Multiple subnets on far side of tunnel


#1

Greetings, community!

So I’ve gotten a tunnel established between my AWS VPC and the corporate datacenter, and traffic is flowing! However, there are two different CIDR blocks I need to route to over the tunnel and it doesn’t seem obvious how to set this up without establishing a completely separate tunnel, so I’m looking for a pointer or two. Here’s what I’m looking for:

AWS VPC 10.54.0.0/16 > VyOS Tunnel endpoint (10.54.0.5) > SonicWall VPN device (10.105.1.3) > 10.64.0.0/10 & 10.128.0.0/9

Apparently SonicWall devices just allow you to put in 10.0.0.0/8 and if there is a more specific subnet for traffic, it will send the packets there. I believe AWS will do the same, but I want to see if there’s a “proper” way to do this.

Thanks!


#2

More information:

I’ve set up a second tunnel for the second remote CIDR block, but it never seems to connect. Here’s the config, with the proper bits redacted:

site-to-site {
    peer {
        authentication {
            id
            mode pre-shared-secret
            pre-shared-secret XXXXX
        }
        connection-type initiate
        default-esp-group espGroup1
        description "Tunnel 1"
        ike-group ikeGroup1
        local-address 10.54.0.5
        tunnel 1 {
            allow-nat-networks disable
            allow-public-networks disable
            local {
                prefix 10.54.0.0/16
            }
            remote {
                prefix 10.64.0.0/10
            }
        }
        tunnel 2 {
            allow-nat-networks disable
            allow-public-networks disable
            local {
                prefix 10.54.0.0/16
            }
            remote {
                prefix 10.128.0.0/9
            }
        }
    }
}

I’d appreciate any help!


#3

Yes, it should work, if the configuration is made accordingly on the other side.

Can you share more details about the other IPsec endpoint?


#4

In my experience setting up multiple tunnels between SonicWalls and VyOS you are better off using an IPsec VTI routed tunnel. The configuration you have here results in only one tunnel active at a time, while with a VTI interface you can route the subnets you need.
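A route-based (VTI) rewrite of the post #2 configuration, as an added example that is not from this thread or from the VyOS project. It assumes VyOS 1.2/1.3 `set`-command syntax, that the peer is the SonicWall at 10.105.1.3 from post #1, a made-up 169.254.10.0/30 transit address for the VTI, and placeholder IKE/ESP proposals (the thread does not show the real groups).

```vyos
# Added example, not the poster's config. VyOS 1.2/1.3 syntax.
# Placeholders: 169.254.10.1/30 (VTI transit address), proposal ciphers.

# IKE and ESP groups (cipher choices are assumptions, match them to the SonicWall)
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec ike-group ikeGroup1 key-exchange 'ikev2'
set vpn ipsec ike-group ikeGroup1 proposal 1 encryption 'aes256'
set vpn ipsec ike-group ikeGroup1 proposal 1 hash 'sha256'
set vpn ipsec esp-group espGroup1 mode 'tunnel'
set vpn ipsec esp-group espGroup1 proposal 1 encryption 'aes256'
set vpn ipsec esp-group espGroup1 proposal 1 hash 'sha256'

# The VTI is an ordinary routed interface; its address only matters on the link itself
set interfaces vti vti0 address '169.254.10.1/30'
set interfaces vti vti0 description 'Route-based tunnel to SonicWall'

# One peer and no per-prefix "tunnel N" blocks: whatever is routed into vti0 is encrypted
set vpn ipsec site-to-site peer 10.105.1.3 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 10.105.1.3 authentication pre-shared-secret 'XXXXX'
set vpn ipsec site-to-site peer 10.105.1.3 connection-type 'initiate'
set vpn ipsec site-to-site peer 10.105.1.3 ike-group 'ikeGroup1'
set vpn ipsec site-to-site peer 10.105.1.3 local-address '10.54.0.5'
set vpn ipsec site-to-site peer 10.105.1.3 vti bind 'vti0'
set vpn ipsec site-to-site peer 10.105.1.3 vti esp-group 'espGroup1'

# Steering: exactly the two corporate blocks go through the interface, nothing wider
set protocols static interface-route 10.64.0.0/10 next-hop-interface vti0
set protocols static interface-route 10.128.0.0/9 next-hop-interface vti0
```

A VTI negotiates 0.0.0.0/0 traffic selectors, so the SonicWall side has to be configured as a route-based (tunnel interface) VPN rather than a policy-based one with 10.0.0.0/8, otherwise the SA will not come up. Keeping the routes to the two specific prefixes, rather than a catch-all, is what limits which VPC traffic can reach the datacenter.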