- Products
- Network Security
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
Capture ATPMulti-engine advanced threat detection
Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
- Email Security
Email SecurityProtect against today’s advanced email threats
- Cloud Security
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
- Products
- Network Security
- Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
- Security ServicesComprehensive security for your network security solution
- Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
- Capture ATPMulti-engine advanced threat detection
- Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
- Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
- Secure Mobile AccessRemote, best-in-class, secure access
- Wireless Access PointsEasy to manage, fast and secure Wi-FI
- SwitchesHigh-speed network switching for business connectivity
- Email Security
- Email SecurityProtect against today’s advanced email threats
- Cloud Security
- Cloud App SecurityVisibility and security for Cloud Apps
- Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
- Capture ClientStop advanced threats and rollback the damage caused by malware
- Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
Configuring Tunnel Interface (static route-based) VPN using Enterprise Command Line
03/26/2020 
11 People found this article helpful
45,237 Views
Description
SonicOS 5.9 introduces a new, more robust, enterprise-level Command Line Interface (E-CLI). This articles describes how to create a static route-based Tunnel-Interface VPN policy using E-CLI.
Resolution
Global System Commands
The following system commands are global and can be executed from anywhere in the config module.
| Command | Description | Command | Description |
| Tab key | Tab key aids in completing a command. Displays useful information such as the next option in the command. | end | Exit current mode and return to global configuration mode without saving changes made in the current mode. |
| ? key | The ? key lists the next command or commands with a short description of each command. For certain commands, the ? key even displays examples of using the given command. | exit | Exit current mode without saving changes made in the current mode |
| q key | The 'q' key breaks listing of commands or information. Useful when the output of a command like Show current-config needs to be stopped. | export | Export system status or configuration |
| cancel | Exit from the mode without saving changes. | help | Display command help |
| clear | Reset functions. | no | Negate a command or set its defaults. |
| commit | Save configuration changes. The command commit best-effort will save only valid changes | show | Show system status or configuration. |
| diag | Diagnostic functions. |
For the purpose of this article, we use an NSA 220 and an NSA 4500 with the following IP addresses as examples to demonstrate the VPN configuration.
NSA 220
WAN (X1):192.168.170.31
LAN (X0): 10.10.10.0/24
NSA 4500
WAN (X1): 192.168.170.51
LAN (X0): 172.27.24.0/24
WAN (X1):192.168.170.31
LAN (X0): 10.10.10.0/24
NSA 4500
WAN (X1): 192.168.170.51
LAN (X0): 172.27.24.0/24
Note: One of the benefits of E-CLI is that commands can be copied and pasted into the CLI. Therefore, users can copy and paste the commands below directly into each SonicWall's CLI, substituting your IP addresses, names etc. for ones shown below.
| NSA 220 Configuration | NSA 4500 Configuration | ||||
| Create an address object for the remote networks | |||||
config address-object ipv4 "NSA 4500 LAN" network 172.27.24.0 /24 zone VPN | config address-object ipv4 "NSA 220 LAN" network 10.10.10.0 /24 zone VPN | ||||
| |||||
| Tunnel-Interface VPN Configuration - IKEv2 Mode | |||||
vpn policy tunnel-interface "To Remote Site" | vpn policy tunnel-interface "To Central Site" | ||||
| The proposal ipsec commands (for Phase II) need not be included if using default parameters. If proposal ipsec is not explicitly specified, the default parameters of esp,triple-des,sha1,none,28800 is configured. | |||||
| Other (optional) commands | |||||
netbios //Enable Windows Networking (NetBIOS) Broadcast multicast //Enable Multicast management snmp //Enable SNMP via this SA user-login http //Enable user login via this SA over HTTP user-login https //Enable user login via this SA over HTTPS tcp-acceleration //Enable acceleration | |||||
| Create a static bound to a tunnel-interface | |||||
| Once a tunnel-interface VPN policy is created, a numbered tunnel-Interface is auto-created. To view tunnel-interfaces, press the Tab key after after the command policy interface. This will display all the interfaces. To create a static route, follow these steps: routing policy interface TI2 metric 1 source any destination name "NSA 4500 LAN" service any gateway default commit exit | |||||
| Edit VPN policies | |||||
| To edit and change a VPN policy, follow these steps: //as already mentioned, at each command, pressing "?" would list usage with example/s; pressing the Tab key would either auto-complete half-way through a command or list suggestions of next commands or values to type. For example:
config vpn policy tunnel-interface "To Remote Site" Pressing the "?" or the Tab key would list the commands available within this module.
| |||||
| Delete a VPN policy | |||||
To delete a VPN policy enter the following command. Must be entered at the config prompt. config | |||||
| Display VPN policies and VPN Tunnel information | |||||
| The show command is global and can be executed from any module. Enter this command to show a specific VPN policy by name show vpn policy "To Remote Site" Enter this command to show all VPN policies :show vpn policies show vpn tunnel "To Remote Site" To display information on all active VPN tunnels, enter this command:show vpn tunnels | |||||
| Display VPN Logs | |||||
| To display VPN logs, enter the following command: show log view category "VPN" The view can be further filtered using the following options:
| |||||
Related Articles
- How to Create Gen 7 Settings File by Using the Online Migration Tool
- DNS Resolution of Wildcard FQDN Address Objects
- All associated wildcard FQDN IP addresses do not display in the web browser
Categories
- Firewalls > TZ Series
- Firewalls > SonicWall SuperMassive E10000 Series
- Firewalls > SonicWall SuperMassive 9000 Series
- Firewalls > SonicWall NSA Series
YES
NO