EdgeRouter - Site-to-Site IPsec VPN to USG
Readers will learn how to configure a Policy-Based Site-to-Site IPsec VPN between an EdgeRouter and a USG.
NOTES & REQUIREMENTS:
Applicable to the latest EdgeOS firmware on all EdgeRouter models.
Devices used in this article:
FAQ
1. What site-to-site IPsec VPN types can be configured on EdgeOS?
The following IPsec VPN types can be configured on EdgeOS:
2. What are the available encryption and hashing options (Security Associations / SAs) for Phase 1 (IKE) and Phase 2 (ESP)?
Encryption:
Hashing:
Setting up a Policy-Based VPN
The 192.168.1.0/24 network (behind the EdgeRouter) and the 172.16.1.0/24 network (behind the USG) will be allowed to communicate with each other over the VPN.
GUI: Access the EdgeRouter Web UI.
1. Define the IPsec peer and hashing/encryption methods.
VPN > IPsec Site-to-Site > +Add Peer
- Check: Show advanced options
- Check: Automatically open firewall and exclude from NAT
Peer: 192.0.2.1
Description: ipsec
Local IP: 203.0.113.1
Encryption: AES-128
Hash: SHA1
DH Group: 14
Pre-shared Secret: <secret>
Local subnet: 192.168.1.0/24
Remote subnet: 172.16.1.0/24
2. Apply the changes.
GUI: Access the UniFi Controller Web Portal.
1. Navigate to Settings to create a new IPsec network using a custom profile.
Settings > Networks > +Create New Network
Name: ipsec
Purpose: Site-to-Site VPN
VPN Type: Manual IPsec
Enabled: Enable this Site-to-Site VPN
Remote Subnets: 192.168.1.0/24
Peer IP: 203.0.113.1
Local WAN IP: 192.0.2.1
Pre-Shared Key: <secret>
IPsec Profile: Customized
Expand (+) Advanced Options
Key Exchange Version: IKEv1
Encryption: AES-128
HASH: SHA1
DH Group: 14
PFS: Enable Perfect Forward Secrecy / Check
Dynamic Routing: Disable / Uncheck
NOTE: The USG will use all of its corporate networks as the local subnets (identifiers) for the IPsec connection.
2. Apply the changes.