New Member
Posts: 4
Registered: 06-28-2017
Accepted Solution

Site-to-Site VPN

Hi everyone,

I am hoping someone here can help with our VPN setup.

We have an EdgeMax Router at our main office and want to set up a VPN for a remote user. This user will have their own modem/router provided by their ISP. We want to give them an Edge Router Lite that they would hook into their network. Any devices that are plugged into the Edge Router we would like to route through the VPN.

I have an example network diagram below. The goal is for Work Computer 2 to be able to talk to Work Computer 2.

[Image: Screen Shot 2017-06-28 at 10.09.09 AM.png]

We set up the correct IPs and the shared secret but haven't had any luck getting the VPN to initialize. Any thoughts?


All Replies
Senior Member
Posts: 2,744
Registered: 04-21-2015
Kudos: 406
Solutions: 108

Re: Site-to-Site VPN

Please post the "show configuration commands" output here (preferably from both sites). Without the logs and config files we will not be able to help you.
Thanks,
Myky
CWNA
--------------------------------------------------------------------------------------------------------------------------------------------------
Don't blame the device as it's always doing what you have asked it to do; this is not always the same as what you want.
New Member
Posts: 4
Registered: 06-28-2017

Re: Site-to-Site VPN

Here is the vpn section of both configs. I can post the whole config if that is more helpful.

** Main **

vpn {
    ipsec {
        auto-firewall-nat-exclude enable
        esp-group FOO0 {
            proposal 1 {
                encryption aes128
                hash sha1
            }
        }
        ike-group FOO0 {
            proposal 1 {
                dh-group 14
                encryption aes128
                hash sha1
            }
        }
        site-to-site {
            peer 77.77.77.77 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                connection-type initiate
                description "Roku Office"
                ike-group FOO0
                local-address any
                tunnel 1 {
                    esp-group FOO0
                    local {
                        prefix 10.1.1.0/24
                    }
                    remote {
                        prefix 10.1.2.0/24
                    }
                }
            }
        }
    }
}

** Remote **

vpn {
    ipsec {
        auto-firewall-nat-exclude enable
        esp-group FOO0 {
            compression disable
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes128
                hash sha1
            }
        }
        ike-group FOO0 {
            ikev2-reauth no
            key-exchange ikev1
            lifetime 28800
            proposal 1 {
                dh-group 14
                encryption aes128
                hash sha1
            }
        }
        site-to-site {
            peer 66.66.66.66 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                connection-type initiate
                description "Roku Office"
                ike-group FOO0
                ikev2-reauth inherit
                local-address any
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group FOO0
                    local {
                        prefix 10.1.2.0/24
                    }
                    remote {
                        prefix 10.1.1.0/24
                    }
                }
            }
        }
    }
}
Senior Member
Posts: 2,744
Registered: 04-21-2015
Kudos: 406
Solutions: 108

Re: Site-to-Site VPN

Router from the right side seems to be behind NAT? If so, you have to use the NAT-T option on both sides. I also don't see any interface associated with IPsec.
Thanks,
Myky
CWNA
--------------------------------------------------------------------------------------------------------------------------------------------------
Don't blame the device as it's always doing what you have asked it to do; this is not always the same as what you want.
New Member
Posts: 4
Registered: 06-28-2017

Re: Site-to-Site VPN

Gotcha, that makes sense.

I found this article.

https://help.ubnt.com/hc/en-us/articles/216771078-EdgeRouter-IPSec-VPN-CLI-Commands

I should be trying to follow the section labeled IPSec with NAT-T, right?

Ubiquiti Employee
Posts: 3,064
Registered: 05-08-2017
Kudos: 546
Solutions: 430
Accepted Solution

Re: Site-to-Site VPN

Apologies, but that article needs to be updated to reflect the latest firmware. The following commands are deprecated and no longer needed, which is why they are not added when you create a VPN via the GUI:

  ipsec-interfaces Interface to use for VPN (DEPRECATED)
  nat-networks  Network Address Translation (NAT) networks (DEPRECATED)
  nat-traversal Network Address Translation (NAT) traversal (DEPRECATED)

I talk about this too in this topic:

https://community.ubnt.com/t5/EdgeMAX/Edgemax-L2TP-Server-Setup-For-Client-Use/m-p/1969445#M165356

Looking at your setup, I believe the issue is caused by NAT.

I am assuming the left site has a static IP address in place?

vpn {
    ipsec {
        site-to-site {
            peer 77.77.77.77 {
                local-address any
            }
        }
    }
}

In that case you can set the local-address to be the WAN static IP address. We recommend using local-address 0.0.0.0 over local-address any if the device should respond on multiple interfaces (or you are using PPPoE). You can change this on the right site as well.

If the right site is behind NAT, you can configure the peer address to 0.0.0.0 on the left site. The left router will not initiate any tunnels (because the router doesn't know who the peer is), but will respond to any requests. In your case I think the left router is trying to peer with the modem, and not the EdgeRouter.

You can verify the arrival of IPsec traffic with:

sudo tcpdump -i ethx -n udp dst port 500 or port 4500

And view the logs with:

show vpn log | no-more

Please attach this output if you are still experiencing issues.

Ben

Ben Pin | Ubiquiti Support
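The two posted vpn sections and the reply above describe one failure mode: both routers are set to initiate, both bind to `local-address any`, and the static-IP site names the NAT'd site by the public address that actually belongs to the ISP modem. The following script is an added example written for this thread, not Ubiquiti code or anything from EdgeOS itself. It parses brace-style config text in the form the original poster pasted and runs the checklist from the reply over a pair of configs: `local-address any` on either side, the static side lacking `peer 0.0.0.0`, and tunnel prefixes that do not mirror. The sample configs are constructed from the thread with the pre-shared secret replaced by a placeholder; that `66.66.66.66` is the main site's WAN address is inferred from the remote config, and the requirement that a `peer 0.0.0.0` entry carry `connection-type respond` (it has no address to initiate to) is an assumption about EdgeOS behaviour, not something the reply states in those words.

```python
"""Consistency check for a pair of EdgeOS site-to-site IPsec peer configs.

Added example, not Ubiquiti code. Sample configs are constructed from the
thread with the pre-shared secret replaced by a placeholder. The rule that
`peer 0.0.0.0` must use `connection-type respond` is an assumption.
"""
import shlex

MAIN_SITE = """
vpn {
  ipsec {
    site-to-site {
      peer 77.77.77.77 {
        authentication {
          mode pre-shared-secret
          pre-shared-secret PLACEHOLDER_PSK
        }
        connection-type initiate
        description "Roku Office"
        local-address any
        tunnel 1 {
          local {
            prefix 10.1.1.0/24
          }
          remote {
            prefix 10.1.2.0/24
          }
        }
      }
    }
  }
}
"""
# Remote site (constructed): mirror image, naming the main site's WAN IP.
REMOTE_SITE = (MAIN_SITE.replace("77.77.77.77", "66.66.66.66")
               .replace("10.1.1.0/24", "@@").replace("10.1.2.0/24", "10.1.1.0/24")
               .replace("@@", "10.1.2.0/24"))
# The same pair after the reply's advice: static site binds to its WAN IP,
# accepts any peer and only responds; NAT'd site binds to 0.0.0.0, not any.
FIXED_MAIN = (MAIN_SITE.replace("peer 77.77.77.77", "peer 0.0.0.0")
              .replace("local-address any", "local-address 66.66.66.66")
              .replace("connection-type initiate", "connection-type respond"))
FIXED_REMOTE = REMOTE_SITE.replace("local-address any", "local-address 0.0.0.0")

def parse_config(text):
    """Brace-style config -> nested dicts. `peer 77.77.77.77 {` becomes the
    key 'peer 77.77.77.77'; `local-address any` becomes {'local-address': 'any'}."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{"):
            block = {}
            stack[-1][line[:-1].strip()] = block
            stack.append(block)
        elif line == "}":
            stack.pop()
        else:
            parts = shlex.split(line)  # handles quoted values like "Roku Office"
            stack[-1][parts[0]] = " ".join(parts[1:]) or None
    if len(stack) != 1:
        raise ValueError("unbalanced braces in config")
    return root

def site_to_site_peers(cfg):
    """Return {peer_address: peer_block} from a parsed config."""
    s2s = cfg["vpn"]["ipsec"]["site-to-site"]
    return {k.split(" ", 1)[1]: v for k, v in s2s.items() if k.startswith("peer ")}

def tunnels(peer):
    """Yield (local_prefix, remote_prefix) for every tunnel under a peer."""
    for key, block in peer.items():
        if key.startswith("tunnel "):
            yield block["local"]["prefix"], block["remote"]["prefix"]

def check_pair(static_text, natted_text, static_wan_ip):
    """Check the static-IP site against the site behind NAT. Returns the list
    of findings; empty means nothing on the reply's checklist applies."""
    findings = []
    static = site_to_site_peers(parse_config(static_text))
    natted = site_to_site_peers(parse_config(natted_text))
    for addr, peer in list(static.items()) + list(natted.items()):
        if peer.get("local-address") == "any":
            findings.append(f"peer {addr}: local-address any; use the WAN IP or 0.0.0.0")
    if static_wan_ip not in natted:
        findings.append(f"NAT side does not peer with the static WAN IP {static_wan_ip}")
    if "0.0.0.0" not in static:
        findings.append("static side names the NAT'd site by public IP, so it will try "
                        "to peer with the ISP modem; use peer 0.0.0.0 and respond only")
    elif static["0.0.0.0"].get("connection-type") != "respond":
        findings.append("peer 0.0.0.0 has no address to initiate to; set connection-type respond")
    # Each side's local prefix must be the other side's remote prefix.
    static_pairs = {t for p in static.values() for t in tunnels(p)}
    natted_pairs = {(r, l) for p in natted.values() for (l, r) in tunnels(p)}
    if static_pairs != natted_pairs:
        findings.append(f"tunnel prefixes do not mirror: {static_pairs} vs {natted_pairs}")
    return findings
```

Running `check_pair(MAIN_SITE, REMOTE_SITE, "66.66.66.66")` on the configs as posted reports three findings (both `local-address any` entries and the missing `peer 0.0.0.0` on the static side); `check_pair(FIXED_MAIN, FIXED_REMOTE, "66.66.66.66")` returns an empty list. The parser is deliberately loose so that the output of `show configuration` can be pasted in unchanged; it does not validate EdgeOS keys, it only gives the checks something to walk.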

Senior Member
Posts: 2,744
Registered: 04-21-2015
Kudos: 406
Solutions: 108

Re: Site-to-Site VPN

Good to know! I think configuration of VPN becomes easier and easier ))
Thanks,
Myky
CWNA
--------------------------------------------------------------------------------------------------------------------------------------------------
Don't blame the device as it's always doing what you have asked it to do; this is not always the same as what you want.
New Member
Posts: 4
Registered: 06-28-2017

Re: Site-to-Site VPN

Thanks Ben!

I'll give that a try a little later and report back.