EdgeRouter - Dynamic Site-to-Site IPsec VPN using FQDNs


Overview


Readers will learn how to configure a site-to-site VPN between two EdgeRouters that use dynamic public IP addresses.

NOTES & REQUIREMENTS:
Applicable to the latest EdgeOS firmware on all EdgeRouter models. Knowledge of the Command Line Interface (CLI) and basic networking knowledge is required. Please see the Related Articles below for more information and see the attachments for the configuration used in this article.
 
Devices used in this article:

Table of Contents


  1. Network Diagram
  2. Policy-Based VPN using FQDNs
  3. Related Articles

Network Diagram



The network topology is shown below and the following interfaces are in use on the EdgeRouters:

ER-R

  • eth0 (WAN) - 203.0.113.1 / er-r.ubnt.com
  • eth1 (LAN) - 192.168.1.1/24

ER-L

  • eth0 (WAN) - 192.0.2.1 / er-l.ubnt.com
  • eth1 (LAN) - 172.16.1.1/24

[Figure: dynamic site-to-site VPN topology between ER-R and ER-L]


Policy-Based VPN using FQDNs



For the purpose of this article, it is assumed that the routing and interface configurations are already in place and that reachability has been tested.

GUI: Access the Graphical User Interface (GUI).

1. Define the IPsec peer and Security Associations (SAs) on ER-R (replace <secret> with your desired passphrase).

VPN > IPsec Site-to-Site > +Add Peer

  • Show advanced options
  • Automatically open firewall and exclude from NAT
Peer: er-l.ubnt.com
Description: ipsec
Local IP: 0.0.0.0
Encryption: AES-128
Hash: SHA1
DH Group: 14
Pre-shared Secret: <secret>
Local subnet: 192.168.1.0/24
Remote subnet: 172.16.1.0/24

2. Define the IPsec peer and Security Associations (SAs) on ER-L (replace <secret> with your desired passphrase).

VPN > IPsec Site-to-Site > +Add Peer

  • Show advanced options
  • Automatically open firewall and exclude from NAT
Peer: er-r.ubnt.com
Description: ipsec
Local IP: 0.0.0.0
Encryption: AES-128
Hash: SHA1
DH Group: 14
Pre-shared Secret: <secret>
Local subnet: 172.16.1.0/24
Remote subnet: 192.168.1.0/24

 

Optionally add the following additional configuration through the Command Line Interface (CLI). The commands below are entered on ER-R (its peer is er-l.ubnt.com); apply the mirrored equivalents on ER-L.

CLI: Access the command line interface (CLI). You can do this using the CLI button in the GUI or by using a program such as PuTTY.

1. Use the dhcp-interface command instead of local-address 0.0.0.0, so that the peer binds to whatever address eth0 currently receives from the ISP.

delete vpn ipsec site-to-site peer er-l.ubnt.com local-address
set vpn ipsec site-to-site peer er-l.ubnt.com dhcp-interface eth0

2. Add local and remote authentication IDs. Because both public IP addresses change, the peers identify each other by these FQDN-based IDs rather than by address.

set vpn ipsec site-to-site peer er-l.ubnt.com authentication id @er-r.ubnt.com
set vpn ipsec site-to-site peer er-l.ubnt.com authentication remote-id @er-l.ubnt.com

3. Change from pre-shared key to certificate-based authentication.

generate vpn rsa-key

configure
set vpn rsa-keys local-key file /config/ipsec.d/rsa-keys/localhost.key
set vpn rsa-keys rsa-key-name er-l rsa-key <er-l public key>

delete vpn ipsec site-to-site peer er-l.ubnt.com authentication mode
delete vpn ipsec site-to-site peer er-l.ubnt.com authentication pre-shared-secret

set vpn ipsec site-to-site peer er-l.ubnt.com authentication mode rsa
set vpn ipsec site-to-site peer er-l.ubnt.com authentication rsa-key-name er-l
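Most failures in a dynamic site-to-site setup come from the two routers not mirroring each other (swapped subnets, an id that does not match the other side's remote-id, or a fixed local-address on a dynamic WAN). The check below is an added example, not part of this article or of EdgeOS: it parses the peer `set` lines as `show configuration commands` prints them on each router and reports any setting that does not line up. The sample lines are constructed from the values used in this article and assume one peer per router.

```python
import re
# Constructed sample input: the ER-R and ER-L peer settings from this article,
# in the form 'show configuration commands' prints them on EdgeOS.
ER_R = """\
set vpn ipsec site-to-site peer er-l.ubnt.com authentication id @er-r.ubnt.com
set vpn ipsec site-to-site peer er-l.ubnt.com authentication remote-id @er-l.ubnt.com
set vpn ipsec site-to-site peer er-l.ubnt.com authentication mode rsa
set vpn ipsec site-to-site peer er-l.ubnt.com dhcp-interface eth0
set vpn ipsec site-to-site peer er-l.ubnt.com tunnel 1 local prefix 192.168.1.0/24
set vpn ipsec site-to-site peer er-l.ubnt.com tunnel 1 remote prefix 172.16.1.0/24
"""
ER_L = """\
set vpn ipsec site-to-site peer er-r.ubnt.com authentication id @er-l.ubnt.com
set vpn ipsec site-to-site peer er-r.ubnt.com authentication remote-id @er-r.ubnt.com
set vpn ipsec site-to-site peer er-r.ubnt.com authentication mode rsa
set vpn ipsec site-to-site peer er-r.ubnt.com dhcp-interface eth0
set vpn ipsec site-to-site peer er-r.ubnt.com tunnel 1 local prefix 172.16.1.0/24
set vpn ipsec site-to-site peer er-r.ubnt.com tunnel 1 remote prefix 192.168.1.0/24
"""
PEER_RE = re.compile(r"^set vpn ipsec site-to-site peer (\S+) (.+) (\S+)$")

def parse_peer(text):
    """Return (peer FQDN, {setting: value}) from one router's set lines (one peer assumed)."""
    peer, settings = None, {}
    for line in text.splitlines():
        m = PEER_RE.match(line.strip())
        if m:
            peer, key, value = m.groups()
            settings[key] = value
    return peer, settings

def mirror_errors(side_a, side_b):
    """Cross-check the two routers' peer configs; an empty list means they mirror."""
    (pa, sa), (pb, sb) = parse_peer(side_a), parse_peer(side_b)
    errs = []
    # The name each side dials must be the FQDN the other side presents as its id.
    if sb.get("authentication id") != f"@{pa}" or sa.get("authentication id") != f"@{pb}":
        errs.append("peer name and authentication id do not match across sides")
    # Settings that must agree when read crosswise (one side's local is the other's remote).
    crosswise = {"authentication id": "authentication remote-id",
                 "tunnel 1 local prefix": "tunnel 1 remote prefix",
                 "authentication mode": "authentication mode"}
    for ka, kb in crosswise.items():
        if sa.get(ka) != sb.get(kb) or sb.get(ka) != sa.get(kb):
            errs.append(f"{ka}/{kb} differ: A={sa.get(ka)},{sa.get(kb)} B={sb.get(ka)},{sb.get(kb)}")
    # A dynamic WAN address must be taken from dhcp-interface or local-address 0.0.0.0.
    for name, s in (("A", sa), ("B", sb)):
        if "dhcp-interface" not in s and s.get("local-address") != "0.0.0.0":
            errs.append(f"{name}: set dhcp-interface or local-address 0.0.0.0")
    return errs
```

Paste each router's own output in place of the sample strings; an empty result from mirror_errors means the two peer blocks agree.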

Related Articles



EdgeRouter - Policy-Based IPsec Site-to-Site VPN

EdgeRouter - Route-Based IPsec Site-to-Site VPN

EdgeRouter - Hardware Offloading

Intro to Networking - How to Establish a Connection Using SSH
