EdgeRouter - Modifying the Default IPsec Site-to-Site VPN
Overview
Readers will learn how to modify the default Site-to-Site IPsec VPN settings using the Command Line Interface (CLI).
- Applicable to the latest EdgeOS firmware on all EdgeRouter models.
- Knowledge of the Command Line Interface (CLI) and advanced networking knowledge is required.
Table of Contents
- Frequently Asked Questions (FAQ)
- Configuring a Policy-Based VPN Using the Web UI
- Modifying the VPN Settings Using the CLI
- Related Articles
Frequently Asked Questions (FAQ)
What site-to-site IPsec VPN types can be configured on EdgeOS?
The following IPsec VPN types can be configured on EdgeOS:
What are the available encryption and hashing options (Security Associations / SAs) for Phase 1 (IKE) and Phase 2 (ESP)?
Encryption
Hashing
Configuring a Policy-Based VPN Using the Web UI
The 192.168.1.0/24 and 172.16.1.0/24 networks will be allowed to communicate with each other over the VPN.
Follow the steps below to configure the Policy-Based Site-to-Site IPsec VPN on both EdgeRouters:
First EdgeRouter (Local IP 203.0.113.1, local subnet 192.168.1.0/24):
1. Define the IPsec peer and the hashing/encryption methods.
VPN > IPsec Site-to-Site > +Add Peer
- Check: Show advanced options
- Uncheck: Automatically open firewall and exclude from NAT
Peer: 192.0.2.1
Description: ipsec
Local IP: 203.0.113.1
Encryption: AES-128
Hash: SHA1
DH Group: 14
Pre-shared Secret: <secret>
Local subnet: 192.168.1.0/24
Remote subnet: 172.16.1.0/24
2. Apply the changes.
Second EdgeRouter (Local IP 192.0.2.1, local subnet 172.16.1.0/24):
1. Define the IPsec peer and the hashing/encryption methods.
VPN > IPsec Site-to-Site > +Add Peer
- Check: Show advanced options
- Uncheck: Automatically open firewall and exclude from NAT
Peer: 203.0.113.1
Description: ipsec
Local IP: 192.0.2.1
Encryption: AES-128
Hash: SHA1
DH Group: 14
Pre-shared Secret: <secret>
Local subnet: 172.16.1.0/24
Remote subnet: 192.168.1.0/24
2. Apply the changes.
Modifying the VPN Settings Using the CLI
Modifying the default VPN settings through the command line may be necessary in some environments. For example, if you wish to disable the PFS (Perfect Forward Secrecy) feature or if you want to manually create the firewall and NAT rules that control the traffic that is passed over the VPN.
If enabled, the Automatic Firewall/NAT checkbox adds the following rules to the iptables firewall in the background:
- UBNT_VPN_IPSEC_FW_HOOK: allow UDP port 500 (IKE), UDP port 4500 (NAT-T) and ESP in the local direction.
- UBNT_VPN_IPSEC_FW_IN_HOOK: allow IPsec traffic from the remote subnet to the local subnet in the local and inbound direction.
- UBNT_VPN_IPSEC_SNAT_HOOK: exclude all traffic from the local subnet to the remote subnet from NAT.
You can verify these firewall and NAT rules by running the following commands on both routers:
sudo iptables -L -v -n
Chain UBNT_VPN_IPSEC_FW_HOOK (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 500,4500
0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0
Chain UBNT_VPN_IPSEC_FW_IN_HOOK (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 192.168.1.0/24 172.16.1.0/24
sudo iptables -t nat -L -vn
Chain UBNT_VPN_IPSEC_SNAT_HOOK (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 192.168.1.0/24 172.16.1.0/24
The iptables firewall entries are not automatically cleared when the feature is disabled (if it was enabled previously). To clear the rules, reboot the device or delete the entries manually with the iptables commands below. Each command deletes rule number 1 of the named chain; UBNT_VPN_IPSEC_FW_HOOK holds two rules (IKE/NAT-T and ESP), so its command is run twice, because the remaining rule moves up to position 1 after the first deletion:
sudo iptables -D UBNT_VPN_IPSEC_FW_HOOK 1
sudo iptables -D UBNT_VPN_IPSEC_FW_HOOK 1
sudo iptables -D UBNT_VPN_IPSEC_FW_IN_HOOK 1
sudo iptables -t nat -D UBNT_VPN_IPSEC_SNAT_HOOK 1
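As an added example that is not part of the article, the Python script below automates the check described above: it parses the text of `sudo iptables -L -v -n` and `sudo iptables -t nat -L -vn`, counts the rules still present in the three UBNT_VPN_IPSEC hook chains, and emits one delete command per leftover rule in the same order as the commands above. The embedded listings are constructed to match the article's output; on a router you would feed it the real command output instead.

```python
"""Find leftover EdgeOS auto-firewall IPsec rules in iptables output and
produce the delete commands needed to clear them.

Added example, not from the Ubiquiti article: it parses the text of
`sudo iptables -L -v -n` and `sudo iptables -t nat -L -vn` shown in the
article. The sample listings below are constructed to match that output.
"""
import re

# Chains created by the "Automatically open firewall and exclude from NAT"
# option, and the iptables table each one lives in.
HOOK_CHAINS = {
    "UBNT_VPN_IPSEC_FW_HOOK": "filter",
    "UBNT_VPN_IPSEC_FW_IN_HOOK": "filter",
    "UBNT_VPN_IPSEC_SNAT_HOOK": "nat",
}

# Constructed sample listings (a router where the option was unchecked after
# having been enabled: the chains still carry their rules).
FILTER_LISTING = """\
Chain UBNT_VPN_IPSEC_FW_HOOK (1 references)
 pkts bytes target  prot opt in  out  source          destination
    0     0 ACCEPT  udp  --  *   *    0.0.0.0/0       0.0.0.0/0   multiport dports 500,4500
    0     0 ACCEPT  esp  --  *   *    0.0.0.0/0       0.0.0.0/0
Chain UBNT_VPN_IPSEC_FW_IN_HOOK (1 references)
 pkts bytes target  prot opt in  out  source          destination
    0     0 ACCEPT  all  --  *   *    192.168.1.0/24  172.16.1.0/24
"""
NAT_LISTING = """\
Chain UBNT_VPN_IPSEC_SNAT_HOOK (1 references)
 pkts bytes target  prot opt in  out  source          destination
    0     0 ACCEPT  all  --  *   *    192.168.1.0/24  172.16.1.0/24
"""

CHAIN_HEADER = re.compile(r"^Chain (\S+) \(")


def count_chain_rules(listing):
    """Return {hook chain: rule count} for every UBNT hook chain in a listing."""
    counts, current = {}, None
    for line in listing.splitlines():
        m = CHAIN_HEADER.match(line)
        if m:
            current = m.group(1)
            if current in HOOK_CHAINS:
                counts[current] = 0
            continue
        # Column header lines start with "pkts"; blank lines separate chains.
        if current in HOOK_CHAINS and line.strip() and not line.lstrip().startswith("pkts"):
            counts[current] += 1
    return counts


def cleanup_commands(filter_listing, nat_listing):
    """One `iptables -D <chain> 1` per leftover rule.

    Deleting position 1 repeatedly is deliberate: after each deletion the next
    rule moves up to position 1, so the same command empties the chain.
    """
    cmds = []
    for listing in (filter_listing, nat_listing):
        for chain, n in count_chain_rules(listing).items():
            table = "-t nat " if HOOK_CHAINS[chain] == "nat" else ""
            cmds.extend([f"sudo iptables {table}-D {chain} 1"] * n)
    return cmds


def is_clean(filter_listing, nat_listing):
    """True when no hook chain still carries a rule (absent chains count as clean)."""
    return all(n == 0
               for listing in (filter_listing, nat_listing)
               for n in count_chain_rules(listing).values())


if __name__ == "__main__":
    print("\n".join(cleanup_commands(FILTER_LISTING, NAT_LISTING)))
```

Run it again on fresh listings after deleting the rules: `is_clean` returning True confirms that nothing from the automatic feature still accepts IKE/ESP or bypasses NAT behind the manual rules you are about to add.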
Because we did not enable the Automatic Firewall/NAT checkbox in the Web UI section above, manual IPsec firewall and NAT rules need to be created. Follow the steps below to add the rules to both routers; the two procedures are identical except that the local and remote subnets are swapped:
First EdgeRouter (Local IP 203.0.113.1, local subnet 192.168.1.0/24):
1. Enter configuration mode.
configure
2. Add firewall rules that allow IKE (UDP 500), NAT-T (UDP 4500) and ESP in the local direction.
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description ike
set firewall name WAN_LOCAL rule 30 destination port 500
set firewall name WAN_LOCAL rule 30 log disable
set firewall name WAN_LOCAL rule 30 protocol udp
set firewall name WAN_LOCAL rule 40 action accept
set firewall name WAN_LOCAL rule 40 description esp
set firewall name WAN_LOCAL rule 40 log disable
set firewall name WAN_LOCAL rule 40 protocol esp
set firewall name WAN_LOCAL rule 50 action accept
set firewall name WAN_LOCAL rule 50 description nat-t
set firewall name WAN_LOCAL rule 50 destination port 4500
set firewall name WAN_LOCAL rule 50 log disable
set firewall name WAN_LOCAL rule 50 protocol udp
3. Add firewall rules that allow IPsec traffic from the remote subnet to the local subnet in the inbound and local direction.
set firewall name WAN_LOCAL rule 60 action accept
set firewall name WAN_LOCAL rule 60 description ipsec
set firewall name WAN_LOCAL rule 60 destination address 192.168.1.0/24
set firewall name WAN_LOCAL rule 60 source address 172.16.1.0/24
set firewall name WAN_LOCAL rule 60 log disable
set firewall name WAN_LOCAL rule 60 ipsec match-ipsec
set firewall name WAN_IN rule 30 action accept
set firewall name WAN_IN rule 30 description ipsec
set firewall name WAN_IN rule 30 destination address 192.168.1.0/24
set firewall name WAN_IN rule 30 source address 172.16.1.0/24
set firewall name WAN_IN rule 30 log disable
set firewall name WAN_IN rule 30 ipsec match-ipsec
4. Prevent the traffic between the remote and local subnets from being translated by NAT.
set service nat rule 5000 description ipsec-exclude
set service nat rule 5000 destination address 172.16.1.0/24
set service nat rule 5000 exclude
set service nat rule 5000 outbound-interface eth0
set service nat rule 5000 protocol all
set service nat rule 5000 source address 192.168.1.0/24
set service nat rule 5000 type masquerade
5. Modify the default encryption and hashing settings.
Display the current IPsec VPN configuration (only relevant output is shown).
[edit]
ubnt@EdgeRouter# show vpn
ipsec {
auto-firewall-nat-exclude disable
esp-group FOO0 {
lifetime 3600
pfs enable
proposal 1 {
encryption aes128
hash sha1
}
}
ike-group FOO0 {
lifetime 28800
proposal 1 {
dh-group 14
encryption aes128
hash sha1
}
}
}
...
By default, the IKE and ESP groups use the same hashing and encryption settings (AES128/SHA1 in this example). We can customize the groups using the commands below:
set vpn ipsec ike-group FOO0 proposal 1 encryption aes256
set vpn ipsec ike-group FOO0 proposal 1 hash sha256
set vpn ipsec ike-group FOO0 lifetime 86400
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash md5
set vpn ipsec esp-group FOO0 lifetime 43200
set vpn ipsec esp-group FOO0 pfs disable
6. Change the IKE Key Exchange from version 1 to version 2.
set vpn ipsec ike-group FOO0 key-exchange ikev2
7. Enable Dead Peer Detection (DPD).
set vpn ipsec ike-group FOO0 dead-peer-detection action restart
set vpn ipsec ike-group FOO0 dead-peer-detection interval 30
set vpn ipsec ike-group FOO0 dead-peer-detection timeout 120
8. Commit the changes and save the configuration.
commit ; save
Second EdgeRouter (Local IP 192.0.2.1, local subnet 172.16.1.0/24):
1. Enter configuration mode.
configure
2. Add firewall rules that allow IKE (UDP 500), NAT-T (UDP 4500) and ESP in the local direction.
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description ike
set firewall name WAN_LOCAL rule 30 destination port 500
set firewall name WAN_LOCAL rule 30 log disable
set firewall name WAN_LOCAL rule 30 protocol udp
set firewall name WAN_LOCAL rule 40 action accept
set firewall name WAN_LOCAL rule 40 description esp
set firewall name WAN_LOCAL rule 40 log disable
set firewall name WAN_LOCAL rule 40 protocol esp
set firewall name WAN_LOCAL rule 50 action accept
set firewall name WAN_LOCAL rule 50 description nat-t
set firewall name WAN_LOCAL rule 50 destination port 4500
set firewall name WAN_LOCAL rule 50 log disable
set firewall name WAN_LOCAL rule 50 protocol udp
3. Add firewall rules that allow IPsec traffic from the remote subnet to the local subnet in the inbound and local direction.
set firewall name WAN_LOCAL rule 60 action accept
set firewall name WAN_LOCAL rule 60 description ipsec
set firewall name WAN_LOCAL rule 60 destination address 172.16.1.0/24
set firewall name WAN_LOCAL rule 60 source address 192.168.1.0/24
set firewall name WAN_LOCAL rule 60 log disable
set firewall name WAN_LOCAL rule 60 ipsec match-ipsec
set firewall name WAN_IN rule 30 action accept
set firewall name WAN_IN rule 30 description ipsec
set firewall name WAN_IN rule 30 destination address 172.16.1.0/24
set firewall name WAN_IN rule 30 source address 192.168.1.0/24
set firewall name WAN_IN rule 30 log disable
set firewall name WAN_IN rule 30 ipsec match-ipsec
4. Prevent the traffic between the remote and local subnets from being translated by NAT.
set service nat rule 5000 description ipsec-exclude
set service nat rule 5000 destination address 192.168.1.0/24
set service nat rule 5000 exclude
set service nat rule 5000 outbound-interface eth0
set service nat rule 5000 protocol all
set service nat rule 5000 source address 172.16.1.0/24
set service nat rule 5000 type masquerade
5. Modify the default encryption and hashing settings.
Display the current IPsec VPN configuration (only relevant output is shown).
[edit]
ubnt@EdgeRouter# show vpn
ipsec {
auto-firewall-nat-exclude disable
esp-group FOO0 {
lifetime 3600
pfs enable
proposal 1 {
encryption aes128
hash sha1
}
}
ike-group FOO0 {
lifetime 28800
proposal 1 {
dh-group 14
encryption aes128
hash sha1
}
}
}
...
By default, the IKE and ESP groups use the same hashing and encryption settings (AES128/SHA1 in this example). We can customize the groups using the commands below:
set vpn ipsec ike-group FOO0 proposal 1 encryption aes256
set vpn ipsec ike-group FOO0 proposal 1 hash sha256
set vpn ipsec ike-group FOO0 lifetime 86400
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash md5
set vpn ipsec esp-group FOO0 lifetime 43200
set vpn ipsec esp-group FOO0 pfs disable
6. Change the IKE Key Exchange from version 1 to version 2.
set vpn ipsec ike-group FOO0 key-exchange ikev2
7. Enable Dead Peer Detection (DPD).
set vpn ipsec ike-group FOO0 dead-peer-detection action restart
set vpn ipsec ike-group FOO0 dead-peer-detection interval 30
set vpn ipsec ike-group FOO0 dead-peer-detection timeout 120
8. Commit the changes and save the configuration.
commit ; save
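The two router procedures above differ only in which subnet is local and which is remote, while the IKE and ESP proposals, lifetimes, key-exchange version and DPD settings have to be identical on both peers. As an added example that is not part of the article, the Python below generates the complete command list for both routers from a single description and checks that the two outputs are exact mirrors of each other, which catches the common mistake of swapping source and destination on one side only. It assumes the article's rule numbers, the FOO0 group name, the WAN_LOCAL/WAN_IN rule sets and eth0 as the outbound interface; the Site class and the site names are constructed for the example.

```python
"""Generate the mirrored firewall, NAT and IPsec commands for both ends of an
EdgeOS policy-based site-to-site VPN from one description.

Added example, not from the Ubiquiti article. Rule numbers, the FOO0 group,
WAN_LOCAL/WAN_IN and eth0 follow the article; the Site class and the site
names are constructed for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    name: str
    lan: str              # subnet carried over the tunnel on this side
    wan_if: str = "eth0"  # outbound interface of the NAT exclusion rule


# (encryption, hash, lifetime) per group, as set in step 5 of the article.
# Both peers must propose the same values or the IKE negotiation fails.
PROPOSAL = {"ike": ("aes256", "sha256", 86400), "esp": ("aes128", "md5", 43200)}


def firewall_nat_commands(local, remote):
    """Steps 2-4 for `local`: IKE/NAT-T/ESP to the router, tunnel traffic, NAT exclude."""
    fw = "set firewall name WAN_LOCAL rule"
    cmds = [
        f"{fw} 30 action accept", f"{fw} 30 description ike",
        f"{fw} 30 destination port 500", f"{fw} 30 log disable",
        f"{fw} 30 protocol udp",
        f"{fw} 40 action accept", f"{fw} 40 description esp",
        f"{fw} 40 log disable", f"{fw} 40 protocol esp",
        f"{fw} 50 action accept", f"{fw} 50 description nat-t",
        f"{fw} 50 destination port 4500", f"{fw} 50 log disable",
        f"{fw} 50 protocol udp",
    ]
    # Decrypted packets from the peer have the REMOTE subnet as source and the
    # LOCAL subnet as destination; match-ipsec limits the accept to packets that
    # actually came out of the tunnel, not cleartext carrying a spoofed source.
    for chain, rule in (("WAN_LOCAL", 60), ("WAN_IN", 30)):
        r = f"set firewall name {chain} rule {rule}"
        cmds += [
            f"{r} action accept", f"{r} description ipsec",
            f"{r} destination address {local.lan}",
            f"{r} source address {remote.lan}",
            f"{r} log disable", f"{r} ipsec match-ipsec",
        ]
    nat = "set service nat rule 5000"
    cmds += [
        f"{nat} description ipsec-exclude",
        f"{nat} destination address {remote.lan}",
        f"{nat} exclude",
        f"{nat} outbound-interface {local.wan_if}",
        f"{nat} protocol all",
        f"{nat} source address {local.lan}",
        f"{nat} type masquerade",
    ]
    return cmds


def ipsec_group_commands(group="FOO0"):
    """Steps 5-7: identical on both sides."""
    cmds = []
    for kind, (enc, hsh, life) in PROPOSAL.items():
        cmds += [
            f"set vpn ipsec {kind}-group {group} proposal 1 encryption {enc}",
            f"set vpn ipsec {kind}-group {group} proposal 1 hash {hsh}",
            f"set vpn ipsec {kind}-group {group} lifetime {life}",
        ]
    ike = f"set vpn ipsec ike-group {group}"
    cmds += [
        f"set vpn ipsec esp-group {group} pfs disable",
        f"{ike} key-exchange ikev2",
        f"{ike} dead-peer-detection action restart",
        f"{ike} dead-peer-detection interval 30",
        f"{ike} dead-peer-detection timeout 120",
    ]
    return cmds


def both_sides(a, b):
    """Complete command list per router, from `configure` to `commit ; save`."""
    return {
        local.name: ["configure", *firewall_nat_commands(local, remote),
                     *ipsec_group_commands(), "commit ; save"]
        for local, remote in ((a, b), (b, a))
    }


def is_mirror(a_cmds, b_cmds, a, b):
    """True if swapping the two subnets in A's commands gives exactly B's commands."""
    swapped = [c.replace(a.lan, "\0").replace(b.lan, a.lan).replace("\0", b.lan)
               for c in a_cmds]
    return swapped == b_cmds


if __name__ == "__main__":
    site_a = Site("site-a", "192.168.1.0/24")  # constructed: the article's first router
    site_b = Site("site-b", "172.16.1.0/24")   # constructed: the article's second router
    for name, cmds in both_sides(site_a, site_b).items():
        print(f"# {name}")
        print("\n".join(cmds))
```

Paste each router's list into its own configure session; because `ipsec_group_commands` is shared by both sides, the generated proposals cannot drift apart, and `is_mirror` fails loudly if anything other than the two subnets differs between the two outputs.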
You can verify the VPN, firewall rules and NAT statistics with the following commands:
show firewall name WAN_LOCAL statistics
show firewall name WAN_IN statistics
show nat statistics
show vpn ipsec sa
show vpn log
Related Articles
EdgeRouter - Dynamic Site-to-Site IPsec VPN using FQDNs
EdgeRouter - Route-Based Site-to-Site IPsec VPN
EdgeRouter - Policy-Based Site-to-Site IPsec VPN
Intro to Networking - How to Establish a Connection Using SSH