{"id":1374,"date":"2020-12-25T23:38:44","date_gmt":"2020-12-25T16:38:44","guid":{"rendered":"https:\/\/lagonet.vn\/?p=1353"},"modified":"2020-12-25T23:38:44","modified_gmt":"2020-12-25T16:38:44","slug":"edgerouter-modifying-the-default-ipsec-site-to-site-vpn","status":"publish","type":"post","link":"https:\/\/kb.lagonet.vn\/?p=1374","title":{"rendered":"EdgeRouter &#8211; Modifying the Default IPsec Site-to-Site VPN"},"content":{"rendered":"<header class=\"article__header\">\n<h1 class=\"article__body--header\">EdgeRouter &#8211; Modifying the Default IPsec Site-to-Site VPN<\/h1>\n<\/header>\n<div class=\"article-body markdown\">\n<h1 class=\"article__body--header\">Overview<\/h1>\n<p>Readers will learn how to modify the default Site-to-Site IPsec VPN settings using the Command Line Interface (CLI).<\/p>\n<div class=\"article-notice-box box--green\">\n<div id=\"note-icon\" class=\"note-table__cell-icon\"><\/div>\n<div class=\"note-table--text\">\n<div class=\"node--head\"><span class=\"node--head-title\"><strong>NOTES &amp; REQUIREMENTS:<\/strong><\/span><\/div>\n<ul>\n<li class=\"node--body\">Applicable to the latest EdgeOS firmware on all EdgeRouter models.<\/li>\n<li class=\"node--body\">Knowledge of the Command Line Interface (CLI) and advanced networking knowledge is required.<\/li>\n<\/ul>\n<\/div>\n<\/div>\n<h2 class=\"article__body--header\">Table of Contents<\/h2>\n<ol>\n<li><a href=\"https:\/\/help.ui.com\/hc\/en-us\/articles\/216771078-EdgeRouter-Modifying-the-Default-IPsec-Site-to-Site-VPN#1\" target=\"_self\" rel=\"noopener\">Frequently Asked Questions (FAQ)<\/a><\/li>\n<li><a href=\"https:\/\/help.ui.com\/hc\/en-us\/articles\/216771078-EdgeRouter-Modifying-the-Default-IPsec-Site-to-Site-VPN#2\" target=\"_self\" rel=\"noopener\">Configuring a Policy-Based VPN Using the Web UI<\/a><\/li>\n<li><a href=\"https:\/\/help.ui.com\/hc\/en-us\/articles\/216771078-EdgeRouter-Modifying-the-Default-IPsec-Site-to-Site-VPN#3\" target=\"_self\" 
rel=\"noopener\">Modifying the VPN Settings Using the CLI<\/a><\/li>\n<li><a href=\"https:\/\/help.ui.com\/hc\/en-us\/articles\/216771078-EdgeRouter-Modifying-the-Default-IPsec-Site-to-Site-VPN#4\" target=\"_self\" rel=\"noopener\">Related Articles<\/a><\/li>\n<\/ol>\n<p><a name=\"1\"><\/a><\/p>\n<h2 class=\"article__body--header\">Frequently Asked Questions (FAQ)<\/h2>\n<div class=\"table-wrapper-outer\">\n<div class=\"table-wrapper\">\n<table class=\"faq-table\">\n<tbody>\n<tr>\n<td>\n<div class=\"faq--header active\">What site-to-site IPsec VPN types can be configured on EdgeOS?<\/div>\n<div class=\"faq--body active\">\n<p>The following IPsec VPN types can be configured on EdgeOS:<\/p>\n<ul>\n<li>Policy-Based<\/li>\n<li>Route-Based (VTI)<\/li>\n<li>GRE over IPsec<\/li>\n<\/ul>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<div class=\"table-wrapper-outer\">\n<div class=\"table-wrapper\">\n<table class=\"faq-table\">\n<tbody>\n<tr>\n<td>\n<div class=\"faq--header active\">What are the available encryption and hashing options (Security Associations \/ SAs) for Phase 1 (IKE) and Phase 2 (ESP)?