New Member
Posts: 11
Registered: ‎10-18-2018

IPSec Site-to-Site VPN with dynamic IP addresses

Long story short: I have tried to get this working several times and have spent 10+ hours with chat support. I am quite close to giving up, but I cannot find any other product that gives me the same all-in-one package that I need.

My case is that I am going to install IP cameras at different locations, connected to a Zyxel VPN box in our datacenter. The Zyxel box I have "total" control over, with static IP etc. But it is in use with several other customers, so it is a critical unit that cannot be replaced/messed with.
On the client side I want to use an ERPoe-5 with VPN. The client side must be dynamic, meaning I cannot input the client-site WAN IP anywhere. It can be changed/moved at any time. I do not control the "remote site" in any way, meaning the ERPoe-5 can be moved to different networks, routers, addresses and so on.

I have this working perfectly on a Zyxel router, but this is only for testing. I have not done anything with port forwarding etc. on the working unit or done anything with the router to adapt the system. During testing we moved the Zyxel (client) to different networks, behind several routers etc., and this works.

BUT Ubiquiti support insists that this is NOT POSSIBLE and is unable to help me with this. We are close to scrapping Ubnt products all over, but I want to try one more desperate time.

Can anyone help here? Suggestions? Guides that actually work?

 


All Replies
Regular Member
Posts: 587
Registered: ‎01-06-2017
Kudos: 126
Solutions: 52

Re: IPSec Site-to-Site VPN with dynamic IP addresses


 

A question about setting up a dynamic VPN between multiple vendors' routers is very complex and outside the scope of any manufacturer's tech support, especially unpaid tech support.  You should not expect tech support to be able to give you an answer.   If they spent 10 hours with you, they went above and beyond what should be expected.

 

I believe it should be possible, but implementation would depend on how the Zyxel VPN works.  You would set up the Zyxel as a "responder" and the remote router as an "initiator" in the VPN config.  The Zyxel would need to be able to specify peers using some type of non-IP identifier, such as a domain name. (Some brands of routers cannot do this easily.) You would also need to enable NAT-Traversal in the VPN setup if you might be behind another router.

 

Assuming you used domain names, you would need a unique domain name and a unique subnet for each remote router.

 

In the remote EdgeRouter, you would set up the peer using the static public IP (or domain name) of the Zyxel.  In the Zyxel, you would need a peer config for each remote EdgeRouter, specifying its unique dynamic domain name and subnet.

 

You would need a dynamic dns client on each remote network, and you would need to ensure it resolved to the public WAN IP of the remote network.

 

There are probably other approaches.

 

These links should help.

 

https://help.ubnt.com/hc/en-us/articles/115011373628

https://help.ubnt.com/hc/en-us/articles/204952234-EdgeRouter-Built-in-Dynamic-DNS

New Member
Posts: 11
Registered: ‎10-18-2018

Re: IPSec Site-to-Site VPN with dynamic IP addresses

Hi,

 

I actually agree 100% with you that this might be over and beyond normal tech support.

 

That it works is without any doubt; I have a system up and running with Zyxel products, but they are more expensive and not as suitable.

 

On the existing system I have not used DynDNS or any other similar service. The remote unit is on a static IP and works like a charm.

 

I would gladly pay UBNT for direct support with 2nd/3rd-line tech, but they said that they provide free support, and every time I contact them it's a new person who tries (they really do) but doesn't succeed.

This being the type of product it is, it's quite hard to work with for a person with "mid-range" skills. I cannot use my IT consultant at 120 USD/hr rates.  Not when they have to go through 1st line every time.

 

If you know of anybody with extensive knowledge that I can contact and get direct paid support from, I will gladly do so. We are planning on using this on quite a large scale if this is successful, so if I need to throw money at someone to help me, so be it :)
Thanks for taking the time to answer!

Senior Member
Posts: 3,937
Registered: ‎05-15-2014
Kudos: 1416
Solutions: 269

Re: IPSec Site-to-Site VPN with dynamic IP addresses

What kind of VPN does the ZyXEL support? On what VPN do you have your test case setup today?

New Member
Posts: 11
Registered: ‎10-18-2018

Re: IPSec Site-to-Site VPN with dynamic IP addresses

Hi,

These are the settings and the export from the Zyxel:

VPN Server:

WAN: x.x.x.x

LAN 10.10.10.0/24

 

 

## Edit this shell script according to
## the comments before using it in the remote gateway.
## Check the peer-ip interface.
## Check the local-ip interface.
## Edit the WIZ_VPN_LOCAL address-object.
## Then remove the following line.
PLEASE REMOVE THIS LINE
configure terminal
isakmp policy WIZ_VPN
## If this device's wan1 IP is dynamic,
## consider using DDNS and changing
## the peer-ip listed here to a domain name.
peer-ip x.x.x.x.x
## Use the correct interface name in the
## next command line and remove the "#".
# local-ip interface wan1
authentication pre-share
keystring xxxxxxx
mode main
transform-set AES128-sha
group1
lifetime 86400
natt
dpd
xauth type server default deactivate
local-id type ip 0.0.0.0
exit
## Specify the correct local policy for the
## WIZ_VPN_LOCAL address object.
## For example: change 0.0.0.0 0.0.0.0 to
## 192.168.1.0 255.255.255.0
## Then remove the "#".
# address-object WIZ_VPN_LOCAL 0.0.0.0 255.255.255.0
address-object WIZ_VPN_REMOTE 10.10.10.0 255.255.255.0
crypto map WIZ_VPN
ipsec-isakmp WIZ_VPN
encapsulation tunnel
transform-set esp-AES128-sha
set security-association lifetime seconds 86400
set pfs none
no nail-up
local-policy WIZ_VPN_LOCAL
remote-policy WIZ_VPN_REMOTE
no replay-detection
no netbios-broadcast
exit
zone IPSec_VPN
crypto WIZ_VPN
exit

Emerging Member
Posts: 440
Registered: ‎09-13-2018
Kudos: 69
Solutions: 26

Re: IPSec Site-to-Site VPN with dynamic IP addresses


I don't know how many sites you are talking about, but are you sure the existing central vpn server is going to be able to handle the video feeds from multiple sites with its current connection?  Has anyone done any bandwidth testing?  The point is that if you start dumping large video feeds to the vpn server, you may affect the other "customers".

 

Since the video feed is going to be very asymmetrical traffic, you may want to consider getting another circuit dedicated to handling the video feeds from the remote sites.  Then you can put in whatever equipment is appropriate (it won't need to be Zyxel).  You may want to put in a PC running something like pfSense if the bandwidth is going to exceed what you can do with a Ubiquiti.  You have left out a lot of details; it is a very different problem if you have 2 video feeds sending updates only when motion is detected vs. 25 sites trying to send HD feeds.  Do the remote sites have NVRs (Network Video Recorders), and you only need to be able to review?

 

Spending some money upfront with a consultant that has experience will probably be a good investment, it is going to be a small amount compared to your yearly costs of ownership.  Or at least talking with other people that have done similar things. And, no I don't know anyone to recommend.

 

Jon

 

Depending on your needs you may even want to host at a colo that has good connectivity options.

New Member
Posts: 11
Registered: ‎10-18-2018

Re: IPSec Site-to-Site VPN with dynamic IP addresses

Hi,

Currently we are able to use about 900 Mbps on one dedicated line, and we can expand to several Gbps lines if needed :)

The vpn on the server-site will be upgraded when needed.

 

We will lock the feed at 3/4 Mbps with H.265; this gives us the perfect balance between quality and bandwidth.

 

We have only tested this on a smaller scale for now, because I need my four ERs up and running so that I can test on several sites :) Can't use the Zyxels for this as they are 4 times the price of the ERs.

The server is a blade server solution with virtual machine(s). This gives us "unlimited" scalability :)

 

If we were to aim for "mid to high" solutions we could easily use more expensive stuff like the Zyxels, but at least in the beginning our main customer base will be small 1-5 camera solutions, and we must keep it as low-cost and streamlined as possible.
Made sense?

Senior Member
Posts: 3,937
Registered: ‎05-15-2014
Kudos: 1416
Solutions: 269

Re: IPSec Site-to-Site VPN with dynamic IP addresses

Sorry, I know we've not answered your question yet, but two more questions before we get there:

  • What cameras are you using? Are the cameras capable of stream encryption or stream over https? ...in such case VPN is not needed
  • Does your VPN concentrator (ZyXEL) support openVPN? ...openVPN is best suited for this job if you desire maximum portability and firewall/NAT interoperability.
New Member
Posts: 11
Registered: ‎10-18-2018

Re: IPSec Site-to-Site VPN with dynamic IP addresses

Regarding cameras, I can't answer in more detail; this is a project under development and is, you know... BUT I can say that there will be several vendors of cameras, so we need to use VPN :)

Regarding OpenVPN, I'll have a chat with my tech guy...
Ubiquiti Employee
Posts: 2,296
Registered: ‎05-08-2017
Kudos: 416
Solutions: 343

Re: IPSec Site-to-Site VPN with dynamic IP addresses

Hi @magnusborgen,

 

This type of setup is definitely possible on the EdgeRouter. Like @stshaw mentioned, the Zyxel device will respond to the IPsec negotiation request from the EdgeRouter behind NAT. There is no need to forward any ports from the modem to the EdgeRouter.

 

What does need to happen is setting the authentication ID on either the Zyxel or the EdgeRouter. We have an article on this topic here. I recommend using dynamic DNS hostnames instead of IP addresses in this scenario. This means that you will also need to set up a DynDNS service on the EdgeRouter. We have an article on this as well here.

 

Note that Policy-Based VPNs are only initiated when relevant traffic is sent over the link. In this case, that would be a ping from a device behind the ER to a device behind the Zyxel.

 

Hope that helps!

 

-Ben


Ben Pin - EdgeMAX Support

New Member
Posts: 11
Registered: ‎10-18-2018

Re: IPSec Site-to-Site VPN with dynamic IP addresses

Hi,

The IP address on the server side is connected to a subdomain, camera.supersecretadress.com.

 

I'll give the negotiation request a try, thanks :)

 

 

Regards,

Magnus

 

New Member
Posts: 11
Registered: ‎10-18-2018

Re: IPSec Site-to-Site VPN with dynamic IP addresses


Thanks for the help, but still no luck.

 

What I did now was:

reset unit
restart unit
log in, go through the wizard, where the following was changed: bridge LAN, keep existing users.
then I log in, go to VPN > IPsec site-to-site:
peer: camera.xxx.com
description: camera
local IP: any
enc: aes128
hash: sha2
dh: 2
pre-shared key: xxxxx
local subnet: 192.168.1.0/24
remote subnet: 10.10.10.0/24
apply

 

----

 

open cli

configure

 set vpn ipsec esp-group FOO0 pfs disable

 

THEN I am a bit unsure. But I have tried both..

Is the unit I am testing with ER-L or ER-R?

EDIT: I have NOT configured DynDNS. I wish to not use this if possible. And it should be possible, since I am using this setup without it.
What I just cannot understand is why this does not work "out of the box" with the settings I input. With the same settings it works perfectly straight away with the Zyxel USG50 unit that I tested with. There must be one setting somewhere I can't find.. //cry

Ubiquiti Employee
Posts: 2,296
Registered: ‎05-08-2017
Kudos: 416
Solutions: 343

Re: IPSec Site-to-Site VPN with dynamic IP addresses

If I am reading the Zyxel configuration correctly, there is an authentication ID set as well:

 

local-id type ip 0.0.0.0

 

If you can provide us the (sanitized) IPsec configuration (screenshot / cli) of both Zyxel devices, we can try matching the settings on the EdgeRouter.

 

The router that is behind NAT is ER-R. In your setup, the settings would be:

Peer: camera.xxx.com
Local IP: 0.0.0.0
Encryption: AES-128
Hash: SHA1
DH Group: 2
Pre-shared Secret: <secret>
Local subnet: 192.168.1.0/24
Remote subnet: 10.10.10.0/24
configure
set vpn ipsec esp-group FOO0 pfs disable
set vpn ipsec site-to-site peer camera.xxx.com authentication id <id>
commit ; save

 

-Ben


Ben Pin - EdgeMAX Support
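
An added example, not from the thread, Ubiquiti or Zyxel, that puts Ben's settings for the dynamic-address side (ER-R) into EdgeOS CLI form: NAT-T enabled, local address 0.0.0.0, the Zyxel's static hostname as the peer, the authentication ID, PFS disabled to match the Zyxel's `set pfs none`, and the DynDNS registration he recommends as an optional step. `camera.example.com`, `eth0`, `@site1`, `site1.dyndns.example.com`, the DDNS credentials, the PSK file path and the `FOO0` group names are placeholders; the `set` paths follow EdgeOS 1.9/1.10 syntax as I know it, so confirm each one with tab completion on your firmware. The proposals (AES-128 / SHA1 / DH group 2) are Ben's; the Zyxel export above shows `group1`, so check the DH group against what the Zyxel actually negotiates. Disabled PFS and the Zyxel's `no replay-detection` are only there to get the tunnel negotiating; once it is stable, enable both on both ends.

```shell
#!/bin/bash
# EdgeOS: dynamic-IP initiator side of a policy-based IPsec tunnel to a static Zyxel peer.
# Added example (not from the thread, Ubiquiti or Zyxel). Hostnames, interface, ID,
# DDNS credentials and the PSK file path are placeholders; 'set' paths follow
# EdgeOS 1.9/1.10 syntax as I know it, so confirm each one with tab completion.
set -eu

PEER="${PEER:-camera.example.com}"                  # placeholder: Zyxel's static hostname (or IP)
WAN_IF="${WAN_IF:-eth0}"                            # assumed EdgeRouter WAN interface
LOCAL_NET="${LOCAL_NET:-192.168.1.0/24}"            # LAN behind the EdgeRouter (from the thread)
REMOTE_NET="${REMOTE_NET:-10.10.10.0/24}"           # LAN behind the Zyxel (from the thread)
LOCAL_ID="${LOCAL_ID:-@site1}"                      # placeholder ID sent to the Zyxel (must match its peer-id setting)
DDNS_HOST="${DDNS_HOST:-site1.dyndns.example.com}"  # placeholder DynDNS name for this site
PSK_FILE="${PSK_FILE:-/config/auth/ipsec.psk}"      # secret lives in a root-only file, not in the script

# Configuration paths for the tunnel, one per line, without the leading 'set'.
# Proposals mirror Ben's list (AES-128 / SHA1 / DH 2) and the Zyxel export's
# 86400 s lifetimes; check the DH group against the Zyxel's own 'group' line.
ipsec_commands() {
  local psk="$1"
  cat <<EOF
vpn ipsec auto-firewall-nat-exclude enable
vpn ipsec nat-traversal enable
vpn ipsec ipsec-interfaces interface $WAN_IF
vpn ipsec ike-group FOO0 lifetime 86400
vpn ipsec ike-group FOO0 proposal 1 dh-group 2
vpn ipsec ike-group FOO0 proposal 1 encryption aes128
vpn ipsec ike-group FOO0 proposal 1 hash sha1
vpn ipsec ike-group FOO0 dead-peer-detection action restart
vpn ipsec ike-group FOO0 dead-peer-detection interval 30
vpn ipsec ike-group FOO0 dead-peer-detection timeout 120
vpn ipsec esp-group FOO0 lifetime 86400
vpn ipsec esp-group FOO0 pfs disable
vpn ipsec esp-group FOO0 proposal 1 encryption aes128
vpn ipsec esp-group FOO0 proposal 1 hash sha1
vpn ipsec site-to-site peer $PEER description camera-site
vpn ipsec site-to-site peer $PEER local-address 0.0.0.0
vpn ipsec site-to-site peer $PEER ike-group FOO0
vpn ipsec site-to-site peer $PEER authentication mode pre-shared-secret
vpn ipsec site-to-site peer $PEER authentication pre-shared-secret $psk
vpn ipsec site-to-site peer $PEER authentication id $LOCAL_ID
vpn ipsec site-to-site peer $PEER tunnel 1 esp-group FOO0
vpn ipsec site-to-site peer $PEER tunnel 1 local prefix $LOCAL_NET
vpn ipsec site-to-site peer $PEER tunnel 1 remote prefix $REMOTE_NET
EOF
}

# Optional: Ben's DynDNS recommendation, so the Zyxel can name this site instead of an IP.
ddns_commands() {
  cat <<EOF
service dns dynamic interface $WAN_IF service dyndns host-name $DDNS_HOST
service dns dynamic interface $WAN_IF service dyndns login ddns-user
service dns dynamic interface $WAN_IF service dyndns password ddns-password
EOF
}

# Everything to apply; DDNS only when WITH_DDNS=1.
emit_all() {
  ipsec_commands "$1"
  if [ "${WITH_DDNS:-0}" = 1 ]; then ddns_commands; fi
}

# Checks worth doing before a commit: the two prefixes must differ and the PSK must not be trivial.
check_inputs() {
  local psk="$1"
  [ "$LOCAL_NET" != "$REMOTE_NET" ] || { echo "local and remote subnets must differ" >&2; return 1; }
  [ "${#psk}" -ge 20 ] || { echo "pre-shared secret is shorter than 20 characters" >&2; return 1; }
}

# Apply through the EdgeOS configuration wrapper; anywhere else, print the commands (PSK redacted).
apply() {
  local cfg=/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper psk
  psk=$(cat "$PSK_FILE")
  check_inputs "$psk"
  if [ ! -x "$cfg" ]; then
    echo "# dry run: not an EdgeOS device" >&2
    emit_all "$psk" | sed -e 's/^/set /' -e 's/pre-shared-secret .*/pre-shared-secret <redacted>/'
    return 0
  fi
  "$cfg" begin
  # Each path is deliberately word-split: the wrapper wants one argument per token.
  # shellcheck disable=SC2086
  emit_all "$psk" | while read -r path; do "$cfg" set $path; done
  "$cfg" commit
  "$cfg" save
  "$cfg" end
}

# Usage on the EdgeRouter: sudo WITH_DDNS=1 ./edgeos-ipsec-initiator.sh apply
if [ "${1:-}" = "apply" ]; then apply; fi
```

Run it without arguments anywhere to see the generated `set` lines; on the router, `apply` commits and saves them in one transaction so a typo never leaves a half-configured peer.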

New Member
Posts: 11
Registered: ‎10-18-2018

Re: IPSec Site-to-Site VPN with dynamic IP addresses


My sysadmin wasn't very keen on using the auth ID.

 

But I was able to gain access to the other side, meaning I can access the logs. And right now no traffic/connection attempts show in the log, meaning the ER doesn't even try to contact the Zyxel..  If it did try, even with wrong settings, it would appear in the log.

I guess this also is related to why I don't get any info with the command "show vpn ipsec sa"..

 

suggestions?

 

 

Edit: Just to be clear, the Zyxel is set to accept all IPs regarding the auth ID.  Meaning limiting this will make the config more complex..

Ubiquiti Employee
Posts: 2,296
Registered: ‎05-08-2017
Kudos: 416
Solutions: 343

Re: IPSec Site-to-Site VPN with dynamic IP addresses


And right now no traffic\connection attempts show in the log: meaning the ER doesnt even try to contact the zyxel..  If it did try even with wrong settings it would appear in the log.


Are you sending relevant traffic over the link to establish the VPN? For example, a ping from a device behind the EdgeRouter to a device behind the Zyxel.

 

-Ben


Ben Pin - EdgeMAX Support

New Member
Posts: 11
Registered: ‎10-18-2018

Re: IPSec Site-to-Site VPN with dynamic IP addresses

good question.. short answer: no.

 

But the vpn should try to connect anyway? when the config is stored and ready, it will make a connection? or not?

 

Regards,

Magnus

 

New Member
Posts: 11
Registered: ‎10-18-2018

Re: IPSec Site-to-Site VPN with dynamic IP addresses


Jesus fuc** mother of all that is unholy!

 

The ER won't connect unless there is traffic trying to connect...

countless hrs.. OMG... I will now shoot myself..

 

 

 

Edit: kneeling for the almighty Ben!

Ubiquiti Employee
Posts: 2,296
Registered: ‎05-08-2017
Kudos: 416
Solutions: 343

Re: IPSec Site-to-Site VPN with dynamic IP addresses

Hah! Yes, the relevant traffic part is a big gotcha.

 

The same rules will apply when there is no more traffic going over the link, meaning that the VPN will time out. We can add a ping script to make sure that the VPN is always online and established. There is an example in the topic here. Another option is to simply set up a continuous ping between two hosts behind the routers.

 

-Ben


Ben Pin - EdgeMAX Support
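
An added example, not from the thread, Ubiquiti or the topic Ben links, of the ping-script approach: a keepalive run from the EdgeOS task scheduler that sends matching traffic every minute (so the policy-based tunnel is brought up and never idles out), counts consecutive misses so a single lost reply is not treated as a down tunnel, and resets the peer after three. The host 10.10.10.1 inside the Zyxel-side subnet, `camera.example.com`, the script path, the state file and the `reset vpn ipsec-peer` op-mode command are assumptions; confirm the last with tab completion.

```shell
#!/bin/bash
# Keep a policy-based IPsec tunnel on EdgeOS up by sending matching traffic on a schedule.
# Added example, not from the thread or Ubiquiti. Addresses, paths and the op-mode
# reset command are assumptions; verify 'reset vpn ipsec-peer' with tab completion.
# Schedule it from the EdgeOS CLI (paths assumed):
#   set system task-scheduler task vpn-keepalive interval 1m
#   set system task-scheduler task vpn-keepalive executable path /config/scripts/vpn-keepalive.sh
#   set system task-scheduler task vpn-keepalive executable arguments run
set -u

REMOTE_HOST="${REMOTE_HOST:-10.10.10.1}"           # assumed host inside the Zyxel-side 10.10.10.0/24
PEER="${PEER:-camera.example.com}"                 # placeholder peer name as configured on the EdgeRouter
STATE_FILE="${STATE_FILE:-/tmp/vpn-keepalive.failures}"
PING_CMD="${PING_CMD:-ping -c 3 -W 2}"             # overridable so the logic can be exercised without a tunnel
RESET_AFTER="${RESET_AFTER:-3}"                    # consecutive misses before the peer is reset

# Syslog when available (EdgeOS has logger); stderr otherwise.
log() { logger -t vpn-keepalive "$*" 2>/dev/null || echo "vpn-keepalive: $*" >&2; }

# Traffic that matches the tunnel policy; this is what makes the EdgeRouter negotiate.
probe() { $PING_CMD "$REMOTE_HOST" >/dev/null 2>&1; }

# Update the consecutive-failure counter and print the new value.
record_result() {   # $1: 0 if the remote host answered, non-zero otherwise
  local n=0
  [ -f "$STATE_FILE" ] && n=$(cat "$STATE_FILE")
  if [ "$1" -eq 0 ]; then n=0; else n=$((n + 1)); fi
  echo "$n" > "$STATE_FILE"
  echo "$n"
}

# One scheduler run: probe, count, and reset the peer only after repeated misses.
keepalive() {
  local rc=0 n
  if probe; then rc=0; else rc=1; fi
  n=$(record_result "$rc")
  if [ "$rc" -eq 0 ]; then
    log "$REMOTE_HOST reachable through tunnel to $PEER"
  elif [ "$n" -ge "$RESET_AFTER" ]; then
    log "$REMOTE_HOST unreachable $n times; resetting peer $PEER"
    /opt/vyatta/bin/vyatta-op-cmd-wrapper reset vpn ipsec-peer "$PEER" >/dev/null 2>&1 || true
    echo 0 > "$STATE_FILE"
  else
    log "$REMOTE_HOST unreachable ($n/$RESET_AFTER); tunnel may still be negotiating"
  fi
  return "$rc"
}

if [ "${1:-}" = "run" ]; then keepalive; fi
```

The first probe after a reboot or an idle period is expected to fail once while IKE negotiates, which is why the counter exists; watch `show log | match vpn-keepalive` (or `show vpn ipsec sa`) to see it settle.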

New Member
Posts: 11
Registered: ‎10-18-2018

Re: IPSec Site-to-Site VPN with dynamic IP addresses

As far as I have been able to read up on, I think that if I use IKEv2 there is a built-in stay-alive feature, so this will eliminate my problems. I will quite soon change the central VPN unit; it isn't quite as powerful as my IT guy said, so six or seven cameras at full quality make it scream for its mother :)

 

BTW, as promised to whoever fixes the issue (bet you that is a first..):

 

flower.jpg
