ubnt:ipsec_site-to-site_vpn
Ipsec Site-to-site Vpn
Guide to set up a site-to-site VPN between two Ubiquiti Edgerouters
- Generate a temporary passphrase to use as the pre-shared secret
- Setup vpn.site-l.com and vpn.site-r.com as CNAMEs to the root domain for the sites and use those as the peer names
- On each of the routers, configure the VPN as below switching the FQDN and subnets as required
VPN>IPsec Site-to-SiteShow advanced optionsAutomatically open firewall and exclude from NAT+ Add PeerPeer> FQDN of remote router e.g.vpn.site-r.comDescription>ipsecLocalIP >0.0.0.0Encryption>AES-128Hash>SHA1DH Group>14Pre-shared Secret><secret>Local subnet> e.g.10.0.0.0/24Remote subnet> e.g.10.0.1.0/24
- Even using the
Automatically open firewall and exclude from NAToption doesn't allow the ER LAN interface to be reachable through the VPN, this fixes that: Firewall/NAT>Firewall Policies>WAN_LOCAL>Actions>Edit Ruleset>Add New RuleBasic>Description>ipsecAdvanced>IPsec>Match inbound IPsec packetsSource>Address> Remote subnet e.g.10.0.1.0/24Destination>Address> Local subnet e.g.10.0.0.0/24Save
- The above should give a working site-to-site VPN connection, the commands below are for extra useful features
- Run the following on each of the routers, replacing hostnames as appropriate (This shows commands for er-l):
# Run this generate command on each of the routers first and copy the public key to paste into the others settings generate vpn rsa-key configure # IPsec hardware offloading set system offload ipsec enable # Use domain-specific DNS across the VPN set service dns forwarding listen-on eth0 # (Or pppoe0 if using PPPoE) set service dns forwarding options server=/example.com/<remote subnet(e.g. 10.0.1.1)> set service dns forwarding options server=/vpn.example.com/# # Change hashing and encryption settings set vpn ipsec ike-group FOO0 proposal 1 encryption aes256 set vpn ipsec ike-group FOO0 proposal 1 hash sha256 set vpn ipsec ike-group FOO0 lifetime 86400 set vpn ipsec esp-group FOO0 proposal 1 encryption aes128 set vpn ipsec esp-group FOO0 proposal 1 hash md5 set vpn ipsec esp-group FOO0 lifetime 43200 set vpn ipsec esp-group FOO0 pfs disable # Change IKE Key Exchange from version 1 to version 2 set vpn ipsec ike-group FOO0 key-exchange ikev2 # Enable Dead Peer Detection (DPD) set vpn ipsec ike-group FOO0 dead-peer-detection action restart set vpn ipsec ike-group FOO0 dead-peer-detection interval 30 set vpn ipsec ike-group FOO0 dead-peer-detection timeout 120 # Authentication IDs set vpn ipsec site-to-site peer er-r.ubnt.com authentication id @er-l.ubnt.com set vpn ipsec site-to-site peer er-r.ubnt.com authentication remote-id @er-r.ubnt.com # RSA Authentication set vpn rsa-keys local-key file /config/ipsec.d/rsa-keys/localhost.key set vpn rsa-keys rsa-key-name er-r rsa-key <er-r public key> delete vpn ipsec site-to-site peer er-r.ubnt.com authentication mode delete vpn ipsec site-to-site peer er-r.ubnt.com authentication pre-shared-secret set vpn ipsec site-to-site peer er-r.ubnt.com authentication mode rsa set vpn ipsec site-to-site peer er-r.ubnt.com authentication rsa-key-name er-r commit; save
- One of the routers was behind PPPoE so it needed
TCP MSS clampingenabling on both routers to get HTTPS sites working through the VPN:Wizards>TCP MSS clampingEnable- On the router with PPPoE:
- Deselect
All - Select
PPPoE
MSS>1382
- Or in the cli:
configure # On the router with PPPoE: set firewall options mss-clamp interface-type PPPoE # On the router without PPPoE: set firewall options mss-clamp interface-type all set firewall options mss-clamp mss 1382 commit save
Notes:
- Reconnect to VPN using
restart vpnorclear vpn ipsec-peer <peername> - Tail (show last few lines and watch for more) the VPN logs using
show vpn log tail
- Sources:
ubnt/ipsec_site-to-site_vpn.txt · Last modified: 2024/09/22 19:51 (external edit)