<\/div>\n<div class=\"faq--body active\">\n<p><strong>Encryption<\/strong><\/p>\n<ul>\n<li>AES128<\/li>\n<li>AES256<\/li>\n<li>AES128GCM128<\/li>\n<li>AES256GCM128<\/li>\n<li>3DES<\/li>\n<\/ul>\n<p><strong>Hashing<\/strong><\/p>\n<ul>\n<li>MD5<\/li>\n<li>SHA1<\/li>\n<li>SHA2-256<\/li>\n<li>SHA2-384<\/li>\n<li>SHA2-512<\/li>\n<\/ul>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p><a name=\"2\"><\/a><\/p>\n<h2 class=\"article__body--header\">Configuring a Policy-Based VPN Using the Web UI<\/h2>\n<div class=\"article-notice-box box--orange\">\n<div id=\"attention-icon\" class=\"note-table__cell-icon\"><\/div>\n<div class=\"note-table--text\">\n<div class=\"node--head\"><span class=\"node--head-title\"><strong>ATTENTION:<\/strong><\/span>This article is for advanced users that are familiar with the EdgeOS 
command line. If you are intending to set up a simple VPN using the Web UI, refer to the\u00a0<a href=\"https:\/\/help.ui.com\/hc\/en-us\/articles\/115012831287\" target=\"_blank\" rel=\"noopener\">Policy-Based Site-to-Site IPsec VPN<\/a>\u00a0article instead.<\/div>\n<\/div>\n<\/div>\n<p class=\"wysiwyg-text-align-center\"><img decoding=\"async\" class=\"article__image--border\" src=\"https:\/\/help.ui.com\/hc\/article_attachments\/360030005154\/topology.png\" alt=\"topology.png\" \/><\/p>\n<p class=\"wysiwyg-text-align-center\"><em>The 192.168.1.0\/24 and 172.16.1.0\/24 networks will be allowed to communicate with each other over the VPN.<\/em><\/p>\n<p>Follow the steps below to configure the Policy-Based Site-to-Site IPsec VPN on both EdgeRouters:<\/p>\n<div class=\"article-notice-box box--purple\">\n<div id=\"gui-icon\" class=\"note-table__cell-icon\"><\/div>\n<div class=\"note-table--text\">\n<div class=\"node--head\"><span class=\"node--head-title\"><strong>GUI:\u00a0<\/strong><\/span>Access the Web UI on ER-L.<\/div>\n<\/div>\n<\/div>\n<p>1. Define the IPsec peer and hashing\/encryption methods.<\/p>\n<p><strong>VPN &gt; IPsec Site-to-Site &gt; +Add Peer<\/strong><\/p>\n<ul>\n<li><strong>Check:<\/strong>\u00a0Show advanced options<\/li>\n<li><strong>Uncheck:<\/strong>\u00a0Automatically open firewall and exclude from NAT<\/li>\n<\/ul>\n<pre><strong>Peer:<\/strong> 192.0.2.1\n<strong>Description:<\/strong> ipsec\n<strong>Local IP:<\/strong> 203.0.113.1\n<strong>Encryption:<\/strong> AES-128\n<strong>Hash:<\/strong> SHA1\n<strong>DH Group:<\/strong> 14\n<strong>Pre-shared Secret:<\/strong> &lt;secret&gt;\n<strong>Local subnet:<\/strong> 192.168.1.0\/24\n<strong>Remote subnet:<\/strong> 172.16.1.0\/24<\/pre>\n<p>2. 
