Apply BGP Route Map for Numbered VPN Tunnel Interface Between AWS and SonicWall



This article details how to configure a Site-to-Site VPN between AWS and SonicWall using a numbered Tunnel Interface, and how to apply a route map to influence the incoming and outgoing traffic.

Below is the outline of the VPN tunnel configuration between SonicWall and AWS:

  • Configuring the VPN Policy 
  • Configuring the Tunnel Interface 
  • Configuring the BGP routing
  • Configuring the Route-map
IP Addresses used in this article

                     Site A (NSA 6650)           AWS
Tunnel IP            192.168.5.1, 192.168.6.1    192.168.5.2, 192.168.6.2
Local Network        172.16.32.0/24              172.16.31.0/24
Peer Network (VPN)
BGP AS NUMBER        AS 65530                    AS 65532 / 65531


A route map can utilize access-lists, prefix-lists, as-path access lists, and community lists to create an effective route policy.


STEP 1: Go to Manage | VPN | Base Settings and click on Add. The VPN Policy window is displayed.

General tab:

Policy type: Tunnel Interface

Auth method: IKE using Preshared Secret

Local/Peer IKE ID: IPv4 Address

Note: When configuring a Numbered Tunnel Interface VPN, do not select “Allow Advance Routing” in the VPN Policy Advanced tab. This option is used for Unnumbered Tunnel Interfaces with Advanced Routing only.


NOTE: The Proposals tab settings must be identical on the Tunnel Interface VPNs of both appliances, and the policies should be bound to X1 and X2.

STEP 2: Configuring the Tunnel Interface.

Go to Manage | Network | Interfaces and, under the Add Interface field, select VPN Tunnel Interface to create the VPN tunnel interfaces on both appliances.


STEP 3: Configure BGP using the CLI.

config terminal                                     / Enter configuration mode
config# routing                                     / Enter the Routing module
(config-routing)# bgp                               / Enter the BGP module
ARS BGP> configure terminal                         / Enter configure mode
ARS BGP(config)> router bgp 65530                   / Set up the AS number on the SonicWall
ARS BGP(config-router)> neighbor remote-as 65532    / Configure the neighbor connection
ARS BGP(config-router)> neighbor remote-as 65531    / Configure the neighbor connection
ARS BGP(config-router)> neighbor soft-reconfiguration inbound
ARS BGP(config-router)> neighbor soft-reconfiguration inbound
ARS BGP(config-router)> network                     / Advertise your network

STEP 4: Configure the route maps using the CLI so that outgoing traffic is sent via Tunnel 1 and incoming traffic is received via Tunnel 1.

ARS BGP(config-router)> neighbor route-map to31 in
ARS BGP(config-router)> neighbor route-map to32 out

ip prefix-list 1 to31 permit 
ip prefix-list 1 to32 permit 

route-map to31 permit 10
  match ip address prefix-list to31
  set local-preference 200

route-map to32 permit 10
  match ip address prefix-list to32
  set as-path prepend 1000 1000 1000 1000
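To see why these two maps steer both directions onto Tunnel 1, here is an added Python model of the BGP decision process (example code, not from the article or from SonicOS): it applies to31 inbound and to32 outbound, then picks the best path by highest local-preference and, on a tie, shortest AS path. It assumes to31 is bound inbound on the Tunnel 1 neighbor, to32 outbound on the Tunnel 2 neighbor, and that the prefix lists match the two LAN prefixes from the table above.

```python
# Added example: model of the BGP path selection the two route maps rely on.
# Values come from the article's table; the tunnel-to-neighbor binding is assumed.
from dataclasses import dataclass, field, replace

LOCAL_AS = 65530             # SonicWall, Site A
AWS_NET = "172.16.31.0/24"   # learned from AWS, matched by prefix-list to31
SITE_NET = "172.16.32.0/24"  # advertised to AWS, matched by prefix-list to32

@dataclass
class Route:
    prefix: str
    via: str                               # tunnel the route is learned or sent over
    as_path: list = field(default_factory=list)
    local_pref: int = 100                  # BGP default when nothing sets it

def route_map_to31(r: Route) -> Route:
    """Inbound on the Tunnel 1 neighbor: prefer AWS's prefix when it arrives here."""
    return replace(r, local_pref=200) if r.prefix == AWS_NET else r

def route_map_to32(r: Route) -> Route:
    """Outbound on the Tunnel 2 neighbor: prepend 1000 four times, as in the article."""
    if r.prefix == SITE_NET:
        return replace(r, as_path=[1000, 1000, 1000, 1000] + r.as_path)
    return r

def advertise(r: Route, out_map=None) -> Route:
    """eBGP export: run the outbound route map, then prepend our own AS."""
    if out_map is not None:
        r = out_map(r)
    return replace(r, as_path=[LOCAL_AS] + r.as_path)

def best_path(candidates) -> Route:
    """Decision steps modelled here: highest LOCAL_PREF, then shortest AS_PATH."""
    return max(candidates, key=lambda r: (r.local_pref, -len(r.as_path)))

def sonicwall_choice() -> str:
    """AWS_NET arrives over both tunnels; only the Tunnel 1 neighbor runs to31 inbound."""
    t1 = route_map_to31(Route(AWS_NET, "tunnel1", [65532]))
    t2 = Route(AWS_NET, "tunnel2", [65531])
    return best_path([t1, t2]).via

def aws_choice() -> str:
    """AWS sees SITE_NET from both tunnels; the Tunnel 2 copy went through to32."""
    t1 = advertise(Route(SITE_NET, "tunnel1"))
    t2 = advertise(Route(SITE_NET, "tunnel2"), route_map_to32)
    return best_path([t1, t2]).via

if __name__ == "__main__":
    print("SonicWall sends to 172.16.31.0/24 via", sonicwall_choice())
    print("AWS sends to 172.16.32.0/24 via", aws_choice())
```

Without the maps both candidates tie on local-preference and AS path length, so the choice would fall through to later tie-breakers instead of deterministically landing on Tunnel 1.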
