How to Create a Site to Site VPN Policy using Certificates from the Command-line Interface (CLI)
03/26/2020 
7 
12504
DESCRIPTION:
How to Create a Site to Site VPN Policy using Certificates from the Command-line Interface (CLI)
RESOLUTION:
Feature/Application:
This KB article describes how to create a Site to Site VPN from the CLI between two SonicWall UTM appliances using certificates for authentication.
Procedure:
For the purpose of this article, we use the following scenario:
| Site A | Site B |
| NSA 5600 | NSA 4500 |
| X1 IP: 1.1.1.1 | X1 IP: 2.2.2.2 |
| X0 Subnet: 10.10.100.0/24 | X0 Subnet: 172.27.24.0/24 |
| Site A Configuration |
configure terminal | Enter configuration mode |
| address-object ipv4 NSA-4500 network 172.27.24.0 255.255.255.0 zone VPN | Create an address object of remote network |
vpn policy site-to-site NSA-4500
enable
gateway primary 2.2.2.2
auth-method certificate
certificate Server3 | Server3 is the name of the certificate. This command assumes that a certificate has already been imported into the SonicWall. |
| ike-id local distinguished-name | ike-id local has the following to choose from:- distinguished-name=the Subject field of the certificate
- domain-name=FQDN in the format "DNS Name:" in the SubjAltName field of the certificate
- email-id=Email address in the format "email:" in the SubjAltName field of the certificate
- ip=IP address in the format IP Address: in the SubjAltName field of the certificate
|
ike-id peer distinguished-name "/C=IN/ST=KA/L=BLR/O=SonicWall Inc./CN=SiteA.soniclab-kb.local"
exit | ike-id peer has the following to choose from:- distinguished-name=the Subject field of the certificate
- domain-name=FQDN in the format "DNS Name:" in the SubjAltName field of the certificate
- email-id=Email address in the format "email:" in the SubjAltName field of the certificate
- ip=IP address in the format IP Address: in the SubjAltName field of the certificate
|
network local name "X0 Subnet"
network remote name NSA-4500
proposal ike exchange ikev2
proposal ike encryption triple-des
proposal ike authentication sha-1
proposal ike dh-group 2
proposal ike lifetime 28800
proposal ipsec protocol esp
proposal ipsec encryption triple-des
proposal ipsec authentication sha-1
proposal ipsec lifetime 28800
management https
keep-alive
bound-to zone WAN
exit | |
| commit | Save the settings |
| Site B Configuration |
| |
| configure terminal | Enter configuration mode |
| address-object ipv4 NSA-5600 network 10.10.100.0 255.255.255.0 zone VPN | Create an address object of remote network |
vpn policy site-to-site NSA-5600 enable gateway primary 1.1.1.1 auth-method certificate certificate vpn-256 | vpn-256 is the name of the certificate. This command assumes that a certificate has already been imported into the SonicWall. |
| ike-id local distinguished-name | ike-id local has the following to choose from:- distinguished-name=the Subject field of the certificate
- domain-name=FQDN in the format "DNS Name:" in the SubjAltName field of the certificate
- email-id=Email address in the format "email:" in the SubjAltName field of the certificate
- ip=IP address in the format IP Address: in the SubjAltName field of the certificate
|
ike-id peer distinguished-name "/C=IN/ST=KA/L=BLR/O=SonicWall Inc./CN=SiteB.soniclab-kb.local"
exit | ike-id peer has the following to choose from:- distinguished-name=the Subject field of the certificate
- domain-name=FQDN in the format "DNS Name:" in the SubjAltName field of the certificate
- email-id=Email address in the format "email:" in the SubjAltName field of the certificate
- ip=IP address in the format IP Address: in the SubjAltName field of the certificate
|
network local name "LAN Primary Subnet" network remote name NSA-5600
proposal ike exchange ikev2
proposal ike encryption triple-des
proposal ike authentication sha1
proposal ike dh-group 2
proposal ike lifetime 28800
proposal ipsec protocol esp
proposal ipsec encryption triple-des
proposal ipsec authentication sha1
proposal ipsec dh-group none
proposal ipsec lifetime 28800management https bound-to zone WAN
exit
| |
| commit | Save the settings |
After entering the above commands, to bring up the tunnel, start a ping from a host behind the Site A network to a host behind the Site B network. 
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Network Security ManagerModern Security Management for today’s security landscape
Capture ATPMulti-engine advanced threat detection
Capture Security applianceAdvanced Threat Protection for modern threat landscape
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
Email SecurityProtect against today’s advanced email threats
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
