{"id":1370,"date":"2020-12-25T23:34:42","date_gmt":"2020-12-25T16:34:42","guid":{"rendered":"https:\/\/lagonet.vn\/?p=1345"},"modified":"2020-12-25T23:34:42","modified_gmt":"2020-12-25T16:34:42","slug":"edgerouter-policy-based-site-to-site-ipsec-vpn","status":"publish","type":"post","link":"https:\/\/kb.lagonet.vn\/?p=1370","title":{"rendered":"EdgeRouter &#8211; Policy-Based Site-to-Site IPsec VPN"},"content":{"rendered":"<h1 class=\"article__body--header\">Overview<\/h1>\n<p>Readers will learn how to configure a Policy-Based Site-to-Site IPsec VPN on an EdgeRouter.<\/p>\n<div class=\"article-notice-box box--green\">\n<div id=\"note-icon\" class=\"note-table__cell-icon\"><\/div>\n<div class=\"note-table--text\">\n<div class=\"node--head\"><span class=\"node--head-title\"><strong>NOTES &amp; REQUIREMENTS:<\/strong><\/span><\/div>\n<div class=\"node--body\">Applicable to the latest EdgeOS firmware on all EdgeRouter models. Please see the\u00a0<a href=\"https:\/\/help.ui.com\/hc\/en-us\/articles\/115012831287-EdgeRouter-Policy-Based-Site-to-Site-IPsec-VPN#3\" target=\"_self\" rel=\"noopener\">Related Articles<\/a>\u00a0below for more information.<\/div>\n<div class=\"node--body\"><\/div>\n<div class=\"node--body\">Device used in this article:<\/div>\n<div class=\"node--body\">\n<div class=\"node--body\">\n<ul>\n<li><a href=\"https:\/\/www.ui.com\/edgemax\/edgerouter-4\/\" target=\"_blank\" rel=\"noopener\">EdgeRouter 4 (ER-4)<\/a><\/li>\n<\/ul>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<h2 class=\"article__body--header\">Table of Contents<\/h2>\n<ol>\n<li><a href=\"https:\/\/help.ui.com\/hc\/en-us\/articles\/115012831287-EdgeRouter-Policy-Based-Site-to-Site-IPsec-VPN#1\" target=\"_self\" rel=\"noopener\">Frequently Asked Questions (FAQ)<\/a><\/li>\n<li><a href=\"https:\/\/help.ui.com\/hc\/en-us\/articles\/115012831287-EdgeRouter-Policy-Based-Site-to-Site-IPsec-VPN#2\" target=\"_self\" rel=\"noopener\">Configuring a Policy-Based VPN<\/a><\/li>\n<li><a 
href=\"https:\/\/help.ui.com\/hc\/en-us\/articles\/115012831287-EdgeRouter-Policy-Based-Site-to-Site-IPsec-VPN#3\" target=\"_self\" rel=\"noopener\">Related Articles<\/a><\/li>\n<\/ol>\n<p><a name=\"1\"><\/a><\/p>\n<h2 class=\"article__body--header\">Frequently Asked Questions (FAQ)<\/h2>\n<div class=\"table-wrapper-outer\">\n<div class=\"table-wrapper\">\n<table class=\"faq-table\">\n<tbody>\n<tr>\n<td>\n<div class=\"faq--header\">1. What Site-to-Site IPsec VPN types can be configured on EdgeOS?<\/div>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<div class=\"faq--header\">2. What are the available encryption and hashing options for IKE and ESP?<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p><a name=\"2\"><\/a><\/p>\n<h2 class=\"article__body--header\">Setting up a Policy-Based VPN<\/h2>\n<p class=\"wysiwyg-text-align-center\"><img decoding=\"async\" class=\"dont-touch\" src=\"https:\/\/help.ui.com\/hc\/article_attachments\/360031590614\/topology.png\" alt=\"topology.png\" \/><\/p>\n<p class=\"wysiwyg-text-align-center\"><em>The 192.168.1.0\/24 and 172.16.1.0\/24 networks will be allowed to communicate with each other over the VPN.<\/em><\/p>\n<p>Follow the steps below to configure the Policy-Based Site-to-Site IPsec VPN on both EdgeRouters:<\/p>\n<div class=\"article-notice-box box--purple\">\n<div id=\"gui-icon\" class=\"note-table__cell-icon\"><\/div>\n<div class=\"note-table--text\">\n<div class=\"node--head\"><span class=\"node--head-title\"><strong>GUI:\u00a0<\/strong><\/span>Access the Web UI on ER-L.<\/div>\n<\/div>\n<\/div>\n<p>1. 
