Configuring Tunnel Interface (static route-based) VPN using Enterprise Command Line

03/26/2020


    Description

    SonicOS 5.9 introduces a new, more robust, enterprise-level Command Line Interface (E-CLI). This article describes how to create a static route-based Tunnel-Interface VPN policy using the E-CLI.

    Resolution

    Global System Commands
    The following system commands are global and can be executed from anywhere in the config module.

    Command     Description
    Tab key     Aids in completing a command. Displays useful information such as the next option in the command.
    ? key       Lists the next command or commands with a short description of each. For certain commands, the ? key also displays examples of using the given command.
    q key       Breaks the listing of commands or information. Useful when the output of a command such as show current-config needs to be stopped.
    cancel      Exit from the mode without saving changes.
    clear       Reset functions.
    commit      Save configuration changes. The command commit best-effort saves only the valid changes.
    diag        Diagnostic functions.
    end         Exit the current mode and return to global configuration mode without saving changes made in the current mode.
    exit        Exit the current mode without saving changes made in the current mode.
    export      Export system status or configuration.
    help        Display command help.
    no          Negate a command or set its defaults.
    show        Show system status or configuration.

    For the purpose of this article, we use an NSA 220 and an NSA 4500 with the following IP addresses as examples to demonstrate the VPN configuration.

    NSA 220

    WAN (X1):192.168.170.31
    LAN (X0): 10.10.10.0/24

    NSA 4500

    WAN (X1): 192.168.170.51
    LAN (X0): 172.27.24.0/24


    Note: One of the benefits of E-CLI is that commands can be copied and pasted into the CLI. Therefore, users can copy and paste the commands below directly into each SonicWall's CLI, substituting your IP addresses, names etc. for ones shown below.

    NSA 220 Configuration
    Create an address object for the remote network:
    config
    address-object ipv4 "NSA 4500 LAN" network 172.27.24.0 /24 zone VPN

    NSA 4500 Configuration
    Create an address object for the remote network:
    config
    address-object ipv4 "NSA 220 LAN" network 10.10.10.0 /24 zone VPN

    • Make sure there is a space after the network address and before the slash notation; the "/" and the prefix length must not be separated by a space.
    • These address objects are referenced, as an example, throughout this article.
    • Address objects can also be created "on the fly" while creating the VPN policy. For example, network remote network 172.27.24.0 /24 would create an address object named "172.27.24.0/24".
    Tunnel-Interface VPN Configuration - IKEv2 Mode

    The proposal values below (triple-des encryption, DH group 2) and the shared secret "1234" are the article's example values and are weaker than current practice. On a production tunnel use AES, a DH group with a modulus of 2048 bits or more, and a long random shared secret. Whatever you choose, the IKE and IPsec proposals must match on both firewalls or the tunnel will not negotiate.

    NSA 220 Configuration
    vpn policy tunnel-interface "To Remote Site"
    enable
    gateway primary 192.168.170.51
    auth-method shared-secret
    shared-secret "1234"
    exit
    proposal ike authentication sha256
    proposal ike dh-group 2
    proposal ike encryption triple-des
    proposal ike exchange ikev2
    proposal ike lifetime 28800

    proposal ipsec protocol esp
    proposal ipsec encryption triple-des
    proposal ipsec authentication sha256
    proposal ipsec dh-group none
    proposal ipsec lifetime 28800
    keep-alive
    management https ssh
    bound-to interface X1
    commit
    exit

    NSA 4500 Configuration
    vpn policy tunnel-interface "To Central Site"
    enable
    gateway primary 192.168.170.31
    auth-method shared-secret
    shared-secret "1234"
    exit
    proposal ike authentication sha256
    proposal ike dh-group 2
    proposal ike encryption triple-des
    proposal ike exchange ikev2
    proposal ike lifetime 28800

    proposal ipsec protocol esp
    proposal ipsec encryption triple-des
    proposal ipsec authentication sha256
    proposal ipsec dh-group none
    proposal ipsec lifetime 28800
    management https ssh
    bound-to interface X1
    commit
    exit

    The proposal ipsec commands (for Phase 2) need not be included if the default parameters are acceptable. If proposal ipsec is not explicitly specified, the defaults of esp, triple-des, sha1, none and 28800 are configured. Note that the default ESP authentication is sha1, so a peer configured with sha256 as above will not match unless proposal ipsec authentication sha256 is set explicitly on both sides.
    Other (optional) commands
    netbios   //Enable Windows Networking (NetBIOS) Broadcast
    multicast  //Enable Multicast
    management snmp //Enable SNMP via this SA
    user-login http  //Enable user login via this SA over HTTP
    user-login https   //Enable user login via this SA over HTTPS
    tcp-acceleration   //Enable acceleration
    Create a static route bound to a tunnel-interface
    Once a tunnel-interface VPN policy is created, a numbered tunnel interface is auto-created. To view the tunnel interfaces, press the Tab key after the command policy interface; this displays all the interfaces. To create a static route, follow these steps:
    routing
    policy interface TI2 metric 1 source any destination name "NSA 4500 LAN" service any gateway default
    commit
    exit
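    The three steps above (address object, tunnel-interface policy, static route) have to be typed in the same order on both firewalls, with the gateway, address object and route mirrored. The following script is an added example written for this article, not SonicWall code: it renders the paste-ready E-CLI block for each side from one description, checks the address-object syntax the notes above warn about, reports proposal values that differ between peers, and flags the weak example settings (triple-des, DH group 2, a four-digit secret, no PFS). The tunnel-interface name on the NSA 4500 and the keywords aes-256 and dh-group 14 in the hardened proposal are assumptions; confirm them with the Tab and ? keys on your own SonicOS build.

```python
"""Render and sanity-check the paired E-CLI config for a static route-based tunnel-interface VPN."""
from __future__ import annotations
from dataclasses import dataclass, asdict
import ipaddress

@dataclass
class Site:
    name: str         # label used in the peer's address object, e.g. "NSA 220"
    wan_ip: str       # X1 address the peer dials as "gateway primary"
    lan_cidr: str     # X0 network published to the peer
    policy_name: str  # tunnel-interface VPN policy name on this firewall
    tunnel_if: str    # auto-created tunnel interface (assumed name; confirm with Tab)

@dataclass
class Proposal:
    """Phase 1 / Phase 2 values; the defaults are the article's example values."""
    ike_auth: str = "sha256"
    ike_dh: str = "2"
    ike_enc: str = "triple-des"
    ike_exchange: str = "ikev2"
    ike_lifetime: int = 28800
    ipsec_enc: str = "triple-des"
    ipsec_auth: str = "sha256"
    ipsec_dh: str = "none"
    ipsec_lifetime: int = 28800

WEAK_ENC = {"des", "triple-des"}  # editor's classification, not the article's
WEAK_DH = {"1", "2", "5"}         # modulus below 2048 bits

def address_object(peer: Site) -> str:
    """Address object for the peer's LAN; strict=True rejects a host address like 10.10.10.5/24."""
    net = ipaddress.ip_network(peer.lan_cidr, strict=True)
    # E-CLI syntax: a space before the slash, none between "/" and the prefix length
    return (f'address-object ipv4 "{peer.name} LAN" network '
            f'{net.network_address} /{net.prefixlen} zone VPN')

def lint(prop: Proposal, secret: str) -> list[str]:
    """Warnings a reviewer would raise before this config is pasted into a firewall."""
    checks = [
        (prop.ike_enc in WEAK_ENC, f"IKE encryption {prop.ike_enc} is legacy; prefer AES"),
        (prop.ipsec_enc in WEAK_ENC, f"IPsec encryption {prop.ipsec_enc} is legacy; prefer AES"),
        (prop.ike_dh in WEAK_DH, f"IKE DH group {prop.ike_dh} is weak; prefer group 14 or higher"),
        (prop.ipsec_dh == "none", "IPsec DH group none disables perfect forward secrecy"),
        (len(secret) < 16 or secret.isdigit(), "shared secret is short or numeric; use a long random value"),
    ]
    return [msg for bad, msg in checks if bad]

def proposal_mismatches(a: Proposal, b: Proposal) -> list[str]:
    """Both peers must offer the same proposal, or IKE negotiation fails."""
    da, db = asdict(a), asdict(b)
    return [f"{k}: {da[k]} != {db[k]}" for k in da if da[k] != db[k]]

def render(local: Site, peer: Site, prop: Proposal, secret: str, keep_alive: bool = False) -> str:
    """E-CLI commands to paste into `local`, in the article's order: address object, policy, route."""
    lines = [
        "config",
        address_object(peer),
        f'vpn policy tunnel-interface "{local.policy_name}"',
        "enable",
        f"gateway primary {peer.wan_ip}",
        "auth-method shared-secret",
        f'shared-secret "{secret}"',
        "exit",
        f"proposal ike authentication {prop.ike_auth}",
        f"proposal ike dh-group {prop.ike_dh}",
        f"proposal ike encryption {prop.ike_enc}",
        f"proposal ike exchange {prop.ike_exchange}",
        f"proposal ike lifetime {prop.ike_lifetime}",
        "proposal ipsec protocol esp",
        f"proposal ipsec encryption {prop.ipsec_enc}",
        f"proposal ipsec authentication {prop.ipsec_auth}",
        f"proposal ipsec dh-group {prop.ipsec_dh}",
        f"proposal ipsec lifetime {prop.ipsec_lifetime}",
    ]
    if keep_alive:  # the article enables keep-alive on one side only
        lines.append("keep-alive")
    lines += [
        "management https ssh",
        "bound-to interface X1",
        "commit",
        "exit",
        "routing",
        f'policy interface {local.tunnel_if} metric 1 source any '
        f'destination name "{peer.name} LAN" service any gateway default',
        "commit",
        "exit",
    ]
    return "\n".join(lines)

# The article's two firewalls (constructed sample input). Tunnel interface names are assumed.
NSA_220 = Site("NSA 220", "192.168.170.31", "10.10.10.0/24", "To Remote Site", "TI2")
NSA_4500 = Site("NSA 4500", "192.168.170.51", "172.27.24.0/24", "To Central Site", "TI2")
# aes-256 and dh-group 14 are assumed to be valid keywords on your SonicOS build; confirm with "?".
HARDENED = Proposal(ike_dh="14", ike_enc="aes-256", ipsec_enc="aes-256", ipsec_dh="14")

if __name__ == "__main__":
    print("\n".join("WARN: " + w for w in lint(Proposal(), "1234")))
    print(render(NSA_220, NSA_4500, HARDENED, "replace-with-a-long-random-secret", keep_alive=True))
    print(render(NSA_4500, NSA_220, HARDENED, "replace-with-a-long-random-secret"))
```

    Run it once per pair of firewalls and paste each rendered block into the matching unit. Because both sides are rendered from the same Proposal object, a mismatched Phase 1 or Phase 2 value (the usual reason a tunnel sits at "negotiating") cannot creep in; proposal_mismatches is there for the case where one side is already configured and you only want to compare.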
    Edit VPN policies
    To edit and change a VPN policy, enter the policy's edit mode. As already mentioned, at each command pressing "?" lists the usage with examples, and pressing the Tab key either auto-completes a partially typed command or lists the commands or values that can come next. For example:

    • pressing the Tab key after vpn policy lists the following options:
      enable  group-vpn  site-to-site  tunnel-interface
    • pressing the Tab key after vpn policy tun auto-completes tunnel-interface
    • pressing the Tab key after vpn policy tunnel-interface lists the configured VPN policies if more than one is configured. If only one tunnel-interface VPN policy is configured, it auto-completes the command with that policy's name:
       vpn policy tunnel-interface To Remote Site
    config
    vpn policy tunnel-interface "To Remote Site"

    Pressing the "?" or the Tab key lists the commands available within this module:

    auth-method        Authentication Method.
    bound-to           Configure VPN Policy Bound To.
    enable             Enable Policy.
    gateway            IPsec Gateway Name or Address.
    management         Enable Management for VPN Policy.
    multicast          Enable VPN Policy Multicast.
    name               Policy name.
    netbios            Enable VPN Policy NetBIOS.
    proposal           Policy proposal.
    tcp-acceleration   Enable Permit TCP Acceleration.
    transport-mode     Enable Transport Mode.
    user-login         Enable VPN Policy for User Login.

    (edit-tunnel-interface[To Remote Site])# no enable             //disable the VPN
    (edit-tunnel-interface[To Remote Site])# no management https   //disable HTTPS management over VPN
    (edit-tunnel-interface[To Remote Site])# user-login https      //enable HTTPS user login over VPN
    (edit-tunnel-interface[To Remote Site])# no netbios            //disable NetBIOS broadcasts over VPN
    (edit-tunnel-interface[To Remote Site])# cancel                //exit this module without saving changes
    (edit-tunnel-interface[To Remote Site])# commit                //save changes
    Delete a VPN policy

    To delete a VPN policy, enter the following command. It must be entered at the config prompt.

    config
    no vpn policy tunnel-interface "To Remote Site"

    Display VPN policies and VPN Tunnel information
    The show command is global and can be executed from any module. 

    Enter this command to show a specific VPN policy by name

    show vpn policy "To Remote Site"

    Enter this command to show all VPN policies :

    show vpn policies

    To display information on an active VPN tunnel, enter this command:

    show vpn tunnel "To Remote Site"

    To display information on all active VPN tunnels, enter this command:

    show vpn tunnels

    Display VPN Logs
    To display VPN logs, enter the following command:

    show log view category "VPN"

    The view can be further filtered using the following options:

    priority                Show log with the specified priority.
    source-interface        Show log with the specified source interface.
    destination-interface   Show log with the specified destination interface.
    source-ip               Show log with the specified source IP.
    source-port             Show log with the specified source port.
    destination-ip          Show log with the specified destination IP.
    destination-port        Show log with the specified destination port.
    ip-protocol             Show log with the specified IP protocol number.
    user-name               Show log with the specified user name.
    application             Show log with the specified application.

