Create second tunnel for sonicwall VPN to AWS. Sonicwall TZ / 600 firmware 6.5.0.2-8n

Greetings Experts,

I can't seem to figure out how to add the second backup tunnel for AWS on my Sonicwall. All the directions I'm finding just show how to create the first tunnel, which I did and the VPN is running.
In the config file you get two sets of information with different WAN IPs. The LAN gateways are the same.
I went to create a second VPN on the Sonicwall with the second AWS gateway IP, but I can't due to the LAN networks being the same. When I go to create a new network with the same LAN network it says they overlap and won't let me do it.

I'm guessing I'm just missing something easy, but I'm new to sonicwall and this firmware is new as well.

Any help would be most appreciated.

Kacey
Kacey Fern (System Engineer) asked:
 
Kacey Fern (System Engineer, Author) commented:
I ended up calling AWS support.

Here is the procedure.

1. Create the Address Object for the AWS internal network.
2. Create the VPN:
   a. Tunnel Interface
   b. IKE using preshared secret
   c. IPsec primary gateway = the primary gateway they give you
   d. Local IKE ID = your local firewall WAN
   e. Peer IKE ID = the primary gateway they give you
   f. Under Proposals, use Main Mode and follow the directions from the config
   g. Under Advanced, enable Keep Alive and bind the VPN policy to WAN (X1)
   h. Enable
3. Create a network interface (VPN tunnel interface):
   a. Zone = VPN, VPN policy = the VPN you just created
   b. IP: put in the IP from the config under Tunnel Interface configuration (this is NOT the same as the gateway IP)
   c. Under Advanced: enable Flow Reporting and Asymmetric Route Support
   d. Also enable Fragmented Packet Handling
4. Go to Network > Routing and create a new route:
   a. Source: Any
   b. Destination: the AWS internal network object you created
   c. Interface: the one you just created
5. VPN should now be up.
6. Do the exact same thing for the second VPN. Once you enable it after step 2, the first VPN might stop passing traffic; it will come back up once you finish.
7. When you create the second route, you can use the same network object for the AWS internal network.
8. Go back to VPN and renegotiate both tunnels. Everything should come up within a minute or two. The AWS console had a bit of latency.
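The procedure above works because the tunnel-interface (route-based) design attaches the AWS network through routes instead of through the VPN policy itself, so two routes to the same destination over two tunnel interfaces are allowed, while two enabled site-to-site policies claiming the same remote network are rejected with the overlap error quoted later in this thread. The following is an added illustrative model written for this page, not SonicWall's code or the AWS-generated configuration: the AWS outside IPs are the ones from the AWS example config linked below, while the VPC CIDR (10.0.0.0/16), the host address and the interface names are constructed, and the rule that a route is skipped while its tunnel interface is down is this model's assumption.

```python
"""Model of policy-based vs route-based VPN selection (illustrative, not SonicOS code)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class VpnPolicy:
    name: str
    peer_gateway: str              # AWS outside IP, also used as the peer IKE ID
    enabled: bool = False          # admin state (the "Enable" check mark)
    up: bool = False               # IKE/IPsec negotiated successfully
    remote_networks: List[IPv4Network] = field(default_factory=list)  # policy-based only


class PolicyBasedVpn:
    """Site-to-site policies that each carry their own remote network."""

    def __init__(self) -> None:
        self.policies: Dict[str, VpnPolicy] = {}

    def add(self, policy: VpnPolicy) -> None:
        self.policies[policy.name] = policy

    def enable(self, name: str) -> None:
        # Refuse to enable a policy whose remote network overlaps an enabled one;
        # the message mirrors the error reported in this thread.
        pol = self.policies[name]
        for other in self.policies.values():
            if other is pol or not other.enabled:
                continue
            for net in pol.remote_networks:
                if any(net.overlaps(o) for o in other.remote_networks):
                    raise ValueError(
                        f"Enable VPN Policy: Address object {net} "
                        f"overlaps in {other.name} policy")
        pol.enabled = True


@dataclass
class TunnelInterface:
    name: str
    policy: VpnPolicy

    @property
    def usable(self) -> bool:
        # Model assumption: routes over a down tunnel interface are not used.
        return self.policy.enabled and self.policy.up


@dataclass
class Route:
    destination: IPv4Network
    interface: TunnelInterface
    metric: int = 1


class RouteBasedVpn:
    """Tunnel interfaces plus a route table; duplicate destinations are allowed."""

    def __init__(self) -> None:
        self.routes: List[Route] = []

    def add_route(self, route: Route) -> None:
        self.routes.append(route)

    def lookup(self, dst: IPv4Address) -> Optional[str]:
        """Longest-prefix match, lowest metric, over usable interfaces only."""
        candidates = [r for r in self.routes
                      if r.interface.usable and dst in r.destination]
        if not candidates:
            return None
        best = min(candidates, key=lambda r: (-r.destination.prefixlen, r.metric))
        return best.interface.name


AWS_INTERNAL = ip_network("10.0.0.0/16")   # constructed VPC CIDR
AWS_GW1 = "72.21.209.193"                  # outside IPs from the AWS example config
AWS_GW2 = "72.21.209.225"


def policy_based_overlap() -> str:
    """Two policies to the same remote network: the second cannot be enabled."""
    fw = PolicyBasedVpn()
    fw.add(VpnPolicy("Tunnel.1", AWS_GW1, remote_networks=[AWS_INTERNAL]))
    fw.add(VpnPolicy("Tunnel.2", AWS_GW2, remote_networks=[AWS_INTERNAL]))
    fw.enable("Tunnel.1")
    try:
        fw.enable("Tunnel.2")
    except ValueError as err:
        return str(err)
    return "no error"


def route_based_failover() -> List[Optional[str]]:
    """Two routes to the same network; traffic follows whichever tunnel is up."""
    p1 = VpnPolicy("Tunnel.1", AWS_GW1, enabled=True, up=True)
    p2 = VpnPolicy("Tunnel.2", AWS_GW2, enabled=True, up=True)
    t1, t2 = TunnelInterface("T1", p1), TunnelInterface("T2", p2)
    fw = RouteBasedVpn()
    fw.add_route(Route(AWS_INTERNAL, t1, metric=1))
    fw.add_route(Route(AWS_INTERNAL, t2, metric=2))
    host = ip_address("10.0.5.20")          # constructed AWS host
    picks = [fw.lookup(host)]                # both up: primary route wins
    p1.up = False
    picks.append(fw.lookup(host))            # tunnel 1 down: fall back to T2
    p2.up = False
    picks.append(fw.lookup(host))            # both down: no route
    p1.up = True
    picks.append(fw.lookup(host))            # tunnel 1 restored: back to T1
    return picks


if __name__ == "__main__":
    print(policy_based_overlap())
    print(route_based_failover())
```

Both routes in the model are created with the same destination object, which is exactly what step 7 of the procedure relies on; the metric is what makes tunnel 1 preferred while it is up.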
 
arnold commented:
Please clarify your need; a second tunnel either has to originate from another IP that your sonicwall has or has to be destined to another IP on the AWS side.

You can not have

The AWS setup needs to have two tunnels as well.

SonicwallIP -> AWS IP1
SonicWallIP -> AWS IP2


Without an example of your configuration it is hard to say what the issue is that you are running into.

If you order the VPNs in a different order, changing it so the one to AWS IP2 is first, does it establish the VPN?
 
Kacey Fern (System Engineer, Author) commented:
Hi Arnold, Thanks for the quick reply.

We have two IPs from AWS; I'm using the one WAN IP on my sonicwall.

Look at this link, My config file looks exactly the same, just different IPs of course.
https://docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide/sonicwall-static.html

See how they put two tunnels in the picture at the top. See how the VPN config shows two AWS gateways. Then the instructions never mention the second AWS gateway. Meaning they use 72.21.209.193, but don't use 72.21.209.225.

It seems like they want me to build a separate VPN for each tunnel, but when I do I get an overlap error when I connect it to the AWS internal network, due to the network being the same in tunnel 1 and tunnel 2.

 
arnold commented:
Are you matching your configuration
gateway primary 72.21.209.193
gateway primary 72.21.209.225

Note they change the gateway primary and peer-id to match.

The overlap error deals with bringing up the second,

i.e. tunnel 1 establishes, tunnel 2 fails?
so long as tunnel 1 is established tunnel 2 fails.
Change tunnel 1's passphrase to make sure it fails to establish, does the 2nd now come up/establish?


if it does, your failover VPN tunnel configuration works, i.e. should the first fail to establish, the second one will be brought up.
Fix tunnel one and you are set.
I think that is what you are after, or was your expectation that both VPN tunnels will come up when configured?
 
Kacey Fern (System Engineer, Author) commented:
Config is exactly the same.
Yes, I use the same IP for the gateway and peer ID.
As soon as I enable the second tunnel I get:
Error: Enable VPN Policy: Address object AWS_Oregon_2 overlaps in Tunnel.1 policy

Yes, tunnel one is up and everything is good. I bring up the second and get the above error, and service is NOT disrupted. For Tunnel 2, the VPN enable check mark is gone if I refresh.

My expectation is that if tunnel 1 goes down, tunnel one automatically comes up. That's how it worked for my Juniper firewall, which I just decommissioned. Not sure how the VPN will know to come up if I can't enable it.

I can't risk knocking the VPN down right now due to work. I'll try to bring tunnel 1 down tonight and see what happens. The only reason I haven't tried that yet is because we had a VPN outage on Thursday or Friday, and the second VPN didn't kick in. Unless both AWS gateways were down, which is possible, just unlikely.
 
arnold commented:
The same rule, interesting traffic: tunnel 1 fails, the tunnel 2 meeting the same criteria will be attempted.

Test it: introduce an error into tunnel one, such as the wrong passphrase. Do not change the LAN/LAN networks.

See what happens.

This will test the condition when AWS IP1 runs into an issue: will the VPN tunnel to AWS IP2 come up?
 
Kacey Fern (System Engineer, Author) commented:
Will do, I'll report back tonight / early tomorrow. Thanks again.
 
Kacey Fern (System Engineer, Author) commented:
Sorry for the delay,

1. I took the first VPN down and initiated the second one, which works. Ping stopped to the internal AWS server while the VPN was down; I initiated the second VPN and ping worked. So we know both VPN tunnels work.
2. As mentioned before, I can't enable the second tunnel while the first tunnel is enabled; I get the overlap error.
3. Changed the secret key and tunnel 1 came down; tunnel 2 did NOT come up.
 
arnold commented:
Look to see if you can group the two VPN tunnels as a single resource.
Look at the example you posted: each tunnel has its own unique reference, using a virtual source interface.
 
Kacey Fern (System Engineer, Author) commented:
Will have to figure that out; I have only used it for the VPN software client. It asks for one secret key. I'll do some googling over the weekend.
 
arnold commented:
Look at the example:
vpn policy tunnel-interface vpn-44a8938f-1
vpn policy tunnel-interface vpn-44a8938f-2

See if you distinguish the VPN policies in your configuration not only by the peer-id, but by reference.
 
Kacey Fern (System Engineer, Author) commented:
Called Support and got the correct instructions.