- Products
- Network Security
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
Capture ATPMulti-engine advanced threat detection
Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
- Email Security
Email SecurityProtect against today’s advanced email threats
- Cloud Security
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
- Products
- Network Security
- Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
- Security ServicesComprehensive security for your network security solution
- Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
- Capture ATPMulti-engine advanced threat detection
- Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
- Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
- Secure Mobile AccessRemote, best-in-class, secure access
- Wireless Access PointsEasy to manage, fast and secure Wi-FI
- SwitchesHigh-speed network switching for business connectivity
- Email Security
- Email SecurityProtect against today’s advanced email threats
- Cloud Security
- Cloud App SecurityVisibility and security for Cloud Apps
- Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
- Capture ClientStop advanced threats and rollback the damage caused by malware
- Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
How to Create a Site to Site VPN Policy using Certificates from the Command-line Interface (CLI)
03/26/2020 
8 People found this article helpful
94,786 Views
Description
How to Create a Site to Site VPN Policy using Certificates from the Command-line Interface (CLI)
Resolution
Feature/Application:
This KB article describes how to create a Site to Site VPN from the CLI between two SonicWall UTM appliances using certificates for authentication.
Procedure:
- Before configuring the VPN policy, import the certificates into each UTM appliance from the GUI. For more information on how to import certificates into the SonicWall UTM appliance, see Using Digital Certificates in Site to Site VPN, WAN GroupVPN & Global VPN Client connections
- Login to the SonicWall Command Line Interface using either SSH or Console.
- Enter the following commands one after another. The CLI also supports pasting from the clipboard.
For the purpose of this article, we use the following scenario:
| Site A | Site B |
| NSA 5600 | NSA 4500 |
| X1 IP: 1.1.1.1 | X1 IP: 2.2.2.2 |
| X0 Subnet: 10.10.100.0/24 | X0 Subnet: 172.27.24.0/24 |
| Site A Configuration | |
configure terminal | Enter configuration mode |
| address-object ipv4 NSA-4500 network 172.27.24.0 255.255.255.0 zone VPN | Create an address object of remote network |
| vpn policy site-to-site NSA-4500 enable gateway primary 2.2.2.2 auth-method certificate certificate Server3 | Server3 is the name of the certificate. This command assumes that a certificate has already been imported into the SonicWall. |
| ike-id local distinguished-name | ike-id local has the following to choose from:
|
| ike-id peer distinguished-name "/C=IN/ST=KA/L=BLR/O=SonicWall Inc./CN=SiteA.soniclab-kb.local" exit | ike-id peer has the following to choose from:
|
| network local name "X0 Subnet" network remote name NSA-4500 proposal ike exchange ikev2 proposal ike encryption triple-des proposal ike authentication sha-1 proposal ike dh-group 2 proposal ike lifetime 28800 proposal ipsec protocol esp proposal ipsec encryption triple-des proposal ipsec authentication sha-1 proposal ipsec lifetime 28800 management https keep-alive bound-to zone WAN exit | |
| commit | Save the settings |
| Site B Configuration | |
| configure terminal | Enter configuration mode |
| address-object ipv4 NSA-5600 network 10.10.100.0 255.255.255.0 zone VPN | Create an address object of remote network |
vpn policy site-to-site NSA-5600 enable gateway primary 1.1.1.1 auth-method certificate certificate vpn-256 | vpn-256 is the name of the certificate. This command assumes that a certificate has already been imported into the SonicWall. |
| ike-id local distinguished-name | ike-id local has the following to choose from:
|
| ike-id peer distinguished-name "/C=IN/ST=KA/L=BLR/O=SonicWall Inc./CN=SiteB.soniclab-kb.local" exit | ike-id peer has the following to choose from:
|
network local name "LAN Primary Subnet" network remote name NSA-5600proposal ike exchange ikev2 proposal ike encryption triple-des proposal ike authentication sha1 proposal ike dh-group 2 proposal ike lifetime 28800 proposal ipsec protocol esp proposal ipsec encryption triple-des proposal ipsec authentication sha1 proposal ipsec dh-group none proposal ipsec lifetime 28800 management https bound-to zone WANexit | |
| commit | Save the settings |
After entering the above commands, to bring up the tunnel, start a ping from a host behind the Site A network to a host behind the Site B network.
Related Articles
- How to remove 2FA for admin using CLI
- 2FA authentication error using TOTP "Please try again later"
- Methods to add Address Objects
Categories
- Firewalls > TZ Series
- Firewalls > SonicWall SuperMassive E10000 Series
- Firewalls > SonicWall SuperMassive 9000 Series
- Firewalls > SonicWall NSA Series
YES
NO