
Edgerouter vpn site to site setup guide for IPsec tunnels between EdgeRouters using IKEv2, PSK, and ESP


What is a site-to-site VPN on EdgeRouter?

A site-to-site VPN creates a secure, encrypted tunnel between two distinct networks over the public internet. On an EdgeRouter you configure IPsec (IKE for key negotiation, ESP for the data path) so that traffic between the local networks, for example 10.0.0.0/24 on Site A and 192.168.1.0/24 on Site B, travels through an encrypted channel. This differs from a remote-access VPN, where individual clients connect to a single gateway. With site-to-site you get a persistent tunnel that routes traffic between whole networks, not just individual devices.

Key benefits:

  • Encrypts traffic between sites so sensitive data never traverses the internet in plain text.
  • Keeps the local networks separate and private, while allowing seamless inter-network access.
  • Works well for branch offices, mergers, co-location, and remote backups.

Common terms you’ll see:

  • IKE (Internet Key Exchange): the Phase 1 negotiation that authenticates the peers and agrees on the security parameters.
  • IPsec: the tunnel protocol suite that encrypts the traffic.
  • ESP (Encapsulating Security Payload): the IPsec protocol that provides confidentiality and integrity for the tunnelled packets.
  • PSK (pre-shared key) vs certificates: the two authentication methods for IPsec peers.
  • NAT-T (NAT Traversal): allows IPsec to work when one or both endpoints sit behind NAT.

Prerequisites for Edgerouter site-to-site VPN

Before you start typing commands, gather these essentials:

  • Two sites with public IP addresses. If one side is behind NAT or uses a dynamic IP, plan for NAT-T and possibly dynamic DNS.
  • Two LAN subnets that don’t overlap. Example: Site A 10.0.0.0/24, Site B 192.168.2.0/24.
  • A shared pre-shared key (PSK) for IPsec authentication, or certificates if you opt for a certificate-based setup.
  • Basic firewall control at both sites so you can allow IPsec-related traffic (UDP 500, UDP 4500, and ESP, IP protocol 50).
  • EdgeRouter devices at both sites running EdgeOS (Ubiquiti’s EdgeRouter operating system), for example the EdgeRouter X, ER‑Lite or ER‑4 series.
  • Optional: static routes to steer traffic for the remote LAN across the VPN.

Security tips to keep in mind:

  • Use a strong PSK (random, long, and unique to this tunnel). If you can, switch to certificate-based authentication for stronger security, though it is more complex to manage.
  • Use AES-256 and SHA-256 or better for encryption and integrity.
  • Enable NAT-T if you expect NAT between the sites or on either WAN connection.

Step-by-step setup guide (EdgeOS)

Note: EdgeOS uses a Vyatta-derived CLI whose syntax closely resembles VyOS. The exact commands may vary slightly by firmware version, but the overall approach is the same: define an IKE group and an ESP group, create a site-to-site peer, and bind a tunnel with local/remote prefixes.

Scenario 1: Site A (public IP 203.0.113.2, LAN 10.0.0.0/24) <-> Site B (public IP 198.51.100.2, LAN 192.168.2.0/24).
Scenario 2: Site B behind CGNAT or on a dynamic IP, with NAT-T enabled and dynamic DNS set up.

A. Define IKE and ESP groups (common to both sites)

  • On Site A and Site B, configure identical IKE/ESP groups.

    • IKE group
      • Name: IKE-GROUP1
      • lifetime: 3600
      • proposals: encryption AES256, hash SHA256, DH group 14 (2048-bit)
    • ESP group
      • Name: ESP-GROUP1
      • proposals: encryption AES256, hash SHA256

    Example commands (enter in configure mode on Site A, and repeat unchanged on Site B; EdgeOS commands are lower-case):

    • set vpn ipsec ike-group IKE-GROUP1 lifetime 3600
    • set vpn ipsec ike-group IKE-GROUP1 proposal 1 encryption aes256
    • set vpn ipsec ike-group IKE-GROUP1 proposal 1 hash sha256
    • set vpn ipsec ike-group IKE-GROUP1 proposal 1 dh-group 14
    • set vpn ipsec esp-group ESP-GROUP1 lifetime 3600
    • set vpn ipsec esp-group ESP-GROUP1 proposal 1 encryption aes256
    • set vpn ipsec esp-group ESP-GROUP1 proposal 1 hash sha256

B. Create the site-to-site peer (the IPsec tunnel partner)

  • On Site A (public IP 203.0.113.2), the peer is Site B at 198.51.100.2.

  • On Site B (public IP 198.51.100.2), the peer is Site A at 203.0.113.2.

    Commands for Site A (replace eth0 with the WAN interface on which IPsec traffic arrives; EdgeOS needs the interface listed under ipsec-interfaces before any peer will come up):

    • set vpn ipsec ipsec-interfaces interface eth0
    • set vpn ipsec site-to-site peer 198.51.100.2 authentication mode pre-shared-secret
    • set vpn ipsec site-to-site peer 198.51.100.2 authentication pre-shared-secret 'YourStrongPskHere'
    • set vpn ipsec site-to-site peer 198.51.100.2 ike-group IKE-GROUP1
    • set vpn ipsec site-to-site peer 198.51.100.2 esp-group ESP-GROUP1
    • set vpn ipsec site-to-site peer 198.51.100.2 local-address 203.0.113.2
    • set vpn ipsec site-to-site peer 198.51.100.2 tunnel 1 local prefix 10.0.0.0/24
    • set vpn ipsec site-to-site peer 198.51.100.2 tunnel 1 remote prefix 192.168.2.0/24
    • set vpn ipsec nat-traversal enable

    Commands for Site B (the mirror image; again replace eth0 with the WAN interface):

    • set vpn ipsec ipsec-interfaces interface eth0
    • set vpn ipsec site-to-site peer 203.0.113.2 authentication mode pre-shared-secret
    • set vpn ipsec site-to-site peer 203.0.113.2 authentication pre-shared-secret 'YourStrongPskHere'
    • set vpn ipsec site-to-site peer 203.0.113.2 ike-group IKE-GROUP1
    • set vpn ipsec site-to-site peer 203.0.113.2 esp-group ESP-GROUP1
    • set vpn ipsec site-to-site peer 203.0.113.2 local-address 198.51.100.2
    • set vpn ipsec site-to-site peer 203.0.113.2 tunnel 1 local prefix 192.168.2.0/24
    • set vpn ipsec site-to-site peer 203.0.113.2 tunnel 1 remote prefix 10.0.0.0/24
    • set vpn ipsec nat-traversal enable

C. Firewall rules (WAN side)

  • IPsec requires that ESP, IKE (UDP 500) and NAT-T (UDP 4500) are accepted by the firewall ruleset that protects the router itself on the WAN interface.

Example (adjust to your own firewall rule-set names):

  • set firewall name WAN_LOCAL rule 10 protocol esp
  • set firewall name WAN_LOCAL rule 10 action accept
  • set firewall name WAN_LOCAL rule 20 protocol udp
  • set firewall name WAN_LOCAL rule 20 destination port 500
  • set firewall name WAN_LOCAL rule 20 action accept
  • set firewall name WAN_LOCAL rule 30 protocol udp
  • set firewall name WAN_LOCAL rule 30 destination port 4500
  • set firewall name WAN_LOCAL rule 30 action accept

D. NAT-T and automatic startup

  • Ensure NAT-Traversal is enabled so IPsec can work when either side is behind NAT.

  • Commit and save your changes so the configuration persists and EdgeOS brings the tunnel back up on its own after a reboot.

    Example:

    • set vpn ipsec nat-traversal enable
    • set vpn ipsec nat-networks allowed-network 0.0.0.0/0 (needed alongside NAT-T on EdgeOS; narrow 0.0.0.0/0 to the remote side’s private range if you know it)
    • commit
    • save

E. Commit, test, and verify

  • Run commit, then save, so the configuration is applied and persisted.
  • Then verify status:
    • show vpn ipsec sa
    • show vpn ipsec status
    • show vpn ipsec installedsa
  • Ping tests:
    • From Site A, ping 192.168.2.1 (a host on the remote LAN at Site B)
    • From Site B, ping 10.0.0.1 (a host on the LAN at Site A)
  • If the tunnel is active, you should see a tunnel 1 association and traffic flowing across it.

F. Troubleshooting common issues

  • The tunnel won’t come up:
    • Check that the PSK is identical on both sides; it must match exactly.
    • Confirm the IKE group and ESP group parameters match on both sides.
    • Verify that local-address is the real WAN address and that the local/remote prefixes match the actual LANs.
    • Ensure the public IPs used in the peer statements are correct.
    • Confirm firewall rules are not blocking UDP 500/4500 or ESP (IP protocol 50).
  • The tunnel is up but traffic doesn’t route:
    • Check static routes on both sides and ensure they send the remote LAN into the VPN tunnel.
    • Confirm the tunnel 1 local/remote prefixes don’t overlap and are correct.
    • Make sure no NAT rule translates the source address of traffic entering the tunnel; a masqueraded packet no longer matches the tunnel’s local prefix and is sent out in the clear instead.
  • NAT-T issues:
    • If either side is behind a firewall or gateway performing carrier-grade NAT, NAT-T is essential: ensure it is enabled and that UDP 4500 is allowed through.
  • Dynamic IP on one side:
    • Run a dynamic DNS update client on the side with the dynamic IP, and make sure the peer configuration on the other side is updated with the new address. NAT-T helps with NAT scenarios.
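
Most of the checklist above can be verified before you ever commit. The Python below is an added example, not code from the original guide or from EdgeOS: it models the values each side would type into set vpn ipsec ... as plain dicts (the dict layout and the placeholder PSK are assumptions for the example) and reports the mismatches listed above: PSK, IKE/ESP parameters, mirrored peer and local-address values, mirrored tunnel prefixes, and overlapping subnets. It also carries a PSK length/character-class check and a generator for the "use a strong PSK" advice from the security tips and the FAQ.

```python
"""Consistency checks for a pair of EdgeOS site-to-site IPsec peers.

Added example (not from the original guide). The dict layout below is an
assumption for the example, not an EdgeOS data format.
"""
import ipaddress
import secrets
import string

# Constructed sample configs mirroring Site A and Site B from the guide.
SITE_A = {
    "local_address": "203.0.113.2",
    "peer": "198.51.100.2",
    "psk": "YourStrongPskHere",  # placeholder, deliberately too short
    "ike": {"encryption": "aes256", "hash": "sha256", "dh_group": 14, "lifetime": 3600},
    "esp": {"encryption": "aes256", "hash": "sha256", "lifetime": 3600},
    "local_prefix": "10.0.0.0/24",
    "remote_prefix": "192.168.2.0/24",
}
SITE_B = {
    "local_address": "198.51.100.2",
    "peer": "203.0.113.2",
    "psk": "YourStrongPskHere",
    "ike": {"encryption": "aes256", "hash": "sha256", "dh_group": 14, "lifetime": 3600},
    "esp": {"encryption": "aes256", "hash": "sha256", "lifetime": 3600},
    "local_prefix": "192.168.2.0/24",
    "remote_prefix": "10.0.0.0/24",
}


def check_pair(a, b):
    """Return a list of problems; an empty list means the two sides agree."""
    problems = []
    if a["psk"] != b["psk"]:
        problems.append("PSK differs between peers")
    if a["peer"] != b["local_address"] or b["peer"] != a["local_address"]:
        problems.append("peer / local-address values do not mirror each other")
    # Every IKE and ESP parameter must be identical on both sides.
    for grp in ("ike", "esp"):
        for key in sorted(set(a[grp]) | set(b[grp])):
            if a[grp].get(key) != b[grp].get(key):
                problems.append(f"{grp.upper()} {key} mismatch: {a[grp].get(key)} vs {b[grp].get(key)}")
    # strict=True rejects prefixes with host bits set, e.g. 10.0.0.5/24.
    a_local = ipaddress.ip_network(a["local_prefix"], strict=True)
    a_remote = ipaddress.ip_network(a["remote_prefix"], strict=True)
    b_local = ipaddress.ip_network(b["local_prefix"], strict=True)
    b_remote = ipaddress.ip_network(b["remote_prefix"], strict=True)
    if a_local != b_remote or b_local != a_remote:
        problems.append("tunnel local/remote prefixes are not mirrored")
    if a_local.overlaps(a_remote):
        problems.append(f"subnets overlap: {a_local} and {a_remote}")
    return problems


def psk_is_strong(psk, min_len=32):
    """Rough floor, not an entropy proof: at least min_len characters and
    at least three of the four classes lower/upper/digit/punctuation."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    present = sum(any(c in cls for c in psk) for cls in classes)
    return len(psk) >= min_len and present >= 3


def generate_psk(nbytes=32):
    """Random URL-safe PSK (43 characters for 32 bytes); quote it in the CLI."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    for line in check_pair(SITE_A, SITE_B) or ["no mismatches found"]:
        print(line)
    print("placeholder PSK strong enough:", psk_is_strong(SITE_A["psk"]))
    print("fresh PSK:", generate_psk())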

G. Multi-site and scaling tips

  • For more than two sites, keep a consistent IKE/ESP policy across all peers to avoid mismatches and to simplify management.
  • If you’re expanding, consider central site-to-site hub and spoke or fully meshed topology depending on traffic patterns.
  • Maintain a simple naming convention for peers and tunnels to reduce confusion as the network grows.

H. Security and maintenance recommendations

  • Regularly rotate PSKs or deploy certificates for authentication if you’re comfortable with PKI management.
  • Monitor VPN status periodically and set up alerts if a tunnel goes down for a specified period.
  • Consider enabling dead peer detection (DPD) if your EdgeRouter firmware supports it, so an unreachable peer is detected quickly.
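
For the monitoring point above, here is an added example (not from the original guide) that parses the table printed by show vpn ipsec sa and returns alerts for tunnels that are down or that negotiated weak algorithms. The sample output is constructed to resemble EdgeOS’s layout, and the regular expressions are an assumption to verify against your firmware’s real output before wiring this into a cron job or alerting system.

```python
"""Parse 'show vpn ipsec sa' output and flag down tunnels and weak algorithms.

Added example, not part of the original guide. SAMPLE_OUTPUT is constructed
to resemble the EdgeOS table layout; the regexes are assumptions to confirm
against your own firmware's output.
"""
import re

SAMPLE_OUTPUT = """\
Peer ID / IP                            Local ID / IP
------------                            -------------
198.51.100.2                            203.0.113.2

    Tunnel  State  Bytes Out/In   Encrypt  Hash    NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----    -----  ------  ------  -----
    1       up     1.2M/3.4M      aes256   sha256  no     1234    3600    all
    2       down   0.0/0.0        3des     md5     no     0       3600    all
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# A peer block header: two IPv4 addresses at the start of a line.
PEER_RE = re.compile(rf"^({IPV4})\s+({IPV4})\s*$")
# A tunnel row: indented, starting with the tunnel number and its state.
TUNNEL_RE = re.compile(
    r"^\s+(?P<tunnel>\d+)\s+(?P<state>\w+)\s+\S+\s+(?P<encrypt>\S+)\s+(?P<hash>\S+)\s+(?P<natt>\S+)"
)
# Algorithms that should not appear in a tunnel you consider healthy.
WEAK_ALGORITHMS = {"des", "3des", "null", "md5", "sha1"}


def parse_sa(text):
    """Return one record per tunnel row, tagged with the peer block it belongs to."""
    records, peer, local = [], None, None
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:
            peer, local = m.group(1), m.group(2)
            continue
        m = TUNNEL_RE.match(line)
        if m:
            records.append({
                "peer": peer,
                "local": local,
                "tunnel": int(m.group("tunnel")),
                "state": m.group("state").lower(),
                "encrypt": m.group("encrypt").lower(),
                "hash": m.group("hash").lower(),
                "nat_t": m.group("natt").lower() == "yes",
            })
    return records


def find_alerts(records):
    """Human-readable alerts: tunnels that are not up, and weak cipher/hash choices."""
    alerts = []
    for r in records:
        tag = f"peer {r['peer']} tunnel {r['tunnel']}"
        if r["state"] != "up":
            alerts.append(f"{tag}: state is {r['state']}")
        weak = {r["encrypt"], r["hash"]} & WEAK_ALGORITHMS
        if weak:
            alerts.append(f"{tag}: weak algorithm(s) {', '.join(sorted(weak))}")
    return alerts


if __name__ == "__main__":
    # On the router, feed in the real output of 'show vpn ipsec sa' instead.
    for alert in find_alerts(parse_sa(SAMPLE_OUTPUT)) or ["all tunnels up and using strong algorithms"]:
        print(alert)
```

Run it periodically and forward any non-empty alert list to your alerting channel; a silent run means every tunnel is up with the expected algorithms.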

Real-world example configuration (scenario-based)

To give you a practical feel, here’s a compact, ready-to-use example you can adapt. It uses a single PSK-authenticated tunnel, with both sites configured as mirror images of each other.

Site A (public IP 203.0.113.2, LAN 10.0.0.0/24) to Site B (public IP 198.51.100.2, LAN 192.168.2.0/24)

  • Define groups: the IKE-GROUP1 and ESP-GROUP1 commands from section A, entered identically on both sites.

  • Site-to-site peer: the peer commands from section B, with the peer address, local-address and tunnel prefixes swapped on Site B.

  • Firewall examples (WAN_LOCAL)

    • set firewall name WAN_LOCAL rule 10 protocol esp
    • set firewall name WAN_LOCAL rule 10 action accept
    • set firewall name WAN_LOCAL rule 20 protocol udp
    • set firewall name WAN_LOCAL rule 20 destination port 500
    • set firewall name WAN_LOCAL rule 20 action accept
    • set firewall name WAN_LOCAL rule 30 protocol udp
    • set firewall name WAN_LOCAL rule 30 destination port 4500
    • set firewall name WAN_LOCAL rule 30 action accept
  • Commit and verify: commit, save, then show vpn ipsec sa on both sites.

If you ever need to adjust because one side has a dynamic IP, keep NAT-T enabled and consider pairing with a dynamic DNS service, so the peer can resolve the current public IP without manual updates.

Frequently Asked Questions

What is Edgerouter vpn site to site?

What hardware do I need to set this up?

You’ll need two EdgeRouter devices (any current EdgeRouter running EdgeOS), two public IP addresses (or a combination of NAT and dynamic DNS on one side), and two LAN subnets that don’t overlap.

Do I need certificates for IPsec on EdgeRouter?

Not strictly. You can use a pre-shared key PSK for authentication, which is simpler to set up. For stronger security in larger deployments, certificates can be used, but they require a PKI setup and management.

Can EdgeRouter do IKEv2, or is it only IKEv1?

EdgeRouter supports IKEv1 and IKEv2 depending on firmware and settings. AES256, SHA256 and a modern DH group such as group 14 are recommended on modern devices whichever IKE version you use.

How do I configure the PSK securely?

Choose a long, random string that isn’t reused elsewhere. Don’t use something simple or guessable. Rotate PSKs periodically as part of your security hygiene.

How do I know the VPN tunnel is actually working?

You’ll see the IPsec SA (Security Association) entries when you run show vpn ipsec sa or show vpn ipsec status. You should also be able to ping hosts across the tunnel (e.g., devices on the remote LAN) once routes are correctly configured.

What if one site has a dynamic IP?

Enable NAT-T and, if possible, pair it with a dynamic DNS service on the side whose IP changes. Keep the other side’s peer definition in step with the DNS updates so the tunnel can still be established.

How can I test performance over the VPN?

Use iperf or similar network performance tools to test throughput between hosts on opposite LANs. Also test latency by pinging across the tunnel under normal load and during peak hours.

How do I add a second VPN site without breaking the first?

Keep the IKE and ESP parameters consistent and add a separate site-to-site peer with its own tunnel 1 or tunnel 2 if you want to separate. Maintain unique local/remote prefixes for each site to avoid routing confusion.

Can I have more than one tunnel per site?

Yes. You can configure multiple IPsec site-to-site peers on the same EdgeRouter. Each peer will have its own tunnel and can use distinct local/remote prefixes. Just ensure there are no overlapping subnets and that routing is clearly defined.

How do I route traffic through the VPN?

Use static routes on each site that point to the remote LAN subnet via the VPN tunnel. For example, on Site A, route 192.168.2.0/24 via tunnel 1, and on Site B, route 10.0.0.0/24 via tunnel 1.

What are the most common mistakes?

  • Mismatched PSK, IKE group, or ESP group between peers
  • Subnets that overlap or are misconfigured in the tunnel definitions
  • Firewall blocks on UDP 500/4500 or ESP protocol 50
  • Forgetting to commit and save changes after editing EdgeOS configuration

Is it better to use certificates for a long-term site-to-site VPN?

Certificates provide stronger and more scalable authentication for multiple peers, especially in larger deployments. A PSK is easier to set up for a small number of sites, but rotating PSKs across many sites becomes harder over time.

Closing notes

Edgerouter vpn site to site can be surprisingly straightforward once you align the peers, subnets, and firewall rules. With the right IKE/ESP settings, NAT-T, and clean routing, you’ll have a robust, low-latency tunnel between sites that behaves like a single extended network. If you’re new to EdgeRouter, give yourself a little time to practice commands in a test environment before touching production networks. And if you want to explore additional protection, don’t forget to check the NordVPN offer linked above.

If you need a quick reference, I’ve included the essential commands and structure above, plus practical tips for common edge cases like NAT behind one side or dynamic IP setups. Happy tunneling!
