Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".


Setup IPSec tunnel/site2site on BGP assigned public IP address


I have NSa 3650 HA (Active/Passive) cluster stretched between two Datacenters.

in each I have Internet connection to the same provider with BGP address but different connection links:

Let's assume:

Datacenter I (X1) - gateway

Datacenter II (X2) gateway

all gateways are BGP neighbors of the same private AS

BGP network is

I need to set VPN connection to 3rd party and give them IP address as my VPN address, so I don't have to care about my VPN tunnels during failover.

Is it possible?. I know that on Fortigate it is possible but on Sonicwall I have problem (IMHO) with setting this policy bound to in advanced setting in vpn interface/site2site setup.

Any ideas?

Category: Mid Range Firewalls


  • Options
    TKWITSTKWITS Community Legend ✭✭✭✭✭ is an RFC 1918 address and no one will route to it. Im assuming you are just masking the real one.

    AFAIK BGP configuration is only possible on the CLI, so you might have to try configuring your tunnel there.

  • Options
    BbialyBbialy Newbie ✭

    @TKWITS you're right. ip address are just an example. I could use A.B.C.D.

    I know that BGP on sonicwall is only by CLI. The real question is: Does anyone know how to bind VPN policy (either tunnel interface or site2site) to BGP IP address. As far as I was able to dig in, sonicwall allows to bind VPN to an IP address which is set on interface and I was wondering if someone was smarter than me. it even doesn't allow to set VPN to address within pool of IP addresses set on Interface. i.e. my WAN network so my X1 might be with gateway pointing in that particular case i'm not able to setup VPN on address

    I'm most interested in setting up VPN on BGP addresses. Anyone?

  • Options
    TKWITSTKWITS Community Legend ✭✭✭✭✭

    I do not have experience setting up a VPN tunnel using a BGP address.

    Have you tried seeing what options are available for configuring the tunnels 'bound-to' settings in the CLI?

    Contact support and let us know what you come up with.

  • Options
    BbialyBbialy Newbie ✭
    edited February 2023
    I already tried to contact support regarding the case… but they didn’t convince me. Rather I had impression that they didn’t quite understood my problem. (I didn’t had luck to reach us support, but far far east :-) if you know what i mean). Bound to ZONE Wan is only valid setting for site2site (it is not possible to set it on tunnel interface). Even though all vpn traffic goes out from router with interface source ip. Incoming traffic is banned by firewall because of ip spoofing. When I disable ip, on dish page, incoming IKE packets dropped by other mechanisms (can’t remember right now but for sure it WASN’T network policy ).

    Sad thing is that on FORTIGATE such config is available even with hardware acceleration even on internally routed VDOMs.
    I thought I will be able to kick forti, but know it isn’t so obvious.

    For all interested: case number 44155819.
  • Options
    ArkwrightArkwright All-Knowing Sage ✭✭✭✭

    What do you mean by "BGP assigned public IP address"? BGP is a way of exchanging routing information, not assigning IPs, right?

    I feel like your real question is, how do I bind a VPN policy to an IP that doesn't belong to an interface?, to which I think the answer is "you can't".

    Even though all vpn traffic goes out from router with interface source ip. Incoming traffic is banned by firewall because of ip spoofing.

    So...maybe my interpretation of your question is wrong? "with interface source ip": is this the IP you're expecting and wanting it to use, but the replies are discarded? You can disable "IP Spoof checking" in the internal settings.

  • Options
    BbialyBbialy Newbie ✭


    "What do you mean by "BGP assigned public IP address"?"

    • - I mean to bind VPN policy to one of available IP address from BGP pool which I advertise to my ISP.

    • and your guess is right, but I hope that your answer is wrong (unfortunately this hope is small and poor) but I'm still fighting.
    • anybody other ideas.
    • DNAT --> all traffic to far end IP of IPSec tunnel should go with specified IP from BGP IP Pool?
    • routing -->
    • IPSec from CLI?
    • any hidden setting on diag page?
    • anything :-)

Sign In or Register to comment.