UniFi OS Consoles Wi-Fi Switching Camera Security Phone System Door Access Accessories UISP
Support Resources
UniFi Help Articles UISP Help Articles Video Tutorials Community Forums UniFi Design Center UISP Design Center RMA and Warranty Contact Support
Store
Support Resources
UniFi Help Articles UISP Help Articles Video Tutorials Community Forums UniFi Design Center UISP Design Center RMA and Warranty Contact Support
UniFi OS Consoles Wi-Fi Switching Camera Security Phone System Door Access Accessories UISP Store
  1. Ubiquiti Support and Help Center
  2. UISP
  3. UISP Routing and Switching
  4. EdgeRouter
  5. EdgeRouter VPN Configuration
Help Center
Back to Top

EdgeRouter - Site-to-Site IPsec VPN to USG

2023-03-07 16:05:56 UTC

Overview

Readers will learn how to configure a Policy-Based Site-to-Site IPsec VPN between an Edgerouter and a USG.

NOTES & REQUIREMENTS:
Applicable to the latest EdgeOS firmware on all EdgeRouter models. Please see the Related Articles below for more information.
Devices used in this article:

Table of Contents

  1. Frequently Asked Questions (FAQ)
  2. Setting up a Policy-Based VPN
  3. Related Articles

FAQ

Back to Top

1. What site-to-site IPsec VPN types can be configured on EdgeOS?

The following IPsec VPN types can be configured on EdgeOS:

  • Policy-Based
  • Route-Based (VTI)
  • GRE over IPsec
2. What are the available encryption and hashing options (Security Associations / SAs) for Phase 1 (IKE) and Phase 2 (ESP)?

Encryption

  • AES128
  • AES256
  • AES128GCM128
  • AES256GCM128
  • 3DES

Hashing

  • MD5
  • SHA1
  • SHA2-256
  • SHA2-384
  • SHA2-512

Setting up a Policy-Based VPN

Back to Top

topology.png

The 192.168.1.0/24 and 172.16.1.0/24 networks will be allowed to communicate with each other over the VPN.

GUI: Access the EdgeRouter Web UI.

1. Define the IPsec peer and hashing/encryption methods.

VPN > IPsec Site-to-Site > +Add Peer

  • Check: Show advanced options
  • Check: Automatically open firewall and exclude from NAT
Peer: 192.0.2.1
Description: ipsec
Local IP: 203.0.113.1
Encryption: AES-128
Hash: SHA1
DH Group: 14
Pre-shared Secret: <secret>
Local subnet: 192.168.1.0/24
Remote subnet: 172.16.1.0/24

2. Apply the changes.

GUI: Access the UniFi Controller Web Portal.

1. Navigate to the Settings  settings.png  to create a new IPsec network using a custom profile.

Settings > Networks > +Create New Network

Name: ipsec
Purpose: Site-to-Site VPN
VPN Type: Manual IPsec
Enabled: Enable this Site-to-Site VPN
Remote Subnets: 192.168.1.0/24
Peer IP: 203.0.113.1
Local WAN IP: 192.0.2.1
Pre-Shared Key: <secret>
IPsec Profile: Customized

Expand (+) Advanced Options

Key Exchange Version: IKEv1
Encryption: AES-128
HASH: SHA1
DH Group: 14
PFS: Enable Perfect Forward Secrecy / Check
Dynamic Routing: Disable / Uncheck
NOTE: The USG will use the all corporate networks as the local subnet(identifiers)for the IPsec connection.

2. Apply the changes.

Related Articles

Back to Top

EdgeRouter - Policy-Based Site-to-Site IPsec VPN

EdgeRouter - Route-Based Site-to-Site IPsec VPN

Intro to Networking - How to Establish a Connection Using SSH

Was this article helpful?
29 out of 50 found this helpful