11/16/2023
Description
This article details how to configure a Site-to-Site VPN between AWS and SonicWall using Tunnel interface and Applying a Route map to influence the incoming and outgoing traffic.
Below is the Schema used for the VPN tunnel configuration between SonicWall and AWS.
- Configuring the VPN Policy
- Configuring the Tunnel Interface
- Configuring the BGP routing
- Configuring the Route-map
| IP Addresses used in this article | ||
| Site A (NSA 6650) | AWS | |
| WAN IP | X1: 10.20.1.2X2: 10.30.1.2 | 10.6.220.6510.6.210.2 |
| Tunnel IP | 192.168.5.1192.168.6.1 | 192.168.5.2192.168.6.2 |
| Local Network | 172.16.32.0/24 | 172.16.31.0/24 |
| Peer Network(VPN) | 172.16.31.0/24 | 172.16.32.0/24 |
| BGP AS NUMBER | AS 65530 | AS 65532//65531 |
Cause
A route map can utilize access-lists, prefix-lists, as-path access lists, and community lists to create an effective route policy.
Resolution
STEP 1: Go to Manage | VPN | Base Settings and click on Add. The VPN Policy window is displayed.
General tab:
Policy type: Tunnel Interface
Auth method: IKE using Preshared Secret
Local/Peer IKE ID: IPv4 Address
Note: When configuring a Numbered Tunnel Interface VPN, do not select “Allow Advance Routing” in the VPN Policy Advance tab. This option is use for Unnumbered Tunnel Interface with Advance Routing only.
NOTE: The Proposals tab must be identical on the Tunnel Interface VPNs for both appliances and should Bind with X1 and X2.
STEP 2: Configuring the Tunnel Interface.
Go to Manage | Network | Interfaces, under Add Interface field, select VPN Tunnel Interface to create the VPN tunnel interfaces on both appliances.
STEP 3: Configure BGP using CLI.
Config terminal
config# routing / Enter to Routing Module
(config-routing)# bgp / Enter to BGP module
ARS BGP> configure terminal / Enter configure mode
ARS BGP(config)> router bgp 65530/ Set up AS number on SonicWALL
ARS BGP(config-router)> neighbor 192.168.5.2 remote-as 65532 / Configure neighbor connection
ARS BGP(config-router)> neighbor 192.168.6.2 remote-as 65531 / Configure neighbor connection
ARS BGP(config-router)> neighbor 192.168.5.2 soft-reconfiguration inbound
ARS BGP(config-router)> neighbor 192.168.6.2 soft-reconfiguration inbound
ARS BGP(config-router)> network 172.16.32.0/24/ Advertise your network
STEP 4: Configure BGP using CLI and Sending the outgoing traffic via Tunnel 1 and receiving the incoming traffic via Tunnel 1.
ARS BGP(config-router)> neighbor 192.168.5.2 route-map to31 in
ARS BGP(config-router)> neighbor 192.168.6.2 route-map to32 out
ip prefix-list 1 to31 permit 172.16.31.0/24
ip prefix-list 1 to32 permit 172.16.32.0/24
!
route-map to31 permit 10
match ip address prefix-list to31
set Local-preference 200
!
route-map to32 permit 10
match ip address prefix-list to32
set as-path prepend 1000 1000 1000 1000
Related Articles
- Decryption Policy and Setting up the Decryption Policy Table in SONICOSX 7
- Signatures database not downloaded for App control, IPS, GAV.