Site to Site VPN between Sonicwall and Azure, AWS and GCP

Request Demo

Configuring Azure Site to Site VPN with SonicWall hardware Firewall

To configure a VPN between a sonicwall firewall and Microsoft Azure, you will need:

Azure Side Resources

  • A Gateway subnet
  • A LAN subnet
  • A Public IP

SonicWall Side Resources

  • A LAN subnet
  • A Public IP

Azure Configuration:

  • Login to the Azure portal at https://portal.azure.com
  • Navigate to Virtual Networks and click Add to create a new network scheme.
  • In this scenario we've defined the following network. Once filled out click Create.
  • Then, define the gateway network inside of the virtual network just created, click on it and select Subnet | Subnet Gateway. Define the Gateway Subnet and click Create.
  • Next, we'll create a virtual network gateway. In the search bar at the top of the page start typing gateway. Select Virtual network gateway.
  • Create a new virtual gateway, give it a name and define the type. Select gateway type VPN, VPN type route-based, select the virtual network and create a new public IP address. We'll use this public IP address later on while configuring the VPN on the SonicWall. Click Create.
  • Click on the newly created virtual network gateway. Select Connections| Add.
  • Define this connection with a name, under connection type 'select' Site-to-site (IPSec). Create a new local network gateway. This will be the public IP of the SonicWall and the local network.
  • Provide a secure shared key. This will also be used on the SonicWall. Click OK.
  • Get the public IP of Azure and use it in the SonicWall. Navigate to Dashboard and select the Public IP address resource.

Sonicwall Configuration

Creating an Address Object for the virtual network-

  • Navigate to the Network > Address Objects.
  • Click Add to create a new Address Object.

Enter the following information:

  • Name - Enter a name for the Address ObjectZone Assignment - Click the drop-down, and then select VPN.
  • Type -Click the drop-down, and then select Network.
  • Network - Enter the network IP address as shown in the SL-VNET.
  • Netmask/Prefix Length - Enter the netmask.
  • Click Add.

Creating a SonicWall VPN Connection

  • Name - Enter a name for the Address ObjectZone Assignment - Click the drop-down, and then select VPN.
  • Give the VPN policy a name. We'll use the following settings:
    • Policy Type: Tunnel Interface
    • Authentication Method: IKE using Pre-shared Secret
    • Next, click the Proposals tab.
  • Under Proposals select:
    • IKE (Phase 1) Proposal: Exchange - IKEv2 Mode, Group - 2, Encryption - AES-256, Authentication - SHA1, Life Time -28800.
    • IKE (Phase 2) Proposal- Protocol - ESP, Encryption - 3DES, Authentication - SHA1, Life Time - 27000.
  • Select the Advanced tab. Select Enable Keep Alive. Deselect Enable Windows Networking. Select Do not send trigger packet during IKE SA negotiation.
  • Next, navigate to Network | Routing. Select Route Policies and create a new policy. Set the destination for the Azure network and select the Azure interface.

Test the connectivity from SonicWall

  • It takes 5-7 minutes for the VPN policy to come up. Once the VPN policy is up, we see a green indicator.
  • The SonicWALL firewall automatically initiates the VPN connection and keeps it alive when Keep Alive is enabled.

Test the connectivity from Azure:

  • Go to the Azure Management Portal, and navigate to Virtual Networks Gateway. Click the Connections and go to its Dashboard.
  • You can see the connection status changed from "Connecting" to "Connected".

AWS Integration with SonicWall

SonicOS' interface with Amazon Web Services (AWS) allows for the sending of logs to AWS CloudWatch Logs, the mapping of Address Objects and Groups to EC2 Instances, and the building of VPNs to connect to Virtual Private Clouds (VPCs). SonicOS connects with Amazon Web Services' (AWS) different Application Programming Interfaces (APIs).

  1. Azure Side Resources
  2. Create AWS identity from AWS Management Console. The user needs some permissions to access the different services:

    • AmazonEC2FullAccess
    • CloudWatchLogsFullAccess

    Retrieve the Secret Access Key that has been created for the user.

  3. AWS Access Configuration in SonicOS
  4. On the MANAGE | System Setup | Network | AWS Configuration page, configure SonicOS with the AWS Security Credentials. The settings include an AWS Identity and Access Management (IAM) User's Access Key (Access Key ID), the corresponding Secret Access Key and a default region.

