Edgerouter site-to-site vpn setup guide for edge routers: configure Edgerouter site-to-site vpn with IPsec tunnels, IKE/ESP groups, and firewall rules

Edgerouter site-to-site VPN is a way to connect two or more networks over the internet through IPsec tunnels, so that traffic between the sites is encrypted and authenticated in transit. In this guide, you’ll learn how to plan, configure, and troubleshoot an EdgeRouter site-to-site VPN, with practical steps, EdgeOS CLI commands, and real-world tips to keep traffic between sites private and reliable.

Introduction: what you’ll get in this article

  • A clear, step-by-step process to set up a site-to-site VPN between an Edgerouter and a remote gateway
  • Prerequisites you actually need and practical planning tips to avoid common mistakes
  • CLI commands you can copy-paste with explanations and a firewall/NAT approach that won’t break your traffic
  • Troubleshooting tips, performance notes, and security best practices
  • A robust FAQ with practical answers to common questions

Note: this guide assumes a reasonably recent EdgeOS version on an EdgeRouter X, Lite, 4, 6, 8, or Pro. If your device runs an older firmware, you may need to adjust the syntax slightly, but the core concepts stay the same. The IPsec stack in EdgeOS is strongSwan, so its log messages and the output of show vpn ipsec sa will look familiar if you have used strongSwan elsewhere.

Understanding Edgerouter and IPsec basics

  • An IPsec site-to-site VPN creates an encrypted, authenticated tunnel between two networks across the public internet. Traffic between the sites is encapsulated in ESP, so anyone on the path sees only the two gateways’ public addresses and ciphertext.
  • The negotiation has two halves. IKE (Internet Key Exchange, phase 1) authenticates the two gateways and derives keys; the IPsec or child SA (phase 2) carries the actual encrypted data for a given pair of local/remote prefixes. On EdgeOS the first is configured as an ike-group and the second as an esp-group.
  • Common settings you’ll encounter:
    • Encryption: AES-256 (aes256 in EdgeOS) is the usual choice for site-to-site VPNs; AES-128 is also fine and slightly faster on small routers.
    • Integrity: SHA-256. Avoid MD5 and SHA-1 proposals unless a legacy remote device leaves no choice.
    • Key exchange: DH group 14 (2048-bit MODP) or stronger, with PFS enabled on the ESP group so a compromised IKE key does not expose past data traffic. IKEv1 remains common in many setups, but IKEv2 is preferred where both sides support it: simpler, more robust rekeying, and built-in NAT traversal and dead-peer detection.
  • The two networks must not overlap, for example 192.168.10.0/24 at Site A and 192.168.20.0/24 at Site B. Overlapping subnets make routing ambiguous, and the tunnel’s traffic selectors will not match what you intend.

Key takeaway: plan subnets, pick robust crypto settings, and document the remote gateway’s public IP, the tunnel prefixes, and the pre-shared key (PSK) or the certificate details if you’re using certificate authentication.

Prerequisites and network planning

  • Hardware and firmware
    • An EdgeRouter running EdgeOS with IPsec support. EdgeRouter X, Lite, Pro, and the 4/6/8 series all work well for small-to-medium deployments.
    • Keep the firmware up-to-date to get the latest security fixes and stability improvements.
  • Network planning
    • Determine your local site subnet and the remote site subnet. Avoid overlapping address spaces.
    • Decide whether you’ll have a static public IP at both ends, or a dynamic IP with a Dynamic DNS name on one side (at least one side must be reachable at a known address).
    • Plan firewall rules that permit the IPsec control traffic (IKE on UDP 500, NAT-T on UDP 4500) and the data traffic (ESP, IP protocol 50), plus the decrypted traffic between the two LANs.
  • Authentication method
    • PSK is the simplest to start with and remains common for home labs and small offices. For larger deployments or higher assurance, use certificate-based (X.509) authentication.
  • Testing and monitoring plan
    • Know how you’ll verify the tunnel is up: ping across the VPN, traceroute, and checking the IPsec SA state.
    • Consider basic monitoring so you’re alerted if the tunnel goes down.

Pro tip: if you’re at a remote site with a dynamic IP, a robust dynamic DNS setup makes re-establishing the tunnel much simpler. Document the DNS name you’ll use on the remote edge and keep your update interval reasonable e.g., every 10 minutes or when IP changes.

Step-by-step: configure Edgerouter site-to-site VPN

Below is a practical, copy-friendly approach to a standard EdgeRouter site-to-site VPN using IPsec with IKEv1 and a PSK; if the remote gateway supports IKEv2, change key-exchange to ikev2 in the ike-group and keep everything else the same. Replace the remote IP, your own public IP, the local and remote subnets, and the PSK with your own values. Enter the commands from configure mode.

  1. Define IKE and ESP groups
  • These blocks set the key exchange version, encryption, hashing, Diffie-Hellman group, PFS, and lifetime options. They govern how the two sides negotiate the tunnel, and both sides must offer a matching proposal.

set vpn ipsec ike-group IKE-1 key-exchange ikev1
set vpn ipsec ike-group IKE-1 proposal 1 encryption aes256
set vpn ipsec ike-group IKE-1 proposal 1 hash sha256
set vpn ipsec ike-group IKE-1 proposal 1 dh-group 14
set vpn ipsec ike-group IKE-1 lifetime 28800
set vpn ipsec esp-group ESP-1 proposal 1 encryption aes256
set vpn ipsec esp-group ESP-1 proposal 1 hash sha256
set vpn ipsec esp-group ESP-1 pfs enable
set vpn ipsec esp-group ESP-1 lifetime 3600

  2. Create the site-to-site peer and tunnel
  • Replace 203.0.113.1 with your remote gateway’s public IP, 198.51.100.1 with this router’s own public IP (local-address is required; EdgeOS will not commit the peer without it), and the local/remote prefixes with yours. Use a long random PSK and quote it.

set vpn ipsec auto-firewall-nat-exclude enable
set vpn ipsec site-to-site peer 203.0.113.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 203.0.113.1 authentication pre-shared-secret 'yourPSKhere'
set vpn ipsec site-to-site peer 203.0.113.1 ike-group IKE-1
set vpn ipsec site-to-site peer 203.0.113.1 default-esp-group ESP-1
set vpn ipsec site-to-site peer 203.0.113.1 local-address 198.51.100.1
set vpn ipsec site-to-site peer 203.0.113.1 tunnel 1 local prefix 192.168.10.0/24
set vpn ipsec site-to-site peer 203.0.113.1 tunnel 1 remote prefix 192.168.20.0/24

  3. NAT considerations
  • Traffic between the two LANs must not be NATed: if your outbound masquerade rule rewrites the source address of packets bound for the remote subnet, they no longer match the tunnel’s local prefix and never enter the tunnel. The auto-firewall-nat-exclude option above adds the NAT exclusion and the firewall rules for UDP 500/4500 and ESP for you; if you prefer explicit rules, add a NAT exclude rule for the remote prefix that sorts before your masquerade rule.
  • If either gateway sits behind a NAT device, enable NAT traversal (set vpn ipsec nat-traversal enable) so ESP is carried in UDP 4500, and make sure UDP 500 and 4500 are forwarded to the router.
  4. Commit and save
  • After you enter these commands, commit and save your changes so they persist after a reboot.

commit
save

  5. Verify the tunnel
  • On the EdgeRouter, check the status with:
    show vpn ipsec sa
    show vpn ipsec status
  • You should see an ESTABLISHED IKE SA and, under it, an INSTALLED child SA for tunnel 1 listing your local and remote prefixes. If only the IKE SA is present, authentication worked but the ESP proposal or the prefixes disagree. Nothing at all usually means the peer is unreachable, UDP 500/4500 is blocked, or the PSK is wrong; the IPsec log (show log, filtered for charon entries, or /var/log/messages) gives the reason.
  6. Routing and firewall adjustments
  • With the policy-based configuration above, no static route is needed: the IPsec policy installed in the kernel captures packets that match the local and remote prefixes before they follow the default route. Adding a static route for the remote subnet pointing at the peer’s public IP does nothing useful and is a common mistake.
  • If you need a routable interface (for dynamic routing or many prefixes), bind the peer to a VTI interface instead and add an interface route for the remote subnet via that vti interface; OSPF or BGP can then run across it. That is a more advanced, route-based setup.
  7. Testing the connection
  • From a host on Site A (192.168.10.0/24), ping a host on Site B (192.168.20.0/24) to confirm connectivity.
  • If you can’t ping, check:
    • The remote host itself is up and its own firewall accepts ICMP from the other site’s subnet (hosts often block pings from non-local networks).
    • The EdgeRouter firewall on both sides allows the decrypted traffic between the two LANs as well as the IPsec traffic itself.
    • The VPN SA is established and not repeatedly failing due to a mismatched PSK or crypto settings.
    • The traffic counters in show vpn ipsec sa increase in both directions; packets out with none in points at the far side.
  8. Dynamic IP scenario (optional)
  • If a remote site uses a dynamic public IP, the static side cannot name a fixed peer address. EdgeOS handles this with a wildcard peer and an identity (ID) match on the static side, while the dynamic side always initiates; configure a Dynamic DNS name on the dynamic side so operators and monitoring can still find it, and enable dead-peer detection so the tunnel is rebuilt after an IP change.

Tips:

  • Start with a simple PSK, then upgrade to certificate-based authentication if you need higher security or more scalable management.
  • Use a strong PSK: random, long (32 or more characters), unique to this peer, and not reused anywhere else. Expect it to sit in the configuration in plain text.

Firewall and NAT considerations

  • Both ends must accept the IPsec traffic itself on their WAN-facing local ruleset: IKE on UDP 500, NAT-T on UDP 4500, and ESP (IP protocol 50). The EdgeRouter wizard’s default WAN_LOCAL ruleset drops unsolicited inbound traffic and does not include IPsec rules; either enable auto-firewall-nat-exclude, which adds them for you, or add the rules yourself and verify them with show firewall name WAN_LOCAL.
  • Decrypted traffic from the tunnel is evaluated by the WAN inbound ruleset like any other packet, so add an accept rule for the remote prefix that is restricted with ipsec match-ipsec rather than opening the ruleset to the whole internet. This is also the place to limit what the remote site may reach (for example only a file server), since the tunnel otherwise grants full network-level reachability.
  • Traffic between the two VPN subnets must not be NATed. Masquerading packets bound for the remote subnet changes their source address so they no longer match the tunnel’s local prefix, and the far side sees traffic from your public IP instead of your LAN. Keep masquerade for internet-bound traffic only and add a NAT exclude rule for the remote prefix that sorts before it.
  • If either gateway is behind a NAT device, enable NAT traversal on both sides and forward UDP 500 and 4500 to the router; with NAT-T, ESP is carried inside UDP 4500, so the NAT device does not need to pass protocol 50.

Real-world tip: keep a simple test network. Set up a 192.168.10.0/24 site and 192.168.20.0/24 remote site, and begin with a few test hosts to verify routing and NAT behavior before scaling.

Performance considerations

  • Throughput depends on the CPU and on whether EdgeOS can offload the cipher to hardware on that model. Measure rather than assume: run iperf between two hosts across the tunnel and watch CPU usage on the router while it runs. The small models reach their IPsec ceiling well below their plain routing throughput with AES-256-CBC, and a sustained full-gigabit site-to-site link is not realistic on them.
  • If you’re seeing slow performance, consider:
    • An AES-GCM proposal, where your EdgeOS version lists it under proposal encryption (tab-complete to check) and the remote device supports it; GCM does encryption and integrity in one pass.
    • AES-128 instead of AES-256 where your threat model permits it; the security margin is ample and the cost is lower.
    • Fragmentation: the tunnel reduces the usable MTU, so if large transfers stall while pings succeed, clamp TCP MSS (EdgeOS has an mss-clamp option under firewall options).
    • Reducing the number of VPN tunnels to match the actual traffic needs.
    • Ensuring firmware is up-to-date and that the device isn’t CPU-bound due to other services or overheating.

Security best practices

  • Use certificate-based (X.509) authentication in larger deployments or where you want to avoid shared secrets. Certificates allow revocation and rotation per device without reconfiguring every peer, and each gateway is identified by its own key rather than a value that is copied around.
  • If you use PSKs, make each one unique per peer and rotate them on a schedule. The PSK sits in plain text in the configuration and in every backup of it, so a leaked config compromises every tunnel that shares the secret. Even if you start with PSK for testing, plan for migration to certificates if the network expands.
  • Keep EdgeOS and firmware up-to-date to protect against known vulnerabilities in the IPsec stack (strongSwan) and related software.
  • Remember that the tunnel only authenticates the far gateway, not the hosts behind it. Restrict what the remote site can reach with firewall rules on the decrypted traffic, use distinct subnets behind each EdgeRouter, and treat the remote LAN as a neighbouring network rather than part of your own trust zone, so a compromise at one site has a bounded blast radius.

Interoperability and common gotchas

  • The most common failure is a pre-shared key mismatch or IKE/ESP settings that differ between the two sides (encryption, hash, DH group, PFS, lifetimes, IKE version). Compare both configurations line by line if the tunnel won’t come up, and read the IPsec log: "no acceptable proposal" means a crypto mismatch, authentication or decryption failures mean a PSK or identity mismatch, and repeated retransmits mean the peer never answered.
  • Prefix mismatches are the other frequent cause: the local prefix on one side must be exactly the remote prefix on the other, including the mask. Overlapping subnets cause routing conflicts; the fix is to renumber so each site has unique address space.
  • If a gateway is behind NAT, enable NAT-T on both sides and forward UDP 500 and 4500 to it. Behind CGNAT there is no port you can forward, so that side can only ever initiate; the other side must have a reachable public address and accept the peer by identity rather than by source IP.

Monitoring and ongoing maintenance

  • Regularly check the VPN status and keep an eye on the IPsec log for tunnel up/down events, authentication failures, and proposal negotiation errors; on EdgeOS, show log (filtered for charon entries) shows them, and /var/log/messages keeps them on disk.
  • Consider a light monitoring setup that pings a critical host across the VPN every few minutes and alerts you if the ping fails for a sustained period; alert on the tunnel’s SA state as well, since a tunnel can be up while the far host is down and vice versa.
  • Back up your EdgeRouter configuration after you confirm the tunnels (all of them, if you have more than one) are up and routing traffic correctly. The backup contains the PSK in plain text, so store it encrypted.
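The verification step and the monitoring advice above, as an added example that is not part of EdgeOS or of this guide’s original commands: a small triage script that parses the output of show vpn ipsec sa into per-tunnel state and counters, and classifies IPsec (charon) log lines into the four classic failures (PSK/identity mismatch, proposal mismatch, unreachable peer, prefix mismatch). The embedded SA output and log lines are constructed samples in the style of the strongSwan-based output EdgeOS prints, using documentation addresses; the exact spacing on your firmware may differ, so treat the regular expressions as a starting point and feed the script real output.

```python
"""Triage an EdgeRouter tunnel from 'show vpn ipsec sa' output and IPsec (charon) log lines.

Added example for this guide, not part of EdgeOS. The samples below are constructed in the
style of the strongSwan-based output EdgeOS prints; spacing on your firmware may differ.
"""
import re
from dataclasses import dataclass

SAMPLE_SA = """\
peer-203.0.113.1-tunnel-1: #3, ESTABLISHED, IKEv1, 8b2cf1a0d4e7c9b3_i 5e1a7c3d9f0b2a68_r*
  local  '198.51.100.1' @ 198.51.100.1[500]
  remote '203.0.113.1' @ 203.0.113.1[500]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  established 1523s ago, rekeying in 26277s
  peer-203.0.113.1-tunnel-1: #7, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
    installed 1523s ago, rekeying in 1677s, expires in 2077s
    in  c9a1b2c3,   83412 bytes,   612 packets,     3s ago
    out c3b2a1c9,   91004 bytes,   640 packets,     3s ago
    local  192.168.10.0/24
    remote 192.168.20.0/24
"""

# Constructed log lines carrying representative strongSwan messages for the classic failures.
SAMPLE_LOG = [
    "charon: 09[IKE] <peer-203.0.113.1-tunnel-1|4> invalid HASH_V1 payload length, decryption failed?",
    "charon: 11[IKE] <peer-203.0.113.1-tunnel-1|5> no acceptable proposal found",
    "charon: 12[IKE] <peer-203.0.113.1-tunnel-1|6> giving up after 5 retransmits",
    "charon: 13[IKE] <peer-203.0.113.1-tunnel-1|7> received TS_UNACCEPTABLE notify, no CHILD_SA built",
]

IKE_SA = re.compile(r"^(?P<name>\S+): #\d+, (?P<state>[A-Z_]+), IKEv(?P<ver>[12])")
CHILD_SA = re.compile(r"^\s+\S+: #\d+, reqid \d+, (?P<state>[A-Z_]+), \w+, ESP:(?P<cipher>\S+)")
COUNTER = re.compile(r"^\s+(?P<dir>in|out)\s+\w+,\s+\d+ bytes,\s+(?P<pkts>\d+) packets")
PREFIX = re.compile(r"^\s+(?P<side>local|remote)\s+(?P<cidr>\d+\.\d+\.\d+\.\d+/\d+)\s*$")

LOG_SIGNATURES = [
    (re.compile(r"AUTHENTICATION_FAILED|invalid HASH_V1 payload|could not decrypt payloads"),
     "authentication failure (PSK or identity mismatch)"),
    (re.compile(r"no (?:matching|acceptable) proposal|NO_PROPOSAL_CHOSEN"),
     "crypto mismatch (IKE or ESP proposal rejected by the peer)"),
    (re.compile(r"giving up after \d+ retransmits|retransmit \d+ of request"),
     "peer unreachable (UDP 500/4500 blocked, wrong peer address, or peer down)"),
    (re.compile(r"TS_UNACCEPTABLE|no matching CHILD_SA config found"),
     "prefix mismatch (local/remote prefixes do not mirror each other)"),
]

@dataclass
class Tunnel:
    name: str
    ike_state: str
    ike_version: int
    child_state: str = ""
    cipher: str = ""
    packets_in: int = 0
    packets_out: int = 0
    local_prefix: str = ""
    remote_prefix: str = ""

    @property
    def up(self) -> bool:
        # An IKE SA alone is phase 1 only: authentication worked but no data SA exists.
        return self.ike_state == "ESTABLISHED" and self.child_state == "INSTALLED"

def parse_sa(text: str) -> list[Tunnel]:
    tunnels: list[Tunnel] = []
    for line in text.splitlines():
        if m := IKE_SA.match(line):
            tunnels.append(Tunnel(m["name"], m["state"], int(m["ver"])))
        elif tunnels and (m := CHILD_SA.match(line)):
            tunnels[-1].child_state, tunnels[-1].cipher = m["state"], m["cipher"]
        elif tunnels and (m := COUNTER.match(line)):
            setattr(tunnels[-1], f"packets_{m['dir']}", int(m["pkts"]))
        elif tunnels and (m := PREFIX.match(line)):
            setattr(tunnels[-1], f"{m['side']}_prefix", m["cidr"])
    return tunnels

def triage(sa_text: str, log_lines: list[str]) -> list[str]:
    # Plain-language findings, in the order a practitioner would check them.
    findings: list[str] = []
    tunnels = parse_sa(sa_text)
    if not tunnels:
        findings.append("no IKE SA: check peer address, local-address, and that UDP 500/4500 reach the router")
    for t in tunnels:
        if not t.up:
            findings.append(f"{t.name}: IKE {t.ike_state}, child SA {t.child_state or 'missing'}")
        elif t.packets_out and not t.packets_in:
            findings.append(f"{t.name}: traffic leaves but nothing returns; check the far side's firewall, NAT exclusion and prefixes")
    for line in log_lines:
        for pattern, meaning in LOG_SIGNATURES:
            if pattern.search(line):
                findings.append(f"{meaning}: {line.strip()}")
                break
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_SA, SAMPLE_LOG) or ["tunnel up and passing traffic"]:
        print(finding)
```

On the router you would feed it live data, for example by running show vpn ipsec sa and the log command through a cron job and alerting when triage() returns anything; the one-way counter check catches the case the prose mentions, where the tunnel is up but the far side’s firewall or NAT swallows the replies.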

Real-world usage scenarios

  • Small business campuses connecting a main office to one or two branch offices with stable static IPs.
  • A home lab scenario where you want to securely access a lab network via a partner site.
  • A distributed team with partial remote office locations that require secure data transfer between sites for data sharing or backup.

Notes on integrating with cloud or enterprise environments:

  • If you’re connecting to a cloud VPN gateway (AWS Site-to-Site VPN, Azure VPN Gateway, and so on), the provider gives you its public IP, the PSK or certificate requirements, and a list of accepted IKE/ESP proposals; match those exactly rather than guessing. Expect differences: some providers require IKEv2, many expect route-based tunnels (a VTI on the EdgeRouter) with BGP rather than policy-based prefixes, and several deliver two tunnels for redundancy.

Best practices checklist

  • Plan your subnets to avoid overlap.
  • Use a strong PSK or switch to certificates if you scale.
  • Confirm you can reach remote hosts across the VPN with a few quick pings.
  • Maintain a written change log for IPsec configuration changes.
  • Keep EdgeOS firmware updated.
  • Document the exact commands you used so you can replicate or adjust later.

Frequently Asked Questions

What is Edgerouter site-to-site vpn?

Edgerouter site-to-site VPN is a secure IPsec-based connection between two networks through EdgeRouter devices, allowing private traffic to flow between sites without exposing internal addresses or payloads to the public internet.

Which Edgerouter models support site-to-site IPsec?

Most EdgeRouter models running EdgeOS support IPsec site-to-site VPNs, including EdgeRouter X, EdgeRouter Lite, EdgeRouter 4/6/8, and higher-end EdgeRouter Pro variants.

Do I need static public IPs on both sides?

Static IPs simplify setup because you can reliably point the remote gateway to a fixed address. Dynamic IPs are possible with Dynamic DNS, but they require a bit more maintenance to keep the tunnel stable.

Is PSK authentication enough for production?

PSK is fine for small deployments and lab environments. For larger networks or higher security, certificate-based authentication is preferred because it scales better and reduces the risk associated with PSKs.

How do I verify the VPN tunnel is up?

Use commands like show vpn ipsec sa and show vpn ipsec status on the Edgerouter. You should see a tunnel established. You can also ping a host on the remote network across the VPN.

How do I handle traffic routing between sites?

With a policy-based tunnel (the configuration in this guide), no extra routing is needed: the IPsec policy captures traffic for the remote prefix before it follows the default route. If you’re using a VTI for a route-based tunnel, add an interface route for the remote subnet via the vti interface, or run OSPF or BGP over it, which adds complexity.

Can I run multiple tunnels on the same EdgeRouter?

Yes. You can configure multiple IPsec site-to-site tunnels to different remote sites. Each tunnel has its own peer, local/remote subnets, and tunnel settings, and you’ll route traffic accordingly.

What about NAT on VPN traffic?

Typically, VPN traffic is not NATed between the two sites, and you should configure a NAT exclusion for the remote prefix (or enable auto-firewall-nat-exclude) so masquerade rules never touch tunnel traffic. If one side must present a different address range, for example because both sites use the same subnet, the translated prefixes have to be agreed with the remote gateway and used as the tunnel’s local/remote prefixes on each side.

How do I secure the VPN using certificates?

Set up a public key infrastructure (PKI) and issue a certificate to each EdgeRouter. Place the CA certificate, the router’s certificate and its private key on the device, then set the peer’s authentication mode to x509 and point it at those files; the ike-group and esp-group settings are unchanged, since they only describe the cryptographic proposals. Protect the private key file, and have revocation (a CRL the peers can check) and renewal processes in place before the first certificate expires.

How often should I rotate keys or certificates?

Rotate PSKs regularly e.g., every 6–12 months for PSK-based setups. Certificates typically have longer lifetimes but should be renewed before expiration with a plan for revocation if a private key is compromised.

Can I use a VPN with dynamic IP addresses at both sites?

Yes, but you’ll want a dynamic DNS service on at least one side to resolve the remote gateway’s changing IP, and that side will have to accept the other by identity rather than by a fixed peer address. This avoids manual reconfiguration whenever IP addresses change.

How can I monitor VPN performance?

Track tunnel uptime, latency between sites, and packet loss. Use simple ping tests across the VPN and check the IPsec SA status. For larger deployments, consider network monitoring tools that can alert you when the VPN goes down or when latency spikes.

What common mistakes should I avoid?

  • Mismatched IKE/ESP settings encryption, hash, DH group
  • Overlapping local/remote subnets
  • Using the same PSK on multiple peers without rotation
  • Forgetting to commit and save the configuration
  • Blocking VPN traffic in firewall rules or misconfiguring NAT exemptions

How do I back up VPN configurations?

Export the EdgeOS configuration (show configuration commands prints the set commands; the saved file is /config/config.boot) and store it securely. After you confirm the tunnel is up, save a snapshot of the current configuration so you can restore quickly if needed. The configuration contains the PSK in plain text, so encrypt the backup and restrict who can read it.

Are there alternative approaches to Edgerouter site-to-site VPN?

Yes. Some folks use OpenVPN or WireGuard-based solutions for certain environments, especially when NAT traversal or client mobility is a concern. IPsec remains the most widely supported option for site-to-site VPNs due to its interoperability and enterprise history.

How do I migrate from IKEv1 to IKEv2?

IKEv2 offers improved reliability and renegotiation. If you’re starting fresh, consider IKEv2 and cert-based authentication. If you’re migrating from IKEv1, plan a staged change with parallel tunnels and careful testing to avoid downtime.

Can I automate VPN management on EdgeRouter?

Yes. You can script configurations using the EdgeOS CLI and include them in backup routines. For larger environments, you might integrate with an orchestration tool, but always test scripts on a non-production device first.

What’s a practical test I can run after setup?

  • From Site A, run a traceroute to a host on Site B. With a policy-based tunnel you should see your EdgeRouter, then the remote EdgeRouter, then the host; no public-internet hops appear, because the encrypted leg is a single hop from the inner packet’s point of view. Public hops in the trace mean the traffic bypassed the tunnel.
  • Use ping to test reachability across the tunnel from a host on each side, not only from the routers.
  • Check the tunnel’s uptime and SA counters across a 24–48 hour period to confirm rekeys happen cleanly and the tunnel doesn’t flap.

Final notes

Edgerouter site-to-site VPN is a practical way to connect two networks without sending their traffic across the public internet unprotected. With the steps above, you’ll be able to design, configure, and maintain a stable IPsec-based tunnel between sites. Remember to document your settings, test repeatedly, and monitor the VPN for any changes in connectivity.
