Apply BGP Route Map for Numbered VPN Tunnel Interface Between AWS and SonicWall
11/16/2023
Description
This article explains how to build a Site-to-Site VPN between AWS and a SonicWall using two numbered Tunnel Interfaces, run BGP over them, and apply route-maps so that both outgoing and incoming traffic is steered onto one preferred tunnel while the other remains a standby.
The topology used for the VPN tunnel configuration between the SonicWall and AWS is described below. The steps are:
- Configuring the VPN Policy
- Configuring the Tunnel Interface
- Configuring the BGP routing
- Configuring the Route-map
IP addresses used in this article

| | Site A (NSA 6650) | AWS |
|---|---|---|
| WAN IP | X1: 10.20.1.2, X2: 10.30.1.2 | 10.6.220.65, 10.6.210.2 |
| Tunnel IP | Tunnel 1: 192.168.5.1, Tunnel 2: 192.168.6.1 | Tunnel 1: 192.168.5.2, Tunnel 2: 192.168.6.2 |
| Local Network | 172.16.32.0/24 | 172.16.31.0/24 |
| Peer Network (VPN) | 172.16.31.0/24 | 172.16.32.0/24 |
| BGP AS number | AS 65530 | Tunnel 1: AS 65532, Tunnel 2: AS 65531 |
Cause
A route-map selects routes with access-lists, prefix-lists, AS-path access-lists or community lists and then sets BGP attributes on the routes it matches; that combination of match and set is what turns BGP into an effective routing policy. In this article prefix-lists select the two networks, and local-preference and AS-path prepending do the steering.
Resolution
STEP 1: Go to Manage | VPN | Base Settings and click on Add. The VPN Policy window is displayed.
General tab:
Policy type: Tunnel Interface
Auth method: IKE using Preshared Secret
Local/Peer IKE ID: IPv4 Address
Note: When configuring a Numbered Tunnel Interface VPN, do not select "Allow Advanced Routing" on the Advanced tab of the VPN Policy. That option is only for Unnumbered Tunnel Interfaces with Advanced Routing.
NOTE: The Proposals tab settings must be identical on the Tunnel Interface VPN policies of both appliances. Create one policy per tunnel and bind the first to X1 and the second to X2, so that each tunnel rides a different WAN interface.
STEP 2: Configuring the Tunnel Interface.
Go to Manage | Network | Interfaces, under Add Interface field, select VPN Tunnel Interface to create the VPN tunnel interfaces on both appliances.
STEP 3: Configure BGP using the CLI.
Config terminal
config# routing / Enter the routing module
(config-routing)# bgp / Enter the BGP module
ARS BGP> configure terminal / Enter configure mode
ARS BGP(config)> router bgp 65530 / Set the SonicWall's AS number
ARS BGP(config-router)> neighbor 192.168.5.2 remote-as 65532 / AWS peer on Tunnel 1
ARS BGP(config-router)> neighbor 192.168.6.2 remote-as 65531 / AWS peer on Tunnel 2
ARS BGP(config-router)> neighbor 192.168.5.2 soft-reconfiguration inbound / Keep a copy of received routes so inbound policy changes can be re-applied without resetting the session
ARS BGP(config-router)> neighbor 192.168.6.2 soft-reconfiguration inbound
ARS BGP(config-router)> network 172.16.32.0/24 / Advertise the local network to both peers
STEP 4: Apply route-maps so that outgoing traffic leaves via Tunnel 1 and incoming traffic returns via Tunnel 1.
Each direction needs its own lever:
- Outgoing (SonicWall to AWS): route-map to31, applied inbound on the Tunnel 1 neighbor, raises the local preference of 172.16.31.0/24 learned over Tunnel 1 to 200 (the BGP default is 100). Local preference is the first tie-breaker in BGP path selection, so the SonicWall forwards to 172.16.31.0/24 via Tunnel 1 while that session is up; if Tunnel 1 fails, the copy learned over Tunnel 2 (local preference 100) takes over automatically.
- Incoming (AWS to SonicWall): route-map to32, applied outbound on the Tunnel 2 neighbor, prepends four AS hops to 172.16.32.0/24 as advertised over Tunnel 2. The AWS side sees a longer AS path via Tunnel 2 than via Tunnel 1 and sends return traffic over Tunnel 1.
Define the prefix-lists and route-maps first, then attach them to the neighbors under router bgp:
ip prefix-list to31 seq 1 permit 172.16.31.0/24 / Prefix learned from AWS
ip prefix-list to32 seq 1 permit 172.16.32.0/24 / Prefix advertised to AWS
!
route-map to31 permit 10
match ip address prefix-list to31
set local-preference 200
!
route-map to32 permit 10
match ip address prefix-list to32
set as-path prepend 1000 1000 1000 1000
!
ARS BGP(config-router)> neighbor 192.168.5.2 route-map to31 in / Tunnel 1 neighbor, inbound
ARS BGP(config-router)> neighbor 192.168.6.2 route-map to32 out / Tunnel 2 neighbor, outbound
Caveats: a route-map ends with an implicit deny, so to31 drops every prefix received from the Tunnel 1 neighbor other than 172.16.31.0/24, and to32 advertises nothing but 172.16.32.0/24 to the Tunnel 2 neighbor; add further permit sequences if more prefixes are exchanged. The AS numbers prepended are conventionally your own AS (65530 here); prepending a number that belongs to another network can cause that network to reject the route as a loop. Because Step 3 enabled soft-reconfiguration inbound, a changed inbound policy can be re-evaluated with a soft reset instead of tearing the session down.
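The following Python model is an added example, not SonicOS or AWS code, illustrating the route-map mechanics described in the Cause section and in Step 4. It implements prefix-list matching with the implicit deny, route-map sequences with their set actions, and the first two BGP best-path tie-breakers (highest LOCAL_PREF, then shortest AS_PATH). The addresses and AS numbers are those from the table above; the "AWS side" decision is a constructed stand-in for the real AWS BGP speakers, and the prefix 10.6.220.0/24 used to show filtering is constructed for the example.

```python
"""Model of how the Step 4 route-maps steer both directions onto Tunnel 1.

Added example: not SonicOS or AWS code. The AWS-side best-path decision is a
constructed stand-in for the real AWS BGP speakers.
"""
from dataclasses import dataclass, replace
import ipaddress


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str
    as_path: tuple         # leftmost entry is the most recently prepended AS
    local_pref: int = 100  # BGP default when no policy sets it


def prefix_list_permits(entries, prefix):
    """Evaluate an ordered prefix-list; no matching entry -> implicit deny."""
    net = ipaddress.ip_network(prefix)
    for action, entry in entries:  # entries look like ("permit", "172.16.31.0/24")
        if net == ipaddress.ip_network(entry):  # exact match only (no ge/le)
            return action == "permit"
    return False


def apply_route_map(sequences, prefix_lists, route):
    """First matching sequence wins. A matched 'deny' or no match at all drops
    the route (returned as None): this is the implicit deny that also filters
    every prefix not listed in to31/to32."""
    for action, plist_name, sets in sequences:
        if not prefix_list_permits(prefix_lists[plist_name], route.prefix):
            continue
        if action == "deny":
            return None
        for key, value in sets.items():
            if key == "local-preference":
                route = replace(route, local_pref=value)
            elif key == "as-path prepend":
                route = replace(route, as_path=tuple(value) + route.as_path)
        return route
    return None


def best_path(routes):
    """Highest LOCAL_PREF, then shortest AS_PATH, then lowest next hop (the last
    step stands in for the remaining BGP tie-breakers)."""
    live = [r for r in routes if r is not None]
    return min(live, key=lambda r: (-r.local_pref, len(r.as_path),
                                    int(ipaddress.ip_address(r.next_hop))))


def is_tie(routes):
    """True when LOCAL_PREF and AS_PATH length cannot separate the candidates."""
    live = [r for r in routes if r is not None]
    return len({(r.local_pref, len(r.as_path)) for r in live}) == 1


# The Step 4 policy, transcribed into data.
PREFIX_LISTS = {
    "to31": [("permit", "172.16.31.0/24")],
    "to32": [("permit", "172.16.32.0/24")],
}
ROUTE_MAPS = {
    "to31": [("permit", "to31", {"local-preference": 200})],
    "to32": [("permit", "to32", {"as-path prepend": (1000, 1000, 1000, 1000)})],
}


def sonicwall_outbound_next_hop(use_policy=True):
    """SonicWall's choice for 172.16.31.0/24. Both AWS neighbors advertise it;
    route-map to31 is applied inbound on the Tunnel 1 neighbor only."""
    via_t1 = Route("172.16.31.0/24", "192.168.5.2", (65532,))
    via_t2 = Route("172.16.31.0/24", "192.168.6.2", (65531,))
    if use_policy:
        via_t1 = apply_route_map(ROUTE_MAPS["to31"], PREFIX_LISTS, via_t1)
    return best_path([via_t1, via_t2]).next_hop


def aws_inbound_next_hop(use_policy=True):
    """Constructed AWS-side view of 172.16.32.0/24: route-map to32 is applied
    outbound toward the Tunnel 2 neighbor only, so that copy carries the
    prepended AS path."""
    adv_t1 = Route("172.16.32.0/24", "192.168.5.1", (65530,))
    adv_t2 = Route("172.16.32.0/24", "192.168.6.1", (65530,))
    if use_policy:
        adv_t2 = apply_route_map(ROUTE_MAPS["to32"], PREFIX_LISTS, adv_t2)
    return best_path([adv_t1, adv_t2]).next_hop


def policy_free_choice_is_a_tie():
    """Without the route-maps both tunnels look identical on LOCAL_PREF and
    AS_PATH, so the choice falls to tie-breakers the operator does not control."""
    via_t1 = Route("172.16.31.0/24", "192.168.5.2", (65532,))
    via_t2 = Route("172.16.31.0/24", "192.168.6.2", (65531,))
    return is_tie([via_t1, via_t2])


def unlisted_prefix_is_dropped():
    """Anything received over Tunnel 1 that prefix-list to31 does not permit is
    silently filtered by the inbound route-map (10.6.220.0/24 is constructed)."""
    extra = Route("10.6.220.0/24", "192.168.5.2", (65532,))
    return apply_route_map(ROUTE_MAPS["to31"], PREFIX_LISTS, extra) is None


if __name__ == "__main__":
    print("outbound via", sonicwall_outbound_next_hop())  # 192.168.5.2 (Tunnel 1)
    print("inbound via", aws_inbound_next_hop())          # 192.168.5.1 (Tunnel 1)
```

Running the module prints the Tunnel 1 next hop for both directions. Calling `sonicwall_outbound_next_hop(use_policy=False)` together with `policy_free_choice_is_a_tie()` shows why the route-maps are needed: without them the two copies of each prefix are indistinguishable on the attributes the operator controls, and `unlisted_prefix_is_dropped()` demonstrates the implicit-deny caveat from Step 4.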