EdgeRouter - Dynamic Site-to-Site IPsec VPN using FQDNs


Overview


Readers will learn how to configure a site-to-site VPN between two EdgeRouters that use dynamic public IP addresses.

NOTES & REQUIREMENTS:
Applicable to the latest EdgeOS firmware on all EdgeRouter models. Please see the Related Articles below for more information.
 
Devices used in this article:

Table of Contents


  1. Frequently Asked Questions (FAQ)
  2. Configuring a Policy-Based VPN using FQDNs
  3. Related Articles

FAQ



1. What site-to-site IPsec VPN types can be configured on EdgeOS?

The following IPsec VPN types can be configured on EdgeOS:

  • Policy-Based
  • Route-Based (VTI)
  • GRE over IPsec

2. What are the available encryption and hashing options (Security Associations / SAs) for Phase 1 (IKE) and Phase 2 (ESP)?

Encryption

  • AES128
  • AES256
  • AES128GCM128
  • AES256GCM128
  • 3DES

Hashing

  • MD5
  • SHA1
  • SHA2-256
  • SHA2-384
  • SHA2-512

Configuring a Policy-Based VPN using FQDNs



[Figure: topology.png]

The 192.168.1.0/24 and 172.16.1.0/24 networks will be allowed to communicate with each other over the VPN.


GUI: Access the EdgeRouter Web UI.

1. Define the IPsec peer and Security Associations (SAs) on ER-L (replace <secret> with your desired passphrase).

VPN > IPsec Site-to-Site > +Add Peer

  • Check: Show advanced options
  • Check: Automatically open firewall and exclude from NAT
Peer: er-r.ubnt.com
Description: ipsec
Local IP: 0.0.0.0
Encryption: AES-128
Hash: SHA1
DH Group: 14
Pre-shared Secret: <secret>
Local subnet: 192.168.1.0/24
Remote subnet: 172.16.1.0/24

2. Define the IPsec peer and Security Associations (SAs) on ER-R (replace <secret> with your desired passphrase).

VPN > IPsec Site-to-Site > +Add Peer

  • Check: Show advanced options
  • Check: Automatically open firewall and exclude from NAT
Peer: er-l.ubnt.com
Description: ipsec
Local IP: 0.0.0.0
Encryption: AES-128
Hash: SHA1
DH Group: 14
Pre-shared Secret: <secret>
Local subnet: 172.16.1.0/24
Remote subnet: 192.168.1.0/24

Depending on your setup, optionally add the following additional configuration:

CLI: Access the Command Line Interface on ER-L. You can do this using the CLI button in the GUI or by using a program such as PuTTY.

1. Use the dhcp-interface option instead of local-address, so the peer's local address follows the DHCP lease on eth0 rather than a fixed IP.

configure
delete vpn ipsec site-to-site peer er-r.ubnt.com local-address
set vpn ipsec site-to-site peer er-r.ubnt.com dhcp-interface eth0
commit ; save

2. Add local and remote authentication IDs, so that each side has a stable IKE identity that does not depend on its changing public IP.

configure
set vpn ipsec site-to-site peer er-r.ubnt.com authentication id @er-l.ubnt.com
set vpn ipsec site-to-site peer er-r.ubnt.com authentication remote-id @er-r.ubnt.com
commit ; save

3. Change from pre-shared secret to RSA key-based authentication. After generating the key pair, the local public key that must be pasted into the other router's rsa-key entry is displayed with show vpn ike rsa-keys.

generate vpn rsa-key

configure
set vpn rsa-keys local-key file /config/ipsec.d/rsa-keys/localhost.key
set vpn rsa-keys rsa-key-name er-r rsa-key <er-r public key>

delete vpn ipsec site-to-site peer er-r.ubnt.com authentication mode
delete vpn ipsec site-to-site peer er-r.ubnt.com authentication pre-shared-secret

set vpn ipsec site-to-site peer er-r.ubnt.com authentication mode rsa
set vpn ipsec site-to-site peer er-r.ubnt.com authentication rsa-key-name er-r
commit ; save

CLI: Access the Command Line Interface on ER-R.

1. Use the dhcp-interface option instead of local-address, so the peer's local address follows the DHCP lease on eth0 rather than a fixed IP.

configure
delete vpn ipsec site-to-site peer er-l.ubnt.com local-address
set vpn ipsec site-to-site peer er-l.ubnt.com dhcp-interface eth0
commit ; save

2. Add local and remote authentication IDs, so that each side has a stable IKE identity that does not depend on its changing public IP.

configure
set vpn ipsec site-to-site peer er-l.ubnt.com authentication id @er-r.ubnt.com
set vpn ipsec site-to-site peer er-l.ubnt.com authentication remote-id @er-l.ubnt.com
commit ; save

3. Change from pre-shared secret to RSA key-based authentication. After generating the key pair, the local public key that must be pasted into the other router's rsa-key entry is displayed with show vpn ike rsa-keys.

generate vpn rsa-key

configure
set vpn rsa-keys local-key file /config/ipsec.d/rsa-keys/localhost.key
set vpn rsa-keys rsa-key-name er-l rsa-key <er-l public key>

delete vpn ipsec site-to-site peer er-l.ubnt.com authentication mode
delete vpn ipsec site-to-site peer er-l.ubnt.com authentication pre-shared-secret

set vpn ipsec site-to-site peer er-l.ubnt.com authentication mode rsa
set vpn ipsec site-to-site peer er-l.ubnt.com authentication rsa-key-name er-l
commit ; save
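The ER-L and ER-R steps above must mirror each other exactly (each router names the other as peer, the id/remote-id values are swapped, and local/remote subnets are swapped); a single slip leaves IKE failing with little hint as to why. The following Python script is an added example, not part of this article or EdgeOS: it parses `set` lines in the form the steps above produce (the sample configurations are constructed from the article's FQDNs and subnets) and reports any asymmetry between the two routers' peer definitions.

```python
import re

# Constructed sample (not from the article): the `set` lines each router
# carries after the CLI steps above, using the article's FQDNs and subnets.
ER_L = """
set vpn ipsec site-to-site peer er-r.ubnt.com authentication id @er-l.ubnt.com
set vpn ipsec site-to-site peer er-r.ubnt.com authentication remote-id @er-r.ubnt.com
set vpn ipsec site-to-site peer er-r.ubnt.com authentication mode pre-shared-secret
set vpn ipsec site-to-site peer er-r.ubnt.com tunnel 1 local prefix 192.168.1.0/24
set vpn ipsec site-to-site peer er-r.ubnt.com tunnel 1 remote prefix 172.16.1.0/24
"""
ER_R = """
set vpn ipsec site-to-site peer er-l.ubnt.com authentication id @er-r.ubnt.com
set vpn ipsec site-to-site peer er-l.ubnt.com authentication remote-id @er-l.ubnt.com
set vpn ipsec site-to-site peer er-l.ubnt.com authentication mode pre-shared-secret
set vpn ipsec site-to-site peer er-l.ubnt.com tunnel 1 local prefix 172.16.1.0/24
set vpn ipsec site-to-site peer er-l.ubnt.com tunnel 1 remote prefix 192.168.1.0/24
"""

PEER_RE = re.compile(r"^set vpn ipsec site-to-site peer (\S+) (.+)$")

def parse_peers(config_text):
    """Map peer FQDN -> the settings the symmetry check cares about."""
    peers = {}
    for line in config_text.strip().splitlines():
        m = PEER_RE.match(line.strip())
        if not m:
            continue
        peer, words = m.group(1), m.group(2).split()
        p = peers.setdefault(peer, {})
        if words[0] == "authentication" and len(words) == 3:   # id / remote-id / mode
            p[words[1]] = words[2]
        elif len(words) >= 3 and words[-2] == "prefix":         # tunnel N local|remote prefix X
            p[words[-3]] = words[-1]
    return peers

def check_pair(cfg_a, fqdn_a, cfg_b, fqdn_b):
    """Return mismatches between router A (own FQDN fqdn_a) and router B (fqdn_b).
    Each side must name the other as its peer, with ids and subnets mirrored."""
    a = parse_peers(cfg_a).get(fqdn_b)
    b = parse_peers(cfg_b).get(fqdn_a)
    if a is None or b is None:
        missing = fqdn_a if a is None else fqdn_b
        return [f"{missing} has no peer entry for the other router"]
    problems = []
    for ka, kb in (("id", "remote-id"), ("remote-id", "id"), ("local", "remote"),
                   ("remote", "local"), ("mode", "mode")):
        if a.get(ka) != b.get(kb):
            problems.append(f"{fqdn_a} {ka}={a.get(ka)} vs {fqdn_b} {kb}={b.get(kb)}")
    return problems
```

Run `check_pair(ER_L, "er-l.ubnt.com", ER_R, "er-r.ubnt.com")` against the `set` output of `show configuration commands` from each router; an empty list means the two peer definitions are consistent.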

Related Articles



EdgeRouter - Policy-Based IPsec Site-to-Site VPN

EdgeRouter - Route-Based IPsec Site-to-Site VPN

Intro to Networking - How to Establish a Connection Using SSH

