EdgeRouter - Site-to-Site VPN Behind NAT


Overview


Readers will learn how to configure a Site-to-Site VPN between two EdgeRouters, where one of the devices is located behind NAT.

NOTES & REQUIREMENTS:
Applicable to the latest EdgeOS firmware on all EdgeRouter models. Please see the Related Articles below for more information.
 
Device used in this article:

Table of Contents


  1. Configuring the Policy-Based VPN
  2. Adding Authentication IDs
  3. Related Articles

Configuring the Policy-Based VPN


Figure: topology.png (network diagram for this article)

ER-R is located behind the ISP modem and does not have its own routable public IP address.


Follow the steps below to configure the Policy-Based Site-to-Site IPsec VPN on both EdgeRouters:

GUI: Access the Web UI on ER-L.

1. Define the IPsec peer and hashing/encryption methods.

VPN > IPsec Site-to-Site > +Add Peer

  • Check: Show advanced options
  • Check: Automatically open firewall and exclude from NAT
Peer: 192.0.2.1
Description: ipsec
Local IP: 203.0.113.1
Encryption: AES-128
Hash: SHA1
DH Group: 14
Pre-shared Secret: <secret>
Local subnet: 192.168.1.0/24
Remote subnet: 172.16.1.0/24

2. Apply the changes.


GUI: Access the Web UI on ER-R.

1. Define the IPsec peer and the hashing/encryption methods.

VPN > IPsec Site-to-Site > +Add Peer

  • Check: Show advanced options
  • Check: Automatically open firewall and exclude from NAT
Peer: 203.0.113.1
Description: ipsec
Local IP: 0.0.0.0
Encryption: AES-128
Hash: SHA1
DH Group: 14
Pre-shared Secret: <secret>
Local subnet: 172.16.1.0/24
Remote subnet: 192.168.1.0/24

2. Apply the changes.


Adding Authentication IDs


The next step is to add an IPsec authentication ID on either ER-L or ER-R. This setting determines which identity each peer presents, and which identity it expects from the other side, during IKE authentication. Unless an ID is configured, an EdgeRouter identifies itself by its own IP address and expects the configured peer address as the remote identity. Because ER-R is located behind a modem performing NAT, traffic leaving ER-R's WAN address (10.0.0.2) arrives at ER-L with the source address 192.0.2.1: ER-L therefore expects the identity 192.0.2.1 but receives 10.0.0.2, and authentication fails. Choose either of the two following options (not both, since they would again disagree) to bring the IPsec authentication IDs into agreement:

Set the private IP address (10.0.0.2) of ER-R as the remote Authentication ID on ER-L.

CLI: Access the Command Line Interface on ER-L.

1. Enter configuration mode.

configure

2. Configure the remote-id on ER-L using the private IP address value of ER-R (10.0.0.2).

set vpn ipsec site-to-site peer 192.0.2.1 authentication remote-id 10.0.0.2

3. Commit the changes and save the configuration.

commit ; save

Set the public IP address (192.0.2.1) of the modem as the local Authentication ID on ER-R.

CLI: Access the Command Line Interface on ER-R.

1. Enter configuration mode.

configure

2. Configure the (local) id on ER-R using the public IP address value of the ISP modem (192.0.2.1).

set vpn ipsec site-to-site peer 203.0.113.1 authentication id 192.0.2.1

3. Commit the changes and save the configuration.

commit ; save
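The GUI steps from the previous section and the authentication ID command above, collapsed into one CLI configuration per router. This is an added example, not part of the original article or Ubiquiti's own CLI walkthrough. The addresses, prefixes, cipher settings and the remote-id value follow the article; the group name FOO0, the IKE/ESP lifetimes and the <secret> placeholder are assumptions, and lines starting with `#` are annotations, not CLI input.

```text
# ER-L: public WAN address 203.0.113.1.
configure
set vpn ipsec auto-firewall-nat-exclude enable
set vpn ipsec ike-group FOO0 key-exchange ikev1
set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 14
set vpn ipsec ike-group FOO0 proposal 1 encryption aes128
set vpn ipsec ike-group FOO0 proposal 1 hash sha1
set vpn ipsec esp-group FOO0 lifetime 3600
set vpn ipsec esp-group FOO0 pfs enable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash sha1
set vpn ipsec site-to-site peer 192.0.2.1 description ipsec
set vpn ipsec site-to-site peer 192.0.2.1 local-address 203.0.113.1
set vpn ipsec site-to-site peer 192.0.2.1 ike-group FOO0
set vpn ipsec site-to-site peer 192.0.2.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 192.0.2.1 authentication pre-shared-secret <secret>
# Option 1 from the article: accept ER-R's private WAN address as its IKE identity.
set vpn ipsec site-to-site peer 192.0.2.1 authentication remote-id 10.0.0.2
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 esp-group FOO0
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 local prefix 192.168.1.0/24
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 remote prefix 172.16.1.0/24
commit ; save ; exit

# ER-R: behind the modem, WAN address 10.0.0.2, seen by ER-L as 192.0.2.1.
configure
set vpn ipsec auto-firewall-nat-exclude enable
set vpn ipsec ike-group FOO0 key-exchange ikev1
set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 14
set vpn ipsec ike-group FOO0 proposal 1 encryption aes128
set vpn ipsec ike-group FOO0 proposal 1 hash sha1
set vpn ipsec esp-group FOO0 lifetime 3600
set vpn ipsec esp-group FOO0 pfs enable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash sha1
set vpn ipsec site-to-site peer 203.0.113.1 description ipsec
set vpn ipsec site-to-site peer 203.0.113.1 local-address 0.0.0.0
set vpn ipsec site-to-site peer 203.0.113.1 ike-group FOO0
set vpn ipsec site-to-site peer 203.0.113.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 203.0.113.1 authentication pre-shared-secret <secret>
# Option 2 (alternative to the remote-id line on ER-L; do not apply both):
# set vpn ipsec site-to-site peer 203.0.113.1 authentication id 192.0.2.1
set vpn ipsec site-to-site peer 203.0.113.1 tunnel 1 esp-group FOO0
set vpn ipsec site-to-site peer 203.0.113.1 tunnel 1 local prefix 172.16.1.0/24
set vpn ipsec site-to-site peer 203.0.113.1 tunnel 1 remote prefix 192.168.1.0/24
commit ; save ; exit

# Verify on either router: the IKE SA should be up and an IPsec SA
# should exist for the 192.168.1.0/24 <-> 172.16.1.0/24 pair.
show vpn ike sa
show vpn ipsec sa
```

Two checks worth making once the tunnel is committed. First, the modem must pass IKE (UDP 500) and NAT-T (UDP 4500) between ER-R and ER-L; if the modem only creates mappings for outbound flows, the tunnel will come up only when ER-R initiates it, so either start traffic from the ER-R side or forward those ports on the modem. Second, the AES-128/SHA-1/DH group 14 values mirror the article's GUI settings; SHA-1 is a legacy choice for the IKE and ESP hash, and where both routers support it SHA-256 is the stronger selection, applied symmetrically on both peers.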

Related Articles


EdgeRouter - Policy-Based Site-to-Site IPsec VPN

Intro to Networking - How to Establish a Connection Using SSH
