ubnt:ipsec_site-to-site_vpn

Differences

This shows you the differences between two versions of the page.

ubnt:ipsec_site-to-site_vpn [2018/12/10 09:50]
derek created
ubnt:ipsec_site-to-site_vpn [2024/09/22 19:51] (current)
Line 1: Line 1:
 =====Ipsec Site-to-site Vpn===== =====Ipsec Site-to-site Vpn=====
 +Guide to set up a site-to-site VPN between two Ubiquiti Edgerouters
  
-Access the router CLI either through the GUI or a SSH client.+  * Generate a temporary passphrase to use as the pre-shared secret 
 +  * Setup vpn.site-l.com and vpn.site-r.com as CNAMEs to the root domain for the sites and use those as the peer names 
 +  * On each of the routers, configure the VPN as below switching the FQDN and subnets as required 
 +  * ''VPN'' > ''IPsec Site-to-Site'' 
 +    * ''Show advanced options'' 
 +    * ''Automatically open firewall and exclude from NAT'' 
 +    * ''+ Add Peer'' 
 +      * ''Peer'' > FQDN of remote router e.g. ''vpn.site-r.com'' 
 +      * ''Description'' > ''ipsec'' 
 +      * ''Local'' IP > ''0.0.0.0'' 
 +      * ''Encryption'' > ''AES-128'' 
 +      * ''Hash'' > ''SHA1'' 
 +      * ''DH Group'' > ''14'' 
 +      * ''Pre-shared Secret'' > ''<secret>'' 
 +      * ''Local subnet'' >  e.g. ''10.0.0.0/24'' 
 +      * ''Remote subnet'' > e.g. ''10.0.1.0/24''
  
-Check to make sure IPsec hardware offloading is enabled using ''show ubnt offload''+  * Even using the ''Automatically open firewall and exclude from NAT'' option doesn't allow the ER LAN interface to be reachable through the VPN, this fixes that: 
 +  * ''Firewall/NAT'' > ''Firewall Policies'' > ''WAN_LOCAL'' > ''Actions'' > ''Edit Ruleset'' > ''Add New Rule'' 
 +  * ''Basic'' > ''Description'' > ''ipsec'' 
 +  * ''Advanced'' > ''IPsec'' > ''Match inbound IPsec packets'' 
 +  * ''Source'' > ''Address'' > Remote subnet e.g. ''10.0.1.0/24'' 
 +  * ''Destination'' > ''Address'' > Local subnet e.g. ''10.0.0.0/24'' 
 +  * ''Save''
  
-  https://help.ubnt.com/hc/en-us/articles/115011373628-EdgeRouter-Dynamic-Site-to-Site-IPsec-VPN-using-FQDNs + 
-  * https://www.reddit.com/r/Ubiquiti/comments/8jpjwn/thanks_ubnt_achieved_ipsec_site_to_site_vpn+  The above should give a working site-to-site VPN connection, the commands below are for extra useful features 
 +  * Run the following on each of the routers, replacing hostnames as appropriate (This shows commands for er-l): 
 +<code> 
 +# Run this generate command on each of the routers first and copy the public key to paste into the others settings 
 +generate vpn rsa-key 
 + 
 +configure 
 + 
 +# IPsec hardware offloading 
 +set system offload ipsec enable 
 + 
 +# Use domain-specific DNS across the VPN 
 +set service dns forwarding listen-on eth0 # (Or pppoe0 if using PPPoE) 
 +set service dns forwarding options server=/example.com/<remote subnet(e.g. 10.0.1.1)> 
 +set service dns forwarding options server=/vpn.example.com/# 
 + 
 +# Change hashing and encryption settings 
 +set vpn ipsec ike-group FOO0 proposal 1 encryption aes256 
 +set vpn ipsec ike-group FOO0 proposal 1 hash sha256 
 +set vpn ipsec ike-group FOO0 lifetime 86400 
 + 
 +set vpn ipsec esp-group FOO0 proposal 1 encryption aes128 
 +set vpn ipsec esp-group FOO0 proposal 1 hash md5 
 +set vpn ipsec esp-group FOO0 lifetime 43200 
 +set vpn ipsec esp-group FOO0 pfs disable 
 + 
 +# Change IKE Key Exchange from version 1 to version 2 
 +set vpn ipsec ike-group FOO0 key-exchange ikev2 
 + 
 +# Enable Dead Peer Detection (DPD) 
 +set vpn ipsec ike-group FOO0 dead-peer-detection action restart 
 +set vpn ipsec ike-group FOO0 dead-peer-detection interval 30 
 +set vpn ipsec ike-group FOO0 dead-peer-detection timeout 120 
 + 
 +# Authentication IDs 
 +set vpn ipsec site-to-site peer er-r.ubnt.com authentication id @er-l.ubnt.com 
 +set vpn ipsec site-to-site peer er-r.ubnt.com authentication remote-id @er-r.ubnt.com 
 + 
 +# RSA Authentication 
 +set vpn rsa-keys local-key file /config/ipsec.d/rsa-keys/localhost.key 
 +set vpn rsa-keys rsa-key-name er-r rsa-key <er-r public key> 
 + 
 +delete vpn ipsec site-to-site peer er-r.ubnt.com authentication mode 
 +delete vpn ipsec site-to-site peer er-r.ubnt.com authentication pre-shared-secret 
 + 
 +set vpn ipsec site-to-site peer er-r.ubnt.com authentication mode rsa 
 +set vpn ipsec site-to-site peer er-r.ubnt.com authentication rsa-key-name er-r 
 + 
 +commit; save 
 +</code> 
 + 
 + 
 +  * One of the routers was behind PPPoE so it needed ''TCP MSS clamping'' enabling on both routers to get HTTPS sites working through the VPN: 
 +    * ''Wizards'' > ''TCP MSS clamping'' 
 +      * ''Enable'' 
 +      * On the router with PPPoE: 
 +        * Deselect ''All'' 
 +        * Select ''PPPoE'' 
 +      * ''MSS'' > ''1382'' 
 +  * Or in the cli: 
 +<code> 
 +configure 
 +# On the router with PPPoE: 
 +set firewall options mss-clamp interface-type PPPoE 
 +# On the router without PPPoE: 
 +set firewall options mss-clamp interface-type all 
 +set firewall options mss-clamp mss 1382 
 +commit 
 +save 
 +</code> 
 + 
 +===Notes:=== 
 +  * Reconnect to VPN using ''restart vpn'' or ''clear vpn ipsec-peer <peername>'' 
 +  * Tail (show last few lines and watch for more) the VPN logs using ''show vpn log tail'' 
 + 
 + 
 +  * Sources:
   * https://help.ubnt.com/hc/en-us/articles/216771078-EdgeRouter-Modifying-the-Default-IPsec-Site-to-Site-VPN   * https://help.ubnt.com/hc/en-us/articles/216771078-EdgeRouter-Modifying-the-Default-IPsec-Site-to-Site-VPN
 +  * https://help.ubnt.com/hc/en-us/articles/115011373628-EdgeRouter-Dynamic-Site-to-Site-IPsec-VPN-using-FQDNs
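Review bot: the "Change hashing and encryption settings" block weakens the ESP side of the tunnel while it strengthens IKE: `set vpn ipsec esp-group FOO0 proposal 1 hash md5` drops integrity from the GUI's SHA1 to HMAC-MD5, and `set vpn ipsec esp-group FOO0 pfs disable` means the child SA keys are derived from the IKE keys alone, so a compromised IKE SA exposes all ESP traffic for the 43200 s lifetime. Suggest `hash sha256` and `pfs enable` (or the dh-group14 form to match the DH Group 14 chosen in the GUI) so the ESP proposal is consistent with the aes256/sha256 IKE proposal two lines above. The IKE-side override to sha256 is fine as written and supersedes the SHA1 picked in the GUI steps, since the GUI creates the same FOO0 groups; a sentence saying so would save readers from wondering which setting wins.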
ubnt/ipsec_site-to-site_vpn.1544435409.txt.gz · Last modified: 2024/09/22 19:51 (external edit)