Apply the changes.<\/p>\n<div class=\"article-notice-box box--purple\">\n<div id=\"gui-icon\" class=\"note-table__cell-icon\"><\/div>\n<div class=\"note-table--text\">\n<div class=\"node--head\"><span class=\"node--head-title\"><strong>GUI:\u00a0<\/strong><\/span>Access the Web UI on ER-R.<\/div>\n<\/div>\n<\/div>\n<p>1. Define the IPsec peer and the hashing\/encryption methods.<\/p>\n<p><strong>VPN &gt; IPsec Site-to-Site &gt; +Add Peer<\/strong><\/p>\n<ul>\n<li><strong>Check:<\/strong>\u00a0Show advanced options<\/li>\n<li><strong>Uncheck:<\/strong>\u00a0Automatically open firewall and exclude from NAT<\/li>\n<\/ul>\n<pre><strong>Peer:<\/strong> 203.0.113.1\n<strong>Description:<\/strong> ipsec\n<strong>Local IP:<\/strong> 192.0.2.1\n<strong>Encryption:<\/strong> AES-128\n<strong>Hash:<\/strong> SHA1\n<strong>DH Group:<\/strong> 14\n<strong>Pre-shared Secret:<\/strong> &lt;secret&gt;\n<strong>Local subnet:<\/strong> 172.16.1.0\/24\n<strong>Remote subnet<\/strong>: 192.168.1.0\/24<\/pre>\n<p>2. Apply the changes.<\/p>\n<p><a name=\"3\"><\/a><\/p>\n<h2 class=\"article__body--header\">Modifying the VPN Settings Using the CLI<\/h2>\n<p>Modifying the default VPN settings through the command line may be necessary in some environments. For example, if you wish to disable the PFS (Perfect Forward Secrecy) feature or if you want to manually create the firewall and NAT rules that control the traffic that is passed over the VPN.<\/p>\n<div class=\"article-notice-box box--orange\">\n<div id=\"attention-icon\" class=\"note-table__cell-icon\"><\/div>\n<div class=\"note-table--text\">\n<div class=\"node--head\"><span class=\"node--head-title\"><strong>ATTENTION:<\/strong><\/span>\u00a0Do\u00a0<strong>not<\/strong>\u00a0change the VPN configuration through the GUI after adding your own custom modifications through the CLI. 
Doing so will reset all settings back to the defaults.<\/div>\n<\/div>\n<\/div>\n<p>If enabled previously, the\u00a0<strong>Automatic Firewall\/NAT<\/strong>\u00a0checkbox adds the following rules to the\u00a0<strong>iptables<\/strong>\u00a0firewall in the background:<\/p>\n<ul>\n<li><code>UBNT_VPN_IPSEC_FW_HOOK<\/code>\u00a0Allow UDP port 500 (IKE), UDP port 4500 (NAT-T) and ESP in the local direction.<\/li>\n<li><code>UBNT_VPN_IPSEC_FW_IN_HOOK<\/code>\u00a0Allow IPsec traffic from the remote subnet to the local subnet in the local and inbound direction.<\/li>\n<li><code>UBNT_VPN_IPSEC_SNAT_HOOK<\/code>\u00a0Exclude all traffic from the local subnet to the remote subnet from NAT.<\/li>\n<\/ul>\n<p>You can verify these firewall and NAT rules by running the following commands on both routers:<\/p>\n<pre><strong>sudo iptables -L -v -n<\/strong>\nChain UBNT_VPN_IPSEC_FW_HOOK (1 references)\n pkts bytes target     prot opt in     out     source               destination\n    0     0 ACCEPT     udp  --  *      *       0.0.0.0\/0            0.0.0.0\/0            multiport dports 500,4500\n    0     0 ACCEPT     esp  --  *      *       0.0.0.0\/0            0.0.0.0\/0\n\nChain UBNT_VPN_IPSEC_FW_IN_HOOK (1 references)\n pkts bytes target     prot opt in     out     source               destination\n    0     0 ACCEPT     all  --  *      *       192.168.1.0\/24       172.16.1.0\/24\n\n<strong>sudo iptables -t nat -L -vn<\/strong>\nChain UBNT_VPN_IPSEC_SNAT_HOOK (1 references)\n pkts bytes target     prot opt in     out     source               destination\n    0     0 ACCEPT     all  --  *      *       192.168.1.0\/24       172.16.1.0\/24<\/pre>\n<div class=\"article-notice-box box--green\">\n<div id=\"note-icon\" class=\"note-table__cell-icon\"><\/div>\n<div class=\"note-table--text\">\n<div class=\"node--head\"><span class=\"node--head-title\"><strong>NOTE:<\/strong><\/span>The\u00a0<strong>Automatic Firewall\/NAT<\/strong>\u00a0checkbox applies to\u00a0<strong>all<\/strong>\u00a0Site-to-Site VPN connections active on the router.<\/div>\n<\/div>\n<\/div>\n<p>The\u00a0<strong>iptables<\/strong>\u00a0firewall entries are\u00a0<strong>not<\/strong>\u00a0automatically cleared when the feature is disabled (if it was enabled previously). 
