Create an IPsec VPN Tunnel from a Sonicwall to an Amazon Web Services (AWS) VPC – No Traffic, No Ping… How to Fix It

Hi,

If you are like me and want to deploy a Sonicwall and create a private VPN between your network and Amazon Web Services, this can give you a hard time, and you need to understand both the Sonicwall and the Amazon side to get it working. Dell created a procedure for that, the first link on Google, and to be honest… 75% of it works…

http://support-public.cfm.software.dell.com/27707_configuring_sonicos_for_amazon_vpc_technote.pdf

This is an updated version of that procedure; I will add some screenshots a bit later on. But if you have knowledge of VPNs and Sonicwall, this might give you the missing part.

On my first attempt the VPN was set up, but no traffic passed between the two sides.

Important Information:

Sonicwall

  • For BGP (dynamic routing), even if your Sonicwall supports it in the specs, you need a Sonicwall license upgrade called SonicOS Expanded… Good news: static routing will work!
  • Tested with SonicOS 6.2+

Amazon side.

Go to VPC

Steps:

1. Initializing the VPC (you can use the default)
2. Creating the Subnet (you can use the default)
3. Creating the Virtual Private Gateway
4. Attaching the Virtual Private Gateway to the VPC
5. Creating a Customer Gateway
6. Creating the VPN Connection
7. Defining the Route Tables

1 – Initializing the VPC (the VPC is the private cloud; I would compare it to a router)

If you have no VPC, create one and assign it a VPC CIDR (an IP range like 10.1.0.0/16).

2 – Creating the Subnet (the network range visible to the EC2 instances, and also the private network reachable over the VPN)

Create a subnet attached to your VPC, like 10.1.1.0/24.

3 – Creating the Virtual Private Gateway

Create a Virtual Private Gateway (this is the “Amazon side of the VPN”).

4 – Attaching the Virtual Private Gateway to the VPC

Select the Virtual Private Gateway (VPG) and attach it to the VPC.

5 – Creating a Customer Gateway

The Customer Gateway holds the Sonicwall's details.

  • Name tag: a friendly name for the service
  • Routing: Static
  • IP Address: the WAN IP of the Sonicwall

6 – Create the VPN Connection

VPN Connections – Create

  • Name tag: a friendly name for the service
  • Virtual Private Gateway: the one created at step 3
  • Customer Gateway: the one created at step 5
  • Routing Options: choose Static
  • Static IP Prefixes: your LAN network (192.168.10.0/24)

Download the configuration file in the format Generic / Generic / Vendor Agnostic. *** KEEP IT FOR FUTURE STEPS

7 – Go to Route Table

Select the available route table, click on Routes and edit the following:

Add 2 routes:

Destination: 0.0.0.0/0      Target: Virtual Private Gateway (its Amazon ID, from step 3)

Destination: 192.168.10.0/24 (YOUR LAN NETWORK)      Target: Virtual Private Gateway (its Amazon ID, from step 3)

Go to the Route Propagation tab, click Edit and set Propagate to Yes.

Save

NOW SONICWALL! **** I WILL SHOW IT ONLY FOR ONE TUNNEL; THE FAILOVER TUNNEL IS CONFIGURED THE SAME WAY

Open the text file you downloaded at step 6.

The important information is under: IPSec Tunnel #1

Go to VPN:

  • Add…
  • General:
    • Policy Type: Tunnel Interface
    • Name: a friendly name (mine: AWS VPN)
    • IPSec Primary Gateway Name: take the Outside IP Address of the Virtual Private Gateway
    • Shared Secret: the Pre-Shared Key from the text file
    • Local IKE ID: take the Outside IP Address of the Customer Gateway
    • Peer IKE ID: take the Outside IP Address of the Virtual Private Gateway
  • Proposals (double check the spec in the text file):
    • Phase 1
      • Exchange: Main Mode
      • DH Group: Group 2
      • Encryption: AES-128
      • Authentication: SHA1
      • Life Time: 28800
    • Phase 2
      • Protocol: ESP
      • Encryption: AES-128
      • Authentication: SHA1
      • Check the check box Enable Perfect Forward Secrecy
      • DH Group: Group 2
      • Life Time: 28800
  • Advanced:
    • Check Enable Keep Alive
    • VPN Policy bound to: Interface X1

Click OK. At this point, within a couple of seconds, you should have the VPN up… but the trouble begins 🙂

Go to the menu VPN / Advanced

  • Uncheck: Enable NAT Traversal

Go to the menu Network / Interfaces

Add Interface (Zone: VPN)

  • VPN Policy: select AWS VPN
  • Name: AWSVPN
  • Mode: Static IP
  • IP Address: from the text file (Inside IP Addresses – Customer Gateway); this will be something like 169.254.x.x
  • Subnet Mask: from the text file (Inside IP Addresses – Customer Gateway); this will be something like 255.255.255.252
  • Add this.
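The VPN policy values above (IPSec Primary Gateway, Shared Secret, Local and Peer IKE ID) and the tunnel interface addresses (Inside IP Addresses) all come out of the Generic / Vendor Agnostic file downloaded at step 6. As an added example, not part of the original post, the Python script below parses such a file and maps each IPSec Tunnel #N block onto those Sonicwall fields; SAMPLE_CONFIG is a constructed stand-in for the download (placeholder addresses and keys), and the exact line layout of a real file is an assumption.

```python
import ipaddress
import re

# Constructed sample in the shape of the AWS "Generic / Vendor Agnostic" file (placeholders only)
SAMPLE_CONFIG = """\
! IPSec Tunnel #1
! #1: Internet Key Exchange Configuration
!   - Pre-Shared Key           : EXAMPLE_PSK_TUNNEL1
! #3: Tunnel Interface Configuration
! Outside IP Addresses:
!   - Customer Gateway         : 203.0.113.10
!   - Virtual Private Gateway  : 198.51.100.20
! Inside IP Addresses
!   - Customer Gateway         : 169.254.255.2/30
!   - Virtual Private Gateway  : 169.254.255.1/30
! IPSec Tunnel #2
! #1: Internet Key Exchange Configuration
!   - Pre-Shared Key           : EXAMPLE_PSK_TUNNEL2
"""

TUNNEL_RE = re.compile(r"IPSec Tunnel #(\d+)")
KV_RE = re.compile(r"^!\s*-\s*(.+?)\s*:\s*(.+?)\s*$")

def parse_aws_generic_config(text):
    """Return {tunnel_no: {"<heading>/<key>": value}} for every tunnel block."""
    tunnels, current, section = {}, None, ""
    for line in text.splitlines():
        m = TUNNEL_RE.search(line)
        if m:  # "! IPSec Tunnel #N" starts a new tunnel block
            current, section = tunnels.setdefault(int(m.group(1)), {}), ""
        elif current is not None and (kv := KV_RE.match(line)):
            # heading prefix keeps repeated keys (e.g. Customer Gateway) apart
            current[section + kv.group(1)] = kv.group(2)
        elif line.startswith("! "):  # any other "! text" line is a heading
            section = line[2:].strip().rstrip(":") + "/"
    return tunnels

def sonicwall_fields(tunnel):
    """Map one parsed tunnel onto the Sonicwall VPN policy / interface fields."""
    inside = ipaddress.ip_interface(tunnel["Inside IP Addresses/Customer Gateway"])
    vgw_outside = tunnel["Outside IP Addresses/Virtual Private Gateway"]
    return {
        "IPSec Primary Gateway Name": vgw_outside,
        "Shared Secret": tunnel["#1: Internet Key Exchange Configuration/Pre-Shared Key"],
        "Local IKE ID": tunnel["Outside IP Addresses/Customer Gateway"],
        "Peer IKE ID": vgw_outside,
        "Tunnel Interface IP Address": str(inside.ip),
        "Tunnel Interface Subnet Mask": str(inside.network.netmask),
    }
```

Run `sonicwall_fields(parse_aws_generic_config(open("vpn.txt").read())[1])` against the real download to get the exact strings to type into the policy and interface forms for tunnel #1 (use key 2 for the failover tunnel).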

Go to the menu Network / Routing

Under Route Policies

  • Add
  • Source: LAN Subnets
  • Destination: create a new object
    • Name: AWSNetwork
    • Zone Assignment: VPN
    • Type: Network
    • Network: the VPC CIDR created at step 1 (10.1.0.0/16)
  • Service: ANY
  • Interface: AWSVPN (the one created at the previous step)
  • Metric: 1

Go to the menu Firewall / Access Rules

From VPN to LAN

Add:

  • From: VPN
  • To: LAN
  • Source Port: Any
  • Service: Any
  • Source: AWSNetwork (created at the previous step)
  • Destination: Any
  • Always On

OK

*** Now create the reverse rule:

From LAN to VPN

Add:

  • From: LAN
  • To: VPN
  • Source Port: Any
  • Service: Any
  • Source: Any
  • Destination: AWSNetwork (created at the previous step)
  • Always On

OK

NOW THE EC2 INSTANCE:

Network and Security

  • Security Groups (select the group, go to the Inbound tab, then Edit)
    • Add Rule
      • Type: All traffic
      • Protocol: All
      • Port Range: 0 – 65535
      • Source: Custom IP
      • Your LAN: 192.168.10.0/24

*** BE SURE YOUR SECURITY GROUP IS ASSIGNED PROPERLY TO YOUR EC2 INSTANCE

EC2:

Select one of your instances:

Actions / Manage Private IP

Set a private IP from the range you defined in step 2 (the subnet).

e.g. 10.1.1.1

From your network, test the ping: 10.1.1.1

You should get a reply!
