I recently moved and now have servers in two locations across the country (NY and AR)! Both networks’ edge routers are the EdgeRouter Lite (see what I did there) made by Ubiquiti. These routers run EdgeOS, a modified version of Vyatta with a web GUI. Most Vyatta CLI commands work unchanged on EdgeOS, but there are a few places where the syntax differs.
I set up a site-to-site IPsec VPN between the two routers, plus L2TP/IPsec with pre-shared-key (PSK) authentication on one of the EdgeRouters. This is how I set up the site-to-site tunnel.
First and foremost, to avoid writing firewall and NAT rules by hand for the tunnel traffic, let’s enable auto-firewall-nat-exclude. This makes EdgeOS automatically add the firewall rules that allow IKE (UDP/500), NAT-T (UDP/4500) and ESP to reach the router, and exclude traffic for the remote prefixes from source NAT so it goes through the tunnel instead of being masqueraded out the WAN:
Set the IPsec auto-update interval to 1 minute (the value is given in seconds, so 60):
Configure the ESP group, which defines the phase 2 (child SA) parameters: cipher, hash, PFS and lifetime. Note that “ESP-1W” is an arbitrarily chosen name:
Configure the IKE group, which defines the phase 1 parameters: IKE version, cipher, hash, DH group and lifetime. Again, “IKE-1W” is arbitrarily chosen:
Let’s configure dead peer detection on the IKE group. This lets the router detect that the IKE peer has gone away (for example after an outage on the far side) and, with the action set to restart, tear down the stale SA and re-establish the connection:
Set the IPsec interface, i.e. the interface the IKE daemon listens on (typically the WAN interface):
Enable NAT traversal. This lets the IPsec traffic pass through any NAT between the two sites by encapsulating ESP in UDP/4500 when a NAT is detected:
Set up the site-to-site peer with a pre-shared secret. Use a long, randomly generated secret and don’t reuse it for the L2TP/IPsec remote-access PSK; keep in mind that it is stored in the configuration in clear text:
One side needs to initiate the connection and the other side needs to respond. We’ll set this side to initiate; just make sure to set the other side to respond:
Attach the IKE group to the peer, set the IKEv2 reauthentication behaviour, and set the local-address, which is the WAN address this end sources its IKE traffic from:
Finally, set up the tunnel: the ESP group to use and the local and remote prefixes whose traffic should be encrypted:
You can add more than one tunnel if you have more local or remote prefixes.
This needs to be done on both sides, swapping the peer address, local-address, connection-type and the local/remote prefixes depending on which side you’re on.
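Putting the steps above together, here is the complete command set for one side, written as an added example rather than copied from the original command listings. The interface eth0, the WAN addresses 198.51.100.2 (NY) and 203.0.113.2 (AR), the LAN prefixes 10.0.1.0/24 and 10.0.2.0/24, the placeholder secret and the cipher choices are all assumptions; check that the proposals you pick are offered on your EdgeOS version.

```text
# Added example: site-to-site IPsec (IKEv2, PSK) on the NY EdgeRouter Lite.
# Assumed values (replace with your own):
#   eth0            WAN interface of this router
#   198.51.100.2    this router's WAN address (NY)
#   203.0.113.2     remote router's WAN address (AR)
#   10.0.1.0/24     NY LAN, 10.0.2.0/24 AR LAN
configure

# Let EdgeOS add the firewall rules for IKE/NAT-T/ESP and exclude tunnel
# traffic from source NAT, so it is not masqueraded out the WAN instead
set vpn ipsec auto-firewall-nat-exclude enable
set vpn ipsec auto-update 60

# Phase 2 (ESP / child SA): AES-256, SHA-256, PFS with DH group 14, 1h lifetime
set vpn ipsec esp-group ESP-1W mode tunnel
set vpn ipsec esp-group ESP-1W compression disable
set vpn ipsec esp-group ESP-1W pfs dh-group14
set vpn ipsec esp-group ESP-1W lifetime 3600
set vpn ipsec esp-group ESP-1W proposal 1 encryption aes256
set vpn ipsec esp-group ESP-1W proposal 1 hash sha256

# Phase 1 (IKE): IKEv2, AES-256, SHA-256, DH group 14 (2048-bit MODP), 8h lifetime
set vpn ipsec ike-group IKE-1W key-exchange ikev2
set vpn ipsec ike-group IKE-1W lifetime 28800
set vpn ipsec ike-group IKE-1W proposal 1 encryption aes256
set vpn ipsec ike-group IKE-1W proposal 1 hash sha256
set vpn ipsec ike-group IKE-1W proposal 1 dh-group 14

# Dead peer detection: probe every 30 s, declare the peer dead after 120 s
# without a reply, then restart the connection
set vpn ipsec ike-group IKE-1W dead-peer-detection action restart
set vpn ipsec ike-group IKE-1W dead-peer-detection interval 30
set vpn ipsec ike-group IKE-1W dead-peer-detection timeout 120

# Listen for IKE on the WAN interface and allow UDP/4500 encapsulation
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec nat-traversal enable

# The peer is keyed by its WAN address. Use a long random secret (e.g. the
# output of `openssl rand -base64 32`); it is stored in the config in clear text.
set vpn ipsec site-to-site peer 203.0.113.2 description "NY to AR"
set vpn ipsec site-to-site peer 203.0.113.2 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 203.0.113.2 authentication pre-shared-secret REPLACE_WITH_LONG_RANDOM_SECRET
set vpn ipsec site-to-site peer 203.0.113.2 connection-type initiate
set vpn ipsec site-to-site peer 203.0.113.2 ike-group IKE-1W
set vpn ipsec site-to-site peer 203.0.113.2 ikev2-reauth inherit
set vpn ipsec site-to-site peer 203.0.113.2 local-address 198.51.100.2

# Tunnel 1: encrypt traffic between the NY LAN and the AR LAN.
# Add tunnel 2, 3, ... for further local/remote prefix pairs.
set vpn ipsec site-to-site peer 203.0.113.2 tunnel 1 esp-group ESP-1W
set vpn ipsec site-to-site peer 203.0.113.2 tunnel 1 local prefix 10.0.1.0/24
set vpn ipsec site-to-site peer 203.0.113.2 tunnel 1 remote prefix 10.0.2.0/24

commit
save
exit

# On the AR router the same commands are used with the sides swapped:
#   peer 198.51.100.2, local-address 203.0.113.2, connection-type respond,
#   tunnel 1 local prefix 10.0.2.0/24, remote prefix 10.0.1.0/24.
# The proposals, DPD settings and secret must match on both ends, otherwise
# IKE negotiation fails (typically with NO_PROPOSAL_CHOSEN in the log).
```

Lines starting with # are commentary and can be pasted into configure mode harmlessly. After commit, run show vpn ipsec sa on either side; a tunnel that stays down is almost always a proposal mismatch, a wrong local-address, or a secret that differs between the two routers.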
For debugging purposes, log in to the EdgeRouter Lite via SSH and run sudo swanctl --log to follow the IKE daemon (strongSwan) log, or show vpn log to print the VPN logs and any errors. A few other commands you can use to check the status of the VPN are:
show vpn ipsec sa
show vpn ipsec state
show vpn ipsec status
show vpn ipsec policy
I’ll add another post for L2TP set up.