Example: Configuring a Site-to-Site VPN Using the CLI

This section describes how to create a VPN policy using the Command Line Interface. You can configure all of the parameters using the CLI, and enable the VPN without using the Web management interface.

* 
NOTE: In this example, the VPN policy on the other end has already been created.

CLI Access

1
Use a DB9 to RJ45 connector to connect the serial port of your PC to the console port of your firewall.
2
Using a terminal emulator program (such as PuTTY or Tera Term) use the following parameters:
115,200 baud
8 bits
No parity
1 stop bit
No flow control
3
You may need to hit return two to three times to get to a command prompt, which will look similar to the following:
NSA3600>

or

SM9200>
4
If you have used any other CLI, such as Unix shell or Cisco IOS, this process should be relatively easy and similar. It has auto-complete so you do not have to type in the entire command.
5
When you need to make a configuration change, you must be in configure mode. To enter configure mode, type configure.
NSA3600> configure
(config[NSA3600])>
6
The command prompt changes and adds the word config to distinguish it from the normal mode. Now you can configure all the settings, enable and disable the VPNs, and configure the firewall.

Configuration

In this example, a site-to-site VPN is configured between two NSA 3600 appliances, with the following settings:

Local NSA 3600 (home):
WAN IP: 10.50.31.150
LAN subnet: 192.168.61.0
Mask 255.255.255.0

Remote NSA 3600 (office):
WAN IP: 10.50.31.104
LAN subnet: 192.168.15.0
Mask: 255.255.255.0

Authentication Method: IKE using a Pre-Shared Key
Phase 1 Exchange: Main Mode
Phase 1 Encryption: 3DES
Phase 1 Authentication SHA1
Phase 1 DH group: 2
Phase 1 Lifetime: 28800
Phase 2 Protocol: ESP
Phase 2 Encryption: 3DES
Phase 2 Authentication: SHA1
Phase 2 Lifetime: 28800
No PFS

1
In configure mode, create an address object for the remote network, specifying the name, zone assignment, type, and address. In this example, we use the name OfficeLAN:

(config[NSA3600]> address-object Office LAN
(config-address-object[OfficeLAN])>

* 
NOTE: The prompt has changed to indicate the configuration mode for the address object.

(config-address-object[OfficeLAN])> zone VPN
(config-address-object[OfficeLAN])> network 192.168.15.0 255.255.255.0
(config-address-object[OfficeLAN])> finished

2
To display the address object, type the command show address-object [name]:

NSA3600 > show address-object OfficeLAN

The output will be similar to the following:

address-object OfficeLAN
network 192.168.15.0 255.255.255.0
zone VPN

3
To create the VPN policy, type the command:

vpn policy [name] [authentication method]

(config[NSA3600])> vpn policy OfficeVPN pre-shared
(config-vpn[OfficeVPN])>

* 
NOTE: The prompt changes to indicate the configuration mode for the VPN policy. All the settings regarding this VPN will be entered here.
4
Configure the Pre-Shared Key. In this example, the Pre-Shared Key is sonicwall:

(config-vpn[OfficeVPN])> pre-shared-secret sonicwall

5
Configure the IPSec gateway:

(config-vpn[OfficeVPN])> gw ip-address 10.50.31.104

6
Define the local and the remote networks:

(config-vpn[OfficeVPN])> network local address-object "LAN Primary Subnet"
(config-vpn[OfficeVPN])> network remote address-object "OfficeLAN"

7
Configure the IKE and IPSec proposals:

(config-vpn[OfficeVPN])> proposal ike main encr triple-des auth sha1 dh 2
lifetime 28800
(config-vpn[OfficeVPN])> proposal ipsec esp encr triple-des auth sha1 dh no
lifetime 28800

8
In the Advanced tab in the UI configuration, enable keepalive on the VPN policy:

(config-vpn[OfficeVPN])> advanced keepalive

9
To enable the VPN policy, use the command vpn enable [name]:

(config[NSA3600])> vpn enable "OfficeVPN"

10
Use the finished command to save the VPN policy and exit from the VPN configure mode:

(config-vpn[OfficeVPN])> finished
(config[NSA3600])>

The configuration is complete.

