EdgeRouter - Site-to-Site IPsec VPN to USG


Readers will learn how to configure a Policy-Based Site-to-Site IPsec VPN between an EdgeRouter and a USG.

Applicable to the latest EdgeOS firmware on all EdgeRouter models. Knowledge of the Command Line Interface (CLI) and basic networking knowledge is required. Please see the Related Articles below for more information.
Devices used in this article:

Table of Contents

  1. Frequently Asked Questions (FAQ)
  2. Network Diagram
  3. IPsec VPN
  4. Related Articles


Frequently Asked Questions (FAQ)

1. What site-to-site IPsec VPN types can be configured on EdgeOS?

The following IPsec VPN types can be configured on EdgeOS:

  • Policy-Based
  • Route-Based (VTI)
  • GRE over IPsec
2. What are the available encryption and hashing options (Security Associations / SAs) for Phase 1 (IKE) and Phase 2 (ESP)?

Encryption:

  • AES128
  • AES256
  • AES128GCM128
  • AES256GCM128
  • 3DES

Hash:

  • MD5
  • SHA1
  • SHA2-256
  • SHA2-384
  • SHA2-512

3DES, MD5 and SHA1 are kept for interoperability with legacy peers only. Where both ends support it, prefer AES-GCM or AES with SHA2-256 or stronger, with DH group 14 or higher. Whatever is chosen, the Phase 1 and Phase 2 proposals must be identical on both peers or the tunnel will not negotiate.

Network Diagram


The network topology is shown below and the following interfaces are in use on the EdgeRouter and the USG:

EdgeRouter:

  • eth0 (WAN) -
  • eth1 (LAN) -

USG:

  • eth0 (WAN) -
  • eth1 (LAN) -



IPsec VPN

For the purpose of this article, it is assumed that the routing and interface configurations are already in place and that reachability has been tested.

The following ports and protocols are used by IPsec and must be permitted on the WAN (local) firewall of both peers and on any firewall in between:

  • UDP 500 (IKE)
  • Protocol 50 (ESP)
  • UDP 4500 (NAT-T, used instead of raw ESP when a NAT device is detected between the peers)
GUI: Access the Graphical User Interface (GUI) on the EdgeRouter.

1. Define the IPsec peer and hashing/encryption methods.

VPN > IPsec Site-to-Site > +Add Peer

  • Check: Show advanced options
  • Check: Automatically open firewall and exclude from NAT
Description: ipsec
Local IP:
Encryption: AES-128
Hash: SHA1
DH Group: 14
Pre-shared Secret: <secret>
Local subnet:
Remote subnet:

2. Apply the changes.


GUI: Access the UniFi Controller.

1. Create a new IPsec network using a custom profile.

Settings > Networks > +Create New Network

Name: ipsec
Purpose: Site-to-Site VPN
VPN Type: IPsec VPN
Enabled: Enable this Site-to-Site VPN
Remote Subnets:
Peer IP:
Local WAN IP:
Pre-Shared Key: <secret>
IPsec Profile: Customized

Expand (+) Advanced Options

Key Exchange Version: IKEv1
Encryption: AES-128
DH Group: 14
PFS: Enable Perfect Forward Secrecy / Check
Dynamic Routing: Disable / Uncheck
NOTE: The USG uses all of its corporate networks as the local subnets (identifiers / traffic selectors) for the IPsec connection. The Remote subnet entered on the EdgeRouter must therefore match the USG corporate network it is meant to reach.

2. Apply the changes.

Related Articles


EdgeRouter - Dynamic Site-to-Site IPsec VPN using FQDNs

EdgeRouter - Route-Based Site-to-Site IPsec VPN

EdgeRouter - Policy-Based Site-to-Site IPsec VPN

Intro to Networking - How to Establish a Connection Using SSH
