×

EdgeRouter - Site-to-Site VPN Behind NAT

Overview

Readers will learn how to configure a Site-to-Site VPN between two EdgeRouters, where one of the devices is located behind NAT.

NOTES & REQUIREMENTS:
Applicable to the latest EdgeOS firmware on all EdgeRouter models. Please see the Related Articles below for more information.
Device used in this article:

Table of Contents

  1. Configuring the Policy-Based VPN
  2. Adding Authentication IDs
  3. Related Articles

Configuring the Policy-Based VPN

Back to Top

topology.png

ER-R is located behind the ISP modem and does not have its own routable public IP address.

Follow the steps below to configure the Policy-Based Site-to-Site IPsec VPN on both EdgeRouters:

GUI: Access the Web UI on ER-L.

1. Define the IPsec peer and hashing/encryption methods.

VPN > IPsec Site-to-Site > +Add Peer

  • Check: Show advanced options
  • Check: Automatically open firewall and exclude from NAT
Peer: 192.0.2.1
Description: ipsec
Local IP: 203.0.113.1
Encryption: AES-128
Hash: SHA1
DH Group: 14
Pre-shared Secret: <secret>
Local subnet: 192.168.1.0/24
Remote subnet: 172.16.1.0/24

2. Apply the changes.

GUI: Access the Web UI on ER-R.

1. Define the IPsec peer and the hashing/encryption methods.

VPN > IPsec Site-to-Site > +Add Peer

  • Check: Show advanced options
  • Check: Automatically open firewall and exclude from NAT
Peer: 203.0.113.1
Description: ipsec
Local IP: 0.0.0.0
Encryption: AES-128
Hash: SHA1
DH Group: 14
Pre-shared Secret: <secret>
Local subnet: 172.16.1.0/24
Remote subnet: 192.168.1.0/24

2. Apply the changes.

Adding Authentication IDs

Back to Top

The next step is to add an IPsec authentication ID on either ER-L or ER-R. This option influences which IP addresses will be used in the IPsec authentication process. Because ER-R is located behind a modem performing NAT services, the source IP address of the VPN (10.0.0.2) is translated to the 192.0.2.1 address. Choose either of the two following options to change the IPsec authentication IDs:

Set the private IP address (10.0.0.2) of ER-R as the remote Authentication ID on ER-L.

CLI: Access the Command Line Interface on ER-L.

1. Enter configuration mode.

configure

2. Configure the remote-id on ER-L using the private IP address value of ER-R (10.0.0.2).

set vpn ipsec site-to-site peer 192.0.2.1 authentication remote-id 10.0.0.2

3. Commit the changes and save the configuration.

commit ; save

Set the public IP address (192.0.2.1) of the modem as the local Authentication ID on ER-R.

CLI: Access the Command Line Interface on ER-R.

1. Enter configuration mode.

configure

2. Configure the (local) id on ER-R using the public IP address value of the ISP modem (192.0.2.1).

set vpn ipsec site-to-site peer 203.0.113.1 authentication id 192.0.2.1

3. Commit the changes and save the configuration.

commit ; save

Related Articles

Back to Top

EdgeRouter - Policy-Based Site-to-Site IPsec VPN

Intro to Networking - How to Establish a Connection Using SSH

Was this article helpful?
4 out of 6 found this helpful
Can't find what you're looking for?
Visit our worldwide community of Ubiquiti experts for more answers
Visit the Ubiquiti Community
Can't find what you're looking for?