EdgeRouter - Site-to-Site IPsec VPN to USG

Readers will learn how to configure a Policy-Based Site-to-Site IPsec VPN between an EdgeRouter and a USG.


Applicable to the latest EdgeOS firmware on all EdgeRouter models.
Devices used in this article:



1. What site-to-site IPsec VPN types can be configured on EdgeOS?

The following IPsec VPN types can be configured on EdgeOS:

  • Policy-Based
  • Route-Based (VTI)
  • GRE over IPsec

2. What are the available encryption and hashing options (Security Associations / SAs) for Phase 1 (IKE) and Phase 2 (ESP)?

Encryption:

  • AES128
  • AES256
  • AES128GCM128
  • AES256GCM128
  • 3DES

Hashing:

  • MD5
  • SHA1
  • SHA2-256
  • SHA2-384
  • SHA2-512

Setting up a Policy-Based VPN



The and networks will be allowed to communicate with each other over the VPN.

GUI: Access the EdgeRouter Web UI.

1. Define the IPsec peer and hashing/encryption methods.

VPN > IPsec Site-to-Site > +Add Peer

  • Check: Show advanced options
  • Check: Automatically open firewall and exclude from NAT

Description: ipsec
Local IP:
Encryption: AES-128
Hash: SHA1
DH Group: 14
Pre-shared Secret: <secret>
Local subnet:
Remote subnet:

2. Apply the changes.

GUI: Access the UniFi Controller Web Portal.

1. Navigate to Settings to create a new IPsec network using a custom profile.

Settings > Networks > +Create New Network

Name: ipsec
Purpose: Site-to-Site VPN
VPN Type: Manual IPsec
Enabled: Enable this Site-to-Site VPN
Remote Subnets:
Peer IP:
Local WAN IP:
Pre-Shared Key: <secret>
IPsec Profile: Customized

Expand (+) Advanced Options

Key Exchange Version: IKEv1
Encryption: AES-128
DH Group: 14
PFS: Enable Perfect Forward Secrecy / Check
Dynamic Routing: Disable / Uncheck

NOTE: The USG uses all corporate networks as the local subnet identifiers for the IPsec connection.

2. Apply the changes.
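The two GUI procedures above have to produce mirrored settings: a policy-based tunnel only comes up when the traffic selectors, proposals and DH group agree on both ends, and the USG note above means the EdgeRouter needs a remote prefix for every corporate network the USG announces. The following Python script is an added example, not part of this article or of Ubiquiti's own tooling: it lints each side against the option lists in section 2 (flagging the legacy 3DES/MD5/SHA1 choices), checks that the EdgeRouter and USG parameters mirror each other, and renders the EdgeRouter side as EdgeOS `set vpn ipsec` commands. The command paths, the CLI spellings of the algorithm names (for example sha256 for SHA2-256), the FOO0 group name, and the RFC 5737 / RFC 1918 addresses are assumptions chosen for the example.

```python
"""Added example: cross-check a policy-based IPsec peer definition between an
EdgeRouter and a USG, then render the EdgeRouter side as EdgeOS CLI.
All addresses, subnets and the FOO0 group name are constructed placeholders;
the EdgeOS command paths and algorithm tokens are assumed, not taken from the
article (which documents the GUI only)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Options listed in section 2 of the article (display name -> assumed CLI token).
ENCRYPTION = {"AES128": "aes128", "AES256": "aes256", "AES128GCM128": "aes128gcm128",
              "AES256GCM128": "aes256gcm128", "3DES": "3des"}
HASH = {"MD5": "md5", "SHA1": "sha1", "SHA2-256": "sha256",
        "SHA2-384": "sha384", "SHA2-512": "sha512"}
# Still selectable in the UI, but a review should flag them.
LEGACY = {"3DES", "MD5", "SHA1"}


@dataclass(frozen=True)
class Side:
    """One peer's parameters, as entered in its web UI."""
    name: str
    local_wan: str
    peer_wan: str
    local_subnets: tuple
    remote_subnets: tuple
    encryption: str = "AES128"
    hash: str = "SHA1"
    dh_group: int = 14
    pfs: bool = True
    key_exchange: str = "ikev1"


def lint(side: Side) -> list:
    """Warnings for one side: unknown algorithms, malformed addresses, legacy choices."""
    warnings = []
    if side.encryption not in ENCRYPTION:
        warnings.append(f"{side.name}: unknown encryption {side.encryption!r}")
    if side.hash not in HASH:
        warnings.append(f"{side.name}: unknown hash {side.hash!r}")
    for alg in (side.encryption, side.hash):
        if alg in LEGACY:
            warnings.append(f"{side.name}: {alg} is a legacy algorithm; prefer AES-GCM / SHA2")
    for addr in (side.local_wan, side.peer_wan):
        try:
            ip_address(addr)
        except ValueError as exc:
            warnings.append(f"{side.name}: bad WAN address {addr!r} ({exc})")
    for net in side.local_subnets + side.remote_subnets:
        try:
            ip_network(net)  # strict: host bits set in a prefix is a typo
        except ValueError as exc:
            warnings.append(f"{side.name}: bad subnet {net!r} ({exc})")
    return warnings


def cross_check(er: Side, usg: Side) -> list:
    """Mismatches between the two ends; every field must be mirrored exactly."""
    problems = []
    if er.local_wan != usg.peer_wan or er.peer_wan != usg.local_wan:
        problems.append("WAN / peer IP addresses are not mirrored")
    if set(er.local_subnets) != set(usg.remote_subnets):
        problems.append("EdgeRouter local subnets != USG remote subnets")
    if set(er.remote_subnets) != set(usg.local_subnets):
        problems.append("EdgeRouter remote subnets != USG local subnets")
    for field in ("encryption", "hash", "dh_group", "pfs", "key_exchange"):
        if getattr(er, field) != getattr(usg, field):
            problems.append(f"{field} differs: {getattr(er, field)!r} vs {getattr(usg, field)!r}")
    return problems


def edgeos_commands(side: Side, psk: str, group: str = "FOO0") -> list:
    """Assumed EdgeOS 'set' equivalents of the GUI fields; one tunnel per selector pair."""
    enc, hsh = ENCRYPTION[side.encryption], HASH[side.hash]
    peer = f"vpn ipsec site-to-site peer {side.peer_wan}"
    cmds = [
        "set vpn ipsec auto-firewall-nat-exclude enable",
        f"set vpn ipsec esp-group {group} pfs {'enable' if side.pfs else 'disable'}",
        f"set vpn ipsec esp-group {group} proposal 1 encryption {enc}",
        f"set vpn ipsec esp-group {group} proposal 1 hash {hsh}",
        f"set vpn ipsec ike-group {group} key-exchange {side.key_exchange}",
        f"set vpn ipsec ike-group {group} proposal 1 dh-group {side.dh_group}",
        f"set vpn ipsec ike-group {group} proposal 1 encryption {enc}",
        f"set vpn ipsec ike-group {group} proposal 1 hash {hsh}",
        f"set {peer} authentication mode pre-shared-secret",
        f"set {peer} authentication pre-shared-secret {psk}",
        f"set {peer} description {side.name}",
        f"set {peer} ike-group {group}",
        f"set {peer} local-address {side.local_wan}",
    ]
    n = 1
    for local in side.local_subnets:
        for remote in side.remote_subnets:  # policy-based: a tunnel per local/remote pair
            cmds += [f"set {peer} tunnel {n} esp-group {group}",
                     f"set {peer} tunnel {n} local prefix {local}",
                     f"set {peer} tunnel {n} remote prefix {remote}"]
            n += 1
    return cmds


# Constructed sample: the USG announces two corporate networks as its local
# identifiers, so the EdgeRouter lists both as remote subnets.
EDGEROUTER = Side("ipsec", "192.0.2.1", "203.0.113.1",
                  ("192.168.1.0/24",), ("10.0.0.0/24", "10.0.1.0/24"))
USG = Side("ipsec", "203.0.113.1", "192.0.2.1",
           ("10.0.0.0/24", "10.0.1.0/24"), ("192.168.1.0/24",))
USG_WRONG_DH = Side("ipsec", "203.0.113.1", "192.0.2.1",
                    ("10.0.0.0/24", "10.0.1.0/24"), ("192.168.1.0/24",), dh_group=5)

if __name__ == "__main__":
    for w in lint(EDGEROUTER) + lint(USG):
        print("warning:", w)
    print("mismatches:", cross_check(EDGEROUTER, USG) or "none")
    print("mismatches (bad DH group):", cross_check(EDGEROUTER, USG_WRONG_DH))
    print("\n".join(edgeos_commands(EDGEROUTER, "<secret>")))
```

Run it before committing either side: an empty mismatch list and a warning only for SHA1 (the hash this article happens to use) is the expected result for the sample above, and the printed `set` lines can be pasted into `configure` on the EdgeRouter as the CLI equivalent of step 1.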
