EdgeRouter - Policy-Based Site-to-Site IPsec VPN


Overview


Readers will learn how to configure a Policy-Based Site-to-Site IPsec VPN on an EdgeRouter.

NOTES & REQUIREMENTS:
Applicable to the latest EdgeOS firmware on all EdgeRouter models. Please see the Related Articles below for more information.
 
Device used in this article:

Table of Contents


  1. Frequently Asked Questions (FAQ)
  2. Configuring a Policy-Based VPN
  3. Related Articles

Frequently Asked Questions (FAQ)


Back to Top

1. What Site-to-Site IPsec VPN types can be configured on EdgeOS?

The following IPsec VPN types can be configured on EdgeOS:

  • Policy-Based
  • Route-Based (VTI)
  • GRE over IPsec
2. What are the available encryption and hashing options for IKE and ESP?

Encryption

  • AES128
  • AES256
  • AES128GCM128
  • AES256GCM128
  • 3DES

Hashing

  • MD5
  • SHA1
  • SHA2-256
  • SHA2-384
  • SHA2-512

Setting up a Policy-Based VPN


Back to Top

topology.png

The 192.168.1.0/24 and 172.16.1.0/24 networks will be allowed to communicate with each other over the VPN.


Follow the steps below to configure the Policy-Based Site-to-Site IPsec VPN on both EdgeRouters:

GUI: Access the Web UI on ER-L.

1. Define the IPsec peer and hashing/encryption methods.

VPN > IPsec Site-to-Site > +Add Peer

  • Check: Show advanced options
  • Check: Automatically open firewall and exclude from NAT
Peer: 192.0.2.1
Description: ipsec
Local IP: 203.0.113.1
Encryption: AES-128
Hash: SHA1
DH Group: 14
Pre-shared Secret: <secret>
Local subnet: 192.168.1.0/24
Remote subnet: 172.16.1.0/24

2. Apply the changes.


GUI: Access the Web UI on ER-R.

1. Define the IPsec peer and the hashing/encryption methods.

VPN > IPsec Site-to-Site > +Add Peer

  • Check: Show advanced options
  • Check: Automatically open firewall and exclude from NAT
Peer: 203.0.113.1
Description: ipsec
Local IP: 192.0.2.1
Encryption: AES-128
Hash: SHA1
DH Group: 14
Pre-shared Secret: <secret>
Local subnet: 172.16.1.0/24
Remote subnet: 192.168.1.0/24

2. Apply the changes.

NOTE: There is more information on the 'Automatic Firewall/NAT'  feature in the Modifying the Default IPsec Site-to-Site VPN article.

Related Articles


Back to Top

EdgeRouter - Modifying the Default IPsec Site-to-Site VPN

EdgeRouter - Dynamic Site-to-Site IPsec VPN using FQDNs

EdgeRouter - Route-Based Site-to-Site IPsec VPN

Intro to Networking - How to Establish a Connection Using SSH


We're sorry to hear that!