Apply BGP Route Map for Numbered VPN Tunnel Interface Between AWS and SonicWall
03/26/2020 
58 
9319
DESCRIPTION:
This article details how to configure a Site-to-Site VPN between AWS and SonicWall using Tunnel interface and Applying a Route map to influence the incoming and outgoing traffic.
Below is the Schema used for the VPN tunnel configuration between SonicWall and AWS.
- Configuring the VPN Policy
- Configuring the Tunnel Interface
- Configuring the BGP routing
- Configuring the Route-map
IP Addresses used in this article | | |
| | |
| Site A (NSA 6650) | AWS |
WAN IP | X1: 10.20.1.2 X2: 10.30.1.2 | 10.6.220.65 10.6.210.2 |
Tunnel IP | 192.168.5.1 192.168.6.1 | 192.168.5.2 192.168.6.2 |
Local Network | 172.16.32.0/24 | 172.16.31.0/24 |
Peer Network(VPN) | 172.16.31.0/24 | 172.16.32.0/24 |
BGP AS NUMBER | AS 65530 | AS 65532//65531 |
CAUSE:
A route map can utilize access-lists, prefix-lists, as-path access lists, and community lists to create an effective route policy.
RESOLUTION:
STEP 1 Go to Manage | VPN | Base Settings and click on Add. The VPN Policy window is displayed.
General tab:
Policy type: Tunnel Interface
Auth method: IKE using Preshared Secret
Local/Peer IKE ID: IPv4 Address
Note: When configuring a Numbered Tunnel Interface VPN, do not select "Allow Advance Routing" in the VPN Policy Advance tab. This option is use for Unnumbered Tunnel Interface with Advance Routing only.
NOTE: The Proposals tab must be identical on the Tunnel Interface VPNs for both appliances and should Bind with X1 and X2.
STEP 2 Configuring the Tunnel Interface.
Go to Manage | Network | Interfaces, under Add Interface field, select VPN Tunnel Interface to create the VPN tunnel interfaces on both appliances.
STEP 3 Configure BGP using CLI.
Config terminal
config# routing / Enter to Routing Module
(config-routing)# bgp / Enter to BGP module
ARS BGP> configure terminal / Enter configure mode
ARS BGP(config)> router bgp 65530/ Set up AS number on SonicWALL
ARS BGP(config-router)> neighbor 192.168.5.2 remote-as 65532 / Configure neighbor connection
ARS BGP(config-router)> neighbor 192.168.6.2 remote-as 65531 / Configure neighbor connection
ARS BGP(config-router)> neighbor 192.168.5.2 soft-reconfiguration inbound
ARS BGP(config-router)> neighbor 192.168.6.2 soft-reconfiguration inbound
ARS BGP(config-router)> network 172.16.32.0/24/ Advertise your network
STEP 4 Configure BGP using CLI and Sending the outgoing traffic via Tunnel 1 and receiving the incoming traffic via Tunnel 1.
ARS BGP(config-router)> neighbor 192.168.5.2 route-map OUTGOING-RULE in
ARS BGP(config-router)> neighbor 192.168.6.2 route-map INCOMING-RULE out
ip prefix-list 1 OUTGOING-RULE permit 172.16.31.0/24 le 32
ip prefix-list 1 INCOMING-RULE permit 172.16.32.0/24 le 32
!
route-map OUTGOING-RULE permit 10
match ip address prefix-list OUTGOING-RULE
set Local-preference 200
!
route-map INCOMING-RULE permit 10
match ip address prefix-list INCOMING-RULE
set as-path prepend 1000 1000 1000 1000
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Network Security ManagerModern Security Management for today’s security landscape
Capture ATPMulti-engine advanced threat detection
Capture Security applianceAdvanced Threat Protection for modern threat landscape
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
Email SecurityProtect against today’s advanced email threats
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
