SonicOS
Configuring SonicOS for Amazon VPC
P/N 232-001156-00 Rev C
Network Security TechNote
Contents
Overview
System or Network Requirements / Prerequisites
Deployment Considerations
Configuring Amazon VPC with a Policy-Based VPN
Configuring Amazon VPC with a Dynamic Route-Based VPN
Configuring the VPC for Deployment in Elastic Compute Cloud
Glossary of Terms
Overview
This TechNote describes how to connect a Dell SonicWALL firewall to the Amazon Virtual Private Cloud (VPC) via a static policy-based VPN or a dynamic route-based VPN.
SonicOS for Amazon VPC is a Network Security feature that lets network administrators connect a Dell SonicWALL Security Appliance firewall to a VPC on Amazon Web Services (AWS), an easy-to-use cloud computing platform suitable for individuals and organizations of all sizes.
Two VPN types are supported by SonicOS, depending on the SonicOS release:
VPN Type                  Version of SonicOS
Static policy-based VPN   5.8.1.8 and higher; 5.9.0.0 and higher; 6.1.1.0 and higher
Dynamic route-based VPN   5.9.0.0 and higher
A typical topology connects the WAN interface of the Dell SonicWALL firewall, over the Internet, to the Virtual Private Gateway of the AWS VPC (topology figure not reproduced here). Amazon VPC offers failover capability by providing two tunnels for each VPN connection the customer creates; the SonicWALL terminates each tunnel as its own tunnel interface VPN policy.
System or Network Requirements / Prerequisites
SonicOS configuration for Amazon Virtual Private Cloud (VPC) is supported on the following versions of SonicOS:
SonicOS 5.8.1.8 and higher
SonicOS 5.9.0.0 and higher
SonicOS 6.1.1.0 and higher
SonicOS configuration for Amazon Virtual Private Cloud (VPC) is supported on the following Dell SonicWALL products running SonicOS 5.8 or 5.9:
NSA 220 / 220W, NSA 240, NSA 2400, NSA 250M / 250MW, NSA 3500, NSA 4500, NSA 5000, NSA E5500, NSA E6500, NSA E7500, NSA E8500, NSA E8510
TZ 100 / 100 Wireless, TZ 105 / 105 Wireless, TZ 200 / 200 Wireless, TZ 205 / 205 Wireless, TZ 210 / 210 Wireless, TZ 215 / 215 Wireless
SonicOS configuration for Amazon Virtual Private Cloud (VPC) is supported on the following Dell SonicWALL products running SonicOS 6.1 or higher:
NSA 2600, NSA 3600, NSA 4600, NSA 5600, NSA 6600, SuperMassive 9200, SuperMassive 9400, SuperMassive 9600
Deployment Considerations
No special license is needed, but a current support contract is required for SonicOS 5.8.1.8 and later.
The SonicWALL firewall for Amazon VPC is not supported on the NSA 2400MX.
The SonicWALL firewall for Amazon VPC does not support a secondary customer VPN gateway on a secondary WAN interface in the same VPC. VPNs are deployed on one interface only in a single VPC.
The SonicWALL firewall for Amazon VPC cannot be deployed behind a NAT device: Amazon VPC does not support NAT traversal for the customer gateway, so the WAN interface that the VPN policy is bound to must hold the public IP address registered as the Customer Gateway.
Some platforms may require an expanded license for BGP support, which a dynamic route-based VPN requires.
Configuring Amazon VPC with a Policy-Based VPN
To configure a policy-based VPN between the Dell SonicWALL firewall and the Amazon Virtual Private Cloud (VPC), perform the following tasks:
Amazon Web Services Configuration Tasks
1. Initializing the VPC
2. Creating the Subnet
3. Creating the Virtual Private Gateway
4. Attaching the Virtual Private Gateway to the VPC
5. Creating a Customer Gateway
SonicOS Configuration Tasks
1. Configuring the Tunnel Interface VPN Policy
2. Configuring a Static Route
Amazon Web Services Configuration Tasks
To create a Virtual Private Cloud on Amazon Web Services (AWS), perform the tasks in this section on the AWS portal:
Initializing the VPC
1. On your PC, from your browser, go to https://console.aws.amazon.com/console/home.
2. Go to Services > VPC.
This takes you to the VPC home page.
3. In the left column, click Your VPCs.
4. Click the Create VPC button.
5. In the CIDR Block: box, enter the network IP address.
For example, enter 10.0.0.0/16.
6. Click the Yes, Create button.
Creating the Subnet
7. In the left column, click Subnets.
8. Click the Create Subnet button.
9. In the CIDR Block: box, enter the subnet IP address.
For example, enter 10.0.1.0/24.
10. Click the Yes, Create button.
Creating the Virtual Private Gateway
11. In the left column, click Virtual Private Gateways.
12. Click the Create Virtual Private Gateway button.
13. Click the Yes, Create button.
Attaching the Virtual Private Gateway to the VPC
14. Select the Virtual Private Gateway you just created.
15. Click the Attach to VPC button.
16. Select the VPC you created.
17. Click the Yes, Attach button.
Creating a Customer Gateway
18. In the left column, click Customer Gateways.
19. Click the Create Customer Gateway button.
20. In the Routing box, select Static.
21. In IP Address box, enter the WAN IP address of the SonicWALL
appliance.
For example, enter 192.0.2.1.
22. Click the Yes, Create button.
To create a VPN:
23. In the left column, click Route Tables.
24. Select the route table associated with the VPC.
25. On the Routes tab, add a route whose Destination is 0.0.0.0/0 and whose Target is the Virtual Private Gateway you attached. (Routing only the on-premises prefix, for example 192.168.0.0/16, to the Virtual Private Gateway is the narrower choice and keeps other traffic from being sent into the tunnel.)
26. Click the Add button.
27. In the left column, click VPN Connections.
28. Click the Create VPN Connection button.
29. In the Virtual Private Gateway list, select the appropriate Virtual Private Gateway.
30. In the Customer Gateway list, select the appropriate
Customer Gateway.
31. Select the Use static routing option.
32. In the IP Prefix box, enter the on-premises prefix behind the SonicWALL appliance, that is, the network that must reach the VPC through the tunnel. For example, 192.168.0.0/16.
33. Click the Yes, Create button.
34. Click the Static Routes tab to add more subnets.
To download the configuration text file to configure the Dell
SonicWALL appliance connection to the AWS VPC:
35. In the left column, click VPN Connections.
36. Select the appropriate VPN connection.
37. Click Download Configuration.
38. In the Vendor list, select Generic.
39. In the Platform list, select Generic.
40. In the Software list, select Vendor Agnostic.
41. Click the Yes, Download button.
42. Save the text file to your PC.
Open the text file you just downloaded from AWS. It contains the tunnel interface VPN policy configuration for the firewall: for each of the two IPsec tunnels, the outside IP address of the Amazon Virtual Private Gateway, the pre-shared key, and the IKE proposal (negotiation mode, DH group, encryption, authentication, and lifetime). Configure the VPN policy on your Dell SonicWALL Security Appliance with the values for IPsec Tunnel #1; for failover, repeat the same SonicOS steps with the values for IPsec Tunnel #2, which has its own gateway address and pre-shared key.
SonicOS Configuration Tasks
To connect a firewall to your AWS VPC, a matching VPN policy must be configured on the Dell SonicWALL Security Appliance. A tunnel interface is created by configuring a VPN policy of type Tunnel Interface on a physical interface from the firewall to the remote AWS gateway.
Configuring the Tunnel Interface VPN Policy
To configure a tunnel interface VPN policy:
1. In the SonicOS management interface on your Dell SonicWALL
appliance, go to VPN > Settings.
2. Under VPN Policies, click the Add button.
3. Click the General tab.
4. In the Policy Type list, select Tunnel Interface.
5. In the Authentication Method list, select IKE using Preshared
Secret.
6. In the Name box, type the name of your policy.
7. In the IPsec Primary Gateway Name or Address box, enter the
matching identity address from the text file that you downloaded
from AWS. The matching identity address is the IP address of the
Amazon Virtual Gateway.
8. In the IKE Authentication section, enter the required
information using the configuration text file you downloaded from
VPC.
9. Click the Proposals tab.
10. In the Exchange list, select Main Mode.
11. In the DH Group list, select the value that matches the
group value from the AWS text file. For example, Group 2.
12. In the Encryption list, select the value that matches the
encryption value from the AWS text file. For example, AES-128.
13. In the Authentication list, select the value that matches
the authentication value from the AWS text file. For example,
SHA1.
14. In the Life Time box, enter the value that matches the
lifetime value from the AWS text file. For example, 28800.
15. Click the Advanced tab.
16. Select the Enable Keep Alive option (box should be
checked).
17. In the VPN Policy bound to list, select the appropriate
interface (the WAN interface on the SonicWALL Security Appliance).
For example, Interface X1.
18. Click OK.
Configuring a Static Route
To configure a static route:
19. In the SonicOS management interface on your Dell SonicWALL
appliance, go to Network > Routing.
20. Under Route Policies, click the Add button.
21. In the Source list, select Any.
22. In the Destination list, select the address object for the protected subnet on the AWS VPC. For example, 10.0.1.0/24, the subnet created above. (If it does not appear in the list, first create an address object for it under Network > Address Objects.)
23. In the Service list, select Any.
24. In the Gateway list, select Default Gateway.
25. In the Interface list, select the name of your VPN
policy.
26. Select the Auto-add Access Rules option.
27. Click OK.
Configuring Amazon VPC with a Dynamic Route-Based VPN
To configure a dynamic route-based VPN between the Dell SonicWALL firewall and the Amazon Virtual Private Cloud (VPC), perform the following tasks:
Amazon Web Services Configuration Tasks
1. Initializing the VPC
2. Creating the Subnet
3. Creating the Virtual Private Gateway
4. Attaching the Virtual Private Gateway to the VPC
5. Creating a Customer Gateway
SonicOS Configuration Tasks
1. Configuring the Tunnel Interface VPN Policy
2. Configure Routing
Amazon Web Services Configuration Tasks
To create a Virtual Private Cloud on Amazon Web Services (AWS), perform the tasks in this section on the AWS portal:
Initializing the VPC
1. On your PC, from your browser, go to https://console.aws.amazon.com/console/home.
2. Go to Services > VPC.
This takes you to the VPC home page.
3. In the left column, click Your VPCs.
4. Click the Create VPC button.
5. In the CIDR Block: box, enter the network IP address.
For example, enter 10.0.0.0/16.
6. Click the Yes, Create button.
Creating the Subnet
7. In the left column, click Subnets.
8. Click the Create Subnet button.
9. In the CIDR Block: box, enter the subnet IP address.
For example, enter 10.0.1.0/24.
10. Click the Yes, Create button.
Creating the Virtual Private Gateway
11. In the left column, click Virtual Private Gateways.
12. Click the Create Virtual Private Gateway button.
13. Click the Yes, Create button.
Attaching the Virtual Private Gateway to the VPC
14. Select the Virtual Private Gateway you just created.
15. Click the Attach to VPC button.
16. Select the VPC you created.
17. Click the Yes, Attach button.
Creating a Customer Gateway
18. In the left column, click Customer Gateways.
19. Click the Create Customer Gateway button.
20. In the Routing box, select Dynamic.
21. In the BGP ASN box, enter the private BGP ASN that the SonicWALL will use (for example, 65011, the value also used in the BGP CLI example later in this section).
22. In IP Address box, enter the WAN IP address of the SonicWALL
appliance.
For example, enter 192.0.2.1.
23. Click the Yes, Create button.
To create a VPN:
24. In the left column, click Route Tables.
25. Select the route table associated with the VPC.
26. On the Routes tab, add a route whose Destination is 0.0.0.0/0 and whose Target is the Virtual Private Gateway. With dynamic routing you can instead enable propagation from the Virtual Private Gateway on the Route Propagation tab, so that only the prefixes the SonicWALL advertises over BGP are installed in the table.
27. Click the Add button.
28. In the left column, click VPN Connections.
29. Click the Create VPN Connection button.
30. In the Virtual Private Gateway list, select the appropriate Virtual Private Gateway.
31. In the Customer Gateway list, select the appropriate
Customer Gateway.
32. Select the Use dynamic routing (requires BGP) option. No IP Prefix is entered for a dynamic connection: the prefixes reachable behind the SonicWALL are learned over BGP from the network statement in its BGP configuration.
33. Click the Yes, Create button.
To download the configuration text file to configure the Dell
SonicWALL appliance connection to the AWS VPC:
34. In the left column, click VPN Connections.
35. Select the appropriate VPN connection.
36. Click Download Configuration.
37. In the Vendor list, select Generic.
38. In the Platform list, select Generic.
39. In the Software list, select Vendor Agnostic.
40. Click the Yes, Download button.
41. Save the text file to your PC.
Open the text file you just downloaded from AWS. It contains the tunnel interface VPN policy configuration for the firewall: for each of the two IPsec tunnels, the outside IP address of the Amazon Virtual Private Gateway, the pre-shared key, the IKE proposal, the inside (169.254.x.x/30) addresses of both tunnel ends, and the BGP neighbor address and ASNs. Configure the VPN policies on your Dell SonicWALL Security Appliance with these values; for a dynamic route-based VPN both tunnels are configured, each with its own VPN policy, tunnel interface, and BGP neighbor.
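The AWS console steps above (VPC, subnet, Virtual Private Gateway, attachment, Customer Gateway, VPN connection, and route), and the policy-based variant of the same steps earlier in this TechNote, as one script against the EC2 API. This is an added example, not code from the TechNote, Dell SonicWALL, or Amazon. The values (10.0.0.0/16, 10.0.1.0/24, 192.0.2.1, 192.168.0.0/16, ASN 65011), the fake IDs, and the RecordingEC2 stand-in are assumptions chosen to match the document's examples. It adds the checks the console does not make: the subnet must lie inside the VPC CIDR, the on-premises prefix must not overlap the VPC, and the Customer Gateway address must not be an RFC 1918 address (the TechNote notes that Amazon VPC does no NAT traversal). Without asn it creates the static connection and route; with asn it creates a BGP connection and enables route propagation from the gateway instead.

```python
"""Provision the AWS side of a SonicWALL-to-VPC VPN (static or BGP), with the
checks the console does not perform. Added example, not SonicWALL/AWS code."""
import ipaddress

# Assumed values, matching the TechNote's examples.
VPC_CIDR = "10.0.0.0/16"
SUBNET_CIDR = "10.0.1.0/24"
SONICWALL_WAN_IP = "192.0.2.1"     # public IP registered as the Customer Gateway
ONPREM_CIDR = "192.168.0.0/16"     # network behind the SonicWALL
CUSTOMER_ASN = 65011               # only for the dynamic (BGP) variant

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def preflight(vpc_cidr, subnet_cidr, cgw_ip, onprem_cidr, asn=None):
    """Return a list of problems that would make the tunnel unusable later."""
    vpc, subnet = ipaddress.ip_network(vpc_cidr), ipaddress.ip_network(subnet_cidr)
    onprem, gw = ipaddress.ip_network(onprem_cidr), ipaddress.ip_address(cgw_ip)
    problems = []
    if not subnet.subnet_of(vpc):
        problems.append(f"subnet {subnet} is not inside VPC {vpc}")
    if vpc.overlaps(onprem):
        problems.append(f"on-premises prefix {onprem} overlaps VPC {vpc}")
    # Amazon VPC does no NAT traversal: the SonicWALL WAN address must be public.
    if any(gw in n for n in RFC1918) or gw.is_loopback or gw.is_link_local:
        problems.append(f"customer gateway {gw} is not a public address")
    # 7224 is the ASN Amazon uses for the Virtual Private Gateway (see the CLI example).
    if asn is not None and (not 1 <= asn <= 65534 or asn == 7224):
        problems.append(f"ASN {asn} is not usable as a customer ASN")
    return problems


def provision(ec2, vpc_cidr, subnet_cidr, cgw_ip, onprem_cidr, asn=None):
    """Create VPC, subnet, VGW, CGW, VPN connection and routing, in the order the
    TechNote clicks through them. Returns the IDs and the customer gateway
    configuration (the data behind the console's Download Configuration)."""
    problems = preflight(vpc_cidr, subnet_cidr, cgw_ip, onprem_cidr, asn)
    if problems:
        raise ValueError("; ".join(problems))
    static = asn is None
    vpc = ec2.create_vpc(CidrBlock=vpc_cidr)["Vpc"]["VpcId"]
    subnet = ec2.create_subnet(VpcId=vpc, CidrBlock=subnet_cidr)["Subnet"]["SubnetId"]
    vgw = ec2.create_vpn_gateway(Type="ipsec.1")["VpnGateway"]["VpnGatewayId"]
    ec2.attach_vpn_gateway(VpnGatewayId=vgw, VpcId=vpc)
    # BgpAsn is mandatory in the API; 65000 is the console's default for static routing.
    cgw = ec2.create_customer_gateway(Type="ipsec.1", PublicIp=cgw_ip,
                                      BgpAsn=asn or 65000)["CustomerGateway"]["CustomerGatewayId"]
    conn = ec2.create_vpn_connection(Type="ipsec.1", CustomerGatewayId=cgw, VpnGatewayId=vgw,
                                     Options={"StaticRoutesOnly": static})["VpnConnection"]
    rtb = ec2.describe_route_tables(Filters=[{"Name": "vpc-id", "Values": [vpc]}]
                                    )["RouteTables"][0]["RouteTableId"]
    if static:
        # Static: tell AWS which prefix sits behind the SonicWALL and route it to the VGW.
        # The TechNote routes 0.0.0.0/0; the on-premises prefix alone is the narrower choice.
        ec2.create_vpn_connection_route(VpnConnectionId=conn["VpnConnectionId"],
                                        DestinationCidrBlock=onprem_cidr)
        ec2.create_route(RouteTableId=rtb, DestinationCidrBlock=onprem_cidr, GatewayId=vgw)
    else:
        # Dynamic: prefixes arrive over BGP, so let the VGW propagate them into the table.
        ec2.enable_vgw_route_propagation(RouteTableId=rtb, GatewayId=vgw)
    return {"vpc": vpc, "subnet": subnet, "vgw": vgw, "cgw": cgw, "rtb": rtb,
            "vpn": conn["VpnConnectionId"], "config": conn["CustomerGatewayConfiguration"]}


class RecordingEC2:
    """Stand-in for boto3.client("ec2"): records every call and returns fake IDs."""
    RESPONSES = {
        "create_vpc": {"Vpc": {"VpcId": "vpc-0fake"}},
        "create_subnet": {"Subnet": {"SubnetId": "subnet-0fake"}},
        "create_vpn_gateway": {"VpnGateway": {"VpnGatewayId": "vgw-0fake"}},
        "create_customer_gateway": {"CustomerGateway": {"CustomerGatewayId": "cgw-0fake"}},
        "create_vpn_connection": {"VpnConnection": {"VpnConnectionId": "vpn-0fake",
                                                    "CustomerGatewayConfiguration": "<vpn_connection/>"}},
        "describe_route_tables": {"RouteTables": [{"RouteTableId": "rtb-0fake"}]},
    }

    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def call(**kwargs):
            self.calls.append((name, kwargs))
            return self.RESPONSES.get(name, {})
        return call


if __name__ == "__main__":
    ec2 = RecordingEC2()   # replace with boto3.client("ec2", region_name="us-east-1") to apply
    ids = provision(ec2, VPC_CIDR, SUBNET_CIDR, SONICWALL_WAN_IP, ONPREM_CIDR)
    for name, kwargs in ec2.calls:
        print(f"{name}({kwargs})")
    print(ids)
```

Swap RecordingEC2() for a real boto3 EC2 client to apply it. The "config" value it returns is the CustomerGatewayConfiguration of the connection, the same data the console offers under Download Configuration, but in its generic XML form rather than the Vendor Agnostic text rendering used in the SonicOS steps.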
SonicOS Configuration Tasks
To connect a firewall to your AWS VPC, a matching VPN policy must be configured on the Dell SonicWALL Security Appliance. A tunnel interface is created by configuring a VPN policy of type Tunnel Interface on a physical interface from the firewall to the remote AWS gateway.
Note: Amazon VPC provides two route-based VPN tunnels for each dynamic route-based VPN connection, so the customer gateway needs two tunnel interface VPN policies and two tunnel interfaces, each with its own BGP neighbor configuration.
Configuring the Tunnel Interface VPN Policy
To configure a tunnel interface VPN policy (repeat for the second tunnel with that tunnel's values):
1. In the SonicOS management interface on your Dell SonicWALL
appliance, go to VPN > Settings.
2. Under VPN Policies, click the Add button.
3. Click the General tab.
4. In the Policy Type list, select Tunnel Interface.
5. In the Authentication Method list, select IKE using Preshared
Secret.
6. In the Name box, type the name of your policy.
7. In the IPsec Primary Gateway Name or Address box, enter the
matching identity address from the text file that you downloaded
from AWS. The matching identity address is the IP address of the
Amazon Virtual Gateway.
8. In the IKE Authentication section, enter the required
information using the configuration text file you downloaded from
VPC.
9. Click the Proposals tab.
10. In the Exchange list, select Main Mode.
11. In the DH Group list, select the value that matches the
group value from the AWS text file. For example, Group 2.
12. In the Encryption list, select the value that matches the
encryption value from the AWS text file. For example, AES-128.
13. In the Authentication list, select the value that matches
the authentication value from the AWS text file. For example,
SHA1.
14. In the Life Time box, enter the value that matches the
lifetime value from the AWS text file. For example, 28800.
15. Click the Advanced tab.
16. Select the Enable Keep Alive option (box should be
checked).
17. In the VPN Policy bound to list, select the appropriate
interface (the WAN interface on the SonicWALL Security Appliance).
For example, Interface X1.
18. Click OK.
Configure Routing
19. In the SonicOS management interface, navigate to the Network
> Interfaces page.
20. Click the Add Interface drop-down menu, then select Tunnel
Interface.
21. In the General tab, set the following options:
Zone: VPN
VPN Policy: the VPN policy that was previously created
IP Address: the inside IP address that the AWS configuration file assigns to the customer gateway for this tunnel (for example, 169.254.253.6)
Subnet Mask: the subnet mask from the AWS configuration file (255.255.255.252 for the /30 inside addresses)
22. Click the OK button.
23. Navigate to the Network > Routing page.
24. In the Routing Mode drop-down menu, select Advanced
Routing.
25. In the BGP drop-down menu, select Enable (configure with
CLI).
26. Log in to the Dell SonicWALL firewall console command line interface (CLI).
27. Perform the following:
Execute the conf command to enter the configuration mode.
Execute the routing command to enter the routing configuration mode.
Execute the bgp command to enter the BGP shell, then configure terminal to enter its configuration mode.
Execute the following commands:
router bgp 65011
network 192.168.168.0/24
neighbor 169.254.253.5 remote-as 7224
neighbor 169.254.253.5 timers 10 30
neighbor 169.254.253.5 default-originate
neighbor 169.254.253.5 soft-reconfiguration inbound
Note: 65011 is the BGP ASN you entered for the Customer Gateway in AWS, 192.168.168.0/24 is the on-premises network you want to advertise to Amazon VPC, 169.254.253.5 is the inside IP address of the Amazon Virtual Private Gateway for this tunnel (the BGP neighbor, taken from the AWS configuration file), and 7224 is the BGP ASN of the Virtual Private Gateway provided by Amazon. Enter the same block for the second tunnel, using that tunnel's neighbor address.
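The mapping that the SonicOS steps above describe by hand, for both the policy-based section (gateway address, shared secret, Main Mode, DH group, encryption, authentication and lifetime taken from the downloaded file) and the per-tunnel BGP block just shown, done in code. This is an added example, not code from the TechNote, Dell SonicWALL, or Amazon. SAMPLE_CONFIG is a constructed two-tunnel file in the layout of the AWS Generic / Vendor Agnostic download; its addresses (TEST-NET and link-local ranges), ASNs and pre-shared keys are placeholders, and the parser relies on the field labels that download uses for these values. check_tunnels flags what silently breaks failover (two tunnels that do not differ in gateway, inside /30 or key) and warns about DH group 2, which is 1024-bit MODP.

```python
"""Parse the AWS 'Generic / Vendor Agnostic' VPN download and emit the SonicOS
policy values and per-tunnel BGP commands. Added example, not SonicWALL/AWS code."""
import re

# Constructed sample in the layout of the AWS generic download; addresses, ASNs
# and pre-shared keys are placeholders (TEST-NET and link-local ranges only).
TUNNEL = """\
! IPSec Tunnel #{n}
!   - Pre-Shared Key           : {psk}
!   - Authentication Algorithm : sha1
!   - Encryption Algorithm     : aes-128-cbc
!   - Lifetime                 : 28800 seconds
!   - Phase 1 Negotiation Mode : main
!   - Perfect Forward Secrecy  : Diffie-Hellman Group 2
! #3: Tunnel Interface Configuration
! Outside IP Addresses:
!   - Customer Gateway         : 192.0.2.1
!   - Virtual Private Gateway  : {vgw_out}
! Inside IP Addresses
!   - Customer Gateway         : {cgw_in}/30
!   - Virtual Private Gateway  : {vgw_in}/30
! #4: Border Gateway Protocol (BGP) Configuration:
!   - Customer Gateway ASN     : 65011
!   - Virtual Private  Gateway ASN : 7224
!   - Neighbor IP Address      : {vgw_in}
!   - Neighbor Hold Time       : 30
"""
SAMPLE_CONFIG = "! Amazon Web Services\n! Your VPN Connection ID : vpn-0fake\n" + TUNNEL.format(
    n=1, psk="psk-for-tunnel-1", vgw_out="203.0.113.10", cgw_in="169.254.253.6", vgw_in="169.254.253.5"
) + TUNNEL.format(
    n=2, psk="psk-for-tunnel-2", vgw_out="203.0.113.11", cgw_in="169.254.253.10", vgw_in="169.254.253.9")

SONICOS_ENC = {"aes-128-cbc": "AES-128", "aes-256-cbc": "AES-256", "3des-cbc": "3DES"}
SONICOS_AUTH = {"sha1": "SHA1", "md5": "MD5", "sha256": "SHA256"}


def parse_aws_config(text):
    """Return {tunnel number: {field name (lowercased): value}}. The 'outside ' /
    'inside ' prefixes keep the two 'Customer Gateway' address fields apart."""
    tunnels, current, scope = {}, None, ""
    for line in text.splitlines():
        if m := re.match(r"!\s*IPSec Tunnel #(\d+)", line):
            current, scope = tunnels.setdefault(int(m.group(1)), {}), ""
        elif current is None or re.match(r"!\s*#\d+:", line):   # section header resets scope
            scope = ""
        elif m := re.match(r"!\s*(Outside|Inside) IP Addresses", line):
            scope = m.group(1).lower() + " "
        elif m := re.match(r"!\s*-\s*([^:]+?)\s*:\s*(.+?)\s*$", line):
            current[scope + re.sub(r"\s+", " ", m.group(1)).lower()] = m.group(2)
    return tunnels


def sonicos_policy(t, name):
    """Values for VPN > Settings > Add: the General and Proposals tabs of one tunnel."""
    group = re.search(r"Group (\d+)", t["perfect forward secrecy"]).group(1)
    return {
        "Policy Type": "Tunnel Interface",
        "Authentication Method": "IKE using Preshared Secret",
        "Name": name,
        "IPsec Primary Gateway Name or Address": t["outside virtual private gateway"],
        "Shared Secret": t["pre-shared key"],
        "Exchange": "Main Mode" if t["phase 1 negotiation mode"] == "main" else "Aggressive Mode",
        "DH Group": f"Group {group}",
        "Encryption": SONICOS_ENC[t["encryption algorithm"]],
        "Authentication": SONICOS_AUTH[t["authentication algorithm"]],
        "Life Time": int(t["lifetime"].split()[0]),
    }


def sonicos_bgp(t, advertise):
    """The BGP block the TechNote types in the SonicOS CLI, for one tunnel."""
    nbr, hold = t["neighbor ip address"], int(t["neighbor hold time"])
    return "\n".join([
        f"router bgp {t['customer gateway asn']}",
        f"network {advertise}",
        f"neighbor {nbr} remote-as {t['virtual private gateway asn']}",
        f"neighbor {nbr} timers {hold // 3} {hold}",      # keepalive = hold time / 3
        f"neighbor {nbr} default-originate",
        f"neighbor {nbr} soft-reconfiguration inbound",
    ])


def check_tunnels(tunnels):
    """Failover needs two tunnels that differ in gateway, inside /30 and key and
    share one customer ASN; DH group 2 (1024-bit MODP) is flagged as a warning."""
    if sorted(tunnels) != [1, 2]:
        return [f"ERROR: expected tunnels 1 and 2, found {sorted(tunnels)}"]
    a, b, findings = tunnels[1], tunnels[2], []
    for key in ("outside virtual private gateway", "inside virtual private gateway", "pre-shared key"):
        if a[key] == b[key]:
            findings.append(f"ERROR: both tunnels share the same {key}")
    if a["customer gateway asn"] != b["customer gateway asn"]:
        findings.append("ERROR: customer ASN differs between tunnels")
    for n, t in tunnels.items():
        if int(re.search(r"Group (\d+)", t["perfect forward secrecy"]).group(1)) < 14:
            findings.append(f"WARN: tunnel {n} uses {t['perfect forward secrecy']} (below 2048-bit MODP)")
    return findings


if __name__ == "__main__":
    tunnels = parse_aws_config(SAMPLE_CONFIG)
    for n, t in tunnels.items():
        print(sonicos_policy(t, f"AWS-VPC-Tunnel-{n}"))
        print(sonicos_bgp(t, "192.168.168.0/24"))
    print("\n".join(check_tunnels(tunnels)))
```

Run it against the real download by replacing SAMPLE_CONFIG with the file's contents; the Encryption and Authentication maps cover the algorithm names AWS emits for the proposal the TechNote uses and raise a KeyError rather than guess for anything else.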
28. After the firewall learns the route from the Amazon VPC, navigate to the Firewall > Access Rules page in the SonicOS management interface.
29. Add an access rule that permits the required traffic between the zone of your protected network and the VPN zone that holds the tunnel interfaces.
Note: The rule in the TechNote is an example (screenshot not reproduced here); change the options to match your deployment.
Configuring the VPC for Deployment in Elastic Compute Cloud
This section provides the steps for launching an Elastic Compute Cloud (EC2) instance inside the VPC subnet created earlier.
To configure your EC2 settings:
1. Go to Services > EC2.
2. Click Instances.
3. Click Launch Instance.
4. Select the Classic Wizard option, and Click the Continue
button.
5. Under the Quick Start tab, choose one of the Amazon Machine Images (AMIs) and click Select.
(Select whichever system you like from the list of AMIs. For
example, Amazon Linux AMI.)
The Request Instances Wizard dialog appears.
6. In the Number of Instances box, enter the number of instances
you want.
7. In the Instance Type list, select Medium.
8. Select the Launch Instances option.
9. Select the VPC option.
10. In the Subnet list, select the appropriate subnet.
11. Click the Continue button.
12. In the IP Address box, enter the IP address of your VPC
instance. For example, if the subnet IP address is
10.0.1.0/24, the IP address for the VPC instance could be
10.0.1.7.
13. Click the Continue button.
14. In the Storage Device Configuration dialog, click the
Continue button.
Note: A metadata tag consists of a case-sensitive key/value pair, which is used to simplify the administration of your EC2 infrastructure.
15. In the Key Name box, enter a key name for the key/value pair
tag.
16. In the Value box, enter a value for the key/value pair
tag.
17. Click the Continue button.
18. In the name box, enter a name for your key pair.
19. Click Create & Download your key pair.
20. Click the Continue button.
21. Save the key pair to your PC.
22. Select the Choose one or more of your existing Security Groups option.
23. Select the appropriate security group.
24. Click the Continue button.
25. Click the Launch button.
26. Click the Close button.
27. Go to Services > VPC.
28. In the left column, click Security Groups.
29. In the lower pane, click the Inbound tab to configure an
inbound rule.
To configure an inbound rule:
Follow the steps given in the AWS Getting Started Guide, Step 8:
Update Your Amazon EC2 Security Group:
http://docs.amazonwebservices.com/gettingstarted/latest/computebasics/getting-started-security-group.html
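The instance launch and the inbound security-group rule from the steps above, done against the EC2 API with two checks the wizard does not make. This is an added example, not code from the TechNote, Dell SonicWALL, or Amazon. The subnet 10.0.1.0/24, the address 10.0.1.7, the on-premises prefix 192.168.0.0/16, the fake IDs, the RecordingEC2 stand-in and the reading of the wizard's "Medium" as m1.medium are assumptions. AWS reserves the first four and the last address of every VPC subnet, so a private address chosen as in step 12 is checked against that before the call, and the inbound rule is scoped to the network behind the SonicWALL rather than to 0.0.0.0/0, since the VPN is the intended path to the instance.

```python
"""Launch an EC2 instance into the VPC subnet and open inbound access only from
the network behind the SonicWALL. Added example, not SonicWALL/AWS code."""
import ipaddress

SUBNET_CIDR = "10.0.1.0/24"      # the TechNote's example subnet
ONPREM_CIDR = "192.168.0.0/16"   # network behind the SonicWALL, reached over the VPN


def usable_private_ip(private_ip, subnet_cidr):
    """AWS reserves the first four and the last address of every VPC subnet."""
    net = ipaddress.ip_network(subnet_cidr)
    ip = ipaddress.ip_address(private_ip)
    offset = int(ip) - int(net.network_address)
    return ip in net and 4 <= offset < net.num_addresses - 1


def ingress_rules(allowed_cidr, tcp_ports=(22,)):
    """Inbound permissions limited to allowed_cidr; refuses an Internet-wide rule."""
    net = ipaddress.ip_network(allowed_cidr)
    if net.prefixlen == 0:
        raise ValueError("refusing an inbound rule from 0.0.0.0/0")
    return [{"IpProtocol": "tcp", "FromPort": p, "ToPort": p,
             "IpRanges": [{"CidrIp": str(net), "Description": "via SonicWALL VPN"}]}
            for p in tcp_ports]


def launch(ec2, ami, subnet_id, subnet_cidr, private_ip, key_name, sg_id, allowed_cidr):
    """The Classic Wizard's choices as one API call, after tightening the security group."""
    if not usable_private_ip(private_ip, subnet_cidr):
        raise ValueError(f"{private_ip} is reserved by AWS or outside {subnet_cidr}")
    ec2.authorize_security_group_ingress(GroupId=sg_id, IpPermissions=ingress_rules(allowed_cidr))
    resp = ec2.run_instances(
        ImageId=ami, InstanceType="m1.medium", MinCount=1, MaxCount=1,   # "Medium" in the wizard
        KeyName=key_name, SubnetId=subnet_id, PrivateIpAddress=private_ip,
        SecurityGroupIds=[sg_id],
        TagSpecifications=[{"ResourceType": "instance",
                            "Tags": [{"Key": "Name", "Value": "vpc-vpn-test"}]}])
    return resp["Instances"][0]["InstanceId"]


class RecordingEC2:
    """Stand-in for boto3.client("ec2"): records calls and returns a fake instance."""
    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def call(**kwargs):
            self.calls.append((name, kwargs))
            return {"Instances": [{"InstanceId": "i-0fake"}]} if name == "run_instances" else {}
        return call


if __name__ == "__main__":
    ec2 = RecordingEC2()   # replace with boto3.client("ec2", region_name="us-east-1") to apply
    print(launch(ec2, "ami-0fake", "subnet-0fake", SUBNET_CIDR, "10.0.1.7", "my-key", "sg-0fake", ONPREM_CIDR))
    for name, kwargs in ec2.calls:
        print(name, kwargs)
```

With a real client, the key pair named in key_name must already exist (the wizard creates and downloads it in steps 18 to 21) and the security group must belong to the VPC.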
Glossary of Terms
The following abbreviations are used in this document:
AWS: Amazon Web Services
EC2: Elastic Compute Cloud
VPC: Virtual Private Cloud
_________________
Last updated: 5/22/2014