please? the BGP VPN video for sonicwall? 😇

As long as the HQ has a fix IP, you will be good. Follow this: www.sonicwall.com/support/knowledge-base/configuring-aggressive-mode-site-to-site-vpn-when-a-site-has-dynamic-wan-public-ip-address/170505565649605/

Pretty sure it’s there :-)

What I did here is called numbered tunnel interface (with a virtual interface) There is also unnumbered tunnel interface (without an interface) which is probably what you are referring to. I’ll need to dig into the last one and probably do a video on it :)

@@JeanPierTalbot thanks for the quick reply. It would seem that with numbered interfaces, you'd still need to point your routes at the opposing gateway, no? Also, any idea why when setting up split DNS in DNS proxy, you can't pick an unnumbered interface as the path for the proxy redirection but you can (reportedly, haven't tried it yet), use a numbered tunnel interface...

I had this same question as I am trying to set up OSPF on my VPNs and am unsure if I need to set up the tunnel interfaces for it to work.

Watch this video to see how to do a vpn with one firewall have a dynamic wan IP kzbin.info/www/bejne/j6CYf6yYbL2In9Usi=4zIEzLkUA7IvG9aa

Most likely. Just create the policy manually. From lan to vpn and from vpn to lan

I think it’s a preference. Both works. I personally see the standard site to site for simple VPN setup (one subset on each sides) or for VPN with non-sonicwall firewall. I would vote for tunnel interface VPN when there is more than one subnet on each side and/or multiple VPNs. Also when you want the VPN to be a backup of a leased line

You will need to create the access rule. You need: Vpn Interface Route Access rule If you can’t get it to work. Call sonicwall tech support. They are there to help and hold time, if any, is a single digit minute wait time :-)

Good one. I would expect an interface would be needed as it’s called « tunnel interface » The sonicwall KB shows the creation of the interface. So I would expect the interface to be needed in order to be supported.

We also use route based VPN without a tunnel interface existing one works but I can’t create a new working without tunnel interface let me know how this works without a tunnel interface being added

Yes, that’s called a « unnumbered tunnel interface » On the todo list to dig into that :-)

I'm not entirely sure what is meant by Gateway IP Address as this could mean two different things so I'll answer this two ways: For a route-based VPN, gateway IP addresses are not required in the static routes that are added to utilize the tunnel. Instead, a logical pathway is utilized via the VTI (Virtual Tunnel Interface). When traffic is forwarded through this VTI via the static route, it is encapsulated by the sending VPN peer, and then there is only one other peer on the remote side that is also a member of the VPN that is also able to decrypt it. After the peer decrypts each VPN packet, it will utilize its own routing table to send the traffic on its way. If by gateway IP address you imply the specific gateway IP address defined at each peer member to point the tunnel to the opposite member, these tunnels can be bound to a specific interface on the local FW, pointing to a specific peer address at the remote side. This allows you to create dual tunnels between the same two FW appliances for a redundant tunnel configuration where you can configure ECMP routing between each FW appliance.

Of course! In this video I create a Any access rule. Just create the access rules you want instead :-)

@@JeanPierTalbot nice.. I saw it.. Am going to implement 1 but the other side is not using sonicwall... And I wanted to Limit traffic to one the host concerned and protocol

You don’t need to have the access rules the same on both firewall. The other can be set to allow everything in and out and the other firewall to be very specific in what’s allowed

Thanks

The tunnel is up but I am unable to reach any services.. I tried applying an access rule from VPN to my zone targeting my desired ip.. Still no luck.. Although you can see traffic on the access rule as last hit

Sure thing! The site that has a public IP would need to be a fix IP. Then configure the vpn just like if one side have a dynamic IP (like I showed in my video on how to do a site to site vpn)

Yes, create a route for network 0.0.0.0. That will do a tunnel all.

@@JeanPierTalbot It was actually the other VPN policy I had in place. You cannot enable a VPN interface if you have a policy based VPN tunnel enabled. Disabling it doesn't work either, it must be deleted.

Generally speaking, it’s because the other firewall didn’t answer to the initial request to build a vpn. Could be miss configuration of IP or some ISP will block vpn when you don’t have a busineee internet line (I have seen it in Canada)

Hi Pilon, good one, I don't know. I would suggest you ping your local SonicWall SE, he will be able to review that with you and maybe find different solutions if it's not supported.

Natting trafic in a tunnel is uncommon, but it can be done. Go into the nat policies and create a nat policy from your lan to the vpn subnet. Depending on your setup, you might probably want to create the corespondent reverse nat policy. Not something I can go in details here. Best would be to contact a sonicwall reseller that offer professional service.

@@JeanPierTalbot thanks for answering. yes.for the nat policies, is there any easy way on create both way policies?

Thanks for your good feedback. Much appreciated! Sigh… yeah, honestly certificate is my weakness. But fair request. :-)

@@JeanPierTalbot Brother, in my opinion, what put you on the map was your SMA videos, also your videos have good content, you have very good SonicWall content which is hard to find. #KeepItUp

Send me an email, I’ll put you in touch with the local SE in your territory

I was wondering if you ever did accomplish this as I am thinking of doing the same but with SW's SDWAN