
Ubiquiti EdgeRouter site-to-site VPN: complete setup guide for IPsec tunnels between two remote networks on EdgeRouter


A Ubiquiti EdgeRouter site-to-site VPN securely connects two remote networks over the internet using IPsec tunnels. This guide walks you through everything from planning and prerequisites to GUI and CLI setup, testing, troubleshooting, and best practices. Whether you’re linking a branch office to a datacenter or two regional offices, you’ll find practical steps, real-world tips, and checklists you can reuse. Here are some useful resources to bookmark as you implement this:

  • Ubiquiti EdgeRouter IPsec site-to-site docs – help.ubiquiti.com
  • EdgeRouter User Guide – docs.ubiquiti.com
  • Ubiquiti Community forums – community.ui.com
  • EdgeOS CLI reference – help.ubiquiti.com
  • General IPsec VPN best practices – en.wikipedia.org/wiki/IPsec

Introduction overview

  • What you’ll learn in this guide: a practical, step-by-step path to configuring a reliable site-to-site VPN between two EdgeRouter devices, with GUI and CLI options, testing steps, troubleshooting tips, and security considerations.
  • Quick-start plan: define networks and public IPs, choose your IKE and ESP proposals, create the peer, enable NAT exemptions for VPN traffic, verify the tunnel, and test end-to-end connectivity.
  • Real-world tips: plan for NAT traversal if either site is behind an ISP gateway, use strong PSKs, and pin down subnets to avoid overlap.

What a site-to-site VPN does for you

  • It creates a secure, encrypted tunnel between two networks, so devices on one side can reach devices on the other side as if they were locally connected.
  • It protects data in transit over the public internet, which is essential for sensitive corporate workloads, inter-office backups, and remote site management.
  • It’s typically more scalable than client VPN for fixed remote networks, since devices on each side don’t need individual user credentials.

Prerequisites and planning

  • Two EdgeRouter devices (EdgeRouter X, 4, 6, or higher) running EdgeOS.
  • Public IPs on both sides (static is ideal). If you’re behind CGNAT or on a dynamic IP, you’ll want a DDNS entry and a plan to refresh tunnels when IPs change.
  • Subnets that don’t overlap between sites (for example, 192.168.1.0/24 on Site A and 10.1.0.0/24 on Site B).
  • Administrative access to both EdgeRouters (GUI or CLI).
  • Firewall rules that allow IPsec traffic (UDP 500, UDP 4500, and IP protocol 50 ESP) as needed.
  • A plan for monitoring and troubleshooting: logging enabled, and knowing where to look for IPsec events.

Planning notes

  • Subnet design: keep your internal networks simple and non-overlapping. If you must join overlapping networks, you’ll need to add NAT on the tunnel or accept VPN routing caveats, both of which complicate things.
  • Redundancy: for mission-critical links, consider configuring two site-to-site tunnels to different public IPs for failover.
  • IPv4 vs IPv6: in many off-the-shelf setups, IPsec tunnels carry IPv4 only. Plan IPv6 routing separately if needed.
  • NAT exemption: traffic between the two sites should typically bypass NAT so that the remote subnet can be reached directly.
  • Authentication: pick a strong pre-shared key (PSK) and rotate it periodically. If you’re comfortable with certificates, you can also use certificate-based authentication, depending on firmware capabilities.

GUI setup walkthrough (EdgeRouter UI)

  1. Gather peer information
  • Remote peer public IP address (the other site’s EdgeRouter public IP).
  • Local subnet (the network behind this EdgeRouter that you want to reach from the other site), e.g., 192.168.1.0/24.
  • Remote subnet (the network behind the other EdgeRouter), e.g., 10.1.0.0/24.
  • A strong pre-shared key (PSK) for IPsec.
  2. Open the EdgeRouter UI
  • Navigate to VPN > IPsec > Site-to-Site (or IPsec, if your firmware labels it that way).
  3. Create a new peer
  • Peer IP or hostname: enter the remote site’s public IP.
  • Authentication: set to Pre-Shared Key and paste in your PSK.
  • IKE Group: choose a modern group (for example, IKE-1 with AES256/SHA256). If available, use IKEv2-compatible profiles.
  • ESP Group: choose an ESP proposal with AES256/SHA256 (e.g., ESP-1).
  • Local Subnet: enter your local network, e.g., 192.168.1.0/24.
  • Remote Subnet: enter the remote network, e.g., 10.1.0.0/24.
  • Enable the site-to-site tunnel.
  4. Save and apply
  • Save changes, then Apply. The UI will attempt to establish the tunnel. If it doesn’t come up immediately, you’ll see status indicators and logs you can view.
  5. NAT and firewall adjustments
  • Ensure NAT is not translating traffic between the two VPN subnets. In many setups, you’ll add a NAT exemption or create firewall rules that allow VPN-to-VPN traffic to pass untouched.
  • Make sure the WAN interface firewall allows the IPsec-related traffic (IP protocol 50 ESP, UDP 500 for IKE, UDP 4500 for NAT-T).
  6. Verify connectivity
  • From a host on Site A, try pinging a host on Site B. If ICMP is blocked by a firewall, test against an open port on a known host instead, or run a simple traceroute.
  • Check the IPsec status in the UI: you should see an “UP” state for the site-to-site peer.
  7. Optional routing tweaks
  • If you’re using multiple subnets, you may want to set static routes so that traffic to the remote subnet flows through the VPN tunnel. In EdgeRouter, this is usually handled via policy-based routing or static routes pointing to the VPN interface.

CLI setup walkthrough (EdgeOS)
If you prefer the CLI, here’s a generic pattern you can adapt to your own addresses and PSK. Replace the placeholders (REMOTE_PUBLIC_IP, LOCAL_PUBLIC_IP, yourStrongPSK) with your actual values, and substitute your own WAN interface for eth0. All set commands are entered in configuration mode (type configure first).

  • Define IKE and ESP groups
    set vpn ipsec ike-group IKE-1 key-exchange ikev2
    set vpn ipsec ike-group IKE-1 proposal 1 encryption aes256
    set vpn ipsec ike-group IKE-1 proposal 1 hash sha256
    set vpn ipsec ike-group IKE-1 proposal 1 dh-group 14

    set vpn ipsec esp-group ESP-1 proposal 1 encryption aes256
    set vpn ipsec esp-group ESP-1 proposal 1 hash sha256

  • Bind IPsec to the WAN interface and configure the peer (local-address is this router’s own public IP; the PSK must be identical on both sides, and each side’s local prefix is the other side’s remote prefix)
    set vpn ipsec ipsec-interfaces interface eth0
    set vpn ipsec site-to-site peer REMOTE_PUBLIC_IP authentication mode pre-shared-secret
    set vpn ipsec site-to-site peer REMOTE_PUBLIC_IP authentication pre-shared-secret 'yourStrongPSK'
    set vpn ipsec site-to-site peer REMOTE_PUBLIC_IP local-address LOCAL_PUBLIC_IP
    set vpn ipsec site-to-site peer REMOTE_PUBLIC_IP ike-group IKE-1
    set vpn ipsec site-to-site peer REMOTE_PUBLIC_IP tunnel 1 esp-group ESP-1
    set vpn ipsec site-to-site peer REMOTE_PUBLIC_IP tunnel 1 local prefix 192.168.1.0/24
    set vpn ipsec site-to-site peer REMOTE_PUBLIC_IP tunnel 1 remote prefix 10.1.0.0/24

  • Optional: enable Dead Peer Detection, PFS, or adjust lifetimes (if your firmware does not support IKEv2, set key-exchange ikev1 on the IKE group instead)
    set vpn ipsec ike-group IKE-1 dead-peer-detection action restart
    set vpn ipsec ike-group IKE-1 dead-peer-detection interval 30
    set vpn ipsec ike-group IKE-1 dead-peer-detection timeout 120
    set vpn ipsec esp-group ESP-1 pfs enable
    set vpn ipsec ike-group IKE-1 lifetime 28800
    set vpn ipsec esp-group ESP-1 lifetime 3600

  • NAT exemption (avoid NAT between VPN subnets)
    set vpn ipsec auto-firewall-nat-exclude enable
    This adds the NAT exclusion and the WAN firewall rules for IPsec automatically. If you manage NAT rules by hand instead, make sure that traffic between 192.168.1.0/24 and 10.1.0.0/24 is excluded from masquerading.

  • Save and apply
    commit
    save
    exit

  • Verification
    show vpn ipsec sa
    show vpn ipsec status
    show log | grep ipsec

Testing and validation

  • Basic checks

    • Confirm the tunnel shows as UP on both ends.
    • Ping across subnets from host to host on opposite sides.
    • If ICMP is blocked, test with a simple TCP/UDP check against a service you know is listening on the other side (for example, SSH or HTTPS), or ping a host that does allow ICMP.
  • Troubleshooting tips

    • Double-check peer IPs and PSKs for both sides. A mismatch here is the most common failure.
    • Confirm that local and remote subnets don’t overlap.
    • Ensure the public IPs are reachable from each site (no ISP-level blocks, no misconfigured NAT at the gateway).
    • Verify that the phase 1 and phase 2 settings (IKE group and ESP group) match on both sides.
    • Check firewalls to ensure IPsec traffic is allowed and that inter-site traffic is not blocked.

Common pitfalls and quick fixes

  • Mismatched subnets: verify both local-subnet and remote-subnet, and avoid any overlapping addresses.
  • Incorrect PSK or authentication method: ensure both sides use the same PSK and that the method is the same.
  • NAT traversal issues: if one side is behind a NAT, NAT-T must be enabled. If you’re not sure, enable NAT-T on both sides.
  • Firewall rules: allow IPsec ESP and IKE traffic through the appropriate interfaces. If tunnels establish but traffic doesn’t pass, zone-based or interface-level firewall settings are often the culprit.
  • Dynamic IPs: if a site has a dynamic public IP, use Dynamic DNS and ensure tunnel re-establishes when IPs change.
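The pitfalls above (overlapping subnets, mismatched or weak PSKs, local/remote prefixes copied instead of mirrored) are cheap to catch before you touch a router. The script below is an added example, not part of the original guide or Ubiquiti’s tooling: it runs the pre-flight checks on a two-site plan and then emits the EdgeOS set commands from the CLI walkthrough for each router with the roles swapped. The site names, addresses and the eth0 WAN interface are constructed placeholders.

```python
from ipaddress import ip_network
import secrets

# Constructed sample plan (placeholders, not real sites). "wan" is the public IP
# used as local-address on that router; "wan_if" is its WAN interface, assumed eth0.
SITES = {
    "A": {"wan": "203.0.113.10", "lan": "192.168.1.0/24", "wan_if": "eth0"},
    "B": {"wan": "198.51.100.20", "lan": "10.1.0.0/24", "wan_if": "eth0"},
}
PSK = secrets.token_urlsafe(32)  # strong random PSK; both routers get the same value

def check_plan(sites, psk):
    """Pre-flight checks from the pitfalls section: overlapping subnets,
    duplicate public IPs and a weak PSK. Returns a list of problems."""
    a, b = sites["A"], sites["B"]
    problems = []
    if ip_network(a["lan"]).overlaps(ip_network(b["lan"])):
        problems.append("local and remote subnets overlap")
    if a["wan"] == b["wan"]:
        problems.append("both sites use the same public IP")
    if len(psk) < 20:
        problems.append("pre-shared key is shorter than 20 characters")
    return problems

def edgeos_commands(local, remote, psk, ike="IKE-1", esp="ESP-1"):
    """EdgeOS 'set' commands for ONE router. Call once per site with the
    roles swapped so local/remote prefixes are mirrored rather than copied."""
    peer = f"set vpn ipsec site-to-site peer {remote['wan']}"
    return [
        f"set vpn ipsec ipsec-interfaces interface {local['wan_if']}",
        "set vpn ipsec auto-firewall-nat-exclude enable",  # NAT exemption + WAN rules
        f"set vpn ipsec ike-group {ike} key-exchange ikev2",
        f"set vpn ipsec ike-group {ike} proposal 1 encryption aes256",
        f"set vpn ipsec ike-group {ike} proposal 1 hash sha256",
        f"set vpn ipsec ike-group {ike} proposal 1 dh-group 14",
        f"set vpn ipsec esp-group {esp} pfs enable",
        f"set vpn ipsec esp-group {esp} proposal 1 encryption aes256",
        f"set vpn ipsec esp-group {esp} proposal 1 hash sha256",
        f"{peer} authentication mode pre-shared-secret",
        f"{peer} authentication pre-shared-secret {psk}",
        f"{peer} ike-group {ike}",
        f"{peer} local-address {local['wan']}",
        f"{peer} tunnel 1 esp-group {esp}",
        f"{peer} tunnel 1 local prefix {local['lan']}",
        f"{peer} tunnel 1 remote prefix {remote['lan']}",
    ]
```

Run check_plan first and only generate commands when it returns an empty list; paste each router’s list into configuration mode followed by commit and save.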

Security best practices

  • Use strong pre-shared keys and rotate them periodically.
  • Prefer newer IKE and ESP configurations when your devices support them (IKEv2 where possible, AES-256, SHA-256, and appropriate DH groups).
  • Keep EdgeOS firmware up to date to benefit from security patches and VPN improvements.
  • Limit VPN access to only what’s needed (least privilege for subnets and hosts).
  • Consider dividing traffic with separate tunnels for specific subnets if you have complex network needs.

Performance and maintenance tips

  • Hardware limits: EdgeRouter models differ in CPU and throughput capabilities. Plan VPN throughput accordingly, especially on 1 Gbps or faster links.
  • Use split tunneling when appropriate: send only required subnets through the VPN and route everything else locally to optimize performance.
  • Regularly review tunnel stats: monitor dropped packets, retransmits, and SA (security association) uptime to catch problems early.
  • If you have multiple sites, a failover strategy with two tunnels and monitoring helps keep services available.

Advanced topics you may encounter

  • Dual VPN tunnels for redundancy: configure two peers with different public IPs and set up both tunnels. If one goes down, the other can carry the traffic.
  • Dynamic DNS with dynamic IPs: set a DDNS client on the EdgeRouter so the peer can always find you even if your public IP changes.
  • Subnet planning for growth: if you intend to add more sites, plan your IP ranges with ample space to avoid future conflicts.

Frequently asked questions

What is a site-to-site VPN?

A site-to-site VPN connects two distinct networks over the internet, creating a secure tunnel so devices on one network can talk to devices on the other network as if they were on the same local network.

Does Ubiquiti EdgeRouter support IPsec site-to-site VPN?

Yes. EdgeRouter devices support IPsec-based site-to-site VPNs, and you can configure them via the GUI or the CLI.

How do I configure a site-to-site VPN on EdgeRouter using the GUI?

In the EdgeRouter UI, go to VPN > IPsec > Site-to-Site, add a new peer with the remote IP, set the PSK, choose IKE/ESP groups, specify local and remote subnets, and enable the tunnel. Save and apply, then test connectivity.

How do I configure a site-to-site VPN on EdgeRouter using the CLI?

Use the vpn ipsec commands to define IKE and ESP groups, configure the peer with the remote IP and PSK, set the local and remote subnets, and apply NAT exemption for VPN traffic. Then verify with show vpn ipsec sa and show vpn ipsec status.

How can I verify that the IPsec tunnel is up?

Check the tunnel status in the EdgeRouter UI or run commands like show vpn ipsec sa and show vpn ipsec status from the CLI. You should see the peer listed as UP and the SA renegotiations active.

What should I do if the tunnel shows UP but I can’t reach the remote subnet?

Double-check firewall rules, NAT exemptions, and static routes. Ensure there’s no overlapping subnet, and confirm that the direction of traffic matches the remote subnet definitions.

How do I troubleshoot mismatched subnets or PSK errors?

Verify that the subnets are mirrored correctly on both sides (Site A’s local subnet is Site B’s remote subnet, and vice versa), and confirm the PSK is exactly the same on both sides. Re-enter the PSK if necessary and re-establish the tunnel.

Can I use dynamic DNS with IPsec site-to-site VPN on EdgeRouter?

Yes, dynamic DNS helps when your public IP changes. Configure a DDNS client on the EdgeRouter and update the remote side with the new IP address as needed.

Should I use IKEv2 or IKEv1 for EdgeRouter VPNs?

If your devices and firmware support it, IKEv2 is generally preferred for its speed and reliability. If your hardware or firmware only supports IKEv1, configure it with strong algorithms (AES-256, SHA-256) and robust DH groups.

Do I need to disable NAT for VPN traffic on EdgeRouter?

Typically, yes: traffic between the two VPN subnets should bypass NAT. Use NAT exemption rules or the GUI’s built-in VPN NAT settings to ensure VPN traffic isn’t translated.

How can I improve VPN reliability for a branch office?

Use two tunnels to different public IPs for failover, ensure keepalive settings or DPD are enabled if supported, and monitor tunnel health with regular checks. Consider adding a simple, lightweight monitor on each site to alert you if a tunnel goes down.

What should I do if the VPN tunnel won’t come up after a firmware update?

Firmware updates can occasionally change default settings. Re-check IKE/ESP group settings, PSK, and local/remote subnet definitions. If possible, compare working backups of the configuration to identify what changed.

Is there a performance trade-off when enabling IPsec on EdgeRouter?

Yes, encryption and decryption require CPU resources. If you’re hitting throughput limits, consider reducing the number of tunnels or adjusting the traffic you send through the VPN, and ensure you’re running firmware optimized for VPN performance.

Conclusion
This guide gives you a solid, real-world approach to configuring a site-to-site VPN with Ubiquiti EdgeRouter devices. The combination of GUI and CLI options means you can choose the path you’re most comfortable with, and the troubleshooting and best practices sections will help you keep tunnels up and secure. As with any network setup, plan carefully, document your subnet design, and test thoroughly. The result is a reliable, secure channel that makes two remote networks feel like they’re on the same LAN.
