
CLI

Configuring Site-to-Site VPN Using CLI

Introduction
This technote describes how to create a VPN policy using the Command Line Interface (CLI). In this example, we use a TZ 170 with SonicOS Enhanced 3.2 firmware. You can configure all of the parameters using the CLI, and enable the VPN, without using the Web management interface. Note: In this example, the VPN policy on the other end has already been created.

CLI Access
1. Use a DB9 to RJ45 connector to connect the serial port of your PC to the console port of your TZ 170.
2. Using a terminal emulator program such as Tera Term, use the following parameters:
   115,200 baud (9600 for TZ 170)
   8 bits
   No parity
   1 stop bit
   No flow control
3. You may need to hit return two to three times to get to a command prompt, which will look similar to the following:
   TZ170>
   If you have used any other CLI, such as a Unix shell or Cisco IOS, this process should be relatively easy and familiar. It has auto-complete, so you do not have to type in the entire command.
4. When you need to make a configuration change, you should be in configure mode. To enter configure mode, type configure:
   TZ170 > configure
   (config[TZ170])>
   The command prompt changes and adds the word config to distinguish it from the normal mode. Now you can configure all the settings, enable and disable the VPNs, and configure the firewall.


Configuration
In this example, a site-to-site VPN is configured between two TZ 170 appliances using the following settings:

Local TZ 170 (home):
   WAN IP: 10.50.31.150
   LAN subnet: 192.168.61.0
   Mask: 255.255.255.0
Remote TZ 170 (office):
   WAN IP: 10.50.31.104
   LAN subnet: 192.168.15.0
   Mask: 255.255.255.0
Authentication Method: IKE using a Pre-Shared Key
Phase 1 Exchange: Main Mode
Phase 1 Encryption: 3DES
Phase 1 Authentication: SHA1
Phase 1 DH group: 2
Phase 1 Lifetime: 28800
Phase 2 Protocol: ESP
Phase 2 Encryption: 3DES
Phase 2 Authentication: SHA1
Phase 2 Lifetime: 28800
No PFS

1. In configure mode, create an address object for the remote network, specifying the name, zone assignment, type, and address. In this example, we use the name OfficeLAN:
   (config[TZ170])> address-object OfficeLAN
   (config-address-object[OfficeLAN])>
   Note: The prompt has changed to indicate the configuration mode for the address object.
   (config-address-object[OfficeLAN])> zone VPN
   (config-address-object[OfficeLAN])> network 192.168.15.0 255.255.255.0
   (config-address-object[OfficeLAN])> finished
2. To display the address object, type the command show address-object [name]:
   TZ170 > show address-object OfficeLAN
   The output will be similar to the following:
   address-object OfficeLAN
     network 192.168.15.0 255.255.255.0
     zone VPN
3. To create the VPN policy, type the command vpn policy [name] [authentication method]:
   (config[TZ170])> vpn policy OfficeVPN pre-shared
   (config-vpn[OfficeVPN])>
   Note: The prompt has changed to indicate the configuration mode for the VPN policy. All the settings regarding this VPN will be entered here.

4. Configure the Pre-Shared Key. In this example, the Pre-Shared Key is sonicwall:
   (config-vpn[OfficeVPN])> pre-shared-secret sonicwall
5. Configure the IPSec gateway:
   (config-vpn[OfficeVPN])> gw ip-address 10.50.31.104
6. Define the local and the remote networks:
   (config-vpn[OfficeVPN])> network local address-object "LAN Primary Subnet"
   (config-vpn[OfficeVPN])> network remote address-object "OfficeLAN"
7. Configure the IKE and IPSec proposals:
   (config-vpn[OfficeVPN])> proposal ike main encr triple-des auth sha1 dh 2 lifetime 28800
   (config-vpn[OfficeVPN])> proposal ipsec esp encr triple-des auth sha1 dh no lifetime 28800
8. Enable keepalive on the VPN policy (the equivalent of the Advanced tab in the Web management interface):
   (config-vpn[OfficeVPN])> advanced keepalive
9. To enable the VPN policy, use the command vpn enable [name]:
   (config[TZ170])> vpn enable "OfficeVPN"
10. Use the finished command to save the VPN policy and exit from the VPN configure mode:
   (config-vpn[OfficeVPN])> finished
   (config[TZ170])>
   The configuration is complete.
   Note: The command prompt goes back to the configure mode prompt.
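The following Python script is an added example for this technote, not SonicWALL code. It builds the command sequence of steps 1 through 10 from a small set of parameters and, because the same settings have to be entered on both appliances, checks the two sides against each other before anything is typed at the console. The command strings are exactly the ones shown above; the Side and Proposal structures, the mismatch checks, and the office-side names HomeVPN and HomeLAN are assumptions made here (the technote says the office side is already configured but does not show it).

```python
"""Emit the SonicOS CLI command sequence for one side of a site-to-site VPN
policy and cross-check the two sides before either is typed at the console.

Added example for this technote, not SonicWALL code. The command strings are
the ones the technote shows for SonicOS Enhanced 3.2; the keyword tables only
cover the values it uses (3DES, SHA1). Side/Proposal, the mismatch checks and
the office-side names "HomeVPN"/"HomeLAN" are this script's own assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Settings-list names -> keywords used in the technote's "proposal" commands.
# A KeyError here means a value the technote does not cover; nothing is guessed.
ENCR_KEYWORD = {"3DES": "triple-des"}
AUTH_KEYWORD = {"SHA1": "sha1"}

@dataclass(frozen=True)
class Proposal:
    encr: str                # "3DES"
    auth: str                # "SHA1"
    lifetime: int            # seconds
    dh_group: Optional[int]  # Phase 1: DH group; Phase 2: None means "No PFS"

@dataclass(frozen=True)
class Side:
    policy: str                  # VPN policy name on this appliance
    wan_ip: str
    peer_gw: str                 # the other appliance's WAN IP
    psk: str
    local_net: Tuple[str, str]   # (network, mask) behind this appliance
    remote_net: Tuple[str, str]  # (network, mask) behind the peer
    remote_obj: str              # address-object name created for remote_net
    ike: Proposal
    ipsec: Proposal
    local_obj: str = "LAN Primary Subnet"  # built-in object the technote uses

def cli_commands(s: Side) -> List[str]:
    """The keystrokes for one appliance, in the order the technote enters them."""
    p1, p2 = s.ike, s.ipsec
    # The technote only shows "dh no" for Phase 2; a group number there is assumed
    # by analogy with the Phase 1 command.
    pfs = "no" if p2.dh_group is None else str(p2.dh_group)
    return [
        "configure",
        f"address-object {s.remote_obj}",
        "zone VPN",
        f"network {s.remote_net[0]} {s.remote_net[1]}",
        "finished",
        f"vpn policy {s.policy} pre-shared",
        f"pre-shared-secret {s.psk}",
        f"gw ip-address {s.peer_gw}",
        f'network local address-object "{s.local_obj}"',
        f'network remote address-object "{s.remote_obj}"',
        f"proposal ike main encr {ENCR_KEYWORD[p1.encr]} auth {AUTH_KEYWORD[p1.auth]} "
        f"dh {p1.dh_group} lifetime {p1.lifetime}",
        f"proposal ipsec esp encr {ENCR_KEYWORD[p2.encr]} auth {AUTH_KEYWORD[p2.auth]} "
        f"dh {pfs} lifetime {p2.lifetime}",
        "advanced keepalive",
        "finished",                   # back to the (config[...])> prompt
        f'vpn enable "{s.policy}"',   # the technote issues this from (config[...])>
    ]

def mismatches(a: Side, b: Side) -> List[str]:
    """Anything listed here will stop IKE or IPsec negotiating between a and b."""
    found = []
    if a.psk != b.psk:
        found.append("pre-shared keys differ")
    if a.peer_gw != b.wan_ip or b.peer_gw != a.wan_ip:
        found.append("gateway addresses do not point at each other's WAN IP")
    if a.remote_net != b.local_net or b.remote_net != a.local_net:
        found.append("local/remote networks are not mirror images")
    if a.ike != b.ike:
        found.append("Phase 1 (IKE) proposals differ")
    if a.ipsec != b.ipsec:
        found.append("Phase 2 (IPsec) proposals differ")
    return found

IKE_PROPOSAL = Proposal("3DES", "SHA1", 28800, 2)
IPSEC_PROPOSAL = Proposal("3DES", "SHA1", 28800, None)  # No PFS
# Home side exactly as the technote configures it.
HOME = Side("OfficeVPN", "10.50.31.150", "10.50.31.104", "sonicwall",
            ("192.168.61.0", "255.255.255.0"), ("192.168.15.0", "255.255.255.0"),
            "OfficeLAN", IKE_PROPOSAL, IPSEC_PROPOSAL)
# Office side: already configured per the technote but not shown, so this is the
# assumed mirror image; the names HomeVPN/HomeLAN are invented here.
OFFICE = Side("HomeVPN", "10.50.31.104", "10.50.31.150", "sonicwall",
              ("192.168.15.0", "255.255.255.0"), ("192.168.61.0", "255.255.255.0"),
              "HomeLAN", IKE_PROPOSAL, IPSEC_PROPOSAL)

if __name__ == "__main__":
    for side in (HOME, OFFICE):
        print(f"# {side.policy} on {side.wan_ip}\n" + "\n".join(cli_commands(side)))
    print("mismatches:", mismatches(HOME, OFFICE) or "none")
```

The generated sequence issues finished before vpn enable, since the prompt shown in step 9 is the configure prompt rather than the VPN policy prompt. Running mismatches() on the two Side records is the first thing to do when a tunnel will not come up: a pre-shared key, lifetime or DH group that differs on one side is the usual reason Phase 1 or Phase 2 never completes.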

Viewing VPN configuration


Use the following steps to view the VPN policies.
1. To view a list of all the configured VPN policies, type the command show vpn policy. The output will be similar to the following:
   (config[TZ170])> show vpn policy
   Policy: WAN GroupVPN (Disabled)
     Key Mode: Pre-shared
     Pre Shared Secret: DE65AD2228EED75A
     Proposals:
       IKE: Aggressive Mode, 3DES SHA, DH Group 2, 28800 seconds
       IPSEC: ESP, 3DES SHA, No PFS, 28800 seconds
     Advanced: Allow NetBIOS OFF, Allow Multicast OFF
     Management: HTTP OFF, HTTPS OFF
     Lan Default GW: 0.0.0.0
     Require XAUTH: ON, User Group: Trusted Users
     Client: Cache XAUTH Settings: Never
       Virtual Adapter Settings: None
       Allow Connections To: Split Tunnels
       Set Default Route OFF, Apply VPN Access Control List OFF
       Require GSC OFF
       Use Default Key OFF
   Policy: OfficeVPN (Enabled)
     Key Mode: Pre-shared
     Primary GW: 10.50.31.104
     Secondary GW: 0.0.0.0
     Pre Shared Secret: sonicwall
     IKE ID: Local: IP Address   Peer: IP Address
     Network: Local: LAN Primary Subnet
              Remote: OfficeLAN
     Proposals:
       IKE: Main Mode, 3DES SHA, DH Group 2, 28800 seconds
       IPSEC: ESP, 3DES SHA, No PFS, 28800 seconds
     Advanced: Keepalive ON, Add Auto-Rule ON, Allow NetBIOS OFF Allow Multicast OFF
     Management: HTTP ON, HTTPS ON
     User Login: HTTP ON, HTTPS ON
     Lan Default GW: 0.0.0.0
     Require XAUTH: OFF
     Bound To: Zone WAN

2. To view the configuration for a specific policy, specify the policy name in double quotes. For example:
   (config[TZ170])> show vpn policy "OfficeVPN"
   The output will be similar to the following:
   Policy: OfficeVPN (Enabled)
     Key Mode: Pre-shared
     Primary GW: 10.50.31.104
     Secondary GW: 0.0.0.0
     Pre Shared Secret: sonicwall
     IKE ID: Local: IP Address   Peer: IP Address
     Network: Local: LAN Primary Subnet
              Remote: OfficeLAN
     Proposals:
       IKE: Main Mode, 3DES SHA, DH Group 2, 28800 seconds
       IPSEC: ESP, 3DES SHA, No PFS, 28800 seconds
     Advanced: Keepalive ON, Add Auto-Rule ON, Allow NetBIOS OFF Allow Multicast OFF
     Management: HTTP ON, HTTPS ON
     User Login: HTTP ON, HTTPS ON
     Lan Default GW: 0.0.0.0
     Require XAUTH: OFF
     Bound To: Zone WAN

3. Type the command show vpn sa [name] to see the active SA:
   (config[TZ170])> show vpn sa "OfficeVPN"
   Policy: OfficeVPN
    IKE SAs
     GW: 10.50.31.150:500 --> 10.50.31.104:500
     Main Mode, 3DES SHA, DH Group 2, Responder
     Cookie: 0x0ac298b6328a670b (I), 0x28d5eec544c63690 (R)
     Lifetime: 28800 seconds (28783 seconds remaining)
    IPsec SAs
     GW: 10.50.31.150:500 --> 10.50.31.104:500
     (192.168.61.0 - 192.168.61.255) --> (192.168.15.0 - 192.168.15.255)
     ESP, 3DES SHA, In SPI 0xed63174f, Out SPI 0x5092a0b2
     Lifetime: 28800 seconds (28783 seconds remaining)
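As an added example (not SonicWALL code), the following Python script parses the show vpn sa output from step 3 and compares the negotiated SAs with the intended policy: the peer gateway, the Phase 1 mode and proposal, the Phase 2 protocol and proposal, and the traffic selectors, which it derives from the configured network and mask. SAMPLE_OUTPUT is the technote's own listing above; the regular expressions assume that layout, and a different SonicOS release may print the fields differently. EXPECTED_OFFICEVPN restates the technote's settings in a structure that is this script's own.

```python
"""Parse "show vpn sa [name]" output and compare the SAs actually negotiated
with the policy that was intended.

Added example for this technote, not SonicWALL code. SAMPLE_OUTPUT is the
technote's own sample (cookie and SPI values as printed there) and the regexes
assume that layout; another SonicOS release may print differently.
EXPECTED_OFFICEVPN restates the technote's settings in this script's own form.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_OUTPUT = """\
Policy: OfficeVPN
 IKE SAs
  GW: 10.50.31.150:500 --> 10.50.31.104:500
  Main Mode, 3DES SHA, DH Group 2, Responder
  Cookie: 0x0ac298b6328a670b (I), 0x28d5eec544c63690 (R)
  Lifetime: 28800 seconds (28783 seconds remaining)
 IPsec SAs
  GW: 10.50.31.150:500 --> 10.50.31.104:500
  (192.168.61.0 - 192.168.61.255) --> (192.168.15.0 - 192.168.15.255)
  ESP, 3DES SHA, In SPI 0xed63174f, Out SPI 0x5092a0b2
  Lifetime: 28800 seconds (28783 seconds remaining)
"""

# The SA listing prints the hash as "SHA" although the proposal was typed as sha1.
EXPECTED_OFFICEVPN = {
    "peer_gw": "10.50.31.104", "ike_mode": "Main", "dh_group": 2,
    "proto": "ESP", "encr": "3DES", "auth": "SHA",
    "local_net": ("192.168.61.0", "255.255.255.0"),
    "remote_net": ("192.168.15.0", "255.255.255.0"),
}

_GW = re.compile(r"GW: (\S+) --> (\S+)")
_IKE = re.compile(r"(\w+) Mode, (\S+) (\S+), DH Group (\d+), (\w+)")
_LIFE = re.compile(r"Lifetime: (\d+) seconds \((\d+) seconds remaining\)")
_SEL = re.compile(r"\((\S+) - (\S+)\) --> \((\S+) - (\S+)\)")
_IPSEC = re.compile(r"(\w+), (\S+) (\S+), In SPI (0x[0-9a-fA-F]+), Out SPI (0x[0-9a-fA-F]+)")

def _section(text: str, start: str, end: Optional[str]) -> str:
    # Text from the 'start' marker up to the 'end' marker (or end of output).
    i = text.find(start)
    if i < 0:
        return ""
    j = text.find(end, i) if end else -1
    return text[i:j] if j >= 0 else text[i:]

def parse_show_vpn_sa(text: str) -> Dict:
    """Return {"policy", "ike", "ipsec"}; a phase with no SA parses as None."""
    m = re.search(r"Policy: (\S+)", text)
    out: Dict = {"policy": m.group(1) if m else None, "ike": None, "ipsec": None}
    ike = _section(text, "IKE SAs", "IPsec SAs")
    gw, prop, life = _GW.search(ike), _IKE.search(ike), _LIFE.search(ike)
    if gw and prop and life:
        out["ike"] = {"local_gw": gw.group(1), "peer_gw": gw.group(2),
                      "mode": prop.group(1), "encr": prop.group(2), "auth": prop.group(3),
                      "dh_group": int(prop.group(4)), "role": prop.group(5),
                      "lifetime": int(life.group(1)), "remaining": int(life.group(2))}
    ipsec = _section(text, "IPsec SAs", None)
    sel, prop, life = _SEL.search(ipsec), _IPSEC.search(ipsec), _LIFE.search(ipsec)
    if sel and prop and life:
        out["ipsec"] = {"local_range": (sel.group(1), sel.group(2)),
                        "remote_range": (sel.group(3), sel.group(4)),
                        "proto": prop.group(1), "encr": prop.group(2), "auth": prop.group(3),
                        "in_spi": prop.group(4), "out_spi": prop.group(5),
                        "lifetime": int(life.group(1)), "remaining": int(life.group(2))}
    return out

def subnet_range(network: str, mask: str) -> Tuple[str, str]:
    """First and last address of network/mask, the form the SA listing uses."""
    net = ipaddress.ip_network(f"{network}/{mask}", strict=False)
    return str(net.network_address), str(net.broadcast_address)

def check_sa(parsed: Dict, expected: Dict) -> List[str]:
    """Deviations between the live SAs and the intended policy (empty = healthy)."""
    ike, ipsec = parsed["ike"], parsed["ipsec"]
    if ike is None:
        return ["no IKE SA: Phase 1 has not completed"]
    problems: List[str] = []
    if ike["peer_gw"].split(":")[0] != expected["peer_gw"]:
        problems.append(f"IKE peer is {ike['peer_gw']}, expected {expected['peer_gw']}")
    if (ike["mode"], ike["encr"], ike["auth"], ike["dh_group"]) != (
            expected["ike_mode"], expected["encr"], expected["auth"], expected["dh_group"]):
        problems.append("Phase 1 proposal differs from the configured one")
    if ipsec is None:
        return problems + ["IKE SA up but no IPsec SA: Phase 2 not established"]
    if (ipsec["proto"], ipsec["encr"], ipsec["auth"]) != (
            expected["proto"], expected["encr"], expected["auth"]):
        problems.append("Phase 2 proposal differs from the configured one")
    if ipsec["local_range"] != subnet_range(*expected["local_net"]):
        problems.append(f"local selector {ipsec['local_range']} is not the configured LAN")
    if ipsec["remote_range"] != subnet_range(*expected["remote_net"]):
        problems.append(f"remote selector {ipsec['remote_range']} is not the configured remote network")
    return problems

if __name__ == "__main__":
    print(check_sa(parse_show_vpn_sa(SAMPLE_OUTPUT), EXPECTED_OFFICEVPN) or "healthy")
```

Note that show vpn policy (steps 1 and 2) prints the Pre Shared Secret in clear text, so a captured console session of that output is as sensitive as the key itself; show vpn sa does not include the key, which is one reason to base routine checks on it. Running the check after every change to either appliance catches a policy that is enabled but negotiating something other than what was configured.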

Last Update: 01/04/08
