EdgeRouter - Route-Based Site-to-Site IPsec VPN

Translated by AI

Overview

Readers will learn how to configure a Route-Based Site-to-Site IPsec VPN between two EdgeRouters.

NOTES & REQUIREMENTS:
Applicable to the latest EdgeOS firmware on all EdgeRouter models. Familiarity with the Command Line Interface (CLI) and basic networking knowledge are required. Please see the Related Articles below for more information.
Device used in this article:

Table of Contents

  1. Frequently Asked Questions (FAQ)
  2. Configuring a Route-Based VPN
  3. Related Articles

Frequently Asked Questions (FAQ)

What site-to-site IPsec VPN types can be configured on EdgeOS?

The following IPsec VPN types can be configured on EdgeOS:

  • Policy-Based
  • Route-Based (VTI)
  • GRE over IPsec

What are the available encryption and hashing options (Security Associations / SAs) for Phase 1 (IKE) and Phase 2 (ESP)?

Encryption

  • AES128
  • AES256
  • AES128GCM128
  • AES256GCM128
  • 3DES

Hashing

  • MD5
  • SHA1
  • SHA2-256
  • SHA2-384
  • SHA2-512

Configuring a Route-Based VPN

[Figure: topology.png, network diagram of the two EdgeRouters]

The 192.168.1.0/24 and 172.16.1.0/24 networks will be allowed to communicate with each other over the VPN.

Follow the steps below to configure the Route-Based Site-to-Site IPsec VPN on both EdgeRouters:

CLI: Access the Command Line Interface on ER-L. You can do this using the CLI button in the GUI or by using a program such as PuTTY.

1. Enter configuration mode.

configure

2. Enable the auto-firewall-nat-exclude feature, which automatically creates the IPsec firewall/NAT policies in the iptables firewall.

set vpn ipsec auto-firewall-nat-exclude enable

3. Create the IKE / Phase 1 (P1) Security Associations (SAs).

set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 14
set vpn ipsec ike-group FOO0 proposal 1 encryption aes128
set vpn ipsec ike-group FOO0 proposal 1 hash sha1

4. Create the ESP / Phase 2 (P2) SAs and enable Perfect Forward Secrecy (PFS).

set vpn ipsec esp-group FOO0 lifetime 3600
set vpn ipsec esp-group FOO0 pfs enable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash sha1

5. Define the remote peering address (replace <secret> with your desired passphrase).

set vpn ipsec site-to-site peer 192.0.2.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 192.0.2.1 authentication pre-shared-secret <secret>
set vpn ipsec site-to-site peer 192.0.2.1 description ipsec
set vpn ipsec site-to-site peer 192.0.2.1 local-address 203.0.113.1

6. Link the SAs created above to the remote peer and bind the VPN to a virtual tunnel interface (vti0).

set vpn ipsec site-to-site peer 192.0.2.1 ike-group FOO0
set vpn ipsec site-to-site peer 192.0.2.1 vti bind vti0
set vpn ipsec site-to-site peer 192.0.2.1 vti esp-group FOO0

7. Configure the virtual tunnel interface (vti0) and assign it an IP address.

set interfaces vti vti0 address 10.255.12.1/30

8. Create a static route for the remote subnet.

set protocols static interface-route 172.16.1.0/24 next-hop-interface vti0

9. Commit the changes and save the configuration.

commit ; save

CLI: Access the Command Line Interface on ER-R.

1. Enter configuration mode.

configure

2. Enable the auto-firewall-nat-exclude feature, which automatically creates the IPsec firewall/NAT policies in the iptables firewall.

set vpn ipsec auto-firewall-nat-exclude enable

3. Create the IKE / Phase 1 (P1) Security Associations (SAs).

set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 14
set vpn ipsec ike-group FOO0 proposal 1 encryption aes128
set vpn ipsec ike-group FOO0 proposal 1 hash sha1

4. Create the ESP / Phase 2 (P2) SAs and enable Perfect Forward Secrecy (PFS).

set vpn ipsec esp-group FOO0 lifetime 3600
set vpn ipsec esp-group FOO0 pfs enable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash sha1

5. Define the remote peering address (replace <secret> with your desired passphrase).

set vpn ipsec site-to-site peer 203.0.113.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 203.0.113.1 authentication pre-shared-secret <secret>
set vpn ipsec site-to-site peer 203.0.113.1 description ipsec
set vpn ipsec site-to-site peer 203.0.113.1 local-address 192.0.2.1

6. Link the SAs created above to the remote peer and bind the VPN to a virtual tunnel interface (vti0).

set vpn ipsec site-to-site peer 203.0.113.1 ike-group FOO0
set vpn ipsec site-to-site peer 203.0.113.1 vti bind vti0
set vpn ipsec site-to-site peer 203.0.113.1 vti esp-group FOO0

7. Configure the virtual tunnel interface (vti0) and assign it an IP address.

set interfaces vti vti0 address 10.255.12.2/30

8. Create a static route for the remote subnet.

set protocols static interface-route 192.168.1.0/24 next-hop-interface vti0

9. Commit the changes and save the configuration.

commit ; save
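The nine steps are mirrored on ER-R, so the two sides differ only in which WAN address is local, which LAN is remote, and the vti0 address. As an added example that is not part of the Ubiquiti article, this POSIX shell script generates the set commands for both routers from a single parameter set, refuses the literal <secret> placeholder, and lets the encryption and hash be chosen from the options listed in the FAQ (the function names gen_side and gen_pair are hypothetical; the addresses are the article's documentation-range values).

```shell
#!/bin/sh
# Added example, not from the article: generate the EdgeOS "set" commands for the
# route-based VPN above from one parameter set, so both routers always get the same
# IKE/ESP proposals. Function names are hypothetical; addresses are the article's.

# gen_side LOCAL_WAN REMOTE_WAN VTI_ADDR REMOTE_LAN PSK [ENC] [HASH]
gen_side() {
  local_wan=$1; remote_wan=$2; vti_addr=$3; remote_lan=$4; psk=$5
  enc=${6:-aes128}; auth=${7:-sha1}   # defaults match the article's steps 3 and 4
  # Refuse an empty secret or the article's literal placeholder
  case "$psk" in ''|'<secret>') echo "error: replace <secret> with a real passphrase" >&2; return 1 ;; esac
  peer="vpn ipsec site-to-site peer $remote_wan"
  cat <<EOF
set vpn ipsec auto-firewall-nat-exclude enable
set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 14
set vpn ipsec ike-group FOO0 proposal 1 encryption $enc
set vpn ipsec ike-group FOO0 proposal 1 hash $auth
set vpn ipsec esp-group FOO0 lifetime 3600
set vpn ipsec esp-group FOO0 pfs enable
set vpn ipsec esp-group FOO0 proposal 1 encryption $enc
set vpn ipsec esp-group FOO0 proposal 1 hash $auth
set $peer authentication mode pre-shared-secret
set $peer authentication pre-shared-secret $psk
set $peer description ipsec
set $peer local-address $local_wan
set $peer ike-group FOO0
set $peer vti bind vti0
set $peer vti esp-group FOO0
set interfaces vti vti0 address $vti_addr
set protocols static interface-route $remote_lan next-hop-interface vti0
EOF
}

# gen_pair L_WAN R_WAN L_VTI R_VTI L_LAN R_LAN PSK [ENC] [HASH]: ER-L block, then
# the mirrored ER-R block (local/remote swapped, the other side's LAN routed via vti0)
gen_pair() {
  echo "# ER-L"; gen_side "$1" "$2" "$3" "$6" "$7" "$8" "$9" || return 1
  echo "# ER-R"; gen_side "$2" "$1" "$4" "$5" "$7" "$8" "$9"
}

# Example run with the article's (documentation-range) addresses and a constructed secret:
# gen_pair 203.0.113.1 192.0.2.1 10.255.12.1/30 10.255.12.2/30 192.168.1.0/24 172.16.1.0/24 example-psk
```

Paste each router's block into its own configure session, followed by commit ; save as in step 9.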

Related Articles

EdgeRouter - Dynamic Site-to-Site IPsec VPN using FQDNs

EdgeRouter - Policy-Based Site-to-Site IPsec VPN

Intro to Networking - How to Establish a Connection Using SSH