  5. Enable AWS logs in SonicOS
    • Navigate to MANAGE | Logs & Reporting | Log Settings |AWS Logs page.
    • Select Enable Logging.
    • Ensure that the selected AWS Region is the one in which the Log Group and Log Stream were created. You can change the region used by the firewall either on this page or on the AWS Configuration page.
    • Enter the names of the Log Group and Log Stream that you created earlier and which will hold the logs sent to AWS CloudWatch Logs.
    • The logs will be sent at the specified Synchronization Interval. Change the Interval to suit your needs.
    • Click ACCEPT.
  6. Create a new Address Object Mapping:
    • Navigate to MANAGE | Policies | Objects | AWS Objects page in SonicOS.
    • Click New Mapping.
    • Click New Condition button to choose from the whole range of allowable properties.
    • EXAMPLE: Select Custom Tag for Property, then enter the key and value used in your EC2 Instance tag and click OK.
    • Optionally add a second mapping condition by clicking New Condition again.
    • When ready, click OK.
    • Click ACCEPT to save the mapping. Address Objects are then created for the IP addresses of each EC2 Instance that matches the mapping.
    • Select Enable Mapping.
    • Click ACCEPT to make the Address Object Mappings take effect.
  7. AWS VPN Configuration:
    • In SonicOS, go to the MANAGE | Connectivity | VPN | AWS VPN page.
    • In the row for the VPC you want to connect to the firewall, click the Create VPN Connection button.
    • Verify that the IP Address field in the New VPN Connection dialogue contains the firewall's public IP address, or change it as needed.
    • If the firewall detects that route propagation for one or more route tables within a VPC has been disabled, the dialogue will include the Propagate connection to all existing subnets in the VPC option. Choose it unless you want the connection to be propagated only to specific subnets.
    • Click the OK button. The VPN connection between the firewall and AWS is configured through a series of processes on both the firewall and AWS. For more information about the VPN connection, click the Information 'I' button in the table row. Refresh the data in the table and on the associated dialogues by clicking the Refresh button on the AWS VPN page.
    • After you've established the VPN connection, expand the row on the AWS VPN page to see all of the subnets in that VPC, organized by route table. Select Propagate Connection for each route table and associated subnets.

Site-To-Site IPSEC VPN connection between Google Cloud Platform (GCP) and SonicWall

  1. Initial Google Cloud Platform Configuration
    1. Create virtual private gateway
      • Go to the Hybrid Connectivity in the Google Cloud Platform Console.
      • Create VPN Gateway.
      • Fill the following details, while creating VPN gateway
        • Name
        • Network
        • Region
        • IP Address

    2. Create a Tunnel
      • Name
      • Remote peer IP Address
      • IKE Version: IKEv2
      • IKE pre-shared key
      • Routing options: Route-based
      • Remote network IP ranges
      • Select done, then create

  2. Management Platform Configuration
    1. After entering the Management Platform, Select the name of the network in which you want to set the tunnel under the Networks tab in the left menu.
    2. Locate the desired gateway, then select the three-dotted menu (...), Add Tunnel, and finally IPSec Site-2-Site Tunnel.
    3. Fill in the following information:
      • Name
      • Shared Secret
      • Public IP
      • Remote Gateway Proposal Subnets-Specified Subnets

    4. Fill in the Advanced Settings
      • IKE Version: V2
      • IKE Lifetime: 8h
      • Tunnel Lifetime: 1h
      • Dead Peer Detection Delay: 10s
      • Dead Peer Detection Timeout: 30s
      • Encryption (Phase 1): aes256
      • Encryption (Phase 2): aes256
      • Integrity (Phase 1): sha1
      • Integrity (Phase 2): sha1
      • Diffie-Hellman Groups (Phase 1): 2
      • Diffie-Hellman Groups (Phase 1): 2

  3. Configuring the Routing Rules to the VPC Network:
    1. Go to the VPC Network in the Google Cloud Platform Console. Under the left menu go to Routes.
    2. Select Create Route Rule and fill in the following information:
      • Name
      • Network
      • Destination network IP range
      • Priority
      • Next Hop: Select Specify VPN Tunnel
      • Next hop VPN tunnel: Select the VPN tunnel you created in the previous steps.
      • Select Create.

  4. Allow Incoming Connections from the Local Network using Firewall Rules:
    1. Go to the VPC Network in the Google Cloud Platform Console.
    2. Under the left menu go to Firewall Rules.

    3. Select Create Firewall Rule and fill in the following information:
      • Name
      • Logs
      • Network
      • Priority
      • The direction of traffic should be Ingress
      • Action on match: allow
      • Target tags: optional
      • Source filter: IP Ranges
      • Source IP ranges:
      • Second source filter: none
      • Allowed protocols or ports: all

    4. Select Create:
      • IKE Version: V2
      • IKE Lifetime: 8h
      • Tunnel Lifetime: 1h
      • Dead Peer Detection Delay: 10s
      • Dead Peer Detection Timeout: 30s
      • Encryption (Phase 1): aes256
      • Encryption (Phase 2): aes256
      • Integrity (Phase 1): sha1
      • Integrity (Phase 2): sha1
      • Diffie-Hellman Groups (Phase 1): 2
      • Diffie-Hellman Groups (Phase 2): 2

About Vast Edge - Simplified Cloud Solutions

Since 2004, Vast Edge has been providing cloud services including ERP implementation, integrations, migrations, data analytics, and application development. Vast Edge has recently been recognized in the Forbes Magazine as the top velocity partner and is also a certified Oracle Azure, Google, AWS cloud partner.
In these tough times, due to COVID-19 Pandemic, Vast Edge is offering Digital Transformation, Free Cloud Assessments, Free Bronze support for CSP customers, and Free access to software tools such as ticketing, finance, CRM (limitations apply). Contact us for cloud provisioning at competitive pricing, backed by a team of 100+ certified and experienced staff with high quality 24 x 7 help desk support.

Contact

Get in touch with us

chat
Hello! 👋 How can we help you today?