{"id":1369,"date":"2020-12-25T23:33:57","date_gmt":"2020-12-25T16:33:57","guid":{"rendered":"https:\/\/lagonet.vn\/?p=1343"},"modified":"2020-12-25T23:33:57","modified_gmt":"2020-12-25T16:33:57","slug":"edgerouter-route-based-site-to-site-ipsec-vpn","status":"publish","type":"post","link":"https:\/\/kb.lagonet.vn\/?p=1369","title":{"rendered":"EdgeRouter &#8211; Route-Based Site-to-Site IPsec VPN"},"content":{"rendered":"<header class=\"article__header\">\n<h1 class=\"article__body--header\">EdgeRouter &#8211; Route-Based Site-to-Site IPsec VPN<\/h1>\n<\/header>\n<div class=\"article-body markdown\">\n<p><a name=\"top\"><\/a><\/p>\n<h1 class=\"article__body--header\">Overview<\/h1>\n<p>Readers will learn how to configure a Route-Based Site-to-Site IPsec VPN between two EdgeRouters.<\/p>\n<div class=\"article-notice-box box--green\">\n<div id=\"note-icon\" class=\"note-table__cell-icon\"><\/div>\n<div class=\"note-table--text\">\n<div class=\"node--head\"><span class=\"node--head-title\"><strong>NOTES &amp; REQUIREMENTS:<\/strong><\/span><\/div>\n<div class=\"node--body\">Applicable to the latest EdgeOS firmware on all EdgeRouter models. Familiarity with the Command Line Interface (CLI) and basic networking knowledge are required. Please see the\u00a0<a href=\"https:\/\/help.ui.com\/hc\/en-us\/articles\/115011377588-EdgeRouter-Route-Based-Site-to-Site-IPsec-VPN#3\">Related Articles<\/a>\u00a0below for more information.<\/div>\n<div class=\"node--body\">Device used in this article:<\/div>\n<div class=\"node--body\">\n<div class=\"node--body\">\n<ul>\n<li><a href=\"https:\/\/www.ui.com\/edgemax\/edgerouter-4\/\" target=\"_blank\" rel=\"noopener\">EdgeRouter-4 (ER-4)<\/a><\/li>\n<\/ul>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<h2 class=\"article__body--header\">Table of Contents<\/h2>\n<ol>\n<li><a href=\"https:\/\/help.ui.com\/hc\/en-us\/articles\/115011377588-EdgeRouter-Route-Based-Site-to-Site-IPsec-VPN#1\">Frequently Asked Questions (FAQ)<\/a><\/li>\n<li><a href=\"https:\/\/help.ui.com\/hc\/en-us\/articles\/115011377588-EdgeRouter-Route-Based-Site-to-Site-IPsec-VPN#2\">Configuring a Route-Based VPN<\/a><\/li>\n<li><a href=\"https:\/\/help.ui.com\/hc\/en-us\/articles\/115011377588-EdgeRouter-Route-Based-Site-to-Site-IPsec-VPN#3\">Related Articles<\/a><\/li>\n<\/ol>\n<p><a name=\"1\"><\/a><\/p>\n<h2 class=\"article__body--header\">Frequently Asked Questions (FAQ)<\/h2>\n<div class=\"table-wrapper-outer\">\n<div class=\"table-wrapper\">\n<table class=\"faq-table\">\n<tbody>\n<tr>\n<td>\n<p class=\"faq--header active\">What site-to-site IPsec VPN types can be configured on EdgeOS?<\/p>\n<div class=\"faq--body active\">\n<p>The following IPsec VPN types can be configured on EdgeOS:<\/p>\n<ul>\n<li>Policy-Based<\/li>\n<li>Route-Based (VTI)<\/li>\n<li>GRE over IPsec<\/li>\n<\/ul>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<div class=\"table-wrapper-outer\">\n<div class=\"table-wrapper\">\n<table class=\"faq-table\">\n<tbody>\n<tr>\n<td>\n<p class=\"faq--header active\">What are the available encryption and hashing options (Security Associations \/ SAs) for Phase 1 (IKE) and Phase 2 (ESP)?<\/p>\n<div class=\"faq--body 
