Setting up site-to-site on Ubiquiti EdgeRouter / EdgeMax
  • 2 Minutes to read

Setting up site-to-site on Ubiquiti EdgeRouter / EdgeMax


Note: If your device/service supports SHA256 and DH group 14, it is recommended to use these settings instead.

  • Replace 'DEDICATED_SERVER_IP' with the IP of your NordLayer dedicated server;
  • LOCAL_IP_ADDRESS - with the static public IP of your site (place where a router resides);

Ubiquity EdgeRouter - Client side

  1. On the EdgeRouter/Edgemax device go to the CLI and enter configuration mode
configure
  1. Enable the auto-firewall-nat-exclude feature which automatically creates the IPsec firewall/NAT policies in the iptables firewall
set vpn ipsec auto-firewall-nat-exclude enable
  1. Create the IKE / Phase 1 (P1) Security Associations (SAs)
set vpn ipsec ike-group FOO0 key-exchange ikev2
set vpn ipsec ike-group FOO0 lifetime 3600
set vpn ipsec ike-group FOO0 proposal 1 dh-group 14
set vpn ipsec ike-group FOO0 proposal 1 encryption aes256
set vpn ipsec ike-group FOO0 proposal 1 hash sha256
  1. Create the ESP / Phase 2 (P2) SAs and enable Perfect Forward Secrecy (PFS)
set vpn ipsec esp-group FOO0 lifetime 28800
set vpn ipsec esp-group FOO0 pfs enable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes256
set vpn ipsec esp-group FOO0 proposal 1 hash sha256
  1. Define the remote peering address (replace with your pre-shared passphrase)
set vpn ipsec site-to-site peer DEDICATED_SERVER_IP authentication mode pre-shared-secret
set vpn ipsec site-to-site peer DEDICATED_SERVER_IP authentication pre-shared-secret <secret>
set vpn ipsec site-to-site peer DEDICATED_SERVER_IP description ipsec
set vpn ipsec site-to-site peer DEDICATED_SERVER_IP local-address LOCAL_IP_ADDRESS
  1. Link the SAs created above to the remote peer and bind the VPN to a virtual tunnel interface (vti0)
set vpn ipsec site-to-site peer DEDICATED_SERVER_IP ike-group FOO0
set vpn ipsec site-to-site peer DEDICATED_SERVER_IP vti bind vti0
set vpn ipsec site-to-site peer DEDICATED_SERVER_IP vti esp-group FOO0
  1. Configure the virtual tunnel interface (vti0) and assign it an IP address
set interfaces vti vti0 address 10.255.12.1/30
  1. Create a static route for the remote subnet
set protocols static interface-route 10.6.0.0/20 next-hop-interface vti0
  1. Commit the changes and save the configuration
commit ; save

Ending note:

In order to finalize the site-to-site setup on our end, please provide these values via Site-to-site request from in the NordLayer Control Panel:

  • Pre-shared key - you can generate it or we can provide it
  • Encryption  details (AES, SHA and DH group) - AES256, SHA256 and DH group 14 are recommended (also must support IKEv2)
  • Remote gateway/router public IP (must be reachable while connected to the dedicated server)
  • Remote subnet and mask (the subnet is used in your local network)

Note: In case you are experiencing different results, make sure that you have you carefully gone through all the steps. Having said that, in case the issue persists please feel free to contact our 24/7 customer support team.


Was this article helpful?