
Ubiquiti EdgeRouter site-to-site VPN: complete setup guide for IPsec tunnels between two remote networks on EdgeRouter (2026)


Quick fact: A site-to-site VPN creates a secure bridge between two separate networks over the internet, letting devices on either side talk as if they were on the same local network.

  • Quick-start overview:
    1. Gather network details: LAN subnets, public IPs, and WAN interfaces for both sides.
    2. Choose PSK or certificate-based authentication.
    3. Configure the IPsec tunnel settings, including the phase 1 (IKE) and phase 2 (ESP) parameters.
    4. Create firewall rules that allow the VPN traffic and enforce your security policy.
    5. Test connectivity and verify the tunnel status.
  • Why this matters: A reliable site-to-site VPN on EdgeRouter lets you securely extend your network to a remote office or home lab without exposing devices to the public internet.
  • What you’ll get in this guide: step-by-step commands, screenshot-style descriptions, troubleshooting tips, performance considerations, and an FAQ section at the end.


Table of contents

  • Why use EdgeRouter for site-to-site VPNs
  • Prerequisites and planning
  • Understanding IPsec concepts for EdgeRouter
  • Step-by-step: site-to-site VPN with manual IPsec on EdgeRouter
  • Alternative: using VPN Services or Cloud SSO options
  • Security hardening tips
  • Monitoring and maintenance
  • Troubleshooting common issues
  • Performance considerations
  • FAQ

Why use EdgeRouter for site-to-site VPNs
EdgeRouter devices from Ubiquiti are popular for small to medium networks because they offer a robust IPsec implementation, flexible firewall rules, and a straightforward command-line interface. A well-configured site-to-site VPN lets two remote networks communicate securely, with traffic encrypted in transit and no need for a third-party VPN service. The benefits include:

  • Direct private network connectivity across sites
  • Lower latency and better control compared to some VPN services
  • Scalable configurations for growing networks
  • Rich logging and monitoring options to diagnose issues quickly

Prerequisites and planning
Before you begin, collect these details for both sides:

  • Public IP addresses or dynamic DNS names for each EdgeRouter WAN interface
  • Local LAN subnets on each side (for example, 192.168.10.0/24 and 192.168.20.0/24)
  • Desired IPsec parameters: encryption, hash, DH group, and SA lifetimes
  • Authentication method: pre-shared key (PSK) or certificates
  • Firewall zone names and existing rules that may affect VPN traffic
  • Hostnames or device names for easier management

Common defaults you’ll see:

  • Encryption: AES-256 or AES-128, depending on hardware capability
  • Hash: SHA-256
  • DH group: 14 (2048-bit MODP) or 19/20 (256- or 384-bit ECP)
  • ESP in tunnel mode, with PFS enabled on many setups
  • SA lifetimes: 28800 seconds (8 hours) or 3600 seconds (1 hour); adjust to match the other side

Understanding IPsec concepts for EdgeRouter

  • Phase 1 (IKE): Establishes a secure channel used to negotiate the later keys. Options include encryption, hashing, authentication method, and DH group.
  • Phase 2 (IPsec SA): Defines how traffic is encrypted between the sites. Includes tunnel mode, perfect forward secrecy (PFS), and SA lifetimes.
  • Traffic selectors: Which subnets are allowed through the tunnel on each side.
  • NAT traversal (NAT-T): If either side sits behind a NAT, NAT-T keeps ESP working by encapsulating it in UDP 4500.
  • Firewall interaction: VPN traffic requires allow rules on both sides to pass through.

Step-by-step: site-to-site VPN with manual IPsec on EdgeRouter
Note: The commands assume two sites, Site A (EdgeRouter A) and Site B (EdgeRouter B). Replace the placeholder values with your own.

  1. Define variables (Site A example)
  • WAN_IP_A = 203.0.113.1
  • LAN_A = 192.168.10.0/24
  • WAN_IF_A = eth0
  • PSK_A = 'yoursharedkey'
  2. Define variables (Site B example)
  • WAN_IP_B = 198.51.100.2
  • LAN_B = 192.168.20.0/24
  • WAN_IF_B = eth0
  • PSK_B = 'yoursharedkey' (the PSK must be identical on both sides when using the PSK method)
  3. On the Site A EdgeRouter, enter configuration mode
    configure

  4. Configure the IKE (Phase 1) proposal
    set vpn ipsec ike-group IKE-GROUP proposal 1 encryption aes128
    set vpn ipsec ike-group IKE-GROUP proposal 1 hash sha256
    set vpn ipsec ike-group IKE-GROUP proposal 1 dh-group 14
    set vpn ipsec ike-group IKE-GROUP lifetime 3600

  5. Configure the ESP (Phase 2) proposal
    set vpn ipsec esp-group ESP-GROUP proposal 1 encryption aes128
    set vpn ipsec esp-group ESP-GROUP proposal 1 hash sha256
    set vpn ipsec esp-group ESP-GROUP lifetime 3600
    set vpn ipsec esp-group ESP-GROUP pfs enable

  6. Create the IPsec peer (EdgeOS identifies the peer by its public address, so WAN_IP_B is the peer name)
    set vpn ipsec site-to-site peer 198.51.100.2 authentication mode pre-shared-secret
    set vpn ipsec site-to-site peer 198.51.100.2 authentication pre-shared-secret 'yoursharedkey'
    set vpn ipsec site-to-site peer 198.51.100.2 ike-group IKE-GROUP
    set vpn ipsec site-to-site peer 198.51.100.2 default-esp-group ESP-GROUP
    set vpn ipsec site-to-site peer 198.51.100.2 local-address 203.0.113.1

  7. Define the local and remote networks (traffic selectors) for the tunnel
    set vpn ipsec site-to-site peer 198.51.100.2 tunnel 1 local prefix 192.168.10.0/24
    set vpn ipsec site-to-site peer 198.51.100.2 tunnel 1 remote prefix 192.168.20.0/24

  8. Bind IPsec to the WAN interface and enable NAT traversal (needed if either side is behind NAT)
    set vpn ipsec ipsec-interfaces interface eth0
    set vpn ipsec nat-traversal enable

  9. Apply and commit
    commit
    save

  10. Create firewall rules to allow VPN traffic

  • Allow IKE (UDP 500, plus UDP 4500 for NAT-T) and ESP (IP protocol 50) to the router itself, on the ruleset applied to the WAN interface in the local direction (WAN_LOCAL if you used the setup wizard), restricted to the remote peer:
    set firewall name WAN_LOCAL rule 10 action accept
    set firewall name WAN_LOCAL rule 10 description 'IPsec IKE and NAT-T'
    set firewall name WAN_LOCAL rule 10 protocol udp
    set firewall name WAN_LOCAL rule 10 destination port 500,4500
    set firewall name WAN_LOCAL rule 10 source address 198.51.100.2
    set firewall name WAN_LOCAL rule 20 action accept
    set firewall name WAN_LOCAL rule 20 description 'IPsec ESP'
    set firewall name WAN_LOCAL rule 20 protocol esp
    set firewall name WAN_LOCAL rule 20 source address 198.51.100.2
    commit
    save

  11. Verify the tunnel
  • Check status:
    show vpn ipsec sa
    show vpn ipsec status
  • From a host in LAN_A, ping a host in LAN_B (for example 192.168.20.1) to test connectivity.
  12. Troubleshooting tips
  • If the tunnel never comes up, verify that:
    • the PSK matches on both sides
    • the public IPs are reachable and no upstream firewall blocks UDP 500/4500 or ESP
    • the subnets do not overlap
    • the local-address and peer address are correct on each side (each side's peer must be the other side's local-address)
  • Logs can be viewed with:
    show log | grep -i ipsec
    show log | grep -i firewall
  13. Optional: dynamic DNS and remote connectivity
    If either side has a dynamic public IP, configure a dynamic DNS hostname for it and use that hostname as the peer name instead of a fixed IP:
    set vpn ipsec site-to-site peer your-dns-name.example.com local-address 203.0.113.1
    Confirm that DNS resolution from the EdgeRouter works, and re-establish the tunnel after the address changes.

Alternative: using VPN Services or Cloud SSO options

  • Some setups may use a cloud-managed VPN service for simpler management, but direct IPsec on EdgeRouter provides low latency and full control.
  • If you’re integrating with a cloud network or VPC, you might run a similar IPsec tunnel from the cloud gateway side, matching the same IKE/ESP proposals and subnets.

Security hardening tips

  • Use a strong PSK or certificates. If possible, move to certificate-based authentication for scalability.
  • Enforce strict firewall rules that only allow VPN traffic from the remote peer.
  • Regularly rotate keys and monitor tunnel uptime.
  • Enable device hardening on EdgeRouter: disable unused services, keep firmware updated, and enable logging for VPN events.
  • Consider enabling DNS security to prevent leaks or MITM scenarios.

Monitoring and maintenance

  • Regularly check tunnel status and uptime.
  • Monitor latency and jitter; significant degradations may indicate path issues or misconfiguration.
  • Review logs after changes to confirm that connections are stable.
  • Schedule firmware updates during maintenance windows to minimize disruption.

Performance considerations

  • Hardware capabilities: EdgeRouter models vary in CPU and RAM, impacting the number of concurrent tunnels and throughput.
  • Encryption settings: AES-256 provides stronger security but may impact throughput on some devices. If you hit performance limits, consider AES-128 with SHA-256 as a balanced option.
  • MTU and fragmentation: Ensure MTU is set correctly to minimize fragmentation on IPsec traffic.
  • WAN uplink: If you’re using a slow upload link, consider reducing the tunnel’s SA lifetimes slightly to keep rekeying crisp without interruption.
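The MTU point above is easier to act on with numbers. The following is an added example (not code from the guide) that works out the per-packet overhead of the tunnel this page builds (ESP tunnel mode, AES-CBC with HMAC-SHA-256, with or without NAT-T UDP encapsulation) and derives the largest inner packet and the TCP MSS clamp that avoid fragmentation; the byte counts follow the ESP packet format and the 128-bit truncated HMAC-SHA-256 ICV, and the 1500-byte WAN MTU is an assumption.

```python
"""ESP tunnel-mode overhead and MSS-clamp calculation for an EdgeRouter IPsec tunnel.
Added example; byte counts follow the ESP packet format (RFC 4303) and HMAC-SHA-256-128."""

IPV4_HEADER = 20   # outer IPv4 header added by tunnel mode
UDP_HEADER = 8     # NAT-T encapsulation (UDP 4500), present only when NAT-T is in use
ESP_HEADER = 8     # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2    # pad length (1 byte) + next header (1 byte)
TCP_HEADER = 20

# cipher name as used in EdgeOS -> (explicit IV bytes, block size the plaintext is padded to)
CBC_CIPHERS = {"aes128": (16, 16), "aes256": (16, 16), "3des": (8, 8)}
# hash name as used in EdgeOS -> truncated HMAC ICV bytes
ICV_BYTES = {"sha256": 16, "sha1": 12, "md5": 12}


def esp_outer_size(inner_len, cipher="aes128", hash_alg="sha256", nat_t=True):
    """Bytes on the wire for one ESP packet carrying an inner IP packet of inner_len bytes."""
    iv, block = CBC_CIPHERS[cipher]
    # inner packet + padding + 2-byte trailer, rounded up to the cipher block size
    encrypted = -(-(inner_len + ESP_TRAILER) // block) * block
    return (IPV4_HEADER + (UDP_HEADER if nat_t else 0) + ESP_HEADER
            + iv + encrypted + ICV_BYTES[hash_alg])


def max_inner_packet(wan_mtu=1500, **kw):
    """Largest inner IP packet the WAN MTU carries without fragmenting the ESP packet."""
    inner = wan_mtu
    while esp_outer_size(inner, **kw) > wan_mtu:  # outer size grows with inner size
        inner -= 1
    return inner


def tcp_mss_clamp(wan_mtu=1500, **kw):
    """TCP MSS to clamp to for sessions crossing the tunnel (inner IPv4 + TCP headers removed)."""
    return max_inner_packet(wan_mtu, **kw) - IPV4_HEADER - TCP_HEADER


if __name__ == "__main__":
    for nat_t in (False, True):
        label = "with NAT-T" if nat_t else "without NAT-T"
        print(f"{label}: a 1500-byte inner packet becomes {esp_outer_size(1500, nat_t=nat_t)} bytes"
              f" on the wire; max unfragmented inner packet {max_inner_packet(nat_t=nat_t)};"
              f" clamp TCP MSS to {tcp_mss_clamp(nat_t=nat_t)}")
    # On EdgeOS the clamp is applied with 'set firewall options mss-clamp mss <value>'
    # (together with an interface-type); that command is not part of the guide above.
```

With AES-128/SHA-256 and NAT-T, a full 1500-byte LAN packet grows to 1572 bytes and is fragmented on a 1500-byte WAN; clamping TCP MSS to 1382 (1398 without NAT-T) keeps the encrypted packets whole.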

FAQ

What is a site-to-site VPN on EdgeRouter?

A site-to-site VPN on EdgeRouter creates an encrypted tunnel between two separate networks over the internet, allowing devices on both networks to communicate securely as if they were on a single LAN.

Do I need a public IP on both sides?

Yes, both sides typically need reachable public IPs or resolvable DNS names so the tunnels can establish and maintain.

Can I use a dynamic DNS hostname for the peer?

Yes, if you’re using dynamic IPs, you can configure the peer-address as a dynamic DNS hostname and update periodically.

What authentication methods are available?

You can use pre-shared keys (PSK) or certificates. Certificates provide better security and scalability for larger deployments.

How do I test the VPN tunnel?

Ping a host on the remote LAN from a host on the local LAN. Use the EdgeRouter’s VPN status commands to verify IPsec SA status.

What if the tunnel is down after a reboot?

Ensure the tunnel configuration is saved, and that the firewall rules persist across reboots. Check for conflicting rules or services that start after the VPN.

How do I handle NAT with the VPN?

If either side is behind a NAT device, enable NAT-T (UDP 4500) and ensure the remote peer supports NAT-T.

Can I run multiple site-to-site VPN tunnels on a single EdgeRouter?

Yes, many EdgeRouter devices support multiple IPsec tunnels. Create separate peer definitions and tunnel sections for each remote site, keeping track of unique local/remote prefixes.

How do I secure management access to the EdgeRouter?

Limit management access to trusted IPs, use strong passwords, enable two-factor authentication where possible, and keep firmware up to date.

How can I improve reliability of the VPN?

Use redundant paths if possible, monitor tunnel health with periodic pings, and configure dead peer detection (DPD) to recover quickly from outages.

Notes

  • This guide provides a practical approach to setting up IPsec site-to-site VPNs on EdgeRouter. Your exact commands may vary slightly depending on your EdgeRouter model and firmware version.
  • If you’re wiring up a more complex network with multiple subnets or hairpin routing, plan the traffic selectors carefully to avoid routing issues.
  • Always perform changes during a maintenance window if possible, and back up your configuration before making changes.

This guide is about getting two separate networks to talk securely over the internet using IPsec tunnels managed by an EdgeRouter. It breaks the process into practical, step-by-step actions you can follow, with real-world tips and common pitfalls to avoid. If you’re new to EdgeRouter gear, the steps are kept clear and actionable, with hands-on instructions you can apply right away.

Quick fact: A site-to-site IPsec VPN creates an encrypted tunnel between two gateways so devices on one side can reach devices on the other side as if they were on the same local network.

Introduction: what you’ll learn

  • Understand the basics of site-to-site IPsec on EdgeRouter devices
  • Prepare both networks with predictable IP ranges and public endpoints
  • Configure phase 1 and phase 2 proposals, keys, and policies
  • Test the tunnel, verify traffic flow, and troubleshoot common issues
  • Optimize for reliability and security with recommended practices


Table of contents

  • Prerequisites and planning
  • Network topology examples
  • Prerequisites and security considerations
  • Step-by-step: primary site Site A
  • Step-by-step: remote site Site B
  • Phase 1: IKE configuration
  • Phase 2: IPsec configuration
  • Network address translation NAT and firewall rules
  • Testing the VPN
  • Troubleshooting common issues
  • Best practices and maintenance
  • FAQ

Prerequisites and planning

  • Two EdgeRouter devices (one at each site) with internet access and a public IP for each site
  • Administrative access to both EdgeRouter devices (CLI or UI)
  • Distinct private LANs on each side, for example:
    • Site A LAN: 192.168.10.0/24
    • Site B LAN: 192.168.20.0/24
  • Static or dynamic public IPs? If you’re on dynamic IPs, plan for Dynamic DNS (DDNS) to keep the tunnel endpoints up to date
  • Time synchronization: make sure both devices have accurate time (NTP)
  • Firewall rules allowing IPsec (ESP, AH, and UDP 500/4500 for NAT-T)
  • A basic understanding of the EdgeRouter UI and CLI (you’ll see both in the steps)

Network topology examples

  • Simple hub-to-hub: two sites connected via the internet, each site’s LAN behind its EdgeRouter
  • IP addressing plan:
    • Site A: 192.168.10.0/24, EdgeRouter A public IP: a.b.c.d
    • Site B: 192.168.20.0/24, EdgeRouter B public IP: w.x.y.z
  • Optional: use a dedicated VPN subnet for remote networks, such as 10.10.10.0/24, to avoid conflicts

Prerequisites and security considerations

  • Use strong shared secrets or certificates for IKE authentication
  • Consider using DNS names (DDNS) if public IPs change
  • Disable unnecessary services on EdgeRouter
  • Keep firmware up to date to avoid known VPN vulnerabilities
  • Document your configuration and keep backups

Step-by-step: primary site Site A

  • Access the EdgeRouter GUI or CLI. We’ll use CLI-style commands for precision and clarity; adapt to GUI as needed.
  • Define variables for readability (example values are placeholders):
    • Site A LAN: 192.168.10.0/24
    • Site B LAN: 192.168.20.0/24
    • Site A public IP: a.b.c.d
    • Site B public IP: w.x.y.z
    • VPN peer IP (Site B): w.x.y.z
    • VPN local subnet: 192.168.10.0/24
    • VPN remote subnet: 192.168.20.0/24
  • Configure IKE (Phase 1)
    • Authentication: Pre-Shared Key (PSK) or certificates
    • Encryption: AES-256 recommended
    • Integrity: SHA-256
    • DH group: 14 (2048-bit) or stronger if supported
    • Lifetime: 28800 seconds (8 hours)
  • Configure IPsec (Phase 2)
    • Transform: ESP with AES-256/SHA-256
    • PFS: group14
    • Local/remote networks: allow traffic between 192.168.10.0/24 and 192.168.20.0/24
    • Lifetime: 3600 seconds (1 hour)
  • NAT traversal
    • Enable NAT-T if either side sits behind NAT
  • Firewall
    • Create an IPsec policy and allow traffic between the two subnets
    • Add firewall rules to permit IPsec control traffic and data traffic across the tunnel
  • Save the configuration and test basic connectivity locally
  • Optional: enable Dead Peer Detection (DPD) to maintain the tunnel

Step-by-step: remote site Site B

  • Mirror Site A configuration with roles reversed
  • Set Site B LAN: 192.168.20.0/24
  • Site B public IP: w.x.y.z
  • Remote Site A subnet: 192.168.10.0/24
  • Ensure the PSK or certificate matches Site A
  • Configure IKE and IPsec with the same parameters but swap local/remote networks
  • Apply firewall and NAT rules similarly
  • Save and test connectivity from Site B to Site A

Phase 1: IKE configuration details

  • Key exchange: IKEv2 preferred for modern networks
  • Example (conceptual):
    • ike proposal: aes256-sha256-modp2048
    • key lifetime: 28800 seconds
    • authentication: pre-shared-key or certificates
  • If using UI, locate IKE settings and fill in the parameters, ensuring mutual agreement on encryption, hash, and DH group

Phase 2: IPsec configuration details

  • ESP transform: ESP with AES-256 and SHA-256 (encryption aes256, hash sha256 in EdgeOS terms)
  • Perfect forward secrecy: enabled (group14 recommended)
  • P2 subnet: 192.168.10.0/24 to 192.168.20.0/24
  • P2 lifetime: 3600 seconds
  • Enable NAT-T if NAT is involved

NAT, firewall rules, and traffic flow

  • On EdgeRouter, NAT is not usually needed for VPN traffic, but if either side uses NAT, enable NAT-T
  • Firewall rules should:
    • Allow IPsec negotiation traffic (UDP 500 and UDP 4500)
    • Allow ESP (protocol 50) and, if needed, AH (protocol 51)
    • Allow IPsec tunnel traffic between the private subnets
  • Example firewall policy:
    • Allow IPsec traffic between 192.168.10.0/24 and 192.168.20.0/24
    • Ensure no overly permissive rules expose the LAN
  • Verify that both sides have identical phase 1 and phase 2 proposals

Testing the VPN

  • Basic checks
    • VPN tunnel status: “up” or “active” on both EdgeRouters
    • Log into the EdgeRouter and view the VPN status
  • Connectivity tests
    • Ping from a host on Site A (192.168.10.10) to a host on Site B (192.168.20.10)
    • If ping fails, check:
      • VPN tunnel status
      • IP routing between subnets
      • Firewall rules allowing traffic over the tunnel
  • Traceroute and path testing
    • Run traceroute from Site A to Site B to verify the path uses the VPN
  • Real-world traffic tests
    • Test SMB, RDP, or other protocols that cross the VPN
    • Monitor throughput and latency to ensure it meets expectations

Troubleshooting common issues

  • Issue: VPN tunnel shows as down
    • Solution: Verify both sides use matching PSK or certificates
    • Ensure public IPs are correct; if behind CGNAT or dynamic IPs, update DDNS settings
  • Issue: Phase 1 negotiates but Phase 2 fails
    • Solution: Align the encryption, hash, and PFS settings on both sides
    • Check that both subnets are correctly defined on each end
  • Issue: No traffic across the tunnel
    • Solution: Confirm firewall rules allow IPsec and data traffic
    • Ensure IP routing on both sites includes routes for the remote subnet via the VPN
  • Issue: IPsec tunnel drops frequently
    • Solution: Enable DPD, adjust lifetimes, verify network stability, check MTU
  • Issue: DNS leaks or name resolution issues
    • Solution: Use internal DNS or hosts files for critical resources across sites
  • Issue: Performance issues
    • Solution: Check CPU utilization on EdgeRouter, ensure hardware can handle encryption, consider upgrading
  • Issue: Dynamic IP changes
    • Solution: Use DDNS service names on both sites and update peers automatically

Best practices and maintenance

  • Regular firmware updates
  • Periodic backup of EdgeRouter configurations
  • Document all VPN settings (PSK, subnets, endpoints)
  • Use certificates if possible for stronger security
  • Reserve private IP ranges you won’t reuse elsewhere to prevent conflicts
  • Consider monitoring solutions to alert on tunnel status changes
  • Plan for scalability if you add more sites

More formats for quick reading

  • Quick checklist:
    • Public IPs known and reachable
    • Subnets defined and non-overlapping
    • IKEv2 with AES-256 and SHA-256
    • Phase 2 with ESP-AES-256/SHA-256
    • NAT-T enabled if needed
    • Firewall rules allowing VPN and inter-subnet traffic
    • DDNS configured if IPs change
  • Example traffic matrix:
    • From Site A host 192.168.10.50 to Site B host 192.168.20.25: allowed via tunnel
    • From Site B host 192.168.20.60 to Site A host 192.168.10.70: allowed via tunnel
  • Commonly used EdgeOS commands for CLI users
    • show vpn ipsec status
    • show vpn ipsec sa
    • show ip route
    • show firewall name WAN_LOCAL statistics (substitute the name of your WAN ruleset)
    • ping 192.168.20.25 (run from the 192.168.10.50 host)

Frequently Asked Questions

What is a site-to-site VPN on EdgeRouter?

A site-to-site VPN creates a secure, encrypted tunnel between two separate networks over the internet, allowing devices on either side to communicate as if they’re on the same LAN.

Why use IPsec for a site-to-site VPN?

IPsec provides secure, authenticated, and encrypted communication for IP traffic between sites. It’s widely supported, standards-based, and robust for securing data in transit.

Can I use dynamic IPs at either site?

Yes, but you’ll want to use Dynamic DNS (DDNS) on both sides so the peers can resolve each other’s current public IPs.

Should I use IKEv2 or IKEv1?

IKEv2 is preferred for its better security, stability, and automatic rekeying. It’s broadly supported on EdgeRouter devices.

How do I test if the tunnel is up?

Check the EdgeRouter VPN status page or use the command-line equivalents to view phase 1 and phase 2 status, then run connectivity tests (ping, traceroute) across the VPN.

How do I fix a flaky tunnel?

Ensure matching proposals, update IP addresses if changed, enable DPD, verify NAT-T if behind NAT, and check for firewall drops that block IPsec traffic.

Can I add more sites later?

Absolutely. You can build a hub-and-spoke or full mesh depending on your topology. Each new site adds a new IPsec tunnel configuration to the EdgeRouter.

How do I back up VPN configurations?

Use the EdgeRouter backup options to export your current configuration. Store backups offline in case you need to restore.

What about IPv6 VPNs?

IPsec VPNs can be configured for IPv6, but you’ll need to plan subnets for IPv6 and ensure firewall rules and routing reflect the IPv6 addresses.

Do I need certificates or can I stick with PSK?

Certificates offer stronger security and easier certificate rotation for larger deployments. PSK is simpler for small, static setups but requires careful management of shared secrets.

This guide aims to give you a solid, practical path to setting up a robust EdgeRouter site-to-site IPsec VPN between two remote networks; substitute your exact subnet ranges, IPs, and preferred authentication method to turn the steps into a copy-paste-ready configuration.

Ubiquiti EdgeRouter site-to-site VPN is a method to securely connect two remote networks over the internet using IPsec tunnels. This guide walks you through everything from planning and prerequisites to GUI and CLI setup, testing, troubleshooting, and best practices. Whether you’re linking a branch office to a datacenter or two regional offices, you’ll find practical steps, real-world tips, and checklists you can reuse. Here are some useful resources to bookmark as you implement this:

  • Ubiquiti EdgeRouter IPsec site-to-site docs – help.ubiquiti.com
  • EdgeRouter User Guide – docs.ubiquiti.com
  • Ubiquiti Community forums – community.ui.com
  • EdgeOS CLI reference – help.ubiquiti.com
  • General IPsec VPN best practices – en.wikipedia.org/wiki/IPsec

Introduction overview

  • What you’ll learn in this guide: a practical, step-by-step path to configuring a reliable site-to-site VPN between two EdgeRouter devices, with GUI and CLI options, testing steps, troubleshooting tips, and security considerations.
  • Quick-start plan: define networks and public IPs, choose your IKE and ESP proposals, create the peer, enable NAT exemptions for VPN traffic, verify the tunnel, and test end-to-end connectivity.
  • Real-world tips: plan for NAT traversal if either site is behind an ISP gateway, use strong PSKs, and pin down subnets to avoid overlap.

What a site-to-site VPN does for you

  • It creates a secure, encrypted tunnel between two networks, so devices on one side can reach devices on the other side as if they were locally connected.
  • It protects data in transit over the public internet, which is essential for sensitive corporate workloads, inter-office backups, and remote site management.
  • It’s typically more scalable than client VPN for fixed remote networks, since devices on each side don’t need individual user credentials.

Prerequisites and planning

  • Two EdgeRouter devices (EdgeRouter X, 4, 6, or higher) with EdgeOS installed.
  • Public IPs (static is ideal) on both sides. If you’re behind a CGNAT or a dynamic IP, you’ll want a DDNS entry and a plan to refresh tunnels when IPs change.
  • Subnets that don’t overlap between sites (for example, 192.168.1.0/24 on Site A and 10.1.0.0/24 on Site B).
  • Administrative access to both EdgeRouters (GUI or CLI).
  • Firewall rules that allow IPsec traffic (UDP 500, UDP 4500, and IPsec ESP) as needed.
  • A plan for monitoring and troubleshooting (logging enabled, and knowing where to look for IPsec events).

Planning notes

  • Subnet design: keep your internal networks simple and non-overlapping. If you must connect overlapping networks, you’ll need NAT on the tunnel and will run into VPN routing caveats, which complicate things.
  • Redundancy: for mission-critical links, consider configuring two site-to-site tunnels to different public IPs for failover.
  • IPv4 vs IPv6: IPsec tunnels in most off-the-shelf setups carry IPv4; plan IPv6 routing separately if needed.
  • NAT exemption: traffic between the two sites should typically bypass NAT so that the remote subnet can be reached directly.
  • Authentication: pick a strong pre-shared key (PSK) and rotate it periodically. If you’re comfortable with certificates, you can also use certificate-based authentication, depending on firmware capabilities.

GUI setup walkthrough EdgeRouter UI

  1. Gather peer information
  • Remote peer public IP address (the other site’s EdgeRouter public IP).
  • Local subnet (the network behind this EdgeRouter that you want to reach from the other site), e.g., 192.168.1.0/24.
  • Remote subnet (the network behind the other EdgeRouter), e.g., 10.1.0.0/24.
  • A strong pre-shared key (PSK) for IPsec.
  2. Open the EdgeRouter UI
  • Navigate to VPN > IPsec Site-to-Site (or IPsec, if your firmware labels it that way).
  3. Create a new peer
  • Peer IP or hostname: enter the remote site’s public IP.
  • Authentication: set to Pre-Shared Key and paste in your PSK.
  • IKE Group: choose a modern group (for example, IKE-1 with AES256/SHA256). If available, use IKEv2-compatible profiles.
  • ESP Group: choose an ESP proposal with AES256/SHA256 (e.g., ESP-1).
  • Local Subnet: enter your local network, e.g., 192.168.1.0/24.
  • Remote Subnet: enter the remote network, e.g., 10.1.0.0/24.
  • Enable the site-to-site tunnel.
  4. Save and apply
  • Save changes, then Apply. The UI will attempt to establish the tunnel. If it doesn’t come up immediately, the status indicators and logs will show why.
  5. NAT and firewall adjustments
  • Ensure NAT is not translating traffic between the two VPN subnets. In many setups you’ll add a NAT exemption, or firewall rules that let VPN-to-VPN traffic pass untouched.
  • Make sure the WAN interface firewall allows the IPsec-related traffic (protocol 50 ESP, UDP 500, and UDP 4500 for NAT-T).
  6. Verify connectivity
  • From a host on Site A, try pinging a host on Site B. If ICMP is blocked by a firewall, connect to a port you know is open on a test host, or run a traceroute.
  • Check the IPsec status in the UI: you should see an “UP” state for the site-to-site peer.
  7. Optional routing tweaks
  • If you’re using multiple subnets, you may want static routes so that traffic to the remote subnet flows through the VPN tunnel. On EdgeRouter this is usually handled via policy-based routing or static routes pointing at the VPN.

CLI setup walkthrough EdgeOS
If you prefer the CLI, here’s a generic pattern you can adapt to your own addresses and PSK. Replace the placeholders with your actual values.

  • Define the IKE and ESP groups
    set vpn ipsec ike-group IKE-1 proposal 1 encryption aes256
    set vpn ipsec ike-group IKE-1 proposal 1 hash sha256
    set vpn ipsec ike-group IKE-1 proposal 1 dh-group 14

    set vpn ipsec esp-group ESP-1 proposal 1 encryption aes256
    set vpn ipsec esp-group ESP-1 proposal 1 hash sha256

  • Configure the peer (REMOTE_PUBLIC_IP is the other site’s public address and is also the peer name; LOCAL_PUBLIC_IP is this router’s WAN address; eth0 is your WAN interface)
    set vpn ipsec site-to-site peer REMOTE_PUBLIC_IP authentication mode pre-shared-secret
    set vpn ipsec site-to-site peer REMOTE_PUBLIC_IP authentication pre-shared-secret 'yourStrongPSK'
    set vpn ipsec site-to-site peer REMOTE_PUBLIC_IP ike-group IKE-1
    set vpn ipsec site-to-site peer REMOTE_PUBLIC_IP default-esp-group ESP-1
    set vpn ipsec site-to-site peer REMOTE_PUBLIC_IP local-address LOCAL_PUBLIC_IP
    set vpn ipsec site-to-site peer REMOTE_PUBLIC_IP tunnel 1 local prefix 192.168.1.0/24
    set vpn ipsec site-to-site peer REMOTE_PUBLIC_IP tunnel 1 remote prefix 10.1.0.0/24
    set vpn ipsec ipsec-interfaces interface eth0

  • Optional: enable IKEv2 (if your version supports it), Dead Peer Detection, and PFS
    set vpn ipsec ike-group IKE-1 key-exchange ikev2
    set vpn ipsec ike-group IKE-1 dead-peer-detection action restart
    set vpn ipsec ike-group IKE-1 dead-peer-detection interval 30
    set vpn ipsec ike-group IKE-1 dead-peer-detection timeout 120
    set vpn ipsec esp-group ESP-1 pfs enable

  • NAT exemption (avoid NAT between the VPN subnets)
    Note: Exact commands vary by version. In GUI terms, you’re exempting VPN-to-VPN traffic from NAT. On firmware that supports it, EdgeOS can add the exemption for you:
    set vpn ipsec auto-firewall-nat-exclude enable
    Otherwise, make sure your NAT rules exclude traffic between 192.168.1.0/24 and 10.1.0.0/24 so it is not NATed.

  • Save and apply
    commit
    save

  • Verification
    show vpn ipsec sa
    show vpn ipsec status
    show log | grep ipsec

Testing and validation

  • Basic checks

    • Confirm the tunnel shows as UP on both ends.
    • Ping across subnets from host to host on opposite sides.
    • If ICMP is blocked, test with a simple TCP/UDP check (e.g., ping a host where ICMP is allowed, or use a service you know is listening on both sides).
  • Troubleshooting tips

    • Double-check peer IPs and PSKs for both sides. A mismatch here is the most common failure.
    • Confirm that local and remote subnets don’t overlap.
    • Ensure the public IPs are reachable from each site no ISP-level blocks, no misconfigured NAT at the gateway.
    • Verify that the phase 1 and phase 2 settings (IKE group and ESP group) match on both sides.
    • Check firewalls to ensure IPsec traffic is allowed and that inter-site traffic is not blocked.

Common pitfalls and quick fixes

  • Mismatched subnets: verify both local-subnet and remote-subnet, and avoid any overlapping addresses.
  • Incorrect PSK or authentication method: ensure both sides use the same PSK and that the method is the same.
  • NAT traversal issues: if one side is behind a NAT, NAT-T must be enabled. If you’re not sure, enable NAT-T on both sides.
  • Firewall rules: allow IPsec ESP and IKE traffic through the appropriate interfaces. If tunnels establish but traffic doesn’t pass, zone-based or interface-level firewall settings are often the culprit.
  • Dynamic IPs: if a site has a dynamic public IP, use Dynamic DNS and ensure tunnel re-establishes when IPs change.
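The pitfalls above, and the mirror-the-other-side rule in both CLI walkthroughs on this page, are mechanical enough to check before committing. The following is an added example (not code from the guide or from Ubiquiti) that parses the two sites' EdgeOS set commands and reports a PSK mismatch, differing IKE/ESP proposals, peer and local-address that do not cross-reference, traffic selectors that are not mirrored, overlapping subnets, and a missing ipsec-interfaces binding; the Site A sample is constructed from the guide's placeholder addresses and Site B is derived from it, and the checker assumes one peer per config with a single tunnel 1.

```python
"""Consistency check for a Site A / Site B pair of EdgeOS site-to-site IPsec configs.
Added example; the sample config below is constructed from the guide's placeholders."""
import ipaddress
import re

PEER_PATH = ("vpn", "ipsec", "site-to-site", "peer")
IFACE_PATH = ("vpn", "ipsec", "ipsec-interfaces", "interface")

# Constructed Site A config (documentation addresses); Site B is derived from it below.
SITE_A = """
set vpn ipsec ike-group IKE-GROUP proposal 1 encryption aes128
set vpn ipsec ike-group IKE-GROUP proposal 1 hash sha256
set vpn ipsec ike-group IKE-GROUP proposal 1 dh-group 14
set vpn ipsec ike-group IKE-GROUP lifetime 3600
set vpn ipsec esp-group ESP-GROUP proposal 1 encryption aes128
set vpn ipsec esp-group ESP-GROUP proposal 1 hash sha256
set vpn ipsec esp-group ESP-GROUP lifetime 3600
set vpn ipsec esp-group ESP-GROUP pfs enable
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec site-to-site peer 198.51.100.2 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 198.51.100.2 authentication pre-shared-secret 'yoursharedkey'
set vpn ipsec site-to-site peer 198.51.100.2 ike-group IKE-GROUP
set vpn ipsec site-to-site peer 198.51.100.2 default-esp-group ESP-GROUP
set vpn ipsec site-to-site peer 198.51.100.2 local-address 203.0.113.1
set vpn ipsec site-to-site peer 198.51.100.2 tunnel 1 local prefix 192.168.10.0/24
set vpn ipsec site-to-site peer 198.51.100.2 tunnel 1 remote prefix 192.168.20.0/24
"""
WAN_A, WAN_B = "203.0.113.1", "198.51.100.2"
LAN_A, LAN_B = "192.168.10.0/24", "192.168.20.0/24"


def parse_set_lines(text):
    """Map each 'set <path...> <value>' line to {path tuple: value}, quotes stripped."""
    cfg = {}
    for raw in text.splitlines():
        tokens = raw.split()
        if len(tokens) > 2 and tokens[0] == "set":
            cfg[tuple(tokens[1:-1])] = tokens[-1].strip("'\"")
    return cfg


def mirror_site(text, wan_a, wan_b, lan_a, lan_b):
    """Build the other side's config: swap the WAN addresses and LAN prefixes in one pass."""
    swap = {wan_a: wan_b, wan_b: wan_a, lan_a: lan_b, lan_b: lan_a}
    pattern = "|".join(re.escape(k) for k in swap)
    return re.sub(pattern, lambda m: swap[m.group(0)], text)


def subtree(cfg, prefix):
    """Values below a path prefix, keyed by the remainder of the path."""
    n = len(prefix)
    return {k[n:]: v for k, v in cfg.items() if k[:n] == prefix}


def peer_view(cfg):
    """Collect the fields of the (single) peer that must agree with the other side."""
    peers = {k[4] for k in cfg if k[:4] == PEER_PATH}
    if len(peers) != 1:
        raise ValueError(f"expected exactly one peer, found {sorted(peers)}")
    peer = peers.pop()
    p = subtree(cfg, PEER_PATH + (peer,))
    return {
        "peer": peer,
        "local_address": p.get(("local-address",)),
        "psk": p.get(("authentication", "pre-shared-secret")),
        "ike": subtree(cfg, ("vpn", "ipsec", "ike-group", p.get(("ike-group",), ""))),
        "esp": subtree(cfg, ("vpn", "ipsec", "esp-group", p.get(("default-esp-group",), ""))),
        "local_prefix": p.get(("tunnel", "1", "local", "prefix")),
        "remote_prefix": p.get(("tunnel", "1", "remote", "prefix")),
        "bound_iface": cfg.get(IFACE_PATH),
    }


def check_pair(text_a, text_b):
    """Return human-readable findings; an empty list means the two sides agree."""
    a, b = peer_view(parse_set_lines(text_a)), peer_view(parse_set_lines(text_b))
    findings = []
    for name, side, other in (("A", a, b), ("B", b, a)):
        if side["peer"] != other["local_address"]:
            findings.append(f"site {name}: peer {side['peer']} is not the other side's "
                            f"local-address {other['local_address']}")
        if side["local_prefix"] != other["remote_prefix"]:
            findings.append(f"site {name}: local prefix {side['local_prefix']} is not mirrored "
                            f"as the other side's remote prefix {other['remote_prefix']}")
        if side["bound_iface"] is None:
            findings.append(f"site {name}: no 'vpn ipsec ipsec-interfaces interface', IKE will not listen")
    if a["psk"] != b["psk"]:
        findings.append("pre-shared-secret differs between the sites")
    for group in ("ike", "esp"):  # every proposal/lifetime/pfs value must match exactly
        for key in sorted(set(a[group]) | set(b[group])):
            if a[group].get(key) != b[group].get(key):
                path = " ".join(key)
                findings.append(f"{group}-group '{path}' differs: A={a[group].get(key)} B={b[group].get(key)}")
    try:
        net_a, net_b = ipaddress.ip_network(a["local_prefix"]), ipaddress.ip_network(b["local_prefix"])
        if net_a.overlaps(net_b):
            findings.append(f"local prefixes {net_a} and {net_b} overlap; traffic cannot be selected into the tunnel")
    except ValueError as exc:
        findings.append(f"unparseable prefix: {exc}")
    return findings


SITE_B = mirror_site(SITE_A, WAN_A, WAN_B, LAN_A, LAN_B)

if __name__ == "__main__":
    print("matched pair:", check_pair(SITE_A, SITE_B) or "no findings")
    broken = SITE_B.replace("'yoursharedkey'", "'wrongkey'").replace("dh-group 14", "dh-group 19")
    for finding in check_pair(SITE_A, broken):
        print("finding:", finding)
```

Paste the output of `show configuration commands | grep "vpn ipsec"` from each router into the two strings to run it against a real pair; a wrong PSK shows up here rather than as a tunnel that silently stays down.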

Security best practices

  • Use strong pre-shared keys and rotate them periodically.
  • Prefer newer IKE and ESP configurations when your devices support them (IKEv2 where possible, AES-256, SHA-256, and appropriate DH groups).
  • Keep EdgeOS firmware up to date to benefit from security patches and VPN improvements.
  • Limit VPN access to only what’s needed (least privilege for subnets and hosts).
  • Consider dividing traffic with separate tunnels for specific subnets if you have complex network needs.

Performance and maintenance tips

  • Hardware limits: EdgeRouter models differ in CPU and IPsec throughput. Plan VPN throughput accordingly, especially on 1 Gbps or faster links.
  • Use split tunneling when appropriate: send only required subnets through the VPN and route everything else locally to optimize performance.
  • Regularly review tunnel stats: monitor dropped packets, retransmits, and SA (security association) uptime to catch problems early.
  • If you have multiple sites, a failover strategy with two tunnels and monitoring helps keep services available.

Advanced topics you may encounter

  • Dual VPN tunnels for redundancy: configure two peers with different public IPs and set up both tunnels. If one goes down, the other can carry the traffic.
  • Dynamic DNS with dynamic IPs: set a DDNS client on the EdgeRouter so the peer can always find you even if your public IP changes.
  • Subnet planning for growth: if you intend to add more sites, plan your IP ranges with ample space to avoid future conflicts.

Frequently asked questions

What is a site-to-site VPN?

A site-to-site VPN connects two distinct networks over the internet, creating a secure tunnel so devices on one network can talk to devices on the other network as if they were on the same local network.

Does Ubiquiti EdgeRouter support IPsec site-to-site VPN?

Yes. EdgeRouter devices support IPsec-based site-to-site VPNs, and you can configure them via the GUI or the CLI.

How do I configure a site-to-site VPN on EdgeRouter using the GUI?

In the EdgeRouter UI, go to VPN > IPsec > Site-to-Site, add a new peer with the remote IP, set the PSK, choose IKE/ESP groups, specify local and remote subnets, and enable the tunnel. Save and apply, then test connectivity.

How do I configure a site-to-site VPN on EdgeRouter using the CLI?

Use the vpn ipsec commands to define IKE and ESP groups, configure the peer with the remote IP and PSK, set the local and remote subnets, and apply NAT exemption for VPN traffic. Then verify with show vpn ipsec sa and show vpn ipsec status.

How can I verify that the IPsec tunnel is up?

Check the tunnel status in the EdgeRouter UI or run show vpn ipsec sa and show vpn ipsec status from the CLI. You should see the peer listed as UP with active SAs that renegotiate on schedule.

What should I do if the tunnel shows UP but I can’t reach the remote subnet?

Double-check firewall rules, NAT exemptions, and static routes. Ensure there’s no overlapping subnet, and confirm that the direction of traffic matches the remote subnet definitions.

How do I troubleshoot mismatched subnets or PSK errors?

Verify both sides have identical local-subnet and remote-subnet values, and confirm the PSK is exactly the same on both sides. Re-enter PSK if necessary and re-establish the tunnel.

Can I use dynamic DNS with IPsec site-to-site VPN on EdgeRouter?

Yes, dynamic DNS helps when your public IP changes. Configure a DDNS client on the EdgeRouter and update the remote side with the new IP address as needed.

Should I use IKEv2 or IKEv1 for EdgeRouter VPNs?

If your devices and firmware support it, IKEv2 is generally preferred for its speed and reliability. If your hardware or firmware only supports IKEv1, configure it with strong algorithms (AES-256, SHA-256) and robust DH groups.

Do I need to disable NAT for VPN traffic on EdgeRouter?

Typically, yes: traffic between the two VPN subnets should bypass NAT. Use NAT exemption rules or the GUI’s built-in VPN NAT settings to ensure VPN traffic isn’t translated.

How can I improve VPN reliability for a branch office?

Use two tunnels to different public IPs for failover, ensure keepalive settings or DPD are enabled if supported, and monitor tunnel health with regular checks. Consider adding a simple, lightweight monitor on each site to alert you if a tunnel goes down.
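The hardened IKE/ESP groups recommended under Security best practices, combined with the dead peer detection mentioned in this answer, as one added CLI example that is not part of the original guide. IKE_GROUP, ESP_GROUP and REMOTE_PUBLIC_IP are placeholders for the names used in your own configuration; the lifetimes and DPD timers are reasonable starting values, not EdgeOS defaults.

```text
configure
# Constructed example: IKEv2 with AES-256, SHA-256 and DH group 14 (2048-bit MODP),
# PFS on the ESP group, and DPD that restarts the tunnel when the peer stops answering.
set vpn ipsec ike-group IKE_GROUP key-exchange ikev2
set vpn ipsec ike-group IKE_GROUP lifetime 28800
set vpn ipsec ike-group IKE_GROUP proposal 1 dh-group 14
set vpn ipsec ike-group IKE_GROUP proposal 1 encryption aes256
set vpn ipsec ike-group IKE_GROUP proposal 1 hash sha256
# Probe every 30 s; after 120 s of silence tear down and re-initiate.
set vpn ipsec ike-group IKE_GROUP dead-peer-detection action restart
set vpn ipsec ike-group IKE_GROUP dead-peer-detection interval 30
set vpn ipsec ike-group IKE_GROUP dead-peer-detection timeout 120
# Phase 2: shorter lifetime, fresh DH exchange per rekey.
set vpn ipsec esp-group ESP_GROUP lifetime 3600
set vpn ipsec esp-group ESP_GROUP pfs dh-group14
set vpn ipsec esp-group ESP_GROUP proposal 1 encryption aes256
set vpn ipsec esp-group ESP_GROUP proposal 1 hash sha256
# Bind both groups to the peer; tunnel 1 is the subnet pair defined earlier.
set vpn ipsec site-to-site peer REMOTE_PUBLIC_IP ike-group IKE_GROUP
set vpn ipsec site-to-site peer REMOTE_PUBLIC_IP tunnel 1 esp-group ESP_GROUP
commit
save
exit
```

Both routers must carry identical proposals, lifetimes and DPD settings; a lifetime or DH-group mismatch is a frequent reason a tunnel negotiates once and then drops at the first rekey.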

What should I do if the VPN tunnel won’t come up after a firmware update?

Firmware updates can occasionally change default settings. Re-check IKE/ESP group settings, PSK, and local/remote subnet definitions. If possible, compare working backups of the configuration to identify what changed.

Is there a performance trade-off when enabling IPsec on EdgeRouter?

Yes, encryption and decryption require CPU resources. If you’re hitting throughput limits, consider reducing the number of tunnels or adjusting the traffic you send through the VPN, and ensure you’re running firmware optimized for VPN performance.

Conclusion

This guide gives you a solid, real-world approach to configuring a site-to-site VPN with Ubiquiti EdgeRouter devices. The combination of GUI and CLI options means you can choose the path you’re most comfortable with, and the troubleshooting and best practices sections will help you keep tunnels up and secure. As with any network setup, plan carefully, document your subnet design, and test thoroughly. The result is a reliable, secure channel that makes two remote networks feel like they’re on the same LAN.

