
EdgeRouter - Dynamic Site-to-Site IPsec VPN using FQDNs

Overview

Readers will learn how to configure a site-to-site VPN between two EdgeRouters that use dynamic public IP addresses.

NOTES & REQUIREMENTS:
Applicable to the latest EdgeOS firmware on all EdgeRouter models. Please see the Related Articles below for more information.
Devices used in this article:

Table of Contents

  1. Frequently Asked Questions (FAQ)
  2. Configuring a Policy-Based VPN using FQDNs
  3. Related Articles

FAQ


1. What Site-to-Site IPsec VPN types can be configured on EdgeOS?

The following IPsec VPN types can be configured on EdgeOS:

  • Policy-Based
  • Route-Based (VTI)
  • GRE over IPsec

2. What are the available encryption and hashing options (Security Associations / SAs) for Phase 1 (IKE) and Phase 2 (ESP)?

Encryption

  • AES128
  • AES256
  • AES128GCM128
  • AES256GCM128
  • 3DES

Hashing

  • MD5
  • SHA1
  • SHA2-256
  • SHA2-384
  • SHA2-512

Configuring a Policy-Based VPN using FQDNs


Figure: topology.png (site-to-site topology between ER-L and ER-R)

The 192.168.1.0/24 and 172.16.1.0/24 networks will be allowed to communicate with each other over the VPN.

Follow the steps below to configure the Policy-Based Site-to-Site IPsec VPN on both EdgeRouters:

GUI: Access the Web UI on ER-L.

1. Define the IPsec peer and hashing/encryption methods.

VPN > IPsec Site-to-Site > +Add Peer

  • Check: Show advanced options
  • Check: Automatically open firewall and exclude from NAT
Peer: er-r.ubnt.com
Description: ipsec
Local IP: 0.0.0.0
Encryption: AES-128
Hash: SHA1
DH Group: 14
Pre-shared Secret: <secret>
Local subnet: 192.168.1.0/24
Remote subnet: 172.16.1.0/24

2. Apply the changes.

GUI: Access the Web UI on ER-R.

1. Define the IPsec peer and the hashing/encryption methods.

VPN > IPsec Site-to-Site > +Add Peer

  • Check: Show advanced options
  • Check: Automatically open firewall and exclude from NAT
Peer: er-l.ubnt.com
Description: ipsec
Local IP: 0.0.0.0
Encryption: AES-128
Hash: SHA1
DH Group: 14
Pre-shared Secret: <secret>
Local subnet: 172.16.1.0/24
Remote subnet: 192.168.1.0/24

2. Apply the changes.

Depending on your setup, optionally add the following additional configuration:

CLI: Access the Command Line Interface on ER-L. You can do this using the CLI button in the GUI or by using a program such as PuTTY.

1. Use the dhcp-interface command instead of local-address.

configure
delete vpn ipsec site-to-site peer er-r.ubnt.com local-address
set vpn ipsec site-to-site peer er-r.ubnt.com dhcp-interface eth0
commit ; save

2. Add remote and local authentication IDs.

configure
set vpn ipsec site-to-site peer er-r.ubnt.com authentication id @er-l.ubnt.com
set vpn ipsec site-to-site peer er-r.ubnt.com authentication remote-id @er-r.ubnt.com
commit ; save

3. Change from pre-shared secret to RSA key-based authentication (each router generates its own key pair and is configured with the peer's public key).

generate vpn rsa-key

configure
set vpn rsa-keys local-key file /config/ipsec.d/rsa-keys/localhost.key
set vpn rsa-keys rsa-key-name er-r rsa-key <er-r public key>

delete vpn ipsec site-to-site peer er-r.ubnt.com authentication mode
delete vpn ipsec site-to-site peer er-r.ubnt.com authentication pre-shared-secret

set vpn ipsec site-to-site peer er-r.ubnt.com authentication mode rsa
set vpn ipsec site-to-site peer er-r.ubnt.com authentication rsa-key-name er-r
commit ; save

CLI: Access the Command Line Interface on ER-R.

1. Use the dhcp-interface command instead of local-address.

configure
delete vpn ipsec site-to-site peer er-l.ubnt.com local-address
set vpn ipsec site-to-site peer er-l.ubnt.com dhcp-interface eth0
commit ; save

2. Add remote and local authentication IDs.

configure
set vpn ipsec site-to-site peer er-l.ubnt.com authentication id @er-r.ubnt.com
set vpn ipsec site-to-site peer er-l.ubnt.com authentication remote-id @er-l.ubnt.com
commit ; save

3. Change from pre-shared secret to RSA key-based authentication (each router generates its own key pair and is configured with the peer's public key).

generate vpn rsa-key

configure
set vpn rsa-keys local-key file /config/ipsec.d/rsa-keys/localhost.key
set vpn rsa-keys rsa-key-name er-l rsa-key <er-l public key>

delete vpn ipsec site-to-site peer er-l.ubnt.com authentication mode
delete vpn ipsec site-to-site peer er-l.ubnt.com authentication pre-shared-secret

set vpn ipsec site-to-site peer er-l.ubnt.com authentication mode rsa
set vpn ipsec site-to-site peer er-l.ubnt.com authentication rsa-key-name er-l
commit ; save
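As an added check (example code written for this article, not Ubiquiti's or EdgeOS's own), the script below parses the `set vpn ipsec site-to-site` lines from `show configuration commands` on both routers and reports where the two ends fail to mirror each other: the `authentication id` on one router must equal the `authentication remote-id` on the other, the tunnel prefixes must be swapped, the authentication mode must match, and each side should use `dhcp-interface` and an `@fqdn` identity as in CLI steps 1 and 2. The functions `parse_peer`, `mirror_problems` and `sample_config`, and the sample lines they build, are constructed here.

```python
import re

# One "set vpn ipsec site-to-site peer <fqdn> <setting ...> <value>" line.
_SET = re.compile(r"set vpn ipsec site-to-site peer (\S+) (.+) (\S+)$")

def parse_peer(lines):
    """Return {peer_fqdn: {setting: value}} from `show configuration commands` lines."""
    peers = {}
    for line in lines:
        m = _SET.match(line.strip())
        if m:
            peer, key, value = m.groups()
            peers.setdefault(peer, {})[key] = value.strip("'")
    return peers

# Each setting on one router paired with the setting it must equal on the other.
MIRROR = [("authentication id", "authentication remote-id"),
          ("authentication remote-id", "authentication id"),
          ("tunnel 1 local prefix", "tunnel 1 remote prefix"),
          ("tunnel 1 remote prefix", "tunnel 1 local prefix"),
          ("authentication mode", "authentication mode")]

def mirror_problems(a_host, a_cfg, b_host, b_cfg):
    """List mismatches between a_host's entry for b_host and b_host's entry for a_host."""
    a, b = a_cfg.get(b_host), b_cfg.get(a_host)
    if a is None or b is None:
        return [f"missing peer entry: {a_host} has {sorted(a_cfg)}, {b_host} has {sorted(b_cfg)}"]
    problems = [f"{a_host} '{ka}'={a.get(ka)} != {b_host} '{kb}'={b.get(kb)}"
                for ka, kb in MIRROR if a.get(ka) != b.get(kb)]
    for host, cfg in ((a_host, a), (b_host, b)):
        if "dhcp-interface" not in cfg:      # article step 1: a fixed local-address goes stale
            problems.append(f"{host}: no dhcp-interface configured")
        if not cfg.get("authentication id", "").startswith("@"):   # article step 2
            problems.append(f"{host}: authentication id is not an @fqdn identity")
    return problems

def sample_config(peer, my_id, remote_id, local, remote):
    """Constructed stand-in for the relevant `show configuration commands` lines."""
    p = f"set vpn ipsec site-to-site peer {peer}"
    return [f"{p} authentication id {my_id}", f"{p} authentication mode pre-shared-secret",
            f"{p} authentication remote-id {remote_id}", f"{p} dhcp-interface eth0",
            f"{p} tunnel 1 local prefix {local}", f"{p} tunnel 1 remote prefix {remote}"]

# ER-R's remote-id carries a typo (".co" for ".com"), which the IKE identity check would reject.
ER_L = sample_config("er-r.ubnt.com", "@er-l.ubnt.com", "@er-r.ubnt.com", "192.168.1.0/24", "172.16.1.0/24")
ER_R = sample_config("er-l.ubnt.com", "@er-r.ubnt.com", "@er-l.ubnt.co", "172.16.1.0/24", "192.168.1.0/24")

if __name__ == "__main__":
    for problem in mirror_problems("er-l.ubnt.com", parse_peer(ER_L), "er-r.ubnt.com", parse_peer(ER_R)):
        print(problem)
```

Paste each router's real `show configuration commands | grep "site-to-site"` output in place of the constructed samples; an empty list means the two peer definitions mirror correctly.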

Related Articles


EdgeRouter - Policy-Based IPsec Site-to-Site VPN

EdgeRouter - Route-Based IPsec Site-to-Site VPN

Intro to Networking - How to Establish a Connection Using SSH
