Configuring Tunnel Interface (static route-based) VPN using Enterprise Command Line

03/26/2020 13 People found this article helpful 506,092 Views

Description

SonicOS 5.9 introduces a new, more robust, enterprise-level Command Line Interface (E-CLI). This articles describes how to create a static route-based Tunnel-Interface VPN policy using E-CLI.

Resolution

Global System Commands
The following system commands are global and can be executed from anywhere in the config module.

Command	Description	Command	Description
Tab key	Tab key aids in completing a command. Displays useful information such as the next option in the command.	end	Exit current mode and return to global configuration mode without saving changes made in the current mode.
? key	The ? key lists the next command or commands with a short description of each command. For certain commands, the ? key even displays examples of using the given command.	exit	Exit current mode without saving changes made in the current mode
q key	The 'q' key breaks listing of commands or information. Useful when the output of a command like Show current-config needs to be stopped.	export	Export system status or configuration
cancel	Exit from the mode without saving changes.	help	Display command help
clear	Reset functions.	no	Negate a command or set its defaults.
commit	Save configuration changes. The command commit best-effort will save only valid changes	show	Show system status or configuration.
diag	Diagnostic functions.

For the purpose of this article, we use an NSA 220 and an NSA 4500 with the following IP addresses as examples to demonstrate the VPN configuration.

NSA 220

WAN (X1):192.168.170.31
LAN (X0): 10.10.10.0/24

NSA 4500

WAN (X1): 192.168.170.51
LAN (X0): 172.27.24.0/24

Note: One of the benefits of E-CLI is that commands can be copied and pasted into the CLI. Therefore, users can copy and paste the commands below directly into each SonicWall's CLI, substituting your IP addresses, names etc. for ones shown below.

NSA 220 Configuration

NSA 4500 Configuration

Create an address object for the remote networks

config

address-object ipv4 "NSA 4500 LAN" network 172.27.24.0 /24 zone VPN

config
address-object ipv4 "NSA 220 LAN" network 10.10.10.0 /24 zone VPN

Make sure there is a space after the network address and before the slash notation. Also the "/" & the bit notation must not have a space.
These address objects will be referenced, as an example, throughout this article.
Address objects can also be created "on the fly" while creating the VPN policy. For example, network remote network 172.27.24.0 /24 would create an address object by the name of "172.27.24.0/24".

Tunnel-Interface VPN Configuration - IKEv2 Mode

vpn policy tunnel-interface "To Remote Site"
enable
gateway primary 192.168.170.51
auth-method shared-secret
shared-secret "1234"
exit
proposal ike authentication sha256
proposal ike dh-group 2
proposal ike encryption triple-des
proposal ike exchange ikev2
proposal ike lifetime 28800

proposal ipsec protocol esp
proposal ipsec encryption triple-des
proposal ipsec authentication sha256
proposal ipsec dh-group none
proposal ipsec lifetime 28800
keep-alive
management https ssh
bound-to interface X1
commit
exit

vpn policy tunnel-interface "To Central Site"
enable
gateway primary 192.168.170.31
auth-method shared-secret
shared-secret "1234"
exit
proposal ike authentication sha256
proposal ike dh-group 2
proposal ike encryption triple-des
proposal ike exchange ikev2
proposal ike lifetime 28800

proposal ipsec protocol esp
proposal ipsec encryption triple-des
proposal ipsec authentication sha256
proposal ipsec dh-group none
proposal ipsec lifetime 28800
management https ssh
bound-to interface X1
commit
exit

The proposal ipsec commands (for Phase II) need not be included if using default parameters. If proposal ipsec is not explicitly specified, the default parameters of esp,triple-des,sha1,none,28800 is configured.

Other (optional) commands

netbios //Enable Windows Networking (NetBIOS) Broadcast
multicast //Enable Multicast
management snmp //Enable SNMP via this SA
user-login http //Enable user login via this SA over HTTP
user-login https //Enable user login via this SA over HTTPS
tcp-acceleration //Enable acceleration

Create a static bound to a tunnel-interface

Once a tunnel-interface VPN policy is created, a numbered tunnel-Interface is auto-created. To view tunnel-interfaces, press the Tab key after after the command policy interface. This will display all the interfaces. To create a static route, follow these steps:

routing
policy interface TI2 metric 1 source any destination name "NSA 4500 LAN" service any gateway default
commit
exit

Edit VPN policies

To edit and change a VPN policy, follow these steps:

//as already mentioned, at each command, pressing "?" would list usage with example/s; pressing the Tab key would either auto-complete half-way through a command or list suggestions of next commands or values to type. For example:

pressing the Tab key at vpn policy would list the following options:
enable group-vpn site-to-site tunnel-interface
pressing the Tab key at vpn policy tun would auto-complete tunnel-interface
pressing the Tab key at vpn policy tunnel-interface would either list multiple VPN policies, if multiple policies are configured. If only one tunnel-interface VPN policy is configured, this auto-completes the command by filling the name of the VPN policy:
vpn policy tunnel-interface To Remote Site

config

vpn policy tunnel-interface "To Remote Site"

Pressing the "?" or the Tab key would list the commands available within this module.

auth-method
bound-to
enable
gateway
management
multicast
name
netbios
proposal
tcp-acceleration
transport-mode
user-login

Authentication Method.
Configure VPN Policy Bound To.
Enable Policy.
IPsec Gateway Name or Address.
Enable Management for VPN Policy.
Enable VPN Policy Multicast.
Policy name.
Enable VPN Policy NetBIOS.
Policy proposal.
Enable Permit TCP Acceleration.
Enable Transport Mode.
Enable VPN Policy for User Login.

(edit-tunnel-interface[To Remote Site])# no enable
(edit-tunnel-interface[To Remote Site])# no management https
(edit-tunnel-interface[To Remote Site])# user-login https
(edit-tunnel-interface[To Remote Site])# no netbios
(edit-tunnel-interface[To Remote Site])# cancel
(edit-tunnel-interface[To Remote Site])# commit

disable the VPN
disable HTTPS management over VPN
enable HTTPS user login over VPN
disable NetBios broadcasts over VPN
exit out of this module without saving changes
save changes

Delete a VPN policy

To delete a VPN policy enter the following command. Must be entered at the config prompt.

config
no vpn policy tunnel-interface "To Remote Site"

Display VPN policies and VPN Tunnel information

The show command is global and can be executed from any module.

Enter this command to show a specific VPN policy by name

show vpn policy "To Remote Site"

Enter this command to show all VPN policies :

show vpn policies

To display information on an active VPN tunnel, enter this command:

show vpn tunnel "To Remote Site"

To display information on all active VPN tunnels, enter this command:

show vpn tunnels

Display VPN Logs

To display VPN logs, enter the following command:

show log view category "VPN"

The view can be further filtered using the following options:

priority
source-interface
destination-interface
source-ip
source-port
destination-ip
destination-port
ip-protocol
user-name
application

Show Log with specified Priority.
Show Log with specified Source Interface.
Show Log with specified Destination Interface.
Show Log with specified Source-Ip.
Show Log with specified Source-Port.
Show Log with specified Destination-Ip.
Show Log with specified Destination-Port.
Show Log with specified IP Protocol number.
Show Log with specified User Name.
Show Log with specified Application.

Not Finding Your Answers?

ASK THE COMMUNITY

Was This Article Helpful?

YES NO

Configuring Tunnel Interface (static route-based) VPN using Enterprise Command Line

Description

Resolution

Related Articles

Categories

Not Finding Your Answers?

Was This Article Helpful?

Article Helpful Form

Article Not Helpful Form

Follow Us

Subscribe to newsletter

Stay In Touch