Routed IPsec VPN on Edgerouter
https://help.ui.com/hc/en-us/articles/115011377588-EdgeRouter-Route-Based-Site-to-Site-IPsec-VPN
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-77r1.pdf
This is for setting up a route-based IPsec VPN connection between sites. It also covers advertising routes across the tunnel with OSPF.
Router A
Note: IPsec hardware acceleration only works for ciphers up to AES-256 with SHA1 and dh-group 14. The aes256gcm128 and sha512 used in the example below will not be hardware offloaded, so if performance is bad you'll want to switch to an offload-supported suite. SHA1 is considered acceptable for that, but it is not recommended for critical infrastructure/data.
Enable the auto-firewall-nat-exclude feature
This automatically creates the IPsec firewall/NAT policies in the iptables firewall.
set vpn ipsec auto-firewall-nat-exclude enable
Create the IKE / Phase 1 (P1) Security Associations (SAs)
set vpn ipsec ike-group FOO0 key-exchange ikev2
set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 21
set vpn ipsec ike-group FOO0 proposal 1 encryption aes256gcm128
set vpn ipsec ike-group FOO0 proposal 1 hash sha512
Create the ESP / Phase 2 (P2) SAs and enable Perfect Forward Secrecy (PFS)
set vpn ipsec esp-group FOO0 lifetime 3600
set vpn ipsec esp-group FOO0 pfs enable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes256gcm128
set vpn ipsec esp-group FOO0 proposal 1 hash sha512
Define the remote peering address
Replace <secret> with your desired passphrase; make it between 100 and 128 alphanumeric characters. The same secret must be configured on both routers.
set vpn ipsec site-to-site peer 192.0.2.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 192.0.2.1 authentication pre-shared-secret <secret>
set vpn ipsec site-to-site peer 192.0.2.1 description ipsec
set vpn ipsec site-to-site peer 192.0.2.1 local-address 203.0.113.1
Link the SAs created above to the remote peer and bind the VPN to a virtual tunnel interface (vti0)
set vpn ipsec site-to-site peer 192.0.2.1 ike-group FOO0
set vpn ipsec site-to-site peer 192.0.2.1 vti bind vti0
set vpn ipsec site-to-site peer 192.0.2.1 vti esp-group FOO0
Configure the virtual tunnel interface (vti0) and assign it an IP address
set interfaces vti vti0 address 10.255.12.1/30
Create a static route for the remote subnet
set protocols static interface-route 172.16.1.0/24 next-hop-interface vti0
Commit the changes and save the configuration
commit ; save
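The steps above configure Router A only; Router B needs the mirror image (its peer is Router A's WAN address, its local-address is Router A's peer, and it takes the other end of the /30) plus the identical pre-shared secret. The following POSIX shell script is an added example and not part of the original notes or Ubiquiti's documentation: it generates a secret that meets the 100 to 128 alphanumeric character rule, validates it, and prints Router B's set commands from Router A's values. The function names are this example's own, and Router A's LAN subnet is not given in the notes, so 172.16.0.0/24 is an assumed placeholder for Router B's static route.

```shell
#!/bin/sh
# Added example, not from the original notes: generate/validate the pre-shared
# secret and emit the mirror-image Router B configuration for the tunnel above.

# gen_psk [LEN]: LEN alphanumeric characters (default 128) from /dev/urandom.
# LC_ALL=C keeps tr byte-oriented so the character classes behave as expected.
gen_psk() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "${1:-128}"
}

# check_psk SECRET: succeed only if SECRET is 100 to 128 alphanumeric
# characters, the rule the notes give for <secret>.
check_psk() {
    n=${#1}
    [ "$n" -ge 100 ] && [ "$n" -le 128 ] || return 1
    case $1 in
        *[!A-Za-z0-9]*) return 1 ;;   # anything outside A-Z, a-z, 0-9
    esac
    return 0
}

# peer_config LOCAL_WAN REMOTE_WAN VTI_CIDR REMOTE_LAN SECRET
# Print the EdgeOS 'set' commands for one end of the tunnel, reusing the
# ike-group/esp-group name (FOO0) and the vti0 interface from the notes.
peer_config() {
    lw=$1; rw=$2; vti=$3; rlan=$4; psk=$5
    cat <<EOF
set vpn ipsec auto-firewall-nat-exclude enable
set vpn ipsec ike-group FOO0 key-exchange ikev2
set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 21
set vpn ipsec ike-group FOO0 proposal 1 encryption aes256gcm128
set vpn ipsec ike-group FOO0 proposal 1 hash sha512
set vpn ipsec esp-group FOO0 lifetime 3600
set vpn ipsec esp-group FOO0 pfs enable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes256gcm128
set vpn ipsec esp-group FOO0 proposal 1 hash sha512
set vpn ipsec site-to-site peer $rw authentication mode pre-shared-secret
set vpn ipsec site-to-site peer $rw authentication pre-shared-secret $psk
set vpn ipsec site-to-site peer $rw description ipsec
set vpn ipsec site-to-site peer $rw local-address $lw
set vpn ipsec site-to-site peer $rw ike-group FOO0
set vpn ipsec site-to-site peer $rw vti bind vti0
set vpn ipsec site-to-site peer $rw vti esp-group FOO0
set interfaces vti vti0 address $vti
set protocols static interface-route $rlan next-hop-interface vti0
EOF
}

# router_b_config SECRET: Router B mirrors Router A's values from the notes:
# its WAN address is Router A's peer (192.0.2.1), its peer is Router A's WAN
# (203.0.113.1), and it takes the other end of the /30 (10.255.12.2/30).
# Router A's LAN subnet is not given in the notes; 172.16.0.0/24 is an
# assumed placeholder for the static route back towards Router A.
router_b_config() {
    peer_config 192.0.2.1 203.0.113.1 10.255.12.2/30 172.16.0.0/24 "$1"
}

# Stand-alone use: generate one secret and print Router B's commands with it.
# The same secret then goes into Router A's <secret> placeholder above.
secret=$(gen_psk)
if check_psk "$secret"; then
    router_b_config "$secret"
fi
```

Paste the printed lines into configure mode on Router B followed by commit ; save, and put the same secret into Router A's pre-shared-secret line. Keep the generated secret out of shell history and ticket systems; it is the only thing authenticating the two peers in this setup.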
Set up OSPF (Optional)
https://help.ui.com/hc/en-us/articles/205204050-EdgeRouter-OSPF-Routing
This is ideal as it will advertise your local routes across the VPN, so a bunch of static routes neither need to be created nor maintained.
Define the OSPF network type for the vti0 interface
set interfaces vti vti0 ip ospf network point-to-point
Define a custom OSPF router ID
Here I use the Management LAN IPv4 address of the main router in the OSPF area.
set protocols ospf parameters router-id 0.0.0.4
Enable the OSPF routing process on the relevant interfaces and define the OSPF area number
For the area number I combine the 2 site ID numbers that I arbitrarily assigned to each site. So if I'm setting this up between site 49 and 50 my area would be 4950.
set protocols ospf area 4950 network 10.255.12.0/30
Configure OSPF Interface Adjacencies
Set all interfaces to passive, with the exception of interfaces that should form adjacencies with other OSPF routers; this will ensure it's not broadcasting advertisements to unneeded routers.
set protocols ospf passive-interface default
set protocols ospf passive-interface-exclude vti0
set protocols ospf passive-interface-exclude eth1
Troubleshooting
Sometimes a reboot doesn't fix things for these EdgeRouter IPsec VPN connections. Try:
sudo su
show vpn log
restart vpn
clear vpn ipsec-peer PEERNAME (PEERNAME is usually the IP address of the peer)
Note: to determine the optimal MTU see https://forum.peplink.com/t/how-to-determine-the-optimal-mtu-and-mss-size/7895 . If you don't set the optimal MTU, your network access to the resources over the VPN will be laggy, unresponsive, etc.
In Windows open a command prompt and run: ping some.server.on.the.other.side.of.the.vpn.that.responds.to.ping -f -l 1472 . If you get "Packet needs to be fragmented but DF set." then lower the packet size (the 1472) until you get a regular ping response. Then add 28 (20 bytes IPv4 header + 8 bytes ICMP header) and this is the MTU you should use. The MSS clamp value is the MTU minus 40 (20 bytes IPv4 header + 20 bytes TCP header).
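The same search can be automated from a Linux host such as the EdgeRouter itself. The script below is an added example, not from the original notes: it uses iputils ping with -M do (the Linux equivalent of Windows' -f to set the DF bit) and a binary search instead of lowering the size by hand, then applies the same +28 and -40 arithmetic as above. The host name is a placeholder, the function names are this example's own, and the PING_PROBE variable exists only so the probe can be swapped for a fake when testing offline.

```shell
#!/bin/sh
# Added example, not from the original notes: automate the MTU search above
# with a binary search over DF-flagged pings, then derive the MTU and MSS.

# probe_ok SIZE HOST: one ICMP echo with SIZE bytes of payload and DF set,
# using iputils ping (Linux, e.g. on the EdgeRouter itself): -M do forbids
# fragmentation, like Windows' -f. Succeeds only if a reply comes back.
probe_ok() {
    ping -M do -s "$1" -c 1 -W 1 "$2" >/dev/null 2>&1
}

# The probe can be swapped (e.g. for an offline test) by naming another
# function in PING_PROBE; that variable is this example's own convention.
PING_PROBE=${PING_PROBE:-probe_ok}

# find_max_payload HOST [MAX]: largest payload in 0..MAX (default 1472, the
# starting size in the notes) that gets through with DF set. Assumes the
# path behaves monotonically: if SIZE passes, every smaller size passes too.
find_max_payload() {
    host=$1; lo=0; hi=${2:-1472}; best=0
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$PING_PROBE" "$mid" "$host"; then
            best=$mid; lo=$((mid + 1))     # fits: try larger
        else
            hi=$((mid - 1))                # fragmented/dropped: try smaller
        fi
    done
    echo "$best"
}

# mtu_from_payload PAYLOAD: add the 20-byte IPv4 header and 8-byte ICMP header.
mtu_from_payload() { echo $(( $1 + 28 )); }

# mss_from_mtu MTU: subtract 20 bytes IPv4 + 20 bytes TCP headers.
mss_from_mtu() { echo $(( $1 - 40 )); }

# discover_mtu HOST: run the search and print both values; fail if nothing
# got through at all, which means reachability, not MTU, is the problem.
discover_mtu() {
    payload=$(find_max_payload "$1")
    if [ "$payload" -eq 0 ]; then
        echo "no DF ping to $1 got through; check reachability first" >&2
        return 1
    fi
    mtu=$(mtu_from_payload "$payload")
    echo "max payload=$payload MTU=$mtu MSS=$(mss_from_mtu "$mtu")"
}

# Stand-alone use: sh pmtu.sh some.server.on.the.other.side.of.the.vpn
# (the host name is a placeholder; pick one that answers pings).
if [ -n "${1:-}" ]; then
    discover_mtu "$1"
fi
```

On a clean 1500-byte path the search stops at a 1472-byte payload and reports MTU 1500 / MSS 1460; across the IPsec tunnel expect a smaller value because of the ESP and outer IP overhead, and it is that smaller MTU/MSS pair that goes into the tunnel-facing interface settings.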