In order to clear the rules, reboot the device or manually delete the entries with the\u00a0<strong>iptables<\/strong>\u00a0commands below:<\/p>\n<div class=\"pre-wrapper\">\n<pre class=\"copyable\">sudo iptables -D UBNT_VPN_IPSEC_FW_HOOK 1\nsudo iptables -D UBNT_VPN_IPSEC_FW_HOOK 1\nsudo iptables -D UBNT_VPN_IPSEC_FW_IN_HOOK 1\nsudo iptables -t nat -D UBNT_VPN_IPSEC_SNAT_HOOK 1<\/pre>\n<\/div>\n<p>Because we did not enable the\u00a0<strong>Automatic Firewall\/NAT<\/strong>\u00a0checkbox in the Web UI\u00a0<a href=\"https:\/\/help.ui.com\/hc\/en-us\/articles\/216771078-EdgeRouter-Modifying-the-Default-IPsec-Site-to-Site-VPN#2\" target=\"_self\" rel=\"noopener\">section<\/a>\u00a0above, manual IPsec firewall and NAT rules need to be created. Follow the steps below to add the rules to both routers:<\/p>\n<div class=\"article-notice-box box--dark-gray\">\n<div id=\"cli-icon\" class=\"note-table__cell-icon\"><\/div>\n<div class=\"note-table--text\">\n<div class=\"node--head\"><span class=\"node--head-title\"><strong>CLI:<\/strong><\/span>Access the Command Line Interface on ER-L.<\/div>\n<\/div>\n<\/div>\n<p>1. Enter configuration mode.<\/p>\n<pre>configure<\/pre>\n<p>2. 
Add firewall rules that allow IKE, NAT-T and ESP in the\u00a0<strong>local<\/strong>\u00a0direction.<\/p>\n<div class=\"pre-wrapper\">\n<pre class=\"copyable\">set firewall name WAN_LOCAL rule 30 action accept\nset firewall name WAN_LOCAL rule 30 description ike\nset firewall name WAN_LOCAL rule 30 destination port 500\nset firewall name WAN_LOCAL rule 30 log disable\nset firewall name WAN_LOCAL rule 30 protocol udp\n\nset firewall name WAN_LOCAL rule 40 action accept\nset firewall name WAN_LOCAL rule 40 description esp\nset firewall name WAN_LOCAL rule 40 log disable\nset firewall name WAN_LOCAL rule 40 protocol esp\n\nset firewall name WAN_LOCAL rule 50 action accept\nset firewall name WAN_LOCAL rule 50 description nat-t\nset firewall name WAN_LOCAL rule 50 destination port 4500\nset firewall name WAN_LOCAL rule 50 log disable\nset firewall name WAN_LOCAL rule 50 protocol udp<\/pre>\n<\/div>\n<p>3. Add firewall rules that allow IPsec traffic between the remote and local subnet in the\u00a0<strong>inbound<\/strong>\u00a0and\u00a0<strong>local<\/strong>\u00a0direction.<\/p>\n<div class=\"pre-wrapper\">\n<pre class=\"copyable\">set firewall name WAN_LOCAL rule 60 action accept\nset firewall name WAN_LOCAL rule 60 description ipsec\nset firewall name WAN_LOCAL rule 60 destination address 192.168.1.0\/24\nset firewall name WAN_LOCAL rule 60 source address 172.16.1.0\/24\nset firewall name WAN_LOCAL rule 60 log disable\nset firewall name WAN_LOCAL rule 60 ipsec match-ipsec\n\nset firewall name WAN_IN rule 30 action accept\nset firewall name WAN_IN rule 30 description ipsec\nset firewall name WAN_IN rule 30 destination address 192.168.1.0\/24\nset firewall name WAN_IN rule 30 source address 172.16.1.0\/24\nset firewall name WAN_IN rule 30 log disable\nset firewall name WAN_IN rule 30 ipsec match-ipsec<\/pre>\n<\/div>\n<p>4. 
