Edgerouter site-to-site vpn setup guide: how to configure IPsec tunnels between branches on EdgeRouter, best practices, and troubleshooting
An EdgeRouter site-to-site VPN is a practical and scalable way to connect two or more networked sites securely over the internet using IPsec on EdgeRouter devices. This guide covers the fundamentals, a step-by-step setup (GUI and CLI), best practices, troubleshooting, performance tips, and real-world examples so you can get your branches talking safely in no time. If you’re evaluating extra protection for remote access or want a hardened backbone between offices, this post has you covered.
What is an EdgeRouter site-to-site VPN?
Site-to-site VPN on an EdgeRouter creates a secure tunnel between two separate private networks over the public internet. It uses IPsec to encrypt traffic as it travels between sites, so devices on one side can talk to devices on the other as if they were on the same LAN. EdgeRouter devices (including popular models like EdgeRouter X, EdgeRouter 4, and EdgeRouter Infinity) support IPsec in a way that’s approachable for small businesses and tech enthusiasts alike. In practice, you’ll set up an IPsec tunnel with a remote peer, define the local and remote networks, and then ensure traffic routes through the tunnel.
Key ideas to keep in mind:
– You’ll configure an IKE (Internet Key Exchange) group to establish a secure tunnel and an ESP (Encapsulating Security Payload) group to define how data is encrypted.
– You’ll specify a peer (the remote site’s public IP) and either a pre-shared key (PSK) or certificate-based authentication.
– You’ll carve out the local network (the LAN behind this EdgeRouter) and the remote network (the LAN behind the other EdgeRouter) so the tunnel knows which traffic to encrypt.
Why use a site-to-site VPN on EdgeRouter
– Centralized control: One device can secure multiple branch connections with scalable, policy-based routing.
– Cost-effective: No MPLS or leased lines needed for many small-to-mid-size outfits.
– Flexibility: You can choose the encryption strength, tunnel lifetimes, and whether you want split-tunnel or full-tunnel routing.
– Security: IPsec with modern ciphers like AES-256-GCM provides strong protection; you can also enforce granular firewall rules at each site.
Industry data points you might find helpful:
– When configured with modern ciphers (AES-256-GCM, SHA-256), IPsec tunnels show robust performance across typical branch scenarios, though throughput depends on model, CPU cores, and whether features like tunnel keepalives are enabled.
– EdgeRouter models vary by hardware acceleration; newer devices tend to deliver higher IPsec throughput with lower latency. For planning, consult the specific model’s data sheet and EdgeOS release notes.
– For reliability, IKEv2 tends to be more robust on unstable WANs than IKEv1, especially with automatic rekey and NAT-Traversal enabled.
Prerequisites and planning
Before you spin up a site-to-site VPN, do a quick planning pass:
– Public IPs: You need a stable public IP on each site (static is ideal; dynamic can be handled with dynamic DNS plus a failover).
– Local networks: Decide your internal subnets (e.g., Site A 192.168.10.0/24, Site B 192.168.20.0/24). Ensure there’s no overlapping addressing.
– Firewall rules: Determine what traffic you want allowed across the tunnel and what needs NAT; typically, you’ll only NAT outbound traffic to the internet, not traffic across the VPN.
– MTU and fragmentation: VPN tunnels introduce overhead. Expect an MTU slightly lower than 1500, often around 1460–1472 depending on encapsulation and path MTU discovery.
– Authentication: Decide between pre-shared key (PSK) and certificate-based authentication. PSK is simpler for small deployments; certificate-based scales better in larger environments.
– MTU/fragmentation testing: Plan to test ping and traceroute across the tunnel to verify there’s no MTU-related fragmentation.
Choosing the right VPN protocol and security settings
– Protocol: IPsec with IKEv2 is the common default for stability and fast rekey behavior. IKEv1 is older and less common now, though it’s still supported on some devices.
– Encryption: AES-256 is a standard choice. AES-128 can be used if you’re constrained by CPU, but AES-256-GCM provides both encryption and integrity in one operation.
– Integrity: SHA-256 or SHA-384 are good defaults; avoid legacy hashes like SHA-1 for new deployments.
– DH group: Use strong Diffie-Hellman groups (e.g., group 14 for 2048-bit MODP, or elliptic-curve groups such as 19 (256-bit) or 20) when available.
– PFS: Enable Perfect Forward Secrecy (PFS) for child SA keys; typical values are group 14 or higher.
– IKE modes: Prefer IKEv2; if you must run IKEv1, use Main Mode rather than Aggressive Mode for security and reliability.
– NAT-T: If either site sits behind NAT, ensure NAT Traversal (NAT-T) is enabled so IKE/ESP can negotiate through NAT devices.
– Dead Peer Detection and keepalives: Enable to quickly detect broken tunnels and reestablish them.
Step-by-step guide: configure EdgeRouter for a site-to-site VPN
Note: You can implement these steps either via the EdgeOS GUI or through the CLI. The exact syntax can vary slightly by firmware version, so always cross-check with the latest EdgeOS docs. Below is a practical blueprint you can adapt.
# Step 1 – Gather real data and plan addresses
– Site A LAN: 192.168.10.0/24
– Site B LAN: 192.168.20.0/24
– Site A public IP: a.b.c.d
– Site B public IP: w.x.y.z
– Decide if you want full-tunnel or split-tunnel (full-tunnel routes all traffic across the VPN; split-tunnel only routes traffic destined for the remote network).
# Step 2 – Create IKE and ESP groups (high-level)
– IKE group: AES256, SHA256, DH group 14, lifetime 28800 seconds
– ESP group: AES256-GCM or AES256 with SHA256, lifetime 3600 seconds
# Step 3 – Define the VPN peer and PSK or certificate
– Peer at Site B: w.x.y.z
– PSK: a strong random secret (never reuse one across tunnels)
– If you’re using certificates, define the CA, a certificate for each edge, and map them to the peer
# Step 4 – Local and remote networks
– Local network: 192.168.10.0/24 (Site A)
– Remote network: 192.168.20.0/24 (Site B)
# Step 5 – Configure the tunnels
– Define tunnel 1 (the primary tunnel) with the above IKE/ESP groups
– Bind the tunnel to the correct interfaces if you have multiple WAN connections
– Include a local-subnet-to-remote-subnet route mapping
# Step 6 – Firewall rules and NAT
– Create firewall rules to permit IKE (UDP 500) and NAT-T (UDP 4500) traffic to and from the VPN peer
– Block unmanaged traffic on the tunnel unless you want it to pass through
– If you’re using split-tunnel, ensure only the remote subnet is allowed to traverse the VPN
# Step 7 – Apply and test
– Save the configuration
– Bring up the tunnel and monitor status
– Verify with ping/traceroute:
– From Site A: ping 192.168.20.1 (example gateway on Site B)
– From Site B: ping 192.168.10.1 (example gateway on Site A)
– Look for an “ESTABLISHED” IPsec SA state and traffic flowing in both directions
# Step 8 – Monitoring and validation
– Check IPsec SA counters to confirm data is moving across the tunnel
– Verify that specified LAN subnets can reach each other
– Confirm that routing is correct both ways and that edge firewall rules don’t block the traffic
# GUI (EdgeOS Web UI) steps (high-level)
– Go to VPN > IPsec > IKE Groups: create a new group with AES-256, SHA-256, DH Group 14
– Create ESP Groups: define the ESP suite AES-256-GCM or AES-256 with SHA-256
– Add a new IPsec Peer: enter Site B’s public IP, select the IKE Group, set the authentication method to PSK, and enter the PSK
– Set Local & Remote Networks: define Site A LAN on the local side and Site B LAN on the remote side
– Configure VPN Policies: add a tunnel using the peer, binding to the correct interfaces
– Firewall and NAT: add rules to allow IPsec and ensure NAT doesn’t interfere with the tunnel
– Apply and test with the built-in status indicators
# CLI steps (EdgeOS)
– Access the EdgeRouter via SSH or console
– Define IKE and ESP groups
– Configure the IPsec peer with PSK and remote LAN
– Create routing rules to push traffic through the tunnel
– Enable the tunnel and verify status
Note: Exact commands vary by firmware; refer to EdgeRouter CLI references for precise syntax.
# Example scenario (conceptual, not copy-paste)
– Create an IKE group with encryption aes256, hash sha256, diffie-hellman group 14
– Create an ESP group with encryption aes256-gcm and integrity via the same or stronger hash
– Peer 1.2.3.4 with PSK: “your-strong-psk”
– Local net 192.168.10.0/24; remote net 192.168.20.0/24
– Enable the tunnel, ensure NAT-T is on if you’re behind NAT, and test connectivity
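To turn the plan from Steps 1–5 and the scenario above into something checkable, here is an added example (not from the original post and not Ubiquiti’s code) that validates the two-site plan for the pitfalls discussed later (overlapping LANs, weak DH group, legacy hash) and then emits the EdgeOS configure-mode `set` commands for an IKEv2 PSK tunnel with PFS. The `set vpn ipsec ...` syntax is assumed to follow Ubiquiti’s documented EdgeOS site-to-site IPsec configuration, so confirm it against your firmware; the addresses are documentation ranges standing in for real public IPs.

```python
import ipaddress
PLAN = {  # constructed sample; documentation address ranges stand in for real IPs
    "wan_if": "eth0", "group": "SITEB", "ike_lifetime": 28800, "esp_lifetime": 3600,
    "local_ip": "203.0.113.10", "peer_ip": "198.51.100.20",
    "local_lan": "192.168.10.0/24", "remote_lan": "192.168.20.0/24",
    "ike": {"encryption": "aes256", "hash": "sha256", "dh-group": 14},
    "esp": {"encryption": "aes256", "hash": "sha256"},
}

def validate_plan(plan):
    """Return planning errors; an empty list means the plan is usable."""
    errors = []
    try:
        local = ipaddress.ip_network(plan["local_lan"], strict=True)
        remote = ipaddress.ip_network(plan["remote_lan"], strict=True)
        if local.overlaps(remote):
            errors.append("local and remote LANs overlap")
    except ValueError as exc:
        errors.append(f"bad LAN prefix: {exc}")
    if plan["ike"]["dh-group"] < 14:
        errors.append("IKE DH group below 14 is too weak")
    if "sha1" in (plan["ike"]["hash"], plan["esp"]["hash"]):
        errors.append("SHA-1 is a legacy hash; use sha256 or stronger")
    return errors

def edgeos_commands(plan, psk):
    """EdgeOS configure-mode 'set' commands for one IKEv2 PSK tunnel with PFS."""
    if errs := validate_plan(plan):
        raise ValueError("fix plan errors first: " + "; ".join(errs))
    g, peer = plan["group"], f"vpn ipsec site-to-site peer {plan['peer_ip']}"
    cmds = [f"set vpn ipsec ike-group {g} key-exchange ikev2",
            f"set vpn ipsec ike-group {g} lifetime {plan['ike_lifetime']}"]
    # Proposal values must be identical on both sites or negotiation fails.
    cmds += [f"set vpn ipsec ike-group {g} proposal 1 {k} {v}" for k, v in plan["ike"].items()]
    cmds += [f"set vpn ipsec esp-group {g} lifetime {plan['esp_lifetime']}",
             f"set vpn ipsec esp-group {g} pfs enable"]  # PFS reuses the IKE DH group
    cmds += [f"set vpn ipsec esp-group {g} proposal 1 {k} {v}" for k, v in plan["esp"].items()]
    cmds += [
        f"set vpn ipsec ipsec-interfaces interface {plan['wan_if']}",
        "set vpn ipsec auto-firewall-nat-exclude enable",  # keep NAT off tunnel traffic
        f"set {peer} authentication mode pre-shared-secret",
        f"set {peer} authentication pre-shared-secret {psk}",
        f"set {peer} local-address {plan['local_ip']}",
        f"set {peer} ike-group {g}",
        f"set {peer} tunnel 1 esp-group {g}",
        f"set {peer} tunnel 1 local prefix {plan['local_lan']}",
        f"set {peer} tunnel 1 remote prefix {plan['remote_lan']}",
    ]
    return cmds
```

Run the same script with the two sites swapped to produce Site B’s commands, and paste each list into `configure` followed by `commit` and `save`.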
Testing and validation
– Verify tunnel status: you should see a tunnel in an ESTABLISHED state when traffic is flowing
– Check IPsec stats: confirm how many packets have been encrypted/decrypted, dropped, or rekeyed
– Validate routing: make a host-to-host test across the VPN and confirm traffic hits the expected interfaces
– Failover test: if you have multiple WANs, simulate a WAN drop to ensure the tunnel fails over gracefully, then returns to normal when the WAN comes back
Common pitfalls and how to fix them
– IP address overlaps: ensure there’s no conflict between internal subnets across sites
– PSK mismatch: recheck the shared secret on both sides
– Mismatched IKE/ESP settings: AES-256 vs AES-128, SHA-256 vs SHA-1; ensure both sides match
– NAT-T issues: enable NAT-Traversal if behind NAT devices; verify public IPs are reachable
– Firewall blocks: ensure UDP 500, UDP 4500 and the ESP protocol (if not using NAT-T) are allowed
– Traffic not routed across VPN: confirm routes on both sides point to the VPN tunnel for the remote network
– MTU fragmentation: tune MTU/MSS if you see dropped packets or fragmentation logs
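To put numbers on the MTU point above (and the MTU note in the planning section), here is an added calculator, not from the original post, that works out tunnel-mode ESP overhead from the RFC 4303 packet layout for AES-CBC with HMAC-SHA-256 and for AES-GCM, with and without NAT-T, and derives the largest inner packet that avoids fragmentation plus the matching TCP MSS clamp. The suite names and per-suite byte sizes are assumptions stated in the comments; the WAN MTU of 1500 is the constructed input.

```python
# Tunnel-mode ESP overhead per packet, in bytes (RFC 4303 layout).
OUTER_IP, NAT_T_UDP, ESP_HDR, PAD_TRAILER = 20, 8, 8, 2  # trailer = pad length + next header
SUITES = {  # assumed IV length, payload alignment and ICV length for each suite label
    "aes256-sha256": {"iv": 16, "align": 16, "icv": 16},  # AES-CBC + HMAC-SHA-256-128
    "aes256gcm128":  {"iv": 8,  "align": 4,  "icv": 16},  # AES-GCM with 128-bit ICV
}

def esp_packet_size(inner_len, suite, nat_t):
    """Wire size of an inner IP packet of inner_len bytes once ESP-encapsulated."""
    s = SUITES[suite]
    padded = -(-(inner_len + PAD_TRAILER) // s["align"]) * s["align"]  # round up to alignment
    return OUTER_IP + (NAT_T_UDP if nat_t else 0) + ESP_HDR + s["iv"] + padded + s["icv"]

def max_inner_mtu(wan_mtu, suite, nat_t):
    """Largest inner packet whose ESP packet still fits the WAN MTU (no fragmentation)."""
    n = wan_mtu
    while esp_packet_size(n, suite, nat_t) > wan_mtu:
        n -= 1
    return n

def tcp_mss_clamp(wan_mtu, suite, nat_t):
    """TCP MSS to clamp on the LAN side: inner MTU minus the 20-byte IPv4 and TCP headers."""
    return max_inner_mtu(wan_mtu, suite, nat_t) - 40

if __name__ == "__main__":
    for suite in SUITES:
        for nat_t in (False, True):
            print(f"{suite:14} {'NAT-T' if nat_t else 'ESP  '} inner MTU "
                  f"{max_inner_mtu(1500, suite, nat_t)}  MSS {tcp_mss_clamp(1500, suite, nat_t)}")
```

If a host pings the far side with a payload that makes the inner packet larger than the computed inner MTU and the don’t-fragment bit set, the ping fails, which is the quickest way to confirm the figure on a live tunnel.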
Performance considerations and optimization
– Choose strong, hardware-friendly ciphers: AES-256-GCM often gives good performance on EdgeRouter devices
– Opt for IKEv2: generally more robust on dynamic networks and supports better rekey behavior
– Enable PFS: improves security during key renegotiations but can affect throughput; measure the impact and adjust
– Keep-alive settings: use DPD (Dead Peer Detection) and keepalives to maintain a healthy tunnel in imperfect networks
– Split-tunnel vs full-tunnel: if you don’t need all traffic to go through the VPN, split-tunnel can improve overall site performance
– Regular firmware updates: EdgeOS updates often include performance and security improvements for IPsec
Real-world use cases
– Small business with two offices: site A uses 192.168.10.0/24, site B uses 192.168.20.0/24; traffic between servers in both networks is required for backups and shared resources.
– Remote data center: a data center connected to a remote office for backup replication and cross-site access to a central registry.
– Branch-to-branch connectivity in retail: a corporate HQ connects securely to multiple store locations for POS systems and central inventory management.
Security best practices
– Use a strong PSK or switch to certificate-based authentication for larger deployments
– Disable weak ciphers and move to AES-256-GCM/SHA-256 combos
– Enforce strong firewall policies and segment VPN traffic from public interfaces
– Regularly review VPN logs for failed attempts and unexpected tunnel resets
– Back up EdgeRouter configurations after successful VPN setups
– Keep firmware updated to mitigate known IPsec vulnerabilities
Monitoring, logging, and maintenance
– Enable logging for IPsec events and monitor with your preferred syslog server
– Schedule periodic checks of tunnel status and SA counts
– Back up configuration files, especially after significant VPN changes
– Test failover scenarios if you have multiple WANs to ensure the tunnel re-establishes cleanly
Frequently Asked Questions
# What is a site-to-site VPN on EdgeRouter?
A site-to-site VPN on EdgeRouter connects two separate networks over the internet using IPsec so devices on one site can talk to devices on the other as if they were on the same LAN.
# Do I need public static IPs for both sites?
Static public IPs are ideal because they simplify the VPN setup and reduce rekeying problems. DynDNS or similar services can work if you’re ready to handle occasional IP changes, but it adds complexity.
# Which EdgeRouter models support IPsec site-to-site VPN?
Most EdgeRouter models (EdgeRouter X, EdgeRouter 4, EdgeRouter 6/8, EdgeRouter Infinity) support IPsec site-to-site VPN. Always check the current EdgeOS version and model capabilities in the official docs.
# Should I use IKEv2 or IKEv1?
IKEv2 is preferred for modern setups due to better stability, faster rekeying, and compatibility with NAT-T in most networks.
# What cryptographic settings should I use?
AES-256 for encryption, SHA-256 for integrity, and a DH group of at least 14 (2048-bit) are solid defaults. Consider AES-256-GCM for performance and security when possible.
# How do I verify that traffic is actually crossing the VPN tunnel?
Use IPsec status commands in EdgeOS or the GUI’s VPN status page to confirm SA up, monitor traffic counters, and run cross-site pings or traceroutes to verify routes.
# How do I troubleshoot a tunnel that shows DOWN or INACTIVE?
Check PSK mismatches, ensure the remote public IP is reachable, verify UDP 500/4500 are open, confirm there’s no local firewall blocking, and re-check the IKE/ESP proposals on both sides for alignment.
# Can I use certificates instead of a pre-shared key?
Yes. Certificate-based authentication scales better for larger deployments and can improve security by not sharing a single PSK across devices.
# How can I optimize for performance?
Enable AES-256-GCM, use IKEv2, enable PFS, test with split-tunnel if appropriate, and ensure your EdgeRouter firmware is up to date. For higher throughput, consider hardware-accelerated models and optimize MTU to minimize fragmentation.
# Is NAT necessary for site-to-site VPN?
NAT is not strictly necessary for the tunnel itself, but NAT-T is often required when one or both sites are behind NAT devices. Make sure NAT is configured so that it does not rewrite traffic destined for the tunnel and break VPN flows.
# How do I handle multiple sites in a hub-and-spoke VPN topology?
Treat the hub EdgeRouter as the central IPsec peer and create separate site-to-site tunnels to each spoke. Use routing policies to ensure traffic routes through the hub where needed.
# What are common security mistakes with EdgeRouter IPsec?
Weak PSKs, reusing PSKs across sites, using outdated ciphers, leaving firewall rules too permissive, and not segmenting VPN traffic from the internet-facing interface.
# How often should I test and update VPN configurations?
Test after any firmware upgrade or major network change, and review security settings at least once per year. Periodic audits help prevent drift and vulnerabilities.
If you’re looking to take your network security further while you set up or maintain edge-to-edge VPNs, this content aims to give you a solid, practical foundation plus the troubleshooting mindset you’ll rely on in real-world deployments.