EdgeRouter - Site-to-Site VPN between USG and EdgeRouter

Overview


Readers will how to configure a site-to-site VPN using an EdgeRouter and USG.

Implementation


The example is written based on UniFi version v5.4.11 and EdgeOS v1.5.0. The hardware platforms include a 3-port USG and a 5-port EdgeRouter.

Below is the network diagram that we aim to deploy.

 

Setting Networks in ER-5-POE

We are not going into details on setting networks in EdgeOS in this article; but steps include:

  • configure eth1 IP
  • configure switch0 to include eth3,4,5 and assign an IP, 192.168.202.1
  • Set a DHCP server for 192.168.202.0/23 subnet
  • Configure NAT

Setting Networks in USG

In UniFi Controller, navigate to "Settings" > "Networks" to create/edit the 192.168.100.0/24 subnet.

Establishing Site-to-Site VPN on EdgeRouter

1. Select "VPN" panel
2. Choose "IPsec Site-to-Site"
3. See above diagram, we use "eth1" for IPsec interface
4. "Add Peer" for the USG
5. Peer IP: 10.1.2.236    => WAN IP for USG
6. Local IP: 10.1.2.170   => WAN IP for EdgeRouter
7. Pre-shared secret: ubntUBNT   => just an example, set your own secret
8. Local subnet: 192.168.202.0/23     => Site under EdgeRouter
9. Remote subnet: 192.168.100.0/24    => Site under USG
10. Click "Apply"

 In the attachment, you can find the configuration dump of the EdgeRouter used in this scenario.

Establishing Site-to-Site VPN on USG

You can configure the VPN in the UI of the UniFi Controller as shown in the screenshot below:

Once you click save, the USG will be provisioned with the IPsec VPN configuration. If you want to check the status of the VPN, SSH into the USG and type 'show vpn ipsec sa' - note that the phase 2 portion of the VPN will only come up if traffic is sent across the tunnel.

Checking VPN Connection

Try to "ping 192.168.100.1" from a client behind the EdgeRouter and "ping 192.168.202.1" from a client behind the USG, don't ping sourcing from the EdgeRouter or USG themselves unless you source the ping from the LAN interface. If the pings are successful, then the VPN is up and functional. You will need to add an Allow ICMP rule on WAN local in the UniFi controller (Settings > Routing and Firewall > Firewall > WAN Local > Create new rule)