EdgeRouter - Policy-Based Site-to-Site IPsec VPN


Overview


Readers will learn how to configure a Policy-Based Site-to-Site IPsec VPN between two EdgeRouters.

NOTES & REQUIREMENTS:
Applicable to the latest EdgeOS firmware on all EdgeRouter models. Knowledge of the Command Line Interface (CLI) and of basic networking is required. Please see the Related Articles below for more information.
 
Devices used in this article:

Table of Contents


  1. Frequently Asked Questions (FAQ)
  2. Network Diagram
  3. Policy-Based VPN
  4. Related Articles

FAQ



1. What site-to-site IPsec VPN types can be configured on EdgeOS?

The following IPsec VPN types can be configured on EdgeOS:

  • Policy-Based
  • Route-Based (VTI)
  • GRE over IPsec

2. What are the available encryption and hashing options (Security Associations / SAs) for Phase 1 (IKE) and Phase 2 (ESP)?

Encryption

  • AES128
  • AES256
  • AES128GCM128
  • AES256GCM128
  • 3DES

Hashing

  • MD5
  • SHA1
  • SHA2-256
  • SHA2-384
  • SHA2-512

Network Diagram



The network topology is shown below and the following interfaces are in use on the EdgeRouters:

ER-R

  • eth0 (WAN) - 203.0.113.1
  • eth1 (LAN) - 192.168.1.1/24

ER-L

  • eth0 (WAN) - 192.0.2.1
  • eth1 (LAN) - 172.16.1.1/24

[Figure: site-to-site policy-based VPN topology (site-to-site_policy-based_topology_new.png)]


Policy-Based VPN



For the purpose of this article, it is assumed that the routing and interface configurations are already in place and that reachability has been tested.

The ports and protocol that are relevant to IPsec are:

  • UDP 500 (IKE)
  • Protocol 50 (ESP)
  • UDP 4500 (NAT-T)

GUI: Access the Graphical User Interface (GUI) on ER-R.

1. Define the IPsec peer and hashing/encryption methods.

VPN > IPsec Site-to-Site > +Add Peer

  • Check: Show advanced options
  • Check: Automatically open firewall and exclude from NAT

Peer: 192.0.2.1
Description: ipsec
Local IP: 203.0.113.1
Encryption: AES-128
Hash: SHA1
DH Group: 14
Pre-shared Secret: <secret>
Local subnet: 192.168.1.0/24
Remote subnet: 172.16.1.0/24

2. Apply the changes.

GUI: Access the Graphical User Interface (GUI) on ER-L.

1. Define the IPsec peer and the hashing/encryption methods.

VPN > IPsec Site-to-Site > +Add Peer

  • Check: Show advanced options
  • Check: Automatically open firewall and exclude from NAT

Peer: 203.0.113.1
Description: ipsec
Local IP: 192.0.2.1
Encryption: AES-128
Hash: SHA1
DH Group: 14
Pre-shared Secret: <secret>
Local subnet: 172.16.1.0/24
Remote subnet: 192.168.1.0/24

2. Apply the changes.
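As an added example (not part of the original article or of EdgeOS), the following Python script checks that the two peer definitions above are exact mirror images with matching proposals, which is the usual reason a policy-based tunnel fails to negotiate; the dictionary layout is my own assumption and does not correspond to any EdgeOS file format.

```python
import ipaddress

# Peer definitions transcribed from the two GUI forms above (values from the article).
ER_R = {"peer": "192.0.2.1", "local_ip": "203.0.113.1", "encryption": "AES-128",
        "hash": "SHA1", "dh_group": 14, "psk": "<secret>",
        "local_subnet": "192.168.1.0/24", "remote_subnet": "172.16.1.0/24"}
ER_L = {"peer": "203.0.113.1", "local_ip": "192.0.2.1", "encryption": "AES-128",
        "hash": "SHA1", "dh_group": 14, "psk": "<secret>",
        "local_subnet": "172.16.1.0/24", "remote_subnet": "192.168.1.0/24"}

# Options EdgeOS still offers (see the FAQ above) that are legacy choices today.
LEGACY = {"MD5", "SHA1", "3DES"}

# Fields that must be identical on both ends, and fields that must be swapped.
MUST_MATCH = ("encryption", "hash", "dh_group", "psk")
MUST_MIRROR = (("peer", "local_ip"), ("local_ip", "peer"),
               ("local_subnet", "remote_subnet"), ("remote_subnet", "local_subnet"))


def check_peers(a, b):
    """Return a list of problems; an empty list means the two peers agree."""
    problems = []
    for key in MUST_MATCH:  # IKE/ESP proposals and the PSK must be the same on both sides
        if a[key] != b[key]:
            problems.append(f"{key} differs: {a[key]!r} vs {b[key]!r}")
    for mine, theirs in MUST_MIRROR:  # my peer is your local address, my local subnet is your remote
        if a[mine] != b[theirs]:
            problems.append(f"{mine}={a[mine]} should equal the other side's {theirs}={b[theirs]}")
    for side in (a, b):
        try:
            # strict=True rejects a prefix with host bits set, e.g. the LAN interface
            # address 192.168.1.1/24 typed where the network 192.168.1.0/24 was meant
            local = ipaddress.ip_network(side["local_subnet"], strict=True)
            remote = ipaddress.ip_network(side["remote_subnet"], strict=True)
            ipaddress.ip_address(side["peer"])
            ipaddress.ip_address(side["local_ip"])
        except ValueError as exc:
            problems.append(f"bad address or prefix: {exc}")
            continue
        if local.overlaps(remote):  # overlapping selectors cannot be matched by the policy
            problems.append(f"local {local} overlaps remote {remote}")
    return problems


def legacy_algorithms(cfg):
    """Names of legacy hash/encryption choices used in one peer definition."""
    return sorted(v for k, v in cfg.items()
                  if k in ("encryption", "hash") and v.upper() in LEGACY)


if __name__ == "__main__":
    print(check_peers(ER_R, ER_L) or "peers are consistent")
    print("legacy algorithms on ER-R:", legacy_algorithms(ER_R))
```

Run it after editing either peer; any line it prints names the field to correct before applying the changes.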


Related Articles

