EdgeRouter - Modifying the Default IPsec Site-to-Site VPN


Overview


Readers will learn how to modify the default Site-to-Site IPsec VPN settings using the Command Line Interface (CLI).

NOTES & REQUIREMENTS:
Applicable to the latest EdgeOS firmware on all EdgeRouter models. Familiarity with the Command Line Interface (CLI) and advanced networking knowledge are required. Please see the Related Articles below for more information.
 

Table of Contents


  1. Network Diagram
  2. Creating a VPN using the GUI
  3. Modifying the VPN using the CLI
  4. Related Articles

Network Diagram



The network topology is shown below and the following interfaces are in use on the EdgeRouter:

ER-R

  • eth0 (WAN) - 203.0.113.1
  • eth1 (LAN) - 192.168.1.1/24

ER-L

  • eth0 (WAN) - 192.0.2.1
  • eth1 (LAN) - 172.16.1.1/24


Creating a VPN using the GUI



For the purpose of this article, it is assumed that the routing and interface configurations are already in place and that reachability has been tested.

The ports and protocol that are relevant to IPsec are:

  • UDP 500 (IKE)
  • Protocol 50 (ESP)
  • UDP 4500 (NAT-T)

GUI: Access the Graphical User Interface (GUI) on ER-R.

1. Define the IPsec peer and hashing/encryption methods.

VPN > IPsec Site-to-Site > +Add Peer

  • Show advanced options
  • Uncheck: Automatically open firewall and exclude from NAT
Peer: 192.0.2.1
Description: ipsec
Local IP: 203.0.113.1
Encryption: AES-128
Hash: SHA1
DH Group: 14
Pre-shared Secret: <secret>
Local subnet: 192.168.1.0/24
Remote subnet: 172.16.1.0/24

2. Apply the changes.

GUI: Access the Graphical User Interface (GUI) on ER-L.

1. Define the IPsec peer and the hashing/encryption methods.

VPN > IPsec Site-to-Site > +Add Peer

  • Show advanced options
  • Uncheck: Automatically open firewall and exclude from NAT
Peer: 203.0.113.1
Description: ipsec
Local IP: 192.0.2.1
Encryption: AES-128
Hash: SHA1
DH Group: 14
Pre-shared Secret: <secret>
Local subnet: 172.16.1.0/24
Remote subnet: 192.168.1.0/24

2. Apply the changes.

ATTENTION: Because the automatic creation of firewall rules and NAT exclusion has been disabled, the VPN will not establish until firewall rules are created manually.

The 'Automatically open firewall and exclude from NAT' checkbox adds the following rules to iptables in the background:

  • UBNT_VPN_IPSEC_FW_HOOK: Allow UDP port 500 (IKE), UDP port 4500 (NAT-T) and ESP in the local direction.
  • UBNT_VPN_IPSEC_FW_IN_HOOK: Allow IPsec traffic from the remote subnet to the local subnet in the local and inbound direction.
  • UBNT_VPN_IPSEC_SNAT_HOOK: Exclude all traffic from the local subnet to the remote subnet from NAT.

You can verify the iptables firewall rules and counters by running the following commands in the CLI:

sudo iptables -L -vn
Chain UBNT_VPN_IPSEC_FW_HOOK (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 500,4500
0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0

Chain UBNT_VPN_IPSEC_FW_IN_HOOK (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 172.16.1.0/24 192.168.1.0/24

sudo iptables -t nat -L -vn
Chain UBNT_VPN_IPSEC_SNAT_HOOK (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 192.168.1.0/24 172.16.1.0/24

NOTE: If you have previously enabled the 'automatic firewall and NAT exclusion' feature and turned it off, you will need to reboot the device to remove the automatically created iptables rules.
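As an added check that is not part of this article, the following Python script parses iptables -L -vn output in the format shown above and reports which of the three automatic rules are absent for a given pair of subnets; the chain names are the ones listed above, and the sample output is constructed to match this article's topology.

```python
import re
# Constructed sample of `sudo iptables -L -vn` (filter table), in the format shown above.
FILTER_OUTPUT = """\
Chain UBNT_VPN_IPSEC_FW_HOOK (1 references)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT udp  --  *  *  0.0.0.0/0  0.0.0.0/0  multiport dports 500,4500
    0     0 ACCEPT esp  --  *  *  0.0.0.0/0  0.0.0.0/0

Chain UBNT_VPN_IPSEC_FW_IN_HOOK (1 references)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT all  --  *  *  172.16.1.0/24  192.168.1.0/24
"""
# Constructed sample of `sudo iptables -t nat -L -vn`.
NAT_OUTPUT = """\
Chain UBNT_VPN_IPSEC_SNAT_HOOK (1 references)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT all  --  *  *  192.168.1.0/24  172.16.1.0/24
"""

def parse_chains(text):  # chain name -> rules; columns: pkts bytes target prot opt in out src dst extras
    chains, current = {}, None
    for line in text.splitlines():
        f = line.split()
        if f[:1] == ["Chain"]:  # "Chain NAME (n references)" starts a new chain
            current = chains.setdefault(f[1], [])
        elif current is not None and f and f[0] != "pkts":  # skip the column header line
            current.append({"target": f[2], "prot": f[3], "src": f[7], "dst": f[8], "extra": " ".join(f[9:])})
    return chains

def dports(rule):  # destination ports named in the match extras: 'dpt:500' or 'dports 500,4500'
    m = re.search(r"dpt:(\d+)|dports (\S+)", rule["extra"])
    return set((m.group(1) or m.group(2)).split(",")) if m else set()

def check_ipsec_rules(filter_text, nat_text, local_net, remote_net):
    """Return the rules that are missing; an empty list means the VPN traffic can pass."""
    fw, nat, missing = parse_chains(filter_text), parse_chains(nat_text), []
    hook = [r for r in fw.get("UBNT_VPN_IPSEC_FW_HOOK", []) if r["target"] == "ACCEPT"]
    inbound = [r for r in fw.get("UBNT_VPN_IPSEC_FW_IN_HOOK", []) if r["target"] == "ACCEPT"]
    exclude = nat.get("UBNT_VPN_IPSEC_SNAT_HOOK", [])
    for proto, port, name in (("udp", "500", "UDP 500 (IKE)"), ("udp", "4500", "UDP 4500 (NAT-T)"), ("esp", None, "ESP")):
        if not any(r["prot"] == proto and (port is None or port in dports(r)) for r in hook):
            missing.append("local: " + name)
    if not any(r["src"] == remote_net and r["dst"] == local_net for r in inbound):
        missing.append("inbound: %s -> %s" % (remote_net, local_net))
    if not any(r["src"] == local_net and r["dst"] == remote_net for r in exclude):
        missing.append("nat-exclude: %s -> %s" % (local_net, remote_net))
    return missing

if __name__ == "__main__":
    print(check_ipsec_rules(FILTER_OUTPUT, NAT_OUTPUT, "192.168.1.0/24", "172.16.1.0/24") or "all IPsec rules present")
```

Paste the real output of the two commands into the two strings (or read them from files) to run the same check against a router.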

Modifying the VPN using the CLI



In the previous section we did not enable the 'automatic firewall and NAT exclusion' feature. Follow the steps below to add your own IPsec firewall/NAT rules:

CLI: Access the command line interface (CLI). You can do this using the CLI button in the GUI or by using a program such as PuTTY.

1. Enter configuration mode.

configure

2. Add firewall rules that allow IKE, NAT-T, ESP and IPsec in the local direction.

set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description ike
set firewall name WAN_LOCAL rule 30 destination port 500
set firewall name WAN_LOCAL rule 30 log disable
set firewall name WAN_LOCAL rule 30 protocol udp

set firewall name WAN_LOCAL rule 40 action accept
set firewall name WAN_LOCAL rule 40 description esp
set firewall name WAN_LOCAL rule 40 log disable
set firewall name WAN_LOCAL rule 40 protocol esp

set firewall name WAN_LOCAL rule 50 action accept
set firewall name WAN_LOCAL rule 50 description nat-t
set firewall name WAN_LOCAL rule 50 destination port 4500
set firewall name WAN_LOCAL rule 50 log disable
set firewall name WAN_LOCAL rule 50 protocol udp

set firewall name WAN_LOCAL rule 60 action accept
set firewall name WAN_LOCAL rule 60 description ipsec
set firewall name WAN_LOCAL rule 60 destination address 192.168.1.0/24
set firewall name WAN_LOCAL rule 60 source address 172.16.1.0/24
set firewall name WAN_LOCAL rule 60 log disable
set firewall name WAN_LOCAL rule 60 ipsec match-ipsec

3. Add a firewall rule that allows IPsec traffic between the remote and local subnet in the inbound direction.

set firewall name WAN_IN rule 30 action accept
set firewall name WAN_IN rule 30 description ipsec
set firewall name WAN_IN rule 30 destination address 192.168.1.0/24
set firewall name WAN_IN rule 30 source address 172.16.1.0/24
set firewall name WAN_IN rule 30 log disable
set firewall name WAN_IN rule 30 ipsec match-ipsec

4. Prevent the traffic between the remote and local subnets from being translated by NAT.

set service nat rule 5000 description ipsec-exclude
set service nat rule 5000 destination address 172.16.1.0/24
set service nat rule 5000 exclude
set service nat rule 5000 outbound-interface eth0
set service nat rule 5000 protocol all
set service nat rule 5000 source address 192.168.1.0/24
set service nat rule 5000 type masquerade

IPsec VPNs consist of two phases, each of which uses its own set of hashing/encryption methods, called Security Associations (SAs). Phase 1 (P1) is used to authenticate the peers and establish the VPN, whereas the actual data (traffic) is passed in Phase 2 (P2). Because of this, we can define P2 SAs that focus on performance, and P1 SAs that focus on security. The ground rule of any form of encryption/hashing is that an increase in security will (usually) lead to a decrease in performance.

Available encryption options:

  • AES128
  • AES256
  • AES128GCM128
  • AES256GCM128
  • 3DES

Available hashing options:

  • MD5
  • SHA1
  • SHA2-256
  • SHA2-384
  • SHA2-512

NOTE: Using the GCM ciphers or SHA256/384/512 for P2 (ESP) is not recommended as it is not compatible with IPsec offloading. Please see this article for more information on hardware offloading.

Follow the steps below to modify the default VPN settings:

CLI: Access the command line interface (CLI). You can do this using the CLI button in the GUI or by using a program such as PuTTY.

1. Display the current IPsec VPN SA configuration (only relevant output is shown).

show vpn
ipsec {
    auto-firewall-nat-exclude disable
    esp-group FOO0 {
        proposal 1 {
            encryption aes128
            hash sha1
        }
    }
    ike-group FOO0 {
        proposal 1 {
            dh-group 14
            encryption aes128
            hash sha1
        }
    }
}
...

As shown in the output above, both P1 (ike-group FOO0) and P2 (esp-group FOO0) use the same set of SAs (AES128 and SHA1).

2. Change the P1 and P2 Security Associations.

set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash md5

set vpn ipsec ike-group FOO0 proposal 1 encryption aes256
set vpn ipsec ike-group FOO0 proposal 1 hash sha256

3. Change the ESP/IKE lifetimes (in seconds) so that the tunnel renegotiates less frequently.

set vpn ipsec esp-group FOO0 lifetime 43200
set vpn ipsec ike-group FOO0 lifetime 86400

4. Disable Perfect Forward Secrecy (PFS).

set vpn ipsec esp-group FOO0 pfs disable

5. Change the IKE Key Exchange from version 1 to version 2.

set vpn ipsec ike-group FOO0 key-exchange ikev2

6. Change the IKE Key Exchange to Aggressive Mode (not recommended and only supported with IKEv2).

set vpn ipsec ike-group FOO0 mode aggressive

7. Change the IPsec connection type.

set vpn ipsec site-to-site peer 192.0.2.1 connection-type respond

NOTE: This setting influences how many times a connection is renegotiated: with respond a single retry is made, whereas with initiate the connection is retried indefinitely.

8. Force the use of NAT-T (UDP 4500) encapsulation, even if no NAT is detected.

set vpn ipsec site-to-site peer 192.0.2.1 force-encapsulation enable

9. Change the local IPsec interface address.

Configure only one of the following statements, depending on how your WAN interface obtains its address:

(A) Your WAN interface receives an address through DHCP

delete vpn ipsec site-to-site peer 192.0.2.1 local-address
set vpn ipsec site-to-site peer 192.0.2.1 dhcp-interface eth0

(B) Your WAN interface receives an address through PPPoE

set vpn ipsec site-to-site peer 192.0.2.1 local-address 0.0.0.0

10. Change the peer address to 0.0.0.0 if the remote peer is behind NAT (not compatible with L2TP).

delete vpn ipsec site-to-site peer 192.0.2.1
set vpn ipsec site-to-site peer 0.0.0.0 …

11. Enable Dead Peer Detection (DPD).

set vpn ipsec ike-group FOO0 dead-peer-detection action restart
set vpn ipsec ike-group FOO0 dead-peer-detection interval 30
set vpn ipsec ike-group FOO0 dead-peer-detection timeout 120

The dead-peer-detection action can be one of the following:

  • hold: The VPN state is put ‘on-hold’ but the policies are kept until traffic is re-initiated.
  • clear: The VPN state and policies are cleared and the tunnel is torn down.
  • restart: The VPN state and policies are restarted and the router attempts to renegotiate the tunnel.

The DPD interval is the number of seconds between the DPD messages sent to the peer. The timeout is the number of seconds for which the messages are resent after a failed attempt before the configured action is applied.

NOTE: There is no need for DPD when IKEv2 is used, as it has a built-in keep-alive mechanism.

12. Enable the offloading of the P2 (ESP) IPsec traffic.

set system offload ipsec enable

13. Commit the changes and save the configuration.

commit ; save

ATTENTION: The commands below have been deprecated in EdgeOS firmware v1.8.5 and v1.8.0.
  • set vpn ipsec ipsec-interfaces
  • set vpn ipsec nat-traversal
  • set vpn ipsec nat-networks

You can verify the VPN settings using the following commands from operational mode:

show firewall name WAN_LOCAL statistics
show firewall name WAN_IN statistics
show nat statistics
show vpn ipsec sa
show vpn log
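To review the resulting Phase 1 and Phase 2 settings, the following Python script (an added example, not part of this article) audits the set vpn ipsec ... lines as printed by show configuration commands in operational mode and flags the choices a defender should question: MD5/SHA1 hashes, 3DES, DH groups below 14, PFS disabled, aggressive mode and IKEv1. The sample lines are constructed from the steps above; the group names and settings come from this article.

```python
import re
# Constructed sample: the `set vpn ipsec ...` lines this article's steps produce, in the
# form `show configuration commands` prints them in operational mode (vpn lines only).
SAMPLE = """\
set vpn ipsec esp-group FOO0 lifetime 43200
set vpn ipsec esp-group FOO0 pfs disable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash md5
set vpn ipsec ike-group FOO0 key-exchange ikev2
set vpn ipsec ike-group FOO0 lifetime 86400
set vpn ipsec ike-group FOO0 mode aggressive
set vpn ipsec ike-group FOO0 proposal 1 dh-group 14
set vpn ipsec ike-group FOO0 proposal 1 encryption aes256
set vpn ipsec ike-group FOO0 proposal 1 hash sha256
"""

# Values a defender should question when they appear in a proposal.
WEAK = {"hash": {"md5", "sha1"}, "encryption": {"3des"}}

def parse_set_lines(text):
    """Map 'esp-group NAME' / 'ike-group NAME' -> {setting path: value}."""
    groups = {}
    for line in text.splitlines():
        m = re.match(r"set vpn ipsec ((?:esp|ike)-group \S+) (.+) (\S+)$", line.strip())
        if m:  # e.g. ('esp-group FOO0', 'proposal 1 hash', 'md5')
            groups.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return groups

def audit(groups):
    """Return (group, finding) pairs; an empty list means nothing was flagged."""
    findings = []
    for name, settings in groups.items():
        for path, value in settings.items():
            field = path.split()[-1]  # 'proposal 1 hash' -> 'hash'
            if value in WEAK.get(field, ()):
                findings.append((name, "weak " + field + " " + value))
            if field == "dh-group" and int(value) < 14:
                findings.append((name, "dh-group " + value + " below 14"))
        if settings.get("pfs") == "disable":
            findings.append((name, "PFS disabled"))
        if settings.get("mode") == "aggressive":
            findings.append((name, "aggressive mode"))
        if name.startswith("ike-group") and settings.get("key-exchange", "ikev1") != "ikev2":
            findings.append((name, "IKEv1 in use"))  # key-exchange absent means IKEv1
    return findings

if __name__ == "__main__":
    for group, finding in audit(parse_set_lines(SAMPLE)):
        print(group + ": " + finding)
```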

Related Articles

