This document describes how to build an IPsec tunnel based Site2Cloud connection between an Aviatrix Gateway and a Sonicwall. The network setup is as follows:

  • VPC/VNet-AVX (with Aviatrix Gateway), VPC/VNet CIDR: 10.0.0.0/16
  • On-Prem (with Sonicwall), On-Prem Network CIDR: 10.16.100.0/24

Creating a Site2Cloud Connection

  1. Launch a Spoke or Transit Gateway in the subnet of VPC/VNet-AVX (public subnet in AWS, GCP, or OCI). Make note of the Gateway’s public IP address (35.161.77.0 in this example).
  2. Navigate to Networking > Connectivity > External Connections (S2C) and click Add New to create a Site2Cloud connection using the values below (either PSK or certificate-based authentication can be selected).
  3. Substitute the following values:
    • Local Gateway: select the Aviatrix Gateway created above
    • Remote Device Type: Generic (on Controller versions lower than 6.7 you can also select Sonicwall; on 6.7 and higher, select only Generic or Aviatrix)
    • Remote Device IP: Public IP of Sonicwall (66.7.242.225 in this example)
    • Remote Subnet CIDR(s): 10.16.100.0/24 (on-prem network CIDR)
    • Local Subnet CIDR(s): 10.0.0.0/16
    • Pre-Shared Key is optional; it is auto-generated if not entered

Creating Address Objects for the VPN subnets

In the Sonicwall UI, go to Network > Address Objects > click Add.

Creating an Address Object for the Local Network

    • Name: arbitrary, e.g. Site2Cloud-local
    • Zone: LAN
    • Type: Network
    • Network: the LAN network range
    • Network Mask/Prefix: e.g. 255.255.255.0

(Figure: Address Object for the Local Network)

Creating an Address Object for the Cloud Network

    • Name: arbitrary, e.g. site2cloud-cloud
    • Zone: WAN
    • Type: Network
    • Network: the Cloud network range
    • Network Mask/Prefix: e.g. 255.255.0.0

(Figure: Address Object for the Cloud Network)

Configuring the VPN Tunnel

  1. Navigate to VPN > Settings > click Add.
  2. On the General tab fill in the following fields:
    • Policy Type: Site to site
    • Authentication Method: IKE using Preshared Secret
    • Name: arbitrary (e.g. Aviatrix-GW)
    • IPsec Primary Gateway Address: the public IP of the Aviatrix Gateway
    • IPsec Secondary Gateway Address: the public IP of the Aviatrix HA Gateway, if configured
    • Shared Secret: arbitrary
    • Confirm Shared Secret: re-enter the Shared Secret
    • Local IKE ID: leave blank
    • Peer IKE ID: leave blank

(Figure: VPN Tunnel General Settings)

Assigning the Local and Remote Address Objects to the Tunnel

  1. Select the Network tab and select the Address Objects created above.
  2. Choose the local network from the list (e.g. Site2Cloud-local).
  3. Select the Proposals tab and set the IKE and IPsec values.

    IKE (Phase 1) Proposals
    • Exchange: Main Mode
    • DH Group: Group 2
    • Encryption: AES-256
    • Authentication: SHA1
    • Life Time (seconds): 28800

    IPsec (Phase 2) Proposals
    • Protocol: ESP
    • Encryption: AES-256
    • Authentication: SHA1
    • Enable Perfect Forward Secrecy: mark this checkbox
    • DH Group: Group 2
    • Life Time (seconds): 3600

(Figure: VPN Policy Settings)

If the Secondary Peer IP is configured, then Peer IKE ID must be left blank or else failover will not work properly.

(Figure: Failover VPN Settings)

Advanced Settings

  1. Click the Advanced tab.
  2. Mark the Enable Keep Alive checkbox.
  3. Click OK to save.

(Figure: Advanced VPN Settings)
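Most Site2Cloud tunnels that fail to come up do so because the two sides were entered by hand and disagree on something small: a Sonicwall address object whose dotted mask does not match the CIDR typed into the Aviatrix form, a local range that overlaps the remote one, or a Peer IKE ID filled in on a policy that also has a secondary gateway. The script below is an added example, not Aviatrix or Sonicwall code: it models both sides with the values used in this document (10.0.0.0/16 and 10.16.100.0/24, gateway IPs 35.161.77.0 and 66.7.242.225, the Phase 1/Phase 2 proposals above) and reports any inconsistency before you click Save on either UI. The dictionary layout and function names are assumptions of this example only.

```python
"""Consistency check for the Aviatrix <-> Sonicwall Site2Cloud tunnel described above.

Added example, not Aviatrix or Sonicwall code. The constants mirror the values
entered on the two sides in this document; the dict layout and function names
are assumptions of this script.
"""
import ipaddress

# Aviatrix side: values from the External Connections (S2C) form in this document
AVIATRIX_S2C = {
    "local_gateway_ip": "35.161.77.0",
    "remote_device_ip": "66.7.242.225",
    "local_subnets": ["10.0.0.0/16"],
    "remote_subnets": ["10.16.100.0/24"],
    "ha_gateway_ip": None,  # public IP of the HA gateway, if one is deployed
}

# Sonicwall side: address objects carry a dotted mask rather than a prefix length
SONICWALL_ADDRESS_OBJECTS = {
    "Site2Cloud-local": {"zone": "LAN", "network": "10.16.100.0", "mask": "255.255.255.0"},
    "site2cloud-cloud": {"zone": "WAN", "network": "10.0.0.0", "mask": "255.255.0.0"},
}

SONICWALL_VPN_POLICY = {
    "primary_gateway": "35.161.77.0",
    "secondary_gateway": None,  # Aviatrix HA gateway IP when configured
    "peer_ike_id": "",          # must stay blank when a secondary gateway is set
    "local_object": "Site2Cloud-local",
    "remote_object": "site2cloud-cloud",
    "phase1": {"exchange": "Main Mode", "dh_group": 2, "encryption": "AES-256",
               "authentication": "SHA1", "lifetime": 28800},
    "phase2": {"protocol": "ESP", "encryption": "AES-256", "authentication": "SHA1",
               "pfs": True, "dh_group": 2, "lifetime": 3600},
}


def address_object_to_network(obj):
    """Turn a Sonicwall address object (Network + dotted mask) into an ip_network.

    strict=True rejects a Network field with host bits set (e.g. 10.16.100.5 with
    mask 255.255.255.0), which would otherwise describe a different range than intended.
    """
    return ipaddress.ip_network(f"{obj['network']}/{obj['mask']}", strict=True)


def check_site2cloud(avx, objects, policy):
    """Return a list of mismatches between the two sides; an empty list means consistent."""
    problems = []

    def resolve(name):
        try:
            return {address_object_to_network(objects[name])}
        except (KeyError, ValueError) as exc:
            problems.append(f"address object {name!r}: {exc!r}")
            return set()

    sw_local = resolve(policy["local_object"])    # on-prem range as seen by the Sonicwall
    sw_remote = resolve(policy["remote_object"])  # cloud range as seen by the Sonicwall
    avx_local = {ipaddress.ip_network(c) for c in avx["local_subnets"]}
    avx_remote = {ipaddress.ip_network(c) for c in avx["remote_subnets"]}

    # Traffic selectors are mirror images: Sonicwall local == Aviatrix remote, and vice versa.
    if sw_local and sw_local != avx_remote:
        problems.append(f"on-prem CIDR mismatch: Sonicwall {sw_local} vs Aviatrix remote {avx_remote}")
    if sw_remote and sw_remote != avx_local:
        problems.append(f"cloud CIDR mismatch: Sonicwall {sw_remote} vs Aviatrix local {avx_local}")

    # Overlapping local/remote ranges make the selectors ambiguous.
    for a in avx_local:
        for b in avx_remote:
            if a.overlaps(b):
                problems.append(f"local {a} overlaps remote {b}")

    # Each side must peer with the other's public IP, including the HA pair.
    if policy["primary_gateway"] != avx["local_gateway_ip"]:
        problems.append("Sonicwall primary gateway is not the Aviatrix gateway IP")
    if policy["secondary_gateway"] != avx["ha_gateway_ip"]:
        problems.append("Sonicwall secondary gateway does not match the Aviatrix HA gateway")

    # Failover caveat from this document: Peer IKE ID must be blank with a secondary peer.
    if policy["secondary_gateway"] and policy["peer_ike_id"]:
        problems.append("Peer IKE ID must be left blank when a secondary gateway is configured")

    # PFS without a Phase 2 DH group is an incomplete proposal.
    p2 = policy["phase2"]
    if p2["pfs"] and not p2.get("dh_group"):
        problems.append("Perfect Forward Secrecy enabled but no Phase 2 DH group selected")

    return problems


if __name__ == "__main__":
    issues = check_site2cloud(AVIATRIX_S2C, SONICWALL_ADDRESS_OBJECTS, SONICWALL_VPN_POLICY)
    print("consistent" if not issues else "\n".join(issues))
```

Run it as-is and it prints `consistent` for the values in this document; edit either dictionary to mirror what you typed into the UIs and rerun. Note that the Aviatrix form takes CIDRs while the Sonicwall address object takes a dotted mask, which is exactly where the two sides most often drift apart; converting both to `ip_network` objects lets the comparison ignore that difference in notation.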