Configuring Tunnel Interface (static route-based) VPN using Enterprise Command Line
03/26/2020 11 13851
SonicOS 5.9 introduces a new, more robust, enterprise-level Command Line Interface (E-CLI). This articles describes how to create a static route-based Tunnel-Interface VPN policy using E-CLI.
Global System Commands The following system commands are global and can be executed from anywhere in the config module.
Tab key aids in completing a command. Displays useful information such as the next option in the command.
Exit current mode and return to global configuration mode without saving changes made in the current mode.
The ? key lists the next command or commands with a short description of each command. For certain commands, the ? key even displays examples of using the given command.
Exit current mode without saving changes made in the current mode
The 'q' key breaks listing of commands or information. Useful when the output of a command likeShow current-config needs to be stopped.
Export system status or configuration
Exit from the mode without saving changes.
Display command help
Negate a command or set its defaults.
Save configuration changes. The command commit best-effort will save only valid changes
Show system status or configuration.
For the purpose of this article, we use an NSA 220 and an NSA 4500 with the following IP addresses as examples to demonstrate the VPN configuration.
WAN (X1):192.168.170.31 LAN (X0): 10.10.10.0/24
WAN (X1): 192.168.170.51 LAN (X0): 172.27.24.0/24
Note: One of the benefits of E-CLI is that commands can be copied and pasted into the CLI. Therefore, users can copy and paste the commands below directly into each SonicWall's CLI, substituting your IP addresses, names etc. for ones shown below.
NSA 220 Configuration
NSA 4500 Configuration
Create an address object for the remote networks
address-object ipv4 "NSA 4500 LAN" network 172.27.24.0 /24 zone VPN
The proposal ipsec commands (for Phase II) need not be included if using default parameters. If proposal ipsec is not explicitly specified, the default parameters of esp,triple-des,sha1,none,28800 is configured.
Other (optional) commands
netbios //Enable Windows Networking (NetBIOS) Broadcast multicast //Enable Multicast management snmp //Enable SNMP via this SA user-login http //Enable user login via this SA over HTTP user-login https //Enable user login via this SA over HTTPS tcp-acceleration //Enable acceleration
Create a static bound to a tunnel-interface
Once a tunnel-interface VPN policy is created, a numbered tunnel-Interface is auto-created. To view tunnel-interfaces, press the Tab key after after the command policy interface. This will display all the interfaces. To create a static route, follow these steps:
routing policy interface TI2 metric 1 source any destination name "NSA 4500 LAN" service any gateway default commit exit
Edit VPN policies
To edit and change a VPN policy, follow these steps:
//as already mentioned, at each command, pressing "?" would list usage with example/s; pressing the Tab key would either auto-complete half-way through a command or list suggestions of next commands or values to type. For example:
pressing the Tab key at vpn policy would list the following options: enable group-vpn site-to-site tunnel-interface
pressing the Tab key at vpn policy tun would auto-complete tunnel-interface
pressing the Tab key at vpn policy tunnel-interface would either list multiple VPN policies, if multiple policies are configured. If only one tunnel-interface VPN policy is configured, this auto-completes the command by filling the name of the VPN policy: vpn policy tunnel-interface To Remote Site
vpn policy tunnel-interface "To Remote Site"
Pressing the "?" or the Tab key would list the commands available within this module.
Show Log with specified Priority. Show Log with specified Source Interface. Show Log with specified Destination Interface. Show Log with specified Source-Ip. Show Log with specified Source-Port. Show Log with specified Destination-Ip. Show Log with specified Destination-Port. Show Log with specified IP Protocol number. Show Log with specified User Name. Show Log with specified Application.