Ipsec Site-to-site Vpn

  • Reconnect to VPN using restart vpn or clear vpn ipsec-peer <peername>
  • Generate a temporary passphrase to use as the pre-shared secret
  • Set up vpn.site-l.com and vpn.site-r.com as CNAMEs to the root domain for the sites and use those as the peer names
  • On each of the routers, configure the VPN as below, swapping the FQDNs and subnets as required
  • VPN > IPsec Site-to-Site
    • Show advanced options
    • Automatically open firewall and exclude from NAT
    • + Add Peer
      • Peer > FQDN of remote router e.g. vpn.site-r.com
      • Description > ipsec
      • Local IP > 0.0.0.0
      • Encryption > AES-128
      • Hash > SHA1
      • DH Group > 14
      • Pre-shared Secret > <secret>
      • Local subnet > e.g. 10.0.0.0/24
      • Remote subnet > e.g. 10.0.1.0/24
  • Even with the Automatically open firewall and exclude from NAT option, the ER's own LAN interface is not reachable through the VPN; the following WAN_LOCAL rule fixes that:
  • Firewall/NAT > Firewall Policies > WAN_LOCAL > Actions > Edit Ruleset > Add New Rule
  • Basic > Description > ipsec
  • Advanced > IPsec > Match inbound IPsec packets
  • Source > Address > Remote subnet e.g. 10.0.1.0/24
  • Destination > Address > Local subnet e.g. 10.0.0.0/24
  • Save
  • The above should give a working site-to-site VPN connection; the commands below add extra useful features
  • Run the following on each of the routers, replacing hostnames as appropriate (the commands shown are for er-l):
# Run this generate command on each of the routers first and copy the public key to paste into the other router's settings
generate vpn rsa-key

configure

# IPsec hardware offloading
set system offload ipsec enable

# Use domain-specific DNS across the VPN
set service dns forwarding listen-on eth0 # (Or pppoe0 if using PPPoE)
set service dns forwarding options server=/example.com/<remote DNS server IP in the remote subnet, e.g. 10.0.1.1>
set service dns forwarding options server=/vpn.example.com/#

# Change hashing and encryption settings
set vpn ipsec ike-group FOO0 proposal 1 encryption aes256
set vpn ipsec ike-group FOO0 proposal 1 hash sha256
set vpn ipsec ike-group FOO0 lifetime 86400

set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash md5 # (sha256 is also accepted for the esp-group hash if the remote side supports it)
set vpn ipsec esp-group FOO0 lifetime 43200
set vpn ipsec esp-group FOO0 pfs disable

# Change IKE Key Exchange from version 1 to version 2
set vpn ipsec ike-group FOO0 key-exchange ikev2

# Enable Dead Peer Detection (DPD)
set vpn ipsec ike-group FOO0 dead-peer-detection action restart
set vpn ipsec ike-group FOO0 dead-peer-detection interval 30
set vpn ipsec ike-group FOO0 dead-peer-detection timeout 120

# Authentication IDs
set vpn ipsec site-to-site peer er-r.ubnt.com authentication id @er-l.ubnt.com
set vpn ipsec site-to-site peer er-r.ubnt.com authentication remote-id @er-r.ubnt.com

# RSA Authentication
set vpn rsa-keys local-key file /config/ipsec.d/rsa-keys/localhost.key
set vpn rsa-keys rsa-key-name er-r rsa-key <er-r public key>

delete vpn ipsec site-to-site peer er-r.ubnt.com authentication mode
delete vpn ipsec site-to-site peer er-r.ubnt.com authentication pre-shared-secret

set vpn ipsec site-to-site peer er-r.ubnt.com authentication mode rsa
set vpn ipsec site-to-site peer er-r.ubnt.com authentication rsa-key-name er-r

commit; save
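As an added example (not part of the original page), the following Python audits EdgeOS-style `set vpn ipsec ...` lines like those above before they are committed: it parses them into a tree and reports the legacy hash, IKEv1 and disabled-PFS choices a practitioner would want to review. The sample configuration is constructed from the CLI block above; the set of "legacy" hashes is an assumed local policy, not an EdgeOS default.

```python
"""Audit EdgeOS-style IPsec 'set' commands for legacy proposal choices.
Added example, not from the original page: it parses 'set vpn ipsec ...'
lines like those above and lists settings to review before 'commit; save'."""

LEGACY_HASHES = {"md5", "sha1"}   # assumption: local policy, not an EdgeOS default
# Constructed sample: the ike/esp settings from the CLI block above, with RSA auth
SAMPLE_CONFIG = """
set vpn ipsec ike-group FOO0 proposal 1 encryption aes256
set vpn ipsec ike-group FOO0 proposal 1 hash sha256
set vpn ipsec ike-group FOO0 key-exchange ikev2
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash md5
set vpn ipsec esp-group FOO0 pfs disable
set vpn ipsec site-to-site peer er-r.ubnt.com authentication mode rsa
"""

def parse_set_commands(text):
    """Turn 'set a b c value' lines into a nested dict {a: {b: {c: value}}}."""
    tree = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # shell-style comments are dropped
        if not line.startswith("set "):
            continue                               # skip configure/commit/delete lines
        parts = line.split()[1:]
        node = tree
        for key in parts[:-2]:                     # walk/create the path
            node = node.setdefault(key, {})
        node[parts[-2]] = parts[-1]                # final two tokens: leaf and value
    return tree

def audit_ipsec(tree):
    """Return (scope, issue) findings for the parsed 'vpn ipsec' subtree."""
    findings = []
    ipsec = tree.get("vpn", {}).get("ipsec", {})
    for kind in ("ike-group", "esp-group"):
        for name, group in ipsec.get(kind, {}).items():
            scope = f"{kind} {name}"
            for pnum, prop in group.get("proposal", {}).items():
                if prop.get("hash") in LEGACY_HASHES:
                    findings.append((scope, f"proposal {pnum} hash {prop['hash']} is legacy"))
            # EdgeOS runs IKEv1 unless key-exchange ikev2 is set, as the page does
            if kind == "ike-group" and group.get("key-exchange", "ikev1") != "ikev2":
                findings.append((scope, "IKEv1 in use; set key-exchange ikev2"))
            if kind == "esp-group" and group.get("pfs") == "disable":
                findings.append((scope, "pfs disable: ESP keys are not forward-secret"))
    for peer, conf in ipsec.get("site-to-site", {}).get("peer", {}).items():
        if conf.get("authentication", {}).get("mode") == "pre-shared-secret":
            findings.append((f"peer {peer}", "pre-shared-secret auth; RSA mode is available"))
    return findings
```

Calling `audit_ipsec(parse_set_commands(SAMPLE_CONFIG))` on the sample reports the md5 ESP hash and the disabled PFS, and nothing for the IKEv2/sha256/RSA settings.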
  • One of the routers was behind PPPoE, so TCP MSS clamping needed enabling on both routers to get HTTPS sites working through the VPN:
    • Wizards > TCP MSS clamping
      • Enable
      • On the router with PPPoE:
        • Deselect All
        • Select PPPoE
      • MSS > 1382
  • Or in the CLI:
configure
# On the router with PPPoE:
set firewall options mss-clamp interface-type PPPoE
# On the router without PPPoE:
set firewall options mss-clamp interface-type all
set firewall options mss-clamp mss 1382
commit
save
ubnt/ipsec_site-to-site_vpn.txt · Last modified: 2019/09/17 07:53 by derek