Aviatrix Gateway to Sonicwall

This document describes how to build an IPsec tunnel based Site2Cloud connection between Aviatrix Gateway and Sonicwall.

The network setup is as follows:

VPC/VNet-AVX (with Aviatrix Gateway)

VPC/VNet CIDR: 10.0.0.0/16

On-Prem (with Sonicwall)

On-Prem Network CIDR: 10.16.100.0/24

Creating a Site2Cloud Connection

Launch a Spoke or Transit Gateway in the subnet of VPC/VNet-AVX (public subnet in AWS, GCP, or OCI).

Make note of the Gateway’s public IP address (35.161.77.0 in this example).
Navigate to Networking > Connectivity > External Connections (S2C) and click Add New to create a Site2Cloud connection using the values for one of the below options (for either you can select either PSK or certificate-based authentication).
- Static Route-Based (Unmapped)
- Static Policy-Based (Unmapped)
Substitute the following values:
- Local Gateway: select the Aviatrix Gateway created above
- Remote Gateway Type: Generic (or Sonicwall if your version of Controller is lower than Controller version 6.7. If using a higher Controller version, only select Generic or Aviatrix).
- Remote Gateway IP: Public IP of Sonicwall (66.7.242.225 in this example)
- Remote Subnet CIDR(s): 10.16.100.0/24 (on-prem network CIDR)
- Local Subnet CIDR(s): 10.0.0.0/16
- Pre-Shared Key is optional; it is auto-generated if not entered

Creating Address Objects for the VPN subnets

In the Sonicwall UI, go to Network > Address Objects > click Add.

Creating an Address Object for the Local Network

Field	Value
Name	Arbitrary e.g. Site2Cloud-local
Zone	LAN
Type	Network
Network	The LAN network range
Network Mask/Prefix	e.g. 255.255.255.0

Field

Value

Name

Arbitrary e.g. Site2Cloud-local

Zone

LAN

Type

Network

The LAN network range

Network Mask/Prefix

e.g. 255.255.255.0

Creating an Address Object for the Cloud Network

Field	Value
Name	Arbitrary e.g. site2cloud-cloud
Zone	WAN
Type	Network
Network	The Cloud network range
Network Mask/Prefix	e.g. 255.255.0.0

Field

Value

Name

Arbitrary e.g. site2cloud-cloud

Zone

WAN

Type

Network

The Cloud network range

Network Mask/Prefix

e.g. 255.255.0.0

Configuring the VPN Tunnel

Navigate to VPN > Settings > click Add.

On the General tab fill in the following fields:

Field	Value
Policy Type	Site to site
Authentication Method	IKE using Preshared Secret
Name	Arbitrary (e.g. Aviatrix-GW)
IPsec Primary Gateway Address	The public IP of the Aviatrix Gateway
IPsec Secondary Gateway Address	The public IP of the Aviatrix HA Gateway if configured
Shared Secret	Arbitrary
Confirm Shared Secret	Re-enter Shared Secret
Local IKE ID	Leave blank
Peer IKE ID	Leave blank

Field

Value

Policy Type

Site to site

Authentication Method

IKE using Preshared Secret

Name

Arbitrary (e.g. Aviatrix-GW)

IPsec Primary Gateway Address

The public IP of the Aviatrix Gateway

IPsec Secondary Gateway Address

The public IP of the Aviatrix HA Gateway if configured

Shared Secret

Arbitrary

Confirm Shared Secret

Re-enter Shared Secret

Local IKE ID

Leave blank

Peer IKE ID

Leave blank

Assigning the Local and Remote Address Objects to the Tunnel

Select the Network tab and select the Address objects created above.
Choose local network from list: e.g. Site2Cloud-local.
Select the Proposals tab and set the IKE and IPsec values.

Field Value

Exchange

Main Mode

DH Group

Group2

Encryption

AES-256

Authentication

SHA1

Life Time (seconds)

28800

IPsec (Phase 2) Proposals

Field Value

Protocol

ESP

Encryption

AES-256

Authentication

SHA1

Enable Perfect Forward Secrecy

Mark this checkbox

DH Group

Group 2

Life Time (seconds)

3600