ubnt:ipsec_site-to-site_vpn

ubnt:ipsec_site-to-site_vpn [2019/01/31 17:44]
derek
ubnt:ipsec_site-to-site_vpn [2024/09/22 19:51] (current)
Line 1: Line 1:
 =====Ipsec Site-to-site Vpn===== =====Ipsec Site-to-site Vpn=====
 +Guide to set up a site-to-site VPN between two Ubiquiti Edgerouters
  
-  * Reconnect to VPN using ''clear vpn ipsec-peer <peername>'' +  * Generate a temporary passphrase to use as the pre-shared secret 
- +  * Setup vpn.site-l.com and vpn.site-r.com as CNAMEs to the root domain for the sites and use those as the peer names
-Check to make sure IPsec hardware offloading is enabled using ''show ubnt offload''+
-Use ''set system offload ipsec enable'' in the cli if not. +
- +
-  * Generate a passphrase to use as the pre-shared secret+
   * On each of the routers, configure the VPN as below switching the FQDN and subnets as required   * On each of the routers, configure the VPN as below switching the FQDN and subnets as required
   * ''VPN'' > ''IPsec Site-to-Site''   * ''VPN'' > ''IPsec Site-to-Site''
Line 12: Line 9:
     * ''Automatically open firewall and exclude from NAT''     * ''Automatically open firewall and exclude from NAT''
     * ''+ Add Peer''     * ''+ Add Peer''
-      * ''Peer'' > FQDN of remote router e.g. ''er-l.ubnt.com''+      * ''Peer'' > FQDN of remote router e.g. ''vpn.site-r.com''
       * ''Description'' > ''ipsec''       * ''Description'' > ''ipsec''
       * ''Local'' IP > ''0.0.0.0''       * ''Local'' IP > ''0.0.0.0''
Line 19: Line 16:
       * ''DH Group'' > ''14''       * ''DH Group'' > ''14''
       * ''Pre-shared Secret'' > ''<secret>''       * ''Pre-shared Secret'' > ''<secret>''
-      * ''Local subnet'' > e.g. ''192.168.1.0/24'' +      * ''Local subnet'' e.g. ''10.0.0.0/24'' 
-      * ''Remote subnet'' > e.g. ''172.16.1.0/24''+      * ''Remote subnet'' > e.g. ''10.0.1.0/24''
  
   * Even using the ''Automatically open firewall and exclude from NAT'' option doesn't allow the ER LAN interface to be reachable through the VPN, this fixes that:   * Even using the ''Automatically open firewall and exclude from NAT'' option doesn't allow the ER LAN interface to be reachable through the VPN, this fixes that:
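Review bot: the rewritten ''Local subnet'' line lost the ''>'' separator that every other item in this list uses (compare ''Remote subnet'' > e.g. ...); restore it for consistency. The new ''10.0.0.0/24'' / ''10.0.1.0/24'' examples do now match the firewall rule below, which fixes the mismatch in the previous revision (''192.168.1.0/24'' and ''172.16.1.0/24'' here versus ''10.0.0.0/24'' and ''10.0.1.0/24'' in the firewall step).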
Line 26: Line 23:
   * ''Basic'' > ''Description'' > ''ipsec''   * ''Basic'' > ''Description'' > ''ipsec''
   * ''Advanced'' > ''IPsec'' > ''Match inbound IPsec packets''   * ''Advanced'' > ''IPsec'' > ''Match inbound IPsec packets''
-  * ''Source'' > ''Address'' > Remote subnet e.g. ''10.0.0.0/24'' +  * ''Source'' > ''Address'' > Remote subnet e.g. ''10.0.1.0/24'' 
-  * ''Destination'' > ''Address'' > Local subnet e.g. ''10.0.1.0/24''+  * ''Destination'' > ''Address'' > Local subnet e.g. ''10.0.0.0/24''
   * ''Save''   * ''Save''
  
  
-  * FIXME: TODO Change from pre-shared key to certificate-based authentication.+  * The above should give a working site-to-site VPN connection, the commands below are for extra useful features 
 +  * Run the following on each of the routers, replacing hostnames as appropriate (This shows commands for er-l):
 <code> <code>
 +# Run this generate command on each of the routers first and copy the public key to paste into the others settings
 generate vpn rsa-key generate vpn rsa-key
  
 configure configure
 +
 +# IPsec hardware offloading
 +set system offload ipsec enable
 +
 +# Use domain-specific DNS across the VPN
 +set service dns forwarding listen-on eth0 # (Or pppoe0 if using PPPoE)
 +set service dns forwarding options server=/example.com/<remote subnet(e.g. 10.0.1.1)>
 +set service dns forwarding options server=/vpn.example.com/#
 +
 +# Change hashing and encryption settings
 +set vpn ipsec ike-group FOO0 proposal 1 encryption aes256
 +set vpn ipsec ike-group FOO0 proposal 1 hash sha256
 +set vpn ipsec ike-group FOO0 lifetime 86400
 +
 +set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
 +set vpn ipsec esp-group FOO0 proposal 1 hash md5
 +set vpn ipsec esp-group FOO0 lifetime 43200
 +set vpn ipsec esp-group FOO0 pfs disable
 +
 +# Change IKE Key Exchange from version 1 to version 2
 +set vpn ipsec ike-group FOO0 key-exchange ikev2
 +
 +# Enable Dead Peer Detection (DPD)
 +set vpn ipsec ike-group FOO0 dead-peer-detection action restart
 +set vpn ipsec ike-group FOO0 dead-peer-detection interval 30
 +set vpn ipsec ike-group FOO0 dead-peer-detection timeout 120
 +
 +# Authentication IDs
 +set vpn ipsec site-to-site peer er-r.ubnt.com authentication id @er-l.ubnt.com
 +set vpn ipsec site-to-site peer er-r.ubnt.com authentication remote-id @er-r.ubnt.com
 +
 +# RSA Authentication
 set vpn rsa-keys local-key file /config/ipsec.d/rsa-keys/localhost.key set vpn rsa-keys local-key file /config/ipsec.d/rsa-keys/localhost.key
-set vpn rsa-keys rsa-key-name er-rsa-key <er-public key>+set vpn rsa-keys rsa-key-name er-rsa-key <er-public key> 
 + 
 +delete vpn ipsec site-to-site peer er-r.ubnt.com authentication mode 
 +delete vpn ipsec site-to-site peer er-r.ubnt.com authentication pre-shared-secret
  
-delete vpn ipsec site-to-site peer er-l.ubnt.com authentication mode +set vpn ipsec site-to-site peer er-r.ubnt.com authentication mode rsa 
-delete vpn ipsec site-to-site peer er-l.ubnt.com authentication pre-shared-secret+set vpn ipsec site-to-site peer er-r.ubnt.com authentication rsa-key-name er-r
  
-set vpn ipsec site-to-site peer er-l.ubnt.com authentication mode rsa +commit; save
-set vpn ipsec site-to-site peer er-l.ubnt.com authentication rsa-key-name er-l+
 </code> </code>
  
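Review bot: the RSA key name does not line up: the public key is stored as ''set vpn rsa-keys rsa-key-name er-rsa-key <er-public key>'' but the peer is pointed at ''authentication rsa-key-name er-r'', so the peer references a key name that was never defined (the previous revision had the same mismatch with ''er-l''); use one name in both commands. Second, the ESP proposal is weaker than the IKE proposal above it: ''hash md5'' and ''pfs disable'' while IKE is set to ''sha256'' with DH group 14; suggest ''hash sha256'' and ''pfs enable'', and if offload constraints force the weaker values, say so in the comment. Third, hostnames are inconsistent across the page after this change: the intro sets up ''vpn.site-l.com'' and ''vpn.site-r.com'' and the GUI step uses ''vpn.site-r.com'', but every ''set vpn ipsec site-to-site peer ...'' command here still uses ''er-r.ubnt.com'' / ''er-l.ubnt.com''; the peer name in these commands must match the one created in the GUI or the ''set'' lines create a second, unconfigured peer. Finally, the DNS forwarding placeholder ''<remote subnet(e.g. 10.0.1.1)>'' is a host address rather than a subnet; label it as the remote router's LAN address (the resolver being forwarded to).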
Line 50: Line 83:
     * ''Wizards'' > ''TCP MSS clamping''     * ''Wizards'' > ''TCP MSS clamping''
       * ''Enable''       * ''Enable''
-      * Deselect ''All'' +      * On the router with PPPoE: 
-      * Select ''PPPoE''+        * Deselect ''All'' 
 +        * Select ''PPPoE''
       * ''MSS'' > ''1382''       * ''MSS'' > ''1382''
   * Or in the cli:   * Or in the cli:
 <code> <code>
 configure configure
 +# On the router with PPPoE:
 +set firewall options mss-clamp interface-type PPPoE
 +# On the router without PPPoE:
 set firewall options mss-clamp interface-type all set firewall options mss-clamp interface-type all
 set firewall options mss-clamp mss 1382 set firewall options mss-clamp mss 1382
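Review bot: the two ''interface-type'' commands are alternatives (the comments say one is for the PPPoE router and one for the other) but they sit in a single block under one ''configure'', so a reader pasting the block runs both. Suggest splitting them into two ''<code>'' blocks, one per router, mirroring the "On the router with PPPoE" bullet in the GUI steps above, and keep the shared ''mss-clamp mss 1382'' line in each.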
Line 62: Line 99:
 </code> </code>
  
 +===Notes:===
 +  * Reconnect to VPN using ''restart vpn'' or ''clear vpn ipsec-peer <peername>''
 +  * Tail (show last few lines and watch for more) the VPN logs using ''show vpn log tail''
  
  
-  * FIXME TODO+  * Sources
-    * Get DNS across the VPN working (Possibly using DNS-views) +  * https://help.ubnt.com/hc/en-us/articles/216771078-EdgeRouter-Modifying-the-Default-IPsec-Site-to-Site-VPN 
-    * Change the P1 and P2 Security Associations. +  * https://help.ubnt.com/hc/en-us/articles/115011373628-EdgeRouter-Dynamic-Site-to-Site-IPsec-VPN-using-FQDNs
-    * Change the IKE Key Exchange from version 1 to version 2? +
-    * https://help.ubnt.com/hc/en-us/articles/216771078-EdgeRouter-Modifying-the-Default-IPsec-Site-to-Site-VPN+
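Review bot: ''Sources'' is a bullet at the same level as the two URLs it introduces, while ''Notes:'' was given a ''===Notes:==='' heading in the same change; make ''Sources'' a heading of the same level so the two closing sections are consistent. Dropping the old TODO items is fine, since DNS across the VPN, the P1/P2 proposals and IKEv2 are all handled in the new CLI block. The reconnect note lists two commands without saying when to use which: ''clear vpn ipsec-peer <peername>'' takes a peer name and ''restart vpn'' does not, so state that the former is the targeted option and the latter the broader one.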
ubnt/ipsec_site-to-site_vpn.1548956655.txt.gz · Last modified: 2024/09/22 19:51 (external edit)