EdgeRouter 4: IPSec, S2S vpn
-
@gtech said in EdgeRouter 4: IPSec, S2S vpn:
I know the meraki has a VLAN for VPN clients so wondering if I should have the same on the ER4?
So the question is... is the VLAN useful to you? Having a VLAN for VPN clients is perfectly fine, it gives you a chance to limit access to the entire VPN connected group of machines no a network level (basically makes three tiers... internet, VPN, and LAN.) Do you have limits that you will set, or will you simple route the VLAN to the LAN defeating its purpose?
If you are just going to route, then the VLAN serves no purpose. If you are going to treat it like a DMZ and limit the access to only a few services on the LAN, then it can be very useful.
-
@gtech said in EdgeRouter 4: IPSec, S2S vpn:
@JaredBusch This is very detailed. I am going through it, thanks. Should have mentioned my needs, VPN for a few stuff as needed. I will be setting up few vlans namely default, phones, camera, guest, staff(internet only), IT etc. I know the meraki has a VLAN for VPN clients so wondering if I should have the same on the ER4?
That was for site to site connections.
If you need roaming staff, then you want L2TP.
set vpn l2tp remote-access authentication local-users username usera password PasswordUserA set vpn l2tp remote-access authentication local-users username userb password PasswordUserB set vpn l2tp remote-access authentication local-users username userc password 'PasswordU$erC' set vpn l2tp remote-access authentication mode local set vpn l2tp remote-access authentication require mschap-v2 set vpn l2tp remote-access client-ip-pool start 10.254.203.2 set vpn l2tp remote-access client-ip-pool stop 10.254.203.10 set vpn l2tp remote-access dhcp-interface eth0 set vpn l2tp remote-access dns-servers server-1 8.8.8.8 set vpn l2tp remote-access dns-servers server-2 8.8.4.4 set vpn l2tp remote-access idle 1800 set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret SomeLongPSKGoesHere set vpn l2tp remote-access ipsec-settings ike-lifetime 3600 set vpn l2tp remote-access ipsec-settings lifetime 3600 set vpn l2tp remote-access mtu 1492 -
This post is deleted! -
@scottalanmiller good point
-
@JaredBusch I saw that, sure the info will come in useful for future projects . This weekend hopefully I can move to the ER4 with no major issues. All I am left to do is move firewall rules across/ port forwards to the ER4 and setup VPN.
-
I appreciate the config @JaredBusch this'll come in handy when I deploy ER's on both sides.
For now I'm still searching for a solution: ER (on one side) <--> Meraki MX (on the other side).
-
@FATeknollogee said in EdgeRouter 4: IPSec, S2S vpn:
For now I'm still searching for a solution: ER (on one side) <--> Meraki MX (on the other side).
Ugh, that won't be any fun.
-
@FATeknollogee said in EdgeRouter 4: IPSec, S2S vpn:
I appreciate the config @JaredBusch this'll come in handy when I deploy ER's on both sides.
For now I'm still searching for a solution: ER (on one side) <--> Meraki MX (on the other side).
Change the authentication in ER to PSK.
set vpn ipsec site-to-site peer site.domain.com authentication mode pre-shared-secret set vpn ipsec site-to-site peer site.domain.com authentication pre-shared-secret ex3VRe3FAGv769sGwrpLPhqQ set vpn ipsec site-to-site peer site.domain.com connection-type initiate set vpn ipsec site-to-site peer site.domain.com description 'HQ to PSK Site A' set vpn ipsec site-to-site peer site.domain.com ike-group myike set vpn ipsec site-to-site peer site.domain.com ikev2-reauth inherit set vpn ipsec site-to-site peer site.domain.com local-address 123.123.123.123 set vpn ipsec site-to-site peer site.domain.com tunnel 1 allow-nat-networks disable set vpn ipsec site-to-site peer site.domain.com tunnel 1 allow-public-networks disable set vpn ipsec site-to-site peer site.domain.com tunnel 1 esp-group myesp set vpn ipsec site-to-site peer site.domain.com tunnel 1 local prefix 10.254.103.0/24 set vpn ipsec site-to-site peer site.domain.com tunnel 1 remote prefix 10.254.0.0/24And then change the IKE and ESP sections from the last post to match WTF ever the Meraki uses.
-
@JaredBusch :thumbs_up: :thumbs_up_medium_skin_tone: :thumbs_up_medium-dark_skin_tone:
I'll give that a try. -
This post is deleted! -
That previous error was due to copy/paste issues.
Here is the error I'm getting:
[ service nat ] NAT configuration error: rule type not specified/valid -
@FATeknollogee said in EdgeRouter 4: IPSec, S2S vpn:
That previous error was due to copy/paste issues.
Here is the error I'm getting:
[ service nat ] NAT configuration error: rule type not specified/validThe NAT above was exported from a live router using
show configuration command service | grep natAre you running 2.0? maybe something changed?
Edit: Nope
-
Never mind. I read the error closer.. I missed a line when I copy/pasted
fixed above also.set service nat rule 5000 type masquerade -
@JaredBusch said in EdgeRouter 4: IPSec, S2S vpn:
Never mind. I read the error closer.. I missed a line when I copy/pasted
fixed above also.set service nat rule 5000 type masqueradeHaha, just added that line like 2 mins ago!!
Thanks for fixing!! -
ER4 <--> Meraki MX S2S is "up"
Many thanks to @JaredBusch for all the help. -
@JaredBusch
S2S #1: ER4 (ip 1.2.3.4) <--> Meraki MX is up
S2S #2: ER4 (ip 1.2.3.4) <--> Unifi USG not working, just says "connecting" (when I run "show vpn ipsec sa)Any tricks or tips to make S2S #2 work?
-
@FATeknollogee said in EdgeRouter 4: IPSec, S2S vpn:
@JaredBusch
S2S #1: ER4 (ip 1.2.3.4) <--> Meraki MX is up
S2S #2: ER4 (ip 1.2.3.4) <--> Unifi USG not working, just says "connecting" (when I run "show vpn ipsec sa)Any tricks or tips to make S2S #2 work?
USG sucks...
-
@JaredBusch Don't talk bad about my USG :grinning_face_with_smiling_eyes:
In a few week I plan on replacing the USG w an ER4.For now, I was able to get the ER4 <--> USGp4 connection up & running...:thumbs_up:
-
I have 2 public IPs on the USGp4 (using WAN 1 & 2)
For some reason, the second peer (of my S2S) ER4 refuses to connect to the USGp4 WAN1 IP.
I finally tried WAN2 & it connected. -
update:
ER4 <--> S2S <--> Meraki MX is/was an absolute disaster.
No workie!!!
For now, have to scrap the idea, it just doesn't work :angry_face: :face_with_open_mouth_cold_sweat:
