
NR - EdgeRouter - Configure EdgeRouter to Cisco IPSEC VPN

Caveats for this Example

- Strictly point-to-point: no NAT between the two VPN endpoints (both peers have their public address directly on the WAN interface)

Topology Notes:

EdgeRouter: 
- WAN: 8.8.8.8
- LAN: 10.12.10.0/24 (Local Subnet)

Cisco:
- WAN: 4.4.4.4
- LAN: 10.11.0.0/24 (Remote Subnet)


On the Cisco side

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key YOURPRESHAREDKEYHERE address 8.8.8.8 no-xauth
!
! Transform set referenced by the crypto map below. It must match the
! EdgeRouter esp-group proposal (3DES / SHA1, tunnel mode).
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
 mode tunnel
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to Ubnt Demo
 set peer 8.8.8.8
 set transform-set ESP-3DES-SHA1
 match address 107
!
! Interesting traffic: the single Cisco-side host to the EdgeRouter LAN.
! This is the mirror image of the tunnel's local/remote prefixes on the ER.
access-list 107 permit ip host 10.11.0.63 10.12.10.0 0.0.0.255
!
! The crypto map only takes effect once applied to the WAN interface
! (replace <WAN-INTERFACE> with the interface that holds 4.4.4.4).
interface <WAN-INTERFACE>
 crypto map SDM_CMAP_1


On the ER Lite side

disable-uniqreqids
esp-group vpntunnel {
    compression disable
    lifetime 1800
    mode tunnel
    pfs disable
    proposal 1 {
        encryption 3des
        hash sha1
    }
}
ike-group vpntunnel {
    lifetime 28800
    proposal 1 {
        dh-group 2
        encryption 3des
        hash sha1
    }
}
site-to-site {
    peer 4.4.4.4 {
        authentication {
            mode pre-shared-secret
            pre-shared-secret YOURPRESHAREDKEYHERE
        }
        connection-type initiate
        default-esp-group vpntunnel
        ike-group vpntunnel
        local-ip 8.8.8.8
        tunnel 10 {
            allow-nat-networks disable
            allow-public-networks disable
            esp-group vpntunnel
            local {
                subnet 10.12.10.0/24
            }
            remote {
                subnet 10.11.0.63/32
            }
        }
    }
}


The commands used on the ER are as follows
(Remember to replace 8.8.8.8 and 4.4.4.4 with your appropriate addresses, and use the same pre-shared key on both sides)

configure
set vpn ipsec disable-uniqreqids
set vpn ipsec esp-group vpntunnel
set vpn ipsec esp-group vpntunnel compression disable
set vpn ipsec esp-group vpntunnel lifetime 1800
set vpn ipsec esp-group vpntunnel mode tunnel
set vpn ipsec esp-group vpntunnel pfs disable
set vpn ipsec esp-group vpntunnel proposal 1
set vpn ipsec esp-group vpntunnel proposal 1 encryption 3des
set vpn ipsec esp-group vpntunnel proposal 1 hash sha1
set vpn ipsec ike-group vpntunnel
set vpn ipsec ike-group vpntunnel lifetime 28800
set vpn ipsec ike-group vpntunnel proposal 1
set vpn ipsec ike-group vpntunnel proposal 1 dh-group 2
set vpn ipsec ike-group vpntunnel proposal 1 encryption 3des
set vpn ipsec ike-group vpntunnel proposal 1 hash sha1
set vpn ipsec site-to-site peer 4.4.4.4
set vpn ipsec site-to-site peer 4.4.4.4 local-address 8.8.8.8
set vpn ipsec site-to-site peer 4.4.4.4 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 4.4.4.4 authentication pre-shared-secret YOURPRESHAREDKEYHERE
set vpn ipsec site-to-site peer 4.4.4.4 connection-type initiate
set vpn ipsec site-to-site peer 4.4.4.4 default-esp-group vpntunnel
set vpn ipsec site-to-site peer 4.4.4.4 ike-group vpntunnel
set vpn ipsec site-to-site peer 4.4.4.4 tunnel 1
set vpn ipsec site-to-site peer 4.4.4.4 tunnel 1 esp-group vpntunnel
set vpn ipsec site-to-site peer 4.4.4.4 tunnel 1 local prefix 10.12.10.0/24
set vpn ipsec site-to-site peer 4.4.4.4 tunnel 1 remote prefix 10.11.0.63/32
commit


Note that the remote subnet in the example commands differs from the topology notes above: I only want to be able to communicate with one IP on the remote side, hence the /32.

Reminder: don't forget to exclude traffic to the remote subnet from the local NAT (masquerade) rules; otherwise the packets leave with the WAN address as their source and never match the tunnel's local prefix.
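Added example of that NAT exclusion, not part of the original post: it assumes eth0 is the EdgeRouter WAN interface and that the general masquerade rule is number 5010 (both assumptions; adjust to your own config).

```edgeos
configure
# Exclusion rule. It must have a LOWER number than the general masquerade rule
# so it is evaluated first: LAN traffic to the tunnel's remote prefix matches
# here, is left un-NATed, and can then match the IPsec policy.
set service nat rule 5000 description 'Exclude IPsec traffic to 10.11.0.63 from NAT'
set service nat rule 5000 exclude
set service nat rule 5000 outbound-interface eth0
set service nat rule 5000 source address 10.12.10.0/24
set service nat rule 5000 destination address 10.11.0.63/32
set service nat rule 5000 type masquerade
# General masquerade rule for everything else (rule number 5010 and eth0 are
# assumptions).
set service nat rule 5010 description 'Masquerade LAN to WAN'
set service nat rule 5010 outbound-interface eth0
set service nat rule 5010 source address 10.12.10.0/24
set service nat rule 5010 type masquerade
commit
save
exit
# Verify that phase 1/2 negotiated and the SA is up after traffic is sent.
show vpn ipsec sa
```

If the SA stays down, compare the proposals on both sides first (3DES/SHA1/DH group 2 here); a mismatch there shows up before any NAT problem does.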

- jeff824