EdgeRouter VPN site to site: comprehensive guide to setting up IPsec site-to-site VPNs on EdgeRouter devices, best practices, troubleshooting, and performance tips
This guide walks you through setting up a reliable IPsec site-to-site VPN between EdgeRouter devices, including practical CLI and GUI steps, security hardening, testing, and troubleshooting. You’ll learn about topology options, recommended encryption and authentication settings, how to handle NAT and dynamic IPs, and how to verify that tunnels are up and passing traffic. If you’re also looking for extra privacy tools to complement remote work, a consumer VPN such as NordVPN is a handy companion when you’re working outside the office, especially on public networks.
Useful resources you might keep handy as you follow along:
– EdgeRouter Documentation – ubnt.com
– IPsec Overview – https://en.wikipedia.org/wiki/IPsec
– Ubiquiti Community Forums – https://community.ubnt.com
– Networking Security Best Practices – https://www.cisco.com
Understanding EdgeRouter site-to-site VPN
A site-to-site VPN creates an encrypted tunnel between two networks, so devices on one LAN can reach devices on the other LAN as if they were locally connected. EdgeRouter devices from Ubiquiti run EdgeOS, which provides a robust set of VPN options, including IPsec-based site-to-site tunnels. The core concepts you’ll use here are:
– IKE (Internet Key Exchange), phase 1: negotiates the tunnel’s security parameters and authenticates the peers.
– IPsec ESP (Encapsulating Security Payload), phase 2: carries the actual encrypted data.
– Local and remote subnets: define which networks are allowed to traverse the tunnel.
– IKE and ESP groups: define the cryptographic suites for each phase of the connection.
– NAT traversal and firewall rules: let the tunnel form and allow traffic across the VPN.
In practice, most EdgeRouter site-to-site setups use IPsec with a pre-shared key (PSK) or certificate-based authentication, AES-256 or AES-128 for encryption, and SHA-256 for integrity. IKEv2 is generally preferred for better performance and reliability, but older EdgeRouter firmware often uses IKEv1. You’ll typically configure:
– A pair of EdgeRouter devices, each with a WAN IP or dynamic IP with a dynamic DNS setup.
– Each side’s LAN subnet (for example, 192.168.1.0/24 on Site A and 10.10.0.0/24 on Site B).
– A secure PSK or a certificate-based identity on each peer.
– Matching IKE/ESP proposals and a tunnel that maps local and remote subnets.
Data shows the global VPN market continues to grow as more organizations adopt site-to-site IPsec for branch connectivity, with IPsec remaining the most widely deployed VPN technology across enterprises. For individuals, using a VPN alongside site-to-site tunnels helps cover remote workers and mobile endpoints when they’re on other networks, though the site-to-site tunnel keeps the main inter-site traffic secured.
Prerequisites
– Two EdgeRouter devices (EdgeRouter X, EdgeRouter 4, or higher) connected to the internet, each with a public IP or a dynamic IP plus a DNS name.
– Each site’s LAN subnet clearly defined and non-overlapping (e.g., Site A 192.168.1.0/24, Site B 10.10.0.0/24).
– Administrative access to both EdgeRouter devices (CLI or GUI).
– A shared PSK, or digital certificates if you prefer certificate-based authentication.
– Firewall rules on both sides that allow the VPN control and data traffic: IKE on UDP 500, NAT-T on UDP 4500, and ESP (IP protocol 50).
– If you have dynamic IPs, a Dynamic DNS service for the WAN IP on both sides, or at least on the primary site.
Optional but recommended:
– A stable, predictable hostname for each site if you’re not using static IPs.
– A plan for NAT and routing so your VPN traffic doesn’t get dropped by misconfigured rules.
– Documentation of the exact subnets you’re using, to avoid accidental overlaps.
Choosing your topology and tunnel settings
EdgeRouter supports gateway-to-gateway site-to-site tunnels in either route-based or policy-based form. For most home, SME, or branch scenarios, a classic route-based IPsec tunnel is the simplest effective choice. The key decisions:
– Authentication: pre-shared key (PSK) or certificates. PSK is simpler to set up; certificates are more scalable and more secure but require a PKI.
– IKE version: IKEv2, preferred on newer devices, or IKEv1, common on older firmware.
– Encryption/integrity: AES-256 or AES-128 with SHA-256, and DH group 14 (2048-bit) or higher.
– NAT traversal: enable NAT-T if one or both sides sit behind NAT.
– Subnets: avoid overlap, and define the local and remote subnets clearly so routing is correct.
Recommended defaults, to be used as a starting point and adjusted for your hardware and security policy:
– IKE group: IKEv2 with AES-256, SHA-256, DH group 14
– ESP group: AES-256, SHA-256
– PFS (perfect forward secrecy): enabled, DH group 14
– NAT-T: enabled
– Dead Peer Detection (DPD): on
– Lifetime: IKE 3600 seconds, ESP 3600 seconds (adjust if you see mismatch timeouts)
Now, let’s walk through the actual setup.
Step-by-step setup GUI and CLI
Note: The exact naming and layout can vary slightly by EdgeOS version, but the commands and flows are the same.
# Step 1: Prepare both sites
– Confirm WAN IPs or dynamic DNS names for both sites.
– Confirm LAN subnets (Site A: 192.168.1.0/24, Site B: 10.10.0.0/24 in the examples below).
– Decide on the authentication method (PSK vs certificates). For quick setups, PSK is fine.
# Step 2: Configure IKE and ESP groups CLI example
On Site A’s EdgeRouter, in configure mode (replace the group names, addresses and PSK with your own values):
– IKE group (phase 1): IKEv2, AES-256, SHA-256, DH group 14, DPD on
  set vpn ipsec ike-group IKE-GROUP-1 key-exchange ikev2
  set vpn ipsec ike-group IKE-GROUP-1 lifetime 3600
  set vpn ipsec ike-group IKE-GROUP-1 proposal 1 encryption aes256
  set vpn ipsec ike-group IKE-GROUP-1 proposal 1 hash sha256
  set vpn ipsec ike-group IKE-GROUP-1 proposal 1 dh-group 14
  set vpn ipsec ike-group IKE-GROUP-1 dead-peer-detection action restart
– ESP group (phase 2): AES-256, SHA-256, tunnel mode, PFS with DH group 14
  set vpn ipsec esp-group ESP-GROUP-1 lifetime 3600
  set vpn ipsec esp-group ESP-GROUP-1 mode tunnel
  set vpn ipsec esp-group ESP-GROUP-1 pfs dh-group14
  set vpn ipsec esp-group ESP-GROUP-1 proposal 1 encryption aes256
  set vpn ipsec esp-group ESP-GROUP-1 proposal 1 hash sha256
– IPsec interface and NAT traversal (use your device’s WAN interface, eth0 in this example):
  set vpn ipsec ipsec-interfaces interface eth0
  set vpn ipsec nat-traversal enable
  set vpn ipsec auto-firewall-nat-exclude enable
– Site-to-site peer (Site B’s WAN is 203.0.113.2 and Site A’s own WAN is 203.0.113.1 in this example):
  set vpn ipsec site-to-site peer 203.0.113.2 authentication mode pre-shared-secret
  set vpn ipsec site-to-site peer 203.0.113.2 authentication pre-shared-secret 'YourPSKHere'
  set vpn ipsec site-to-site peer 203.0.113.2 ike-group IKE-GROUP-1
  set vpn ipsec site-to-site peer 203.0.113.2 default-esp-group ESP-GROUP-1
  set vpn ipsec site-to-site peer 203.0.113.2 local-address 203.0.113.1
  set vpn ipsec site-to-site peer 203.0.113.2 tunnel 1 local prefix 192.168.1.0/24
  set vpn ipsec site-to-site peer 203.0.113.2 tunnel 1 remote prefix 10.10.0.0/24
– Apply and persist the configuration:
  commit
  save
Note: EdgeOS versions differ slightly in syntax; some present a “local-subnet”/“remote-subnet” form, others the “tunnel 1 local prefix” form shown here. Use the syntax your firmware accepts and keep it consistent on both sides.
# Step 3: Configure on Site B mirror the settings
– Create the same IKE/ESP groups (IKE-GROUP-1, ESP-GROUP-1) with identical proposals.
– Peer: the WAN IP address of Site A’s EdgeRouter (e.g., 203.0.113.1).
– PSK: the same pre-shared secret.
– Local subnet (tunnel 1 local prefix): 10.10.0.0/24
– Remote subnet (tunnel 1 remote prefix): 192.168.1.0/24
– Local address: 203.0.113.2 (Site B’s own WAN IP, the address Site A has configured as its peer)
– IPsec interface and tunnel numbering as appropriate for the device.
# Step 4: Configure on-site routing and firewall rules
– Ensure routes to the remote network are present:
– On Site A: route to 10.10.0.0/24 via the VPN tunnel
– On Site B: route to 192.168.1.0/24 via the VPN tunnel
– Firewall:
– Allow IKE on UDP 500 and NAT-T on UDP 4500 on the WAN-facing firewall.
– Allow ESP (IP protocol 50), and AH (IP protocol 51) only if you use it; ESP is the common case, AH is rare.
– Allow traffic between the local LAN and the remote LAN subnets across the VPN.
– In many cases EdgeRouter’s default rules already permit IPsec; you may still need to open the necessary ports on the WAN firewall.
# Step 5: Testing the tunnel
– Check status:
– show vpn ipsec sa
– show vpn ike sa
– show vpn ipsec status
– Test with ping:
– From a host on Site A (192.168.1.0/24), ping a host on Site B (10.10.0.0/24).
– If you don’t see traffic, verify:
– PSK matches
– Subnet definitions don’t overlap
– NAT-T is enabled if either side is behind NAT
– IKE/ESP groups match on both sides
– Firewall rules permit traffic to and from the tunnel
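Most of the checks in that list can be automated by comparing the two routers’ configurations before you ever look at a log. The script below is an added example (not from the original guide or from Ubiquiti): it parses each side’s `set vpn ipsec` lines in the form `show configuration commands` prints them, then reports PSK mismatches, differing IKE/ESP proposals, tunnel prefixes that are not mirrored, and overlapping local subnets. The two sample configs are constructed, and Site B is seeded with two defects (an ESP hash mismatch and a mis-typed remote prefix).

```python
import ipaddress

# Constructed sample configs for both sites, in the `set` form that `show configuration commands` prints.
# Site B deliberately carries two defects: an ESP hash mismatch and a mis-typed remote prefix.
SITE_A = """
set vpn ipsec ike-group IKE-GROUP-1 proposal 1 encryption aes256
set vpn ipsec ike-group IKE-GROUP-1 proposal 1 hash sha256
set vpn ipsec esp-group ESP-GROUP-1 proposal 1 encryption aes256
set vpn ipsec esp-group ESP-GROUP-1 proposal 1 hash sha256
set vpn ipsec site-to-site peer 203.0.113.2 authentication pre-shared-secret 'ExamplePSK'
set vpn ipsec site-to-site peer 203.0.113.2 ike-group IKE-GROUP-1
set vpn ipsec site-to-site peer 203.0.113.2 default-esp-group ESP-GROUP-1
set vpn ipsec site-to-site peer 203.0.113.2 tunnel 1 local prefix 192.168.1.0/24
set vpn ipsec site-to-site peer 203.0.113.2 tunnel 1 remote prefix 10.10.0.0/24
"""
SITE_B = """
set vpn ipsec ike-group IKE-GROUP-1 proposal 1 encryption aes256
set vpn ipsec ike-group IKE-GROUP-1 proposal 1 hash sha256
set vpn ipsec esp-group ESP-GROUP-1 proposal 1 encryption aes256
set vpn ipsec esp-group ESP-GROUP-1 proposal 1 hash sha1
set vpn ipsec site-to-site peer 203.0.113.1 authentication pre-shared-secret 'ExamplePSK'
set vpn ipsec site-to-site peer 203.0.113.1 ike-group IKE-GROUP-1
set vpn ipsec site-to-site peer 203.0.113.1 default-esp-group ESP-GROUP-1
set vpn ipsec site-to-site peer 203.0.113.1 tunnel 1 local prefix 10.10.0.0/24
set vpn ipsec site-to-site peer 203.0.113.1 tunnel 1 remote prefix 192.168.0.0/24
"""

def parse(cfg):
    """Map each `set vpn ipsec ...` line to (path tokens) -> last token, with quotes stripped."""
    tree = {}
    for line in cfg.strip().splitlines():
        tok = line.split()
        if tok[:3] == ["set", "vpn", "ipsec"]:
            tree[tuple(tok[3:-1])] = tok[-1].strip("'\"")
    return tree

def group(tree, kind, name):
    """Settings of one ike-group/esp-group as a set, so groups compare by content rather than by name."""
    return {(p[2:], v) for p, v in tree.items() if p[:2] == (kind, name)}

def check_pair(cfg_a, cfg_b):
    """Return human-readable mismatches between the two peers' configs (empty list = consistent)."""
    a, b = parse(cfg_a), parse(cfg_b)
    pa, pb = (next(p[2] for p in t if p[:2] == ("site-to-site", "peer")) for t in (a, b))
    ka, kb = ("site-to-site", "peer", pa), ("site-to-site", "peer", pb)
    issues = []
    if a.get(ka + ("authentication", "pre-shared-secret")) != b.get(kb + ("authentication", "pre-shared-secret")):
        issues.append("PSK mismatch")
    for kind, key in (("ike-group", "ike-group"), ("esp-group", "default-esp-group")):
        if group(a, kind, a.get(ka + (key,))) != group(b, kind, b.get(kb + (key,))):
            issues.append(f"{kind} proposals differ")
    la, ra = (a.get(ka + ("tunnel", "1", s, "prefix")) for s in ("local", "remote"))
    lb, rb = (b.get(kb + ("tunnel", "1", s, "prefix")) for s in ("local", "remote"))
    if (la, ra) != (rb, lb):  # A's local must be B's remote and vice versa
        issues.append(f"tunnel prefixes not mirrored: A {la}->{ra}, B {lb}->{rb}")
    if la and lb and ipaddress.ip_network(la).overlaps(ipaddress.ip_network(lb)):
        issues.append("local subnets overlap")
    return issues
```

Paste each router’s `show configuration commands | match "vpn ipsec"` output into the two strings and call check_pair; an empty list means the two sides agree on everything the checker covers.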
# Step 6: Optional GUI setup EdgeRouter UI
– Log in to EdgeRouter UI
– Go to VPN > IPsec or Security > IPsec, depending on firmware
– Create IKE Group with lifetime 3600, AES-256, SHA-256, DH group 14
– Create ESP Group with similar settings
– Add a Peer for Site B with:
– Authentication: Pre-shared key
– PSK: same as Site A
– Local Subnet: Site A LAN
– Remote Subnet: Site B LAN
– IKE Group: IKE-GROUP-1
– ESP Group: ESP-GROUP-1
– Repeat on Site B for the peer pointing to Site A
– Apply changes and test connectivity as above
Security best practices and optimization
– Use AES-256 and SHA-256 for encryption and integrity, and prefer stronger DH groups (DH-14 or higher) for phase 1.
– Use IKEv2 when possible for better resilience to network changes and faster reconnects.
– Enable Dead Peer Detection (DPD) so a broken tunnel is detected quickly and re-established.
– Use unique Pre-Shared Keys per site pair or consider certificates for scalable deployments.
– Keep firmware updated to reduce vulnerability exposure and ensure compatibility with newer IKEv2 features.
– Consider enabling route-based VPN instead of policy-based for more flexible routing and easier scaling.
– Limit VPN traffic to only the necessary subnets; don’t route the entire LAN unless required.
NAT, dynamic IPs, and remote endpoints
– If either site has a dynamic public IP, set up Dynamic DNS (DDNS) on that EdgeRouter and use the DDNS hostname in the peer configuration.
– For NAT environments, ensure NAT-T (NAT Traversal) is enabled in the IPsec settings.
– If both sides sit behind NAT, keep a consistent keepalive (DPD) and sensible lifetime values so the mapping on the NAT devices does not expire and drop the connection.
Performance considerations
– CPU and memory on EdgeRouter devices determine IPsec throughput; higher-end devices handle VPN traffic more efficiently.
– AES-256 uses more CPU than AES-128; if performance is an issue, drop to AES-128 with SHA-256, or upgrade to a device with a higher VPN throughput rating.
– VPN tunnel count impacts performance. If you’re running multiple site-to-site tunnels, ensure your EdgeRouter has headroom.
– Check for firmware updates to improve VPN performance and stability.
Troubleshooting common issues
– Tunnel won’t establish:
– Look for a PSK mismatch, an IKE/ESP group mismatch, or a subnet mismatch between the two sides
– Make sure the local and remote subnets don’t overlap
– Verify that each side’s WAN IP is reachable from the other
– Traffic not passing through the tunnel:
– Ensure routing is correct (static routes to the remote subnet via the VPN)
– Re-check that firewall rules allow VPN traffic and that a NAT rule isn’t rewriting the source address before the traffic matches the tunnel
– Tunnel drops after a few minutes:
– Check IKE SA lifetime, ESP lifetime, and DPD settings
– Confirm there’s stable internet on both sides
– Connectivity if behind NAT:
– Ensure NAT-T is enabled and the correct ports (UDP 500/4500) are open
– If you’re using dynamic IPs:
– Confirm the DDNS updates successfully and that peers use the DDNS hostname
– Logs and diagnostic commands:
– show vpn ipsec sa and show vpn ipsec status
– show log, filtered for IPsec entries (EdgeOS uses strongSwan, so look for charon messages)
– tcpdump on the WAN interface, filtered on UDP 500/4500 and ESP, to confirm that IKE and ESP packets are actually leaving and arriving
Advanced topics
– Failover with multiple WANs: use multiple IPsec peers with policy-based routing to switch to a backup WAN if the primary goes down.
– Redundancy: consider setting up a secondary tunnel with a different remote peer for resilience.
– Split tunneling vs full tunnel: route only necessary subnets through the VPN to reduce overhead, or route all site traffic if centralized management or security policies require it.
– Certificates vs PSK: large deployments benefit from PKI-based authentication; you’ll set up a private CA, issue leaf certificates to each EdgeRouter, and configure certificate-based IKE authentication.
Real-world tips and best practices
– Document everything: keep a clear diagram of the topology, the subnets, and the PSK or certificate details, plus the site addresses and the WAN IPs.
– Start with a simple tunnel and gradually add more sites; this makes troubleshooting easier.
– Regularly test failover scenarios to ensure you’re ready for WAN outages.
– Consider logging VPN events to a central log server so you can spot patterns like repeated rekeys or dropped connections.
Case studies and use cases
– Small office to remote branch: a single IPsec tunnel bridging two LANs, enabling printers, file shares, and internal services to be accessible across sites.
– Multi-branch network: a hub-and-spoke design where multiple sites connect back to a central data center. IPsec tunnels can be configured from each site to the central hub, with central routing controlling inter-site traffic.
– Temporary site setup: dynamic IPs provide a challenge, but with DDNS and auto-updating peers, you can establish tunnels quickly and maintain connectivity with minimal manual reconfiguration.
What to watch for in 2025 and beyond
– EdgeRouter firmware updates may bring new IPsec features, better IKEv2 support, and improved performance.
– The security industry continues to push for stronger cryptographic standards, so staying current with AES-256/SHA-256 and modern DH groups is good practice.
– The VPN market continues to grow, with more options for site-to-site integration and hybrid cloud connectivity. EdgeRouter remains a flexible option for on-premises networks with a strong community and support ecosystem.
Frequently Asked Questions
# What is a site-to-site VPN?
A site-to-site VPN connects two separate networks over the public internet so devices on one LAN can reach devices on the other LAN as if they were on the same network.
# What is EdgeRouter?
EdgeRouter is a line of routers from Ubiquiti that runs EdgeOS, offering advanced routing, firewall, and VPN capabilities suitable for small offices and branches.
# Is IPsec the only option for EdgeRouter site-to-site VPN?
IPsec is the most common and widely supported option for EdgeRouter site-to-site VPNs, but OpenVPN and some other protocols can also be configured in certain EdgeOS setups. However, IPsec is typically the default choice for site-to-site connections due to performance and compatibility.
# How do I configure IPsec on EdgeRouter using CLI?
You set up IKE groups, ESP groups, and then define a site-to-site peer with local and remote subnets, plus a pre-shared key or certificate. You tie the peer to the groups and apply tunnel definitions, then enable the IPsec interface and apply firewall rules. The exact commands vary by firmware version, so consult the EdgeRouter CLI reference for your version.
# Can I use dynamic DNS with EdgeRouter site-to-site VPN?
Yes, dynamic DNS is common in home office setups. You configure the DDNS name on the EdgeRouter’s WAN interface and use that hostname on the peer side when the IP isn’t static.
# How do I test VPN connectivity between sites?
Ping a host on the remote subnet from a host on the local subnet and verify the IPsec SA status with show vpn ipsec sa or the GUI’s VPN status page. Check the logs if traffic isn’t routing correctly.
# What are the differences between route-based and policy-based VPN on EdgeRouter?
Route-based VPNs route entire subnets over a virtual tunnel interface, which makes them easier to manage and scale; policy-based VPNs apply IPsec to specific traffic flows selected by policy. Route-based is generally more flexible for multi-subnet setups.
# How do NAT and firewall rules affect VPN tunnels?
NAT can break VPN tunnels if IPsec is not configured for NAT Traversal. Ensure NAT-T is enabled and firewall rules allow IKE (UDP 500), NAT-T (UDP 4500), and ESP (IP protocol 50).
# How can I improve VPN performance on EdgeRouter?
Choose strong yet efficient ciphers (AES-256 or AES-128 as appropriate), enable DPD or similar keepalive features, ensure the hardware can handle the expected throughput, and disable any unnecessary services that might contend for CPU resources.
# How do I handle certificate-based authentication on EdgeRouter?
Set up a PKI, issue certificates to each EdgeRouter, and configure the VPN peers to use certificate-based authentication instead of PSK. This approach scales well in larger deployments and improves security.
# Can I run multiple site-to-site VPNs on a single EdgeRouter?
Yes. EdgeRouter supports multiple VPN peers; just ensure routing and firewall rules are configured correctly for each tunnel, and that subnets do not overlap.
# What are common mistakes to avoid with EdgeRouter site-to-site VPN?
Overlapping subnets, mismatched PSKs, and mismatched IKE/ESP groups are the usual culprits. Also, misconfiguring NAT-T and firewall rules can block traffic or drop tunnels unexpectedly.
# How do I monitor VPN performance and health?
Use the EdgeRouter status pages or CLI commands to monitor IPsec SA stats, tunnel status, CPU load, and network throughput. Setting up a centralized log or SNMP monitoring can help you spot anomalies early.
If you’re ready to get your EdgeRouter site-to-site VPN up and running, start with the basic PSK-based IKEv2 setup, verify both sides can reach each other, and then gradually introduce more complex features like dynamic DNS, certificates, or additional tunnels. With careful planning and methodical testing, you’ll have a robust, scalable, and secure intersite network in no time.