active\">\n<p><strong>Encryption<\/strong><\/p>\n<ul>\n<li>AES128<\/li>\n<li>AES256<\/li>\n<li>AES128GCM128<\/li>\n<li>AES256GCM128<\/li>\n<li>3DES<\/li>\n<\/ul>\n<p><strong>Hashing<\/strong><\/p>\n<ul>\n<li>MD5<\/li>\n<li>SHA1<\/li>\n<li>SHA2-256<\/li>\n<li>SHA2-384<\/li>\n<li>SHA2-512<\/li>\n<\/ul>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p><a name=\"2\"><\/a><\/p>\n<h2 class=\"article__body--header\">Configuring a Route-Based VPN<\/h2>\n<p class=\"wysiwyg-text-align-center\"><img decoding=\"async\" class=\"dont-touch\" src=\"https:\/\/help.ui.com\/hc\/article_attachments\/360031810533\/topology.png\" alt=\"topology.png\" \/><\/p>\n<p class=\"wysiwyg-text-align-center\"><em>The 192.168.1.0\/24 and 172.16.1.0\/24 networks will be allowed to communicate with each other over the VPN.<\/em><\/p>\n<p>Follow the steps below to configure the Route-Based Site-to-Site IPsec VPN on both EdgeRouters:<\/p>\n<div class=\"article-notice-box box--purple\">\n<div id=\"gui-icon\" class=\"note-table__cell-icon\"><\/div>\n<div class=\"note-table--text\">\n<div class=\"node--head\"><span class=\"node--head-title\"><strong>CLI:<\/strong>\u00a0Access the Command Line Interface on ER-L. You can do this using the CLI button in the GUI or by using a program such as PuTTY.<\/span><\/div>\n<\/div>\n<\/div>\n<p>1. Enter configuration mode.<\/p>\n<pre>configure<\/pre>\n<p>2. Enable the\u00a0<strong>auto-firewall-nat-exclude<\/strong>\u00a0feature, which automatically creates the IPsec firewall\/NAT policies in the\u00a0<code>iptables<\/code>\u00a0firewall.<\/p>\n<div class=\"pre-wrapper\">\n<pre class=\"copyable\">set vpn ipsec auto-firewall-nat-exclude enable<\/pre>\n<\/div>\n<p>3. 
Create the IKE \/ Phase 1 (P1) Security Associations (SAs).<\/p>\n<div class=\"pre-wrapper\">\n<pre class=\"copyable\">set vpn ipsec ike-group FOO0 lifetime 28800\nset vpn ipsec ike-group FOO0 proposal 1 dh-group 14\nset vpn ipsec ike-group FOO0 proposal 1 encryption aes128\nset vpn ipsec ike-group FOO0 proposal 1 hash sha1<\/pre>\n<\/div>\n<p>4. Create the ESP \/ Phase 2 (P2) SAs and enable Perfect Forward Secrecy (PFS).<\/p>\n<div class=\"pre-wrapper\">\n<pre class=\"copyable\">set vpn ipsec esp-group FOO0 lifetime 3600\nset vpn ipsec esp-group FOO0 pfs enable\nset vpn ipsec esp-group FOO0 proposal 1 encryption aes128\nset vpn ipsec esp-group FOO0 proposal 1 hash sha1<\/pre>\n<\/div>\n<p>5. Define the remote peering address (replace\u00a0<code>&lt;secret&gt;<\/code>\u00a0with your desired passphrase).<\/p>\n<div class=\"pre-wrapper\">\n<pre class=\"copyable\">set vpn ipsec site-to-site peer 192.0.2.1 authentication mode pre-shared-secret\nset vpn ipsec site-to-site peer 192.0.2.1 authentication pre-shared-secret &lt;secret&gt;\nset vpn ipsec site-to-site peer 192.0.2.1 description ipsec\nset vpn ipsec site-to-site peer 192.0.2.1 local-address 203.0.113.1<\/pre>\n<\/div>\n<p>6. Link the SAs created above to the remote peer and bind the VPN to a virtual tunnel interface (vti0).<\/p>\n<div class=\"pre-wrapper\">\n<pre class=\"copyable\">set vpn ipsec site-to-site peer 192.0.2.1 ike-group FOO0\nset vpn ipsec site-to-site peer 192.0.2.1 vti bind vti0\nset vpn ipsec site-to-site peer 192.0.2.1 vti esp-group FOO0<\/pre>\n<\/div>\n<p>7. 
