Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

Site-To-Site VPN From TZ600 to AWS

I am currently using a TZ600 to connect to my aws vpn tunnel. I am currently using a tunnel interface.

Everything seems to be working fine for the first hour and then the connection drops.

From the logs it looks like the IKE SA lifetime expired. For some reason the initiator try's to connect again but can only get to phase 1. The way to get it running again is to pretty much enable and disable the vpn on the sonicwall and then it works for an hour again. After that it drops. I also have stay alive enabled.

I am on the latest firmware 6.5.4.7-83n. If anyone has any ideas what might be causing this it would be great.

Category: Entry Level Firewalls
Reply
Tagged:

Answers

  • Hello @bobby_d ,

    Kindly set the phase 1 and phase 2 lifetimes on the SonicWall as set on the AWS end. Most probably the new keys are generated sooner on AWS end and not on the firewall due to mismatch in lifetime.

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • bobby_dbobby_d Newbie ✭

    Thank you. Let me test that out and see what the default is on AWS side.

  • bobby_dbobby_d Newbie ✭

    So i checked and aws is set for 3600 for phase 1 and phase 2. That is what i had it set for on the sonicwall.

    I changed the sonicwall to 1800 for phase 1 and 2. It worked good for the first hour and a half the it dropped cause IKE SA lifetime expired. It looks like it came back up 30 seconds later. So it looks like I am making progress. Any other ideas I can try.

  • Hello @bobby_d,

    3600 and 1800 are very low lifetimes at least for phase 1 set ups. I would suggest to use the default value 28800 on both ends. Also, please make sure that either the SonicWall or AWS is the initiator and not both.

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • AjishlalAjishlal Cybersecurity Overlord ✭✭✭

    Hi @bobby_d ,

    If you're experiencing idle timeouts due to low traffic on a VPN tunnel:

    Be sure that there's constant bidirectional traffic between your local network and your VPC. If necessary, create a host that sends ICMP requests to an instance in your VPC every 5 seconds.

    Check the SonicWALL VPN policy idle timeout settings. When there's no traffic through a VPN tunnel for the duration of your SonicWALL specific VPN idle time, the IPsec session terminates.

    For More Information please see the AWS KB;


  • bobby_dbobby_d Newbie ✭

    Thanks I think it is working now. I set phase 1 to 28800 and set phase 2 to 3600. This seems to be working.

  • bobby_dbobby_d Newbie ✭

    Right now no traffic is going through it. I am just testing this out. I left keep alive on on the tunnel. It seems to be working now since i changed the phase 1 and phase 2 timeouts.

  • MarkDMarkD Newbie ✭

    Export the AWS VPN config file - check the lifetime timers match on your configuration this is one we have.

    IKE version       : IKEv1 

     - Lifetime         : 28800 seconds

     - Phase 1 Negotiation Mode : main

     - Diffie-Hellman      : Group 2

    IPSEC

     - Lifetime         : 3600 seconds

     - Mode           : tunnel

     - Perfect Forward Secrecy : Diffie-Hellman Group 2

    IPSec Dead Peer Detection (DPD) will be enabled on the AWS Endpoint. We

    recommend configuring DPD on your endpoint as follows:

     - DPD Interval       : 10

     - DPD Retries       : 3

Sign In or Register to comment.