EdgeRouter - Site-to-Site VPN Behind NAT
Overview
Readers will learn how to configure a Site-to-Site VPN between two EdgeRouters, where one of the devices is located behind NAT.
Configuring the Policy-Based VPN
ER-R is located behind the ISP modem and does not have its own routable public IP address.
Follow the steps below to configure the Policy-Based Site-to-Site IPsec VPN on both EdgeRouters.
ER-L
1. Define the IPsec peer and hashing/encryption methods.
VPN > IPsec Site-to-Site > +Add Peer
- Check: Show advanced options
- Check: Automatically open firewall and exclude from NAT
Peer: 192.0.2.1
Description: ipsec
Local IP: 203.0.113.1
Encryption: AES-128
Hash: SHA1
DH Group: 14
Pre-shared Secret: <secret>
Local subnet: 192.168.1.0/24
Remote subnet: 172.16.1.0/24
2. Apply the changes.
ER-R
1. Define the IPsec peer and the hashing/encryption methods.
VPN > IPsec Site-to-Site > +Add Peer
- Check: Show advanced options
- Check: Automatically open firewall and exclude from NAT
Peer: 203.0.113.1
Description: ipsec
Local IP: 0.0.0.0
Encryption: AES-128
Hash: SHA1
DH Group: 14
Pre-shared Secret: <secret>
Local subnet: 172.16.1.0/24
Remote subnet: 192.168.1.0/24
2. Apply the changes.
Adding Authentication IDs
The next step is to add an IPsec authentication ID on either ER-L or ER-R. This option influences which IP addresses will be used in the IPsec authentication process. Because ER-R is located behind a modem performing NAT services, the source IP address of the VPN (10.0.0.2) is translated to the 192.0.2.1 address. Choose either of the two following options to change the IPsec authentication IDs:
Option 1: Set the private IP address (10.0.0.2) of ER-R as the remote Authentication ID on ER-L.
CLI: Access the Command Line Interface on ER-L.
1. Enter configuration mode.
configure
2. Configure the remote-id on ER-L using the private IP address value of ER-R (10.0.0.2).
set vpn ipsec site-to-site peer 192.0.2.1 authentication remote-id 10.0.0.2
3. Commit the changes and save the configuration.
commit ; save
Option 2: Set the public IP address (192.0.2.1) of the modem as the local Authentication ID on ER-R.
CLI: Access the Command Line Interface on ER-R.
1. Enter configuration mode.
configure
2. Configure the (local) id on ER-R using the public IP address value of the ISP modem (192.0.2.1).
set vpn ipsec site-to-site peer 203.0.113.1 authentication id 192.0.2.1
3. Commit the changes and save the configuration.
commit ; save
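As an added illustration (not code from this article or from Ubiquiti), the following Python model shows why the default IDs fail when ER-R sits behind NAT and why either option above makes the check pass. The rule that an unset ID defaults to the router's own address and an unset remote-id to the configured peer address is an assumption of the model, as is the simplified view of the exchange.

```python
# Added example (not Ubiquiti's code): a small model of ER-L's view of an IKE
# exchange initiated by ER-R, using the addresses from this article.
# Assumption: with no explicit ID, a router sends its own local address as its
# IKE ID, and expects the peer's ID to equal the configured peer address unless
# remote-id is set. The outer IP header is rewritten by the modem's NAT; the
# IKE ID payload inside the packet is not.

ER_L_PUBLIC = "203.0.113.1"  # ER-L WAN address (routable)
ER_R_PRIVATE = "10.0.0.2"    # ER-R WAN address, behind the ISP modem
MODEM_PUBLIC = "192.0.2.1"   # address the modem translates ER-R's traffic to


def er_l_view(er_l, er_r, observed_source):
    """Return (peer_found, id_ok) as ER-L evaluates ER-R's IKE proposal.

    er_l/er_r: dicts with keys address, peer, id, remote_id (None = default).
    observed_source: source IP of the IKE packet after any NAT on the path.
    """
    # Peer lookup uses the outer source IP, which the NAT has rewritten.
    peer_found = observed_source == er_l["peer"]
    # The ID ER-R sends is its explicit id or, by default, its own address.
    sent_id = er_r["id"] or er_r["address"]
    # ER-L expects the configured remote-id or, by default, the peer address.
    expected_id = er_l["remote_id"] or er_l["peer"]
    return peer_found, sent_id == expected_id


def scenario(er_l_remote_id=None, er_r_id=None):
    """Evaluate the article's setup with the given optional ID overrides."""
    er_l = {"address": ER_L_PUBLIC, "peer": MODEM_PUBLIC,
            "id": None, "remote_id": er_l_remote_id}
    er_r = {"address": ER_R_PRIVATE, "peer": ER_L_PUBLIC,
            "id": er_r_id, "remote_id": None}
    # ER-R's packets leave the modem with its public address as source.
    return er_l_view(er_l, er_r, observed_source=MODEM_PUBLIC)


if __name__ == "__main__":
    # Default IDs: the peer is found, but ER-R identifies itself as 10.0.0.2
    # while ER-L expects 192.0.2.1, so the identity check fails.
    print("default   :", scenario())
    # Option 1: ER-L accepts 10.0.0.2 as ER-R's ID.
    print("remote-id :", scenario(er_l_remote_id=ER_R_PRIVATE))
    # Option 2: ER-R presents the modem's public address as its ID.
    print("local id  :", scenario(er_r_id=MODEM_PUBLIC))
```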
Related Articles
EdgeRouter - Policy-Based Site-to-Site IPsec VPN
Intro to Networking - How to Establish a Connection Using SSH