EdgeRouter - Route-Based Site-to-Site IPsec VPN
Overview
Readers will learn how to configure a Route-Based Site-to-Site IPsec VPN between two EdgeRouters.
Frequently Asked Questions (FAQ)
What site-to-site IPsec VPN types can be configured on EdgeOS?
The following IPsec VPN types can be configured on EdgeOS:

What are the available encryption and hashing options (Security Associations / SAs) for Phase 1 (IKE) and Phase 2 (ESP)?
Encryption
Hashing
Configuring a Route-Based VPN
The 192.168.1.0/24 and 172.16.1.0/24 networks will be allowed to communicate with each other over the VPN.
Follow the steps below to configure the Route-Based Site-to-Site IPsec VPN on both EdgeRouters. The two command sets mirror each other: each router's peer address is the other router's local-address, the vti0 addresses are the two hosts of one /30, and each router's static route points at the other router's LAN. The IKE and ESP groups must be identical on both sides.
EdgeRouter with WAN address 203.0.113.1 (local network 192.168.1.0/24):
1. Enter configuration mode.
configure
2. Enable the auto-firewall-nat-exclude feature, which automatically creates the IPsec firewall/NAT policies in the iptables firewall.
set vpn ipsec auto-firewall-nat-exclude enable
3. Create the IKE / Phase 1 (P1) Security Associations (SAs).
set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 14
set vpn ipsec ike-group FOO0 proposal 1 encryption aes128
set vpn ipsec ike-group FOO0 proposal 1 hash sha1
4. Create the ESP / Phase 2 (P2) SAs and enable Perfect Forward Secrecy (PFS).
set vpn ipsec esp-group FOO0 lifetime 3600
set vpn ipsec esp-group FOO0 pfs enable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash sha1
5. Define the remote peering address (replace <secret> with your desired passphrase).
set vpn ipsec site-to-site peer 192.0.2.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 192.0.2.1 authentication pre-shared-secret <secret>
set vpn ipsec site-to-site peer 192.0.2.1 description ipsec
set vpn ipsec site-to-site peer 192.0.2.1 local-address 203.0.113.1
6. Link the SAs created above to the remote peer and bind the VPN to a virtual tunnel interface (vti0).
set vpn ipsec site-to-site peer 192.0.2.1 ike-group FOO0
set vpn ipsec site-to-site peer 192.0.2.1 vti bind vti0
set vpn ipsec site-to-site peer 192.0.2.1 vti esp-group FOO0
7. Configure the virtual tunnel interface (vti0) and assign it an IP address.
set interfaces vti vti0 address 10.255.12.1/30
8. Create a static route for the remote subnet.
set protocols static interface-route 172.16.1.0/24 next-hop-interface vti0
9. Commit the changes and save the configuration.
commit ; save
EdgeRouter with WAN address 192.0.2.1 (local network 172.16.1.0/24):
1. Enter configuration mode.
configure
2. Enable the auto-firewall-nat-exclude feature, which automatically creates the IPsec firewall/NAT policies in the iptables firewall.
set vpn ipsec auto-firewall-nat-exclude enable
3. Create the IKE / Phase 1 (P1) Security Associations (SAs).
set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 14
set vpn ipsec ike-group FOO0 proposal 1 encryption aes128
set vpn ipsec ike-group FOO0 proposal 1 hash sha1
4. Create the ESP / Phase 2 (P2) SAs and enable Perfect Forward Secrecy (PFS).
set vpn ipsec esp-group FOO0 lifetime 3600
set vpn ipsec esp-group FOO0 pfs enable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash sha1
5. Define the remote peering address (replace <secret> with your desired passphrase).
set vpn ipsec site-to-site peer 203.0.113.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 203.0.113.1 authentication pre-shared-secret <secret>
set vpn ipsec site-to-site peer 203.0.113.1 description ipsec
set vpn ipsec site-to-site peer 203.0.113.1 local-address 192.0.2.1
6. Link the SAs created above to the remote peer and bind the VPN to a virtual tunnel interface (vti0).
set vpn ipsec site-to-site peer 203.0.113.1 ike-group FOO0
set vpn ipsec site-to-site peer 203.0.113.1 vti bind vti0
set vpn ipsec site-to-site peer 203.0.113.1 vti esp-group FOO0
7. Configure the virtual tunnel interface (vti0) and assign it an IP address.
set interfaces vti vti0 address 10.255.12.2/30
8. Create a static route for the remote subnet.
set protocols static interface-route 192.168.1.0/24 next-hop-interface vti0
9. Commit the changes and save the configuration.
commit ; save
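Because the two routers' command sets must mirror each other exactly, a common cause of a tunnel that never comes up is a typo on one side: peer and local-address not swapped, a pre-shared secret that differs, an IKE or ESP proposal edited on only one router, or vti0 addresses that are not in the same /30. The script below is an added example (not part of this article and not EdgeOS or Ubiquiti code) that generates both routers' `set` commands from one description of the topology and checks the two outputs against each other before you paste them. `Site`, `site_config`, `parse_peer` and `check_pair` are names chosen for this script; the addresses are the article's documentation values and `<secret>` is a placeholder.

```python
"""Generate the mirrored EdgeOS 'set' commands for both ends of a route-based
site-to-site IPsec VPN and check that the two sides agree.
Added example; Site, site_config, parse_peer and check_pair are names chosen
here. Addresses are the article's example values; PSK is a placeholder."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    wan: str       # public address used as the IKE local-address
    lan: str       # local subnet that must reach the far side over vti0
    vti_addr: str  # vti0 address with prefix length, e.g. 10.255.12.1/30


IKE_GROUP = "FOO0"
ESP_GROUP = "FOO0"
PSK = "<secret>"  # placeholder; use a long random pre-shared secret in practice
# Constructed from the article's topology (WAN, LAN, vti0 address).
SITE_A = Site(wan="203.0.113.1", lan="192.168.1.0/24", vti_addr="10.255.12.1/30")
SITE_B = Site(wan="192.0.2.1", lan="172.16.1.0/24", vti_addr="10.255.12.2/30")


def sa_lines():
    """Phase 1 (IKE) and Phase 2 (ESP) groups; identical on both routers."""
    return [
        "set vpn ipsec auto-firewall-nat-exclude enable",
        f"set vpn ipsec ike-group {IKE_GROUP} lifetime 28800",
        f"set vpn ipsec ike-group {IKE_GROUP} proposal 1 dh-group 14",
        f"set vpn ipsec ike-group {IKE_GROUP} proposal 1 encryption aes128",
        f"set vpn ipsec ike-group {IKE_GROUP} proposal 1 hash sha1",
        f"set vpn ipsec esp-group {ESP_GROUP} lifetime 3600",
        f"set vpn ipsec esp-group {ESP_GROUP} pfs enable",
        f"set vpn ipsec esp-group {ESP_GROUP} proposal 1 encryption aes128",
        f"set vpn ipsec esp-group {ESP_GROUP} proposal 1 hash sha1",
    ]


def site_config(local, remote, psk):
    """All commands for router `local` peering with router `remote`."""
    peer = f"set vpn ipsec site-to-site peer {remote.wan}"
    return sa_lines() + [
        f"{peer} authentication mode pre-shared-secret",
        f"{peer} authentication pre-shared-secret {psk}",
        f"{peer} description ipsec",
        f"{peer} local-address {local.wan}",
        f"{peer} ike-group {IKE_GROUP}",
        f"{peer} vti bind vti0",
        f"{peer} vti esp-group {ESP_GROUP}",
        f"set interfaces vti vti0 address {local.vti_addr}",
        f"set protocols static interface-route {remote.lan} next-hop-interface vti0",
    ]


_PEER_RE = re.compile(r"^set vpn ipsec site-to-site peer (\S+) (.*)$")


def parse_peer(lines):
    """Extract the values the two ends must agree on from a list of 'set' commands."""
    out = {"sa": set()}
    for line in lines:
        m = _PEER_RE.match(line)
        if m:
            out["peer"] = m.group(1)
            rest = m.group(2).split()
            if rest[:2] == ["authentication", "pre-shared-secret"]:
                out["psk"] = rest[2]
            elif rest[0] == "local-address":
                out["local"] = rest[1]
        elif line.startswith(("set vpn ipsec ike-group", "set vpn ipsec esp-group")):
            out["sa"].add(line)
        elif line.startswith("set interfaces vti vti0 address "):
            out["vti"] = line.rsplit(" ", 1)[1]
        elif line.startswith("set protocols static interface-route "):
            out["route"] = line.split()[4]
    return out


def check_pair(cfg_a, cfg_b):
    """Return the mismatches between two router configs; [] means they mirror."""
    a, b = parse_peer(cfg_a), parse_peer(cfg_b)
    problems = []
    if a["peer"] != b["local"] or b["peer"] != a["local"]:
        problems.append("peer and local-address are not mirrored")
    if a["psk"] != b["psk"]:
        problems.append("pre-shared secrets differ")
    if a["sa"] != b["sa"]:
        problems.append("IKE/ESP proposals differ")
    va, vb = ipaddress.ip_interface(a["vti"]), ipaddress.ip_interface(b["vti"])
    if va.network != vb.network or va.ip == vb.ip:
        problems.append("vti0 addresses are not two distinct hosts in one subnet")
    if ipaddress.ip_network(a["route"]).overlaps(ipaddress.ip_network(b["route"])):
        problems.append("the two routed LAN subnets overlap")
    return problems


if __name__ == "__main__":
    cfg_a = site_config(SITE_A, SITE_B, PSK)
    cfg_b = site_config(SITE_B, SITE_A, PSK)
    print("\n".join(cfg_a), "\n--\n", "\n".join(cfg_b), sep="")
    print("problems:", check_pair(cfg_a, cfg_b) or "none")
```

Run it once with your own addresses and secret, then paste each command set into the matching router's configure session followed by `commit ; save`. The check is deliberately strict about the vti0 /30 and the routed subnets because those errors produce a tunnel that negotiates successfully but passes no traffic, which is harder to spot than an IKE failure.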
Related Articles
EdgeRouter - Dynamic Site-to-Site IPsec VPN using FQDNs
EdgeRouter - Policy-Based Site-to-Site IPsec VPN
Intro to Networking - How to Establish a Connection Using SSH