Aviatrix Gateway to Sonicwall
This document describes how to build an IPsec tunnel-based Site2Cloud connection between an Aviatrix Gateway and a Sonicwall. The two ends are configured as mirror images of each other: the Controller's Remote Subnet is the Sonicwall's local network, the Controller's Local Subnet is the Sonicwall's destination network, and the pre-shared key and IKE/IPsec proposals must be identical on both sides.
The network setup is as follows:
VPC/VNet-AVX (with Aviatrix Gateway)
VPC/VNet CIDR: 10.0.0.0/16
On-Prem (with Sonicwall)
On-Prem Network CIDR: 10.16.100.0/24
Creating a Site2Cloud Connection at the Aviatrix Controller
Go to Gateway > New Gateway to launch an Aviatrix Gateway in a subnet (a public subnet in AWS, GCP, or OCI) of VPC/VNet-AVX. Note the Gateway's public IP address (35.161.77.0 in this example); it is entered on the Sonicwall as the IPsec Primary Gateway Address.
Go to the Site2Cloud page and click Add New to create a Site2Cloud connection.
| Field | Value |
|---|---|
| VPC ID/VNet Name | Choose the VPC/VNet ID of VPC/VNet-AVX |
| Connection Type | Unmapped |
| Connection Name | Arbitrary (e.g. avx-sonicwall-s2c) |
| Remote Gateway Type | Sonicwall |
| Tunnel Type | UDP |
| Algorithms | Unmark this checkbox. The Controller's default proposals are used; the Sonicwall Proposals tab below is configured to match them |
| IKEv2 | Unmark this checkbox (IKEv1 is used, which pairs with Main Mode on the Sonicwall) |
| Encryption over DirectConnect | Unmark this checkbox |
| Enable HA | Unmark this checkbox |
| Primary Cloud Gateway | Select the Aviatrix Gateway created above |
| Remote Gateway IP Address | Public IP of the Sonicwall (66.7.242.225 in this example) |
| Pre-shared Key | Optional (auto-generated if not entered). The same key must be entered as the Shared Secret on the Sonicwall |
| Remote Subnet | 10.16.100.0/24 (On-Prem Network CIDR) |
| Local Subnet | 10.0.0.0/16 (VPC/VNet-AVX CIDR) |
Creating Address Objects for the VPN subnets
Navigate to Network > Address Objects and click Add. Two objects are needed: one for the on-prem (local) network and one for the cloud network.
Creating an Address Object for the Local Network
| Field | Value |
|---|---|
| Name | Arbitrary, e.g. Site2Cloud-local |
| Zone | LAN |
| Type | Network |
| Network | The LAN network range (10.16.100.0 in this example) |
| Network Mask/Prefix | e.g. 255.255.255.0 (the /24 of the On-Prem Network CIDR) |
Creating an Address Object for the Cloud Network
| Field | Value |
|---|---|
| Name | Arbitrary, e.g. site2cloud-cloud |
| Zone | WAN |
| Type | Network |
| Network | The cloud network range (10.0.0.0 in this example, the VPC/VNet-AVX CIDR) |
| Network Mask/Prefix | e.g. 255.255.0.0 (the /16 of the VPC/VNet-AVX CIDR) |
Configuring the VPN Tunnel
Navigate to VPN > Settings and click Add.
On the General tab fill in the following fields:
| Field | Value |
|---|---|
| Policy Type | Site to Site |
| Authentication Method | IKE using Preshared Secret |
| Name | Arbitrary (e.g. Aviatrix-GW) |
| IPsec Primary Gateway Address | The public IP of the Aviatrix Gateway (35.161.77.0 in this example) |
| IPsec Secondary Gateway Address | The public IP of the Aviatrix HA Gateway, if HA was enabled on the Site2Cloud connection; otherwise leave blank |
| Shared Secret | Must be identical to the Pre-shared Key of the Site2Cloud connection on the Controller. If the key was auto-generated, copy it from the Controller rather than entering a new one |
| Confirm Shared Secret | Re-enter the Shared Secret |
| Local IKE ID | Leave blank |
| Peer IKE ID | Leave blank |
Assigning the Local and Remote Address Objects to the Tunnel
Select the Network tab and assign the address objects created above.
Choose local network from list: Site2Cloud-local (the on-prem network, matching the Controller's Remote Subnet).
Choose destination network from list: site2cloud-cloud (the VPC/VNet-AVX network, matching the Controller's Local Subnet).
Select the Proposals tab and set the IKE (Phase 1) and IPsec (Phase 2) values. They must match the proposals in use on the Aviatrix Gateway, or the tunnel will fail to negotiate.

IKE (Phase 1) Proposals

| Field | Value |
|---|---|
| Exchange | Main Mode |
| DH Group | Group 2 |
| Encryption | AES-256 |
| Authentication | SHA1 |
| Life Time (seconds) | 28800 |
IPsec (Phase 2) Proposals

| Field | Value |
|---|---|
| Protocol | ESP |
| Encryption | AES-256 |
| Authentication | SHA1 |
| Enable Perfect Forward Secrecy | Mark this checkbox |
| DH Group | Group 2 |
| Life Time (seconds) | 3600 |

SHA1 and DH Group 2 (1024-bit MODP) are legacy choices kept here for interoperability. If the Sonicwall firmware supports it, mark the Algorithms checkbox on the Controller and select a stronger pair (for example SHA-256 and DH Group 14) on both ends. Whatever is chosen, the Sonicwall proposals must match the Controller's exactly.
Note: If an IPsec Secondary Gateway Address is configured, Peer IKE ID must be left blank or else failover will not work properly.
Advanced Settings
Click the Advanced tab.
Mark the Enable Keep Alive checkbox so that the Sonicwall renegotiates the tunnel automatically after an outage instead of waiting for traffic or for the lifetime to expire.
Click OK to save.
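As a final cross-check of the two configurations above, the following Python script (an added example, not Aviatrix or SonicWall code) records the Controller-side and Sonicwall-side values from this document in two dictionaries and verifies the relationships the tunnel depends on: the Sonicwall address objects mirror the Controller's Remote and Local Subnets, the Sonicwall policy points at the Aviatrix Gateway's public IP, the pre-shared key is identical, IKEv1 on the Controller pairs with Main Mode on the Sonicwall, and the Phase 1 and Phase 2 proposals match field for field. It also flags the SHA1 and Group 2 proposals as legacy. The dictionary field names are this script's own, not Controller or SonicOS API names, and the pre-shared key is a placeholder.

```python
"""Cross-check an Aviatrix Site2Cloud connection against its SonicWall VPN policy.

Added example; not Aviatrix or SonicWall code. Field names are this script's
own. Values come from the tables in this document except the pre-shared key,
which is a placeholder.
"""
import ipaddress

# Controller side: Site2Cloud connection values from this document.
AVIATRIX = {
    "gateway_public_ip": "35.161.77.0",
    "remote_gateway_ip": "66.7.242.225",
    "local_subnet": "10.0.0.0/16",
    "remote_subnet": "10.16.100.0/24",
    "psk": "PLACEHOLDER-psk",      # placeholder, not a real key
    "ikev2": False,                # IKEv2 checkbox unmarked => IKEv1
    "phase1": {"dh_group": 2, "encryption": "AES-256", "auth": "SHA1", "lifetime": 28800},
    "phase2": {"dh_group": 2, "encryption": "AES-256", "auth": "SHA1", "lifetime": 3600},
}

# SonicWall side: address objects and VPN policy values from this document.
SONICWALL = {
    "primary_gateway": "35.161.77.0",
    "local_object": {"network": "10.16.100.0", "mask": "255.255.255.0"},
    "remote_object": {"network": "10.0.0.0", "mask": "255.255.0.0"},
    "shared_secret": "PLACEHOLDER-psk",
    "exchange": "Main Mode",
    "phase1": {"dh_group": 2, "encryption": "AES-256", "auth": "SHA1", "lifetime": 28800},
    "phase2": {"dh_group": 2, "encryption": "AES-256", "auth": "SHA1", "lifetime": 3600, "pfs": True},
    "keepalive": True,
}

LEGACY_DH_GROUPS = {1, 2, 5}   # 768-, 1024- and 1536-bit MODP


def object_to_network(obj):
    """Convert a SonicWall address object (dotted network + dotted mask) to an ip_network.

    strict=True makes a network/mask pair with host bits set raise ValueError.
    """
    return ipaddress.ip_network(f"{obj['network']}/{obj['mask']}", strict=True)


def check_pair(avx, sw):
    """Return a list of (severity, message). Empty means both ends agree and nothing is weak."""
    findings = []
    avx_local = ipaddress.ip_network(avx["local_subnet"])
    avx_remote = ipaddress.ip_network(avx["remote_subnet"])

    # Subnets are mirrored: Controller Remote Subnet == SonicWall local object, and vice versa.
    for name, obj, expected in (("local", sw["local_object"], avx_remote),
                                ("remote", sw["remote_object"], avx_local)):
        try:
            if object_to_network(obj) != expected:
                findings.append(("error", f"SonicWall {name} object is not {expected}"))
        except ValueError as exc:
            findings.append(("error", f"SonicWall {name} object is malformed: {exc}"))

    # The SonicWall policy must point at the Aviatrix Gateway's public IP.
    if sw["primary_gateway"] != avx["gateway_public_ip"]:
        findings.append(("error", "IPsec Primary Gateway Address is not the Aviatrix Gateway public IP"))

    # Pre-shared key must be identical on both ends.
    if sw["shared_secret"] != avx["psk"]:
        findings.append(("error", "Shared Secret differs from the Controller Pre-shared Key"))

    # IKEv2 unmarked on the Controller means IKEv1, which needs Main Mode on the SonicWall.
    if not avx["ikev2"] and sw["exchange"] != "Main Mode":
        findings.append(("error", "Controller uses IKEv1 but SonicWall Exchange is not Main Mode"))

    # Phase 1 and Phase 2 proposals must match field by field.
    for phase in ("phase1", "phase2"):
        for key in ("dh_group", "encryption", "auth", "lifetime"):
            if avx[phase][key] != sw[phase][key]:
                findings.append(("error", f"{phase} {key}: Controller {avx[phase][key]} vs SonicWall {sw[phase][key]}"))
    if not sw["phase2"].get("pfs"):
        findings.append(("error", "Perfect Forward Secrecy is not enabled on the SonicWall Phase 2 proposal"))
    if not sw.get("keepalive"):
        findings.append(("warn", "Enable Keep Alive is not set on the SonicWall policy"))

    # Legacy crypto: interoperates, but should be replaced where both ends allow it.
    for phase in ("phase1", "phase2"):
        if avx[phase]["auth"].upper() == "SHA1":
            findings.append(("warn", f"{phase} integrity is SHA1"))
        if avx[phase]["dh_group"] in LEGACY_DH_GROUPS:
            findings.append(("warn", f"{phase} uses DH group {avx[phase]['dh_group']} (1536-bit MODP or smaller)"))
    return findings


def errors(findings):
    """Only the findings that would stop the tunnel from coming up."""
    return [msg for sev, msg in findings if sev == "error"]


if __name__ == "__main__":
    for sev, msg in check_pair(AVIATRIX, SONICWALL):
        print(f"[{sev}] {msg}")
```

With the values from this document the script reports no errors and four warnings (SHA1 and Group 2 in each phase). Swapping the two address objects, mistyping the Shared Secret, or giving an address object a mask that does not fit its network each show up as an error before the tunnel is brought up.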