Aviatrix Gateway to Sonicwall¶
This document describes how to build an IPsec tunnel based Site2Cloud connection between Aviatrix Gateway and Sonicwall.
The network setup is as follows:
VPC/VNet-AVX (with Aviatrix Gateway)
VPC/VNet CIDR: 10.0.0.0/16
On-Prem (with Sonicwall)
On-Prem Network CIDR: 10.16.100.0/24
Creating a Site2Cloud Connection at the Aviatrix Controller¶
- Go to Gateway > New Gateway to launch an Aviatrix Gateway at the subnet (public subnet in AWS, GCP, or OCI) of VPC/VNet-AVX. Collect Gateway’s public IP addresses (35.161.77.0 in this example).
- Go to the Site2Cloud page and click Add New to create a Site2Cloud connection.
| Field | Value |
|---|---|
| VPC ID/VNet Name | Choose VPC/VNet ID of VPC-AVX |
| Connection Type | Unmapped |
| Connection Name | Arbitrary (e.g. avx-sonicwall-s2c) |
| Remote Gateway Type | Sonicwall |
| Tunnel Type | UDP |
| Algorithms | Unmark this checkbox |
| IKEv2 | Unmark this checkbox |
| Encryption over DirectConnect | Unmark this checkbox |
| Enable HA | Unmark this checkbox |
| Primary Cloud Gateway | Select Aviatrix Gateway created above |
| Remote Gateway IP Address | Public IP of Sonicwall (66.7.242.225 in this example) |
| Pre-shared Key | Optional (auto-generated if not entered) |
| Remote Subnet | 10.16.100.0/24 (On-Prem Network CIDR) |
| Local Subnet | 10.0.0.0/16 |
Creating Address Objects for the VPN subnets¶
Navigate to Network > Address Objects > click Add.
Creating an Address Object for the Local Network¶
| Field | Value |
|---|---|
| Name | Arbitrary e.g. Site2Cloud-local |
| Zone | LAN |
| Type | Network |
| Network | The LAN network range |
| Network Mask/Prefix | e.g. 255.255.255.0 |
Creating an Address Object for the Cloud Network¶
| Field | Value |
|---|---|
| Name | Arbitrary e.g. site2cloud-cloud |
| Zone | WAN |
| Type | Network |
| Network | The Cloud network range |
| Network Mask/Prefix | e.g. 255.255.0.0 |
Configuring the VPN Tunnel¶
Navigate to VPN > Settings > click Add.
On the General tab fill in the following fields:
| Field | Value |
|---|---|
| Policy Type | Site to site |
| Authentication Method | IKE using Preshared Secret |
| Name | Arbitrary (e.g. Aviatrix-GW) |
| IPsec Primary Gateway Address | The public IP of the Aviatrix Gateway |
| IPsec Secondary Gateway Address | The public IP of the Aviatrix HA Gateway if configured |
| Shared Secret | Arbitrary |
| Confirm Shared Secret | Re-enter Shared Secret |
| Local IKE ID | Leave blank |
| Peer IKE ID | Leave blank |
Assigning the Local and Remote Address Objects to the Tunnel¶
Select the Network tab and select the Address objects created above.
Choose local network from list: e.g. Site2Cloud-local.
- Select the Proposals tab and set the IKE and IPsec values.
| Field | Value |
|---|---|
| Exchange | Main Mode |
| DH Group | Group2 |
| Encryption | AES-256 |
| Authentication | SHA1 |
| Life Time (seconds) | 28800 |
IPsec (Phase 2) Proposals
| Field | Value |
|---|---|
| Protocol | ESP |
| Encryption | AES-256 |
| Authentication | SHA1 |
| Enable Perfect Forward Secrecy | Mark this checkbox |
| DH Group | Group 2 |
| Life Time (seconds) | 3600 |
- Note - If Secondary Peer IP is configured, then Peer IKE ID must be left blank or else failover will not work properly.
