EdgeRouter 4: IPSec, S2S vpn
-
@gtech said in EdgeRouter 4: IPSec, S2S vpn:
@JaredBusch This is very detailed. I am going through it, thanks. Should have mentioned my needs: VPN for a few things as needed. I will be setting up a few VLANs, namely default, phones, camera, guest, staff (internet only), IT, etc. I know the Meraki has a VLAN for VPN clients, so wondering if I should have the same on the ER4?
That was for site to site connections.
If you need roaming staff, then you want L2TP.
set vpn l2tp remote-access authentication local-users username usera password PasswordUserA
set vpn l2tp remote-access authentication local-users username userb password PasswordUserB
set vpn l2tp remote-access authentication local-users username userc password 'PasswordU$erC'
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access authentication require mschap-v2
set vpn l2tp remote-access client-ip-pool start 10.254.203.2
set vpn l2tp remote-access client-ip-pool stop 10.254.203.10
set vpn l2tp remote-access dhcp-interface eth0
set vpn l2tp remote-access dns-servers server-1 8.8.8.8
set vpn l2tp remote-access dns-servers server-2 8.8.4.4
set vpn l2tp remote-access idle 1800
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret SomeLongPSKGoesHere
set vpn l2tp remote-access ipsec-settings ike-lifetime 3600
set vpn l2tp remote-access ipsec-settings lifetime 3600
set vpn l2tp remote-access mtu 1492
-
@scottalanmiller good point
-
@JaredBusch I saw that, sure the info will come in useful for future projects. This weekend hopefully I can move to the ER4 with no major issues. All I am left to do is move firewall rules/port forwards across to the ER4 and set up VPN.
-
I appreciate the config @JaredBusch this'll come in handy when I deploy ER's on both sides.
For now I'm still searching for a solution: ER (on one side) <--> Meraki MX (on the other side).
-
@FATeknollogee said in EdgeRouter 4: IPSec, S2S vpn:
For now I'm still searching for a solution: ER (on one side) <--> Meraki MX (on the other side).
Ugh, that won't be any fun.
-
@FATeknollogee said in EdgeRouter 4: IPSec, S2S vpn:
I appreciate the config @JaredBusch this'll come in handy when I deploy ER's on both sides.
For now I'm still searching for a solution: ER (on one side) <--> Meraki MX (on the other side).
Change the authentication in ER to PSK.
set vpn ipsec site-to-site peer site.domain.com authentication mode pre-shared-secret
set vpn ipsec site-to-site peer site.domain.com authentication pre-shared-secret ex3VRe3FAGv769sGwrpLPhqQ
set vpn ipsec site-to-site peer site.domain.com connection-type initiate
set vpn ipsec site-to-site peer site.domain.com description 'HQ to PSK Site A'
set vpn ipsec site-to-site peer site.domain.com ike-group myike
set vpn ipsec site-to-site peer site.domain.com ikev2-reauth inherit
set vpn ipsec site-to-site peer site.domain.com local-address 123.123.123.123
set vpn ipsec site-to-site peer site.domain.com tunnel 1 allow-nat-networks disable
set vpn ipsec site-to-site peer site.domain.com tunnel 1 allow-public-networks disable
set vpn ipsec site-to-site peer site.domain.com tunnel 1 esp-group myesp
set vpn ipsec site-to-site peer site.domain.com tunnel 1 local prefix 10.254.103.0/24
set vpn ipsec site-to-site peer site.domain.com tunnel 1 remote prefix 10.254.0.0/24
And then change the IKE and ESP sections from the last post to match WTF ever the Meraki uses.
-
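A way to sanity-check the two configs above before committing them, as an added example that is not part of the thread and not Ubiquiti's code: it parses EdgeOS-style `set` lines into a nested tree and lints the security-relevant fields (mschap-v2 required for L2TP, pre-shared-secret and user-password length, ike-group and esp-group assigned, local/remote prefixes present and not overlapping). The sample config, the hostname site.example.com, the address 192.0.2.10, the placeholder secrets and the length thresholds are all this example's own assumptions.

```python
"""Parse EdgeOS-style `set ...` commands into a nested dict and lint the VPN
settings for weak or incomplete choices.  Added example for this thread; it is
not Ubiquiti code and does not talk to a router."""
import ipaddress
import shlex

# Constructed sample in the shape of the two configs posted in the thread, with a
# deliberately short L2TP secret and one short user password so there is
# something to report.  Hostname, address and secrets are placeholders.
SAMPLE = """
set vpn l2tp remote-access authentication local-users username usera password PasswordUserA
set vpn l2tp remote-access authentication local-users username userb password short
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access authentication require mschap-v2
set vpn l2tp remote-access client-ip-pool start 10.254.203.2
set vpn l2tp remote-access client-ip-pool stop 10.254.203.10
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret weakpsk
set vpn l2tp remote-access ipsec-settings ike-lifetime 3600
set vpn ipsec site-to-site peer site.example.com authentication mode pre-shared-secret
set vpn ipsec site-to-site peer site.example.com authentication pre-shared-secret ReplaceWithALongRandomPSK0123
set vpn ipsec site-to-site peer site.example.com description 'HQ to PSK Site A'
set vpn ipsec site-to-site peer site.example.com ike-group myike
set vpn ipsec site-to-site peer site.example.com local-address 192.0.2.10
set vpn ipsec site-to-site peer site.example.com tunnel 1 esp-group myesp
set vpn ipsec site-to-site peer site.example.com tunnel 1 local prefix 10.254.103.0/24
set vpn ipsec site-to-site peer site.example.com tunnel 1 remote prefix 10.254.0.0/24
"""


def parse_set_commands(text):
    """Turn lines like `set vpn l2tp remote-access mtu 1492` into nested dicts:
    the tokens after `set` form the path, the last token is the leaf value."""
    tree = {}
    for raw in text.splitlines():
        tokens = shlex.split(raw)  # keeps quoted values such as 'HQ to PSK Site A' together
        if len(tokens) < 3 or tokens[0] != "set":
            continue
        *path, value = tokens[1:]
        node = tree
        for key in path[:-1]:
            node = node.setdefault(key, {})
            if not isinstance(node, dict):
                raise ValueError(f"{key!r} is used both as a leaf and as a node")
        if isinstance(node.get(path[-1]), dict):
            raise ValueError(f"{path[-1]!r} is used both as a node and as a leaf")
        node[path[-1]] = value
    return tree


def get(tree, *path):
    """Walk `path`; return the node or leaf found there, or None if any step is missing."""
    node = tree
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def lint_l2tp(tree, min_psk=20, min_password=12):
    """Findings for the L2TP/IPsec remote-access block.  The length thresholds
    are this example's own choices, not an EdgeOS requirement."""
    findings = []
    ra = get(tree, "vpn", "l2tp", "remote-access")
    if ra is None:
        return findings
    if get(ra, "authentication", "require") != "mschap-v2":
        findings.append("l2tp: 'authentication require mschap-v2' is not set")
    psk = get(ra, "ipsec-settings", "authentication", "pre-shared-secret")
    if psk is None:
        findings.append("l2tp: no IPsec pre-shared secret configured")
    elif len(psk) < min_psk:
        findings.append(f"l2tp: pre-shared secret is only {len(psk)} characters")
    users = get(ra, "authentication", "local-users", "username")
    for user, node in (users.items() if isinstance(users, dict) else []):
        pw = get(node, "password")
        if pw is None or len(pw) < min_password:
            findings.append(f"l2tp: user {user!r} has a missing or short password")
    return findings


def lint_site_to_site(tree, min_psk=20):
    """Findings for every site-to-site peer: PSK present and long enough when PSK
    mode is used, ike/esp groups assigned, both prefixes present and disjoint."""
    findings = []
    peers = get(tree, "vpn", "ipsec", "site-to-site", "peer")
    for peer, cfg in (peers.items() if isinstance(peers, dict) else []):
        if get(cfg, "authentication", "mode") == "pre-shared-secret":
            psk = get(cfg, "authentication", "pre-shared-secret")
            if psk is None:
                findings.append(f"{peer}: PSK mode selected but no pre-shared-secret set")
            elif len(psk) < min_psk:
                findings.append(f"{peer}: pre-shared secret is only {len(psk)} characters")
        if get(cfg, "ike-group") is None:
            findings.append(f"{peer}: no ike-group assigned")
        tunnels = get(cfg, "tunnel")
        for tid, tun in (tunnels.items() if isinstance(tunnels, dict) else []):
            if get(tun, "esp-group") is None:
                findings.append(f"{peer} tunnel {tid}: no esp-group assigned")
            local, remote = get(tun, "local", "prefix"), get(tun, "remote", "prefix")
            if local is None or remote is None:
                findings.append(f"{peer} tunnel {tid}: local or remote prefix missing")
                continue
            if ipaddress.ip_network(local).overlaps(ipaddress.ip_network(remote)):
                findings.append(f"{peer} tunnel {tid}: local {local} overlaps remote {remote}")
    return findings


if __name__ == "__main__":
    cfg_tree = parse_set_commands(SAMPLE)
    for finding in lint_l2tp(cfg_tree) + lint_site_to_site(cfg_tree):
        print(finding)
```

Run against the sample it reports the short L2TP secret and the short password for userb and nothing for the site-to-site peer; feed it the output of `show configuration commands` from a router and it works the same way.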
@JaredBusch :thumbs_up: :thumbs_up_medium_skin_tone: :thumbs_up_medium-dark_skin_tone:
I'll give that a try.
-
That previous error was due to copy/paste issues.
Here is the error I'm getting:
[ service nat ] NAT configuration error: rule type not specified/valid
-
@FATeknollogee said in EdgeRouter 4: IPSec, S2S vpn:
That previous error was due to copy/paste issues.
Here is the error I'm getting:
[ service nat ] NAT configuration error: rule type not specified/valid
The NAT above was exported from a live router using
show configuration command service | grep nat
Are you running 2.0? Maybe something changed?
Edit: Nope
-
Never mind. I read the error closer. I missed a line when I copy/pasted; fixed above also.
set service nat rule 5000 type masquerade
-
@JaredBusch said in EdgeRouter 4: IPSec, S2S vpn:
Never mind. I read the error closer. I missed a line when I copy/pasted; fixed above also.
set service nat rule 5000 type masquerade
Haha, just added that line like 2 mins ago!!
Thanks for fixing!!
-
ER4 <--> Meraki MX S2S is "up"
Many thanks to @JaredBusch for all the help.
-
@JaredBusch
S2S #1: ER4 (ip 1.2.3.4) <--> Meraki MX is up
S2S #2: ER4 (ip 1.2.3.4) <--> Unifi USG not working, just says "connecting" (when I run "show vpn ipsec sa"). Any tricks or tips to make S2S #2 work?
-
@FATeknollogee said in EdgeRouter 4: IPSec, S2S vpn:
@JaredBusch
S2S #1: ER4 (ip 1.2.3.4) <--> Meraki MX is up
S2S #2: ER4 (ip 1.2.3.4) <--> Unifi USG not working, just says "connecting" (when I run "show vpn ipsec sa"). Any tricks or tips to make S2S #2 work?
USG sucks...
-
@JaredBusch Don't talk bad about my USG :grinning_face_with_smiling_eyes:
In a few weeks I plan on replacing the USG with an ER4. For now, I was able to get the ER4 <--> USGp4 connection up & running... :thumbs_up:
-
I have 2 public IPs on the USGp4 (using WAN 1 & 2)
For some reason, the second peer (of my S2S) ER4 refuses to connect to the USGp4 WAN1 IP.
I finally tried WAN2 & it connected.
-
update:
ER4 <--> S2S <--> Meraki MX is/was an absolute disaster.
No workie!!!
For now, have to scrap the idea, it just doesn't work :angry_face: :face_with_open_mouth_cold_sweat:
-
@FATeknollogee said in EdgeRouter 4: IPSec, S2S vpn:
update:
ER4 <--> S2S <--> Meraki MX is/was an absolute disaster.
No workie!!!
For now, have to scrap the idea, it just doesn't work :angry_face: :face_with_open_mouth_cold_sweat:
I don't know enough about the Meraki side. But one would assume it can work. IPsec is a standard.