https://help.ui.com/hc/en-us/articles/115011377588-EdgeRouter-Route-Based-Site-to-Site-IPsec-VPN
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-77r1.pdf
This is for setting up a route-based IPsec VPN connection between sites. It will also include OSPF routes.
Note: IPsec hardware acceleration only works up to AES-256 and SHA1 with dh-group 14; aes256gcm128 and sha512 as used in the example below won't be hardware offloaded, so if performance is bad you'll want to switch to an offload-supported algorithm. SHA1 is considered acceptable but not recommended for critical infrastructure/data.
This automatically creates the IPsec firewall/NAT policies in the iptables firewall.
set vpn ipsec auto-firewall-nat-exclude enable
set vpn ipsec ike-group FOO0 key-exchange ikev2
set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 21
set vpn ipsec ike-group FOO0 proposal 1 encryption aes256gcm128
set vpn ipsec ike-group FOO0 proposal 1 hash sha512
set vpn ipsec esp-group FOO0 lifetime 3600
set vpn ipsec esp-group FOO0 pfs enable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes256gcm128
set vpn ipsec esp-group FOO0 proposal 1 hash sha512
Replace <secret> with your desired passphrase; make it between 100 and 128 alphanumeric characters.
set vpn ipsec site-to-site peer 192.0.2.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 192.0.2.1 authentication pre-shared-secret <secret>
set vpn ipsec site-to-site peer 192.0.2.1 description ipsec
set vpn ipsec site-to-site peer 192.0.2.1 local-address 203.0.113.1
set vpn ipsec site-to-site peer 192.0.2.1 ike-group FOO0
set vpn ipsec site-to-site peer 192.0.2.1 vti bind vti0
set vpn ipsec site-to-site peer 192.0.2.1 vti esp-group FOO0
set interfaces vti vti0 address 10.255.12.1/30
set protocols static interface-route 172.16.1.0/24 next-hop-interface vti0
commit ; save
https://help.ui.com/hc/en-us/articles/205204050-EdgeRouter-OSPF-Routing
This is ideal as it will advertise your local routes across the VPN, so a bunch of static routes aren't needed and don't have to be maintained.
set interfaces vti vti0 ip ospf network point-to-point
Here I use the Management LAN IPV4 address of the main router in the OSPF area.
set protocols ospf parameters router-id 0.0.0.4
For the area number I combine the 2 site ID numbers that I arbitrarily assigned to each site. So if I'm setting this up between site 49 and 50 my area would be 4950.
set protocols ospf area 4950 network 10.255.12.0/30
Set all interfaces to passive, with the exception of interfaces that should form adjacencies with other OSPF routers; this ensures the router isn't sending OSPF advertisements to routers that don't need them.
set protocols ospf passive-interface default
set protocols ospf passive-interface-exclude vti0
set protocols ospf passive-interface-exclude eth1
Sometimes a reboot doesn't fix things for these EdgeRouter IPsec VPN connections. Try:
sudo su
show vpn log
restart vpn
clear vpn ipsec-peer PEERNAME (which might be the IP of the peer)
Note: to determine the optimal MTU, see https://forum.peplink.com/t/how-to-determine-the-optimal-mtu-and-mss-size/7895
If you don't set the optimal MTU, your network access to the resources over the VPN will be laggy, unresponsive, etc.
In Windows open a command prompt and run:
ping some.server.on.the.other.side.of.the.vpn.that.responds.to.ping -f -l 1472
If you get "Packet needs to be fragmented but DF set." then lower the packet size (the 1472) until you get a regular ping response. Then add 28 (20 bytes of IP header plus 8 bytes of ICMP header) to that payload size; the result is the MTU you should use. The MSS clamp value is the MTU minus 40 (20 bytes of IP header plus 20 bytes of TCP header).
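The ping procedure above, automated on Linux as an added example (not from the original notes): it binary-searches for the largest payload that still gets a reply with DF set, then applies the +28 and -40 arithmetic. It assumes Linux iputils ping (`-M do -s N` is the equivalent of the Windows `-f -l N`) and a host across the VPN that answers ping, given in the MTU_TARGET environment variable.

```shell
#!/bin/sh
# Added example, not from the original notes. Assumes Linux iputils ping,
# where "-M do" sets DF and "-s" sets the ICMP payload size, and a pingable
# host across the VPN in $MTU_TARGET.

# probe PAYLOAD: succeed if an echo of PAYLOAD bytes with DF set gets a reply,
# i.e. the packet fit the path MTU without fragmentation.
probe() {
    ping -c 1 -W 2 -M do -s "$1" "$MTU_TARGET" >/dev/null 2>&1
}

# find_max_payload LOW HIGH: binary search for the largest payload that passes
# probe(), instead of lowering 1472 by hand one step at a time.
# Prints 0 if even LOW does not fit.
find_max_payload() {
    low=$1; high=$2; best=0
    while [ "$low" -le "$high" ]; do
        mid=$(( (low + high) / 2 ))
        if probe "$mid"; then
            best=$mid; low=$((mid + 1))
        else
            high=$((mid - 1))
        fi
    done
    echo "$best"
}

# mtu_from_payload PAYLOAD: add the 28 header bytes (20 IP + 8 ICMP).
mtu_from_payload() { echo $(( $1 + 28 )); }

# mss_from_mtu MTU: the MSS clamp value is the MTU minus 40 (20 IP + 20 TCP).
mss_from_mtu() { echo $(( $1 - 40 )); }

# Only probe a real path when a target is given, e.g.
#   MTU_TARGET=172.16.1.10 sh mtu-probe.sh
if [ -n "${MTU_TARGET:-}" ]; then
    payload=$(find_max_payload 1200 1472)
    if [ "$payload" -eq 0 ]; then
        echo "no payload between 1200 and 1472 bytes fit; check the path" >&2
        exit 1
    fi
    mtu=$(mtu_from_payload "$payload")
    echo "largest payload: $payload  MTU: $mtu  MSS clamp: $(mss_from_mtu "$mtu")"
fi
```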