EdgeRouter - Site-to-Site VPN Behind NAT


Overview


Readers will learn how to configure a Site-to-Site VPN between two EdgeRouters, where one of the devices is located behind NAT.

NOTES & REQUIREMENTS:
Applicable to the latest EdgeOS firmware on all EdgeRouter models. Please see the Related Articles below for more information.
 
Device used in this article:

Table of Contents


  1. Network Diagram
  2. Configuring the Policy-Based VPN
  3. Adding Authentication IDs
  4. Related Articles

Network Diagram



The network topology is shown below and the following interfaces are in use on the EdgeRouters:

ER-L

  • eth0 (WAN) - 203.0.113.1
  • eth1 (LAN) - 192.168.1.1/24

ER-R

  • eth0 (WAN) - 10.0.0.2
  • eth1 (LAN) - 172.16.1.1/24

[Figure: topology.png, network diagram of ER-L, the ISP modem and ER-R]

ER-R is located behind the ISP modem and does not have its own routable public IP address.


Configuring the Policy-Based VPN



The first step is to set up the site-to-site VPN using the public IP address of ER-L (203.0.113.1) and the public IP address of the ISP modem in front of ER-R (192.0.2.1). On ER-R the local IP is left at 0.0.0.0, since ER-R has no public address of its own.

GUI: Access the Graphical User Interface (GUI) on ER-L.

1. Define the IPsec peer and hashing/encryption methods.

VPN > IPsec Site-to-Site > +Add Peer

  • Check: Show advanced options
  • Check: Automatically open firewall and exclude from NAT
Peer: 192.0.2.1
Description: ipsec
Local IP: 203.0.113.1
Encryption: AES-128
Hash: SHA1
DH Group: 14
Pre-shared Secret: <secret>
Local subnet: 192.168.1.0/24
Remote subnet: 172.16.1.0/24

2. Apply the changes.

GUI: Access the Graphical User Interface (GUI) on ER-R.

1. Define the IPsec peer and the hashing/encryption methods.

VPN > IPsec Site-to-Site > +Add Peer

  • Check: Show advanced options
  • Check: Automatically open firewall and exclude from NAT
Peer: 203.0.113.1
Description: ipsec
Local IP: 0.0.0.0
Encryption: AES-128
Hash: SHA1
DH Group: 14
Pre-shared Secret: <secret>
Local subnet: 172.16.1.0/24
Remote subnet: 192.168.1.0/24

2. Apply the changes.


Adding Authentication IDs



The next step is to add an authentication ID on either ER-L or ER-R. This is needed because, by default, ER-R identifies itself in IKE by its own WAN address (10.0.0.2), while ER-L expects the peer to identify itself by the address its packets arrive from (192.0.2.1); the identities do not match until one side is told otherwise. There are two options (apply one, not both):

  1. Set the private IP address of ER-R as the remote-id on ER-L.
  2. Set the public IP address of the modem as the (local) id on ER-R.

 

Option #1

CLI: Access the command line interface (CLI) on ER-L.

1. Enter configuration mode.

configure

2. Configure the remote-id on ER-L using the private IP address value of ER-R (10.0.0.2).

set vpn ipsec site-to-site peer 192.0.2.1 authentication remote-id 10.0.0.2

3. Commit the changes and save the configuration.

commit ; save

Option #2

CLI: Access the command line interface (CLI) on ER-R.

1. Enter configuration mode.

configure

2. Configure the id on ER-R using the public IP address value of the ISP modem (192.0.2.1).

set vpn ipsec site-to-site peer 203.0.113.1 authentication id 192.0.2.1

3. Commit the changes and save the configuration.

commit ; save
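To make the reason for the ID step concrete, here is an added consistency check (not EdgeOS code and not part of the original article) that models which IKE identity each router presents and which one its peer expects, using the addresses from this article. The fallback from a 0.0.0.0 local address to the interface address, and the default of expecting the configured peer address, are assumptions about EdgeOS's default behaviour; Peer, check_with_ids and the sample values are constructed for this example.

```python
from dataclasses import dataclass, replace
from typing import List, Optional

@dataclass
class Peer:
    name: str
    peer: str            # address this router is told to talk to
    local_address: str   # "0.0.0.0" on the side that sits behind NAT
    interface_ip: str    # real address on eth0 (the private one behind NAT)
    local_subnet: str
    remote_subnet: str
    ident: Optional[str] = None      # 'authentication id'
    remote_id: Optional[str] = None  # 'authentication remote-id'

def presented_id(p: Peer) -> str:
    # Without an explicit id, a router identifies itself by the address it
    # sends from; behind NAT that is the private address, not the modem's.
    if p.ident:
        return p.ident
    return p.interface_ip if p.local_address == "0.0.0.0" else p.local_address

def expected_id(p: Peer) -> str:
    # Without an explicit remote-id, the peer must identify itself by the
    # address it was configured as (where its packets arrive from).
    return p.remote_id or p.peer

def check_pair(a: Peer, b: Peer) -> List[str]:
    """Return the reasons this pair would not authenticate (empty = consistent)."""
    problems = []
    if a.local_subnet != b.remote_subnet or a.remote_subnet != b.local_subnet:
        problems.append("local/remote subnets are not mirrored")
    for me, other in ((a, b), (b, a)):
        if presented_id(other) != expected_id(me):
            problems.append(f"{me.name} expects ID {expected_id(me)} "
                            f"but {other.name} presents {presented_id(other)}")
    return problems

# Constructed sample: the two routers exactly as entered in the GUI steps above.
ER_L = Peer("ER-L", "192.0.2.1", "203.0.113.1", "203.0.113.1", "192.168.1.0/24", "172.16.1.0/24")
ER_R = Peer("ER-R", "203.0.113.1", "0.0.0.0", "10.0.0.2", "172.16.1.0/24", "192.168.1.0/24")

def check_with_ids(remote_id_on_l: Optional[str] = None, id_on_r: Optional[str] = None) -> List[str]:
    """Re-check after Option #1 (remote-id on ER-L) and/or Option #2 (id on ER-R)."""
    return check_pair(replace(ER_L, remote_id=remote_id_on_l), replace(ER_R, ident=id_on_r))

if __name__ == "__main__":
    print("no IDs:  ", check_with_ids())                            # one ID mismatch
    print("option 1:", check_with_ids(remote_id_on_l="10.0.0.2"))  # []
    print("option 2:", check_with_ids(id_on_r="192.0.2.1"))        # []
    print("both:    ", check_with_ids("10.0.0.2", "192.0.2.1"))     # mismatch again
```

Applying both options at once reintroduces the mismatch (ER-L then expects 10.0.0.2 while ER-R presents 192.0.2.1), which is why the article says to pick one.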

Related Articles



Intro to Networking - How to Establish a Connection Using SSH

EdgeRouter - Policy-Based Site-to-Site IPsec VPN

