Set Up a Site to Site VPN with Ubiquiti
I use Ubiquiti heavily in my lab environments. I have a hosted site where I keep a number of virtualization servers and storage, and I recently set up a formal Site to Site VPN across two ERPro-8 Ubiquiti routers. This will most likely work for anything in the Edge line.
For the sake of this configuration we’ll say this is between Router A and Router B.
Router A has the external IP of X.X.X.X and an internal subnet of 10.100.200.0/24
Router B has the external IP of Y.Y.Y.Y and an internal subnet of 10.200.200.0/24
Configuration is below:
Router A CLI:
configure
set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 14
set vpn ipsec ike-group FOO0 proposal 1 encryption aes128
set vpn ipsec ike-group FOO0 proposal 1 hash sha1
set vpn ipsec esp-group FOO0 lifetime 3600
set vpn ipsec esp-group FOO0 pfs enable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash sha1
set vpn ipsec site-to-site peer Y.Y.Y.Y authentication mode pre-shared-secret
set vpn ipsec site-to-site peer Y.Y.Y.Y authentication pre-shared-secret YOURSUPERSECRETANDVERYUNIQUEPSK
set vpn ipsec site-to-site peer Y.Y.Y.Y description ipsec
set vpn ipsec site-to-site peer Y.Y.Y.Y local-address X.X.X.X
set vpn ipsec site-to-site peer Y.Y.Y.Y ike-group FOO0
set vpn ipsec site-to-site peer Y.Y.Y.Y vti bind vti0
set vpn ipsec site-to-site peer Y.Y.Y.Y vti esp-group FOO0
set interfaces vti vti0 address 10.255.255.1/30
set protocols static interface-route 10.200.200.0/24 next-hop-interface vti0
commit; save
Router B CLI:
configure
set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 14
set vpn ipsec ike-group FOO0 proposal 1 encryption aes128
set vpn ipsec ike-group FOO0 proposal 1 hash sha1
set vpn ipsec esp-group FOO0 lifetime 3600
set vpn ipsec esp-group FOO0 pfs enable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash sha1
set vpn ipsec site-to-site peer X.X.X.X authentication mode pre-shared-secret
set vpn ipsec site-to-site peer X.X.X.X authentication pre-shared-secret YOURSUPERSECRETANDVERYUNIQUEPSK
set vpn ipsec site-to-site peer X.X.X.X description ipsec
set vpn ipsec site-to-site peer X.X.X.X local-address Y.Y.Y.Y
set vpn ipsec site-to-site peer X.X.X.X ike-group FOO0
set vpn ipsec site-to-site peer X.X.X.X vti bind vti0
set vpn ipsec site-to-site peer X.X.X.X vti esp-group FOO0
set interfaces vti vti0 address 10.255.255.2/30
set protocols static interface-route 10.100.200.0/24 next-hop-interface vti0
commit; save
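The two command sets above are mirror images: the group settings and the pre-shared secret are identical, each router's peer is the other's local-address, and the two vti0 addresses sit in the same /30. The check below is an added example, not part of the original post; it parses `set` lines and reports where a pair of configs stops being mirrored. The function names are hypothetical, and the RFC 5737 addresses and EXAMPLE-PSK are constructed stand-ins for X.X.X.X, Y.Y.Y.Y and the real secret.

```python
import ipaddress

# Subset of the page's commands that is compared across routers; filled-in values are constructed.
TEMPLATE = """\
set vpn ipsec ike-group FOO0 proposal 1 dh-group 14
set vpn ipsec ike-group FOO0 proposal 1 encryption aes128
set vpn ipsec ike-group FOO0 proposal 1 hash sha1
set vpn ipsec esp-group FOO0 pfs enable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash sha1
set vpn ipsec site-to-site peer {peer} authentication pre-shared-secret {psk}
set vpn ipsec site-to-site peer {peer} local-address {local}
set interfaces vti vti0 address {vti}
"""

def parse(cli):
    """Map each `set` path to its value (the last token on the line)."""
    return {" ".join(t[1:-1]): t[-1] for t in map(str.split, cli.splitlines()) if t[:1] == ["set"]}

def peer_view(cfg):
    """Return (peer address, {setting: value}) from the site-to-site peer block."""
    prefix, peer, out = "vpn ipsec site-to-site peer ", None, {}
    for key, val in cfg.items():
        if key.startswith(prefix):
            peer, _, name = key[len(prefix):].partition(" ")
            out[name] = val
    return peer, out

def check_pair(cli_a, cli_b):
    """List the places where two configs (each defining vti0) are not mirror images."""
    a, b, issues = parse(cli_a), parse(cli_b), []
    shared = ("vpn ipsec ike-group ", "vpn ipsec esp-group ")
    for key in sorted(k for k in set(a) | set(b) if k.startswith(shared)):
        if a.get(key) != b.get(key):
            issues.append(f"group setting differs: {key}")
    (peer_a, pa), (peer_b, pb) = peer_view(a), peer_view(b)
    if peer_a != pb.get("local-address") or peer_b != pa.get("local-address"):
        issues.append("peer and local-address are not mirrored")
    if pa.get("authentication pre-shared-secret") != pb.get("authentication pre-shared-secret"):
        issues.append("pre-shared secrets differ")
    va, vb = (ipaddress.ip_interface(c["interfaces vti vti0 address"]) for c in (a, b))
    if va.network != vb.network or va.ip == vb.ip:
        issues.append("vti0 addresses must be distinct hosts in one subnet")
    return issues

# Constructed sample pair following the page's layout.
ROUTER_A = TEMPLATE.format(peer="198.51.100.2", local="203.0.113.1", vti="10.255.255.1/30", psk="EXAMPLE-PSK")
ROUTER_B = TEMPLATE.format(peer="203.0.113.1", local="198.51.100.2", vti="10.255.255.2/30", psk="EXAMPLE-PSK")
```

Calling `check_pair(ROUTER_A, ROUTER_B)` returns an empty list for the mirrored pair; pasting each router's real command list in place of the samples checks it the same way before `commit; save`.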