This document describes how to build an IPsec-tunnel-based Site2Cloud connection between an Aviatrix Gateway and a Sonicwall firewall.
The network setup is as follows:
- VPC/VNet-AVX (with Aviatrix Gateway), VPC/VNet CIDR: 10.0.0.0/16
- On-Prem (with Sonicwall), On-Prem Network CIDR: 10.16.100.0/24
Creating a Site2Cloud Connection at the Aviatrix Controller
===========================================================
- Go to Gateway > New Gateway to launch an Aviatrix Gateway in a subnet (a public subnet in AWS, GCP, or OCI) of VPC/VNet-AVX. Note the Gateway's public IP address (35.161.77.0 in this example); it is entered on the Sonicwall side later.
- Go to the Site2Cloud page and click Add New to create a Site2Cloud connection.
Field | Value |
---|---|
| | Choose VPC/VNet ID of VPC-AVX |
| | Unmapped |
| | Arbitrary (e.g. avx-sonicwall-s2c) |
| | Sonicwall |
| | UDP |
| | Unmark this checkbox |
| | Unmark this checkbox |
| | Unmark this checkbox |
| | Unmark this checkbox |
| | Select the Aviatrix Gateway created above |
| | Public IP of Sonicwall (66.7.242.225 in this example) |
| | Optional (auto-generated if not entered) |
| | 10.16.100.0/24 (On-Prem Network CIDR) |
| | 10.0.0.0/16 (VPC/VNet-AVX CIDR) |
Creating Address Objects for the VPN subnets
============================================
Navigate to Network > Address Objects > click Add and create the on-prem (LAN) object:
Field | Value |
---|---|
Name | Arbitrary e.g. Site2Cloud-local |
Zone | LAN |
Type | Network |
Network | The LAN network range (10.16.100.0 in this example) |
Network Mask/Prefix | e.g. 255.255.255.0 |
Click Add again and create the cloud-side (WAN) object:
Field | Value |
---|---|
Name | Arbitrary e.g. site2cloud-cloud |
Zone | WAN |
Type | Network |
Network | The Cloud network range (10.0.0.0 in this example) |
Network Mask/Prefix | e.g. 255.255.0.0 |
Navigate to VPN > Settings > click Add.
On the General tab fill in the following fields:
Field | Value |
---|---|
Policy Type | Site to site |
Authentication Method | IKE using Preshared Secret |
Name | Arbitrary (e.g. Aviatrix-GW) |
IPsec Primary Gateway Address | The public IP of the Aviatrix Gateway |
IPsec Secondary Gateway Address | The public IP of the Aviatrix HA Gateway if configured |
Shared Secret | Arbitrary |
Confirm Shared Secret | Re-enter Shared Secret |
Local IKE ID | Leave blank |
Peer IKE ID | Leave blank |
Select the Network tab and choose the address objects created above: the local network from the list (e.g. Site2Cloud-local) and the remote network (e.g. site2cloud-cloud).
- Select the Proposals tab and set the IKE (Phase 1) and IPsec (Phase 2) values.
IKE (Phase 1) Proposals
Field | Value |
---|---|
Exchange | Main Mode |
DH Group | Group 2 |
Encryption | AES-256 |
Authentication | SHA1 |
Life Time (seconds) | 28800 |
IPsec (Phase 2) Proposals
Field | Value |
---|---|
Protocol | ESP |
Encryption | AES-256 |
Authentication | SHA1 |
Enable Perfect Forward Secrecy | Mark this checkbox |
DH Group | Group 2 |
Life Time (seconds) | 3600 |
- Click the Advanced tab.
- Mark the Enable Keep Alive checkbox.
- Click OK to save.
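Because the Aviatrix Controller and the Sonicwall each only see their own half of the negotiation, the quickest way to lose a day on this setup is a single mismatched parameter between the two tables above. The following script is an added example written for this page (it is not Aviatrix or Sonicwall code and does not talk to either product): it restates both sides' settings as plain dictionaries, checks that each side's remote subnet is the other side's local subnet, compares every Phase 1 and Phase 2 parameter, and, going beyond the page's single configuration, flags values that will work but sit below current strength recommendations (DH group 2 and SHA1). The dictionary key names are labels chosen for this script, not product field names.

```python
"""Pre-flight consistency check for the Aviatrix Site2Cloud <-> Sonicwall
IPsec settings described on this page.

Added example, not Aviatrix or Sonicwall code. The two dictionaries are
constructed from the tables above; their key names (phase1, dh_group, ...)
are labels chosen for this script, not product field names.
"""
import copy
import ipaddress

# Constructed from the Aviatrix Site2Cloud table (cloud side).
AVIATRIX = {
    "local_subnet": "10.0.0.0/16",       # VPC/VNet-AVX CIDR
    "remote_subnet": "10.16.100.0/24",   # On-Prem CIDR
    "phase1": {"encryption": "AES-256", "auth": "SHA1", "dh_group": 2, "lifetime": 28800},
    "phase2": {"encryption": "AES-256", "auth": "SHA1", "dh_group": 2, "lifetime": 3600},
}

# Constructed from the Sonicwall address objects and VPN policy tables (on-prem side).
SONICWALL = {
    "address_objects": {
        "Site2Cloud-local": ("10.16.100.0", "255.255.255.0"),  # zone LAN
        "site2cloud-cloud": ("10.0.0.0", "255.255.0.0"),       # zone WAN
    },
    "phase1": {"exchange": "Main Mode", "encryption": "AES-256", "auth": "SHA1",
               "dh_group": 2, "lifetime": 28800},
    "phase2": {"protocol": "ESP", "encryption": "AES-256", "auth": "SHA1",
               "pfs": True, "dh_group": 2, "lifetime": 3600},
}

# DH groups 1, 2 and 5 are MODP-768/1024/1536; group 14 (MODP-2048) is the usual floor today.
WEAK_DH_GROUPS = {1, 2, 5}


def mask_to_cidr(network, mask):
    """Turn a Sonicwall 'Network' + 'Network Mask' pair into prefix notation."""
    return str(ipaddress.ip_network(f"{network}/{mask}", strict=True))


def check_subnets(avx, sw):
    """Each side's 'remote' must be the other side's 'local'; return mismatches."""
    problems = []
    sw_local = mask_to_cidr(*sw["address_objects"]["Site2Cloud-local"])
    sw_cloud = mask_to_cidr(*sw["address_objects"]["site2cloud-cloud"])
    if sw_local != avx["remote_subnet"]:
        problems.append(f"Aviatrix remote subnet {avx['remote_subnet']} != Sonicwall LAN object {sw_local}")
    if sw_cloud != avx["local_subnet"]:
        problems.append(f"Aviatrix local subnet {avx['local_subnet']} != Sonicwall WAN object {sw_cloud}")
    return problems


def check_proposals(avx, sw):
    """Compare every Phase 1/Phase 2 parameter the Aviatrix side specifies.

    A mismatch here is the usual reason IKE never reaches Phase 2, and each
    peer only logs its own side of the failed negotiation.
    """
    problems = []
    for phase in ("phase1", "phase2"):
        for key, avx_value in avx[phase].items():
            sw_value = sw[phase].get(key)
            if sw_value != avx_value:
                problems.append(f"{phase}.{key}: Aviatrix={avx_value!r} Sonicwall={sw_value!r}")
    if not sw["phase2"].get("pfs", False):
        problems.append("phase2.pfs: Perfect Forward Secrecy is off on the Sonicwall side")
    return problems


def weak_settings(cfg):
    """Flag parameters that negotiate fine but sit below current recommendations."""
    notes = []
    for phase in ("phase1", "phase2"):
        p = cfg[phase]
        if p.get("dh_group") in WEAK_DH_GROUPS:
            notes.append(f"{phase}: DH group {p['dh_group']} is a 1536-bit or smaller MODP group; "
                         "group 14 or higher is preferred")
        if p.get("auth", "").upper() == "SHA1":
            notes.append(f"{phase}: SHA1 integrity; SHA-256 is preferred when both peers support it")
    return notes


def with_override(cfg, section, key, value):
    """Return a copy of cfg with one entry changed, for what-if checks."""
    new = copy.deepcopy(cfg)
    new[section][key] = value
    return new


if __name__ == "__main__":
    for line in check_subnets(AVIATRIX, SONICWALL) + check_proposals(AVIATRIX, SONICWALL):
        print("MISMATCH:", line)
    for line in weak_settings(SONICWALL):
        print("NOTE:", line)
```

Run it as-is and it prints no mismatches for the values on this page, plus four notes about DH group 2 and SHA1. Change one value on either side (for example the Phase 2 lifetime) and the corresponding `phase2.lifetime` mismatch is reported, which is the same condition you would otherwise have to infer from IKE debug logs on both devices.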