EdgeRouter IPsec site-to-site config example – one site static IP, another site dynamic Internet IP and behind NAT

I’ve been using OpenVPN for years and enjoy the convenience that OpenVPN only requires one TCP or UDP port, which makes it fairly easy to set up even when one of the sites is behind NAT or has a dynamic IP. In comparison, setting up IPsec is more complicated in this case.

However, EdgeRouter hardware offloading does not support OpenVPN. In this example, we will set up an IPsec site-to-site tunnel between two EdgeRouters, where one site has a static IP and the other site uses a dynamic Internet IP and sits behind a NAT device (e.g. an ISP-provided router). In my case, the ISP-provided router is an Optus/Sagemcom router, and its example config is available in another article. If your environment is not that complicated, refer to the Ubiquiti help articles.

Environment

Site “S” with static IP

  • WAN (Internet) IP is 1.2.3.4
  • EdgeRouter LAN 192.168.11.254/24

Site “D” with dynamic IP

  • Internet IP: dynamic, with DDNS name site-d-ddns-host-name.kaosy.org
  • EdgeRouter WAN 192.168.0.2
  • EdgeRouter LAN 192.168.12.254/24

[      Site S      ]                [                      Site D                      ]
====================                ====================================================
LAN ----- EdgeRouter ----- Internet ----- ISP-provided router ----- EdgeRouter ----- LAN
         |          |                    |                   |     |          |
192.168.11.254/24   |                    |                   |  192.168.0.2  192.168.12.254/24
                    |                    |                   |
                    |                    |           192.168.0.1
                    |                    |
                  1.2.3.4      site-d-ddns-host-name.kaosy.org

Prerequisites:

IPsec VPN config

Site “S” with static IP

vpn {
    ipsec {
        auto-firewall-nat-exclude enable
        esp-group FOO0 {
            pfs dh-group14
            proposal 1 {
                encryption aes256
                hash sha256
            }
        }
        ike-group FOO0 {
            key-exchange ikev2
            proposal 1 {
                dh-group 14
                encryption aes256
                hash sha256
            }
        }
        site-to-site {
            peer site-d-ddns-host-name.kaosy.org {
                authentication {
                    id 1.2.3.4
                    mode pre-shared-secret
                    pre-shared-secret ****************
                    remote-id 192.168.0.2
                }
                connection-type initiate
                description auer
                ike-group FOO0
                local-address 1.2.3.4
                tunnel 1 {
                    esp-group FOO0
                    local {
                        prefix 192.168.11.0/24
                    }
                    remote {
                        prefix 192.168.12.0/24
                    }
                }
            }
        }
    }
}

Site “D” with dynamic IP behind NAT

vpn {
    ipsec {
        auto-firewall-nat-exclude enable
        esp-group FOO0 {
            pfs dh-group14
            proposal 1 {
                encryption aes256
                hash sha256
            }
        }
        ike-group FOO0 {
            key-exchange ikev2
            proposal 1 {
                dh-group 14
                encryption aes256
                hash sha256
            }
        }
        site-to-site {
            peer 1.2.3.4 {
                authentication {
                    id 192.168.0.2
                    mode pre-shared-secret
                    pre-shared-secret ****************
                    remote-id 1.2.3.4
                }
                connection-type initiate
                description twer
                dhcp-interface eth0
                ike-group FOO0
                tunnel 1 {
                    esp-group FOO0
                    local {
                        prefix 192.168.12.0/24
                    }
                    remote {
                        prefix 192.168.11.0/24
                    }
                }
            }
        }
    }
}

WAN_LOCAL rules

To allow each EdgeRouter to be reachable (e.g. via HTTPS or SSH for remote management) from the other site's LAN through the tunnel, consider adding the following WAN_LOCAL rules.

Site “S” with static IP

firewall {
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 99 {
            action accept
            description "Allow IPsec to EdgeRouter"
            destination {
                address 192.168.11.254
            }
            ipsec {
                match-ipsec
            }
            log disable
            protocol all
            source {
                address 192.168.12.0/24
            }
        }
    }
}

Site “D” with dynamic IP behind NAT

firewall {
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 99 {
            action accept
            description "Allow IPsec to EdgeRouter"
            destination {
                address 192.168.12.254
            }
            ipsec {
                match-ipsec
            }
            log disable
            protocol all
            source {
                address 192.168.11.0/24
            }
        }
    }
}
