Multiple subnets on far side of tunnel

system · March 2, 2015, 11:41pm

Greetings, community!

So I’ve gotten a tunnel established between my AWS VPC and the corporate datacenter, and traffic is flowing! However, there are two different CIDR blocks I need to route to over the tunnel and it doesn’t seem obvious how to set this up without establishing a completely separate tunnel, so I’m looking for a pointer or two. Here’s what I’m looking for:

AWS VPC 10.54.0.0/16 > VyOS Tunnel endpoint (10.54.0.5) > SonicWall VPN device (10.105.1.3) > 10.64.0.0/10 & 10.128.0.0/9

Apparently SonicWall devices just allow you to put in 10.0.0.0/8 and if there is a more specific subnet for traffic, it will send the packets there. I believe AWS will do the same, but I want to see if there’s a “proper” way to do this.

Thanks!

system · March 3, 2015, 4:33pm

More information:

I’ve set up a second tunnel for the second remote CIDR block, but it never seems to connect. Here’s the config, with the proper bits redacted:

site-to-site {
peer {
authentication {
id
mode pre-shared-secret
pre-shared-secret XXXXX
}
connection-type initiate
default-esp-group espGroup1
description “Tunnel 1”
ike-group ikeGroup1
local-address 10.54.0.5
tunnel 1 {
allow-nat-networks disable
allow-public-networks disable
local {
prefix 10.54.0.0/16
}
remote {
prefix 10.64.0.0/10
}
}
tunnel 2 {
allow-nat-networks disable
allow-public-networks disable
local {
prefix 10.54.0.0/16
}
remote {
prefix 10.128.0.0/9
}
}
}
}

I’d appreciate any help!

JFL · March 10, 2015, 2:36pm

yes it’s should works, it the configuration is made accordingly on the other side.

can you share more details about the other ipsec endpoint ?

netarchitect · March 11, 2015, 6:27am

In my experience setting up multiple tunnels between SonicWalls and VyOS you are better off using an ipsec vti routed tunnel. The configuration you have here results in only one tunnel active at a time while with a vti interface you can route the subnets you need.