    EdgeRouter 4: IPSec, S2S vpn

    IT Discussion
    Tags: edgerouter, edgerouter 4, vpn, site-to-site
    • FATeknollogee

      For all you ER experts...
      Trying to replace one of my Meraki MX with an ER4.
      Also trying to configure a few S2S VPNs (with multiple subnets on both sides), ER4 <--> Meraki MX.

      So far not having good results.
      I was able to connect ER4 <--> USG Pro 4
      Any time I add a new peer, it takes down the existing connection, and the only way I can bring it back up is by issuing sudo ipsec up <connection_name>

      I'm sure some will correct my wrongful ways...I'll go sit in the corner & wait for you guys to respond!!

      • Dashrender

        can you post a sanitized config? I'm sure that will help @JaredBusch

        • FATeknollogee @Dashrender

          @Dashrender It's all new, so I deleted what I started with.
          I'm just using the GUI.

          • JaredBusch @FATeknollogee

            @FATeknollogee said in EdgeRouter 4: IPSec, S2S vpn:

            @Dashrender It's all new, so I deleted what I started with.
            I'm just using the GUI.

            EdgeOS VPN in the GUI sucks big donkey balls.

            • JaredBusch @Dashrender

              @Dashrender said in EdgeRouter 4: IPSec, S2S vpn:

              can you post a sanitized config? I'm sure that will help @JaredBusch

              I'm generally busy already this evening, but I can get a config later, or in the morning, from any number of routers using IPSEC.

              • FATeknollogee @JaredBusch

                @JaredBusch said in EdgeRouter 4: IPSec, S2S vpn:

                @FATeknollogee said in EdgeRouter 4: IPSec, S2S vpn:

                @Dashrender It's all new, so I deleted what I started with.
                I'm just using the GUI.

                EdgeOS VPN in the GUI sucks big donkey balls.

                ROFL :thumbs_up:

                • FATeknollogee @JaredBusch

                  @JaredBusch said in EdgeRouter 4: IPSec, S2S vpn:

                  @Dashrender said in EdgeRouter 4: IPSec, S2S vpn:

                  can you post a sanitized config? I'm sure that will help @JaredBusch

                  I'm generally busy already this evening, but I can get a config later, or in the morning, from any number of routers using IPSEC.

                  Much appreciated!

                  • FATeknollogee

                    @JaredBusch I also have multiple subnets on both sides of the VPN.

                    • gtech

                      Hi guys

                      I too am moving from Meraki to ER4. The Meraki MX60 works but it's underpowered, so my internet speeds and VPN suck. Is there any way to easily move configurations from Meraki to ER4?

                      • scottalanmiller @gtech

                        @gtech said in EdgeRouter 4: IPSec, S2S vpn:

                        Is there any way to easily move configurations from Meraki to ER4?

                        Nope 😞

                        • gtech @scottalanmiller

                          @scottalanmiller Yeah, I searched for a while and found nothing. What are your suggestions for VPN on the ER4? Should I have a VPN VLAN, or could I just drop it on my main network? Thanks

                          • JaredBusch @gtech

                            @gtech I'm on a call, but I will have a config for you in a bit.

                            • FATeknollogee

                              @JaredBusch Any good news?

                              • JaredBusch @FATeknollogee

                                @FATeknollogee said in EdgeRouter 4: IPSec, S2S vpn:

                                @JaredBusch Any good news?

                                These are the same on all routers.

                                # Set up the firewall to allow the traffic needed for IPSEC.
                                set firewall name WAN_LOCAL rule 50 action accept
                                set firewall name WAN_LOCAL rule 50 description 'Allow IKE'
                                set firewall name WAN_LOCAL rule 50 destination port 500
                                set firewall name WAN_LOCAL rule 50 log disable
                                set firewall name WAN_LOCAL rule 50 protocol udp
                                set firewall name WAN_LOCAL rule 60 action accept
                                set firewall name WAN_LOCAL rule 60 description 'Allow ESP'
                                set firewall name WAN_LOCAL rule 60 log disable
                                set firewall name WAN_LOCAL rule 60 protocol esp
                                set firewall name WAN_LOCAL rule 70 action accept
                                set firewall name WAN_LOCAL rule 70 description 'Allow NAT-T'
                                set firewall name WAN_LOCAL rule 70 destination port 4500
                                set firewall name WAN_LOCAL rule 70 log disable
                                set firewall name WAN_LOCAL rule 70 protocol udp
                                set firewall name WAN_LOCAL rule 80 action accept
                                set firewall name WAN_LOCAL rule 80 description 'Allow new IPSEC connections'
                                set firewall name WAN_LOCAL rule 80 ipsec match-ipsec
                                set firewall name WAN_LOCAL rule 80 log disable
                                set firewall name WAN_LOCAL rule 80 protocol all
                                set firewall name WAN_LOCAL rule 80 state established disable
                                set firewall name WAN_LOCAL rule 80 state invalid disable
                                set firewall name WAN_LOCAL rule 80 state new enable
                                set firewall name WAN_LOCAL rule 80 state related disable
                                
                                # Don't NAT IPSEC traffic.
                                set service nat rule 5000 description 'Exclude IPSEC from NAT'
                                set service nat rule 5000 destination group network-group IPSEC_Remote_Subnets
                                set service nat rule 5000 exclude
                                set service nat rule 5000 log disable
                                set service nat rule 5000 outbound-interface eth0
                                set service nat rule 5000 protocol all
                                set service nat rule 5000 type masquerade
                                
                                # Don't let the router make magic firewall exceptions
                                set vpn ipsec auto-firewall-nat-exclude disable
                                
                                # Set up the ESP and IKE groups you need. These have to match on all devices,
                                # so you will likely need to make something that matches the Meraki.
                                set vpn ipsec esp-group myesp compression disable
                                set vpn ipsec esp-group myesp lifetime 3600
                                set vpn ipsec esp-group myesp mode tunnel
                                set vpn ipsec esp-group myesp pfs enable
                                set vpn ipsec esp-group myesp proposal 1 encryption aes256
                                set vpn ipsec esp-group myesp proposal 1 hash sha1
                                set vpn ipsec ike-group myike ikev2-reauth no
                                set vpn ipsec ike-group myike key-exchange ikev1
                                set vpn ipsec ike-group myike lifetime 28800
                                set vpn ipsec ike-group myike proposal 1 dh-group 19
                                set vpn ipsec ike-group myike proposal 1 encryption aes256
                                set vpn ipsec ike-group myike proposal 1 hash sha1
                                
                                # Add the RSA keys
                                set vpn rsa-keys rsa-key-name brancha rsa-key >>>>>>snip big long keytext<<<<<<<
                                set vpn rsa-keys rsa-key-name hqoffice rsa-key >>>>>>snip big long keytext<<<<<<<
                                set vpn rsa-keys rsa-key-name branchb rsa-key >>>>>>snip big long keytext<<<<<<<
                                

                                This is only on the HQ side.

                                # Using RSA keys and not pre-shared key. If the remote end needs a PSK, the config is different.
                                
                                # Firewall group for remote subnets, used by the NAT exclude rule
                                set firewall group network-group IPSEC_Remote_Subnets description 'Remote IPSEC Networks'
                                set firewall group network-group IPSEC_Remote_Subnets network 10.202.30.0/24
                                set firewall group network-group IPSEC_Remote_Subnets network 10.202.32.0/24
                                set firewall group network-group IPSEC_Remote_Subnets network 10.254.103.0/24
                                
                                # Branch A has a static IP set to a FQDN.
                                # Initiate connection to Branch A if the tunnel is not up and traffic needs to move.
                                set vpn ipsec site-to-site peer brancha.domain.com authentication id @hqoffice
                                set vpn ipsec site-to-site peer brancha.domain.com authentication mode rsa
                                set vpn ipsec site-to-site peer brancha.domain.com authentication remote-id @brancha
                                set vpn ipsec site-to-site peer brancha.domain.com authentication rsa-key-name brancha
                                set vpn ipsec site-to-site peer brancha.domain.com connection-type initiate
                                set vpn ipsec site-to-site peer brancha.domain.com description 'HQ to Branch A'
                                set vpn ipsec site-to-site peer brancha.domain.com ike-group myike
                                set vpn ipsec site-to-site peer brancha.domain.com ikev2-reauth inherit
                                set vpn ipsec site-to-site peer brancha.domain.com local-address 123.123.123.123
                                # Branch A has two subnets that you want routed; each is its own tunnel
                                set vpn ipsec site-to-site peer brancha.domain.com tunnel 1 allow-nat-networks disable
                                set vpn ipsec site-to-site peer brancha.domain.com tunnel 1 allow-public-networks disable
                                set vpn ipsec site-to-site peer brancha.domain.com tunnel 1 esp-group myesp
                                set vpn ipsec site-to-site peer brancha.domain.com tunnel 1 local prefix 10.202.0.0/21
                                set vpn ipsec site-to-site peer brancha.domain.com tunnel 1 remote prefix 10.202.30.0/24
                                set vpn ipsec site-to-site peer brancha.domain.com tunnel 2 allow-nat-networks disable
                                set vpn ipsec site-to-site peer brancha.domain.com tunnel 2 allow-public-networks disable
                                set vpn ipsec site-to-site peer brancha.domain.com tunnel 2 esp-group myesp
                                set vpn ipsec site-to-site peer brancha.domain.com tunnel 2 local prefix 10.202.0.0/21
                                set vpn ipsec site-to-site peer brancha.domain.com tunnel 2 remote prefix 10.202.32.0/24
                                
                                # Branch B has a constantly changing IP, so only respond. Don't initiate.
                                # Also match the peer on the RSA key instead of an IP.
                                set vpn ipsec site-to-site peer @branchb authentication id @hqoffice
                                set vpn ipsec site-to-site peer @branchb authentication mode rsa
                                set vpn ipsec site-to-site peer @branchb authentication remote-id @branchb
                                set vpn ipsec site-to-site peer @branchb authentication rsa-key-name branchb
                                set vpn ipsec site-to-site peer @branchb connection-type respond
                                set vpn ipsec site-to-site peer @branchb description 'Branch B to HQ'
                                set vpn ipsec site-to-site peer @branchb ike-group myike
                                set vpn ipsec site-to-site peer @branchb ikev2-reauth inherit
                                set vpn ipsec site-to-site peer @branchb local-address 123.123.123.123
                                set vpn ipsec site-to-site peer @branchb tunnel 1 allow-nat-networks disable
                                set vpn ipsec site-to-site peer @branchb tunnel 1 allow-public-networks disable
                                set vpn ipsec site-to-site peer @branchb tunnel 1 esp-group myesp
                                set vpn ipsec site-to-site peer @branchb tunnel 1 local prefix 10.202.0.0/21
                                set vpn ipsec site-to-site peer @branchb tunnel 1 remote prefix 10.254.103.0/24
                                

                                This is only on the Branch A side.

                                # Firewall group for remote subnets, used by the NAT exclude rule
                                set firewall group network-group IPSEC_Remote_Subnets description 'Remote IPSEC Networks'
                                set firewall group network-group IPSEC_Remote_Subnets network 10.202.0.0/21
                                
                                # Initiate connection to HQ if the tunnel is not up and traffic needs to move.
                                set vpn ipsec site-to-site peer vpn.domain.com authentication id @brancha
                                set vpn ipsec site-to-site peer vpn.domain.com authentication mode rsa
                                set vpn ipsec site-to-site peer vpn.domain.com authentication remote-id @hqoffice
                                set vpn ipsec site-to-site peer vpn.domain.com authentication rsa-key-name hqoffice
                                set vpn ipsec site-to-site peer vpn.domain.com connection-type initiate
                                set vpn ipsec site-to-site peer vpn.domain.com description 'Branch A to HQ'
                                set vpn ipsec site-to-site peer vpn.domain.com ike-group myike
                                set vpn ipsec site-to-site peer vpn.domain.com ikev2-reauth inherit
                                set vpn ipsec site-to-site peer vpn.domain.com local-address 124.124.124.124
                                set vpn ipsec site-to-site peer vpn.domain.com tunnel 1 allow-nat-networks disable
                                set vpn ipsec site-to-site peer vpn.domain.com tunnel 1 allow-public-networks disable
                                set vpn ipsec site-to-site peer vpn.domain.com tunnel 1 esp-group myesp
                                set vpn ipsec site-to-site peer vpn.domain.com tunnel 1 local prefix 10.202.30.0/24
                                set vpn ipsec site-to-site peer vpn.domain.com tunnel 1 remote prefix 10.202.0.0/21
                                set vpn ipsec site-to-site peer vpn.domain.com tunnel 2 allow-nat-networks disable
                                set vpn ipsec site-to-site peer vpn.domain.com tunnel 2 allow-public-networks disable
                                set vpn ipsec site-to-site peer vpn.domain.com tunnel 2 esp-group myesp
                                set vpn ipsec site-to-site peer vpn.domain.com tunnel 2 local prefix 10.202.32.0/24
                                set vpn ipsec site-to-site peer vpn.domain.com tunnel 2 remote prefix 10.202.0.0/21
                                

                                This is only on the Branch B side.

                                # Firewall group for remote subnets, used by the NAT exclude rule
                                set firewall group network-group IPSEC_Remote_Subnets description 'Remote IPSEC Networks'
                                set firewall group network-group IPSEC_Remote_Subnets network 10.202.0.0/21
                                
                                # Initiate connection to HQ if the tunnel is not up and traffic needs to move.
                                set vpn ipsec site-to-site peer vpn.domain.com authentication id @branchb
                                set vpn ipsec site-to-site peer vpn.domain.com authentication mode rsa
                                set vpn ipsec site-to-site peer vpn.domain.com authentication remote-id @hqoffice
                                set vpn ipsec site-to-site peer vpn.domain.com authentication rsa-key-name hqoffice
                                set vpn ipsec site-to-site peer vpn.domain.com connection-type initiate
                                set vpn ipsec site-to-site peer vpn.domain.com description 'Branch B to HQ'
                                set vpn ipsec site-to-site peer vpn.domain.com ike-group myike
                                set vpn ipsec site-to-site peer vpn.domain.com ikev2-reauth inherit
                                set vpn ipsec site-to-site peer vpn.domain.com local-address any
                                set vpn ipsec site-to-site peer vpn.domain.com tunnel 1 allow-nat-networks disable
                                set vpn ipsec site-to-site peer vpn.domain.com tunnel 1 allow-public-networks disable
                                set vpn ipsec site-to-site peer vpn.domain.com tunnel 1 esp-group myesp
                                set vpn ipsec site-to-site peer vpn.domain.com tunnel 1 local prefix 10.254.103.0/24
                                set vpn ipsec site-to-site peer vpn.domain.com tunnel 1 remote prefix 10.202.0.0/21
                                
                                
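The HQ-side configuration above gives Branch A one tunnel entry per remote subnet, and the original poster has several subnets on both sides. The script below is an added example, not code from the thread or from Ubiquiti: given the local and remote prefixes for one peer it emits one EdgeOS tunnel entry per (local, remote) pair, adds the remote prefixes to the network-group the NAT exclude rule uses, and refuses overlapping or duplicate prefixes. The hostnames, addresses and key names in it are placeholders; the command syntax is the one used in the post.

```python
"""Generate EdgeOS site-to-site IPsec 'set' commands for a peer with several
subnets on each side, one tunnel per (local, remote) prefix pair.

Added example, not code from the thread or from Ubiquiti. Hostnames, addresses
and key names are placeholders (192.0.2.0/24 is a documentation range).
"""
import ipaddress
from itertools import product


def _check_prefixes(local, remote):
    """Reject overlapping local/remote prefixes (ambiguous traffic selectors)
    and duplicates (they would produce redundant SAs)."""
    nets_local = [ipaddress.ip_network(p, strict=True) for p in local]
    nets_remote = [ipaddress.ip_network(p, strict=True) for p in remote]
    for l, r in product(nets_local, nets_remote):
        if l.overlaps(r):
            raise ValueError(f"local {l} overlaps remote {r}")
    if len(set(nets_local)) != len(nets_local) or len(set(nets_remote)) != len(nets_remote):
        raise ValueError("duplicate prefix")
    return nets_local, nets_remote


def peer_config(peer, local_id, remote_id, local_address, local_prefixes,
                remote_prefixes, ike_group="myike", esp_group="myesp",
                connection_type="initiate", description="",
                nat_group="IPSEC_Remote_Subnets"):
    """Return the 'set ...' lines for one peer.

    EdgeOS needs one tunnel entry for every local/remote prefix pair, so two
    subnets on each side produce four tunnels (2 x 2)."""
    nets_local, nets_remote = _check_prefixes(local_prefixes, remote_prefixes)
    p = f"set vpn ipsec site-to-site peer {peer}"
    lines = [
        f"{p} authentication id @{local_id}",
        f"{p} authentication mode rsa",
        f"{p} authentication remote-id @{remote_id}",
        f"{p} authentication rsa-key-name {remote_id}",   # the far end's public key
        f"{p} connection-type {connection_type}",
        f"{p} description '{description or peer}'",
        f"{p} ike-group {ike_group}",
        f"{p} ikev2-reauth inherit",
        f"{p} local-address {local_address}",
    ]
    # Remote prefixes also go into the network-group used by the NAT exclude
    # rule; otherwise masquerade rewrites the source address before ESP sees it.
    for r in nets_remote:
        lines.append(f"set firewall group network-group {nat_group} network {r}")
    for n, (l, r) in enumerate(product(nets_local, nets_remote), start=1):
        t = f"{p} tunnel {n}"
        lines += [
            f"{t} allow-nat-networks disable",
            f"{t} allow-public-networks disable",
            f"{t} esp-group {esp_group}",
            f"{t} local prefix {l}",
            f"{t} remote prefix {r}",
        ]
    return lines


def tunnel_count(lines):
    """Number of tunnel entries in a generated block (one 'local prefix' each)."""
    return sum(1 for x in lines if " local prefix " in x)


if __name__ == "__main__":
    cfg = peer_config("brancha.example.net", "hqoffice", "brancha", "192.0.2.10",
                      ["10.202.0.0/21", "10.202.8.0/24"],
                      ["10.202.30.0/24", "10.202.32.0/24"],
                      description="HQ to Branch A")
    print("\n".join(cfg))
```

Paste the printed lines into configure mode and commit; the same function with the prefix lists swapped, the far end's identity and its own public address produces the matching branch-side block.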
                                • JaredBusch

                                  You generate the RSA key on each unit with this command.

                                  generate vpn rsa-key bits 4096
                                  

                                  It will output the >>>>>>snip big long keytext<<<<<<< that you need for each location.

                                  • gtech @JaredBusch

                                    @JaredBusch This is very detailed. I am going through it, thanks. I should have mentioned my needs: VPN for a few things, as needed. I will be setting up a few VLANs, namely default, phones, camera, guest, staff (internet only), IT, etc. I know the Meraki has a VLAN for VPN clients, so I'm wondering if I should have the same on the ER4?

                                    • scottalanmiller @gtech

                                      @gtech said in EdgeRouter 4: IPSec, S2S vpn:

                                      I know the meraki has a VLAN for VPN clients so wondering if I should have the same on the ER4?

                                      So the question is... is the VLAN useful to you? Having a VLAN for VPN clients is perfectly fine; it gives you a chance to limit access to the entire VPN-connected group of machines on a network level (basically makes three tiers... internet, VPN, and LAN). Do you have limits that you will set, or will you simply route the VLAN to the LAN, defeating its purpose?

                                      If you are just going to route, then the VLAN serves no purpose. If you are going to treat it like a DMZ and limit the access to only a few services on the LAN, then it can be very useful.

                                      • JaredBusch @gtech

                                        @gtech said in EdgeRouter 4: IPSec, S2S vpn:

                                        @JaredBusch This is very detailed. I am going through it, thanks. I should have mentioned my needs: VPN for a few things, as needed. I will be setting up a few VLANs, namely default, phones, camera, guest, staff (internet only), IT, etc. I know the Meraki has a VLAN for VPN clients, so I'm wondering if I should have the same on the ER4?

                                        That was for site to site connections.

                                        If you need roaming staff, then you want L2TP.

                                        set vpn l2tp remote-access authentication local-users username usera password PasswordUserA
                                        set vpn l2tp remote-access authentication local-users username userb password PasswordUserB
                                        set vpn l2tp remote-access authentication local-users username userc password 'PasswordU$erC'
                                        set vpn l2tp remote-access authentication mode local
                                        set vpn l2tp remote-access authentication require mschap-v2
                                        set vpn l2tp remote-access client-ip-pool start 10.254.203.2
                                        set vpn l2tp remote-access client-ip-pool stop 10.254.203.10
                                        set vpn l2tp remote-access dhcp-interface eth0
                                        set vpn l2tp remote-access dns-servers server-1 8.8.8.8
                                        set vpn l2tp remote-access dns-servers server-2 8.8.4.4
                                        set vpn l2tp remote-access idle 1800
                                        set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
                                        set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret SomeLongPSKGoesHere
                                        set vpn l2tp remote-access ipsec-settings ike-lifetime 3600
                                        set vpn l2tp remote-access ipsec-settings lifetime 3600
                                        set vpn l2tp remote-access mtu 1492
                                        
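Before committing either the site-to-site or the L2TP configuration from this thread, a reviewer would want to look at the phase 1 and phase 2 proposals and at the secrets that end up in config.boot. The auditor below is an added example, not code from the thread or from Ubiquiti. It parses EdgeOS `set` lines and flags SHA-1 or MD5 proposals, IKEv1, weak MODP groups, disabled PFS, a short L2TP pre-shared secret, clear-text L2TP user passwords, and an ike-group without dead-peer-detection (EdgeOS syntax `set vpn ipsec ike-group NAME dead-peer-detection action restart`, which makes a dropped tunnel re-initiate instead of needing a manual `ipsec up`). The sample input is the ike-group, esp-group and L2TP lines posted above with their placeholder secrets, embedded here as constructed test data; the thresholds are the author's choices, not EdgeOS defaults.

```python
"""Audit EdgeOS IPsec/L2TP 'set' commands for settings worth fixing before
the router faces the internet. Added example, not code from this thread or
from Ubiquiti. SAMPLE_CONFIG is constructed test data: the ike-group,
esp-group and L2TP lines posted in the thread, placeholder secrets included."""

SAMPLE_CONFIG = """\
set vpn ipsec esp-group myesp pfs enable
set vpn ipsec esp-group myesp proposal 1 encryption aes256
set vpn ipsec esp-group myesp proposal 1 hash sha1
set vpn ipsec ike-group myike key-exchange ikev1
set vpn ipsec ike-group myike lifetime 28800
set vpn ipsec ike-group myike proposal 1 dh-group 19
set vpn ipsec ike-group myike proposal 1 encryption aes256
set vpn ipsec ike-group myike proposal 1 hash sha1
set vpn l2tp remote-access authentication local-users username usera password PasswordUserA
set vpn l2tp remote-access authentication require mschap-v2
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret SomeLongPSKGoesHere
"""

WEAK_DH = {"1", "2", "5"}        # MODP 768/1024/1536; 14+ or an ECP group instead
WEAK_HASH = {"md5", "sha1"}
WEAK_CIPHER = {"des", "3des"}
MIN_PSK_LEN = 20                 # author's threshold, not an EdgeOS limit


def parse_set_lines(text):
    """Yield the token list after 'set' for each 'set ...' line; comments and blanks skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("set "):
            yield line.split()[1:]


def audit(text):
    """Return (path, problem) pairs; path is the 'set' line without the 'set' keyword."""
    findings = []
    ike_groups, dpd_groups = set(), set()
    for tok in parse_set_lines(text):
        path = " ".join(tok)
        if tok[:2] == ["vpn", "ipsec"] and len(tok) >= 6 and tok[2] in ("ike-group", "esp-group"):
            kind, name, rest = tok[2], tok[3], tok[4:]
            if kind == "ike-group":
                ike_groups.add(name)
                if rest[0] == "dead-peer-detection":
                    dpd_groups.add(name)
            if rest[0] == "proposal" and len(rest) == 4:
                # 'proposal N <key> <value>' for both phase 1 and phase 2
                key, val = rest[2], rest[3]
                if key == "hash" and val in WEAK_HASH:
                    findings.append((path, f"{val} integrity; use sha256 or stronger"))
                elif key == "encryption" and val in WEAK_CIPHER:
                    findings.append((path, f"{val} is obsolete; use aes256"))
                elif key == "dh-group" and val in WEAK_DH:
                    findings.append((path, f"dh-group {val} is too small; use 14 or an ECP group"))
            elif rest == ["key-exchange", "ikev1"]:
                findings.append((path, "IKEv1; use ikev2 where the far end supports it"))
            elif rest == ["pfs", "disable"]:
                findings.append((path, "PFS disabled; enable it so one leaked key exposes one SA"))
        elif tok[:2] == ["vpn", "l2tp"]:
            if tok[-2] == "pre-shared-secret" and len(tok[-1]) < MIN_PSK_LEN:
                findings.append((path, f"L2TP PSK shorter than {MIN_PSK_LEN} chars; "
                                       "every client shares it, make it long and random"))
            elif "local-users" in tok and tok[-2] == "password":
                findings.append((path, "user password stored in clear text in config.boot; "
                                       "protect config backups"))
    for name in sorted(ike_groups - dpd_groups):
        findings.append((f"vpn ipsec ike-group {name}",
                         "no dead-peer-detection; add 'dead-peer-detection action restart' "
                         "so a dropped tunnel re-initiates"))
    return findings


if __name__ == "__main__":
    for path, problem in audit(SAMPLE_CONFIG):
        print(f"{problem}\n    set {path}")
```

Run it against the output of `show configuration commands` from the router; any proposal it flags has to be changed on both ends at once, since the thread's groups must match on every peer.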
                                            • gtech @scottalanmiller

                                            @scottalanmiller good point
