EdgeRouter - IPSec VPN - CLI Commands

A Site-to-Site VPN connects the networks behind two routers using the IPSec (Internet Protocol Security) protocol suite.

Network Diagram

Router R1 Addresses

eth0 - 10.1.0.43/23
eth1 - 192.0.2.1/24

Router R2 Addresses

eth0 - 203.0.113.1/24
eth1 - 172.16.3.48/24

Site-to-Site IPSec Tunnel with Pre-shared Key Authentication

We'll assume that routers R1 and R2 have public addresses so there is no NAT between R1 and R2.

R1 IPSec Config

R2 IPSec Config

Verify that IKE is up.

Verify that the IPSec tunnel is up.

Note: If you ping the other side of the tunnel from the router itself, you may need the -I option of ping to choose which interface address is used as the source. From router R1, for a packet to match the tunnel selectors (local/remote subnet), the source address must be in 10.1.0.0/23 and the destination address must be in 172.16.3.0/24. On router R1, interface eth0 has an address in 10.1.0.0/23, so that is the address to source the ping from.

Display the statistics.

To clear the VPN tunnel:

Site-to-Site IPSec Tunnel with RSA Key

Generate the keys on both routers R1 and R2.

The first step is to generate the keys on both routers R1 and R2. Note that the command stores the key in /config/ipsec.d/rsakey/localhost.key. The benefit of this location is that anything in the /config directory is carried over when the EdgeOS software image is upgraded.

On R2, copy the public portion of the key and configure where the local key is stored.

Change the peer to use authentication mode "rsa" and configure the key defined in the previous step.

Repeat the same Site-to-Site IPSec Tunnel with RSA Key procedure on router R1.

IPSec Peer with Dynamic Address

If router R2 has a dynamic external address, then select one of these methods:

  • Use dynamic DNS and use the host name as the peer.

or

  • Use a 0.0.0.0 peer.

When using a 0.0.0.0 peer, the side with the dynamic address must initiate the connection. This is the configuration for R1 using a 0.0.0.0 peer:

IPSec with NAT-T

Network Diagram

In this example we still have the same routers R1 and R2 where the IPSec tunnel will be terminated, but now R2 is behind a NAT router R3.

Router R1 Addresses

eth0 - 10.1.0.43/23
eth1 - 192.0.2.1/24

Router R2 Addresses

eth0 - 203.0.113.1/24
eth1 - 172.16.3.48/24

Router R3 Address

eth0 - 192.0.2.2

Change router R1 to use a 0.0.0.0 peer since we can't reach the address behind the NAT router. Then on both routers R1 and R2, enable nat-traversal and define the nat-networks that we want to allow.

R1 IPSec Config

R2 IPSec Config

The show vpn ipsec sa command now shows that NAT-T is detected and that the connection is to 192.0.2.2, since that is the address of the NAT router R3.

Firewall Guidelines

The remote peer will be trying to establish an IPSec tunnel with the IPSec service running on the router itself, so the local firewall rule set (the rules applied to traffic addressed to the router) must allow the following:

  • IKE - UDP port 500
  • ESP - protocol 50
  • NAT-T - UDP port 4500 (if using NAT-T)

For an example configuration with firewall see this forum thread.

Troubleshooting

One of the more common problems is that when NAT masquerade is used, you have to exclude that traffic from getting NAT'ed. See this forum thread for an example.
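The commands the configuration screenshots would have shown, as an added example that is not part of the original page or a Ubiquiti-supplied config: router R1's side of the pre-shared-key tunnel, the local firewall rules from the Firewall Guidelines section, and the NAT exclusion described above. The addresses are the page's R1/R2 values; the group names FOO0 and WAN_LOCAL, the rule numbers, the cipher choices and the pre-shared-secret placeholder are assumptions.

```text
configure
# Phase 1 (IKE) policy, referenced by the peer below
set vpn ipsec ike-group FOO0 proposal 1 encryption aes256
set vpn ipsec ike-group FOO0 proposal 1 hash sha256
set vpn ipsec ike-group FOO0 proposal 1 dh-group 14
set vpn ipsec ike-group FOO0 lifetime 28800
# Phase 2 (ESP) policy with perfect forward secrecy
set vpn ipsec esp-group FOO0 proposal 1 encryption aes256
set vpn ipsec esp-group FOO0 proposal 1 hash sha256
set vpn ipsec esp-group FOO0 pfs enable
set vpn ipsec esp-group FOO0 lifetime 3600
# Peer R2 (its eth0 address) with pre-shared-key authentication;
# the tunnel selectors are the two LAN subnets from the diagram
set vpn ipsec ipsec-interfaces interface eth1
set vpn ipsec site-to-site peer 203.0.113.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 203.0.113.1 authentication pre-shared-secret REPLACE_WITH_LONG_RANDOM_SECRET
set vpn ipsec site-to-site peer 203.0.113.1 ike-group FOO0
set vpn ipsec site-to-site peer 203.0.113.1 local-address 192.0.2.1
set vpn ipsec site-to-site peer 203.0.113.1 tunnel 1 esp-group FOO0
set vpn ipsec site-to-site peer 203.0.113.1 tunnel 1 local prefix 10.1.0.0/23
set vpn ipsec site-to-site peer 203.0.113.1 tunnel 1 remote prefix 172.16.3.0/24
# Local firewall on the WAN interface: only IKE (UDP 500), NAT-T (UDP 4500)
# and ESP (protocol 50) from the peer reach the router; the rest is dropped
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 protocol udp
set firewall name WAN_LOCAL rule 30 destination port 500,4500
set firewall name WAN_LOCAL rule 30 source address 203.0.113.1
set firewall name WAN_LOCAL rule 40 action accept
set firewall name WAN_LOCAL rule 40 protocol esp
set firewall name WAN_LOCAL rule 40 source address 203.0.113.1
set interfaces ethernet eth1 firewall local name WAN_LOCAL
# Source NAT: the exclude rule must have a lower number than the masquerade
# rule, otherwise the translated source no longer matches the tunnel's local prefix
set service nat rule 5000 description "exclude VPN traffic from NAT"
set service nat rule 5000 destination address 172.16.3.0/24
set service nat rule 5000 exclude
set service nat rule 5000 outbound-interface eth1
set service nat rule 5000 type masquerade
set service nat rule 5010 outbound-interface eth1
set service nat rule 5010 type masquerade
commit
save
exit
```

R2 mirrors this with peer 192.0.2.1, local-address 203.0.113.1 and the prefixes swapped; for the NAT-T variant, R1's peer becomes 0.0.0.0 and the source-address matches in WAN_LOCAL are replaced by the NAT router's address 192.0.2.2.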