateways. Then the instructions never mention the second AWS Gateway. Meaning they use 72.21.209.193, but don’t use 72.21.209.225.
It seems like they want me to build a separate VPN for each tunnel, but when I do I get an overlap error when I connect it to the AWS internal network, due to the network being the same in tunnel 1 and tunnel 2.
SOLUTION
ASKER
Config is exactly the same.
Yes, I use the same IP for the gateway and peer ID.
As soon as I enable the second tunnel I get:
Error: Enable VPN Policy: Address object AWS_Oregon_2 overlaps in Tunnel.1 policy
Yes, tunnel one is up and everything is good. I bring up the second and get the above error, and service is NOT disrupted. For Tunnel 2, VPN enable check mark is gone if I refresh.
My expectation is that if tunnel 1 goes down, tunnel one automatically comes up. That’s how it worked for my Juniper firewall, which I just decommissioned. Not sure how the vpn will know to come up, if I can’t enable it.
I can’t risk knocking the vpn down right now due to work. I’ll try to bring tunnel 1 down tonight and see what happens. The only reason I haven’t tried that yet is because we had a vpn outage on Thursday or Friday, and the second vpn didn’t kick in. Unless both AWS gateways were down, which is possible, just unlikely.
The same rule: interesting traffic, tunnel 1 fails, the tunnel 2 meeting the same criteria will be attempted.
Test it: introduce an error into tunnel one, such as the wrong passphrase. Do not change the LAN/LAN networks.
See what happens.
This will test the condition: when AWS IP1 runs into an issue, will the VPN tunnel to AWS IP2 come up?
ASKER
Will do, I'll report back tonight / early tomorrow. Thanks again.
ASKER
Sorry for the delay,
1. I took the first VPN down and initiated the second one, which works. Ping stopped to the internal AWS server while the VPN was down; I initiated the second VPN and ping worked. So we know both VPN tunnels work.
2. As mentioned before, I can't enable the second tunnel while the first tunnel is enabled; I get the overlap error.
3. Changed the secret key and tunnel 1 came down; tunnel 2 did NOT come up.
Look to see if you can group the two VPN tunnels as a single resource.
Look at the example you posted: each tunnel has its own unique reference, using a virtual source interface.
ASKER
Will have to figure that out; I have only used it for the VPN software client. It asks for one secret key. I'll do some googling over the weekend.
Look at the example:
vpn policy tunnel-interface vpn-44a8938f-1
vpn policy tunnel-interface vpn-44a8938f-2
See if you distinguish the VPN policies in your configuration not only by the peer ID, but by reference.
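The thread turns on one distinction: two policy-based (site-to-site) VPN policies that both protect the same LAN-to-VPC pair collide, which is the "Address object ... overlaps in Tunnel.1 policy" error above, whereas two tunnel-interface (route-based) policies, each with its own virtual interface like vpn-44a8938f-1 and vpn-44a8938f-2, carry no protected networks in the policy, so a route with a backup path handles failover instead. The model below is an added example written for this page, not code from the thread, from SonicWall or from AWS; the overlap rule and the route selection are simplified assumptions about how such a firewall behaves, not SonicOS's actual implementation. The LAN and VPC prefixes are constructed; the two peer IPs are the ones from the AWS documentation example quoted in the thread.

```python
"""Model of why two policy-based VPN policies to AWS collide and why two
tunnel-interface policies with a primary/backup route do not.
Added example for this thread; the overlap and routing rules are simplified
assumptions, not SonicOS's real logic.  All networks are constructed."""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class VpnPolicy:
    name: str
    peer_gateway: str            # AWS outside (WAN) IP for this tunnel
    policy_type: str             # "site-to-site" (policy-based) or "tunnel-interface" (route-based)
    local_networks: List[IPv4Network] = field(default_factory=list)
    remote_networks: List[IPv4Network] = field(default_factory=list)


def policies_overlap(a: VpnPolicy, b: VpnPolicy) -> bool:
    """Assumed overlap rule: two site-to-site policies collide when some local
    network of one overlaps a local network of the other AND some remote
    network of one overlaps a remote network of the other.  Tunnel-interface
    policies protect no networks themselves (routing decides), so they never
    trip this check."""
    if "tunnel-interface" in (a.policy_type, b.policy_type):
        return False
    local_hit = any(la.overlaps(lb) for la in a.local_networks for lb in b.local_networks)
    remote_hit = any(ra.overlaps(rb) for ra in a.remote_networks for rb in b.remote_networks)
    return local_hit and remote_hit


def check_enable(existing: List[VpnPolicy], new: VpnPolicy) -> Optional[str]:
    """Return an error message if `new` cannot be enabled next to `existing`, else None."""
    for p in existing:
        if policies_overlap(p, new):
            return f"Enable VPN Policy: networks of {new.name} overlap in {p.name} policy"
    return None


@dataclass
class Route:
    destination: IPv4Network
    interface: str               # tunnel interface the route points at
    metric: int                  # lower is preferred


def select_route(routes: List[Route], dest_ip: str, tunnel_up: Dict[str, bool]) -> Optional[str]:
    """Longest-prefix, then lowest-metric route to dest_ip whose tunnel is up; None if none."""
    addr = ip_address(dest_ip)
    usable = [r for r in routes if addr in r.destination and tunnel_up.get(r.interface, False)]
    if not usable:
        return None
    best = min(usable, key=lambda r: (-r.destination.prefixlen, r.metric))
    return best.interface


# Constructed sample data (the peer IPs are the AWS doc example values from the thread).
LAN = ip_network("10.10.0.0/16")          # constructed on-premises LAN
VPC = ip_network("172.31.0.0/16")         # constructed AWS VPC CIDR
AWS_GW1, AWS_GW2 = "72.21.209.193", "72.21.209.225"
TI1, TI2 = "vpn-44a8938f-1", "vpn-44a8938f-2"


def policy_based_attempt() -> Optional[str]:
    """Second site-to-site policy to the same VPC: reproduces the overlap refusal."""
    tunnel1 = VpnPolicy("Tunnel.1", AWS_GW1, "site-to-site", [LAN], [VPC])
    tunnel2 = VpnPolicy("Tunnel.2", AWS_GW2, "site-to-site", [LAN], [VPC])
    return check_enable([tunnel1], tunnel2)


def route_based_setup():
    """Two tunnel-interface policies plus a primary and a backup route to the VPC."""
    t1 = VpnPolicy(TI1, AWS_GW1, "tunnel-interface")
    t2 = VpnPolicy(TI2, AWS_GW2, "tunnel-interface")
    err = check_enable([t1], t2)
    routes = [Route(VPC, TI1, 10), Route(VPC, TI2, 20)]
    return err, routes


def failover_demo(routes: List[Route], t1_up: bool, t2_up: bool) -> Optional[str]:
    """Which tunnel carries traffic to a constructed VPC host given tunnel states."""
    return select_route(routes, "172.31.5.20", {TI1: t1_up, TI2: t2_up})


if __name__ == "__main__":
    print("policy-based second tunnel:", policy_based_attempt())
    err, routes = route_based_setup()
    print("route-based second tunnel:", err or "enabled without overlap")
    for up1, up2 in [(True, True), (False, True), (False, False)]:
        print(f"tunnel1 up={up1} tunnel2 up={up2} ->", failover_demo(routes, up1, up2))
```

The takeaway the model makes visible is that in the route-based form the VPC prefix lives once, in the routing table, with two next-hop interfaces of different preference; nothing in either VPN policy names the remote network, so enabling the second tunnel is not a duplicate of the first, and when tunnel 1 goes down the backup route is what brings tunnel 2 into use.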
ASKER CERTIFIED SOLUTION
ASKER
Called Support and got the correct instructions.
You can not have
The AWS setup needs to have two tunnels as well.
SonicwallIP -> AWS IP1
SonicWallIP -> AWS IP2
Without an example of your configuration it is hard to say what the issue is that you are running into.
If you order the VPNs in a different order, so that the one to AWS IP2 is first, does it establish the VPN?