Prevent the traffic between the remote and local subnets from being translated by NAT.<\/p>\n<div class=\"pre-wrapper\">\n<pre class=\"copyable\">set service nat rule 5000 description ipsec-exclude\nset service nat rule 5000 destination address 172.16.1.0\/24\nset service nat rule 5000 exclude\nset service nat rule 5000 outbound-interface eth0\nset service nat rule 5000 protocol all\nset service nat rule 5000 source address 192.168.1.0\/24\nset service nat rule 5000 type masquerade<\/pre>\n<\/div>\n<div class=\"article-notice-box box--green\">\n<div id=\"note-icon\" class=\"note-table__cell-icon\"><\/div>\n<div class=\"note-table--text\">\n<div class=\"node--head\"><span class=\"node--head-title\"><strong>NOTE:<\/strong>\u00a0This rule must be inserted in front of any NAT masquerade rules.<\/span><\/div>\n<\/div>\n<\/div>\n<p>5.\u00a0<img loading=\"lazy\" decoding=\"async\" class=\"dont-touch\" src=\"https:\/\/help-center-assets.ubnt.com\/optional.svg\" width=\"66\" height=\"17\" \/>\u00a0Modify the default encryption and hashing settings.<\/p>\n<p>Display the current IPsec VPN configuration (only relevant output is shown).<\/p>\n<pre><strong>[edit]\nubnt@EdgeRouter# show vpn<\/strong>\nipsec {\n   auto-firewall-nat-exclude disable\n   esp-group FOO0 {\n       lifetime 3600\n       pfs enable\n       proposal 1 {\n           encryption aes128\n           hash sha1\n       }\n   }\n   ike-group FOO0 {\n       lifetime 28800\n       proposal 1 {\n           dh-group 14\n           encryption aes128\n           hash sha1\n       }\n   }\n}\n...<\/pre>\n<p>By default, the IKE and ESP groups use the same hashing and encryption settings (AES128\/SHA1 in this example). 
We can customize the groups using the commands below:<\/p>\n<div class=\"pre-wrapper\">\n<pre class=\"copyable\">set vpn ipsec ike-group FOO0 proposal 1 encryption aes256\nset vpn ipsec ike-group FOO0 proposal 1 hash sha256\nset vpn ipsec ike-group FOO0 lifetime 86400\n\nset vpn ipsec esp-group FOO0 proposal 1 encryption aes128\nset vpn ipsec esp-group FOO0 proposal 1 hash md5\nset vpn ipsec esp-group FOO0 lifetime 43200\nset vpn ipsec esp-group FOO0 pfs disable<\/pre>\n<\/div>\n<p>6.\u00a0<img loading=\"lazy\" decoding=\"async\" class=\"dont-touch\" src=\"https:\/\/help-center-assets.ubnt.com\/optional.svg\" width=\"66\" height=\"17\" \/>\u00a0Change the IKE Key Exchange from version 1 to version 2.<\/p>\n<div class=\"pre-wrapper\">\n<pre class=\"copyable\">set vpn ipsec ike-group FOO0 key-exchange ikev2<\/pre>\n<\/div>\n<p>7.\u00a0<img loading=\"lazy\" decoding=\"async\" class=\"dont-touch\" src=\"https:\/\/help-center-assets.ubnt.com\/optional.svg\" width=\"66\" height=\"17\" \/>\u00a0Enable Dead Peer Detection (DPD).<\/p>\n<div class=\"pre-wrapper\">\n<pre class=\"copyable\">set vpn ipsec ike-group FOO0 dead-peer-detection action restart\nset vpn ipsec ike-group FOO0 dead-peer-detection interval 30\nset vpn ipsec ike-group FOO0 dead-peer-detection timeout 120<\/pre>\n<\/div>\n<p>8. Commit the changes and save the configuration.<\/p>\n<pre>commit ; save<\/pre>\n<div class=\"article-notice-box box--dark-gray\">\n<div id=\"cli-icon\" class=\"note-table__cell-icon\"><\/div>\n<div class=\"note-table--text\">\n<div class=\"node--head\"><span class=\"node--head-title\"><strong>CLI:<\/strong>\u00a0Access the Command Line Interface on ER-R.<\/span><\/div>\n<\/div>\n<\/div>\n<p>1. Enter configuration mode.<\/p>\n<pre>configure<\/pre>\n<p>2. 
