
IPsec Site-to-Site VPN

  • Reconnect to VPN using clear vpn ipsec-peer <peername>

  • Check that IPsec hardware offloading is enabled with show ubnt offload; if it is not, run set system offload ipsec enable in the CLI.

  • Generate a passphrase to use as the pre-shared secret
  • On each of the routers, configure the VPN as below switching the FQDN and subnets as required
  • VPN > IPsec Site-to-Site
    • Show advanced options
    • Automatically open firewall and exclude from NAT
    • + Add Peer
      • Peer > FQDN of remote router e.g. er-l.ubnt.com
      • Description > ipsec
      • Local IP > 0.0.0.0
      • Encryption > AES-128
      • Hash > SHA1
      • DH Group > 14
      • Pre-shared Secret > <secret>
      • Local subnet > e.g. 10.0.0.0/24
      • Remote subnet > e.g. 10.0.1.0/24
  • Even with the Automatically open firewall and exclude from NAT option, the ER's LAN interface is not reachable through the VPN; adding this WAN_LOCAL rule fixes that:
    • Firewall/NAT > Firewall Policies > WAN_LOCAL > Actions > Edit Ruleset > Add New Rule
    • Basic > Description > ipsec
    • Advanced > IPsec > Match inbound IPsec packets
    • Source > Address > Remote subnet e.g. 10.0.0.0/24
    • Destination > Address > Local subnet e.g. 10.0.1.0/24
    • Save
  • FIXME: TODO Change from pre-shared key to certificate-based authentication.
generate vpn rsa-key

configure
set vpn rsa-keys local-key file /config/ipsec.d/rsa-keys/localhost.key
set vpn rsa-keys rsa-key-name er-l rsa-key <er-l public key>

delete vpn ipsec site-to-site peer er-l.ubnt.com authentication mode
delete vpn ipsec site-to-site peer er-l.ubnt.com authentication pre-shared-secret

set vpn ipsec site-to-site peer er-l.ubnt.com authentication mode rsa
set vpn ipsec site-to-site peer er-l.ubnt.com authentication rsa-key-name er-l
  • Use domain-specific DNS across the VPN
    • Set up vpn.example1.com and vpn.example2.com as CNAMEs to the root domain and use those as the peer names
    • Set the following on both routers:
      • set service dns forwarding listen-on eth0 (or pppoe0 if using PPPoE)
      • set service dns forwarding options server=/example.com/<remote subset>
      • set service dns forwarding options server=/vpn.example.com/#
  • One of the routers was behind PPPoE, so TCP MSS clamping had to be enabled on both routers to get HTTPS sites working through the VPN:
    • Wizards > TCP MSS clamping
      • Enable
      • Deselect All
      • Select PPPoE
      • MSS > 1382
  • Or in the CLI:
configure
set firewall options mss-clamp interface-type all
set firewall options mss-clamp mss 1382
commit
save
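The GUI steps above (peer, proposals, WAN_LOCAL rule, DNS forwarding and MSS clamp) all have CLI equivalents, and the two routers need mirror-image values with the same pre-shared secret. The script below is an added example, not from this page or from Ubiquiti: it generates a fresh secret once and emits the EdgeOS set commands for both routers with the subnets and peer FQDNs swapped. The ike-group/esp-group name FOO0, the rule number 30 and the exact command syntax are assumptions to check against show configuration commands on your own EdgeOS release; the constructed values (10.0.0.0/24, 10.0.1.0/24, er-l.ubnt.com, example.com) are placeholders.

```shell
#!/bin/sh
# Added example (not from the page or from Ubiquiti): print the EdgeOS "set"
# commands that mirror the GUI steps above, once per router with local/remote
# values swapped. Paste each block into "configure" on the matching router.
# Assumed (verify on your release): group name FOO0, WAN_LOCAL rule number 30,
# and the command syntax itself.

# Random 32-character alphanumeric pre-shared secret; alphanumeric only so it
# needs no quoting in the CLI. Generate it ONCE and use it on both routers.
make_psk() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 32
}

# gen_edgeos_config LOCAL_SUBNET REMOTE_SUBNET REMOTE_PEER_FQDN PSK WAN_IF DOMAIN REMOTE_DNS
# Emits the configuration for ONE router. Fails if both subnets are identical,
# because the tunnel selectors would then never match any cross-site traffic.
gen_edgeos_config() {
    local_subnet=$1; remote_subnet=$2; remote_peer=$3; psk=$4
    wan_if=$5; domain=$6; remote_dns=$7
    if [ "$local_subnet" = "$remote_subnet" ]; then
        echo "error: local and remote subnets must differ" >&2
        return 1
    fi
    # Lines starting with '#' are ignored by the configure shell when pasted.
    cat <<EOF
configure
# IKE/ESP proposals matching the GUI choices: AES-128, SHA1, DH group 14
set vpn ipsec ike-group FOO0 key-exchange ikev1
set vpn ipsec ike-group FOO0 proposal 1 dh-group 14
set vpn ipsec ike-group FOO0 proposal 1 encryption aes128
set vpn ipsec ike-group FOO0 proposal 1 hash sha1
set vpn ipsec esp-group FOO0 pfs enable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash sha1
# "Automatically open firewall and exclude from NAT" and the WAN interface
set vpn ipsec auto-firewall-nat-exclude enable
set vpn ipsec ipsec-interfaces interface $wan_if
# Peer: remote router's FQDN, local IP 0.0.0.0, pre-shared secret
set vpn ipsec site-to-site peer $remote_peer description ipsec
set vpn ipsec site-to-site peer $remote_peer local-address 0.0.0.0
set vpn ipsec site-to-site peer $remote_peer ike-group FOO0
set vpn ipsec site-to-site peer $remote_peer authentication mode pre-shared-secret
set vpn ipsec site-to-site peer $remote_peer authentication pre-shared-secret $psk
set vpn ipsec site-to-site peer $remote_peer tunnel 1 esp-group FOO0
set vpn ipsec site-to-site peer $remote_peer tunnel 1 local prefix $local_subnet
set vpn ipsec site-to-site peer $remote_peer tunnel 1 remote prefix $remote_subnet
# WAN_LOCAL rule so the router's own LAN address is reachable through the tunnel
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description ipsec
set firewall name WAN_LOCAL rule 30 ipsec match-ipsec
set firewall name WAN_LOCAL rule 30 source address $remote_subnet
set firewall name WAN_LOCAL rule 30 destination address $local_subnet
# Domain-specific DNS forwarding across the VPN
set service dns forwarding listen-on $wan_if
set service dns forwarding options server=/$domain/$remote_dns
set service dns forwarding options server=/vpn.$domain/#
# TCP MSS clamping (needed when either side is on PPPoE)
set firewall options mss-clamp interface-type all
set firewall options mss-clamp mss 1382
commit
save
EOF
}

# Constructed sample run: site A is 10.0.0.0/24 behind er-a, site B is
# 10.0.1.0/24 behind er-l.ubnt.com; the same secret goes to both routers.
PSK=$(make_psk)
echo "### Router A (paste on the 10.0.0.0/24 side)"
gen_edgeos_config 10.0.0.0/24 10.0.1.0/24 er-l.ubnt.com "$PSK" eth0 example.com 10.0.1.1
echo "### Router B (paste on the 10.0.1.0/24 side)"
gen_edgeos_config 10.0.1.0/24 10.0.0.0/24 er-a.example.com "$PSK" pppoe0 example.com 10.0.0.1
```

The secret is printed in clear because it has to be typed into both routers anyway; run the script somewhere you would be happy to keep the PSK, and clear your scrollback afterwards. Swapping the subnet arguments is the only difference between the two outputs, which is exactly the "switching the FQDN and subnets as required" step above.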
ubnt/ipsec_site-to-site_vpn.txt · Last modified: 2019/02/01 14:09 by derek