Configuring Site to Site VPN policies using Enterprise Command Line Interface (E-CLI)

03/26/2020


    Description

    Configuring Site to Site VPN policies using Enterprise Command Line Interface (E-CLI)

    Resolution

    SonicOS 5.9 introduces a new, more robust, enterprise-level Command Line Interface (E-CLI). This KB article describes how to create Site to Site VPN policies using the E-CLI.

    The CLI can be accessed via serial cable and SSH. Please refer to the SonicOS 5.9 Administration Guide, Appendix A: CLI Guide, for more details.

    Global System Commands

    The following system commands are global and can be executed from anywhere in the config module.

    Command      Description
    Tab key      Aids in completing a command. Displays useful information such as the next option in the command.
    ? key        Lists the next command or commands with a short description of each command. For certain commands, the ? key even displays examples of using the given command.
    q key        Breaks the listing of commands or information. Useful when the output of a command like show current-config needs to be stopped.
    cancel       Exit from the mode without saving changes.
    clear        Reset functions.
    commit       Save configuration changes. The command commit best-effort will save only valid changes.
    diag         Diagnostic functions.
    end          Exits the current mode and returns to global configuration mode without saving any changes made in the current mode.
    exit         Exit the current mode without saving any changes made in the current mode.
    export       Export system status or configuration.
    help         Display command help.
    no           Negate a command or set its defaults.
    show         Show system status or configuration.

    For the purpose of this article, we use an NSA 220 and an NSA 4500 with the following IP addresses as examples to demonstrate the VPN configuration.

    NSA 220

    WAN (X1):192.168.170.31
    LAN (X0): 10.10.10.0/24

    NSA 4500

    WAN (X1): 192.168.170.51
    LAN (X0): 172.27.24.0/24


    Note: One of the benefits of E-CLI is that commands can be copied and pasted into the CLI. Therefore, users can copy and paste the commands below directly into each SonicWall's CLI, substituting your IP addresses, names etc. for ones shown below.
     

    Create an address object for the remote network on each firewall.

    NSA 220 Configuration:
    config
    address-object ipv4 "NSA 4500 LAN" network 172.27.24.0 /24 zone VPN

    NSA 4500 Configuration:
    config
    address-object ipv4 "NSA 220 LAN" network 10.10.10.0 /24 zone VPN

    • Make sure there is a space after the network address and before the slash notation. Also, the "/" and the bit notation must not have a space between them.
    • These address objects are referenced, as an example, throughout this article.
    • Address objects can also be created "on the fly" while creating the VPN policy. For example, network remote network 172.27.24.0 /24 would create an address object by the name of "172.27.24.0/24".
    Site to Site VPN Configuration - IKEv2 Mode

    NSA 220 Configuration:
    vpn policy site-to-site "To Remote Site"
    enable
    gateway primary 192.168.170.51
    auth-method shared-secret
    shared-secret "1234"
    exit
    network local name "X0 Subnet"
    network remote name "NSA 4500 LAN"
    proposal ike authentication sha256
    proposal ike dh-group 2
    proposal ike encryption triple-des
    proposal ike exchange ikev2
    proposal ike lifetime 28800
    keep-alive
    management https ssh
    bound-to zone WAN
    commit
    exit

    NSA 4500 Configuration:
    vpn policy site-to-site "To Central Site"
    enable
    gateway primary 192.168.170.31
    auth-method shared-secret
    shared-secret "1234"
    exit
    network local name "X0 Subnet"
    network remote name "NSA 220 LAN"
    proposal ike authentication sha256
    proposal ike dh-group 2
    proposal ike encryption triple-des
    proposal ike exchange ikev2
    proposal ike lifetime 28800
    management https ssh
    bound-to zone WAN
    commit
    exit
    Other (optional) commands

    netbios                     //Enable Windows Networking (NetBIOS) Broadcast
    multicast                   //Enable Multicast
    management snmp             //Enable SNMP via this SA
    user-login http             //Enable user login via this SA over HTTP
    user-login https            //Enable user login via this SA over HTTPS
    default-lan-gateway         //Default LAN Gateway allows the network administrator to specify the IP address of the default LAN route for incoming IPsec packets for this SA.
    suppress-trigger-packet     //Enable suppression of IKEv2 trigger packets
    tcp-acceleration            //Enable acceleration
    suppress-auto-add-rule      //Enable suppression of auto-added rules.
    apply-nat                   //Enable NAT over VPN.
    allow-sonicpointn-layer3    //Enable management of SonicPoint over VPN
    Site to Site VPN Configuration - Main Mode

    NSA 220 Configuration:
    vpn policy site-to-site "To Remote Site"
    enable
    gateway primary 192.168.170.51
    network local name "X0 Subnet"
    network remote name "NSA 4500 LAN"
    auth-method shared-secret
    shared-secret "1234"
    exit
    proposal ike authentication sha256
    proposal ike dh-group 2
    proposal ike encryption triple-des
    proposal ike exchange main
    proposal ike lifetime 28800
    keep-alive
    management https ssh
    bound-to zone WAN
    commit
    exit

    NSA 4500 Configuration:
    vpn policy site-to-site "To Central Site"
    enable
    gateway primary 192.168.170.31
    network local name "X0 Subnet"
    network remote name "NSA 220 LAN"
    auth-method shared-secret
    shared-secret "1234"
    exit
    proposal ike authentication sha256
    proposal ike dh-group 2
    proposal ike encryption triple-des
    proposal ike exchange main
    proposal ike lifetime 28800
    management https ssh
    bound-to zone WAN
    commit
    exit
    Other (optional) commands are the same as listed under IKEv2 mode
    Site to Site VPN Configuration - Aggressive Mode

    NSA 220 Configuration:
    vpn policy site-to-site "To Remote Site"
    enable
    gateway primary 192.168.170.51
    auth-method shared-secret
    shared-secret "1234"
    ike-id local sonicwall-id "Branch Office"
    ike-id peer sonicwall-id "HQ"
    exit
    network local name "X0 Subnet"
    network remote name "NSA 4500 LAN"
    proposal ike authentication sha256
    proposal ike dh-group 2
    proposal ike encryption triple-des
    proposal ike exchange aggressive
    proposal ike lifetime 28800
    keep-alive
    management https ssh
    bound-to zone WAN
    commit
    exit

    NSA 4500 Configuration:
    vpn policy site-to-site "To Central Site"
    enable
    gateway primary 192.168.170.31
    auth-method shared-secret
    shared-secret "1234"
    ike-id local sonicwall-id "HQ"
    ike-id peer sonicwall-id "Branch Office"
    exit
    network local name "X0 Subnet"
    network remote name "NSA 220 LAN"
    proposal ike authentication sha256
    proposal ike dh-group 2
    proposal ike encryption triple-des
    proposal ike exchange aggressive
    proposal ike lifetime 28800
    management https ssh
    bound-to zone WAN
    commit
    exit

    • Aggressive mode is selected with proposal ike exchange aggressive on both peers. The sonicwall-id values are the IKE identities exchanged during negotiation and must match crosswise: the local ID on one firewall is the peer ID on the other.
    • Other (optional) commands are the same as listed under IKEv2 mode.
    • Pressing the Tab or the ? key after ike-id local will list the options: domain-name, email-address, ip, key-id, sonicwall-id.
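    As an added example (not part of this SonicWall article), the following Python builds the paired E-CLI blocks for both firewalls from one description, so the two pasted configurations stay mirrored: each side's gateway is the other's WAN address, each remote network is the other's LAN, and the IKE proposal is identical on both sides. The Peer fields, the initiator flag (which decides which side sends keep-alive) and the use of the device label as sonicwall-id are assumptions for this example; the device names and addresses are the article's.

```python
# Added example, not from the SonicWall article: generate the E-CLI site-to-site
# policy for each peer from one description so the two pasted blocks stay mirrored.
from dataclasses import dataclass


@dataclass
class Peer:
    name: str                # device label, also used as the sonicwall-id (assumption)
    wan_ip: str              # X1 address the other side uses as its gateway
    lan_cidr: str            # X0 subnet, e.g. "10.10.10.0/24"
    policy_name: str         # VPN policy name on this device
    initiator: bool = False  # only the initiating side sends keep-alive (assumption)


# The article's IKE proposal, kept in one list so both peers always agree on it.
IKE_PROPOSAL = [
    "proposal ike authentication sha256",
    "proposal ike dh-group 2",
    "proposal ike encryption triple-des",
    "proposal ike lifetime 28800",
]


def address_object(remote: Peer) -> str:
    """E-CLI wants 'network <addr> /<bits>': a space before the slash, none after."""
    addr, bits = remote.lan_cidr.split("/")
    return f'address-object ipv4 "{remote.name} LAN" network {addr} /{bits} zone VPN'


def policy(local: Peer, remote: Peer, exchange: str, secret: str) -> list:
    """Return the E-CLI lines of `local`'s policy towards `remote`."""
    if exchange not in ("main", "aggressive", "ikev2"):
        raise ValueError(f"unknown IKE exchange: {exchange}")
    lines = [
        f'vpn policy site-to-site "{local.policy_name}"',
        "enable",
        f"gateway primary {remote.wan_ip}",
        "auth-method shared-secret",
        f'shared-secret "{secret}"',
    ]
    if exchange == "aggressive":  # aggressive mode identifies the peers by IKE ID
        lines += [f'ike-id local sonicwall-id "{local.name}"',
                  f'ike-id peer sonicwall-id "{remote.name}"']
    lines += ["exit",  # leave the auth-method sub-mode
              'network local name "X0 Subnet"',
              f'network remote name "{remote.name} LAN"',
              *IKE_PROPOSAL,
              f"proposal ike exchange {exchange}"]
    if local.initiator:
        lines.append("keep-alive")
    lines += ["management https ssh", "bound-to zone WAN", "commit", "exit"]
    return lines


def mirrored(a_lines: list, b_lines: list, a: Peer, b: Peer) -> bool:
    """Cross-check two generated blocks: gateways cross-reference, proposals match."""
    pa = [l for l in a_lines if l.startswith("proposal ")]
    pb = [l for l in b_lines if l.startswith("proposal ")]
    return (f"gateway primary {b.wan_ip}" in a_lines
            and f"gateway primary {a.wan_ip}" in b_lines
            and pa == pb)
```

    Calling policy(nsa220, nsa4500, "ikev2", secret) and policy(nsa4500, nsa220, "ikev2", secret) reproduces the two IKEv2 blocks above, with keep-alive emitted only for the peer flagged as initiator.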
    Edit VPN policies
    To edit and change a VPN policy, follow these steps:

    //As already mentioned, at each command, pressing "?" lists the usage with example(s); pressing the Tab key either auto-completes a partially typed command or lists suggestions for the next commands or values to type. For example:
    • pressing the Tab key after vpn policy lists the following options:
        enable  group-vpn   site-to-site   tunnel-interface
    • pressing the Tab key after vpn policy sit auto-completes site-to-site
    • pressing the Tab key after vpn policy site-to-site lists the policy names if multiple policies are configured. If there is only one site-to-site VPN policy, it auto-completes the command by filling in the name of that policy: vpn policy site-to-site To Remote Site
    config vpn policy site-to-site "To Remote Site" 
    Pressing the "?" or the Tab key would list the commands available within this module. 
     
    auth-method         Authentication Method.
    bound-to            Configure VPN Policy Bound To.
    enable              Enable Policy.
    gateway             IPsec Gateway Name or Address.
    management          Enable Management for VPN Policy.
    multicast           Enable VPN Policy Multicast.
    name                Policy name.
    netbios             Enable VPN Policy NetBIOS.
    proposal            Policy proposal.
    tcp-acceleration    Enable Permit TCP Acceleration.
    transport-mode      Enable Transport Mode.
    user-login          Enable VPN Policy for User Login.

    (edit-site-to-site[To Remote Site])# no enable              //disable the VPN
    (edit-site-to-site[To Remote Site])# no management https    //disable HTTPS management over VPN
    (edit-site-to-site[To Remote Site])# user-login https       //enable HTTPS user login over VPN
    (edit-site-to-site[To Remote Site])# no netbios             //disable NetBIOS broadcasts over VPN
    (edit-site-to-site[To Remote Site])# cancel                 //exit this module without saving changes
    (edit-site-to-site[To Remote Site])# commit                 //save changes
    Delete a VPN policy

    To delete a VPN policy, enter the following command at the config prompt:

    config
    no vpn policy site-to-site "To Remote Site" 

    Display VPN policies and VPN Tunnel information
    The show command is global and can be executed from any module.  

    Enter this command to show a specific site-to-site VPN policy by name:

    show vpn policy "To Remote Site"

    Enter this command to show all VPN policies:

    show vpn policies 

    To display information on an active VPN tunnel, enter this command:

    show vpn tunnel "To Remote Site"

    To display information on all active VPN tunnels, enter this command:

    show vpn tunnels

    Display VPN Logs
    To display VPN logs, enter the following command:

    show log view category "VPN"

    The view can be further filtered using the following options:
     
    priority                 Show log with specified priority.
    source-interface         Show log with specified source interface.
    destination-interface    Show log with specified destination interface.
    source-ip                Show log with specified source IP.
    source-port              Show log with specified source port.
    destination-ip           Show log with specified destination IP.
    destination-port         Show log with specified destination port.
    ip-protocol              Show log with specified IP protocol number.
    user-name                Show log with specified user name.
    application              Show log with specified application.

     
