How to Configure Site-to-Site IPsec VPN on Ubiquiti EdgeRouter
by Kamoltorn Theppunya
[Figure: Site-to-Site IPsec VPN on Ubiquiti EdgeRouter network topology]
Site A
configure
set vpn ipsec esp-group SiteA
set vpn ipsec esp-group SiteA mode tunnel
set vpn ipsec esp-group SiteA pfs enable
set vpn ipsec esp-group SiteA proposal 1
set vpn ipsec esp-group SiteA proposal 1 encryption aes
set vpn ipsec esp-group SiteA proposal 1 hash sha1
set vpn ipsec esp-group SiteA lifetime 86400
set vpn ipsec esp-group SiteA compression disable
set vpn ipsec ike-group SiteA dead-peer-detection action restart
set vpn ipsec ike-group SiteA dead-peer-detection interval 30
set vpn ipsec ike-group SiteA dead-peer-detection timeout 60
set vpn ipsec ike-group SiteA proposal 1
set vpn ipsec ike-group SiteA proposal 1 encryption aes
set vpn ipsec ike-group SiteA proposal 1 hash sha1
set vpn ipsec ike-group SiteA lifetime 86400
set vpn ipsec ike-group SiteA key-exchange ikev1
set vpn ipsec ike-group SiteA proposal 1 dh-group 2
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec auto-firewall-nat-exclude enable
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec site-to-site peer 77.77.77.xx
set vpn ipsec site-to-site peer 77.77.77.xx connection-type initiate
set vpn ipsec site-to-site peer 77.77.77.xx authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 77.77.77.xx authentication pre-shared-secret SuperSecureXXXX
set vpn ipsec site-to-site peer 77.77.77.xx ike-group SiteA
set vpn ipsec site-to-site peer 77.77.77.xx local-address 66.66.66.xx
set vpn ipsec site-to-site peer 77.77.77.xx tunnel 1
set vpn ipsec site-to-site peer 77.77.77.xx tunnel 1 esp-group SiteA
set vpn ipsec site-to-site peer 77.77.77.xx tunnel 1 local prefix 10.10.10.0/24
set vpn ipsec site-to-site peer 77.77.77.xx tunnel 1 remote prefix 10.10.20.0/24
set vpn ipsec site-to-site peer 77.77.77.xx tunnel 1 allow-nat-networks disable
set vpn ipsec site-to-site peer 77.77.77.xx tunnel 1 allow-public-networks disable
set vpn ipsec nat-traversal enable
commit
save
Site B
configure
set vpn ipsec esp-group SiteB
set vpn ipsec esp-group SiteB mode tunnel
set vpn ipsec esp-group SiteB pfs enable
set vpn ipsec esp-group SiteB proposal 1
set vpn ipsec esp-group SiteB proposal 1 encryption aes
set vpn ipsec esp-group SiteB proposal 1 hash sha1
set vpn ipsec esp-group SiteB lifetime 86400
set vpn ipsec esp-group SiteB compression disable
set vpn ipsec ike-group SiteB dead-peer-detection action restart
set vpn ipsec ike-group SiteB dead-peer-detection interval 30
set vpn ipsec ike-group SiteB dead-peer-detection timeout 60
set vpn ipsec ike-group SiteB proposal 1
set vpn ipsec ike-group SiteB proposal 1 encryption aes
set vpn ipsec ike-group SiteB proposal 1 hash sha1
set vpn ipsec ike-group SiteB lifetime 86400
set vpn ipsec ike-group SiteB key-exchange ikev1
set vpn ipsec ike-group SiteB proposal 1 dh-group 2
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec auto-firewall-nat-exclude enable
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec site-to-site peer 66.66.66.xx
set vpn ipsec site-to-site peer 66.66.66.xx connection-type initiate
set vpn ipsec site-to-site peer 66.66.66.xx authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 66.66.66.xx authentication pre-shared-secret SuperSecureXXXX
set vpn ipsec site-to-site peer 66.66.66.xx ike-group SiteB
set vpn ipsec site-to-site peer 66.66.66.xx local-address 77.77.77.xx
set vpn ipsec site-to-site peer 66.66.66.xx tunnel 1
set vpn ipsec site-to-site peer 66.66.66.xx tunnel 1 esp-group SiteB
set vpn ipsec site-to-site peer 66.66.66.xx tunnel 1 local prefix 10.10.20.0/24
set vpn ipsec site-to-site peer 66.66.66.xx tunnel 1 remote prefix 10.10.10.0/24
set vpn ipsec site-to-site peer 66.66.66.xx tunnel 1 allow-nat-networks disable
set vpn ipsec site-to-site peer 66.66.66.xx tunnel 1 allow-public-networks disable
set vpn ipsec nat-traversal enable
commit
save
Check List
- Create a NAT masquerade rule for LAN to WAN (outbound interface eth0).
- Exclude the IPsec traffic (local prefix to remote prefix) from that LAN to WAN masquerade rule:
  - Site A: exclude traffic destined for 10.10.20.0/24
  - Site B: exclude traffic destined for 10.10.10.0/24
- Configure the firewall to allow IKE and ESP from WAN to the router itself (local).
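The check list asks for rules that the command sets above do not show, and a mistake on either end (swapped prefixes, a mistyped secret, a proposal that differs between sites) only surfaces as a failed negotiation. The following script is an added example, not part of the original post: it parses the Site A and Site B `set vpn ipsec` lines (embedded as constructed input using the post's 66.66.66.xx / 77.77.77.xx placeholder addresses), confirms the two ends mirror each other, warns about dh-group 2, sha1 and IKEv1, and prints the NAT-exclusion and WAN-to-local firewall commands the check list calls for. The NAT rule number 5000, the firewall rule numbers 30/40 and the ruleset name WAN_LOCAL are assumptions about your existing ruleset; with auto-firewall-nat-exclude enabled, as in the configs above, EdgeOS generates equivalent rules itself, so the printed commands serve the explicit variant or a comparison against the generated ones.

```python
"""Review helper for the Site A / Site B configs above (added example, not from the post).

Parses both sites' `set vpn ipsec ...` lines, checks that the two ends mirror each
other, flags weak parameters and prints the check-list NAT-exclusion and firewall
commands. Rule numbers 5000/30/40 and the ruleset name WAN_LOCAL are assumptions.
"""

# Constructed input: the post's command sets trimmed to the lines this checker reads.
SITE_A = """
set vpn ipsec esp-group SiteA pfs enable
set vpn ipsec esp-group SiteA proposal 1 hash sha1
set vpn ipsec ike-group SiteA proposal 1 hash sha1
set vpn ipsec ike-group SiteA key-exchange ikev1
set vpn ipsec ike-group SiteA proposal 1 dh-group 2
set vpn ipsec auto-firewall-nat-exclude enable
set vpn ipsec site-to-site peer 77.77.77.xx authentication pre-shared-secret SuperSecureXXXX
set vpn ipsec site-to-site peer 77.77.77.xx local-address 66.66.66.xx
set vpn ipsec site-to-site peer 77.77.77.xx tunnel 1 local prefix 10.10.10.0/24
set vpn ipsec site-to-site peer 77.77.77.xx tunnel 1 remote prefix 10.10.20.0/24
"""
SITE_B = """
set vpn ipsec esp-group SiteB pfs enable
set vpn ipsec esp-group SiteB proposal 1 hash sha1
set vpn ipsec ike-group SiteB proposal 1 hash sha1
set vpn ipsec ike-group SiteB key-exchange ikev1
set vpn ipsec ike-group SiteB proposal 1 dh-group 2
set vpn ipsec auto-firewall-nat-exclude enable
set vpn ipsec site-to-site peer 66.66.66.xx authentication pre-shared-secret SuperSecureXXXX
set vpn ipsec site-to-site peer 66.66.66.xx local-address 77.77.77.xx
set vpn ipsec site-to-site peer 66.66.66.xx tunnel 1 local prefix 10.10.20.0/24
set vpn ipsec site-to-site peer 66.66.66.xx tunnel 1 remote prefix 10.10.10.0/24
"""


def parse_site(cfg: str) -> dict:
    """Pull the tunnel-relevant values out of one site's `set vpn ipsec` lines."""
    s = {"ike": {}, "esp": {}, "auto_exclude": False}
    for line in cfg.strip().splitlines():
        t = line.split()
        if t[:3] != ["set", "vpn", "ipsec"]:
            continue
        t = t[3:]                                   # drop 'set vpn ipsec'
        if t[2:3] == ["proposal"] and len(t) == 6:  # <ike|esp>-group NAME proposal N KEY VALUE
            s[t[0][:3]][t[4]] = t[5]
        elif t[2:3] == ["key-exchange"]:
            s["key_exchange"] = t[3]
        elif t[2:3] == ["pfs"]:
            s["pfs"] = t[3]
        elif t[0] == "auto-firewall-nat-exclude":
            s["auto_exclude"] = t[1] == "enable"
        elif t[:2] == ["site-to-site", "peer"]:
            s["peer"], rest = t[2], t[3:]
            if rest[:2] == ["authentication", "pre-shared-secret"]:
                s["psk"] = rest[2]
            elif rest[:1] == ["local-address"]:
                s["local_address"] = rest[1]
            elif rest[:1] == ["tunnel"] and rest[3:4] == ["prefix"]:
                s[rest[2] + "_prefix"] = rest[4]    # local_prefix / remote_prefix
    return s


def check_pair(a: dict, b: dict) -> list:
    """Mismatches that would stop the two ends from agreeing on the same SA."""
    problems = []
    if (a.get("peer"), a.get("local_address")) != (b.get("local_address"), b.get("peer")):
        problems.append("peer / local-address are not mirrored")
    if (a.get("local_prefix"), a.get("remote_prefix")) != (b.get("remote_prefix"), b.get("local_prefix")):
        problems.append("tunnel local/remote prefixes are not mirrored")
    if a.get("psk") != b.get("psk"):
        problems.append("pre-shared secrets differ")
    problems += [f"{k} settings differ" for k in ("ike", "esp", "key_exchange", "pfs") if a.get(k) != b.get(k)]
    return problems


def weak_parameters(site: dict) -> list:
    """Settings a reviewer would want replaced before this goes to production."""
    warn = []
    if site["ike"].get("dh-group") in ("1", "2"):
        warn.append(f"IKE dh-group {site['ike']['dh-group']} is a 768/1024-bit MODP group; use 14 or higher")
    for grp in ("ike", "esp"):
        if site[grp].get("hash") in ("md5", "sha1"):
            warn.append(f"{grp} hash {site[grp]['hash']}; prefer sha256")
    if site.get("key_exchange") == "ikev1":
        warn.append("key-exchange ikev1; prefer ikev2 when both ends support it")
    return warn


def checklist_commands(site: dict, wan_if: str = "eth0") -> list:
    """EdgeOS commands for the check-list items, derived from the parsed site."""
    loc, rem, peer = site["local_prefix"], site["remote_prefix"], site["peer"]
    nat, fw = "set service nat rule 5000", "set firewall name WAN_LOCAL rule"  # assumed number / name
    return [f"{nat} exclude", f"{nat} type masquerade", f"{nat} outbound-interface {wan_if}",
            f"{nat} source address {loc}", f"{nat} destination address {rem}",
            f"{fw} 30 action accept", f"{fw} 30 protocol udp",
            f"{fw} 30 destination port 500,4500", f"{fw} 30 source address {peer}",
            f"{fw} 40 action accept", f"{fw} 40 protocol esp", f"{fw} 40 source address {peer}"]


if __name__ == "__main__":
    a, b = parse_site(SITE_A), parse_site(SITE_B)
    print("mismatches:", check_pair(a, b) or "none")
    for name, site in (("Site A", a), ("Site B", b)):
        print(f"== {name} ==")
        print("\n".join("  warning: " + w for w in weak_parameters(site)))
        print("\n".join("  " + c for c in checklist_commands(site)))
```

Run it with python3 on a workstation before committing on the routers; the NAT exclude rule must sort before the masquerade rule it exempts traffic from, so pick a lower rule number than your existing masquerade rule.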