Configure the virtual tunnel interface (vti0) and assign it an IP address.<\/p>\n<div class=\"pre-wrapper\">\n<pre class=\"copyable\">set interfaces vti vti0 address 10.255.12.1\/30<\/pre>\n<\/div>\n<p>8. Create a static route for the remote subnet.<\/p>\n<div class=\"pre-wrapper\">\n<pre class=\"copyable\">set protocols static interface-route 172.16.1.0\/24 next-hop-interface vti0<\/pre>\n<\/div>\n<p>9. Commit the changes and save the configuration.<\/p>\n<pre>commit ; save<\/pre>\n<div class=\"article-notice-box box--dark-gray\">\n<div id=\"cli-icon\" class=\"note-table__cell-icon\"><\/div>\n<div class=\"note-table--text\">\n<div class=\"node--head\"><span class=\"node--head-title\"><strong>CLI:<\/strong>\u00a0Access the Command Line Interface on ER-R.<\/span><\/div>\n<\/div>\n<\/div>\n<p>1. Enter configuration mode.<\/p>\n<pre>configure<\/pre>\n<p>2. Enable the\u00a0<strong>auto-firewall-nat-exclude<\/strong>\u00a0feature, which automatically creates the IPsec firewall\/NAT policies in the\u00a0<code>iptables<\/code>\u00a0firewall.<\/p>\n<div class=\"pre-wrapper\">\n<pre class=\"copyable\">set vpn ipsec auto-firewall-nat-exclude enable<\/pre>\n<\/div>\n<p>3. Create the IKE \/ Phase 1 (P1) Security Associations (SAs).<\/p>\n<div class=\"pre-wrapper\">\n<pre class=\"copyable\">set vpn ipsec ike-group FOO0 lifetime 28800\nset vpn ipsec ike-group FOO0 proposal 1 dh-group 14\nset vpn ipsec ike-group FOO0 proposal 1 encryption aes128\nset vpn ipsec ike-group FOO0 proposal 1 hash sha1<\/pre>\n<\/div>\n<p>4. 
Create the ESP \/ Phase 2 (P2) SAs and enable Perfect Forward Secrecy (PFS).<\/p>\n<div class=\"pre-wrapper\">\n<pre class=\"copyable\">set vpn ipsec esp-group FOO0 lifetime 3600\nset vpn ipsec esp-group FOO0 pfs enable\nset vpn ipsec esp-group FOO0 proposal 1 encryption aes128\nset vpn ipsec esp-group FOO0 proposal 1 hash sha1<\/pre>\n<\/div>\n<p>5. Define the remote peering address (replace\u00a0<code>&lt;secret&gt;<\/code>\u00a0with your desired passphrase).<\/p>\n<div class=\"pre-wrapper\">\n<pre class=\"copyable\">set vpn ipsec site-to-site peer 203.0.113.1 authentication mode pre-shared-secret\nset vpn ipsec site-to-site peer 203.0.113.1 authentication pre-shared-secret &lt;secret&gt;\nset vpn ipsec site-to-site peer 203.0.113.1 description ipsec\nset vpn ipsec site-to-site peer 203.0.113.1 local-address 192.0.2.1<\/pre>\n<\/div>\n<p>6. Link the SAs created above to the remote peer and bind the VPN to a virtual tunnel interface (vti0).<\/p>\n<div class=\"pre-wrapper\">\n<pre class=\"copyable\">set vpn ipsec site-to-site peer 203.0.113.1 ike-group FOO0\nset vpn ipsec site-to-site peer 203.0.113.1 vti bind vti0\nset vpn ipsec site-to-site peer 203.0.113.1 vti esp-group FOO0<\/pre>\n<\/div>\n<p>7. Configure the virtual tunnel interface (vti0) and assign it an IP address.<\/p>\n<div class=\"pre-wrapper\">\n<pre class=\"copyable\">set interfaces vti vti0 address 10.255.12.2\/30<\/pre>\n<\/div>\n<p>8. Create a static route for the remote subnet.<\/p>\n<div class=\"pre-wrapper\">\n<pre class=\"copyable\">set protocols static interface-route 192.168.1.0\/24 next-hop-interface vti0<\/pre>\n<\/div>\n<p>9. 
Commit the changes and save the configuration.<\/p>\n<pre>commit ; save<\/pre>\n<p><a name=\"3\"><\/a><\/p>\n<h2 class=\"article__body--header\">Related Articles<\/h2>\n<p class=\"article__body--border\"><a class=\"bullet\" href=\"https:\/\/help.ui.com\/hc\/en-us\/articles\/115011373628\" target=\"_blank\" rel=\"noopener\">EdgeRouter &#8211; Dynamic Site-to-Site IPsec VPN using FQDNs<\/a><\/p>\n<p class=\"article__body--border\"><a class=\"bullet\" href=\"https:\/\/help.ui.com\/hc\/en-us\/articles\/115012831287\" target=\"_blank\" rel=\"noopener\">EdgeRouter &#8211; Policy-Based Site-to-Site IPsec VPN<\/a><\/p>\n<p class=\"article__body--border\"><a class=\"bullet\" href=\"https:\/\/help.ui.com\/hc\/en-us\/articles\/218850057\" target=\"_blank\" rel=\"noopener\">Intro to Networking &#8211; How to Establish a Connection Using SSH<\/a><\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>EdgeRouter &#8211; Route-Based Site-to-Site IPsec VPN Overview Readers will learn how to configure a Route-Based Site-to-Site IPsec VPN between two 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","categories":[6,12,15],"tags":[],"class_list":["post-1369","post","type-post","status-publish","format-standard","hentry","category-networking","category-vpn","category-uncategories"]}