===Routed IPsec VPN on Edgerouter===
https://help.ui.com/hc/en-us/articles/115011377588-EdgeRouter-Route-Based-Site-to-Site-IPsec-VPN \\
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-77r1.pdf
This is for setting up a route based IPsec VPN connection between sites. It will also include OSPF routes.
====Router A====
Note: IPsec hardware acceleration only works up to AES-256 with SHA1 and dh-group 14. The aes256gcm128 and sha512 used in the example below won't be hardware offloaded, so if performance is bad you'll want to switch to an offload-supported cipher and hash. SHA1 is considered acceptable here, but it is not recommended for critical infrastructure or data.
==Enable the auto-firewall-nat-exclude feature==
This automatically creates the IPsec firewall/NAT policies in the iptables firewall.
set vpn ipsec auto-firewall-nat-exclude enable
==Create the IKE / Phase 1 (P1) Security Associations (SAs)==
set vpn ipsec ike-group FOO0 key-exchange ikev2
set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 21
set vpn ipsec ike-group FOO0 proposal 1 encryption aes256gcm128
set vpn ipsec ike-group FOO0 proposal 1 hash sha512
==Create the ESP / Phase 2 (P2) SAs and enable Perfect Forward Secrecy (PFS)==
set vpn ipsec esp-group FOO0 lifetime 3600
set vpn ipsec esp-group FOO0 pfs enable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes256gcm128
set vpn ipsec esp-group FOO0 proposal 1 hash sha512
==Define the remote peering address==
Replace <YOUR_PRE_SHARED_SECRET> with your desired passphrase; make it between 100 and 128 alphanumeric characters.
set vpn ipsec site-to-site peer 192.0.2.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 192.0.2.1 authentication pre-shared-secret <YOUR_PRE_SHARED_SECRET>
set vpn ipsec site-to-site peer 192.0.2.1 description ipsec
set vpn ipsec site-to-site peer 192.0.2.1 local-address 203.0.113.1
==Link the SAs created above to the remote peer and bind the VPN to a virtual tunnel interface (vti0)==
set vpn ipsec site-to-site peer 192.0.2.1 ike-group FOO0
set vpn ipsec site-to-site peer 192.0.2.1 vti bind vti0
set vpn ipsec site-to-site peer 192.0.2.1 vti esp-group FOO0
==Configure the virtual tunnel interface (vti0) and assign it an IP address==
set interfaces vti vti0 address 10.255.12.1/30
==Create a static route for the remote subnet==
set protocols static interface-route 172.16.1.0/24 next-hop-interface vti0
==Commit the changes and save the configuration==
commit ; save
==Setup OSPF (Optional)==
https://help.ui.com/hc/en-us/articles/205204050-EdgeRouter-OSPF-Routing
This is ideal as it will advertise your local routes across the VPN, so a bunch of static routes are neither needed nor have to be maintained.
==Define the OSPF network type for the vti0 interface==
set interfaces vti vti0 ip ospf network point-to-point
==Define a custom OSPF router ID==
Here I use the Management LAN IPv4 address of the main router in the OSPF area.
set protocols ospf parameters router-id 0.0.0.4
==Enable the OSPF routing process on the relevant interfaces and define the OSPF area number==
For the area number I combine the 2 site ID numbers that I arbitrarily assigned to each site. So if I'm setting this up between sites 49 and 50, my area would be 4950.
set protocols ospf area 4950 network 10.255.12.0/30
==Configure OSPF Interface Adjacencies==
Set all interfaces to passive, with the exception of interfaces that should form adjacencies with other OSPF routers; this ensures the router is not broadcasting advertisements toward routers that don't need them.
set protocols ospf passive-interface default
set protocols ospf passive-interface-exclude vti0
set protocols ospf passive-interface-exclude eth1
==Troubleshooting==
Sometimes a reboot doesn't fix things for these EdgeRouter IPsec VPN connections...
Try:
sudo su
show vpn log
restart vpn
clear vpn ipsec-peer PEERNAME
(PEERNAME may be the IP address of the peer, i.e. 192.0.2.1 in the example above)
Note: to determine optimal MTU: https://forum.peplink.com/t/how-to-determine-the-optimal-mtu-and-mss-size/7895
If you don't set the optimal MTU, your network access to the resources over the VPN will be laggy, unresponsive, etc...
In Windows open a command prompt and run
ping some.server.on.the.other.side.of.the.vpn.that.responds.to.ping -f -l 1472
If you get "Packet needs to be fragmented but DF set." then lower the packet size (the 1472) until you get a regular ping response.
Then add 28 and this is the MTU you should use.
The MSS clamp value is the MTU minus 40
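The MTU search described above, as an added example in Python (not part of the original page): it automates the ping-with-DF loop as a binary search over payload sizes and then applies the page's arithmetic (MTU = payload + 28, MSS clamp = MTU - 40). The Linux probe built on iputils `ping -M do -s` and the peer tunnel address 10.255.12.2 are assumptions; the simulated probe is constructed so the search runs offline.

```python
"""Path-MTU discovery over the VPN tunnel (added example, not from the page)."""
import subprocess
from typing import Callable, Tuple

IP_ICMP_OVERHEAD = 28   # 20-byte IPv4 header + 8-byte ICMP echo header
IP_TCP_OVERHEAD = 40    # 20-byte IPv4 header + 20-byte TCP header (no options)


def linux_df_probe(host: str) -> Callable[[int], bool]:
    """Probe that pings `host` with DF set and `size` bytes of ICMP payload.
    Assumes iputils ping; a non-zero exit means fragmentation was needed
    or the host did not answer within the timeout."""
    def probe(size: int) -> bool:
        r = subprocess.run(
            ["ping", "-c", "1", "-W", "2", "-M", "do", "-s", str(size), host],
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        return r.returncode == 0
    return probe


def simulated_probe(path_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for the ping: succeeds iff payload + 28 <= path_mtu."""
    return lambda size: size + IP_ICMP_OVERHEAD <= path_mtu


def find_max_payload(probe: Callable[[int], bool], lo: int = 0, hi: int = 1472) -> int:
    """Binary-search the largest payload in [lo, hi] that the probe accepts.
    1472 is the usual starting point (1500 - 28, a plain Ethernet path)."""
    if not probe(lo):
        raise RuntimeError("even the smallest probe failed; check reachability first")
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid          # fits: search the upper half
        else:
            hi = mid - 1      # "needs to be fragmented": search the lower half
    return lo


def mtu_and_mss(max_payload: int) -> Tuple[int, int]:
    """Apply the page's arithmetic: MTU = payload + 28, MSS clamp = MTU - 40."""
    mtu = max_payload + IP_ICMP_OVERHEAD
    return mtu, mtu - IP_TCP_OVERHEAD


if __name__ == "__main__":
    # Real use: swap in linux_df_probe("10.255.12.2") (assumed far-side vti address).
    payload = find_max_payload(simulated_probe(1438))
    print(mtu_and_mss(payload))   # (1438, 1398)
```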