A site-to-site VPN between two EdgeRouter X devices is possible using IPsec, which EdgeOS implements with strongSwan. This guide provides a practical, step-by-step approach to planning, configuring, and validating a site-to-site IPsec VPN between two EdgeRouter X devices. Whether you’re linking two branch offices or creating a secure virtual private network between your home lab and a remote site, you’ll find concrete steps, real-world tips, and troubleshooting help. For added protection on end-user devices and remote workers (which a site-to-site tunnel does not cover), you can also look at a consumer VPN service such as NordVPN, which currently advertises a 77% OFF + 3 Months Free offer.
Useful resources (unlinked, plain text):
– EdgeRouter X Documentation – ubnt.com
– IPsec VPN Concepts – cisco.com
– StrongSwan Documentation – strongswan.org
– NIST SP 800-77 Guide to IPsec – nist.gov
– Networking subnets and CIDR basics – en.wikipedia.org/wiki/IPv4_subnetting
– Home lab VPN best practices – reddit.com/r/homelab
What you’ll learn in this guide
– How IPsec site-to-site VPN works on EdgeRouter X
– How to plan addressing, subnets, and WAN considerations
– A step-by-step GUI-based and CLI-based setup you can follow on real devices
– How to verify tunnels, monitor connections, and troubleshoot common issues
– Security practices: PSK vs certificates, encryption and integrity, firewall rules, and NAT
– Common pitfalls and performance considerations for EdgeRouter X
Prerequisites and what you need
– Two EdgeRouter X devices (ER-X) with current EdgeOS firmware
– Two public Internet endpoints with either static or dynamic IPs (dynamic is workable with DDNS)
– A defined IP address plan for each site (subnets that won’t overlap)
– An admin account on both EdgeRouter X devices
– A decision on authentication: pre-shared key (PSK) or certificates
– Basic familiarity with the EdgeOS GUI and CLI (SSH or console)
Pro tip: If you want extra protection for your users and devices beyond the site-to-site tunnel, you can pair this setup with a trusted VPN service for remote devices. NordVPN currently offers a deal (77% OFF + 3 Months Free); see the introduction if you want to explore that option.
What site-to-site IPsec VPN on EdgeRouter X means
– Your two networks (for example, 192.168.10.0/24 and 192.168.20.0/24) are connected through a secure IPsec tunnel over the Internet.
– Traffic destined for the remote subnet is encrypted automatically by the tunnel.
– You typically configure Phase 1 (IKE) and Phase 2 (IPsec) proposals, a pre-shared key or certificates, a local and remote subnet, and the tunnel endpoints (the public IPs of each site).
Common terms you’ll see
– IKE Phase 1: establishes a secure channel, often IKEv2 with AES-256 and SHA-256
– IPsec Phase 2: handles the actual encryption of traffic between subnets
– Local/Remote Subnet: the networks on each side participating in the VPN
– PSK (pre-shared key) or certificates: authentication methods
– NAT traversal (NAT-T): needed if one or both sites sit behind NAT
Design and planning: network layout and addressing
– Site A: local network A (example: 192.168.10.0/24)
– Site B: local network B (example: 192.168.20.0/24)
– Site A WAN IP: A.B.C.D (public)
– Site B WAN IP: W.X.Y.Z (public)
– If either site has a private IP on its WAN interface (i.e., sits behind NAT) or a dynamic address, use a DDNS service and a VPN setup that can handle dynamic WANs
– Ensure subnets don’t overlap with other internal networks or with the VPN’s own subnets
– Decide on authentication: PSK is easier to start with; certificates are more scalable in larger deployments
– Pick encryption and integrity: AES-256 and SHA-256 are common, with a DH group such as modp2048 (DH group 14)
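The two planning rules that cause the most trouble later are the non-overlap requirement and the “is my WAN address really public?” question. The following script is an added example (not from the original guide) that checks an addressing plan before any router is touched: LAN prefixes of all sites must not overlap each other or other internal networks, and a WAN endpoint that falls in an RFC 1918 or CGNAT range means NAT is in the path, so DDNS and NAT-T must be planned for. Site names and addresses are constructed sample values; Site C is deliberately wrong to show what the check reports.

```python
"""Validate a site-to-site IPsec addressing plan (added example, not from
the original guide). All site names and addresses are constructed."""
import ipaddress
from itertools import combinations

# Address ranges that cannot be reached directly across the Internet:
# RFC 1918 private space plus RFC 6598 carrier-grade NAT space.
NOT_PUBLIC = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

# Constructed sample plan. Site C's LAN overlaps Site A's and its WAN
# address is private, so both problems should be reported.
SAMPLE_PLAN = {
    "Site A": {"lan": "192.168.10.0/24", "wan": "203.0.113.1"},
    "Site B": {"lan": "192.168.20.0/24", "wan": "203.0.113.2"},
    "Site C": {"lan": "192.168.10.128/25", "wan": "10.0.0.5"},
}
# Constructed: another internal network (e.g. a management VLAN) that no
# VPN subnet may collide with.
OTHER_INTERNAL = ["10.10.0.0/16"]


def is_behind_nat(addr: str) -> bool:
    """True if the WAN address is in private/CGNAT space (NAT in the path)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NOT_PUBLIC)


def validate_plan(plan: dict, other_internal=()) -> list[str]:
    """Return the problems found in an addressing plan; empty list = OK."""
    problems = []
    nets = {}
    for site, cfg in plan.items():
        # strict=True rejects host bits in a prefix (e.g. 192.168.10.1/24)
        nets[site] = ipaddress.ip_network(cfg["lan"], strict=True)
        if is_behind_nat(cfg["wan"]):
            problems.append(f"{site}: WAN {cfg['wan']} is not a public address; "
                            "plan for DDNS and NAT-T")
    # Every pair of site LANs must be disjoint
    for (sa, na), (sb, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):
            problems.append(f"{sa} LAN {na} overlaps {sb} LAN {nb}")
    # Site LANs must also stay clear of other internal networks
    for extra in other_internal:
        en = ipaddress.ip_network(extra, strict=True)
        for site, n in nets.items():
            if n.overlaps(en):
                problems.append(f"{site} LAN {n} overlaps internal network {en}")
    return problems


if __name__ == "__main__":
    for p in validate_plan(SAMPLE_PLAN, OTHER_INTERNAL):
        print("PROBLEM:", p)
```

Run it against your own plan by editing SAMPLE_PLAN; an empty result means the prefixes can be used as-is in the local/remote subnet fields of both routers.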
Security note: Always keep EdgeOS firmware up to date. Newer firmware versions include security patches and improved IPsec handling.
Step-by-step configuration guide (controller-friendly)
Important: These steps assume two EdgeRouter X devices (Site A and Site B). The UI labels may vary slightly by firmware version, but the concepts stay the same.
# Part 1: Prepare Site A EdgeRouter X
1 Log in to the EdgeRouter X web UI (https://192.168.1.1 or the device’s IP).
2 Navigate to VPN > IPsec Site-to-Site.
3 Create a new tunnel/peer:
– Peer IP: remote WAN IP of Site B (e.g., 203.0.113.2)
– Local WAN IP: your Site A public IP (auto-filled)
– Authentication: Pre-Shared Secret (PSK)
– PSK: your strong shared secret
– Local Subnet: 192.168.10.0/24
– Remote Subnet: 192.168.20.0/24
4 IKE Phase 1 settings:
– IKE version: IKEv2
– Encryption: AES-256
– Integrity: SHA-256
– DH Group: MODP 2048
– DH group naming varies slightly by firmware (some show ‘modp2048’; the CLI uses ‘dh-group 14’ for the same group)
5 IPsec Phase 2 settings:
– Protocol: ESP
6 Enable the IPsec interface or auto-firewall rules if your EdgeOS version supports them
7 Save/apply changes
# Part 2: Prepare Site B EdgeRouter X
Repeat the same steps, swapping in the opposite ends:
– Peer IP: Site A’s WAN IP
– Local Subnet: 192.168.20.0/24
– Remote Subnet: 192.168.10.0/24
– PSK: Use the identical pre-shared secret
– IKE and IPsec settings the same (IKEv2, AES-256, SHA-256, MODP 2048)
# Part 3: Wire up routing and firewall rules
– Ensure the VPN tunnel’s traffic is allowed by firewall policies. You may need to permit ESP (IPsec) and ISAKMP (IKE) traffic between the sites.
– Create or adjust firewall rules so that traffic from 192.168.10.0/24 to 192.168.20.0/24 and vice versa is allowed through the VPN interface.
– If you use NAT on either side, avoid NAT for VPN traffic to prevent double-NAT issues.
– Add static routes or dynamic routing if you have multiple networks so that devices know to reach the remote subnet via the VPN tunnel interface.
# Part 4: Verification and monitoring
– Use the EdgeRouter UI to view tunnel status and the IKE/IPsec status page.
– From Site A, test connectivity to 192.168.20.0/24 devices (ping, traceroute, etc.).
– Use the CLI for deeper visibility if needed:
– show vpn ipsec sa or show vpn ipsec status for current SA status
– show vpn ike sa to see IKE SA status
– tail -f /var/log/messages | grep ipsec (Linux-style logs)
– If the tunnel isn’t up, re-check:
– PSK mismatch
– Local/Remote subnet definitions
– Public IP addresses and firewall rules
– IKEv2 support on both sides
– NAT traversal status if behind NAT
# Part 5: CLI-based sample configuration high-level
EdgeRouter X uses the EdgeOS CLI. Below is a high-level outline you can adapt; commands may vary by firmware version, so consult the EdgeOS documentation for exact syntax. Enter configuration mode with configure first. FOO0 is a placeholder group name and A.B.C.D is Site A’s WAN IP.
– Define the IKE and ESP groups (Phase 1 and Phase 2 proposals) and a site-to-site peer (Site B, configured from Site A):
  set vpn ipsec ike-group FOO0 key-exchange ikev2
  set vpn ipsec ike-group FOO0 proposal 1 encryption aes256
  set vpn ipsec ike-group FOO0 proposal 1 hash sha256
  set vpn ipsec ike-group FOO0 proposal 1 dh-group 14
  set vpn ipsec esp-group FOO0 proposal 1 encryption aes256
  set vpn ipsec esp-group FOO0 proposal 1 hash sha256
  set vpn ipsec site-to-site peer 203.0.113.2 authentication mode pre-shared-secret
  set vpn ipsec site-to-site peer 203.0.113.2 authentication pre-shared-secret ‘YOURPSK’
  set vpn ipsec site-to-site peer 203.0.113.2 local-address A.B.C.D
  set vpn ipsec site-to-site peer 203.0.113.2 ike-group FOO0
  set vpn ipsec site-to-site peer 203.0.113.2 tunnel 1 esp-group FOO0
  set vpn ipsec site-to-site peer 203.0.113.2 tunnel 1 local prefix 192.168.10.0/24
  set vpn ipsec site-to-site peer 203.0.113.2 tunnel 1 remote prefix 192.168.20.0/24
  set vpn ipsec auto-firewall-nat-exclude enable
– The last line lets EdgeOS add the firewall and NAT-exclusion rules for the tunnel automatically; without it, add the rules from Part 3 by hand.
– Ensure the IKE and ESP groups match on both sides (encryption, integrity, DH group)
– Apply firewall rules to permit VPN traffic if needed
– Commit and save (commit ; save)
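The CLI outline above is typed once per router, and Part 2 asks you to repeat it with the ends swapped; most tunnels that refuse to come up have one side that was not swapped correctly or a PSK that differs by a character. The following script is an added example (it is not from the original guide or from Ubiquiti) that renders the EdgeOS set commands for both routers from a single shared definition, and then cross-checks two command lists the way a troubleshooter would (PSK equality, mirrored local/remote prefixes, peer vs. local-address, overlapping LANs). The command forms follow Ubiquiti’s EdgeOS documentation but must be verified against your firmware version; the group names IKE0/ESP0, the WAN_LOCAL rule numbers, the site addresses and the PSK are constructed placeholders. Because parse_peer reads plain set lines, the checker can also be fed the output of show configuration commands from two real routers.

```python
"""Render both ends of an EdgeOS site-to-site IPsec tunnel from one
definition and cross-check them (added example, not from the guide).
Group names, rule numbers, addresses and PSK are placeholders."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    name: str
    wan_ip: str  # this site's public address (constructed sample values below)
    lan: str     # LAN prefix behind this site's router


def render_side(local: Site, remote: Site, psk: str,
                ike: str = "IKE0", esp: str = "ESP0") -> list[str]:
    """EdgeOS `set` commands for one router: IKE/ESP groups, peer, firewall."""
    peer = f"set vpn ipsec site-to-site peer {remote.wan_ip}"
    fw = "set firewall name WAN_LOCAL rule"  # ruleset guarding the router itself
    return [
        # Phase 1: IKEv2, AES-256, SHA-256, DH group 14 (modp2048)
        f"set vpn ipsec ike-group {ike} key-exchange ikev2",
        f"set vpn ipsec ike-group {ike} proposal 1 encryption aes256",
        f"set vpn ipsec ike-group {ike} proposal 1 hash sha256",
        f"set vpn ipsec ike-group {ike} proposal 1 dh-group 14",
        # Phase 2: ESP with AES-256/SHA-256 and PFS
        f"set vpn ipsec esp-group {esp} proposal 1 encryption aes256",
        f"set vpn ipsec esp-group {esp} proposal 1 hash sha256",
        f"set vpn ipsec esp-group {esp} pfs enable",
        # Keep tunnel traffic out of the masquerade rules (avoids double NAT)
        "set vpn ipsec auto-firewall-nat-exclude enable",
        # Peer: the other side's WAN IP; our LAN is 'local', theirs is 'remote'
        f"{peer} authentication mode pre-shared-secret",
        f"{peer} authentication pre-shared-secret '{psk}'",
        f"{peer} local-address {local.wan_ip}",
        f"{peer} ike-group {ike}",
        f"{peer} tunnel 1 esp-group {esp}",
        f"{peer} tunnel 1 local prefix {local.lan}",
        f"{peer} tunnel 1 remote prefix {remote.lan}",
        # Accept IKE (UDP 500, 4500 for NAT-T) and ESP from the peer only
        f"{fw} 30 action accept", f"{fw} 30 protocol udp",
        f"{fw} 30 source address {remote.wan_ip}",
        f"{fw} 30 destination port 500,4500",
        f"{fw} 31 action accept", f"{fw} 31 protocol esp",
        f"{fw} 31 source address {remote.wan_ip}",
    ]


_PEER_RE = re.compile(r"^set vpn ipsec site-to-site peer (\S+) (.+)$")


def parse_peer(cmds: list[str]) -> dict:
    """Extract peer settings from `set` lines (render_side output or a
    router's `show configuration commands`). Assumes a single peer."""
    found = {}
    for line in cmds:
        m = _PEER_RE.match(line.strip())
        if not m:
            continue
        found["peer"], rest = m.group(1), m.group(2)
        for key, prefix in (("psk", "authentication pre-shared-secret "),
                            ("local_address", "local-address "),
                            ("local_prefix", "tunnel 1 local prefix "),
                            ("remote_prefix", "tunnel 1 remote prefix ")):
            if rest.startswith(prefix):
                found[key] = rest[len(prefix):].strip("'\"")
    return found


def check_pair(cmds_a: list[str], cmds_b: list[str]) -> list[str]:
    """Mismatches to check first when a tunnel will not come up.
    Empty list means the two ends are consistent."""
    a, b = parse_peer(cmds_a), parse_peer(cmds_b)
    problems = []
    if a.get("psk") != b.get("psk"):
        problems.append("PSK differs between the two ends")
    if (a.get("local_prefix") != b.get("remote_prefix")
            or b.get("local_prefix") != a.get("remote_prefix")):
        problems.append("local/remote prefixes are not mirrored")
    if a.get("peer") != b.get("local_address") or b.get("peer") != a.get("local_address"):
        problems.append("peer address does not match the other side's local-address")
    if "local_prefix" in a and "remote_prefix" in a and ipaddress.ip_network(
            a["local_prefix"]).overlaps(ipaddress.ip_network(a["remote_prefix"])):
        problems.append("local and remote prefixes overlap")
    return problems


# Constructed sample sites (documentation addresses, not real endpoints)
SITE_A = Site("Site A", "203.0.113.1", "192.168.10.0/24")
SITE_B = Site("Site B", "203.0.113.2", "192.168.20.0/24")
SAMPLE_PSK = "replace-with-a-long-random-secret-0123456789"  # placeholder

if __name__ == "__main__":
    cfg_a = render_side(SITE_A, SITE_B, SAMPLE_PSK)
    cfg_b = render_side(SITE_B, SITE_A, SAMPLE_PSK)
    print("\n".join(cfg_a))
    print("problems:", check_pair(cfg_a, cfg_b))
```

The firewall rules are scoped to the peer’s WAN address rather than opening UDP 500/4500 and ESP to the whole Internet; if the remote side has a dynamic address, drop the source-address lines and rely on IKE authentication instead.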
# Part 6: Security considerations and best practices
– Use IKEv2 wherever possible for better security and stability.
– Prefer certificate-based authentication for larger deployments. PSK is simpler for small setups but less scalable.
– Use AES-256 and SHA-256 to keep data integrity strong; consider enabling Perfect Forward Secrecy (PFS) with a 2048-bit DH group (modp2048) or higher.
– Regularly review firewall rules and keep your routers updated.
– If you have remote users, consider a separate VPN solution for client-to-site access in addition to your site-to-site tunnel.
Common issues and troubleshooting tips
– Tunnel not coming up after configuration:
– Double-check PSK and ensure it’s identical on both ends
– Verify the remote-subnet and local-subnet definitions don’t conflict
– Confirm both WAN IPs are reachable from the other site (test with ping from a remote host)
– Handshake failures (IKE):
– Confirm the IKE version (IKEv2 vs IKEv1) is the same on both sides
– Make sure encryption/integrity algorithms match
– Traffic not routing through the tunnel:
– Ensure the VPN interface is in the correct routing table
– Verify firewall rules permit traffic across the VPN
– Ensure there are no conflicting NAT rules affecting VPN traffic
– Dynamic IP addresses on WAN:
– Use a dynamic DNS service on both ends or a VPN-friendly DDNS provider
– Some setups re-resolve the remote peer’s hostname periodically; ensure your configuration accounts for IP changes
– Performance concerns:
– EdgeRouter X has limited CPU power. Its crypto performance is decent for its class, but heavy traffic might saturate the router
– Consider limiting the tunnel to required subnets or using multiple smaller tunnels if needed
– Multi-site mesh considerations:
– For three or more sites, you’ll want a hub-and-spoke or full-mesh topology; manage routing tables carefully to avoid loops or redundant paths
Security and monitoring best practices
– Keep the PSK strong (long, unique, random) and rotate keys periodically.
– If you’re managing many tunnels, consider switching to certificate-based IKE authentication.
– Enable logging for VPN events and review periodically.
– Use MFA for admin access on the EdgeRouter UI to reduce risk of compromise.
– Separate the management network (admin VLAN) from VPN traffic if possible.
Performance and real-world expectations
– The EdgeRouter X is a compact router with decent throughput for small to medium sites, but you’ll want to monitor CPU usage if you push through heavy VPN traffic. Real-world throughput depends on encryption settings and the number of tunnels.
– For small offices connecting two sites with a few dozen hosts, IPsec site-to-site on ER-X typically performs well with AES-256 and SHA-256 in IKEv2.
– If you require more headroom or more complex topologies (e.g., more sites, more VPNs, or client VPNs), you may want to consider higher-end EdgeOS devices or dedicated VPN appliances.
How to extend this setup (optional)
– Client-to-site access: If you need remote workers to reach the internal network securely, set up an IPsec or OpenVPN client on EdgeRouter X for a separate remote access VPN.
– Redundancy: For critical sites, implement a backup gateway or failover routing so the tunnel can be re-established automatically if a WAN link fails.
– Monitoring: Use SNMP, NetFlow, or a simple packet-capture to observe VPN health and traffic patterns.
– Logging: Centralize logs to a SIEM or a syslog server for easier incident response.
Frequently Asked Questions
# What is an IPsec site-to-site VPN?
An IPsec site-to-site VPN creates a secure, encrypted tunnel between two networks over the public Internet, allowing devices on one network to communicate with devices on the other as if they were on the same local network.
# Can EdgeRouter X do IPsec site-to-site without extra hardware?
Yes. EdgeRouter X supports IPsec site-to-site VPN using EdgeOS. You configure a tunnel between two ER-X devices or other IPsec-capable peers using IKE and IPsec policies.
# Should I use PSK or certificates for authentication?
For small deployments, PSK is easier. For larger or scalable deployments, certificate-based authentication is more secure and easier to manage.
# What if my WAN IPs are dynamic?
Use dynamic DNS (DDNS) to keep a stable endpoint on each side. Many EdgeRouter devices support configuring DDNS/Dynamic IP update clients.
# How do I verify an IPsec tunnel on EdgeRouter X?
Check the tunnel status in the EdgeOS UI under VPN > IPsec Site-to-Site, and use CLI commands like show vpn ipsec sa and show vpn ike sa to inspect active SAs and IKE sessions.
# What subnets should I use for the local and remote networks?
Choose non-overlapping subnets for each site, such as 192.168.10.0/24 at Site A and 192.168.20.0/24 at Site B. Avoid overlapping addresses with other internal networks and the VPN itself.
# Do I need a public IP for both sites?
Typically yes, each site needs a reachable public IP or a stable DDNS hostname so the peers can connect. If one side is behind NAT, ensure NAT-T is enabled and port forwarding is configured if necessary.
# How secure is IPsec vs OpenVPN on EdgeRouter X?
IPsec is generally faster on EdgeRouter X and well-suited for site-to-site interconnects. OpenVPN can be used for client access or alternative site-to-site setups, but performance and feature parity depend on firmware and configuration.
# Can I run VPNs on both ends behind NAT?
Yes, with NAT-T (NAT Traversal) enabled, IPsec can work when one or both sides sit behind NAT. Ensure the router is configured to support NAT-T and that firewall rules permit the necessary ESP and IKE traffic.
# How do I handle multiple sites in a hub-and-spoke model?
Plan a hub site that connects to each spoke or create a mesh of tunnels. You’ll need careful routing rules so traffic uses the correct tunnels and avoids routing loops.
# How do I troubleshoot if the tunnel drops randomly?
Check logs for VPN events, verify the uptime of the IKE SA, confirm there are no IP conflicts, monitor WAN health, and consider adjusting DPD (Dead Peer Detection) or re-key intervals. Also ensure your PSK/certificates haven’t expired.
# Can NordVPN be used to connect two EdgeRouter X devices directly?
NordVPN and similar consumer/prosumer VPN services aren’t typically used for site-to-site interconnects between EdgeRouter X devices. They’re more suited to secure remote access for individual devices. For site-to-site interconnects, IPsec or other enterprise-grade VPN software is recommended. If you want to explore VPN services for remote clients, you can read about consumer VPN options like NordVPN and consider its benefits for individual devices.
# Is EdgeRouter X enough for a three-site VPN?
EdgeRouter X can handle two sites well; for three or more sites, you might run into performance or management limits. In that case, you can still use EdgeRouter X at the edge sites and consider a central aggregator router or higher-end EdgeRouter models to manage multiple tunnels with better throughput and simpler routing.
# What are the best practices for firewall rules with a site-to-site VPN?
– Allow IPsec (ISAKMP/IKE and ESP) traffic between the VPN peers.
– Permit traffic between the local and remote subnets across the VPN interface.
– Avoid NAT for VPN traffic unless required and carefully configure NAT exemptions.
– Keep management interfaces isolated and protected.
# How often should I rotate the pre-shared key?
Consider rotating PSKs every 6–12 months, or sooner if you suspect a compromise or if your security policy requires it. For larger deployments, certificate rotation and management should be automated.
# What’s the best way to document this setup?
Create a network diagram showing site A and site B subnets, the VPN peers, the local and remote networks, and firewall rules. Maintain a written record of PSKs or certificate details, IKE/IPsec settings, and any dynamic DNS configuration. Document testing steps and results so you can reproduce the setup if you replace hardware or firmware.