Apply BGP Route Map for Numbered VPN Tunnel Interface Between AWS and SonicWall
03/26/2020 
57 
9311
DESCRIPTION:
This article details how to configure a Site-to-Site VPN between AWS and SonicWall using Tunnel interface and Applying a Route map to influence the incoming and outgoing traffic.
Below is the Schema used for the VPN tunnel configuration between SonicWall and AWS.
- Configuring the VPN Policy
- Configuring the Tunnel Interface
- Configuring the BGP routing
- Configuring the Route-map
IP Addresses used in this article | | |
| | |
| Site A (NSA 6650) | AWS |
WAN IP | X1: 10.20.1.2 X2: 10.30.1.2 | 10.6.220.65 10.6.210.2 |
Tunnel IP | 192.168.5.1 192.168.6.1 | 192.168.5.2 192.168.6.2 |
Local Network | 172.16.32.0/24 | 172.16.31.0/24 |
Peer Network(VPN) | 172.16.31.0/24 | 172.16.32.0/24 |
BGP AS NUMBER | AS 65530 | AS 65532//65531 |
CAUSE:
A route map can utilize access-lists, prefix-lists, as-path access lists, and community lists to create an effective route policy.
RESOLUTION:
STEP 1 Go to Manage | VPN | Base Settings and click on Add. The VPN Policy window is displayed.
General tab:
Policy type: Tunnel Interface
Auth method: IKE using Preshared Secret
Local/Peer IKE ID: IPv4 Address
Note: When configuring a Numbered Tunnel Interface VPN, do not select "Allow Advance Routing" in the VPN Policy Advance tab. This option is use for Unnumbered Tunnel Interface with Advance Routing only.
NOTE: The Proposals tab must be identical on the Tunnel Interface VPNs for both appliances and should Bind with X1 and X2.
STEP 2 Configuring the Tunnel Interface.
Go to Manage | Network | Interfaces, under Add Interface field, select VPN Tunnel Interface to create the VPN tunnel interfaces on both appliances.
STEP 3 Configure BGP using CLI.
Config terminal
config# routing / Enter to Routing Module
(config-routing)# bgp / Enter to BGP module
ARS BGP> configure terminal / Enter configure mode
ARS BGP(config)> router bgp 65530/ Set up AS number on SonicWALL
ARS BGP(config-router)> neighbor 192.168.5.2 remote-as 65532 / Configure neighbor connection
ARS BGP(config-router)> neighbor 192.168.6.2 remote-as 65531 / Configure neighbor connection
ARS BGP(config-router)> neighbor 192.168.5.2 soft-reconfiguration inbound
ARS BGP(config-router)> neighbor 192.168.6.2 soft-reconfiguration inbound
ARS BGP(config-router)> network 172.16.32.0/24/ Advertise your network
STEP 4 Configure BGP using CLI and Sending the outgoing traffic via Tunnel 1 and receiving the incoming traffic via Tunnel 1.
ARS BGP(config-router)> neighbor 192.168.5.2 route-map OUTGOING-RULE in
ARS BGP(config-router)> neighbor 192.168.6.2 route-map INCOMING-RULE out
ip prefix-list 1 OUTGOING-RULE permit 172.16.31.0/24 le 32
ip prefix-list 1 INCOMING-RULE permit 172.16.32.0/24 le 32
!
route-map OUTGOING-RULE permit 10
match ip address prefix-list OUTGOING-RULE
set Local-preference 200
!
route-map INCOMING-RULE permit 10
match ip address prefix-list INCOMING-RULE
set as-path prepend 1000 1000 1000 1000
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Capture Security applianceAdvanced Threat Protection for modern threat landscape
Network Security ManagerModern Security Management for today’s security landscape
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
Email SecurityProtect against today’s advanced email threats
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