* 
NOTE: The command prompt goes back to the configure mode prompt.

Viewing a VPN Configuration

To view a list of all the configured VPN policies:

1
Type the command show vpn policy. The output is similar to the following:

(config[NSA3600])> show vpn policy

Policy: WAN GroupVPN (Disabled)
Key Mode: Pre-shared
Pre Shared Secret: DE65AD2228EED75A

Proposals:
IKE: Aggressive Mode, 3DES SHA, DH Group 2, 28800 seconds
IPSEC: ESP, 3DES SHA, No PFS, 28800 seconds

Advanced:
Allow NetBIOS OFF, Allow Multicast OFF
Management: HTTP OFF, HTTPS OFF
Lan Default GW: 0.0.0.0
Require XAUTH: ON, User Group: Trusted Users

Client:
Cache XAUTH Settings: Never
Virtual Adapter Settings: None
Allow Connections To: Split Tunnels
Set Default Route OFF, Apply VPN Access Control List OFF
Require GSC OFF
Use Default Key OFF

Policy: OfficeVPN (Enabled)
Key Mode: Pre-shared
Primary GW: 10.50.31.104
Secondary GW: 0.0.0.0
Pre Shared Secret: sonicwall

IKE ID:
Local: IP Address
Peer: IP Address

Network:
Local: LAN Primary Subnet
Remote: OfficeLAN

Proposals:
IKE: Main Mode, 3DES SHA, DH Group 2, 28800 seconds
IPSEC: ESP, 3DES SHA, No PFS, 28800 seconds

Advanced:
Keepalive ON, Add Auto-Rule ON, Allow NetBIOS OFF
Allow Multicast OFF
Management: HTTP ON, HTTPS ON
User Login: HTTP ON, HTTPS ON
Lan Default GW: 0.0.0.0
Require XAUTH: OFF
Bound To: Zone WAN

2
To view the configuration for a specific policy, specify the policy name in double quotes. For example:

(config[NSA3600])> show vpn policy "OfficeVPN"

The output is similar to the following:

Policy: OfficeVPN (Enabled)
Key Mode: Pre-shared
Primary GW: 10.50.31.104
Secondary GW: 0.0.0.0
Pre Shared Secret: sonicwall

IKE ID:
Local: IP Address
Peer: IP Address

Network:
Local: LAN Primary Subnet
Remote: OfficeLAN

Proposals:
IKE: Main Mode, 3DES SHA, DH Group 2, 28800 seconds
IPSEC: ESP, 3DES SHA, No PFS, 28800 seconds

Advanced:
Keepalive ON, Add Auto-Rule ON, Allow NetBIOS OFF
Allow Multicast OFF
Management: HTTP ON, HTTPS ON
User Login: HTTP ON, HTTPS ON
Lan Default GW: 0.0.0.0
Require XAUTH: OFF
Bound To: Zone WAN

3
Type the command show vpn sa [name] to see the active SA:

(config[NSA3600])> show vpn sa "OfficeVPN"

Policy: OfficeVPN
IKE SAs

GW: 10.50.31.150:500 --> 10.50.31.104:500
Main Mode, 3DES SHA, DH Group 2, Responder
Cookie: 0x0ac298b6328a670b (I), 0x28d5eec544c63690 (R)
Lifetime: 28800 seconds (28783 seconds remaining)

IPsec SAs

GW: 10.50.31.150:500 --> 10.50.31.104:500
(192.168.61.0 - 192.168.61.255) --> (192.168.15.0 - 192.168.15.255)
ESP, 3DES SHA, In SPI 0xed63174f, Out SPI 0x5092a0b2
Lifetime: 28800 seconds (28783 seconds remaining)