
EdgeRouter IPSec site-to-site w/VTI

Tunnel Setup

Router 1

  1. Set up Firewall - Allow IKE
# IKE negotiates on UDP/500; if either end sits behind NAT, IKE also uses UDP/4500 (NAT-T)
edit firewall name WAN_Local rule 5
set action accept
set description IKE
set destination port 500
set log disable
set protocol udp
set state established enable
set state invalid disable
set state new enable
set state related disable
# return to the top level before the next edit
top
  2. Set up Firewall - Allow ESP
edit firewall name WAN_Local rule 6
set action accept
set description ESP
# ESP carries no port number, so no destination port is set
set destination
set log disable
set protocol esp
set state established enable
set state invalid disable
set state new enable
set state related disable
top
  3. Set up the vti0 interface.
edit interfaces vti vti0
set address 10.10.10.1/30
set description 'IPsec Tunnel to <Location>'
set mtu 1436

# Optional OSPF (still inside the vti0 edit context)
set ip ospf dead-interval 40
set ip ospf hello-interval 10
set ip ospf network point-to-point
set ip ospf priority 1
set ip ospf retransmit-interval 5
set ip ospf transmit-delay 1
top
  4. IPSec Configuration
# ESP
edit vpn ipsec esp-group VPN
set lifetime 3600
set mode tunnel
set pfs enable
set proposal 1 encryption aes256
set proposal 1 hash sha256
top

# IKE
edit vpn ipsec ike-group VPN
set dead-peer-detection action restart
set dead-peer-detection interval 15
set dead-peer-detection timeout 60
set ikev2-reauth no
set key-exchange ikev2
set lifetime 28800
set proposal 1 dh-group 20
set proposal 1 encryption aes256
set proposal 1 hash sha384
top

# Other (full paths, so run these from the top level)
set vpn ipsec auto-update 30
set vpn ipsec auto-firewall-nat-exclude enable
  5. IPSec Peer Setup
edit vpn ipsec site-to-site peer <Router 2 WAN IP>
set authentication mode pre-shared-secret
set authentication pre-shared-secret <secret>
set connection-type respond
set description 'Tunnel to <Location>'
set ike-group VPN
set ikev2-reauth inherit
set local-address <Router 1 WAN IP>
set vti bind vti0
set vti esp-group VPN
top
  6. Other
    • Make sure IPsec offload is enabled:
set system offload ipsec enable
    • Exclude vti0 from the passive OSPF interfaces (if applicable):
set protocols ospf passive-interface-exclude vti0

Router 2

Repeat steps 1-4 above but change the vti0 interface IP to 10.10.10.2/30.

Use this for peer setup:

edit vpn ipsec site-to-site peer <Router 1 WAN IP>
set authentication mode pre-shared-secret
set authentication pre-shared-secret <secret>
set connection-type initiate
set description 'Tunnel to <Location>'
set ike-group VPN
set ikev2-reauth inherit
set local-address <Router 2 WAN IP>
set vti bind vti0
set vti esp-group VPN
top
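Because Router 2 is a mirror of Router 1 with a handful of fields swapped (peer IP, local-address, connection-type, vti0 address), the easiest way to avoid a tunnel that never comes up is to generate both command lists from one set of parameters and cross-check them. The script below is an added example, not part of the original page: it emits the EdgeOS commands from steps 1-5 above for each router and then replays them to verify that the pre-shared secret and the ESP/IKE proposals match, that peer and local-address cross-reference, that exactly one side initiates, and that the two vti0 addresses are distinct hosts in the same /30. The WAN addresses (RFC 5737 documentation ranges), the PSK, the site names and all function names are assumptions made for the example.

```python
"""Generate both sides of an EdgeRouter IPsec/VTI site-to-site tunnel as EdgeOS
command lists (same layout as the steps on this page) and cross-check them."""
import ipaddress
import re

# Constructed sample values: RFC 5737 documentation addresses, a dummy PSK and
# made-up site names. Replace with real values before use.
ROUTER1 = {"wan_ip": "198.51.100.10", "vti_addr": "10.10.10.1/30",
           "role": "respond", "location": "Site A"}
ROUTER2 = {"wan_ip": "203.0.113.20", "vti_addr": "10.10.10.2/30",
           "role": "initiate", "location": "Site B"}
SECRET = "EXAMPLE-PSK-REPLACE-ME"


def firewall_cmds():
    """Steps 1-2: WAN_Local rules allowing IKE (UDP/500) and ESP in."""
    rules = [("5", "IKE", ["set destination port 500", "set protocol udp"]),
             ("6", "ESP", ["set protocol esp"])]
    out = []
    for num, desc, extra in rules:
        out += [f"edit firewall name WAN_Local rule {num}", "set action accept",
                f"set description {desc}", "set log disable", *extra,
                "set state established enable", "set state invalid disable",
                "set state new enable", "set state related disable", "top"]
    return out


def vti_cmds(vti_addr, remote_location):
    """Step 3: the vti0 interface; only the address differs between routers."""
    return ["edit interfaces vti vti0", f"set address {vti_addr}",
            f"set description 'IPsec Tunnel to {remote_location}'", "set mtu 1436", "top"]


def group_cmds():
    """Step 4: ESP and IKE groups; both routers must use identical proposals."""
    return ["edit vpn ipsec esp-group VPN", "set lifetime 3600", "set mode tunnel",
            "set pfs enable", "set proposal 1 encryption aes256",
            "set proposal 1 hash sha256", "top",
            "edit vpn ipsec ike-group VPN", "set dead-peer-detection action restart",
            "set dead-peer-detection interval 15", "set dead-peer-detection timeout 60",
            "set ikev2-reauth no", "set key-exchange ikev2", "set lifetime 28800",
            "set proposal 1 dh-group 20", "set proposal 1 encryption aes256",
            "set proposal 1 hash sha384", "top",
            "set vpn ipsec auto-update 30",
            "set vpn ipsec auto-firewall-nat-exclude enable"]


def peer_cmds(local, remote, secret):
    """Step 5: peer block; 'local' is this router, 'remote' is the far end."""
    return [f"edit vpn ipsec site-to-site peer {remote['wan_ip']}",
            "set authentication mode pre-shared-secret",
            f"set authentication pre-shared-secret {secret}",
            f"set connection-type {local['role']}",
            f"set description 'Tunnel to {remote['location']}'",
            "set ike-group VPN", "set ikev2-reauth inherit",
            f"set local-address {local['wan_ip']}",
            "set vti bind vti0", "set vti esp-group VPN", "top"]


def router_config(local, remote, secret=SECRET):
    """Everything one router needs, in the order of the page's steps."""
    return (firewall_cmds() + vti_cmds(local["vti_addr"], remote["location"])
            + group_cmds() + peer_cmds(local, remote, secret))


def summarize(lines):
    """Replay the command list, tracking the current 'edit' context, and pull
    out the fields the two sides have to agree on (or deliberately differ in)."""
    ctx, info, proposals = "", {}, set()
    for line in lines:
        if line == "top":
            ctx = ""
        elif line.startswith("edit "):
            ctx = line[5:]
        elif line.startswith("set "):
            path = f"{ctx} {line[4:]}".strip()  # full path as EdgeOS would see it
            if m := re.search(r"vti vti0 address (\S+)", path):
                info["vti"] = ipaddress.ip_interface(m.group(1))
            elif m := re.search(r"peer (\S+) local-address (\S+)", path):
                info["peer"], info["local"] = m.groups()
            elif m := re.search(r"peer \S+ connection-type (\S+)", path):
                info["role"] = m.group(1)
            elif m := re.search(r"peer \S+ authentication pre-shared-secret (\S+)", path):
                info["psk"] = m.group(1)
            elif m := re.search(r"(esp-group|ike-group) VPN proposal 1 (\S+ \S+)", path):
                proposals.add((m.group(1), m.group(2)))
    info["proposals"] = proposals
    return info


def check_pair(cfg_a, cfg_b):
    """Return the list of mismatches between two routers' command lists (empty = OK)."""
    a, b = summarize(cfg_a), summarize(cfg_b)
    problems = []
    if a["peer"] != b["local"] or b["peer"] != a["local"]:
        problems.append("peer and local-address do not cross-reference")
    if a["psk"] != b["psk"]:
        problems.append("pre-shared secrets differ")
    if {a["role"], b["role"]} != {"initiate", "respond"}:
        problems.append("need exactly one initiate side and one respond side")
    if a["vti"].network != b["vti"].network or a["vti"].ip == b["vti"].ip:
        problems.append("vti0 addresses must be distinct hosts in the same /30")
    if a["proposals"] != b["proposals"]:
        problems.append("ESP/IKE proposals differ")
    return problems


if __name__ == "__main__":
    r1, r2 = router_config(ROUTER1, ROUTER2), router_config(ROUTER2, ROUTER1)
    print("\n".join(r1), "\n---\n", "\n".join(r2), sep="")
    print("problems:", check_pair(r1, r2) or "none")
```

Paste each generated list into the respective router's `configure` session, then `commit` and `save`. The `top` lines matter: every `edit` on the page is relative to the top level, so running a second `edit` from inside the previous block fails.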

Restarting IPSec process

restart vpn

Changing peer IP

edit vpn ipsec site-to-site
rename peer <previousIP> to peer <newIP>
commit;save