configuring site to site vpn using cli

Upload: paramaguru85

Post on 05-Apr-2018


    8/2/2019 Configuring Site to Site VPN Using CLI

    Configuring Site-to-Site VPN Using CLI

    Introduction

    This technote describes how to create a VPN policy using the Command Line Interface (CLI). In this example, we use a TZ 170 with SonicOS Enhanced 3.2 firmware. You can configure all of the parameters using the CLI, and enable the VPN, without using the Web management interface.

    Note: In this example, the VPN policy on the other end has already been created.

    CLI Access

    1. Use a DB9 to RJ45 connector to connect the serial port of your PC to the console port of your TZ 170.

    2. Using a terminal emulator program such as Tera Term, use the following parameters:

    115,200 baud (9600 for TZ 170)
    8 bits
    No parity
    1 stop bit
    No flow control

    3. You may need to hit return two to three times to get to a command prompt, which will look similar to the following:

    TZ170>

    If you have used any other CLI, such as a Unix shell or Cisco IOS, this process should be relatively easy and similar. The CLI has auto-complete, so you do not have to type in the entire command.

    4. When you need to make a configuration change, you should be in configure mode. To enter configure mode, type configure:

    TZ170 > configure
    (config[TZ170])>

    The command prompt changes and adds the word config to distinguish it from the normal mode. Now you can configure all the settings, enable and disable the VPNs, and configure the firewall.


    Configuration

    In this example, a site-to-site VPN is configured between two TZ 170 appliances using the following settings:

    Local TZ 170 (home):
    WAN IP: 10.50.31.150
    LAN subnet: 192.168.61.0  Mask: 255.255.255.0

    Remote TZ 170 (office):
    WAN IP: 10.50.31.104
    LAN subnet: 192.168.15.0  Mask: 255.255.255.0

    Authentication Method: IKE using a Pre-Shared Key
    Phase 1 Exchange: Main Mode
    Phase 1 Encryption: 3DES
    Phase 1 Authentication: SHA1
    Phase 1 DH group: 2
    Phase 1 Lifetime: 28800
    Phase 2 Protocol: ESP
    Phase 2 Encryption: 3DES
    Phase 2 Authentication: SHA1
    Phase 2 Lifetime: 28800
    No PFS

    1. In configure mode, create an address object for the remote network, specifying the name, zone assignment, type, and address. In this example, we use the name OfficeLAN:

    (config[TZ170])> address-object OfficeLAN
    (config-address-object[OfficeLAN])>

    Note: The prompt has changed to indicate the configuration mode for the address object.

    (config-address-object[OfficeLAN])> zone VPN
    (config-address-object[OfficeLAN])> network 192.168.15.0 255.255.255.0
    (config-address-object[OfficeLAN])> finished

    2. To display the address object, type the command show address-object [name]:

    TZ170 > show address-object OfficeLAN

    The output will be similar to the following:

    address-object OfficeLAN
    network 192.168.15.0 255.255.255.0
    zone VPN

    3. To create the VPN policy, type the command vpn policy [name] [authentication method]:

    (config[TZ170])> vpn policy OfficeVPN pre-shared
    (config-vpn[OfficeVPN])>

    Note: The prompt has changed to indicate the configuration mode for the VPN policy. All the settings regarding this VPN will be entered here.


    4. Configure the Pre-Shared Key. In this example, the Pre-Shared Key is sonicwall:

    (config-vpn[OfficeVPN])> pre-shared-secret sonicwall

    5. Configure the IPSec gateway:

    (config-vpn[OfficeVPN])> gw ip-address 10.50.31.104

    6. Define the local and the remote networks:

    (config-vpn[OfficeVPN])> network local address-object "LAN Primary Subnet"
    (config-vpn[OfficeVPN])> network remote address-object "OfficeLAN"

    7. Configure the IKE and IPSec proposals:

    (config-vpn[OfficeVPN])> proposal ike main encr triple-des auth sha1 dh 2 lifetime 28800
    (config-vpn[OfficeVPN])> proposal ipsec esp encr triple-des auth sha1 dh no lifetime 28800

    8. Enable keepalive on the VPN policy (this is the CLI equivalent of the Keepalive setting on the Advanced tab of the Web UI):

    (config-vpn[OfficeVPN])> advanced keepalive

    9. To enable the VPN policy, use the command vpn enable [name]:

    (config[TZ170])> vpn enable "OfficeVPN"

    10. Use the finished command to save the VPN policy and exit from the VPN configure mode:

    (config-vpn[OfficeVPN])> finished
    (config[TZ170])>

    The configuration is complete.

    Note: The command prompt goes back to the configure mode prompt.


    Viewing VPN configuration

    Use the following steps to view the configured VPN policies.

    1. To view a list of all the configured VPN policies, type the command show vpn policy. The output will be similar to the following:

    (config[TZ170])> show vpn policy

    Policy: WAN GroupVPN (Disabled)
    Key Mode: Pre-shared
    Pre Shared Secret: DE65AD2228EED75A
    Proposals:
      IKE: Aggressive Mode, 3DES SHA, DH Group 2, 28800 seconds
      IPSEC: ESP, 3DES SHA, No PFS, 28800 seconds
    Advanced:
      Allow NetBIOS OFF, Allow Multicast OFF
      Management: HTTP OFF, HTTPS OFF
      Lan Default GW: 0.0.0.0
      Require XAUTH: ON, User Group: Trusted Users
    Client:
      Cache XAUTH Settings: Never
      Virtual Adapter Settings: None
      Allow Connections To: Split Tunnels
      Set Default Route OFF, Apply VPN Access Control List OFF
      Require GSC OFF
      Use Default Key OFF

    Policy: OfficeVPN (Enabled)
    Key Mode: Pre-shared
    Primary GW: 10.50.31.104
    Secondary GW: 0.0.0.0
    Pre Shared Secret: sonicwall
    IKE ID:
      Local: IP Address
      Peer: IP Address
    Network:
      Local: LAN Primary Subnet
      Remote: OfficeLAN
    Proposals:
      IKE: Main Mode, 3DES SHA, DH Group 2, 28800 seconds
      IPSEC: ESP, 3DES SHA, No PFS, 28800 seconds
    Advanced:
      Keepalive ON, Add Auto-Rule ON, Allow NetBIOS OFF
      Allow Multicast OFF
      Management: HTTP ON, HTTPS ON
      User Login: HTTP ON, HTTPS ON
      Lan Default GW: 0.0.0.0
      Require XAUTH: OFF
      Bound To: Zone WAN


    2. To view the configuration for a specific policy, specify the policy name in double quotes. For example:

    (config[TZ170])> show vpn policy "OfficeVPN"

    The output will be similar to the following:

    Policy: OfficeVPN (Enabled)
    Key Mode: Pre-shared
    Primary GW: 10.50.31.104
    Secondary GW: 0.0.0.0
    Pre Shared Secret: sonicwall
    IKE ID:
      Local: IP Address
      Peer: IP Address
    Network:
      Local: LAN Primary Subnet
      Remote: OfficeLAN
    Proposals:
      IKE: Main Mode, 3DES SHA, DH Group 2, 28800 seconds
      IPSEC: ESP, 3DES SHA, No PFS, 28800 seconds
    Advanced:
      Keepalive ON, Add Auto-Rule ON, Allow NetBIOS OFF
      Allow Multicast OFF
      Management: HTTP ON, HTTPS ON
      User Login: HTTP ON, HTTPS ON
      Lan Default GW: 0.0.0.0
      Require XAUTH: OFF
      Bound To: Zone WAN

    3. Type the command show vpn sa [name] to see the active SA:

    (config[TZ170])> show vpn sa "OfficeVPN"

    Policy: OfficeVPN
    IKE SAs
      GW: 10.50.31.150:500 --> 10.50.31.104:500
      Main Mode, 3DES SHA, DH Group 2, Responder
      Cookie: 0x0ac298b6328a670b (I), 0x28d5eec544c63690 (R)
      Lifetime: 28800 seconds (28783 seconds remaining)

    IPsec SAs
      GW: 10.50.31.150:500 --> 10.50.31.104:500
      (192.168.61.0 - 192.168.61.255) --> (192.168.15.0 - 192.168.15.255)
      ESP, 3DES SHA, In SPI 0xed63174f, Out SPI 0x5092a0b2
      Lifetime: 28800 seconds (28783 seconds remaining)

    Last Update: 01/04/08
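As an added example (not part of the technote and not a SonicWall tool), the following Python parses the `show vpn policy` output format shown above and runs a few defender's checks on each policy it finds. The sample text is constructed from the values in this technote, and the checks (3DES, aggressive mode, PFS, secret shown in clear) are an assumed local policy, not a vendor recommendation.

```python
import re

# Constructed sample in the layout of the technote's `show vpn policy` output.
SAMPLE = """\
Policy: WAN GroupVPN (Disabled)
Pre Shared Secret: DE65AD2228EED75A
Proposals:
IKE: Aggressive Mode, 3DES SHA, DH Group 2, 28800 seconds
IPSEC: ESP, 3DES SHA, No PFS, 28800 seconds
Policy: OfficeVPN (Enabled )
Pre Shared Secret: sonicwall
Network:
Local: LAN Primary Subnet
Remote: OfficeLAN
Proposals:
IKE: Main Mode, 3DES SHA, DH Group 2, 28800 seconds
IPSEC: ESP, 3DES SHA, No PFS, 28800 seconds
"""
POLICY_RE = re.compile(r"^Policy: (.+?) \((Enabled|Disabled)\s*\)$")

def parse_policies(text):
    """Return {name: {field: value}}; fields under a block header such as
    'Network:' are qualified ('Network Remote') so 'Local' lines cannot collide."""
    policies, current, section = {}, None, None
    for line in (l.strip() for l in text.splitlines()):
        m = POLICY_RE.match(line)
        if m:
            current, section = {"state": m.group(2)}, None
            policies[m.group(1)] = current
        elif current is not None and ":" in line:
            key, _, value = (s.strip() for s in line.partition(":"))
            if not value:  # block header such as 'Proposals:'
                section = key
            else:
                current[f"{section} {key}" if section else key] = value
    return policies

def audit_policy(p):
    """Defender's checks on one parsed policy; returns a list of findings."""
    ike, ipsec = p.get("Proposals IKE", ""), p.get("Proposals IPSEC", "")
    findings = []
    if "Aggressive Mode" in ike:
        findings.append("aggressive mode; prefer main mode for pre-shared keys")
    if "3DES" in ike or "3DES" in ipsec:
        findings.append("3DES is deprecated; prefer AES")
    if "No PFS" in ipsec:
        findings.append("PFS off; phase 2 keys are not independent of phase 1")
    if "Pre Shared Secret" in p:
        findings.append("secret printed in clear text; treat captured output as sensitive")
    return findings
```

Run `audit_policy` over each entry of `parse_policies(SAMPLE)`; disabled policies are parsed too, so check the `state` field before deciding whether a finding is live.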