EdgeRouter - Modifying the Default IPsec Site-to-Site VPN


Overview


Readers will learn how to modify the default Site-to-Site IPsec VPN settings using the Command Line Interface (CLI).

NOTES & REQUIREMENTS:
Applicable to the latest EdgeOS firmware on all EdgeRouter models. Knowledge of the Command Line Interface (CLI) and advanced networking knowledge are required. Please see the Related Articles below for more information.
 

Table of Contents


  1. Frequently Asked Questions (FAQ)
  2. Configuring a Policy-Based VPN Using the Web UI
  3. Modifying the VPN Settings Using the CLI
  4. Related Articles

Frequently Asked Questions (FAQ)



What site-to-site IPsec VPN types can be configured on EdgeOS?

The following IPsec VPN types can be configured on EdgeOS:

  • Policy-Based
  • Route-Based (VTI)
  • GRE over IPsec

What are the available encryption and hashing options (Security Associations / SAs) for Phase 1 (IKE) and Phase 2 (ESP)?

Encryption

  • AES128
  • AES256
  • AES128GCM128
  • AES256GCM128 
  • 3DES

Hashing

  • MD5
  • SHA1
  • SHA2-256
  • SHA2-384
  • SHA2-512

Configuring a Policy-Based VPN Using the Web UI



ATTENTION: This article is for advanced users that are familiar with the EdgeOS command line. If you are intending to set up a simple VPN using the Web UI, refer to the Policy-Based Site-to-Site IPsec VPN article instead.

[Figure: topology.png, network topology diagram of the two EdgeRouters (ER-L and ER-R) and their LAN subnets]

The 192.168.1.0/24 and 172.16.1.0/24 networks will be allowed to communicate with each other over the VPN.


Follow the steps below to configure the Policy-Based Site-to-Site IPsec VPN on both EdgeRouters:

GUI: Access the Web UI on ER-L.

1. Define the IPsec peer and hashing/encryption methods.

VPN > IPsec Site-to-Site > +Add Peer

  • Check: Show advanced options
  • Uncheck: Automatically open firewall and exclude from NAT
Peer: 192.0.2.1
Description: ipsec
Local IP: 203.0.113.1
Encryption: AES-128
Hash: SHA1
DH Group: 14
Pre-shared Secret: <secret>
Local subnet: 192.168.1.0/24
Remote subnet: 172.16.1.0/24

2. Apply the changes.


GUI: Access the Web UI on ER-R.

1. Define the IPsec peer and the hashing/encryption methods.

VPN > IPsec Site-to-Site > +Add Peer

  • Check: Show advanced options
  • Uncheck: Automatically open firewall and exclude from NAT
Peer: 203.0.113.1
Description: ipsec
Local IP: 192.0.2.1
Encryption: AES-128
Hash: SHA1
DH Group: 14
Pre-shared Secret: <secret>
Local subnet: 172.16.1.0/24
Remote subnet: 192.168.1.0/24

2. Apply the changes.


Modifying the VPN Settings Using the CLI



Modifying the default VPN settings through the command line may be necessary in some environments, for example to disable the PFS (Perfect Forward Secrecy) feature, or to manually create the firewall and NAT rules that control the traffic passed over the VPN.

ATTENTION: Do not change the VPN configuration through the GUI after adding your own custom modifications through the CLI. Doing so will reset all settings back to the defaults.

If enabled previously, the 'Automatic Firewall/NAT' checkbox adds the following rules to the iptables firewall in the background:

  • UBNT_VPN_IPSEC_FW_HOOK Allow UDP port 500 (IKE), UDP port 4500 (NAT-T) and ESP in the local direction.
  • UBNT_VPN_IPSEC_FW_IN_HOOK Allow IPsec traffic from the remote subnet to the local subnet in the local and inbound direction.
  • UBNT_VPN_IPSEC_SNAT_HOOK Exclude all traffic from the local subnet to the remote subnet from NAT.

You can verify these firewall and NAT rules by running the following commands on both routers:

sudo iptables -L -v -n
Chain UBNT_VPN_IPSEC_FW_HOOK (1 references)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 500,4500
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain UBNT_VPN_IPSEC_FW_IN_HOOK (1 references)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 ACCEPT     all  --  *      *       192.168.1.0/24       172.16.1.0/24      

sudo iptables -t nat -L -vn
Chain UBNT_VPN_IPSEC_SNAT_HOOK (1 references)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 ACCEPT     all  --  *      *       192.168.1.0/24       172.16.1.0/24      

NOTE: The 'Automatic Firewall/NAT' checkbox applies to all Site-to-Site VPN connections active on the router.

The iptables firewall entries are not automatically cleared when the feature is disabled (if it was enabled previously). In order to clear the rules, reboot the device or manually delete the entries with the iptables commands below:

sudo iptables -D UBNT_VPN_IPSEC_FW_HOOK 1
sudo iptables -D UBNT_VPN_IPSEC_FW_HOOK 1
sudo iptables -D UBNT_VPN_IPSEC_FW_IN_HOOK 1
sudo iptables -t nat -D UBNT_VPN_IPSEC_SNAT_HOOK 1
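Because the hook chains are not cleared automatically, it is worth checking them after unchecking the 'Automatic Firewall/NAT' box. The script below is an added example, not part of the Ubiquiti article: it parses the output of sudo iptables -L -v -n (a constructed sample is embedded, matching the output shown above) and counts the rules still present in each UBNT_VPN_IPSEC_*_HOOK chain; a total of 0 means the chains are clean.

```shell
#!/bin/sh
# Added example (not from the Ubiquiti article): count rules left in the
# UBNT_VPN_IPSEC_*_HOOK chains so stale entries can be spotted after the
# 'Automatic Firewall/NAT' checkbox has been unchecked.

# Constructed sample of 'sudo iptables -L -v -n' output, in the format the
# article shows. WAN_LOCAL is included to show that other chains are ignored.
SAMPLE_FILTER='Chain UBNT_VPN_IPSEC_FW_HOOK (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 500,4500
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain UBNT_VPN_IPSEC_FW_IN_HOOK (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       192.168.1.0/24       172.16.1.0/24

Chain WAN_LOCAL (1 references)
 pkts bytes target     prot opt in     out     source               destination
   12  1024 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:500'

# stale_hook_rules: read 'iptables -L -v -n' output on stdin and print one
# line per UBNT_VPN_IPSEC_*_HOOK chain as "<chain> <rule count>".
stale_hook_rules() {
  awk '
    /^Chain / {                                   # chain header: remember the name
        chain = $2
        if (chain ~ /^UBNT_VPN_IPSEC_.*_HOOK$/) n[chain] += 0   # list even if empty
        next
    }
    /^ *pkts +bytes/ { next }                     # column header line
    /^$/             { next }                     # blank separator line
    chain ~ /^UBNT_VPN_IPSEC_.*_HOOK$/ { n[chain]++ }   # a rule inside a hook chain
    END { for (c in n) print c, n[c] }
  ' | sort
}

# hook_rule_total: total rules across all hook chains; 0 means nothing stale.
hook_rule_total() {
  stale_hook_rules | awk '{ t += $2 } END { print t + 0 }'
}

# Demonstration against the constructed sample (3 stale rules expected).
printf '%s\n' "$SAMPLE_FILTER" | stale_hook_rules
# On a live router: sudo iptables -L -v -n | hook_rule_total
#                   sudo iptables -t nat -L -v -n | hook_rule_total
```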

Because we did not enable the 'Automatic Firewall/NAT' checkbox in the Web UI section above, manual IPsec firewall and NAT rules need to be created. Follow the steps below to add the rules to both routers:

CLI: Access the Command Line Interface on ER-L. You can do this using the CLI button in the GUI or by using a program such as PuTTY.

1. Enter configuration mode.

configure

2. Add firewall rules that allow IKE and ESP in the local direction.

set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description ike
set firewall name WAN_LOCAL rule 30 destination port 500
set firewall name WAN_LOCAL rule 30 log disable
set firewall name WAN_LOCAL rule 30 protocol udp

set firewall name WAN_LOCAL rule 40 action accept
set firewall name WAN_LOCAL rule 40 description esp
set firewall name WAN_LOCAL rule 40 log disable
set firewall name WAN_LOCAL rule 40 protocol esp

set firewall name WAN_LOCAL rule 50 action accept
set firewall name WAN_LOCAL rule 50 description nat-t
set firewall name WAN_LOCAL rule 50 destination port 4500
set firewall name WAN_LOCAL rule 50 log disable
set firewall name WAN_LOCAL rule 50 protocol udp

NOTE: Make sure to not overwrite any existing firewall rules!

3. Add firewall rules that allow IPsec traffic between the remote and local subnet in the inbound and local direction.

set firewall name WAN_LOCAL rule 60 action accept
set firewall name WAN_LOCAL rule 60 description ipsec
set firewall name WAN_LOCAL rule 60 destination address 192.168.1.0/24
set firewall name WAN_LOCAL rule 60 source address 172.16.1.0/24
set firewall name WAN_LOCAL rule 60 log disable
set firewall name WAN_LOCAL rule 60 ipsec match-ipsec

set firewall name WAN_IN rule 30 action accept
set firewall name WAN_IN rule 30 description ipsec
set firewall name WAN_IN rule 30 destination address 192.168.1.0/24
set firewall name WAN_IN rule 30 source address 172.16.1.0/24
set firewall name WAN_IN rule 30 log disable
set firewall name WAN_IN rule 30 ipsec match-ipsec

4. Prevent the traffic between the remote and local subnets from being translated by NAT.

set service nat rule 5000 description ipsec-exclude
set service nat rule 5000 destination address 172.16.1.0/24
set service nat rule 5000 exclude
set service nat rule 5000 outbound-interface eth0
set service nat rule 5000 protocol all
set service nat rule 5000 source address 192.168.1.0/24
set service nat rule 5000 type masquerade

NOTE: This rule must be inserted in front of any NAT masquerade rules.

5. Modify the default encryption and hashing settings.

Display the current IPsec VPN configuration (only relevant output is shown).

show vpn
ipsec {
auto-firewall-nat-exclude disable
esp-group FOO0 {
lifetime 3600
pfs enable
proposal 1 {
encryption aes128
hash sha1
}
}
ike-group FOO0 {
lifetime 28800
proposal 1 {
dh-group 14
encryption aes128
hash sha1
}
}
}
...

By default, the IKE and ESP groups use the same hashing and encryption settings (AES128/SHA1 in this example). We can customize the groups using the commands below:

set vpn ipsec ike-group FOO0 proposal 1 encryption aes256
set vpn ipsec ike-group FOO0 proposal 1 hash sha256
set vpn ipsec ike-group FOO0 lifetime 86400

set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash md5
set vpn ipsec esp-group FOO0 lifetime 43200
set vpn ipsec esp-group FOO0 pfs disable

6. Change the IKE Key Exchange from version 1 to version 2.

set vpn ipsec ike-group FOO0 key-exchange ikev2

7. Enable Dead Peer Detection (DPD).

set vpn ipsec ike-group FOO0 dead-peer-detection action restart
set vpn ipsec ike-group FOO0 dead-peer-detection interval 30
set vpn ipsec ike-group FOO0 dead-peer-detection timeout 120

8. Commit the changes and save the configuration.

commit ; save

CLI: Access the Command Line Interface on ER-R.

1. Enter configuration mode.

configure

2. Add firewall rules that allow IKE and ESP in the local direction.

set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description ike
set firewall name WAN_LOCAL rule 30 destination port 500
set firewall name WAN_LOCAL rule 30 log disable
set firewall name WAN_LOCAL rule 30 protocol udp

set firewall name WAN_LOCAL rule 40 action accept
set firewall name WAN_LOCAL rule 40 description esp
set firewall name WAN_LOCAL rule 40 log disable
set firewall name WAN_LOCAL rule 40 protocol esp

set firewall name WAN_LOCAL rule 50 action accept
set firewall name WAN_LOCAL rule 50 description nat-t
set firewall name WAN_LOCAL rule 50 destination port 4500
set firewall name WAN_LOCAL rule 50 log disable
set firewall name WAN_LOCAL rule 50 protocol udp

NOTE: Make sure to not overwrite any existing firewall rules!

3. Add firewall rules that allow IPsec traffic between the remote and local subnet in the inbound and local direction.

set firewall name WAN_LOCAL rule 60 action accept
set firewall name WAN_LOCAL rule 60 description ipsec
set firewall name WAN_LOCAL rule 60 destination address 172.16.1.0/24
set firewall name WAN_LOCAL rule 60 source address 192.168.1.0/24
set firewall name WAN_LOCAL rule 60 log disable
set firewall name WAN_LOCAL rule 60 ipsec match-ipsec

set firewall name WAN_IN rule 30 action accept
set firewall name WAN_IN rule 30 description ipsec
set firewall name WAN_IN rule 30 destination address 172.16.1.0/24
set firewall name WAN_IN rule 30 source address 192.168.1.0/24
set firewall name WAN_IN rule 30 log disable
set firewall name WAN_IN rule 30 ipsec match-ipsec

4. Prevent the traffic between the remote and local subnets from being translated by NAT.

set service nat rule 5000 description ipsec-exclude
set service nat rule 5000 destination address 192.168.1.0/24
set service nat rule 5000 exclude
set service nat rule 5000 outbound-interface eth0
set service nat rule 5000 protocol all
set service nat rule 5000 source address 172.16.1.0/24
set service nat rule 5000 type masquerade

NOTE: This rule must be inserted in front of any NAT masquerade rules.

5. Modify the default encryption and hashing settings.

Display the current IPsec VPN configuration (only relevant output is shown).

show vpn
ipsec {
auto-firewall-nat-exclude disable
esp-group FOO0 {
lifetime 3600
pfs enable
proposal 1 {
encryption aes128
hash sha1
}
}
ike-group FOO0 {
lifetime 28800
proposal 1 {
dh-group 14
encryption aes128
hash sha1
}
}
}
...

By default, the IKE and ESP groups use the same hashing and encryption settings (AES128/SHA1 in this example). We can customize the groups using the commands below:

set vpn ipsec ike-group FOO0 proposal 1 encryption aes256
set vpn ipsec ike-group FOO0 proposal 1 hash sha256
set vpn ipsec ike-group FOO0 lifetime 86400

set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash md5
set vpn ipsec esp-group FOO0 lifetime 43200
set vpn ipsec esp-group FOO0 pfs disable
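Step 5 on both ER-L and ER-R leaves the ESP group with MD5 integrity and PFS disabled, which is a weaker profile than the defaults. The script below is an added example, not part of the Ubiquiti article: it reads the 'show vpn' configuration block (a constructed sample is embedded, reflecting the settings applied in step 5) and flags MD5/SHA1 integrity, 3DES, a DH group below 14, and disabled PFS, so a change like this is visible before it is committed.

```shell
#!/bin/sh
# Added example (not from the Ubiquiti article): audit a 'show vpn' block for
# weak IKE/ESP choices. Constructed sample matching the state after step 5.
SAMPLE_VPN='ipsec {
auto-firewall-nat-exclude disable
esp-group FOO0 {
lifetime 43200
pfs disable
proposal 1 {
encryption aes128
hash md5
}
}
ike-group FOO0 {
lifetime 86400
proposal 1 {
dh-group 14
encryption aes256
hash sha256
}
}
}'

# audit_vpn_config: read the configuration on stdin, print one finding per line.
# The current esp-group/ike-group name is tracked so each finding names its group.
audit_vpn_config() {
  awk '
    $1 ~ /^(esp|ike)-group$/ { grp = $1 " " $2; next }
    $1 == "hash" && ($2 == "md5" || $2 == "sha1") {
        print "WEAK " grp ": integrity " $2 " (use sha256 or stronger)" }
    $1 == "encryption" && $2 == "3des" {
        print "WEAK " grp ": encryption 3des (use aes128/aes256 or an AES-GCM mode)" }
    $1 == "pfs" && $2 == "disable" {
        print "WARN " grp ": pfs disabled (ESP keys derive from the IKE SA secret, so its compromise exposes all child SAs)" }
    $1 == "dh-group" && $2 + 0 < 14 {
        print "WEAK " grp ": dh-group " $2 " (use 14 or higher)" }
  '
}

# audit_finding_count: number of findings; 0 means nothing was flagged.
audit_finding_count() { audit_vpn_config | wc -l | tr -d " "; }

# Demonstration against the constructed sample (two findings expected).
printf '%s\n' "$SAMPLE_VPN" | audit_vpn_config
# On a live router, in operational mode: show vpn | audit_vpn_config
```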

6. Change the IKE Key Exchange from version 1 to version 2.

set vpn ipsec ike-group FOO0 key-exchange ikev2

7. Enable Dead Peer Detection (DPD).

set vpn ipsec ike-group FOO0 dead-peer-detection action restart
set vpn ipsec ike-group FOO0 dead-peer-detection interval 30
set vpn ipsec ike-group FOO0 dead-peer-detection timeout 120

8. Commit the changes and save the configuration.

commit ; save

You can verify the VPN, firewall rules and NAT statistics with the following commands:

show firewall name WAN_LOCAL statistics
show firewall name WAN_IN statistics
show nat statistics
show vpn ipsec sa
show vpn log

Related Articles



EdgeRouter - Dynamic Site-to-Site IPsec VPN using FQDNs

EdgeRouter - Route-Based Site-to-Site IPsec VPN

EdgeRouter - Policy-Based Site-to-Site IPsec VPN

Intro to Networking - How to Establish a Connection Using SSH

