Aviatrix Gateway to Sonicwall

This document describes how to build an IPsec tunnel-based Site2Cloud connection between an Aviatrix Gateway and a Sonicwall.

The network setup is as follows:

VPC/VNet-AVX (with Aviatrix Gateway)

VPC/VNet CIDR: 10.0.0.0/16

On-Prem (with Sonicwall)

On-Prem Network CIDR: 10.16.100.0/24

Creating a Site2Cloud Connection at the Aviatrix Controller

  1. Go to Gateway > New Gateway to launch an Aviatrix Gateway in a subnet (a public subnet in AWS, GCP, or OCI) of VPC/VNet-AVX. Collect the Gateway's public IP address (35.161.77.0 in this example).

  2. Go to the Site2Cloud page and click Add New to create a Site2Cloud connection.

    Field                          Value
    -----------------------------  ----------------------------------------------------------
    VPC ID/VNet Name               Choose the VPC/VNet ID of VPC/VNet-AVX
    Connection Type                Unmapped
    Connection Name                Arbitrary (e.g. avx-sonicwall-s2c)
    Remote Gateway Type            Sonicwall
    Tunnel Type                    UDP
    Algorithms                     Unmark this checkbox
    IKEv2                          Unmark this checkbox
    Encryption over DirectConnect  Unmark this checkbox
    Enable HA                      Unmark this checkbox
    Primary Cloud Gateway          Select the Aviatrix Gateway created above
    Remote Gateway IP Address      Public IP of the Sonicwall (66.7.242.225 in this example)
    Pre-shared Key                 Optional (auto-generated if not entered)
    Remote Subnet                  10.16.100.0/24 (On-Prem Network CIDR)
    Local Subnet                   10.0.0.0/16 (VPC/VNet CIDR)

Creating Address Objects for the VPN subnets

Navigate to Network > Address Objects > click Add.

Creating an Address Object for the Local Network

Field                Value
-------------------  ------------------------------------------------------
Name                 Arbitrary (e.g. Site2Cloud-local)
Zone                 LAN
Type                 Network
Network              The on-prem LAN network (10.16.100.0 in this example)
Network Mask/Prefix  e.g. 255.255.255.0


Creating an Address Object for the Cloud Network

Field                Value
-------------------  ------------------------------------------------------
Name                 Arbitrary (e.g. site2cloud-cloud)
Zone                 WAN
Type                 Network
Network              The cloud VPC/VNet network (10.0.0.0 in this example)
Network Mask/Prefix  e.g. 255.255.0.0


Configuring the VPN Tunnel

Navigate to VPN > Settings > click Add.

On the General tab fill in the following fields:

Field                              Value
---------------------------------  -----------------------------------------------------
Policy Type                        Site to Site
Authentication Method              IKE using Preshared Secret
Name                               Arbitrary (e.g. Aviatrix-GW)
IPsec Primary Gateway Address      The public IP of the Aviatrix Gateway
IPsec Secondary Gateway Address    The public IP of the Aviatrix HA Gateway, if configured
Shared Secret                      Arbitrary (must match the Pre-shared Key on the Aviatrix side)
Confirm Shared Secret              Re-enter the Shared Secret
Local IKE ID                       Leave blank
Peer IKE ID                        Leave blank


Assigning the Local and Remote Address Objects to the Tunnel

Select the Network tab and select the address objects created above.

Choose the local network from the list (e.g. Site2Cloud-local) and the cloud address object as the destination network (e.g. site2cloud-cloud).

  1. Select the Proposals tab and set the IKE (Phase 1) and IPsec (Phase 2) values. These must match the Aviatrix Site2Cloud connection exactly or the tunnel will not establish.

    IKE (Phase 1) Proposals

    Field                Value
    -------------------  ----------
    Exchange             Main Mode
    DH Group             Group 2
    Encryption           AES-256
    Authentication       SHA1
    Life Time (seconds)  28800

    IPsec (Phase 2) Proposals

    Field                           Value
    ------------------------------  -------------------
    Protocol                        ESP
    Encryption                      AES-256
    Authentication                  SHA1
    Enable Perfect Forward Secrecy  Mark this checkbox
    DH Group                        Group 2
    Life Time (seconds)             3600

    Note: If a Secondary Peer IP is configured, the Peer IKE ID must be left blank or failover will not work properly.

Advanced Settings

    • Click the Advance tab.

    • Mark the Enable Keep Alive checkbox.

    • Click OK to save.

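Because the Sonicwall policy and the Aviatrix Site2Cloud connection are configured by hand on two separate consoles, a mirrored subnet or a proposal that differs in one field is the usual reason a tunnel never comes up. The following checker is an added example, not Aviatrix or Sonicwall code: it holds both ends' settings in plain dicts (the key names are this example's own convention, with the sample values taken from this guide) and reports every mismatch, plus a separate warning for DH Group 2 and SHA1, which are below current strength guidance.

```python
import ipaddress

# Constructed sample values copied from this guide; the dict layout and key names
# are this example's own convention, not an Aviatrix or Sonicwall API.
AVIATRIX_S2C = {
    "local_subnet": "10.0.0.0/16",      # VPC/VNet-AVX CIDR
    "remote_subnet": "10.16.100.0/24",  # on-prem CIDR behind the Sonicwall
    "ike": {"exchange": "main", "dh": 2, "enc": "aes256", "auth": "sha1", "life": 28800},
    "ipsec": {"proto": "esp", "enc": "aes256", "auth": "sha1", "pfs": 2, "life": 3600},
}
SONICWALL_POLICY = {
    "local_subnet": "10.16.100.0/24",   # Site2Cloud-local address object (LAN zone)
    "remote_subnet": "10.0.0.0/16",     # site2cloud-cloud address object (WAN zone)
    "ike": {"exchange": "main", "dh": 2, "enc": "aes256", "auth": "sha1", "life": 28800},
    "ipsec": {"proto": "esp", "enc": "aes256", "auth": "sha1", "pfs": 2, "life": 3600},
}


def check_tunnel(avx: dict, sw: dict) -> list[str]:
    """Return the mismatches between the two ends; an empty list means they agree."""
    problems = []
    # Traffic selectors must mirror each other or Phase 2 never comes up:
    # the Aviatrix local subnet is the Sonicwall remote subnet and vice versa.
    if avx["local_subnet"] != sw["remote_subnet"]:
        problems.append(f"cloud subnet: avx local {avx['local_subnet']} != sw remote {sw['remote_subnet']}")
    if avx["remote_subnet"] != sw["local_subnet"]:
        problems.append(f"on-prem subnet: avx remote {avx['remote_subnet']} != sw local {sw['local_subnet']}")
    # Overlapping selectors make routing ambiguous on both sides.
    local = ipaddress.ip_network(avx["local_subnet"])
    remote = ipaddress.ip_network(avx["remote_subnet"])
    if local.overlaps(remote):
        problems.append(f"subnets overlap: {local} and {remote}")
    # Every Phase 1 (IKE) and Phase 2 (IPsec) parameter must match exactly.
    for phase in ("ike", "ipsec"):
        for key, val in avx[phase].items():
            if sw[phase].get(key) != val:
                problems.append(f"{phase} {key}: aviatrix={val} sonicwall={sw[phase].get(key)}")
    return problems


def weak_settings(cfg: dict) -> list[str]:
    """Flag proposal parameters below current strength guidance (warnings, not mismatches)."""
    warnings = []
    if cfg["ike"]["dh"] == 2 or cfg["ipsec"]["pfs"] == 2:
        warnings.append("DH group 2 is 1024-bit MODP; prefer group 14 or higher if both ends support it")
    if "sha1" in (cfg["ike"]["auth"], cfg["ipsec"]["auth"]):
        warnings.append("SHA1 integrity; prefer SHA-256 if both ends support it")
    return warnings
```

Run `check_tunnel(AVIATRIX_S2C, SONICWALL_POLICY)` after filling in both consoles; a non-empty result names the exact field to correct before looking at IKE logs.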