Define the IPsec peer and hashing\/encryption methods.<\/p>\n<p><strong>VPN &gt; IPsec Site-to-Site &gt; +Add Peer<\/strong><\/p>\n<ul>\n<li><strong>Check:<\/strong>\u00a0Show advanced options<\/li>\n<li><strong>Check:<\/strong>\u00a0Automatically open firewall and exclude from NAT<\/li>\n<\/ul>\n<pre><strong>Peer:<\/strong> 192.0.2.1\n<strong>Description:<\/strong> ipsec\n<strong>Local IP:<\/strong> 203.0.113.1\n<strong>Encryption:<\/strong> AES-128\n<strong>Hash:<\/strong> SHA1\n<strong>DH Group:<\/strong> 14\n<strong>Pre-shared Secret:<\/strong> &lt;secret&gt;\n<strong>Local subnet:<\/strong> 192.168.1.0\/24\n<strong>Remote subnet:<\/strong> 172.16.1.0\/24<\/pre>\n<p>2. Apply the changes.<\/p>\n<div class=\"article-notice-box box--purple\">\n<div id=\"gui-icon\" class=\"note-table__cell-icon\"><\/div>\n<div class=\"note-table--text\">\n<div class=\"node--head\"><span class=\"node--head-title\"><strong>GUI:\u00a0<\/strong><\/span>Access the Web UI on ER-R.<\/div>\n<\/div>\n<\/div>\n<p>1. Define the IPsec peer and the hashing\/encryption methods.<\/p>\n<p><strong>VPN &gt; IPsec Site-to-Site &gt; +Add Peer<\/strong><\/p>\n<ul>\n<li><strong>Check:<\/strong>\u00a0Show advanced options<\/li>\n<li><strong>Check:<\/strong>\u00a0Automatically open firewall and exclude from NAT<\/li>\n<\/ul>\n<pre><strong>Peer:<\/strong> 203.0.113.1\n<strong>Description:<\/strong> ipsec\n<strong>Local IP:<\/strong> 192.0.2.1\n<strong>Encryption:<\/strong> AES-128\n<strong>Hash:<\/strong> SHA1\n<strong>DH Group:<\/strong> 14\n<strong>Pre-shared Secret:<\/strong> &lt;secret&gt;\n<strong>Local subnet:<\/strong> 172.16.1.0\/24\n<strong>Remote subnet:<\/strong> 192.168.1.0\/24<\/pre>\n<p>2. 
Apply the changes.<\/p>\n<div class=\"article-notice-box box--green\">\n<div id=\"note-icon\" class=\"note-table__cell-icon\"><\/div>\n<div class=\"note-table--text\">\n<div class=\"node--head\"><span class=\"node--head-title\"><strong>NOTE:<\/strong> There is more information on\u00a0the\u00a0<em>&#8216;Automatic Firewall\/NAT&#8217;<\/em>\u00a0feature in the\u00a0<a href=\"https:\/\/help.ui.com\/hc\/en-us\/articles\/216771078#3\" target=\"_blank\" rel=\"noopener\">Modifying the Default IPsec Site-to-Site VPN<\/a>\u00a0article.<\/span><\/div>\n<\/div>\n<\/div>\n<p><a name=\"3\"><\/a><\/p>\n<h2 class=\"article__body--header\">Related Articles<\/h2>\n<p class=\"article__body--border\"><a class=\"bullet\" href=\"https:\/\/help.ui.com\/hc\/en-us\/articles\/216771078\" target=\"_blank\" rel=\"noopener\">EdgeRouter &#8211; Modifying the Default IPsec Site-to-Site VPN<\/a><\/p>\n<p class=\"article__body--border\"><a class=\"bullet\" href=\"https:\/\/help.ui.com\/hc\/en-us\/articles\/115011373628\" target=\"_blank\" rel=\"noopener\">EdgeRouter &#8211; Dynamic Site-to-Site IPsec VPN using FQDNs<\/a><\/p>\n<p class=\"article__body--border\"><a class=\"bullet\" href=\"https:\/\/help.ui.com\/hc\/en-us\/articles\/115011377588\" target=\"_blank\" rel=\"noopener\">EdgeRouter &#8211; Route-Based Site-to-Site IPsec VPN<\/a><\/p>\n<p class=\"article__body--border\"><a class=\"bullet\" href=\"https:\/\/help.ui.com\/hc\/en-us\/articles\/218850057\" target=\"_blank\" rel=\"noopener\">Intro to Networking &#8211; How to Establish a Connection Using SSH<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Overview Readers will learn how to configure a Policy-Based Site-to-Site IPsec VPN on an EdgeRouter. 
NOTES &amp; REQUIREMENTS: Applicable to [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[2,6,12],"tags":[],"class_list":["post-1370","post","type-post","status-publish","format-standard","hentry","category-kien-thuc","category-networking","category-vpn"],"_links":{"self":[{"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=\/wp\/v2\/posts\/1370","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1370"}],"version-history":[{"count":0,"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=\/wp\/v2\/posts\/1370\/revisions"}],"wp:attachment":[{"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1370"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1370"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1370"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}