One of my customers asked me to set up a site-to-site VPN with his home Ubiquiti router. I said "Yeah sure, we can try..." and it wasn't very hard to accomplish. A site-to-site IPsec VPN with dynamic peers to a Cisco router in parallel with EasyVPN Cisco VPN users is not possible! In this case the company uses SSL VPN for the road warriors, so that was no problem here. First, I configured the Cisco router at the headquarters. The IP subnet at home is 192.168.200.0/24:
# Phase 1 Parameter
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
# Phase 2 Parameter
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec security-association lifetime seconds 28800
# PreSharedKey for all dynamic VPN partners
crypto isakmp key MYSECRETPASSWORD address 0.0.0.0 no-xauth
crypto dynamic-map DynamicNetworks 10
 description VPN from dynamic IPs
 set transform-set ESP-AES-SHA
 set pfs group2
 match address homeoffice1
ip access-list extended homeoffice1
 permit ip 192.168.10.0 0.0.0.255 192.168.200.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 192.168.200.0 0.0.0.255
 permit ip 192.168.40.0 0.0.0.255 192.168.200.0 0.0.0.255
crypto map CompanyMap 210 ipsec-isakmp dynamic DynamicNetworks
interface GigabitEthernet0/1
 description WAN Interface
 crypto map CompanyMap
The Cisco router is now able to react to dynamic VPN peers. Keep in mind to exclude the VPN traffic from NAT ("no-nat"), otherwise you can't reach the remote network.
After that I logged into the Ubiquiti web interface and saw a very simple GUI :) so I connected to the shell via SSH and found the commands for configuring the VPN parameters that the GUI does not expose. After some tries, here's my final config:
configure
set vpn ipsec auto-firewall-nat-exclude enable
# Phase 1 Parameters
set vpn ipsec ike-group MyCompany lifetime 86400
set vpn ipsec ike-group MyCompany proposal 1 dh-group 2
set vpn ipsec ike-group MyCompany proposal 1 encryption aes128
set vpn ipsec ike-group MyCompany proposal 1 hash sha1
# Phase 2 Parameters
set vpn ipsec esp-group MyCompany lifetime 28800
set vpn ipsec esp-group MyCompany pfs dh-group2
set vpn ipsec esp-group MyCompany proposal 1 encryption aes128
set vpn ipsec esp-group MyCompany proposal 1 hash sha1
# PreSharedKey (11.22.33.44 is an example for the fixed VPN gateway IP address)
set vpn ipsec site-to-site peer 11.22.33.44 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 11.22.33.44 authentication pre-shared-secret MYSECRETPASSWORD
set vpn ipsec site-to-site peer 11.22.33.44 description MyCompany
set vpn ipsec site-to-site peer 11.22.33.44 local-address any
set vpn ipsec site-to-site peer 11.22.33.44 ike-group MyCompany
# Tunnel Definitions
set vpn ipsec site-to-site peer 11.22.33.44 tunnel 1 esp-group MyCompany
set vpn ipsec site-to-site peer 11.22.33.44 tunnel 1 local prefix 192.168.200.0/24
set vpn ipsec site-to-site peer 11.22.33.44 tunnel 1 remote prefix 192.168.10.0/24
set vpn ipsec site-to-site peer 11.22.33.44 tunnel 2 esp-group MyCompany
set vpn ipsec site-to-site peer 11.22.33.44 tunnel 2 local prefix 192.168.200.0/24
set vpn ipsec site-to-site peer 11.22.33.44 tunnel 2 remote prefix 192.168.20.0/24
set vpn ipsec site-to-site peer 11.22.33.44 tunnel 3 local prefix 192.168.200.0/24
set vpn ipsec site-to-site peer 11.22.33.44 tunnel 3 remote prefix 192.168.40.0/24
set vpn ipsec site-to-site peer 11.22.33.44 tunnel 3 esp-group MyCompany
commit
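The most common reason such a tunnel does not come up is a mismatch between the two sides: a different DH group, hash or cipher in phase 1 or phase 2, or a Cisco ACL entry that has no mirrored tunnel on the EdgeRouter (the ACL is written from the headquarters' view, the EdgeRouter tunnels from the home network's view). The script below is an added example, not part of this post or of either vendor's tooling: it parses the relevant lines of both configs above, normalises the vendor spellings (the mapping tables and the IOS defaults "encr aes" = 128 bit and hash = SHA-1 are my assumptions) and reports every mismatch. The sample configs embedded in it are copied from this post.

```python
# Added example (not from the post): cross-check a Cisco IOS dynamic crypto map against
# the EdgeRouter site-to-site peer, so proposals and traffic selectors agree on both sides.
import ipaddress
import re

# Assumed vendor-to-neutral spellings (IOS defaults: "encr aes" = 128 bit, hash = sha1)
CISCO_ENC = {"aes": "aes128", "aes 192": "aes192", "aes 256": "aes256", "3des": "3des"}
CISCO_HASH = {"sha": "sha1", "md5": "md5", "esp-sha-hmac": "sha1", "esp-md5-hmac": "md5"}
KEYS = ("ike_enc", "ike_hash", "ike_dh", "esp_enc", "esp_hash", "pfs")
NAMES = {"dh-group": "dh", "encryption": "enc", "hash": "hash"}
IKE_RE = re.compile(r"set vpn ipsec ike-group \S+ proposal 1 (dh-group|encryption|hash) (\S+)")
ESP_RE = re.compile(r"set vpn ipsec esp-group \S+ (?:proposal 1 )?(pfs|encryption|hash) (\S+)")
TUN_RE = re.compile(r"set vpn ipsec site-to-site peer \S+ tunnel (\d+) (local|remote) prefix (\S+)")

# Constructed sample input: the relevant lines of the two configs shown in the post.
CISCO_CONFIG = """
crypto isakmp policy 10
 encr aes
 group 2
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto dynamic-map DynamicNetworks 10
 set pfs group2
ip access-list extended homeoffice1
 permit ip 192.168.10.0 0.0.0.255 192.168.200.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 192.168.200.0 0.0.0.255
 permit ip 192.168.40.0 0.0.0.255 192.168.200.0 0.0.0.255
"""
EDGEROUTER_CONFIG = """
set vpn ipsec ike-group MyCompany proposal 1 dh-group 2
set vpn ipsec ike-group MyCompany proposal 1 encryption aes128
set vpn ipsec ike-group MyCompany proposal 1 hash sha1
set vpn ipsec esp-group MyCompany pfs dh-group2
set vpn ipsec esp-group MyCompany proposal 1 encryption aes128
set vpn ipsec esp-group MyCompany proposal 1 hash sha1
set vpn ipsec site-to-site peer 11.22.33.44 tunnel 1 local prefix 192.168.200.0/24
set vpn ipsec site-to-site peer 11.22.33.44 tunnel 1 remote prefix 192.168.10.0/24
set vpn ipsec site-to-site peer 11.22.33.44 tunnel 2 local prefix 192.168.200.0/24
set vpn ipsec site-to-site peer 11.22.33.44 tunnel 2 remote prefix 192.168.20.0/24
set vpn ipsec site-to-site peer 11.22.33.44 tunnel 3 local prefix 192.168.200.0/24
set vpn ipsec site-to-site peer 11.22.33.44 tunnel 3 remote prefix 192.168.40.0/24
"""

def wildcard_to_network(address, wildcard):
    """Convert a Cisco 'address wildcard' pair into an ip_network (0.0.0.255 -> /24)."""
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{address}/{netmask}")

def parse_cisco(text, acl_name):
    """Return (params, selectors): normalised proposals and the ACL's (src, dst) networks."""
    params, selectors, in_acl = {"ike_enc": "aes128", "ike_hash": "sha1"}, [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("ip access-list extended"):
            in_acl = line.split()[-1] == acl_name
        elif in_acl and line.startswith("permit ip "):
            _, _, src, src_wc, dst, dst_wc = line.split()
            selectors.append((wildcard_to_network(src, src_wc), wildcard_to_network(dst, dst_wc)))
        elif line.startswith("encr "):
            params["ike_enc"] = CISCO_ENC[line[5:]]
        elif line.startswith("hash "):
            params["ike_hash"] = CISCO_HASH[line[5:]]
        elif line.startswith("group "):
            params["ike_dh"] = line.split()[1]
        elif line.startswith("set pfs "):
            params["pfs"] = "dh-" + line.split()[2]  # IOS "group2" -> EdgeOS "dh-group2"
        elif line.startswith("crypto ipsec transform-set "):
            toks = line.split()[4:]
            for i, tok in enumerate(toks):
                if tok == "esp-aes":  # an optional key size may follow; IOS default is 128
                    params["esp_enc"] = "aes" + (toks[i + 1] if i + 1 < len(toks) and toks[i + 1].isdigit() else "128")
                elif tok == "esp-3des":
                    params["esp_enc"] = "3des"
                elif tok.endswith("-hmac"):
                    params["esp_hash"] = CISCO_HASH[tok]
    return params, selectors

def parse_edgerouter(text):
    """Return (params, tunnels): normalised proposals and {tunnel_no: {"local", "remote"}}."""
    params, tunnels = {}, {}
    for line in (raw.strip() for raw in text.splitlines()):
        if m := IKE_RE.match(line):
            params["ike_" + NAMES[m.group(1)]] = m.group(2)
        elif m := ESP_RE.match(line):
            params["pfs" if m.group(1) == "pfs" else "esp_" + NAMES[m.group(1)]] = m.group(2)
        elif m := TUN_RE.match(line):
            tunnels.setdefault(int(m.group(1)), {})[m.group(2)] = ipaddress.ip_network(m.group(3))
    return params, tunnels

def check_configs(cisco_text, acl_name, edgerouter_text):
    """Return human-readable mismatches; an empty list means both sides agree."""
    c_params, c_sel = parse_cisco(cisco_text, acl_name)
    e_params, e_tun = parse_edgerouter(edgerouter_text)
    problems = [f"{k}: cisco={c_params.get(k)} edgerouter={e_params.get(k)}"
                for k in KEYS if c_params.get(k) != e_params.get(k)]
    # The Cisco ACL is written from HQ's view (src = HQ net, dst = home net), the EdgeRouter
    # tunnel from home's view (local = home, remote = HQ), so the pairs are mirrored.
    e_pairs = {(t["remote"], t["local"]) for t in e_tun.values() if "remote" in t and "local" in t}
    problems += [f"no EdgeRouter tunnel for ACL entry {s} -> {d}" for s, d in c_sel if (s, d) not in e_pairs]
    problems += [f"no ACL entry for EdgeRouter tunnel {d} <- {s}" for s, d in e_pairs if (s, d) not in c_sel]
    return problems

if __name__ == "__main__":
    for msg in check_configs(CISCO_CONFIG, "homeoffice1", EDGEROUTER_CONFIG) or ["OK: both sides agree"]:
        print(msg)
```

Run it as-is and it reports that the two configs from this post agree; change one side (for example the EdgeRouter's dh-group or a tunnel's remote prefix) and every resulting difference is listed. Because the Cisco side accepts any peer address with the shared key, the ACL entries and the tunnel prefixes are what actually decide which networks the tunnel carries, so keeping them in sync is worth the check.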
You can also connect a Ubiquiti router to a Sophos UTM or any other VPN gateway. Maybe this tutorial is useful for someone :) have fun!