New Member
Posts: 4
Registered: 12-08-2017

Site to Site VPN between 2 EdgeRouters

Hello all,

I'm sure there must be something simple I'm missing, but I cannot see it.

I have two EdgeRouters with public IPs. They can ping each other just fine, and the IPsec SA shows established, but I cannot get any traffic to route over the tunnel.

Here's the relevant config for the remote site:

set firewall name test default-action accept
set firewall name test rule 10 action accept
set firewall name test rule 10 protocol all

set interfaces vti vti1 mtu 1350

set protocols static interface-route 10.0.0.0/8 next-hop-interface vti1
set protocols static interface-route 172.16.0.0/12 next-hop-interface vti1
set protocols static interface-route 192.168.0.0/16 next-hop-interface vti1

set vpn ipsec auto-firewall-nat-exclude disable

set vpn ipsec esp-group esp compression disable
set vpn ipsec esp-group esp lifetime 10800
set vpn ipsec esp-group esp mode tunnel
set vpn ipsec esp-group esp pfs enable
set vpn ipsec esp-group esp proposal 1 encryption aes256
set vpn ipsec esp-group esp proposal 1 hash sha1

set vpn ipsec ike-group ike ikev2-reauth no
set vpn ipsec ike-group ike key-exchange ikev2
set vpn ipsec ike-group ike lifetime 36000
set vpn ipsec ike-group ike proposal 1 dh-group 14
set vpn ipsec ike-group ike proposal 1 encryption aes256
set vpn ipsec ike-group ike proposal 1 hash sha1

set vpn ipsec site-to-site peer <MainOfficeRouter Public IP> authentication id <RemoteSite Public IP>
set vpn ipsec site-to-site peer <MainOfficeRouter Public IP> authentication mode pre-shared-secret
set vpn ipsec site-to-site peer <MainOfficeRouter Public IP> authentication pre-shared-secret <key>
set vpn ipsec site-to-site peer <MainOfficeRouter Public IP> connection-type initiate
set vpn ipsec site-to-site peer <MainOfficeRouter Public IP> description divovpn
set vpn ipsec site-to-site peer <MainOfficeRouter Public IP> ike-group ike
set vpn ipsec site-to-site peer <MainOfficeRouter Public IP> ikev2-reauth inherit
set vpn ipsec site-to-site peer <MainOfficeRouter Public IP> local-address <RemoteSite Public IP>
set vpn ipsec site-to-site peer <MainOfficeRouter Public IP> vti bind vti1
set vpn ipsec site-to-site peer <MainOfficeRouter Public IP> vti esp-group esp

The Main Office Router's config is the same, but the two public IPs are swapped, and the route is instead:

set protocols static interface-route <Remote Site Subnet> next-hop-interface vti1

I am not sure what I'm missing.


Accepted Solutions
New Member
Posts: 1
Registered: 04-30-2013
Solutions: 1

Re: Site to Site VPN between 2 EdgeRouters

Quick question, do your vti interfaces actually have IP addresses? (i.e. I'd expect that you'd use a /30 for them to talk to each other)


All Replies
New Member
Posts: 4
Registered: 12-08-2017

Re: Site to Site VPN between 2 EdgeRouters

Bah, I went back and looked at the documentation and noticed there was an IP address on the vti, but I did not put one on my config. Thank you!
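The mistake in this thread (a VTI that is bound to the IPsec peer and used as a route next-hop, but has no address) is easy to catch by linting the `set` dump before committing. The following is an added example, not code from the thread or from EdgeOS: it parses a constructed copy of the remote-site config (peer and local addresses replaced with documentation-range placeholders 203.0.113.10 and 198.51.100.20), reports every VTI that is referenced by a `vti bind` or `next-hop-interface` line without an `address`, and prints the `set interfaces vti ... address` line to add. The link network 10.255.255.0/30 is an assumed placeholder; the other side of the tunnel gets the second host of the same /30.

```python
import ipaddress
from typing import Dict, List

# Constructed sample: the remote-site config from the thread, trimmed to the
# lines that matter for the VTI check. Note there is no 'address' line for vti1.
SAMPLE_CONFIG = """
set interfaces vti vti1 mtu 1350
set protocols static interface-route 10.0.0.0/8 next-hop-interface vti1
set protocols static interface-route 172.16.0.0/12 next-hop-interface vti1
set protocols static interface-route 192.168.0.0/16 next-hop-interface vti1
set vpn ipsec site-to-site peer 203.0.113.10 local-address 198.51.100.20
set vpn ipsec site-to-site peer 203.0.113.10 vti bind vti1
set vpn ipsec site-to-site peer 203.0.113.10 vti esp-group esp
"""


def parse_set_lines(config: str) -> List[List[str]]:
    """Split an EdgeOS 'set ...' dump into token lists, dropping the leading 'set'."""
    rows = []
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("set "):
            rows.append(line.split()[1:])
    return rows


def check_vti_addresses(config: str) -> Dict[str, dict]:
    """Per VTI: its address (if any), the peers it is bound to, and the routes using it."""
    vtis: Dict[str, dict] = {}

    def entry(name: str) -> dict:
        return vtis.setdefault(name, {"address": None, "bound_to": [], "routes": []})

    for tok in parse_set_lines(config):
        # set interfaces vti vtiN address A.B.C.D/30   (or mtu N, description ...)
        if tok[:2] == ["interfaces", "vti"] and len(tok) >= 3:
            e = entry(tok[2])
            if len(tok) >= 5 and tok[3] == "address":
                e["address"] = tok[4]
        # set protocols static interface-route <net> next-hop-interface vtiN
        elif (tok[:3] == ["protocols", "static", "interface-route"]
              and len(tok) >= 6 and tok[4] == "next-hop-interface"):
            entry(tok[5])["routes"].append(tok[3])
        # set vpn ipsec site-to-site peer <peer> vti bind vtiN
        elif (tok[:4] == ["vpn", "ipsec", "site-to-site", "peer"]
              and len(tok) >= 8 and tok[5:7] == ["vti", "bind"]):
            entry(tok[7])["bound_to"].append(tok[4])
    return vtis


def find_missing_addresses(config: str) -> List[str]:
    """VTIs that carry a peer binding or a route but have no address configured."""
    report = check_vti_addresses(config)
    return sorted(name for name, e in report.items()
                  if (e["bound_to"] or e["routes"]) and e["address"] is None)


def suggest_fix(config: str, link_net: str = "10.255.255.0/30") -> List[str]:
    """'set' lines that would give each address-less VTI the first host of link_net.

    link_net is an assumed placeholder; the far router uses the second host
    of the same /30 so the two tunnel endpoints share one point-to-point net.
    """
    net = ipaddress.ip_network(link_net)
    local = list(net.hosts())[0]
    return [f"set interfaces vti {name} address {local}/{net.prefixlen}"
            for name in find_missing_addresses(config)]


if __name__ == "__main__":
    for name in find_missing_addresses(SAMPLE_CONFIG):
        print(f"{name}: bound/routed but has no address")
    for line in suggest_fix(SAMPLE_CONFIG):
        print("add:", line)
```

Running it against the sample flags `vti1` and prints `set interfaces vti vti1 address 10.255.255.1/30`; the main-office router would get `10.255.255.2/30` on its vti1. After committing on both sides, `show interfaces` should list the address on vti1, and only then will the static interface-routes actually forward traffic into the tunnel.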
