=====IPsec Site-to-Site VPN=====

Guide to set up a site-to-site VPN between two Ubiquiti EdgeRouters (called er-l and er-r below).

  * Generate a temporary passphrase to use as the pre-shared secret. It only has to survive until both routers are switched to RSA authentication (see the CLI section below), so make it long and random rather than memorable.
  * Set up ''vpn.site-l.com'' and ''vpn.site-r.com'' as CNAMEs to the root domain of each site and use those as the peer names. Naming the peers by FQDN rather than by IP address lets the tunnel re-establish after a WAN IP change.
  * On each of the routers, configure the VPN as below, switching the FQDN and subnets as required:
    * ''VPN'' > ''IPsec Site-to-Site''
    * ''Show advanced options''
    * ''Automatically open firewall and exclude from NAT''
    * ''+ Add Peer''
      * ''Peer'' > FQDN of the remote router, e.g. ''vpn.site-r.com''
      * ''Description'' > ''ipsec''
      * ''Local IP'' > ''0.0.0.0'' (binds to whatever address the WAN interface currently has, which is what you want with a dynamic IP)
      * ''Encryption'' > ''AES-128''
      * ''Hash'' > ''SHA1'' (legacy; the CLI section below moves both IKE and ESP to SHA-256)
      * ''DH Group'' > ''14''
      * ''Pre-shared Secret'' > the passphrase generated in the first step (it must be identical on both routers)
      * ''Local subnet'' > e.g. ''10.0.0.0/24''
      * ''Remote subnet'' > e.g. ''10.0.1.0/24''
  * Even with ''Automatically open firewall and exclude from NAT'' ticked, the EdgeRouter's own LAN address is not reachable through the VPN. Decrypted tunnel traffic arrives on the WAN interface, and traffic addressed to the router itself is evaluated by the ''WAN_LOCAL'' ruleset, which the option does not open for the remote subnet. This rule fixes that; note it accepts only packets that were IPsec-protected (''match-ipsec'') from the remote subnet to the local subnet, not arbitrary WAN traffic:
    * ''Firewall/NAT'' > ''Firewall Policies'' > ''WAN_LOCAL'' > ''Actions'' > ''Edit Ruleset'' > ''Add New Rule''
      * ''Basic'' > ''Description'' > ''ipsec''
      * ''Basic'' > ''Action'' > ''Accept''
      * ''Advanced'' > ''IPsec'' > ''Match inbound IPsec packets''
      * ''Source'' > ''Address'' > Remote subnet, e.g. ''10.0.1.0/24''
      * ''Destination'' > ''Address'' > Local subnet, e.g. ''10.0.0.0/24''
      * ''Save''
  * The above should give a working site-to-site VPN connection. The commands below add extra useful features.
  * Run the following on each of the routers, replacing hostnames as appropriate (the commands shown are for er-l, with er-r as the peer):

<code>
# Run this generate command on each of the routers first (operational mode), then copy
# the public key it produces (shown by "show vpn ike rsa-keys") to paste into the
# other router's settings
generate vpn rsa-key

configure

# IPsec hardware offloading
set system offload ipsec enable

# Use domain-specific DNS across the VPN. Decrypted IPsec traffic from the remote site
# enters on the WAN interface, so the forwarder must listen there to answer queries
# from the other site. Keep WAN_LOCAL dropping non-IPsec traffic to port 53, or this
# turns the router into an open resolver.
set service dns forwarding listen-on eth0   # (or pppoe0 if using PPPoE)
# Queries for the internal domain are never forwarded upstream (answered from local hosts/leases only)...
set service dns forwarding options server=/example.com/
# ...except the public VPN name, which "#" sends to the standard upstream servers
set service dns forwarding options server=/vpn.example.com/#

# Change hashing and encryption settings. SHA-256 replaces the SHA1/MD5 defaults on
# both groups; MD5 and SHA1 should not be used for new tunnels.
set vpn ipsec ike-group FOO0 proposal 1 encryption aes256
set vpn ipsec ike-group FOO0 proposal 1 hash sha256
set vpn ipsec ike-group FOO0 lifetime 86400
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash sha256
set vpn ipsec esp-group FOO0 lifetime 43200
# Keep PFS enabled so a later compromise of the IKE keys cannot decrypt recorded ESP traffic
set vpn ipsec esp-group FOO0 pfs enable

# Change IKE key exchange from version 1 to version 2
set vpn ipsec ike-group FOO0 key-exchange ikev2

# Enable Dead Peer Detection (DPD)
set vpn ipsec ike-group FOO0 dead-peer-detection action restart
set vpn ipsec ike-group FOO0 dead-peer-detection interval 30
set vpn ipsec ike-group FOO0 dead-peer-detection timeout 120

# Authentication IDs (this router identifies itself as er-l and requires the peer to be er-r)
set vpn ipsec site-to-site peer er-r.ubnt.com authentication id @er-l.ubnt.com
set vpn ipsec site-to-site peer er-r.ubnt.com authentication remote-id @er-r.ubnt.com

# RSA authentication: replace the temporary pre-shared secret with the key pair generated above.
# The rsa-key line is followed by er-r's public key, copied from er-r's "show vpn ike rsa-keys" output.
set vpn rsa-keys local-key file /config/ipsec.d/rsa-keys/localhost.key
set vpn rsa-keys rsa-key-name er-r rsa-key
delete vpn ipsec site-to-site peer er-r.ubnt.com authentication mode
delete vpn ipsec site-to-site peer er-r.ubnt.com authentication pre-shared-secret
set vpn ipsec site-to-site peer er-r.ubnt.com authentication mode rsa
set vpn ipsec site-to-site peer er-r.ubnt.com authentication rsa-key-name er-r

commit; save
</code>

  * One of the routers was behind PPPoE, so ''TCP MSS clamping'' had to be enabled on both routers to get HTTPS sites working through the VPN (the ESP overhead on top of the smaller PPPoE MTU otherwise leaves full-size TCP segments to be dropped, which shows up as TLS handshakes that hang):
    * ''Wizards'' > ''TCP MSS clamping''
    * ''Enable''
    * On the router with PPPoE:
      * Deselect ''All''
      * Select ''PPPoE''
    * ''MSS'' > ''1382''
  * Or in the CLI:

<code>
configure
# On the router with PPPoE:
set firewall options mss-clamp interface-type pppoe
# On the router without PPPoE:
set firewall options mss-clamp interface-type all
# On both routers:
set firewall options mss-clamp mss 1382
commit
save
</code>

===Notes:===
  * Reconnect the VPN using ''restart vpn'', or ''clear vpn ipsec-peer'' followed by the peer name.
  * Tail the VPN logs (show the last few lines and keep watching for more) using ''show vpn log tail''.
  * Sources:
    * https://help.ubnt.com/hc/en-us/articles/216771078-EdgeRouter-Modifying-the-Default-IPsec-Site-to-Site-VPN
    * https://help.ubnt.com/hc/en-us/articles/115011373628-EdgeRouter-Dynamic-Site-to-Site-IPsec-VPN-using-FQDNs
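The procedure above has to be entered twice with the FQDNs and subnets swapped, and a tunnel that never comes up is very often one where a subnet or ID was swapped on one side only. The script below is an added example (not from the original page or from Ubiquiti): it generates a 256-bit pre-shared secret, emits the EdgeOS ''set'' commands for one router using the hardened values from the CLI section (AES-256/SHA-256 IKE, AES-128/SHA-256 ESP, DH group 14, IKEv2, DPD, PFS on, ''auto-firewall-nat-exclude'' in place of the GUI checkbox, plus the WAN_LOCAL match-ipsec rule), and cross-checks that the two routers' outputs are mirror images before printing. The peer names and subnets are the page's examples; the firewall rule number 30 and the PSK-only configuration (the later switch to RSA authentication is still done by hand) are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original page. Emits mirror-image EdgeOS
# configs for both ends of the site-to-site tunnel so nothing is swapped by hand.
# FQDNs/subnets are the page's examples; rule number 30 is an assumption.

# 256-bit pre-shared secret as 64 hex characters (portable: od + tr only).
gen_psk() {
    od -An -tx1 -N32 /dev/urandom | tr -d ' \n'
}

# Usage: er_vpn_config LOCAL_FQDN REMOTE_FQDN LOCAL_SUBNET REMOTE_SUBNET PSK
# Prints the "set" lines to paste into "configure" on the router whose public
# name is LOCAL_FQDN; the peer and remote-id are the other router.
er_vpn_config() {
    local_fqdn=$1 remote_fqdn=$2 local_net=$3 remote_net=$4 psk=$5
    peer=$remote_fqdn
    cat <<EOF
set vpn ipsec auto-firewall-nat-exclude enable
set vpn ipsec ike-group FOO0 key-exchange ikev2
set vpn ipsec ike-group FOO0 lifetime 86400
set vpn ipsec ike-group FOO0 proposal 1 dh-group 14
set vpn ipsec ike-group FOO0 proposal 1 encryption aes256
set vpn ipsec ike-group FOO0 proposal 1 hash sha256
set vpn ipsec ike-group FOO0 dead-peer-detection action restart
set vpn ipsec ike-group FOO0 dead-peer-detection interval 30
set vpn ipsec ike-group FOO0 dead-peer-detection timeout 120
set vpn ipsec esp-group FOO0 lifetime 43200
set vpn ipsec esp-group FOO0 pfs enable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash sha256
set vpn ipsec site-to-site peer $peer description ipsec
set vpn ipsec site-to-site peer $peer authentication mode pre-shared-secret
set vpn ipsec site-to-site peer $peer authentication pre-shared-secret $psk
set vpn ipsec site-to-site peer $peer authentication id @$local_fqdn
set vpn ipsec site-to-site peer $peer authentication remote-id @$remote_fqdn
set vpn ipsec site-to-site peer $peer ike-group FOO0
set vpn ipsec site-to-site peer $peer local-address 0.0.0.0
set vpn ipsec site-to-site peer $peer tunnel 1 esp-group FOO0
set vpn ipsec site-to-site peer $peer tunnel 1 local prefix $local_net
set vpn ipsec site-to-site peer $peer tunnel 1 remote prefix $remote_net
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description ipsec
set firewall name WAN_LOCAL rule 30 ipsec match-ipsec
set firewall name WAN_LOCAL rule 30 source address $remote_net
set firewall name WAN_LOCAL rule 30 destination address $local_net
EOF
}

# Cross-check: succeeds only when er-l's local prefix is er-r's remote prefix
# and er-l's own id is exactly what er-r expects as remote-id.
mirror_ok() {
    l_cfg=$1 r_cfg=$2
    l_local=$(printf '%s\n' "$l_cfg" | sed -n 's/.*tunnel 1 local prefix //p')
    r_remote=$(printf '%s\n' "$r_cfg" | sed -n 's/.*tunnel 1 remote prefix //p')
    l_id=$(printf '%s\n' "$l_cfg" | sed -n 's/.*authentication id //p')
    r_rid=$(printf '%s\n' "$r_cfg" | sed -n 's/.*authentication remote-id //p')
    [ "$l_local" = "$r_remote" ] && [ "$l_id" = "$r_rid" ]
}

# Same secret on both sides; only names and subnets are swapped.
PSK=$(gen_psk)
ER_L=$(er_vpn_config vpn.site-l.com vpn.site-r.com 10.0.0.0/24 10.0.1.0/24 "$PSK")
ER_R=$(er_vpn_config vpn.site-r.com vpn.site-l.com 10.0.1.0/24 10.0.0.0/24 "$PSK")
mirror_ok "$ER_L" "$ER_R" && printf '%s\n' "$ER_L"
```

Paste the ''ER_L'' output into ''configure'' on er-l and the ''ER_R'' output on er-r, then ''commit; save''. Because ''mirror_ok'' compares the prefixes and IDs of the two generated configs, feeding it the same config twice (the classic copy-paste-without-swapping mistake) fails the check instead of producing a tunnel that silently never negotiates.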