
Cradlepoint to Sonicwall Redundant Tunnel

Current Setup -

Home Office - Stacked NSA2700s with a single 500x500 DIA from Charter

Mobile Units - 30x Cradlepoint IBR1700

Setup - Site-to-Site IPSEC tunnel from each IBR1700 back to the Head Office. We operate in tunnel-all mode because of specific security policies; our field traffic must come from our public at the home office.

The Change -

Home Office - We've added a backup 100x100 DIA from Horizon

The Goal - to add redundant VPN tunnels from each mobile, so if Charter fails, Horizon will become active, etc.

The issue - when using standard Site-to-Site IPSEC tunnels, the NSA's error with overlapping subnets is defined on the destination policy of the tunnel.

Is it possible to use route-based tunnels from the Cradlepoint to each IP of the NSA2700s? What would be your best practice in this scenario?

Category: Mid Range Firewalls


  • Mr_Klaatu SonicWall Employee


    Standard Site to Site Policy Based VPNs do not allow the configuration of redundant tunnels to the same remote internal networks using 2 different IPSec Gateways. They do allow a 'secondary IPsec gateway' as a backup peer (with Horizon) when the VPN negotiation fails to get a response from the 'primary IPsec gateway' (with Charter). But this is not true redundancy with 2 parallel VPN tunnels, but rather 1 VPN tunnel used only when the other fails.

    In your case, Route Based VPN using an unnumbered/numbered Tunnel Interface (TI) is the best option, so as to have both VPN tunnels up at the same time without the destination address overlap; the desired VPN tunnel can then be preferred over the other by using a lower route metric on the former and a higher one on the latter.

    The KB article below will help you configure a Route Based VPN with a Tunnel Interface and then add a static route with a metric to the destination network. You can thus create 2 VPNs to the Cradlepoint, one via Charter and the other via Horizon, and then make the static route via the Charter tunnel with a lower metric (higher precedence) and the route via the Horizon tunnel with a higher metric (lower precedence), so the traffic will pass through the former, and in the event the VPN over Charter is down, the Horizon VPN is used.

    If the above doesn't answer your question, please feel free to contact our Technical Support at to speak to a Technical Support Engineer who can assist you over the Phone to address your issue.
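
The difference described in the reply above, as a simplified model added here (not part of the original thread and not SonicWall or Cradlepoint code): a policy-based setup refuses a second policy to the same destination network, while a route-based setup keeps two routes and picks by metric among tunnels that are up. The subnet `10.50.1.0/24`, the tunnel interface names `TI-Charter` and `TI-Horizon`, and the metric values are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample values: one mobile unit's LAN and two hypothetical tunnel interfaces.
MOBILE_LAN = ipaddress.ip_network("10.50.1.0/24")

@dataclass
class PolicyVpn:
    name: str
    remote_net: ipaddress.IPv4Network

@dataclass
class Route:
    dest: ipaddress.IPv4Network
    tunnel_if: str
    metric: int

ROUTES = [
    Route(MOBILE_LAN, "TI-Charter", 10),   # lower metric = preferred
    Route(MOBILE_LAN, "TI-Horizon", 20),   # higher metric = backup
]

def add_policy_vpn(policies, new):
    """Policy-based model: a second policy with an overlapping destination is refused."""
    for p in policies:
        if p.remote_net.overlaps(new.remote_net):
            raise ValueError(f"{new.name}: {new.remote_net} overlaps {p.name}")
    policies.append(new)

def select_route(routes, tunnel_up, dst_ip):
    """Route-based model: among routes whose tunnel is up, longest prefix then lowest metric."""
    ip = ipaddress.ip_address(dst_ip)
    live = [r for r in routes if ip in r.dest and tunnel_up.get(r.tunnel_if, False)]
    if not live:
        return None  # no tunnel up: no path to the mobile LAN
    return min(live, key=lambda r: (-r.dest.prefixlen, r.metric))

if __name__ == "__main__":
    policies = []
    add_policy_vpn(policies, PolicyVpn("mobile-via-charter", MOBILE_LAN))
    try:
        add_policy_vpn(policies, PolicyVpn("mobile-via-horizon", MOBILE_LAN))
    except ValueError as err:
        print("policy-based:", err)
    for state in ({"TI-Charter": True, "TI-Horizon": True},
                  {"TI-Charter": False, "TI-Horizon": True}):
        print("route-based:", state, "->", select_route(ROUTES, state, "10.50.1.20").tunnel_if)
```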
