Setting up IPsec Tunnel from Sonicwall NSv to remote site

Question

Setting up IPsec Tunnel from Sonicwall NSv to remote site

Jakezxz1 40

Hello,

I have a VM inside of azure which is running Sonicwall NSv 270

I am trying to build an IPSec tunnel between it and a remote site.

The VM has 2 NICs

X1 WAN 10.1.0.4 DFGW 10.1.0.1

X0 LAN 10.1.1.4

I have 2 Subnets in Azure for these interfaces:

10.1.0.0/24

10.1.1.0/24

What I aiming to do is create an IPSec tunnel between a remote site and my Sonicwall instance.

I have created an ANY/ANY rule from the public IP of the remote site

I have a route table that is associated with both subnets - I am not sure if this route table is correctly configured.

IPsecInternal

10.156.0.0/24 <-- Remote VPN Range

VirtualAppliance

10.1.0.1 <-- The default gateway of the Sonicwall

IPsecTest

10.1.1.0/24 <--- X0 subnet

VirtualAppliance

10.1.0.1 <-- The default gateway of the sonicwall

I'm quite new to Azure as you can see so any advice would be great.

Accepted answer

0 additional answers

Your answer

Answer 1

Jackson Martins 10,606 MVP Volunteer Moderator

hi @Jakezxz1

From what I understand, your VPN policy is based on tunnel interfaces, correct? Why not consider using a site-to-site connection?

A site-to-site connection is more straightforward and automatically adds routes. The configuration for this is provided below:

Authentication Method: IKE using Preshared Secret

For Proposals:

User's image

I believe that using this way it is easier to manage and configure

Get in touch if you need more help with this issue.

--please don't forget to "[Accept the answer]" if the reply is helpful--

Jakezxz1 40 Reputation points

2023-05-04T14:17:42.9533333+00:00

Hello, Thanks for your reply.

I am not using VTI and I do not plan to use an Azure based VPN concentrator, this is the job of the sonicwall ! :)

What I want to do is establish a tunnel between a remote site and the Sonicwall which is running inside of azure.

I can see packets from 500 and 4500 coming to and from my remote device and the sonicwall, so from an Azure POV everything seems fine.

Unfortunately, the tunnel establishes for 1 second and then is immediately destroyed.

I've spoken to many people and the key take aways are that there must be an issue inside of the Azure routing as it doesn't know how to route traffic between the private address ranges.

This would make sense, somewhat, but in trying to resolve this, becomes tricky.

When, for example, I setup a default route in the Azure route table (0.0.0.0/0) and put the next hop as the virtual appliance (I.e. The sonicwall) the public IP no longer is reachable - Which confuses me somewhat.

There are limitations using the VPN Gateway in azure that we are trying to move away from.
Jackson Martins 10,606 Reputation points MVP Volunteer Moderator

2023-05-04T14:20:57.6466667+00:00

Got it, you are using a NSV sonicall azure and said:

"I configured a default route in the Azure route table (0.0.0.0/0) and put the next hop as the virtual device (i.e. the sonicwall), the public IP is no longer reachable - which confuses me a bit ."

In this case the nexthop is the sonicwall private ip which is accessible via Azure Vnet
Jakezxz1 40 Reputation points

2023-05-04T14:45:40.7866667+00:00

Hi friend,

As you can see from the attached, I changed the next hop to the Azure vnet and my pings stop and go no further, access to the VM is no longer working.
Jackson Martins 10,606 Reputation points MVP Volunteer Moderator

2023-05-04T14:59:04.07+00:00

can you check the infos like the official doc below?

https://www.sonicwall.com/support/knowledge-base/how-do-i-route-all-traffic-to-sonicwall-nsv-using-the-same-address-space-same-vnet-and-same-subnet/191112224656416/
Jakezxz1 40 Reputation points

2023-05-04T18:22:25.18+00:00

This is a very insightful article! Thank you, I've now completed this.
Unfortunately, perhaps more sonicwall related, I am on the SSL VPN to the firewall and have learned the routes for firewalled subnets (All subnets essentially) and still cannot ping the VM inside of the X0 subnet
Jackson Martins 10,606 Reputation points MVP Volunteer Moderator

2023-05-05T21:33:57.2533333+00:00

@Jakezxz1

Please "[Accept the answer]" if the information helped you. This will help us and others in the community as well.

Share via

Setting up IPsec Tunnel from Sonicwall NSv to remote site

0 additional answers

Your answer