Support on SonicWall Products, Services and Solutions
Browse Knowledgebase by Category
Configuring Site to Site VPN policies using Enterprise Command Line Interface (E-CLI)
03/26/2020 
672 
10658
DESCRIPTION:
Configuring Site to Site VPN policies using Enterprise Command Line Interface (E-CLI)
RESOLUTION:
SonicOS 5.9 introduces a new, more robust, enterprise-level Command Line Interface (E-CLI). This KB articles describes how to create Site to Site VPN policies using E-CLI.
The CLI can be accessed via Serial cable and SSH. Please refer to the SonicOS 5.9 – Administration Guide. Appendix A: CLI Guide for more details.
Global System Commands
The following system commands are global and can be executed from anywhere in the config module.
| Command | Description | Command | Description |
| Tab key | Tab key aids in completing a command. Displays useful information such as the next option in the command. | end | Exits current mode and returns to global configuration mode without saving any changes made in the current mode. |
| ? key | The ? key lists the next command or commands with a short description of each command. For certain commands, the ? key even displays examples of using the given command. | exit | Exit the current mode without saving any changes made in the current mode |
| q key | The 'q' key breaks listing of commands or information. Useful when the output of a command like Show current-config needs to be stopped. | export | Export system status or configuration |
| cancel | Exit from the mode without saving changes. | help | Display command help |
| clear | Reset functions. | no | Negate a command or set its defaults. |
| commit | Save configuration changes. The command commit best-effort will save only valid changes | show | Show system status or configuration. |
| diag | Diagnostic functions. |
For the purpose of this article, we use an NSA 220 and an NSA 4500 with the following IP addresses as examples to demonstrate the VPN configuration.
NSA 220
WAN (X1):192.168.170.31
LAN (X0): 10.10.10.0/24
NSA 4500
WAN (X1): 192.168.170.51
LAN (X0): 172.27.24.0/24
Note: One of the benefits of E-CLI is that commands can be copied and pasted into the CLI. Therefore, users can copy and paste the commands below directly into each SonicWall's CLI, substituting your IP addresses, names etc. for ones shown below.
| NSA 220 Configuration | NSA 4500 Configuration | ||||
| Create an address object for the remote networks | |||||
| config address-object ipv4 "NSA 4500 LAN" network 172.27.24.0 /24 zone VPN | config address-object ipv4 "NSA 220 LAN" network 10.10.10.0 /24 zone VPN | ||||
| |||||
| Site to Site VPN Configuration - IKEv2 Mode | |||||
| vpn policy site-to-site "To Remote Site" enable gateway primary 192.168.170.51 auth-method shared-secret shared-secret "1234" exit network local name "X0 Subnet" network remote name "NSA 4500 LAN" proposal ike authentication sha256 proposal ike dh-group 2 proposal ike encryption triple-des proposal ike exchange ikev2 proposal ike lifetime 28800 keep-alive management https ssh bound-to zone WAN commit exit | vpn policy site-to-site "To Central Site" enable gateway primary 192.168.170.31 auth-method shared-secret shared-secret "1234" exit network local name "X0 Subnet" network remote name "NSA 220 LAN" proposal ike authentication sha256 proposal ike dh-group 2 proposal ike encryption triple-des proposal ike exchange ikev2 proposal ike lifetime 28800 management https ssh bound-to zone WAN commit exit | ||||
| Other (optional) commands | |||||
| |||||
| Site to Site VPN Configuration - Main Mode | |||||
| vpn policy site-to-site "To Remote Site" enable gateway primary 192.168.170.51 network local name "X0 Subnet" network remote name "NSA 4500 LAN" auth-method shared-secret shared-secret "1234" exit proposal ike authentication sha256 proposal ike dh-group 2 proposal ike encryption triple-des proposal ike exchange main proposal ike lifetime 28800 keep-alive management https ssh bound-to zone WAN commit exit | vpn policy site-to-site "To Central Site" enable gateway primary 192.168.170.31 network local name "X0 Subnet" network remote name "NSA 220 LAN" auth-method shared-secret shared-secret "1234" exit proposal ike authentication sha256 proposal ike dh-group 2 proposal ike encryption triple-des proposal ike exchange main proposal ike lifetime 28800 management https ssh bound-to zone WAN commit exit | ||||
| Other (optional) commands are the same as listed under IKEv2 mode | |||||
| Site to Site VPN Configuration - Aggressive Mode | |||||
| vpn policy site-to-site "To Remote Site" enable auth-method shared-secret shared-secret "1234" ike-id local sonicwall-id "Branch Office" ike-id peer sonicwall-id "HQ" exit network local name "X0 Subnet" network remote name "NSA 4500 LAN" proposal ike authentication sha256 proposal ike dh-group 2 proposal ike encryption triple-des proposal ike exchange main proposal ike lifetime 28800 keep-alive management https ssh bound-to zone WAN commit exit | vpn policy site-to-site "To Central Site" enable gateway primary 192.168.170.31 auth-method shared-secret shared-secret "1234" ike-id local sonicwall-id "HQ" ike-id peer sonicwall-id "Branch Office" exit network local name "X0 Subnet" network remote name "NSA 220 LAN" proposal ike authentication sha256 proposal ike dh-group 2 proposal ike encryption triple-des proposal ike exchange main proposal ike lifetime 28800 management https ssh bound-to zone WAN commit exit | ||||
| |||||
| Edit VPN policies | |||||
| To edit and change a VPN policy, follow these steps: //as already mentioned, at each command, pressing "?" would list usage with example/s; pressing the Tab key would either auto-complete half-way through a command or list suggestions of next commands or values to type. For example:
Pressing the "?" or the Tab key would list the commands available within this module.
| |||||
| Delete a VPN policy | |||||
To delete a VPN policy enter the following command. Must be entered at the config prompt. config | |||||
| Display VPN policies and VPN Tunnel information | |||||
| The show command is global and can be executed from any module. Enter this command to show a specific site-to-site VPN policy by name show vpn policy "To Remote Site" Enter this command to show all VPN policies :show vpn policies To display information on an active VPN tunnel, enter this command:show vpn tunnel "To Remote Site" To display information on all active VPN tunnels, enter this command:show vpn tunnels | |||||
| Display VPN Logs | |||||
| To display VPN logs, enter the following command: show log view category "VPN" The view can be further filtered using the following options:
| |||||
