Configuring Site to Site VPN policies using Enterprise Command Line Interface (E-CLI)

Description

Configuring Site to Site VPN policies using Enterprise Command Line Interface (E-CLI)

Resolution

SonicOS 5.9 introduces a new, more robust, enterprise-level Command Line Interface (E-CLI). This KB article describes how to create Site to Site VPN policies using E-CLI.

The CLI can be accessed over a serial cable or SSH. Please refer to the SonicOS 5.9 Administration Guide, Appendix A: CLI Guide, for more details.

Global System Commands

The following system commands are global and can be executed from anywhere in the config module.

Command      Description
Tab key      Aids in completing a command. Displays useful information such as the next option in the command.
? key        Lists the next command or commands with a short description of each command. For certain commands, the ? key even displays examples of using the given command.
q key        Breaks the listing of commands or information. Useful when the output of a command like show current-config needs to be stopped.
cancel       Exit from the mode without saving changes.
clear        Reset functions.
commit       Save configuration changes. The command commit best-effort will save only valid changes.
diag         Diagnostic functions.
end          Exits the current mode and returns to global configuration mode without saving any changes made in the current mode.
exit         Exit the current mode without saving any changes made in the current mode.
export       Export system status or configuration.
help         Display command help.
no           Negate a command or set its defaults.
show         Show system status or configuration.

For the purpose of this article, we use an NSA 220 and an NSA 4500 with the following IP addresses as examples to demonstrate the VPN configuration.

NSA 220

WAN (X1):192.168.170.31
LAN (X0): 10.10.10.0/24

NSA 4500

WAN (X1): 192.168.170.51
LAN (X0): 172.27.24.0/24


Note: One of the benefits of E-CLI is that commands can be copied and pasted into the CLI. You can therefore paste the commands below directly into each SonicWall's CLI, substituting your own IP addresses, names and so on for the ones shown.

Note: The values in the examples are placeholders, not recommendations. Replace the shared secret "1234" with a long random secret that is identical on both peers. The IKE proposal (triple-des, dh-group 2, sha256, 28800 seconds) must also match on both peers; pressing ? or Tab after proposal ike encryption or proposal ike dh-group lists the stronger ciphers and groups your firmware supports, and you should pick them where both peers allow it. The line management https ssh exposes the firewall's own management interface across the tunnel, so include it only where administration over the VPN is intended.
 

The commands are given for each firewall in turn: first the NSA 220 configuration, then the NSA 4500 configuration.

Create an address object for the remote network

NSA 220:
config
address-object ipv4 "NSA 4500 LAN" network 172.27.24.0 /24 zone VPN

NSA 4500:
config
address-object ipv4 "NSA 220 LAN" network 10.10.10.0 /24 zone VPN

  • Make sure there is a space after the network address and before the slash notation, and no space between the "/" and the prefix length.
  • These address objects are referenced as the remote networks throughout this article.
  • Address objects can also be created "on the fly" while creating the VPN policy. For example, the policy command network remote network 172.27.24.0 /24 creates an address object named "172.27.24.0/24".
Site to Site VPN Configuration - IKEv2 Mode

NSA 220:
vpn policy site-to-site "To Remote Site"
enable
gateway primary 192.168.170.51
auth-method shared-secret
shared-secret "1234"
exit
network local name "X0 Subnet"
network remote name "NSA 4500 LAN"
proposal ike authentication sha256
proposal ike dh-group 2
proposal ike encryption triple-des
proposal ike exchange ikev2
proposal ike lifetime 28800
keep-alive
management https ssh
bound-to zone WAN
commit
exit

NSA 4500:
vpn policy site-to-site "To Central Site"
enable
gateway primary 192.168.170.31
auth-method shared-secret
shared-secret "1234"
exit
network local name "X0 Subnet"
network remote name "NSA 220 LAN"
proposal ike authentication sha256
proposal ike dh-group 2
proposal ike encryption triple-des
proposal ike exchange ikev2
proposal ike lifetime 28800
management https ssh
bound-to zone WAN
commit
exit
Other (optional) commands

netbios                     // Enable Windows Networking (NetBIOS) Broadcast
multicast                   // Enable Multicast
management snmp             // Enable SNMP via this SA
user-login http             // Enable user login via this SA over HTTP
user-login https            // Enable user login via this SA over HTTPS
default-lan-gateway         // Default LAN Gateway allows the network administrator to specify the IP address of the default LAN route for incoming IPsec packets for this SA.
suppress-trigger-packet     // Enable suppression of IKEv2 trigger packets
tcp-acceleration            // Enable acceleration
suppress-auto-add-rule      // Enable suppression of auto-added rules.
apply-nat                   // Enable NAT over VPN.
allow-sonicpointn-layer3    // Enable management of SonicPoint over VPN

Each of these widens what the remote site can reach through the tunnel (management snmp and user-login http in particular), so enable only the ones the remote site actually needs. If you enable suppress-auto-add-rule, the access rules that the policy would otherwise add for you must be written by hand.
Site to Site VPN Configuration - Main Mode

NSA 220:
vpn policy site-to-site "To Remote Site"
enable
gateway primary 192.168.170.51
network local name "X0 Subnet"
network remote name "NSA 4500 LAN"
auth-method shared-secret
shared-secret "1234"
exit
proposal ike authentication sha256
proposal ike dh-group 2
proposal ike encryption triple-des
proposal ike exchange main
proposal ike lifetime 28800
keep-alive
management https ssh
bound-to zone WAN
commit
exit

NSA 4500:
vpn policy site-to-site "To Central Site"
enable
gateway primary 192.168.170.31
network local name "X0 Subnet"
network remote name "NSA 220 LAN"
auth-method shared-secret
shared-secret "1234"
exit
proposal ike authentication sha256
proposal ike dh-group 2
proposal ike encryption triple-des
proposal ike exchange main
proposal ike lifetime 28800
management https ssh
bound-to zone WAN
commit
exit
Other (optional) commands are the same as listed under IKEv2 mode
Site to Site VPN Configuration - Aggressive Mode

NSA 220:
vpn policy site-to-site "To Remote Site"
enable
gateway primary 192.168.170.51
auth-method shared-secret
shared-secret "1234"
ike-id local sonicwall-id "Branch Office"
ike-id peer sonicwall-id "HQ"
exit
network local name "X0 Subnet"
network remote name "NSA 4500 LAN"
proposal ike authentication sha256
proposal ike dh-group 2
proposal ike encryption triple-des
proposal ike exchange aggressive
proposal ike lifetime 28800
keep-alive
management https ssh
bound-to zone WAN
commit
exit

NSA 4500:
vpn policy site-to-site "To Central Site"
enable
gateway primary 192.168.170.31
auth-method shared-secret
shared-secret "1234"
ike-id local sonicwall-id "HQ"
ike-id peer sonicwall-id "Branch Office"
exit
network local name "X0 Subnet"
network remote name "NSA 220 LAN"
proposal ike authentication sha256
proposal ike dh-group 2
proposal ike encryption triple-des
proposal ike exchange aggressive
proposal ike lifetime 28800
management https ssh
bound-to zone WAN
commit
exit

  • Other (optional) commands are the same as listed under IKEv2 mode.
  • The exchange must be set to aggressive on both peers, and each peer's local IKE ID must be exactly what the other peer has configured as its peer IKE ID ("Branch Office" and "HQ" above).
  • Pressing the Tab or the ? key after ike-id local lists the options: domain-name, email-address, ip, key-id, sonicwall-id.
  • Aggressive mode sends the peer identities unencrypted and exposes a hash derived from the shared secret to offline guessing, so use it only where a peer's address is dynamic, and then only with a long random shared secret; prefer IKEv2 where both peers support it.
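The IKEv2, Main and Aggressive mode sections above are one procedure with a single variable (the exchange type and, for aggressive mode, the IKE IDs), and every line on one peer has a mirror on the other. As an added example, not part of this article or of SonicWall's tooling, the Python script below renders both peers' pasteable E-CLI scripts from one description of each site, generates a random shared secret in place of "1234", enforces the address-object spacing rule, and checks that the two scripts mirror each other (each gateway is the other peer's WAN address, each remote network is the other peer's LAN object, proposal and secret identical, IKE IDs swapped) before anything is pasted. The names Peer, PAGE_PROPOSAL, render_pair and mirror_ok are this example's own; the command order and proposal values are the article's, and the assumption that a 48-character hex string is an acceptable shared-secret value is the example's.

```python
"""Added example (not SonicWall code): render mirrored SonicOS E-CLI site-to-site
policies for two peers and check that the two scripts agree before pasting them."""
import ipaddress
import re
import secrets
from dataclasses import dataclass

# IKE (phase 1) proposal used in the article; substitute stronger values that both
# peers support (press ? after "proposal ike encryption" to list what is available).
PAGE_PROPOSAL = {"authentication": "sha256", "dh-group": "2",
                 "encryption": "triple-des", "lifetime": "28800"}
MODES = ("ikev2", "main", "aggressive")

@dataclass(frozen=True)
class Peer:
    name: str         # "NSA 220": the other peer names its address object "<name> LAN"
    wan_ip: str       # WAN (X1) address; the other peer uses it as "gateway primary"
    lan_cidr: str     # LAN (X0) network the other peer reaches through the tunnel
    policy: str       # policy name on this peer, e.g. "To Remote Site"
    ike_id: str = ""  # sonicwall-id, emitted only in aggressive mode

def quoted(value):
    """E-CLI string arguments are double-quoted; refuse values that break the quoting."""
    if '"' in value or "\n" in value:
        raise ValueError(f"unsafe E-CLI string: {value!r}")
    return f'"{value}"'

def address_object(remote):
    """Address object for the remote LAN: a space before '/', none after it."""
    net = ipaddress.ip_network(remote.lan_cidr, strict=True)  # rejects host bits set
    return (f"address-object ipv4 {quoted(remote.name + ' LAN')} "
            f"network {net.network_address} /{net.prefixlen} zone VPN")

def policy(local, remote, psk, mode, keep_alive, proposal=PAGE_PROPOSAL):
    """The vpn policy block for one peer, in the article's command order."""
    if mode not in MODES:
        raise ValueError(f"unknown exchange mode {mode!r}")
    ipaddress.ip_address(remote.wan_ip)  # the gateway must be a literal address here
    lines = [f"vpn policy site-to-site {quoted(local.policy)}", "enable",
             f"gateway primary {remote.wan_ip}", "auth-method shared-secret",
             f"shared-secret {quoted(psk)}"]
    if mode == "aggressive":  # aggressive mode identifies the peers by IKE ID
        if not (local.ike_id and remote.ike_id):
            raise ValueError("aggressive mode needs an IKE ID on both peers")
        lines += [f"ike-id local sonicwall-id {quoted(local.ike_id)}",
                  f"ike-id peer sonicwall-id {quoted(remote.ike_id)}"]
    lines += ["exit", 'network local name "X0 Subnet"',
              f"network remote name {quoted(remote.name + ' LAN')}",
              f"proposal ike authentication {proposal['authentication']}",
              f"proposal ike dh-group {proposal['dh-group']}",
              f"proposal ike encryption {proposal['encryption']}",
              f"proposal ike exchange {mode}",
              f"proposal ike lifetime {proposal['lifetime']}"]
    if keep_alive:  # the article enables keep-alive on the NSA 220 side only
        lines.append("keep-alive")
    return lines + ["management https ssh", "bound-to zone WAN", "commit", "exit"]

def render_pair(a, b, mode, psk=""):
    """Pasteable scripts for peer a and peer b. With no psk given, a random 48-character
    hex secret replaces the article's placeholder "1234" (assumed acceptable to shared-secret)."""
    psk = psk or secrets.token_hex(24)
    script_a = "\n".join(["config", address_object(b)] + policy(a, b, psk, mode, True))
    script_b = "\n".join(["config", address_object(a)] + policy(b, a, psk, mode, False))
    return script_a, script_b, psk

_SETTING = re.compile(r"^(gateway primary|network remote name|shared-secret"
                      r"|proposal ike \S+|ike-id (?:local|peer) sonicwall-id) (.+)$")

def settings(script):
    """Pull the settings that must agree between the peers out of a rendered script."""
    found = {}
    for line in script.splitlines():
        m = _SETTING.match(line.strip())
        if m:
            found[m.group(1)] = m.group(2)
    return found

def mirror_ok(script_a, script_b, a, b):
    """True when the two scripts describe one tunnel: same secret and proposal, each
    gateway is the other's WAN, each remote network is the other's LAN object, and
    each local IKE ID is what the other side expects as its peer IKE ID."""
    sa, sb = settings(script_a), settings(script_b)
    shared = {k for k in list(sa) + list(sb) if k.startswith("proposal ike")}
    if any(sa.get(k) != sb.get(k) for k in shared | {"shared-secret"}):
        return False
    if sa.get("gateway primary") != b.wan_ip or sb.get("gateway primary") != a.wan_ip:
        return False
    if (sa.get("network remote name") != quoted(b.name + " LAN")
            or sb.get("network remote name") != quoted(a.name + " LAN")):
        return False
    return (sa.get("ike-id local sonicwall-id") == sb.get("ike-id peer sonicwall-id")
            and sb.get("ike-id local sonicwall-id") == sa.get("ike-id peer sonicwall-id"))

if __name__ == "__main__":
    nsa220 = Peer("NSA 220", "192.168.170.31", "10.10.10.0/24", "To Remote Site", "Branch Office")
    nsa4500 = Peer("NSA 4500", "192.168.170.51", "172.27.24.0/24", "To Central Site", "HQ")
    for mode in MODES:
        sa, sb, _ = render_pair(nsa220, nsa4500, mode)
        assert mirror_ok(sa, sb, nsa220, nsa4500)
        print(f"### {mode}: paste into NSA 220 ###\n{sa}\n### {mode}: paste into NSA 4500 ###\n{sb}\n")
```

Run as a script it prints all three variants for the article's two firewalls; with the two peers defined as above and mode "ikev2", the NSA 220 output is line for line the IKEv2 listing in this article, except for the secret. The mirror_ok check is deliberately done on the rendered text rather than on the Peer objects, so it also catches a script that was hand-edited on one side only (a changed exchange type, a retyped secret, a gateway pointing at the wrong peer) before it is pasted into a firewall.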
Edit VPN policies
To edit and change a VPN policy, follow these steps:

As already mentioned, at each prompt pressing "?" lists the usage with example(s), and pressing the Tab key either completes a partly typed command or lists the next commands or values that can be typed. For example:
  • pressing the Tab key after vpn policy lists the following options:
      enable  group-vpn   site-to-site   tunnel-interface
  • pressing the Tab key after vpn policy sit auto-completes it to site-to-site
  • pressing the Tab key after vpn policy site-to-site lists the configured policies if there are several. If there is only one site-to-site VPN policy, the command is auto-completed with that policy's name: vpn policy site-to-site To Remote Site

Enter the edit module of the policy:

config vpn policy site-to-site "To Remote Site"

Pressing "?" or the Tab key lists the commands available within this module:
 
auth-method         Authentication Method.
bound-to            Configure VPN Policy Bound To.
enable              Enable Policy.
gateway             IPsec Gateway Name or Address.
management          Enable Management for VPN Policy.
multicast           Enable VPN Policy Multicast.
name                Policy name.
netbios             Enable VPN Policy NetBIOS.
proposal            Policy proposal.
tcp-acceleration    Enable Permit TCP Acceleration.
transport-mode      Enable Transport Mode.
user-login          Enable VPN Policy for User Login.
 
(edit-site-to-site[To Remote Site])# no enable              // disable the VPN
(edit-site-to-site[To Remote Site])# no management https    // disable HTTPS management over VPN
(edit-site-to-site[To Remote Site])# user-login https       // enable HTTPS user login over VPN
(edit-site-to-site[To Remote Site])# no netbios             // disable NetBIOS broadcasts over VPN
(edit-site-to-site[To Remote Site])# cancel                 // exit this module without saving the changes
(edit-site-to-site[To Remote Site])# commit                 // save the changes

The last two lines are alternatives: cancel discards everything entered in this module, commit saves it. Changes made in the module do not take effect until commit is entered.
Delete a VPN policy

To delete a VPN policy, enter the following command at the config prompt:

config
no vpn policy site-to-site "To Remote Site" 

Display VPN policies and VPN Tunnel information
The show command is global and can be executed from any module.  

Enter this command to show a specific site-to-site VPN policy by name

show vpn policy "To Remote Site"

Enter this command to show all VPN policies :

show vpn policies 

To display information on an active VPN tunnel, enter this command:

show vpn tunnel "To Remote Site"

To display information on all active VPN tunnels, enter this command:

show vpn tunnels

Display VPN Logs
To display VPN logs, enter the following command:

show log view category "VPN"

The view can be further filtered using the following options:

priority                 Show log with specified priority.
source-interface         Show log with specified source interface.
destination-interface    Show log with specified destination interface.
source-ip                Show log with specified source IP.
source-port              Show log with specified source port.
destination-ip           Show log with specified destination IP.
destination-port         Show log with specified destination port.
ip-protocol              Show log with specified IP protocol number.
user-name                Show log with specified user name.
application              Show log with specified application.

 
