Cloud Edge Secure Access Getting Started Guide

AWS Virtual Gateway

This article describes how to establish a Site-To-Site IPSec VPN connection between your AWS server and the SonicWall Cloud Edge network.

  • Configuring the tunnel in the AWS Console
  • Configuring a virtual private gateway
  • Creating a virtual private network connection
  • Configuring the routing rules to the default gateway
  • Configuring the tunnel in your Management Platform
  • Troubleshooting the connection

Please follow the steps below:

Configuring the tunnel in the AWS Console

  1. Go to the VPC section in the AWS Console.
  2. Under Services, scroll down to Networking & Content Delivery and select VPC.

  3. Under the left menu VPN section, go to Customer Gateways.

  4. Select Create Customer Gateway.
  5. Select static routing.
  6. Fill in the IP Address of the SonicWall Cloud Edge gateway. This can be obtained within the SonicWall Cloud Edge panel, under Networks.

  7. Select Create Customer Gateway. A message should display indicating the gateway was created successfully.

Configuring a virtual private gateway

If you already have a virtual private gateway attached to your VPC, skip this section and continue at Creating a virtual private network connection.

  1. Go back to Services, scroll down to Networking & Content Delivery, and select VPC.
  2. On the left side, under Virtual Private Network (VPN), select Virtual Private Gateways.
  3. Select Create Virtual Private Gateway.
  4. Type the name of the gateway (for example US_HQ).
  5. Select ASN as Amazon default ASN.
  6. Select Create Virtual Private Gateway.

    A message should display indicating that the Virtual Private Gateway was created successfully.

  7. Select the newly created gateway and select Actions; on the context menu select Attach to VPC.
  8. From the drop-down menu, select the VPC and select Yes, Attach.

Creating a virtual private network connection

  1. Under Virtual Private Network in the left menu, go to Site-to-Site VPN Connections.
  2. Select Create VPN Connection.

  3. Enter the name tag (for example US_HQ).
  4. Select the created Virtual Private Gateway.
  5. Under Customer Gateway, select Existing.
  6. Select the Customer Gateway that you have created.
  7. Under Routing Options, select Static.
  8. Fill in the following Static IP Prefixes: 10.XXX.0.0/16 (according to your SonicWall Cloud Edge network subnet).

    This address might differ if you did not choose the default subnet mask for your tunnel.

  9. Under Tunnel Options, leave the default values as they are.

    Tunnel options

    AWS supports various encryption and hash algorithms for both of the tunnels it offers. If the tunnel options are left at their defaults, AWS will accept any encryption suite you choose for the handshake with SonicWall Cloud Edge.

    On this screen you can also select the inside subnets you would like to connect via the tunnel.

  10. Select Create VPN Connection.

  11. A message should display indicating that a VPN Connection Request was created successfully.

Configuring the routing rules to the default gateway

  1. Select the VPC section in the AWS Console and open the Route Table associated with your VPC.
  2. Under the Route Tables menu option, select the route table that is associated with the VPC you have created for the tunnel.

  3. Select Edit and add the new static route for the subnet below:

    Fill in 10.2xx.0.0/16 (the SonicWall Cloud Edge network subnet listed in the SonicWall Cloud Edge web portal, under Networks > Gateway > Settings) in the Destination field and your new VPN Gateway ID as the Target (it will appear under the subcategory Virtual Private Gateway).

  4. Select Save.

    If you have a customized security group associated with your VPC:

    Allow incoming connections from the local network within your security groups: configure your AWS security groups to allow all traffic from the SonicWall Cloud Edge subnet (10.2xx.0.0/16), or allow only specific traffic by port or service from these sources.

Configuring the tunnel in your Management Platform

  1. Return to Site-to-Site VPN Connections and select Download Configuration.
  2. Fill in the following information and download the config file:

    Examining the configuration file, you may notice that AWS has created two separate tunnels for the same VPN connection; SonicWall Cloud Edge, however, uses only one of them. You may choose either of the two, but for consistency and to avoid possible confusion we advise you to use the one that appears first in the file.

  3. Go to the Management Platform. Under the Networks tab in the left menu, select the name of the network where you'd like to set the tunnel.

  4. Locate the desired gateway, select the three-dotted menu (...), select Add Tunnel, and then IPSec Site-2-Site Tunnel.
  5. Open the configuration file that you have downloaded. Fill in the following fields according to the file's content: Public IP and Remote ID (both identical) and Shared Secret (remember to omit the quotation marks).

  6. The rest of the fields should be filled in with the following information:

    • Name: Enter the name you chose for the tunnel.
    • SonicWall Cloud Edge Gateway Proposal Subnets: By default, this should be set to 10.2xx.0.0/16.
    • Remote Gateway Proposal Subnets: Select specified Subnets. Insert your VPC CIDR.

  7. At the Advanced Settings section fill in the following information if you selected the default tunnel options on AWS:

    • IKE Version: V2
    • IKE Lifetime: 8h
    • Tunnel Lifetime: 1h
    • Dead Peer Detection Delay: 10s
    • Dead Peer Detection Timeout: 30s
    • Encryption(Phase 1): aes256
    • Encryption(Phase 2): aes256
    • Integrity (Phase 1): sha512
    • Integrity (Phase 2): sha512
    • Diffie-Hellman Groups (Phase 1): 21
    • Diffie-Hellman Groups (Phase 2): 21
  8. Select Add Tunnel.
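As an added example, not part of this guide or of SonicWall's or AWS's tooling, a small Python parser that pulls the three values needed in step 5 (Public IP, Remote ID and Shared Secret) out of a downloaded AWS configuration file, strips the quotation marks from the key, and returns the first of the two tunnels, as the note in step 2 recommends. The sample file, its addresses and its keys are constructed for the example; the "Pre-Shared Key" and "Virtual Private Gateway" labels are assumed to follow AWS's generic vendor format, so compare them with your own download.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of an AWS "Generic" vendor download; the
# addresses are documentation ranges and both pre-shared keys are made up.
SAMPLE_CONFIG = """\
! IPSec Tunnel #1
! - Authentication Method    : Pre-Shared Key
! - Pre-Shared Key           : "CONSTRUCTED_PSK_ONE"
! Outside IP Addresses:
!   - Customer Gateway          : 203.0.113.10
!   - Virtual Private Gateway   : 198.51.100.1
! IPSec Tunnel #2
! - Pre-Shared Key           : "CONSTRUCTED_PSK_TWO"
! Outside IP Addresses:
!   - Customer Gateway          : 203.0.113.10
!   - Virtual Private Gateway   : 198.51.100.2
"""

@dataclass
class TunnelFields:
    public_ip: str      # Public IP field of the Cloud Edge tunnel form
    remote_id: str      # Remote ID field; the guide says it equals the public IP
    shared_secret: str  # pre-shared key with the surrounding quotation marks removed

TUNNEL_HDR = re.compile(r"IPSec Tunnel #")
PSK_RE = re.compile(r"Pre-Shared Key\s*:\s*(.+?)\s*$")
VGW_IP_RE = re.compile(r"Virtual Private Gateway\s*:\s*(\d{1,3}(?:\.\d{1,3}){3})")

def parse_tunnels(text: str) -> list[TunnelFields]:
    """Split the file on its 'IPSec Tunnel #N' headers and collect each tunnel's fields."""
    tunnels, psk, vgw = [], None, None
    for line in text.splitlines() + ["! IPSec Tunnel #end"]:  # sentinel flushes the last section
        if TUNNEL_HDR.search(line):
            if psk and vgw:
                tunnels.append(TunnelFields(vgw, vgw, psk))
            psk, vgw = None, None
        elif m := PSK_RE.search(line):
            psk = m.group(1).strip('"\'')  # the form wants the key without quotation marks
        elif (m := VGW_IP_RE.search(line)) and vgw is None:
            vgw = m.group(1)  # first VGW address in a section is its outside (public) IP
    return tunnels

def first_tunnel(text: str) -> TunnelFields:
    """The tunnel that appears first in the file, which is the one the guide says to use."""
    tunnels = parse_tunnels(text)
    if not tunnels:
        raise ValueError("no tunnel with both a pre-shared key and a VGW address found")
    return tunnels[0]
```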

Troubleshooting the connection

  1. To verify that the tunnel is UP, check your SonicWall Cloud Edge interface for the green dot next to the tunnel.
  2. You can check the tunnel routes via "Routes Table" inside the SonicWall Cloud Edge network.
  3. Even if the tunnel state is UP, you may still be unable to reach your VPC via the tunnel. Further steps to verify AWS reachability include:

    • Checking the route table associated with your VPC for a route that sends traffic from the SonicWall Cloud Edge internal range to the VPG
    • Checking the route table associated with the specific subnet you are trying to access (if different from the main VPC route table)
    • Checking whether you have a Security Group that allows traffic from the SonicWall Cloud Edge internal range to your AWS resource