Add firewall rules that allow IKE, NAT-T and ESP in the\u00a0<strong>local<\/strong>\u00a0direction.<\/p>\n<div class=\"pre-wrapper\">\n<pre class=\"copyable\">set firewall name WAN_LOCAL rule 30 action accept\nset firewall name WAN_LOCAL rule 30 description ike\nset firewall name WAN_LOCAL rule 30 destination port 500\nset firewall name WAN_LOCAL rule 30 log disable\nset firewall name WAN_LOCAL rule 30 protocol udp\n\nset firewall name WAN_LOCAL rule 40 action accept\nset firewall name WAN_LOCAL rule 40 description esp\nset firewall name WAN_LOCAL rule 40 log disable\nset firewall name WAN_LOCAL rule 40 protocol esp\n\nset firewall name WAN_LOCAL rule 50 action accept\nset firewall name WAN_LOCAL rule 50 description nat-t\nset firewall name WAN_LOCAL rule 50 destination port 4500\nset firewall name WAN_LOCAL rule 50 log disable\nset firewall name WAN_LOCAL rule 50 protocol udp<\/pre>\n<\/div>\n<p>3. Add firewall rules that allow IPsec traffic between the remote and local subnet in the\u00a0<strong>inbound<\/strong>\u00a0and\u00a0<strong>local<\/strong>\u00a0direction.<\/p>\n<div class=\"pre-wrapper\">\n<pre class=\"copyable\">set firewall name WAN_LOCAL rule 60 action accept\nset firewall name WAN_LOCAL rule 60 description ipsec\nset firewall name WAN_LOCAL rule 60 destination address 172.16.1.0\/24\nset firewall name WAN_LOCAL rule 60 source address 192.168.1.0\/24\nset firewall name WAN_LOCAL rule 60 log disable\nset firewall name WAN_LOCAL rule 60 ipsec match-ipsec\n\nset firewall name WAN_IN rule 30 action accept\nset firewall name WAN_IN rule 30 description ipsec\nset firewall name WAN_IN rule 30 destination address 172.16.1.0\/24\nset firewall name WAN_IN rule 30 source address 192.168.1.0\/24\nset firewall name WAN_IN rule 30 log disable\nset firewall name WAN_IN rule 30 ipsec match-ipsec<\/pre>\n<\/div>\n<p>4. 
Prevent the traffic between the remote and local subnets from being translated by NAT.<\/p>\n<div class=\"pre-wrapper\">\n<pre class=\"copyable\">set service nat rule 5000 description ipsec-exclude\nset service nat rule 5000 destination address 192.168.1.0\/24\nset service nat rule 5000 exclude\nset service nat rule 5000 outbound-interface eth0\nset service nat rule 5000 protocol all\nset service nat rule 5000 source address 172.16.1.0\/24\nset service nat rule 5000 type masquerade<\/pre>\n<\/div>\n<div class=\"article-notice-box box--green\">\n<div id=\"note-icon\" class=\"note-table__cell-icon\"><\/div>\n<div class=\"note-table--text\">\n<div class=\"node--head\"><span class=\"node--head-title\"><strong>NOTE:<\/strong>\u00a0This rule must be inserted in front of any NAT masquerade rules.<\/span><\/div>\n<\/div>\n<\/div>\n<p>5.\u00a0<img loading=\"lazy\" decoding=\"async\" class=\"dont-touch\" src=\"https:\/\/help-center-assets.ubnt.com\/optional.svg\" width=\"66\" height=\"17\" \/>\u00a0Modify the default encryption and hashing settings.<\/p>\n<p>Display the current IPsec VPN configuration (only relevant output is shown).<\/p>\n<pre><strong>[edit]\nubnt@EdgeRouter# show vpn<\/strong>\nipsec {\n   auto-firewall-nat-exclude disable\n   esp-group FOO0 {\n       lifetime 3600\n       pfs enable\n       proposal 1 {\n           encryption aes128\n           hash sha1\n       }\n   }\n   ike-group FOO0 {\n       lifetime 28800\n       proposal 1 {\n           dh-group 14\n           encryption aes128\n           hash sha1\n       }\n   }\n}\n...<\/pre>\n<p>By default, the IKE and ESP groups use the same hashing and encryption settings (AES128\/SHA1 in this example). 
