ubnt:ipsec_site-to-site

Ipsec Site-to-site Vpn

Guide to set up a site-to-site VPN between two Ubiquiti Edgerouters

Generate a temporary passphrase to use as the pre-shared secret
Setup vpn.site-l.com and vpn.site-r.com as CNAMEs to the root domain for the sites and use those as the peer names
On each of the routers, configure the VPN as below switching the FQDN and subnets as required
VPN > IPsec Site-to-Site
- Show advanced options
- Automatically open firewall and exclude from NAT
- + Add Peer
  - Peer > FQDN of remote router e.g. vpn.site-r.com
  - Description > ipsec
  - Local IP > 0.0.0.0
  - Encryption > AES-128
  - Hash > SHA1
  - DH Group > 14
  - Pre-shared Secret > <secret>
  - Local subnet > e.g. 10.0.0.0/24
  - Remote subnet > e.g. 10.0.1.0/24

Even using the Automatically open firewall and exclude from NAT option doesn't allow the ER LAN interface to be reachable through the VPN, this fixes that:
Firewall/NAT > Firewall Policies > WAN_LOCAL > Actions > Edit Ruleset > Add New Rule
Basic > Description > ipsec
Advanced > IPsec > Match inbound IPsec packets
Source > Address > Remote subnet e.g. 10.0.1.0/24
Destination > Address > Local subnet e.g. 10.0.0.0/24
Save

The above should give a working site-to-site VPN connection, the commands below are for extra useful features
Run the following on each of the routers, replacing hostnames as appropriate (This shows commands for er-l):

# Run this generate command on each of the routers first and copy the public key to paste into the others settings
generate vpn rsa-key

configure

# IPsec hardware offloading
set system offload ipsec enable

# Use domain-specific DNS across the VPN
set service dns forwarding listen-on eth0 # (Or pppoe0 if using PPPoE)
set service dns forwarding options server=/example.com/<remote subnet(e.g. 10.0.1.1)>
set service dns forwarding options server=/vpn.example.com/#

# Change hashing and encryption settings
set vpn ipsec ike-group FOO0 proposal 1 encryption aes256
set vpn ipsec ike-group FOO0 proposal 1 hash sha256
set vpn ipsec ike-group FOO0 lifetime 86400

set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash md5
set vpn ipsec esp-group FOO0 lifetime 43200
set vpn ipsec esp-group FOO0 pfs disable

# Change IKE Key Exchange from version 1 to version 2
set vpn ipsec ike-group FOO0 key-exchange ikev2

# Enable Dead Peer Detection (DPD)
set vpn ipsec ike-group FOO0 dead-peer-detection action restart
set vpn ipsec ike-group FOO0 dead-peer-detection interval 30
set vpn ipsec ike-group FOO0 dead-peer-detection timeout 120

# Authentication IDs
set vpn ipsec site-to-site peer er-r.ubnt.com authentication id @er-l.ubnt.com
set vpn ipsec site-to-site peer er-r.ubnt.com authentication remote-id @er-r.ubnt.com

# RSA Authentication
set vpn rsa-keys local-key file /config/ipsec.d/rsa-keys/localhost.key
set vpn rsa-keys rsa-key-name er-r rsa-key <er-r public key>

delete vpn ipsec site-to-site peer er-r.ubnt.com authentication mode
delete vpn ipsec site-to-site peer er-r.ubnt.com authentication pre-shared-secret

set vpn ipsec site-to-site peer er-r.ubnt.com authentication mode rsa
set vpn ipsec site-to-site peer er-r.ubnt.com authentication rsa-key-name er-r

commit; save

One of the routers was behind PPPoE so it needed TCP MSS clamping enabling on both routers to get HTTPS sites working through the VPN:
- Wizards > TCP MSS clamping
  - Enable
  - On the router with PPPoE:
    - Deselect All
    - Select PPPoE
  - MSS > 1382
Or in the cli:

configure
# On the router with PPPoE:
set firewall options mss-clamp interface-type PPPoE
# On the router without PPPoE:
set firewall options mss-clamp interface-type all
set firewall options mss-clamp mss 1382
commit
save

Notes:

Reconnect to VPN using restart vpn or clear vpn ipsec-peer <peername>
Tail (show last few lines and watch for more) the VPN logs using show vpn log tail