Cloud Edge Secure Access Getting Started Guide

Alibaba Cloud

This article describes how to establish a Site-To-Site IPSEC VPN connection between Alibaba Cloud and SonicWall Cloud Edge Secure Access.

  • Setting a tunnel on Alibaba Cloud
  • Setting access rules in Alibaba security groups
  • Setting routes in Alibaba Cloud
  • SonicWall Cloud Edge setting

Please follow the steps below:

Setting a tunnel on Alibaba Cloud

  1. Log in to the VPC console.
  2. In the Management Portal on the left side, choose VPN > IPsec Connections.
  3. Select a region.
  4. On the IPsec Connections page, select Create IPsec Connection.
  5. On the Create IPsec Connection page, configure the IPsec-VPN connection with the following information, and select OK.
  • Name: Enter the name of the IPsec-VPN connection.
  • VPN Gateway: Select the VPN Gateway to connect. If none exists, create a new one.
  • Customer Gateway: Select the customer gateway to connect. If none exists, create a new one for the gateway public IP.
  • Local Network: Enter the CIDR block of the VPC to be connected with the on-premises data center. This parameter is used for phase two negotiation.
  • Remote Network: Enter the CIDR block of the on-premises data center to be connected with the VPC. This parameter is used for phase two negotiation. If you didn't select a specific subnet, the default is 10.255.0.0/16.
  • Effective Immediately: Choose Yes.
  • Advanced Configuration: IKE Configurations.

    • Pre-Shared Key: Enter the pre-shared key used for authentication between the VPN Gateway and the customer gateway. By default, it is an automatically generated value, but you can also specify your own. The same key must be used on the other side of the connection.
    • Version: IKEv1
    • Negotiation Mode: Main mode
    • Encryption Algorithm: aes256
    • Authentication Algorithm: sha1
    • DH Group: group2
    • SA Life Cycle (seconds): Set the SA lifecycle for phase one negotiation. The default value is 86,400 seconds.
    • LocalId: Local VPN Gateway public IP address
    • RemoteId: Gateway public IP address

Advanced Configuration: IPSec Configurations

  • Encryption Algorithm: aes256
  • Authentication Algorithm: sha1
  • DH Group: group2
  • SA Life Cycle (seconds): Set the SA lifecycle for phase two negotiation. The default value is 86,400 seconds.

Health Check - Optional

Setting access rules in Alibaba security groups

  1. Go to your security group that is associated with your server.
  2. Add an Allow rule for the 10.255.0.0/16 object on the desired ports.

Setting routes in Alibaba Cloud

  1. Go to your VPN.
  2. Select Route Tables.
  3. Add the following route under the System route table or on your custom route table: 10.255.0.0/16. The next hop should be the VPN Gateway you created for the connector.

SonicWall Cloud Edge setting

  1. Go to the Gateway in your network from which you want to create the tunnel to Alibaba Cloud.
  2. Select the three-dotted menu (...) and select Add Tunnel.

  3. Select IPSec Site-2-Site Tunnel and select Continue.

  4. Enter the General Settings:

    Name: Set the name for the tunnel.
    Shared Secret: Enter the same shared secret you set in Alibaba Cloud.
    Public IP and Remote ID: Enter the Alibaba VPN Gateway public IP address.
    In Gateway Proposal Subnets, select Any or Specific Subnet.
    In Remote Gateway Proposal Subnets, enter your Alibaba Cloud subnet(s).

  5. Enter the Advanced Settings:

    • IKE Version: V1
    • IKE Lifetime: 8h
    • Tunnel Lifetime: 1h
    • Dead Peer Detection Delay: 10s
    • Dead Peer Detection Timeout: 30s
    • Encryption (Phase 1): aes256
    • Encryption (Phase 2): aes256
    • Integrity (Phase 1): sha1
    • Integrity (Phase 2): sha1
    • Diffie-Hellman Groups (Phase 1): 2
    • Diffie-Hellman Groups (Phase 2): 2

  6. Select Add Tunnel.
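
Added example, not part of the SonicWall guide: a pre-flight check that compares the values entered on both sides before the tunnel is brought up, since the phase one and phase two proposals, the shared secret and the subnets must agree for the steps above to work. The dict keys, the 172.16.0.0/16 VPC CIDR, the sample PSK and the 20-character minimum are assumptions made for illustration.

```python
import ipaddress

# Constructed sample values mirroring the settings listed in this guide;
# the dict keys, VPC CIDR and PSK are assumptions made for illustration.
ALIBABA = {
    "ike_version": "ikev1", "p1_enc": "aes256", "p1_auth": "sha1", "p1_dh": 2,
    "p2_enc": "aes256", "p2_auth": "sha1", "p2_dh": 2,
    "psk": "constructed-example-psk-0001",
    "local_network": "172.16.0.0/16",   # VPC CIDR (constructed)
    "remote_network": "10.255.0.0/16",  # Cloud Edge default from the guide
}
CLOUD_EDGE = {
    "ike_version": "ikev1", "p1_enc": "aes256", "p1_auth": "sha1", "p1_dh": 2,
    "p2_enc": "aes256", "p2_auth": "sha1", "p2_dh": 2,
    "psk": "constructed-example-psk-0001",
    "gateway_subnets": "10.255.0.0/16",   # a specific subnet, not "Any"
    "remote_subnets": ["172.16.0.0/16"],  # Alibaba Cloud subnet(s)
}
PROPOSAL_KEYS = ("ike_version", "p1_enc", "p1_auth", "p1_dh",
                 "p2_enc", "p2_auth", "p2_dh")

def check_tunnel(ali, edge, route_cidr, sg_source_cidr, min_psk_len=20):
    """Return a list of findings; an empty list means both sides agree."""
    findings = []
    for key in PROPOSAL_KEYS:
        if ali[key] != edge[key]:
            findings.append(f"proposal mismatch on {key}: {ali[key]} != {edge[key]}")
    if ali["psk"] != edge["psk"]:
        findings.append("pre-shared key differs between the two sides")
    elif len(ali["psk"]) < min_psk_len:
        findings.append(f"pre-shared key shorter than {min_psk_len} characters")
    local = ipaddress.ip_network(ali["local_network"])
    remote = ipaddress.ip_network(ali["remote_network"])
    if local.overlaps(remote):
        findings.append("local and remote networks overlap")
    if ipaddress.ip_network(edge["gateway_subnets"]) != remote:
        findings.append("Cloud Edge proposal subnet != Alibaba remote network")
    edge_remote = [ipaddress.ip_network(c) for c in edge["remote_subnets"]]
    if not any(local.subnet_of(n) or n.subnet_of(local) for n in edge_remote):
        findings.append("Cloud Edge remote subnets do not cover the VPC CIDR")
    for label, cidr in (("route", route_cidr), ("security group", sg_source_cidr)):
        if not remote.subnet_of(ipaddress.ip_network(cidr)):
            findings.append(f"{label} {cidr} does not cover {remote}")
    return findings

if __name__ == "__main__":
    for finding in check_tunnel(ALIBABA, CLOUD_EDGE, "10.255.0.0/16", "10.255.0.0/16"):
        print("FINDING:", finding)
```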
