Site-to-site VPN issue
I am having a problem setting up a site-to-site VPN with my test network in AWS.
We have a VPC 172.31.0.0/16 and a subnet 172.31.16.0/20; in this subnet there is a single server, 172.31.16.222 (this server has one public IP).
Our on-prem LAN is 10.0.0.0/8 with subnet 10.0.0.0/24, and we have an NSa 3650 in front.
In AWS I created a customer gateway with the public IP of our SonicWall and also created a Virtual Private Gateway and attached it to the VPC above.
After that I created a site-to-site VPN on the AWS side, downloaded the configuration file for the SonicWall and used it to configure the site-to-site VPN on our SonicWall.
On the SonicWall I created an address object for the VPN zone with network 172.31.0.0/16 and used it to create the site-to-site VPN.
Now no connection is established between the SonicWall and AWS. In the AWS document that we downloaded we see 2 public IPs and 2 inside IPs for the AWS side; the inside IPs are 169.254.128.64/30 and 169.254.129.68/30.
We have created just one tunnel instead of two, and as I mentioned no connection is established.
I think you need to set up a numbered tunnel interface VPN. Please take a look at the KB below.
Kindly use the 169.254.128.64/30 and 169.254.129.68/30 addresses on the VPN tunnel interface.
Technical Support Advisor, Premier Services
Can you provide screenshots, or more detailed description, of the Sonicwall tunnel config? While you have provided good information it is incomplete.
Thanks for your reply,
This document mentions a VPN connection between 2 SonicWalls; can we also use it to set up a site-to-site connection to AWS cloud services?
I shared that KB to show how tunnel interface VPNs need to be configured. We also support AWS integration with SonicWall now, so you could use the following method too.
Technical Support Advisor, Premier Services
Thank you for your update,
We did follow the document that we downloaded from the AWS side and configured a single tunnel, but still no connection to AWS.
I think it doesn't work because the document says
config(SerialNumber)# tunnel-interface vpn T1
(add-interface[T1])# policy vpn-074f91b9e92c27536-0
(add-interface[T1])# ip-assignment VPN static
(add-VPN-static)# ip 169.254.128.66 netmask 255.255.255.252
But before doing this, I would like to know whether creating this VPN interface will have any effect on our other existing site-to-site VPN connections on this production NSa 3650.
Hi @mrshahin, you don't need to set up VPN Tunnel Interfaces. In the AWS txt file you will have proper public IP addresses, usually one for each policy for AWS, not just the 169 ones; use the real ones. Be careful to also note that sometimes the shared secrets provided end with characters like a full stop, so be sure to include this.
Just set up a site-to-site VPN, one for each AWS real public IP, set the VPN type to Tunnel Interface, set up the proposals, then choose the outgoing WAN interface to use in the Advanced tab.
Then set up the routes in the Routing section on the SonicWall (source: your network, destination: AWS network, interface: the VPN name), one for each VPN policy, or use one route with multipath if preferred and put them all in one. If you are setting up different WAN interfaces on the SonicWall to each Amazon public IP for failover, make sure you enable Asynchronous routing on the WAN interfaces.
Hi @preston, thank you for your reply,
We have already set up a VPN with the proper public IP of AWS as type Tunnel Interface.
You are right, my shared secret starts with a dot (.), which was a bit strange to me, but anyway I did try both with the dot and without it.
These are what I set up:
If I understand you correctly there is no need to create a VPN interface, and I just create a route with these settings; is this correct?
Hi @mrshahin, yes, just create the VPN policy as type Tunnel Interface, then create the routes as you are doing. Just make sure to give the failover one a different metric, so if the primary is 1 set the backup to 5. You can also include the backup one in the same routing policy if you choose the multipath option, by putting the primary one at the top and the backup below.
Just to check, you are not using the VPN Tunnel Interfaces in Network/Interfaces, as these aren't needed.
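The following is an added worked example, not code from this thread or from SonicWall or AWS. It takes the per-tunnel values an AWS site-to-site VPN download provides (the two inside /30 CIDRs quoted above; the public IPs and shared secrets are constructed placeholders), derives the inside address each side would use on a numbered tunnel interface, flags shared secrets whose leading or trailing punctuation is easy to lose when copying, and builds one route per VPN policy with the primary/backup metrics suggested above. The assumption that AWS takes the first usable address of each /30 and the customer gateway the second matches the `ip 169.254.128.66` line quoted from the downloaded config.

```python
import ipaddress
import string

# Constructed sample of what an AWS site-to-site VPN configuration download
# provides per tunnel. The inside CIDRs are the ones from the thread; the
# outside (public) IPs and shared secrets are placeholders, not real values.
AWS_TUNNELS = [
    {"name": "Tunnel 1", "aws_outside_ip": "203.0.113.10",
     "inside_cidr": "169.254.128.64/30", "psk": ".ExamplePSK-tunnel-one"},
    {"name": "Tunnel 2", "aws_outside_ip": "203.0.113.11",
     "inside_cidr": "169.254.129.68/30", "psk": "ExamplePSK-tunnel-two."},
]

LOCAL_NET = "10.0.0.0/24"     # on-prem subnet behind the NSa 3650
REMOTE_NET = "172.31.0.0/16"  # AWS VPC CIDR


def inside_addresses(cidr):
    """Split a tunnel's inside /30 into its two usable host addresses.

    Assumption (consistent with the downloaded config quoted in the thread,
    where the customer side of 169.254.128.64/30 is .66): AWS takes the first
    usable address and the customer gateway takes the second.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.prefixlen != 30:
        raise ValueError(f"inside CIDR must be a /30, got {cidr}")
    aws_side, customer_side = net.hosts()
    return {"aws": str(aws_side), "customer": str(customer_side),
            "netmask": str(net.netmask)}


def psk_needs_care(psk):
    """True when the secret begins or ends with punctuation or whitespace,
    which copy/paste or an input field that trims values would silently drop."""
    if not psk:
        raise ValueError("empty pre-shared key")
    edge_chars = string.punctuation + string.whitespace
    return psk[0] in edge_chars or psk[-1] in edge_chars


def build_routes(tunnels, local_net, remote_net):
    """One route per VPN policy: the first tunnel is primary (metric 1),
    later ones are backups with a higher metric (5)."""
    routes = []
    for index, tunnel in enumerate(tunnels):
        routes.append({
            "source": local_net,
            "destination": remote_net,
            "interface": f"VPN {tunnel['name']}",  # policy name used as the route interface
            "metric": 1 if index == 0 else 5,
        })
    return routes


def plan(tunnels=AWS_TUNNELS, local_net=LOCAL_NET, remote_net=REMOTE_NET):
    """Summarise each tunnel's addressing, flag secrets that need care,
    and return the matching route list."""
    summary = []
    for tunnel in tunnels:
        addrs = inside_addresses(tunnel["inside_cidr"])
        summary.append({
            "name": tunnel["name"],
            "peer": tunnel["aws_outside_ip"],
            "aws_inside": addrs["aws"],
            "sonicwall_inside": addrs["customer"],
            "netmask": addrs["netmask"],
            "psk_edge_chars": psk_needs_care(tunnel["psk"]),
        })
    return summary, build_routes(tunnels, local_net, remote_net)


if __name__ == "__main__":
    tunnels, routes = plan()
    for t in tunnels:
        note = "  <- secret has leading/trailing characters, keep them" if t["psk_edge_chars"] else ""
        print(f"{t['name']}: peer {t['peer']}, AWS inside {t['aws_inside']}, "
              f"SonicWall inside {t['sonicwall_inside']}/{t['netmask']}{note}")
    for r in routes:
        print(f"route {r['source']} -> {r['destination']} via {r['interface']} metric {r['metric']}")
```

Running it prints the two tunnels with AWS inside addresses .65 and .69 and SonicWall inside addresses .66 and .70, marks both sample secrets as needing their edge characters kept, and lists a metric-1 route via "VPN Tunnel 1" and a metric-5 route via "VPN Tunnel 2"; with the policy-based approach described above the address derivation is informational only, while the secret check and route metrics apply either way.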
@preston Thanks again for the update,
Do we need to create both VPNs? I mean we are going to run some tests first and later we will create the second VPN as well.
@mrshahin, you might find you need both tunnels up for it to work correctly, as I've seen with AWS that they route the traffic via both tunnels.
Thank you for your reply. I just created 2 firewall access rules, one from LAN to AWS and the other from AWS to LAN, and after that created a route as in my last screenshot, but my route is just gray!!
Any idea why this route is grayed out?
Hi @preston, thank you very much. I followed your document and now the tunnel is active and I can ping and RDP to my EC2 instance in AWS.
Thank you and really appreciate your help.
@mrshahin, no problem, glad to help.