Site-to-Site IPsec VPN on Ubiquiti EdgeRouter

Network Topology: Site A LAN 10.10.10.0/24 sits behind an EdgeRouter whose WAN (eth0) address is 66.66.66.xx; Site B LAN 10.10.20.0/24 sits behind an EdgeRouter whose WAN (eth0) address is 77.77.77.xx. A single policy-based IPsec tunnel carries traffic between the two LANs over the public WAN addresses.

Site A

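configure
# --- ESP (phase 2) policy -------------------------------------------------
# EdgeOS expects an explicit key size (aes128/aes256); a bare "aes" may be
# rejected at commit. SHA-1 is deprecated for new deployments, so use SHA-256.
set vpn ipsec esp-group SiteA
set vpn ipsec esp-group SiteA mode tunnel
set vpn ipsec esp-group SiteA pfs enable
set vpn ipsec esp-group SiteA proposal 1
set vpn ipsec esp-group SiteA proposal 1 encryption aes256
set vpn ipsec esp-group SiteA proposal 1 hash sha256
# Rekey the child SA (1 h) more often than the IKE SA (8 h, below).
set vpn ipsec esp-group SiteA lifetime 3600
# Compression before encryption can leak plaintext properties
# (compression-oracle attacks); keep it off.
set vpn ipsec esp-group SiteA compression disable
# --- IKE (phase 1) policy -------------------------------------------------
set vpn ipsec ike-group SiteA dead-peer-detection action restart
set vpn ipsec ike-group SiteA dead-peer-detection interval 30
set vpn ipsec ike-group SiteA dead-peer-detection timeout 60
# IKEv2 is preferred. Fall back to "ikev1" only if the peer firmware lacks
# IKEv2, and then never use aggressive mode with a pre-shared key.
set vpn ipsec ike-group SiteA key-exchange ikev2
set vpn ipsec ike-group SiteA lifetime 28800
set vpn ipsec ike-group SiteA proposal 1
set vpn ipsec ike-group SiteA proposal 1 encryption aes256
set vpn ipsec ike-group SiteA proposal 1 hash sha256
# DH group 2 (1024-bit MODP) is below current minimums; use group 14
# (2048-bit) or stronger. Must match the peer.
set vpn ipsec ike-group SiteA proposal 1 dh-group 14
# --- Global IPsec settings ------------------------------------------------
# Terminate IKE on the WAN interface. auto-firewall-nat-exclude makes EdgeOS
# install the WAN->Local IKE/ESP accept rules and the NAT exclusion for
# tunnel traffic itself. NAT-T (UDP 4500) is needed if either side is
# behind NAT. allow-nat-networks is disabled on the tunnel below, so no
# global nat-networks allowed-network entry is required.
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec auto-firewall-nat-exclude enable
set vpn ipsec nat-traversal enable
# --- Peer: Site B ---------------------------------------------------------
# Replace the PSK with a long random value (e.g. "openssl rand -base64 32"),
# configure the identical value on Site B, and do not reuse it elsewhere.
# "set" lines are stored in shell history and config.boot in the clear.
set vpn ipsec site-to-site peer 77.77.77.xx
set vpn ipsec site-to-site peer 77.77.77.xx connection-type initiate
set vpn ipsec site-to-site peer 77.77.77.xx authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 77.77.77.xx authentication pre-shared-secret REPLACE-WITH-LONG-RANDOM-SECRET
set vpn ipsec site-to-site peer 77.77.77.xx ike-group SiteA
set vpn ipsec site-to-site peer 77.77.77.xx local-address 66.66.66.xx
# Only traffic between the two LANs is selected into the tunnel; everything
# else stays outside it (no NATed or public networks are admitted).
set vpn ipsec site-to-site peer 77.77.77.xx tunnel 1
set vpn ipsec site-to-site peer 77.77.77.xx tunnel 1 esp-group SiteA
set vpn ipsec site-to-site peer 77.77.77.xx tunnel 1 local prefix 10.10.10.0/24
set vpn ipsec site-to-site peer 77.77.77.xx tunnel 1 remote prefix 10.10.20.0/24
set vpn ipsec site-to-site peer 77.77.77.xx tunnel 1 allow-nat-networks disable
set vpn ipsec site-to-site peer 77.77.77.xx tunnel 1 allow-public-networks disable
commit
save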

Site B

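configure
# --- ESP (phase 2) policy -------------------------------------------------
# EdgeOS expects an explicit key size (aes128/aes256); a bare "aes" may be
# rejected at commit. SHA-1 is deprecated for new deployments, so use SHA-256.
set vpn ipsec esp-group SiteB
set vpn ipsec esp-group SiteB mode tunnel
set vpn ipsec esp-group SiteB pfs enable
set vpn ipsec esp-group SiteB proposal 1
set vpn ipsec esp-group SiteB proposal 1 encryption aes256
set vpn ipsec esp-group SiteB proposal 1 hash sha256
# Rekey the child SA (1 h) more often than the IKE SA (8 h, below).
set vpn ipsec esp-group SiteB lifetime 3600
# Compression before encryption can leak plaintext properties
# (compression-oracle attacks); keep it off.
set vpn ipsec esp-group SiteB compression disable
# --- IKE (phase 1) policy -------------------------------------------------
set vpn ipsec ike-group SiteB dead-peer-detection action restart
set vpn ipsec ike-group SiteB dead-peer-detection interval 30
set vpn ipsec ike-group SiteB dead-peer-detection timeout 60
# IKEv2 is preferred. Fall back to "ikev1" only if the peer firmware lacks
# IKEv2, and then never use aggressive mode with a pre-shared key.
set vpn ipsec ike-group SiteB key-exchange ikev2
set vpn ipsec ike-group SiteB lifetime 28800
set vpn ipsec ike-group SiteB proposal 1
set vpn ipsec ike-group SiteB proposal 1 encryption aes256
set vpn ipsec ike-group SiteB proposal 1 hash sha256
# DH group 2 (1024-bit MODP) is below current minimums; use group 14
# (2048-bit) or stronger. Must match the peer.
set vpn ipsec ike-group SiteB proposal 1 dh-group 14
# --- Global IPsec settings ------------------------------------------------
# Terminate IKE on the WAN interface. auto-firewall-nat-exclude makes EdgeOS
# install the WAN->Local IKE/ESP accept rules and the NAT exclusion for
# tunnel traffic itself. NAT-T (UDP 4500) is needed if either side is
# behind NAT. allow-nat-networks is disabled on the tunnel below, so no
# global nat-networks allowed-network entry is required.
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec auto-firewall-nat-exclude enable
set vpn ipsec nat-traversal enable
# --- Peer: Site A ---------------------------------------------------------
# The PSK must be byte-identical to the one configured on Site A: long,
# random (e.g. "openssl rand -base64 32") and not reused elsewhere.
# "set" lines are stored in shell history and config.boot in the clear.
set vpn ipsec site-to-site peer 66.66.66.xx
set vpn ipsec site-to-site peer 66.66.66.xx connection-type initiate
set vpn ipsec site-to-site peer 66.66.66.xx authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 66.66.66.xx authentication pre-shared-secret REPLACE-WITH-LONG-RANDOM-SECRET
set vpn ipsec site-to-site peer 66.66.66.xx ike-group SiteB
set vpn ipsec site-to-site peer 66.66.66.xx local-address 77.77.77.xx
# Only traffic between the two LANs is selected into the tunnel; everything
# else stays outside it (no NATed or public networks are admitted).
set vpn ipsec site-to-site peer 66.66.66.xx tunnel 1
set vpn ipsec site-to-site peer 66.66.66.xx tunnel 1 esp-group SiteB
set vpn ipsec site-to-site peer 66.66.66.xx tunnel 1 local prefix 10.10.20.0/24
set vpn ipsec site-to-site peer 66.66.66.xx tunnel 1 remote prefix 10.10.10.0/24
set vpn ipsec site-to-site peer 66.66.66.xx tunnel 1 allow-nat-networks disable
set vpn ipsec site-to-site peer 66.66.66.xx tunnel 1 allow-public-networks disable
commit
save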

Check List

  1. Create the source NAT (masquerade) rule for LAN to WAN on eth0 at each site.
  2. Exclude tunnel traffic from that masquerade rule. NAT runs before the IPsec policy is applied, so un-excluded packets are rewritten to the WAN address and never match the tunnel selectors:
    • Site A: exclude destination 10.10.20.0/24
    • Site B: exclude destination 10.10.10.0/24
  3. Configure the firewall to allow IKE (UDP 500), NAT-T (UDP 4500) and ESP (IP protocol 50) from WAN to Local on each router.
  With `auto-firewall-nat-exclude enable` (as in the configurations above) EdgeOS installs the rules for items 2 and 3 automatically; do them by hand only if you disable that option.
  4. Verify with `show vpn ike sa` and `show vpn ipsec sa`, then test with a ping from a 10.10.10.0/24 host to a 10.10.20.0/24 host.