Setting up site-to-site on Ubiquiti EdgeRouter / EdgeMax


Note: If you are unsure whether site-to-site is the best solution for you, please take a look at our Remote Access article first. The configuration below uses IKEv2 with AES-256, SHA-256 and DH group 14; if your device or service supports these settings, use them rather than weaker legacy combinations.

  • Replace 'DEDICATED_SERVER_IP' with the public IP of your NordLayer dedicated server;
  • Replace 'LOCAL_IP_ADDRESS' with the static public IP of your site (the WAN address of the router you are configuring);
  • Replace '<secret>' in step 5 with the pre-shared key agreed with us.

 

Ubiquiti EdgeRouter - Client side

1. On the EdgeRouter/EdgeMax device, open the CLI and enter configuration mode

configure

2. Enable the auto-firewall-nat-exclude feature, which automatically creates the iptables rules that accept IKE and ESP traffic to the router and excludes the IPsec traffic from NAT (without it you would have to add these firewall and NAT rules by hand)

set vpn ipsec auto-firewall-nat-exclude enable

3. Define the IKE / Phase 1 (P1) proposal used to negotiate the IKE Security Association (SA): IKEv2, AES-256, SHA-256, DH group 14, with an 8-hour (28800 s) lifetime

set vpn ipsec ike-group FOO0 key-exchange ikev2
set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 14
set vpn ipsec ike-group FOO0 proposal 1 encryption aes256
set vpn ipsec ike-group FOO0 proposal 1 hash sha256

4. Define the ESP / Phase 2 (P2) proposal and enable Perfect Forward Secrecy (PFS); with "pfs enable" the DH group is taken from the ike-group, so the tunnel keys are rekeyed with DH group 14 every hour (3600 s)

set vpn ipsec esp-group FOO0 lifetime 3600
set vpn ipsec esp-group FOO0 pfs enable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes256
set vpn ipsec esp-group FOO0 proposal 1 hash sha256

5. Define the remote peer (replace <secret> with your pre-shared key; use a long random value, because the key is stored in clear text in the running configuration and in any configuration backups)

set vpn ipsec site-to-site peer DEDICATED_SERVER_IP authentication mode pre-shared-secret
set vpn ipsec site-to-site peer DEDICATED_SERVER_IP authentication pre-shared-secret <secret>
set vpn ipsec site-to-site peer DEDICATED_SERVER_IP description ipsec
set vpn ipsec site-to-site peer DEDICATED_SERVER_IP local-address LOCAL_IP_ADDRESS

6. Link the SAs created above to the remote peer and bind the VPN to a virtual tunnel interface (vti0)

set vpn ipsec site-to-site peer DEDICATED_SERVER_IP ike-group FOO0
set vpn ipsec site-to-site peer DEDICATED_SERVER_IP vti bind vti0
set vpn ipsec site-to-site peer DEDICATED_SERVER_IP vti esp-group FOO0

7. Configure the virtual tunnel interface (vti0) and assign it the tunnel IP address (10.255.12.1/30 in this example)

set interfaces vti vti0 address 10.255.12.1/30

8. Create a static route that sends traffic for the subnet on the far side of the tunnel (10.6.0.0/20 in this example) through vti0

set protocols static interface-route 10.6.0.0/20 next-hop-interface vti0

9. Commit the changes and save the configuration

commit ; save
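As an added example (not part of this article or of Ubiquiti's tooling), the following Python script assembles the "set" commands from steps 2 to 8 from the values you have to supply, generates a random pre-shared key, and refuses to produce a configuration whose proposal is weaker than the recommended IKEv2 / AES-256 / SHA-256 / DH group 14, whose tunnel address is not a usable /30 host address, or whose remote subnet has host bits set. The function and parameter names and the validation thresholds are this example's own choices; the sample addresses are RFC 5737 documentation addresses, not real peers.

```python
"""Build the EdgeOS 'set' commands from the article above and refuse weak settings.

Added example, not part of the NordLayer article or of Ubiquiti's tooling.  The
command strings reproduce the article's steps 2-8; the parameter names and the
validation rules are this example's own assumptions.
"""
import ipaddress
import secrets

# Recommended minimums from the article: IKEv2, AES-256, SHA-256, DH group 14.
ALLOWED_ENCRYPTION = {"aes256"}
ALLOWED_HASH = {"sha256", "sha384", "sha512"}
ALLOWED_DH_GROUPS = {14, 15, 16, 17, 18, 19, 20, 21}  # 2048-bit MODP and up, or ECP
IKE_LIFETIME = 28800  # seconds, as in step 3
ESP_LIFETIME = 3600   # seconds, as in step 4
MIN_PSK_LENGTH = 32   # assumption: a generous floor for a pre-shared key


def generate_psk(nbytes: int = 32) -> str:
    """Random pre-shared key: 64 hex characters, no whitespace or quoting issues."""
    return secrets.token_hex(nbytes)


def validate_inputs(server_ip, local_ip, psk, tunnel_address, remote_subnet,
                    encryption, hash_alg, dh_group) -> list:
    """Return a list of problems; an empty list means the inputs are acceptable."""
    problems = []
    for label, value in (("DEDICATED_SERVER_IP", server_ip), ("LOCAL_IP_ADDRESS", local_ip)):
        try:
            ipaddress.IPv4Address(value)
        except ValueError:
            problems.append(f"{label} is not a valid IPv4 address: {value!r}")
    try:
        tun = ipaddress.IPv4Interface(tunnel_address)
        if tun.network.prefixlen != 30:
            problems.append("tunnel address should be a /30")
        elif tun.ip in (tun.network.network_address, tun.network.broadcast_address):
            problems.append("tunnel address must be a host address, not the network or broadcast")
    except ValueError:
        problems.append(f"tunnel address is invalid: {tunnel_address!r}")
    try:
        ipaddress.IPv4Network(remote_subnet, strict=True)  # rejects host bits, e.g. 10.6.1.0/20
    except ValueError:
        problems.append(f"remote subnet is not a valid network address: {remote_subnet!r}")
    if encryption not in ALLOWED_ENCRYPTION:
        problems.append(f"encryption {encryption!r} is below the recommended AES-256")
    if hash_alg not in ALLOWED_HASH:
        problems.append(f"hash {hash_alg!r} is below the recommended SHA-256")
    if dh_group not in ALLOWED_DH_GROUPS:
        problems.append(f"DH group {dh_group} is below the recommended group 14")
    if len(psk) < MIN_PSK_LENGTH or any(c.isspace() for c in psk):
        problems.append(f"pre-shared key must be at least {MIN_PSK_LENGTH} characters with no whitespace")
    return problems


def build_config(server_ip, local_ip, psk, tunnel_address="10.255.12.1/30",
                 remote_subnet="10.6.0.0/20", encryption="aes256",
                 hash_alg="sha256", dh_group=14, group="FOO0", vti="vti0") -> list:
    """Return the 'set' commands for steps 2-8, in the article's order."""
    problems = validate_inputs(server_ip, local_ip, psk, tunnel_address, remote_subnet,
                               encryption, hash_alg, dh_group)
    if problems:
        raise ValueError("; ".join(problems))
    peer = f"set vpn ipsec site-to-site peer {server_ip}"
    return [
        "set vpn ipsec auto-firewall-nat-exclude enable",
        f"set vpn ipsec ike-group {group} key-exchange ikev2",
        f"set vpn ipsec ike-group {group} lifetime {IKE_LIFETIME}",
        f"set vpn ipsec ike-group {group} proposal 1 dh-group {dh_group}",
        f"set vpn ipsec ike-group {group} proposal 1 encryption {encryption}",
        f"set vpn ipsec ike-group {group} proposal 1 hash {hash_alg}",
        f"set vpn ipsec esp-group {group} lifetime {ESP_LIFETIME}",
        f"set vpn ipsec esp-group {group} pfs enable",  # DH group is inherited from the ike-group
        f"set vpn ipsec esp-group {group} proposal 1 encryption {encryption}",
        f"set vpn ipsec esp-group {group} proposal 1 hash {hash_alg}",
        f"{peer} authentication mode pre-shared-secret",
        f"{peer} authentication pre-shared-secret {psk}",
        f"{peer} description ipsec",
        f"{peer} local-address {local_ip}",
        f"{peer} ike-group {group}",
        f"{peer} vti bind {vti}",
        f"{peer} vti esp-group {group}",
        f"set interfaces vti {vti} address {tunnel_address}",
        f"set protocols static interface-route {remote_subnet} next-hop-interface {vti}",
    ]


if __name__ == "__main__":
    # Constructed sample values (RFC 5737 documentation addresses), not real peers.
    psk = generate_psk()
    for line in ["configure", *build_config("198.51.100.10", "203.0.113.20", psk), "commit ; save"]:
        print(line)
```

Paste the printed lines into the EdgeRouter CLI, then check from operational mode with "show vpn ipsec sa" and "show vpn ipsec status" that the peer's SA is established, and keep the generated pre-shared key in a password manager rather than in a ticket or chat history.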

 

Ending note:

In order to finalize the site-to-site setup on our end, we will need these values:

  • Pre-shared key - you can generate it or we can provide it
  • Encryption details (AES, SHA and DH group); AES-256, SHA-256 and DH group 14 with IKEv2 are recommended
  • Remote gateway/router public IP (must be reachable from the dedicated server)
  • Remote subnet and mask (the subnet used in your local network that should be reachable through the tunnel)

Lastly, it is important to know what device or cloud network is being used (Ubiquiti, Fortigate, AWS, Google Cloud, etc.)

You can provide all of these values to us securely via privnote.com

If you get different results, make sure that you have carefully gone through all the steps. If the issue persists, please feel free to contact our 24/7 customer support team.

