
Site to Site VPN with more than 2 internet connections.

ASIRWA Newbie ✭
edited January 2 in SSL VPN

I am doing Site to Site VPNs between multiple TZ-270s and a NSA-2700.

Each Sonicwall has two internet providers in a failover configuration.

Due to how one of the providers does their networking, the X0 interface has a private static IP. This IP has to be used by any other devices on that provider when connecting to it. For devices not on that provider there is a public static IP that maps to the private IP. Connections between devices on this provider cannot use the public IP to connect to each other.

Therefore each device may need to connect to 3 remote IPs and needs to accept connections from the same three.

IP1 normal operations.

IP2 if local device is on its secondary provider.

IP3 if remote device is on its secondary provider.

Can I use a DNS name with 2 IPs for the provider with the Private IPs?

Thanks.


Answers

  • Arkwright All-Knowing Sage ✭✭✭✭
    edited January 3

    A diagram might help here. I think you might be saying that there is some kind of CGN going on with one provider and for the firewalls to reach each other through that provider you have to use the private IP rather than the public? Is that right?

    Do you really mean X0? Private static IP on X0 is totally normal as it can only ever be LAN zone.

    I think your scenario might be suited to tunnel-mode VPNs with either route policies + probes, or SD-WAN. You bind these to a specific interface and they only accept one gateway IP, so this could work.

  • ASIRWA Newbie ✭

    X1 and X2 are WAN Zone

    X0 is LAN Zone (per default Sonicwall) as you caught.


    FW1 can connect using its X1 to FW2 @ 10.1.#.# and @ 201.1.#.# but not @ 200.1.#.#

    FW1 can connect using its X2 to FW2 @ 200.1.#.# and @ 201.1.#.# but not @ 10.1.#.#

  • MitatOnge All-Knowing Sage ✭✭✭✭

    @ASIRWA

    This scenario has a little bit of a problem for VPN phase 1. Behind the SonicWall1, the X1 interface gets its local IKE ID from the FW site ISP router interface IP, not the SonicWall FW2 interface IP; therefore you have to change it manually. Please check the logs for the X1 VPN.


    My advice for redundancy: you should create tunnel interfaces for each VPN and create policy-based routing.


    For information:

    Local IKE:

    Tunnel interface VPN:
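As an added illustration of the IKE ID point in the reply above (this is not code from the thread or from SonicWall), a small Python model of a phase 1 identity check when one firewall's WAN interface sits behind a provider's 1:1 NAT; all addresses and the default-ID behaviour are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed addresses (not from the thread): FW1's X1 is 10.1.1.1 inside the
# provider's network and is statically mapped to 201.1.1.1 outside it.
FW1_X1_PRIVATE = "10.1.1.1"
FW1_X1_PUBLIC = "201.1.1.1"


@dataclass(frozen=True)
class IkeIdentity:
    id_type: str  # "IPV4_ADDR" or "FQDN", as an IKE ID payload would carry
    value: str


def nat_translate(src_ip: str, private_ip: str, public_ip: str) -> str:
    """Model the provider's static 1:1 mapping. Only the packet's source address
    is rewritten; the ID payload travels inside the IKE message and is untouched."""
    return public_ip if src_ip == private_ip else src_ip


def default_local_id(interface_ip: str) -> IkeIdentity:
    """Assumed default: the local IKE ID is the sending interface's own address."""
    return IkeIdentity("IPV4_ADDR", interface_ip)


def responder_check(packet_src: str, presented: IkeIdentity, expected: IkeIdentity):
    """FW2 compares the presented ID with the peer ID it has configured.
    Returns (accepted, reason); a NAT hint is added when source and ID disagree."""
    nat_hint = ""
    if presented.id_type == "IPV4_ADDR" and presented.value != packet_src:
        nat_hint = f" (source on wire {packet_src} differs from ID: peer is behind NAT)"
    if presented != expected:
        return False, (f"ID {presented.id_type}:{presented.value} does not match "
                       f"expected {expected.id_type}:{expected.value}{nat_hint}")
    return True, "ID accepted" + nat_hint


def phase1_attempt(fw1_local_id: IkeIdentity, fw2_expected_peer_id: IkeIdentity):
    """FW1 (X1 behind the CGN provider) initiates to FW2; FW2 validates the ID."""
    src_on_wire = nat_translate(FW1_X1_PRIVATE, FW1_X1_PRIVATE, FW1_X1_PUBLIC)
    return responder_check(src_on_wire, fw1_local_id, fw2_expected_peer_id)


# Case 1: FW1 keeps the default ID (its private interface IP); FW2 expects the
# public address it was given as the gateway, so phase 1 fails.
default_case = phase1_attempt(default_local_id(FW1_X1_PRIVATE),
                              IkeIdentity("IPV4_ADDR", FW1_X1_PUBLIC))

# Case 2: FW1's local IKE ID is set manually to the public mapping, as advised.
manual_case = phase1_attempt(IkeIdentity("IPV4_ADDR", FW1_X1_PUBLIC),
                             IkeIdentity("IPV4_ADDR", FW1_X1_PUBLIC))
```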

