Site-to-site VPN with Ubiquiti and Cisco router

One of my customers asked me to set up a site-to-site VPN with his home Ubiquiti router. I said "Yeah sure, we can try..." and it wasn't very hard to accomplish. Keep in mind that a site-to-site IPsec VPN with dynamic peers terminating on a Cisco router in parallel with EasyVPN (Cisco VPN client) users is not possible! In this case the company is using SSL VPN for the road warriors, so this was no problem here. First, I configured the Cisco router at the headquarters. The IP subnet at home is 192.168.200.0/24:

! Phase 1 parameters (IKEv1; hash defaults to SHA-1, lifetime to 86400 s)
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2

! Phase 2 parameters
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec security-association lifetime seconds 28800

! Pre-shared key for all dynamic VPN partners (0.0.0.0 = any peer address)
crypto isakmp key MYSECRETPASSWORD address 0.0.0.0 no-xauth
crypto dynamic-map DynamicNetworks 10
 description VPN from dynamic IPs
 set transform-set ESP-AES-SHA
 set pfs group2
 match address homeoffice1

! Crypto ACL: which traffic goes into the tunnel (local subnets -> home subnet)
ip access-list extended homeoffice1
 permit ip 192.168.10.0 0.0.0.255 192.168.200.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 192.168.200.0 0.0.0.255
 permit ip 192.168.40.0 0.0.0.255 192.168.200.0 0.0.0.255

! Bind the dynamic map to the crypto map and apply it on the WAN interface
crypto map CompanyMap 210 ipsec-isakmp dynamic DynamicNetworks

interface GigabitEthernet0/1
 description WAN Interface
 crypto map CompanyMap
The Cisco router is now able to respond to dynamic VPN peers. Keep in mind to exempt the VPN traffic from NAT ("no-nat"), otherwise you can't reach the remote network.

After that I logged into the Ubiquiti web interface and saw a very simple GUI 🙂 so I connected to the shell via SSH and found the commands for the VPN parameters that the GUI doesn't expose. After some tries, here's my final config:

configure

set vpn ipsec auto-firewall-nat-exclude enable

# Phase 1 Parameters
set vpn ipsec ike-group MyCompany lifetime 86400
set vpn ipsec ike-group MyCompany proposal 1 dh-group 2
set vpn ipsec ike-group MyCompany proposal 1 encryption aes128
set vpn ipsec ike-group MyCompany proposal 1 hash sha1

# Phase 2 Parameters
set vpn ipsec esp-group MyCompany lifetime 28800
set vpn ipsec esp-group MyCompany pfs dh-group2
set vpn ipsec esp-group MyCompany proposal 1 encryption aes128
set vpn ipsec esp-group MyCompany proposal 1 hash sha1

# PreSharedKey (11.22.33.44 is an example for the fixed VPN gateway IP address)
set vpn ipsec site-to-site peer 11.22.33.44 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 11.22.33.44 authentication pre-shared-secret MYSECRETPASSWORD
set vpn ipsec site-to-site peer 11.22.33.44 description MyCompany

set vpn ipsec site-to-site peer 11.22.33.44 local-address any
set vpn ipsec site-to-site peer 11.22.33.44 ike-group MyCompany

# Tunnel Definitions
set vpn ipsec site-to-site peer 11.22.33.44 tunnel 1 esp-group MyCompany
set vpn ipsec site-to-site peer 11.22.33.44 tunnel 1 local prefix 192.168.200.0/24
set vpn ipsec site-to-site peer 11.22.33.44 tunnel 1 remote prefix 192.168.10.0/24
set vpn ipsec site-to-site peer 11.22.33.44 tunnel 2 esp-group MyCompany
set vpn ipsec site-to-site peer 11.22.33.44 tunnel 2 local prefix 192.168.200.0/24
set vpn ipsec site-to-site peer 11.22.33.44 tunnel 2 remote prefix 192.168.20.0/24
set vpn ipsec site-to-site peer 11.22.33.44 tunnel 3 local prefix 192.168.200.0/24
set vpn ipsec site-to-site peer 11.22.33.44 tunnel 3 remote prefix 192.168.40.0/24
set vpn ipsec site-to-site peer 11.22.33.44 tunnel 3 esp-group MyCompany

commit
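The most common reason such a tunnel refuses to come up is a mismatch between the two sides: a Phase 2 selector (Cisco crypto ACL entry vs. EdgeOS tunnel local/remote prefix) that doesn't line up, or a cipher, hash, PFS group or lifetime that differs. The following script, an added example and not part of the original post or any vendor tool, parses excerpts of the two configurations above (embedded as constructed strings, with the post's placeholder peer address 11.22.33.44) and reports which selectors and Phase 2 parameters don't agree. It converts the IOS wildcard masks to prefixes and reverses the EdgeOS local/remote pairs so both sides are compared in the same orientation.

```python
import ipaddress
import re

# Constructed excerpts of the two configs from the post (Cisco side, EdgeOS side).
CISCO_CONFIG = """
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec security-association lifetime seconds 28800
crypto dynamic-map DynamicNetworks 10
 set transform-set ESP-AES-SHA
 set pfs group2
 match address homeoffice1
ip access-list extended homeoffice1
 permit ip 192.168.10.0 0.0.0.255 192.168.200.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 192.168.200.0 0.0.0.255
 permit ip 192.168.40.0 0.0.0.255 192.168.200.0 0.0.0.255
"""

EDGEOS_CONFIG = """
set vpn ipsec esp-group MyCompany lifetime 28800
set vpn ipsec esp-group MyCompany pfs dh-group2
set vpn ipsec esp-group MyCompany proposal 1 encryption aes128
set vpn ipsec esp-group MyCompany proposal 1 hash sha1
set vpn ipsec site-to-site peer 11.22.33.44 tunnel 1 local prefix 192.168.200.0/24
set vpn ipsec site-to-site peer 11.22.33.44 tunnel 1 remote prefix 192.168.10.0/24
set vpn ipsec site-to-site peer 11.22.33.44 tunnel 2 local prefix 192.168.200.0/24
set vpn ipsec site-to-site peer 11.22.33.44 tunnel 2 remote prefix 192.168.20.0/24
set vpn ipsec site-to-site peer 11.22.33.44 tunnel 3 local prefix 192.168.200.0/24
set vpn ipsec site-to-site peer 11.22.33.44 tunnel 3 remote prefix 192.168.40.0/24
"""

ACL_RE = re.compile(r"^\s*permit ip (\S+) (\S+) (\S+) (\S+)\s*$")
TUNNEL_RE = re.compile(r"tunnel (\d+) (local|remote) prefix (\S+)")


def wildcard_to_network(addr, wildcard):
    """Turn an IOS 'address wildcard' pair into an ipaddress network (0.0.0.255 -> /24)."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def cisco_selectors(config):
    """Set of (source, destination) networks permitted by the crypto ACL."""
    selectors = set()
    for line in config.splitlines():
        m = ACL_RE.match(line)
        if m:
            selectors.add((wildcard_to_network(m.group(1), m.group(2)),
                           wildcard_to_network(m.group(3), m.group(4))))
    return selectors


def edgeos_selectors(config):
    """Set of (remote, local) networks per tunnel, i.e. in the Cisco ACL's orientation."""
    tunnels = {}
    for line in config.splitlines():
        m = TUNNEL_RE.search(line)
        if m:
            tunnels.setdefault(m.group(1), {})[m.group(2)] = ipaddress.ip_network(m.group(3))
    return {(t["remote"], t["local"]) for t in tunnels.values()
            if "local" in t and "remote" in t}


def selector_mismatches(cisco, edgeos):
    """Selectors present on only one side; both sets empty means Phase 2 selectors agree."""
    c, e = cisco_selectors(cisco), edgeos_selectors(edgeos)
    return {"cisco_only": c - e, "edgeos_only": e - c}


def cisco_phase2(config):
    """Normalise the IOS transform-set, PFS group and SA lifetime to EdgeOS vocabulary."""
    enc = re.search(r"transform-set \S+ esp-(aes(?: 256)?|3des)", config).group(1)
    hsh = re.search(r"esp-(sha|md5)-hmac", config).group(1)
    pfs = re.search(r"set pfs group(\d+)", config).group(1)
    life = re.search(r"security-association lifetime seconds (\d+)", config).group(1)
    return {"encryption": {"aes": "aes128", "aes 256": "aes256", "3des": "3des"}[enc],
            "hash": {"sha": "sha1", "md5": "md5"}[hsh],
            "pfs": f"dh-group{pfs}", "lifetime": int(life)}


def edgeos_phase2(config, group="MyCompany"):
    """Read the EdgeOS esp-group values that correspond to cisco_phase2()."""
    def grab(key):
        return re.search(rf"esp-group {group} (?:proposal 1 )?{key} (\S+)", config).group(1)
    return {"encryption": grab("encryption"), "hash": grab("hash"),
            "pfs": grab("pfs"), "lifetime": int(grab("lifetime"))}


def phase2_mismatches(cisco, edgeos):
    """Parameter names whose normalised values differ between the two sides."""
    c, e = cisco_phase2(cisco), edgeos_phase2(edgeos)
    return {k: (c[k], e[k]) for k in c if c[k] != e[k]}


if __name__ == "__main__":
    print("selector mismatches:", selector_mismatches(CISCO_CONFIG, EDGEOS_CONFIG))
    print("phase 2 mismatches:", phase2_mismatches(CISCO_CONFIG, EDGEOS_CONFIG))
```

Run it against the configs as posted and both reports come back empty; change one remote prefix on the EdgeOS side (say 192.168.40.0/24 to 192.168.50.0/24) and the script names the ACL entry that has no matching tunnel, which is exactly what `debug crypto ipsec` would otherwise make you dig out of a "proxy identities not supported" message.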

You can also connect a Ubiquiti router to a Sophos UTM or any other IPsec VPN gateway the same way. Maybe this tutorial is useful for someone 🙂 have fun!