We can customize the groups using the commands below:<\/p>\n<div class=\"pre-wrapper\">\n<pre class=\"copyable\">set vpn ipsec ike-group FOO0 proposal 1 encryption aes256\nset vpn ipsec ike-group FOO0 proposal 1 hash sha256\nset vpn ipsec ike-group FOO0 lifetime 86400\n\nset vpn ipsec esp-group FOO0 proposal 1 encryption aes128\nset vpn ipsec esp-group FOO0 proposal 1 hash md5\nset vpn ipsec esp-group FOO0 lifetime 43200\nset vpn ipsec esp-group FOO0 pfs disable<\/pre>\n<\/div>\n<p>6.\u00a0<img loading=\"lazy\" decoding=\"async\" class=\"dont-touch\" src=\"https:\/\/help-center-assets.ubnt.com\/optional.svg\" width=\"66\" height=\"17\" \/>\u00a0Change the IKE Key Exchange from version 1 to version 2.<\/p>\n<div class=\"pre-wrapper\">\n<pre class=\"copyable\">set vpn ipsec ike-group FOO0 key-exchange ikev2<\/pre>\n<\/div>\n<p>7.\u00a0<img loading=\"lazy\" decoding=\"async\" class=\"dont-touch\" src=\"https:\/\/help-center-assets.ubnt.com\/optional.svg\" width=\"66\" height=\"17\" \/>\u00a0Enable Dead Peer Detection (DPD).<\/p>\n<div class=\"pre-wrapper\">\n<pre class=\"copyable\">set vpn ipsec ike-group FOO0 dead-peer-detection action restart\nset vpn ipsec ike-group FOO0 dead-peer-detection interval 30\nset vpn ipsec ike-group FOO0 dead-peer-detection timeout 120<\/pre>\n<\/div>\n<p>8. 
Commit the changes and save the configuration.<\/p>\n<pre>commit ; save<\/pre>\n<p>You can verify the VPN, firewall rules and NAT statistics with the following commands:<\/p>\n<pre>show firewall name WAN_LOCAL statistics\nshow firewall name WAN_IN statistics\nshow nat statistics\nshow vpn ipsec sa\nshow vpn log<\/pre>\n<p><a name=\"4\"><\/a><\/p>\n<h2 class=\"article__body--header\">Related Articles<\/h2>\n<p class=\"article__body--border\"><a class=\"bullet\" href=\"https:\/\/help.ui.com\/hc\/en-us\/articles\/115011373628\" target=\"_blank\" rel=\"noopener\">EdgeRouter &#8211; Dynamic Site-to-Site IPsec VPN using FQDNs<\/a><\/p>\n<p class=\"article__body--border\"><a class=\"bullet\" href=\"https:\/\/help.ui.com\/hc\/en-us\/articles\/115011377588\" target=\"_blank\" rel=\"noopener\">EdgeRouter &#8211; Route-Based Site-to-Site IPsec VPN<\/a><\/p>\n<p class=\"article__body--border\"><a class=\"bullet\" href=\"https:\/\/help.ui.com\/hc\/en-us\/articles\/115012831287\" target=\"_blank\" rel=\"noopener\">EdgeRouter &#8211; Policy-Based Site-to-Site IPsec VPN<\/a><\/p>\n<p class=\"article__body--border\"><a class=\"bullet\" href=\"https:\/\/help.ui.com\/hc\/en-us\/articles\/218850057\" target=\"_blank\" rel=\"noopener\">Intro to Networking &#8211; How to Establish a Connection Using SSH<\/a><\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>EdgeRouter &#8211; Modifying the Default IPsec Site-to-Site VPN Overview Readers will learn how to modify the default Site-to-Site IPsec VPN 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[16,2,6,12],"tags":[],"class_list":["post-1374","post","type-post","status-publish","format-standard","hentry","category-courses","category-kien-thuc","category-networking","category-vpn"],"_links":{"self":[{"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=\/wp\/v2\/posts\/1374","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1374"}],"version-history":[{"count":0,"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=\/wp\/v2\/posts\/1374\/revisions"}],"wp:attachment":[{"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1374"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1374"},{"taxonomy":"post_tag","embeddable":
true,"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1374"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}