### Initial Setup ###

- On hard reset the IP is 192.168.1.1 and there is no DHCP server. Default user/pass is ubnt/ubnt.
- On the EdgeRouter X / EdgeRouter Lite, initial access is via eth0.
- Use the Wizard and choose: WAN+2LAN2 -> eth0 = WAN, all others LAN(s)
- Set Time/Date. (Note: if using for a VPN server only, add a gateway and nameservers pointing to the existing router.)

### GRE over IPSEC ###

EoGRE over IPsec, based on https://help.ubnt.com/hc/en-us/articles/204961754-EdgeRouter-EoGRE-Layer-2-Tunnel

CLI on ER-L (the left router, WAN address 50.245.163.172):

1. Enter configuration mode.

```
configure
```

2. Create the bridged (br0) interface.

```
set interfaces bridge br0
```

3. Optional: Assign an IP address to the br0 interface.

```
set interfaces bridge br0 address 192.168.1.1/24
```

4. Create a loopback interface that will be used for the local and remote tunnel endpoints.

```
set interfaces loopback lo address 10.255.12.1/32
```

5. Create the tunnel interface and define the local and remote tunnel endpoints.

```
set interfaces tunnel tun0 local-ip 10.255.12.1
set interfaces tunnel tun0 remote-ip 10.255.12.2
```

6. Define the tunnel encapsulation method.

```
set interfaces tunnel tun0 encapsulation gre-bridge
```

7. Add the tunnel interface (tun0) and the LAN interface (eth1) to the bridge.

```
set interfaces tunnel tun0 bridge-group bridge br0
set interfaces ethernet eth1 bridge-group bridge br0
```

8. Create the IPsec VPN and define the local and remote subnets that correspond with the tunnel endpoints.

```
set vpn ipsec auto-firewall-nat-exclude enable
set vpn ipsec esp-group ESP-EUSU1 lifetime 3600
set vpn ipsec esp-group ESP-EUSU1 pfs enable
set vpn ipsec esp-group ESP-EUSU1 proposal 1 encryption aes256
set vpn ipsec esp-group ESP-EUSU1 proposal 1 hash sha256
set vpn ipsec ike-group IKE-EUSU1 lifetime 28800
set vpn ipsec ike-group IKE-EUSU1 proposal 1 dh-group 14
set vpn ipsec ike-group IKE-EUSU1 proposal 1 encryption aes256
set vpn ipsec ike-group IKE-EUSU1 proposal 1 hash sha256
set vpn ipsec site-to-site peer 50.245.163.173 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 50.245.163.173 authentication pre-shared-secret SomeSuperSecretPassword###HashHashHashPoundPoundPound
set vpn ipsec site-to-site peer 50.245.163.173 description ipsec
set vpn ipsec site-to-site peer 50.245.163.173 ike-group IKE-EUSU1
set vpn ipsec site-to-site peer 50.245.163.173 local-address 50.245.163.172
set vpn ipsec site-to-site peer 50.245.163.173 tunnel 1 esp-group ESP-EUSU1
set vpn ipsec site-to-site peer 50.245.163.173 tunnel 1 local prefix 10.255.12.1/32
set vpn ipsec site-to-site peer 50.245.163.173 tunnel 1 remote prefix 10.255.12.2/32
```

Optional: use a DNS name for the ER-L router IPSEC connection. Replace the static local-address with the WAN DHCP interface, so the IPsec local address follows whatever eth0 is assigned; the DNS name of this router (50.245.163.172) is testing-left.haddentech.com. (done)

```
delete vpn ipsec site-to-site peer 50.245.163.173 local-address
set vpn ipsec site-to-site peer 50.245.163.173 dhcp-interface eth0
```

9. Commit the changes and save the configuration.

```
commit ; save
exit
```

CLI: Access the command line interface on ER-R. You can do this using the CLI button in the GUI or by using a program such as PuTTY.

1. Enter configuration mode.

```
configure
```

2. Create the bridged (br0) interface.

```
set interfaces bridge br0
```

3. Optional: Assign an IP address to the br0 interface.

```
set interfaces bridge br0 address 192.168.1.2/24
```

4. Create a loopback interface that will be used for the local and remote tunnel endpoints.

```
set interfaces loopback lo address 10.255.12.2/32
```

5. Create the tunnel interface and define the local and remote tunnel endpoints.

```
set interfaces tunnel tun0 local-ip 10.255.12.2
set interfaces tunnel tun0 remote-ip 10.255.12.1
```

6. Define the tunnel encapsulation method.

```
set interfaces tunnel tun0 encapsulation gre-bridge
```

7. Add the tunnel interface (tun0) and the LAN interface (eth1) to the bridge.

```
set interfaces tunnel tun0 bridge-group bridge br0
set interfaces ethernet eth1 bridge-group bridge br0
```

8. Create the IPsec VPN and define the local and remote subnets that correspond with the tunnel endpoints.

```
set vpn ipsec auto-firewall-nat-exclude enable
set vpn ipsec esp-group ESP-EUSU1 lifetime 3600
set vpn ipsec esp-group ESP-EUSU1 pfs enable
set vpn ipsec esp-group ESP-EUSU1 proposal 1 encryption aes256
set vpn ipsec esp-group ESP-EUSU1 proposal 1 hash sha256
set vpn ipsec ike-group IKE-EUSU1 lifetime 28800
set vpn ipsec ike-group IKE-EUSU1 proposal 1 dh-group 14
set vpn ipsec ike-group IKE-EUSU1 proposal 1 encryption aes256
set vpn ipsec ike-group IKE-EUSU1 proposal 1 hash sha256
set vpn ipsec site-to-site peer 50.245.163.172 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 50.245.163.172 authentication pre-shared-secret SomeSuperSecretPassword###HashHashHashPoundPoundPound
set vpn ipsec site-to-site peer 50.245.163.172 description ipsec
set vpn ipsec site-to-site peer 50.245.163.172 ike-group IKE-EUSU1
set vpn ipsec site-to-site peer 50.245.163.172 local-address 50.245.163.173
set vpn ipsec site-to-site peer 50.245.163.172 tunnel 1 esp-group ESP-EUSU1
set vpn ipsec site-to-site peer 50.245.163.172 tunnel 1 local prefix 10.255.12.2/32
set vpn ipsec site-to-site peer 50.245.163.172 tunnel 1 remote prefix 10.255.12.1/32
```

Optional: connect to the DNS-named peer instead of the static IP (this goes with the dhcp-interface change on ER-L above). (done)

```
set vpn ipsec site-to-site peer testing-left.haddentech.com authentication mode pre-shared-secret
set vpn ipsec site-to-site peer testing-left.haddentech.com authentication pre-shared-secret SomeSuperSecretPassword###HashHashHashPoundPoundPound
set vpn ipsec site-to-site peer testing-left.haddentech.com description ipsec
set vpn ipsec site-to-site peer testing-left.haddentech.com ike-group IKE-EUSU1
set vpn ipsec site-to-site peer testing-left.haddentech.com local-address 50.245.163.173
set vpn ipsec site-to-site peer testing-left.haddentech.com tunnel 1 esp-group ESP-EUSU1
set vpn ipsec site-to-site peer testing-left.haddentech.com tunnel 1 local prefix 10.255.12.2/32
set vpn ipsec site-to-site peer testing-left.haddentech.com tunnel 1 remote prefix 10.255.12.1/32
```

9. Commit the changes and save the configuration.

```
commit ; save
exit
```

### Check Status of IPSEC and GRE ###

1. Show IPSEC VPN status

```
show vpn ipsec sa
```

2. Show GRE tunnel status

```
show interfaces tunnel tun0
show interfaces tunnel tun0 brief
```

### Find correct MTU and MSS clamping value ###

If an incorrect value is set, small packets still get through, so things like ping and telnet will work, but if you try to browse to a website or use FTP it won't load or will be extremely slow.

1. How to find the correct MTU: https://kb.netgear.com/19863/Ping-Test-to-determine-Optimal-MTU-Size-on-Router. Your MSS clamping value should be 40 less than your MTU.

2. Set your values (these were found using Comcast to Comcast cable connections):

```
set interfaces tunnel tun0 mtu 1340
set firewall options mss-clamp interface-type all
set firewall options mss-clamp mss 1300
set system offload ipv4 forwarding enable
set system offload ipv4 gre enable
set system offload ipv4 vlan enable
set system offload ipv6 forwarding enable
set system offload ipv6 vlan enable
set system offload ipsec enable
```
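The ER-L and ER-R configurations in the GRE over IPSEC section are hand-mirrored copies of each other, and a single swapped or mistyped value (a remote prefix that is not the other side's local prefix, a tun0 endpoint that differs from the IPsec prefix, a pre-shared secret that does not match) leaves `show vpn ipsec sa` with no SA and nothing to say about why. The following Python script is an added example, not part of this page or of Ubiquiti's article: it parses `set ...` lines pasted from both routers and reports every value that has to be the other side's counterpart but is not. The embedded LEFT and RIGHT configs are trimmed copies of the page's ER-L/ER-R listings (static-address variant); RIGHT_TYPO is a constructed copy with one transposed digit.

```python
"""Cross-check that two EdgeOS site-to-site peers mirror each other (added example)."""

PEER = ("vpn", "ipsec", "site-to-site", "peer")


def parse_set_lines(text):
    """Map each `set a b c value` line to {("a", "b", "c"): "value"}."""
    cfg = {}
    for raw in text.splitlines():
        words = raw.strip().split()
        if len(words) < 3 or words[0] != "set":
            continue  # skip blanks, `delete`, `commit`, comments
        cfg[tuple(words[1:-1])] = words[-1]
    return cfg


def subtree(cfg, path):
    """Everything under `path`, keyed by the remaining path components."""
    n = len(path)
    return {k[n:]: v for k, v in cfg.items() if k[:n] == path}


def side(cfg):
    """Pull out the fields on one router that must line up with the other."""
    peers = {k[4] for k in cfg if k[:4] == PEER}
    if len(peers) != 1:
        raise ValueError(f"expected exactly one peer, found {sorted(peers)}")
    peer = peers.pop()
    p = subtree(cfg, PEER + (peer,))
    t = subtree(cfg, ("interfaces", "tunnel", "tun0"))
    return {
        "peer": peer,
        "local_address": p.get(("local-address",)),
        "psk": p.get(("authentication", "pre-shared-secret")),
        "ike": subtree(cfg, ("vpn", "ipsec", "ike-group", p[("ike-group",)])),
        "esp": subtree(cfg, ("vpn", "ipsec", "esp-group", p[("tunnel", "1", "esp-group")])),
        "local_prefix": p.get(("tunnel", "1", "local", "prefix")),
        "remote_prefix": p.get(("tunnel", "1", "remote", "prefix")),
        "tun_local": t.get(("local-ip",)),
        "tun_remote": t.get(("remote-ip",)),
    }


def check_mirror(left_text, right_text):
    """Return a list of mismatch descriptions; an empty list means the pair lines up."""
    a, b = side(parse_set_lines(left_text)), side(parse_set_lines(right_text))
    problems = []

    def expect(cond, msg):
        if not cond:
            problems.append(msg)

    expect(a["psk"] and a["psk"] == b["psk"], "pre-shared secrets differ")
    expect(a["ike"] == b["ike"], "IKE group proposals differ")
    expect(a["esp"] == b["esp"], "ESP group proposals differ")
    expect(a["local_prefix"] == b["remote_prefix"] and a["remote_prefix"] == b["local_prefix"],
           "tunnel 1 local/remote prefixes are not mirrored")
    expect(a["tun_local"] == b["tun_remote"] and a["tun_remote"] == b["tun_local"],
           "tun0 local-ip/remote-ip are not mirrored")
    for name, s in (("left", a), ("right", b)):
        expect(s["local_prefix"] == f"{s['tun_local']}/32",
               f"{name}: tunnel 1 local prefix is not tun0 local-ip/32")
    # Only meaningful when both sides use a static local-address (not dhcp-interface / DNS peer).
    if a["local_address"] and b["local_address"]:
        expect(a["peer"] == b["local_address"] and b["peer"] == a["local_address"],
               "each peer address must equal the other side's local-address")
    return problems


# Trimmed from the page's ER-L listing (static-address variant).
LEFT = """
set interfaces tunnel tun0 local-ip 10.255.12.1
set interfaces tunnel tun0 remote-ip 10.255.12.2
set vpn ipsec esp-group ESP-EUSU1 proposal 1 encryption aes256
set vpn ipsec ike-group IKE-EUSU1 proposal 1 dh-group 14
set vpn ipsec site-to-site peer 50.245.163.173 authentication pre-shared-secret SomeSuperSecretPassword###HashHashHashPoundPoundPound
set vpn ipsec site-to-site peer 50.245.163.173 ike-group IKE-EUSU1
set vpn ipsec site-to-site peer 50.245.163.173 local-address 50.245.163.172
set vpn ipsec site-to-site peer 50.245.163.173 tunnel 1 esp-group ESP-EUSU1
set vpn ipsec site-to-site peer 50.245.163.173 tunnel 1 local prefix 10.255.12.1/32
set vpn ipsec site-to-site peer 50.245.163.173 tunnel 1 remote prefix 10.255.12.2/32
"""
# Trimmed from the page's ER-R listing.
RIGHT = """
set interfaces tunnel tun0 local-ip 10.255.12.2
set interfaces tunnel tun0 remote-ip 10.255.12.1
set vpn ipsec esp-group ESP-EUSU1 proposal 1 encryption aes256
set vpn ipsec ike-group IKE-EUSU1 proposal 1 dh-group 14
set vpn ipsec site-to-site peer 50.245.163.172 authentication pre-shared-secret SomeSuperSecretPassword###HashHashHashPoundPoundPound
set vpn ipsec site-to-site peer 50.245.163.172 ike-group IKE-EUSU1
set vpn ipsec site-to-site peer 50.245.163.172 local-address 50.245.163.173
set vpn ipsec site-to-site peer 50.245.163.172 tunnel 1 esp-group ESP-EUSU1
set vpn ipsec site-to-site peer 50.245.163.172 tunnel 1 local prefix 10.255.12.2/32
set vpn ipsec site-to-site peer 50.245.163.172 tunnel 1 remote prefix 10.255.12.1/32
"""
# Constructed: one transposed digit in the remote prefix, the kind of slip that produces no SA.
RIGHT_TYPO = RIGHT.replace("remote prefix 10.255.12.1/32", "remote prefix 10.255.21.1/32")

if __name__ == "__main__":
    for name, cfg in (("as listed", RIGHT), ("with typo", RIGHT_TYPO)):
        print(name + ":", check_mirror(LEFT, cfg) or "mirrored OK")
```

Paste the output of `show configuration commands` from each router into the two strings (or read them from files) before the tunnel is brought up; the check is deliberately one-sided about `local-address`, because the DNS/dhcp-interface variant on the page has no static address on ER-L to compare against.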
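The MTU test in step 1 of the MTU/MSS section is a ping with the don't-fragment bit set and a growing payload: the largest payload that still gets a reply, plus 28 bytes of IPv4 and ICMP headers, is the path MTU, and the MSS clamp is that MTU minus the 40 bytes of IPv4 and TCP headers, which is where the "40 less than your MTU" rule comes from. The script below is an added example, not from this page or the Netgear KB: it binary-searches the payload instead of stepping by hand and derives the three EdgeOS lines from the result. `linux_df_probe`, which shells out to iputils `ping -M do`, is an assumed helper for use on a Linux host and is not exercised offline; `simulated_link` is a constructed stand-in for the real path, set to a 1340-byte MTU so the output reproduces the page's 1340/1300 values.

```python
"""Path-MTU probe and MSS clamp derivation (added example, not the page's own tooling)."""
import subprocess

ICMP_OVERHEAD = 28      # 20-byte IPv4 header + 8-byte ICMP header; `ping -s` counts payload only
TCP_IPV4_OVERHEAD = 40  # 20-byte IPv4 header + 20-byte TCP header, hence MSS = MTU - 40


def largest_passing_payload(probe, low=0, high=1472):
    """Binary-search the largest payload for which probe(payload) is True.

    probe must be monotone (if a size passes, every smaller size passes too),
    which holds for DF pings. `high` defaults to the payload that fills a
    1500-byte Ethernet frame.
    """
    if not probe(low):
        raise RuntimeError("even the smallest DF ping failed; check reachability first")
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid
        else:
            high = mid - 1
    return low


def path_mtu(probe):
    """Path MTU in bytes: largest passing ICMP payload plus IPv4 + ICMP headers."""
    return largest_passing_payload(probe) + ICMP_OVERHEAD


def mss_for(mtu):
    """MSS clamp value for an IPv4 TCP segment that must fit in `mtu`."""
    return mtu - TCP_IPV4_OVERHEAD


def edgeos_mtu_commands(mtu, tunnel="tun0"):
    """The EdgeOS lines from the page's step 2, filled in from the measured MTU."""
    return [
        f"set interfaces tunnel {tunnel} mtu {mtu}",
        "set firewall options mss-clamp interface-type all",
        f"set firewall options mss-clamp mss {mss_for(mtu)}",
    ]


def linux_df_probe(host, timeout_s=1):
    """Assumed helper: real probe via iputils `ping -M do` (Linux only; not run by the test)."""
    def probe(payload):
        result = subprocess.run(
            ["ping", "-M", "do", "-c", "1", "-W", str(timeout_s), "-s", str(payload), host],
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, check=False)
        return result.returncode == 0  # non-zero when the DF packet is dropped or times out
    return probe


def simulated_link(mtu_limit):
    """Constructed stand-in for a real path: a DF ping passes iff the whole packet fits."""
    return lambda payload: payload + ICMP_OVERHEAD <= mtu_limit


if __name__ == "__main__":
    # On a real host: mtu = path_mtu(linux_df_probe("REMOTE_HOST"))  (placeholder name)
    mtu = path_mtu(simulated_link(1340))
    print(f"path MTU {mtu} -> MSS clamp {mss_for(mtu)}")
    print("\n".join(edgeos_mtu_commands(mtu)))
```

Probe toward the same host the KB article has you ping, from a machine behind the tunnel, so the measurement includes the GRE and ESP overhead the tunnel adds; the manual stepping in the article and this search find the same number, the search just needs about eleven pings instead of dozens.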