03/26/2020
How to Create a Site to Site VPN Policy using Certificates from the Command-line Interface (CLI)
Feature/Application:
This KB article describes how to create a Site to Site VPN from the CLI between two SonicWall UTM appliances using certificates for authentication.
Procedure:
For the purpose of this article, we use the following scenario:
Site A | Site B
NSA 5600 | NSA 4500
X1 IP: 1.1.1.1 | X1 IP: 2.2.2.2
X0 Subnet: 10.10.100.0/24 | X0 Subnet: 172.27.24.0/24
Site A Configuration
configure terminal | Enter configuration mode
address-object ipv4 NSA-4500 network 172.27.24.0 255.255.255.0 zone VPN | Create an address object for the remote (Site B) network
vpn policy site-to-site NSA-4500 | Create the policy and enter its context
enable |
gateway primary 2.2.2.2 | Site B's X1 (WAN) address
auth-method certificate |
certificate Server3 | Server3 is the name of the certificate. This command assumes that a certificate has already been imported into the SonicWall.
ike-id local distinguished-name | ike-id local has the following to choose from:
ike-id peer distinguished-name "/C=IN/ST=KA/L=BLR/O=SonicWall Inc./CN=SiteA.soniclab-kb.local" | ike-id peer has the following to choose from:
exit |
network local name "X0 Subnet" | Local network of the policy
network remote name NSA-4500 | Remote network (the address object created above)
proposal ike exchange ikev2 | IKE and IPsec proposals; these values must match on both peers
proposal ike encryption triple-des |
proposal ike authentication sha-1 |
proposal ike dh-group 2 |
proposal ike lifetime 28800 |
proposal ipsec protocol esp |
proposal ipsec encryption triple-des |
proposal ipsec authentication sha-1 |
proposal ipsec lifetime 28800 |
management https |
keep-alive |
bound-to zone WAN |
exit |
commit | Save the settings
Site B Configuration
configure terminal | Enter configuration mode
address-object ipv4 NSA-5600 network 10.10.100.0 255.255.255.0 zone VPN | Create an address object for the remote (Site A) network
vpn policy site-to-site NSA-5600 | Create the policy and enter its context
enable |
gateway primary 1.1.1.1 | Site A's X1 (WAN) address
auth-method certificate |
certificate vpn-256 | vpn-256 is the name of the certificate. This command assumes that a certificate has already been imported into the SonicWall.
ike-id local distinguished-name | ike-id local has the following to choose from:
ike-id peer distinguished-name "/C=IN/ST=KA/L=BLR/O=SonicWall Inc./CN=SiteB.soniclab-kb.local" | ike-id peer has the following to choose from:
exit |
network local name "LAN Primary Subnet" | Local network of the policy
network remote name NSA-5600 | Remote network (the address object created above)
proposal ike exchange ikev2 | IKE and IPsec proposals; these values must match on both peers
proposal ike encryption triple-des |
proposal ike authentication sha1 |
proposal ike dh-group 2 |
proposal ike lifetime 28800 |
proposal ipsec protocol esp |
proposal ipsec encryption triple-des |
proposal ipsec authentication sha1 |
proposal ipsec dh-group none |
proposal ipsec lifetime 28800 |
management https |
bound-to zone WAN |
exit |
commit | Save the settings
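Before committing, it helps to confirm that the two sides mirror each other: each gateway must be the peer's X1 address, each remote address object must be the peer's X0 subnet, and every IKE/IPsec proposal value must match. The script below is an added consistency check written for this article, not SonicWall code; it parses the command lines in the same form as the tables above, treats an omitted `proposal ipsec dh-group` as `none` (an assumption about the SonicOS default), and uses the article's Site A / Site B values as constructed sample input.

```python
import ipaddress

def parse_policy(cli):
    """Pull the fields that must agree across peers out of a SonicOS CLI block."""
    p = {"objects": {}, "proposals": {}}
    for line in cli.strip().splitlines():
        w = line.split()  # lines the check does not need (enable, ike-id, exit...) are ignored
        if w[:2] == ["address-object", "ipv4"]:  # ... <name> network <net> <mask> zone <z>
            p["objects"][w[2]] = str(ipaddress.ip_network(f"{w[4]}/{w[5]}"))
        elif w[:1] == ["proposal"]:  # proposal ike|ipsec <attribute> <value>
            p["proposals"][f"{w[1]} {w[2]}"] = w[3]
        elif w[:2] == ["gateway", "primary"]:
            p["gateway"] = w[2]
        elif w[:3] == ["network", "remote", "name"]:
            p["remote"] = w[3]
    return p

def check_pair(a_cli, a_wan, a_lan, b_cli, b_wan, b_lan):
    """Return the mismatches that would keep the two policies from negotiating."""
    a, b = parse_policy(a_cli), parse_policy(b_cli)
    problems = []
    for side, me, peer_wan, peer_lan in (("A", a, b_wan, b_lan), ("B", b, a_wan, a_lan)):
        if me["gateway"] != peer_wan:
            problems.append(f"site {side}: gateway {me['gateway']} is not the peer WAN {peer_wan}")
        if me["objects"].get(me["remote"]) != peer_lan:
            problems.append(f"site {side}: remote object {me['remote']} is not the peer LAN {peer_lan}")
    defaults = {"ipsec dh-group": "none"}  # omitted PFS group = none (assumed SonicOS default)
    for key in sorted(set(a["proposals"]) | set(b["proposals"])):
        va, vb = (s["proposals"].get(key, defaults.get(key)) for s in (a, b))
        if va != vb:
            problems.append(f"proposal {key}: A={va} B={vb}")
    return problems

# Constructed from the article's Site A / Site B values; not copied device output.
PROPOSALS = ("proposal ike exchange ikev2\nproposal ike encryption triple-des\n"
             "proposal ike authentication sha1\nproposal ike dh-group 2\nproposal ike lifetime 28800\n"
             "proposal ipsec protocol esp\nproposal ipsec encryption triple-des\n"
             "proposal ipsec authentication sha1\nproposal ipsec lifetime 28800\n")
SITE_A = ("address-object ipv4 NSA-4500 network 172.27.24.0 255.255.255.0 zone VPN\n"
          "vpn policy site-to-site NSA-4500\nenable\ngateway primary 2.2.2.2\nauth-method certificate\ncertificate Server3\n"
          "network remote name NSA-4500\n" + PROPOSALS)
SITE_B = ("address-object ipv4 NSA-5600 network 10.10.100.0 255.255.255.0 zone VPN\n"
          "vpn policy site-to-site NSA-5600\nenable\ngateway primary 1.1.1.1\nauth-method certificate\ncertificate vpn-256\n"
          "network remote name NSA-5600\n" + PROPOSALS + "proposal ipsec dh-group none\n")

def check_article_sites():
    """The article's two sides; an empty list means nothing is mismatched."""
    return check_pair(SITE_A, "1.1.1.1", "10.10.100.0/24", SITE_B, "2.2.2.2", "172.27.24.0/24")
```

Running `check_article_sites()` on the article's values returns an empty list; changing one side's DH group or gateway address produces a one-line description of the mismatch.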