Cradlepoint to Sonicwall Redundant Tunnel
Current Setup -
Home Office - Stacked NSA2700s with a single 500x500 DIA from Charter
Mobile Units - 30x Cradlepoint IBR1700
Setup - Site-to-Site IPsec tunnel from each IBR1700 back to the head office. We operate in tunnel-all mode because of specific security policies: our field traffic must come from our public IP at the home office.
Home Office - We've added a backup 100x100 DIA from Horizon
The Goal - is to add redundant VPN tunnels from each mobile unit, so if Charter fails, Horizon becomes active, etc.
The issue - when using standard site-to-site IPsec tunnels, the NSAs throw an overlapping-subnets error, since the destination is defined on the tunnel policy.
Is it possible to build route-based tunnels from the Cradlepoint to each IP of the NSA2700s? What would be your best practice in this scenario?
Standard site-to-site policy-based VPNs do not allow the configuration of redundant tunnels to the same remote internal networks using two different IPsec gateways. They do allow a 'secondary IPsec gateway' as a backup peer (via Horizon) when the VPN negotiation gets no response from the 'primary IPsec gateway' (via Charter). But this is not true redundancy with two parallel VPN tunnels; it is one VPN tunnel that comes up only when the other fails.
In your case, route-based VPN using an unnumbered/numbered Tunnel Interface (TI) is the best option, so that both VPN tunnels are up at the same time without the destination address overlap; the preferred VPN tunnel is then used over the other by giving a lower route metric to the former and a higher one to the latter.
The KB article below will help you configure a route-based VPN with a Tunnel Interface and then add a static route with a metric to the destination network. You can thus create two VPNs to the Cradlepoint, one via Charter and the other via Horizon, and then make the static route via the Charter tunnel with a lower metric (higher precedence) and the route via the Horizon tunnel with a higher metric (lower precedence), so traffic passes through the former, and in the event the VPN over Charter is down, the Horizon VPN is used.
If the above doesn't answer your question, please feel free to contact our Technical Support at https://www.sonicwall.com/support/contact-support/ to speak to a Technical Support Engineer who can assist you over the phone to address your issue.
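The contrast the answer draws, policy-based VPN rejecting a second policy for the same remote network versus route-based VPN choosing between two live tunnel interfaces by metric, modelled as a small Python example. This is an added illustration, not code from the thread or from SonicWall or Cradlepoint; the tunnel names, the 10.50.0.0/24 mobile-unit subnet and the metric values are constructed assumptions, and the selection rule (only tunnels that are up, longest prefix first, then lowest metric) is the generic route-lookup behaviour the answer relies on, not a reproduction of SonicOS internals.

```python
"""Policy-based vs route-based VPN redundancy, as a constructed model."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


class OverlapError(ValueError):
    """A policy-based VPN already covers this destination network."""


class PolicyVpnTable:
    """Policy-based site-to-site VPN: one policy per remote (destination) network.

    A second policy whose destination overlaps an existing one is rejected,
    which is why two parallel tunnels to the same mobile subnet cannot coexist.
    """

    def __init__(self) -> None:
        self._policies: Dict[ipaddress.IPv4Network, str] = {}

    def add_policy(self, destination: str, peer_gateway: str) -> None:
        dest = ipaddress.ip_network(destination)
        for existing in self._policies:
            if existing.overlaps(dest):
                raise OverlapError(f"{dest} overlaps existing policy for {existing}")
        self._policies[dest] = peer_gateway


@dataclass
class TunnelRoute:
    destination: ipaddress.IPv4Network
    interface: str  # tunnel interface name (assumed, e.g. "tun_charter")
    metric: int     # lower metric wins when prefixes are equal


class RouteBasedVpn:
    """Route-based VPN: tunnel interfaces plus static routes with metrics."""

    def __init__(self) -> None:
        self._tunnel_up: Dict[str, bool] = {}
        self._routes: List[TunnelRoute] = []

    def add_tunnel(self, name: str, up: bool = True) -> None:
        self._tunnel_up[name] = up

    def set_tunnel_state(self, name: str, up: bool) -> None:
        self._tunnel_up[name] = up

    def add_route(self, destination: str, interface: str, metric: int) -> None:
        # Two routes to the same destination are fine here; metric decides.
        self._routes.append(TunnelRoute(ipaddress.ip_network(destination), interface, metric))

    def lookup(self, dst_ip: str) -> Optional[str]:
        """Return the tunnel interface that would carry traffic to dst_ip."""
        addr = ipaddress.ip_address(dst_ip)
        live = [r for r in self._routes
                if addr in r.destination and self._tunnel_up.get(r.interface, False)]
        if not live:
            return None
        best = min(live, key=lambda r: (-r.destination.prefixlen, r.metric))
        return best.interface


def head_office_scenario() -> RouteBasedVpn:
    """Head office with two tunnel interfaces to one mobile unit (constructed)."""
    vpn = RouteBasedVpn()
    vpn.add_tunnel("tun_charter")   # VPN over the Charter DIA
    vpn.add_tunnel("tun_horizon")   # VPN over the Horizon DIA
    # Same destination twice: preferred path gets the lower metric.
    vpn.add_route("10.50.0.0/24", "tun_charter", metric=1)
    vpn.add_route("10.50.0.0/24", "tun_horizon", metric=10)
    return vpn


def demo_failover() -> List[Optional[str]]:
    """Selected interface for 10.50.0.7 as the Charter tunnel goes down and comes back."""
    vpn = head_office_scenario()
    chosen = [vpn.lookup("10.50.0.7")]           # both up: Charter (metric 1)
    vpn.set_tunnel_state("tun_charter", up=False)
    chosen.append(vpn.lookup("10.50.0.7"))       # Charter down: Horizon
    vpn.set_tunnel_state("tun_horizon", up=False)
    chosen.append(vpn.lookup("10.50.0.7"))       # both down: no route
    vpn.set_tunnel_state("tun_charter", up=True)
    chosen.append(vpn.lookup("10.50.0.7"))       # Charter back: preferred again
    return chosen


def policy_overlap_rejected() -> bool:
    """Policy-based attempt at the same redundancy: second policy is refused."""
    table = PolicyVpnTable()
    table.add_policy("10.50.0.0/24", "charter-peer")
    try:
        table.add_policy("10.50.0.0/24", "horizon-peer")
    except OverlapError:
        return True
    return False


if __name__ == "__main__":
    print("route-based failover sequence:", demo_failover())
    print("policy-based second tunnel rejected:", policy_overlap_rejected())
```

The model only reflects route selection; on a real firewall the Charter tunnel must actually be marked down (via DPD or a probe) before the higher-metric route takes over, so check that the tunnel interface state, not just the static route, drives the failover.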