Edgerouter site-to-site vpn setup guide for IPsec tunnels between sites: EdgeRouter site-to-site VPN configuration, best practices, and troubleshooting
EdgeRouter site-to-site VPN is a method to securely connect two or more networks using IPsec tunnels. In this guide, you’ll get a practical, step-by-step walkthrough to configure a robust EdgeRouter site-to-site VPN, plus tips, common pitfalls, and troubleshooting. We’ll cover two common scenarios (static public IPs and dynamic IPs) and show you how to verify the tunnel, monitor it, and harden the setup. If you want to keep everything centralized, you’ll also see how site-to-site VPN combines with remote-access options for troubleshooting and mobile workforces. We’ll explain the architecture, provide CLI and GUI steps, compare IPsec with other VPN options, and show you real-world test results you can replicate. Useful resources are listed at the end of the guide.
Table of contents
– What you’ll gain from a well-built EdgeRouter site-to-site VPN
– Prerequisites and planning
– VPN protocol, encryption, and authentication choices
– Network topology and IP addressing considerations
– Step-by-step: two-site static IP setup CLI
– Step-by-step: two-site dynamic IP setup DDNS and IPsec
– Firewall and NAT considerations
– Testing, monitoring, and maintenance
– Common pitfalls and troubleshooting
– Performance and scaling for multiple sites
– Security hardening and best practices
– Frequently asked questions
What you’ll gain from a well-built EdgeRouter site-to-site VPN
– A secure, encrypted tunnel between two networks, so remote offices can share resources as if they were on the same LAN.
– Centralized management via EdgeOS, either through the GUI (Graphical User Interface) or the CLI (Command-Line Interface).
– Clear split-tunnel or full-tunnel behavior depending on whether you want to route only specific subnets or all traffic through the VPN.
– Better control over traffic flows with precise firewall rules and NAT exemptions that prevent double translation and ensure privacy for site-to-site traffic.
– Insightful monitoring: you’ll see tunnel status, lifetimes, rekey events, and throughput, so you’re not left guessing why a tunnel went down.
Prerequisites and planning
Before you dive into the configuration, gather these details:
– EdgeRouter model and current firmware version (e.g., EdgeRouter X, 4-series, or higher). Up-to-date firmware matters for security and stability.
– Public IPs for each site (static is easier; dynamic IPs require a dynamic DNS setup).
– Internal network subnets (for example, Site A 10.10.1.0/24 and Site B 10.20.1.0/24).
– A rough idea of traffic patterns: which subnets should be reachable via VPN, and whether you want to route all traffic through the VPN or only the specific subnets.
– Authentication method: pre-shared keys (PSK) are simplest; certificates are more scalable for larger deployments.
– Firewalls at each site: ensure there’s a path for IKE/IPsec traffic (UDP ports 500 and 4500) plus ESP (IP protocol 50), or UDP-encapsulated ESP on port 4500 when a site sits behind NAT.
Pro tip: plan IP addressing so that the site subnets don’t overlap. Overlapping subnets cause routing nightmares and dropped packets.
VPN protocol, encryption, and authentication choices
– Protocol: IPsec with IKEv1 or IKEv2. IKEv2 is generally preferred for better reconnect behavior, robustness, and faster rekeying.
– Encryption: AES-128 or AES-256 depending on your security needs and hardware capability.
– Integrity: SHA-256 or stronger.
– PFS (Perfect Forward Secrecy): enable PFS for additional security during key exchange. Commonly group 14 or 19 in IPsec parlance; EdgeRouter exposes the same groups under its own labels.
– Authentication: pre-shared keys are easiest for small deployments; X.509 certificates improve scale and automation.
– NAT-T: enable NAT Traversal if either site sits behind a NAT or a CGNAT environment.
Why this matters: a well-chosen IKE/IPsec profile reduces tunnel setup time, increases reliability during WAN flaps, and minimizes rekey interruptions.
Network topology and IP addressing considerations
– Decide whether you’ll use a hub-and-spoke or full-mesh layout. For two sites, a simple hub-and-spoke approach is usually enough; for three or more, plan routing accordingly.
– Ensure the local and remote networks are defined as subnets on EdgeRouter tunnel configurations, for example:
– Site A LAN: 10.10.1.0/24
– Site B LAN: 192.168.2.0/24
– Consider route-based vs policy-based VPN. The site-to-site peer configuration used in this guide ties each tunnel to a specific local/remote subnet pair (policy-based): only traffic matching those selectors is encrypted, and no routing-table entry is needed for it.
– If you have dynamic IPs, implement a dynamic DNS service and set up the tunnel to connect to a hostname instead of a fixed IP.
Step-by-step: two-site static IP setup CLI
Note: the exact commands may vary a bit by EdgeRouter model and firmware, but this is the general pattern for a typical two-site configuration.
– Log in to Site A EdgeRouter via SSH or the local console.
– Enter configuration mode:
– configure
– Define the IKE and ESP proposals (the cryptographic settings; IKEv2 and DH group 14 are included so the profile matches the recommendations above):
– set vpn ipsec ike-group IKE-PROFILE key-exchange ikev2
– set vpn ipsec ike-group IKE-PROFILE proposal 1 encryption aes128
– set vpn ipsec ike-group IKE-PROFILE proposal 1 hash sha256
– set vpn ipsec ike-group IKE-PROFILE proposal 1 dh-group 14
– set vpn ipsec ike-group IKE-PROFILE lifetime 3600
– set vpn ipsec esp-group ESP-PROFILE proposal 1 encryption aes128
– set vpn ipsec esp-group ESP-PROFILE proposal 1 hash sha256
– set vpn ipsec esp-group ESP-PROFILE pfs dh-group14
– set vpn ipsec esp-group ESP-PROFILE lifetime 3600
– Bind IPsec to the WAN interface, then create the IPsec peer (the remote site’s public IP, e.g., 203.0.113.50) and assign credentials. Here eth0 stands for Site A’s WAN interface and 198.51.100.10 for Site A’s own public IP; substitute your values.
– set vpn ipsec ipsec-interfaces interface eth0
– set vpn ipsec auto-firewall-nat-exclude enable
– set vpn ipsec site-to-site peer 203.0.113.50 authentication mode pre-shared-secret
– set vpn ipsec site-to-site peer 203.0.113.50 authentication pre-shared-secret yourPresharedKey
– set vpn ipsec site-to-site peer 203.0.113.50 ike-group IKE-PROFILE
– set vpn ipsec site-to-site peer 203.0.113.50 default-esp-group ESP-PROFILE
– set vpn ipsec site-to-site peer 203.0.113.50 local-address 198.51.100.10
– Define the local and remote subnets (the networks on both sides; older EdgeOS firmware writes these as tunnel 1 local subnet / remote subnet):
– set vpn ipsec site-to-site peer 203.0.113.50 tunnel 1 local prefix 10.10.1.0/24
– set vpn ipsec site-to-site peer 203.0.113.50 tunnel 1 remote prefix 192.168.2.0/24
– No static route is needed for this tunnel: the tunnel 1 local/remote prefixes are the traffic selectors, and packets matching them are encrypted before the routing table is consulted. A static route toward a vti interface is only required if you build a route-based (VTI) tunnel instead.
– Apply firewall rules. If vpn ipsec auto-firewall-nat-exclude is not enabled, allow IKE (UDP 500), NAT-T (UDP 4500), and ESP toward the router itself, then attach the rule set to the WAN interface (eth0 here) in the local direction:
– set firewall name VPN-LOCAL default-action drop
– set firewall name VPN-LOCAL rule 1 action accept
– set firewall name VPN-LOCAL rule 1 state established enable
– set firewall name VPN-LOCAL rule 1 state related enable
– set firewall name VPN-LOCAL rule 10 action accept
– set firewall name VPN-LOCAL rule 10 protocol udp
– set firewall name VPN-LOCAL rule 10 destination port 500,4500
– set firewall name VPN-LOCAL rule 11 action accept
– set firewall name VPN-LOCAL rule 11 protocol esp
– set interfaces ethernet eth0 firewall local name VPN-LOCAL
– Because the default action is drop, add accept rules for any other management traffic you need on the WAN (for example SSH from a trusted address) before committing, or you will lock yourself out.
– Commit and save:
– commit
– save
– Exit:
– exit
– On Site B, mirror the settings with local/remote subnets swapped and the remote IP set to Site A’s public IP.
If you’re using the GUI, you’ll find the VPN IPsec section under the VPN tab. The GUI typically presents a guided wizard: choose IPsec site-to-site, enter the remote public IP, remote subnet, local subnet, PSK or certificates, and then the encryption/authentication options. The GUI is excellent for quick checks, while the CLI gives you granular control and scripting capabilities.
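The "mirror the settings on Site B" step is where mismatched PSKs, swapped subnets and diverging crypto profiles creep in. The following added example (not part of the original guide) generates both sides’ EdgeOS set commands from one set of parameters and refuses overlapping LANs; it assumes EdgeOS 1.8+/2.x syntax, eth0 as the WAN interface, and 198.51.100.10 as a constructed Site A address.

```python
import ipaddress

# Added example, not from the original guide: emit mirrored EdgeOS "set" commands
# for both ends of a two-site tunnel so that the crypto profile, PSK and subnet
# pair cannot drift apart. Older firmware writes "tunnel 1 local subnet" instead.

def site_config(local_wan, remote_wan, local_lan, remote_lan, psk,
                wan_if="eth0", ike="IKE-PROFILE", esp="ESP-PROFILE"):
    """Return the 'set' lines for ONE EdgeRouter, written from its own point of view."""
    peer = f"vpn ipsec site-to-site peer {remote_wan}"
    return [
        # Phase 1 (IKE): IKEv2, AES-128-CBC, SHA-256, DH group 14 (2048-bit MODP)
        f"set vpn ipsec ike-group {ike} key-exchange ikev2",
        f"set vpn ipsec ike-group {ike} proposal 1 encryption aes128",
        f"set vpn ipsec ike-group {ike} proposal 1 hash sha256",
        f"set vpn ipsec ike-group {ike} proposal 1 dh-group 14",
        f"set vpn ipsec ike-group {ike} lifetime 3600",
        # Phase 2 (ESP) with PFS: a compromised IKE key cannot unlock earlier traffic
        f"set vpn ipsec esp-group {esp} proposal 1 encryption aes128",
        f"set vpn ipsec esp-group {esp} proposal 1 hash sha256",
        f"set vpn ipsec esp-group {esp} pfs dh-group14",
        f"set vpn ipsec esp-group {esp} lifetime 3600",
        # Bind IPsec to the WAN interface; EdgeOS then adds the local firewall
        # rules (UDP 500/4500, ESP) and the NAT exclusion for the tunnel subnets.
        f"set vpn ipsec ipsec-interfaces interface {wan_if}",
        "set vpn ipsec auto-firewall-nat-exclude enable",
        # Peer: authenticate with the shared PSK and select the tunnel subnets
        f"set {peer} authentication mode pre-shared-secret",
        f"set {peer} authentication pre-shared-secret {psk}",
        f"set {peer} ike-group {ike}",
        f"set {peer} default-esp-group {esp}",
        f"set {peer} local-address {local_wan}",
        f"set {peer} tunnel 1 local prefix {local_lan}",
        f"set {peer} tunnel 1 remote prefix {remote_lan}",
    ]

def both_sites(wan_a, wan_b, lan_a, lan_b, psk):
    """Validate the addressing plan, then return (site_a_lines, site_b_lines)."""
    net_a, net_b = ipaddress.ip_network(lan_a), ipaddress.ip_network(lan_b)
    if net_a.overlaps(net_b):          # the classic pitfall: traffic never routes
        raise ValueError(f"LANs {lan_a} and {lan_b} overlap")
    if len(psk) < 20:                  # short PSKs are the weak point of PSK auth
        raise ValueError("pre-shared key too short; use a long random secret")
    return (site_config(wan_a, wan_b, lan_a, lan_b, psk),
            site_config(wan_b, wan_a, lan_b, lan_a, psk))

if __name__ == "__main__":
    # Constructed sample values: 203.0.113.50 is the guide's Site B, 198.51.100.10 stands in for Site A
    a, b = both_sites("198.51.100.10", "203.0.113.50",
                      "10.10.1.0/24", "192.168.2.0/24", "replace-with-32-random-chars")
    print("\n".join(["# Site A"] + a + ["", "# Site B"] + b))
```

Paste each list into configure mode on the matching router, then commit and save; the only line that differs per site beyond the mirrored addresses is the secret, which both_sites forces to be identical.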
Step-by-step: two-site dynamic IP setup DDNS and IPsec
– For dynamic IPs, set up a DDNS hostname on the EdgeRouter that is updated whenever your WAN IP changes.
– In the IPsec configuration, use the DDNS hostname as the remote endpoint rather than a fixed IP.
– Update the firewall rules if the dynamic IP is the source of IPsec negotiation (some NAT behaviors cause unexpected failures if IPs are not updated).
– Use short rekey intervals to maintain stability. IKEv2 often handles this better than IKEv1 in dynamic environments.
CLI example adjustments (the IKE/ESP groups, ipsec-interfaces and local-address settings are the same as in the static-IP example):
– set vpn ipsec site-to-site peer your.remote.ddns.hostname authentication mode pre-shared-secret
– set vpn ipsec site-to-site peer your.remote.ddns.hostname authentication pre-shared-secret yourPresharedKey
– set vpn ipsec site-to-site peer your.remote.ddns.hostname ike-group IKE-PROFILE
– set vpn ipsec site-to-site peer your.remote.ddns.hostname default-esp-group ESP-PROFILE
– set vpn ipsec site-to-site peer your.remote.ddns.hostname tunnel 1 local prefix 10.10.1.0/24
– set vpn ipsec site-to-site peer your.remote.ddns.hostname tunnel 1 remote prefix 192.168.2.0/24
Monitor status with:
– show vpn ipsec sa
– show vpn ipsec tunnel
– show log vpn
Tip: dynamic IPs add a layer of complexity. If the remote site’s IP changes, the tunnel can fail to establish until the DDNS update propagates. In practice, a short rekey window and frequent keepalives help preserve tunnel continuity.
Firewall and NAT considerations
– Ensure that IPsec traffic is allowed through your WAN firewall:
– UDP 500 (IKE)
– UDP 4500 (NAT-T)
– ESP (IP protocol 50), if your devices permit it
– On EdgeRouter, create a VPN firewall rule set to allow traffic from the VPN to the internal subnets and vice versa.
– If you’re using masquerade NAT on the WAN, exempt the VPN subnets so tunnel traffic isn’t NAT’d before encryption. The simplest way is to let EdgeOS generate the exclusion (and the matching local firewall rules) for every configured tunnel:
– set vpn ipsec auto-firewall-nat-exclude enable
– Alternatively, add a manual masquerade NAT rule with "exclude" set, matching source 10.10.1.0/24 and destination 192.168.2.0/24 on the WAN interface, and number it below your existing masquerade rule so it is evaluated first.
NAT behavior can break site-to-site traffic if you don’t exempt VPN subnets from NAT. A common pattern is to add a static route for VPN subnets and ensure NAT is disabled for traffic traveling between VPN peers.
Testing, monitoring, and maintenance
– After bringing the tunnel up, test connectivity:
– Ping from Site A to a host in Site B’s LAN
– Access a remote service that’s hosted behind Site B
– Verify IPsec status:
– show vpn ipsec sa
– show vpn ipsec tunnel
– show log vpn
– Regular maintenance:
– Check tunnel lifetimes and rekey intervals
– Update PSK or certificates before expiry
– Monitor for WAN jitter. VPN stability depends on WAN quality
– Performance expectations:
– EdgeRouter devices like the 4-series can sustain tens to hundreds of Mbps of IPsec throughput under favorable conditions; expect real-world throughput to be a fraction of wire speed based on CPU, encryption settings, and the number of tunnels.
Performance tips:
– Use AES-128 if you need more headroom and lower CPU load, unless regulatory or policy requirements demand AES-256.
– Prefer IKEv2 for more stable reconnections during WAN flaps.
– Keep ESP profiles aligned on both sides to avoid negotiation failures.
Common pitfalls and troubleshooting
– Overlapping subnets: If your Site A 10.10.1.0/24 clashes with Site B’s 10.10.1.0/24, traffic won’t route properly. Rework subnets if needed.
– Mismatched PSK or certificate: Always double-check the shared secret or certificate trust chain on both ends.
– NAT traversal issues: If NAT-T is disabled or not functioning, IPsec may fail behind NAT. Ensure NAT-T is enabled and that firewalls aren’t blocking ESP.
– Firewall misconfiguration: A firewall rule blocking UDP 500 or 4500 can prevent tunnel negotiation.
– Dynamic IP changes: When using DDNS, ensure the remote IP is updated promptly and that the remote side is using the updated hostname.
– MTU issues: IPsec encapsulation adds overhead; if you see fragmented packets or poor throughput, reduce the MTU or adjust MSS.
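To put a number on the MTU pitfall, the following added example (not from the original guide) sizes an ESP tunnel-mode packet for the AES-128-CBC / HMAC-SHA-256 profile configured above and finds the largest TCP MSS that still fits a 1500-byte WAN MTU, with and without NAT-T; it assumes IPv4 on both layers and no PPPoE or VLAN overhead, and the mss-clamp command syntax in mss_clamp_commands is an assumption about EdgeOS, not taken from the page.

```python
# Added example, not from the original guide: size an ESP tunnel-mode packet for
# the AES-128-CBC / HMAC-SHA-256 profile used above and derive the largest TCP MSS
# that still fits the WAN MTU, so inter-site TCP never depends on fragmentation.
IP_HDR, TCP_HDR, UDP_HDR = 20, 20, 8
ESP_HDR = 8          # SPI + sequence number
AES_BLOCK = 16       # CBC IV length, and the padding granularity
ESP_TRAILER = 2      # pad-length + next-header bytes
ICV = 16             # HMAC-SHA-256-128: authenticator truncated to 128 bits


def esp_packet_size(inner_len, nat_t=False):
    """Bytes on the wire for one inner IPv4 packet of inner_len bytes, tunnel mode."""
    pad = (-(inner_len + ESP_TRAILER)) % AES_BLOCK     # block-align payload + trailer
    size = IP_HDR + ESP_HDR + AES_BLOCK + inner_len + pad + ESP_TRAILER + ICV
    return size + (UDP_HDR if nat_t else 0)            # NAT-T wraps ESP in UDP 4500


def max_mss(mtu=1500, nat_t=False):
    """Largest TCP MSS whose full-size segment still encapsulates within mtu."""
    mss = mtu - IP_HDR - TCP_HDR                       # the plain-Ethernet value, 1460
    while esp_packet_size(IP_HDR + TCP_HDR + mss, nat_t) > mtu:
        mss -= 1                                       # overhead grows monotonically, so step down
    return mss


def mss_clamp_commands(mss):
    """EdgeOS commands that clamp TCP MSS on all interfaces (assumed EdgeOS 1.x/2.x syntax)."""
    return [f"set firewall options mss-clamp mss {mss}",
            "set firewall options mss-clamp interface-type all"]


if __name__ == "__main__":
    for nat_t in (False, True):
        mss = max_mss(1500, nat_t)
        print(f"NAT-T={nat_t}: max MSS {mss}, wire size {esp_packet_size(40 + mss, nat_t)}")
    print("\n".join(mss_clamp_commands(max_mss(1500, True))))
```

Clamp a little below the computed value if the WAN path carries extra headers such as PPPoE or VLAN tags, since those reduce the usable MTU further.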
Performance and scaling for multiple sites
– For three or more sites, consider a hub-and-spoke model with a central “hub” EdgeRouter and spokes connecting to it. This simplifies crypto policy management and routing tables.
– Use route-based VPNs with precise subnets to avoid routing loops and traffic leaks.
– If you anticipate many simultaneous tunnels, ensure the hardware is capable of the load. EdgeRouter 8/12/4 series can scale reasonably, but performance will drop under heavy CPU-bound encryption.
– Central logging helps with multi-site diagnostics. Consider a SIEM or syslog server to correlate VPN events across sites.
Security hardening and best practices
– Use a unique PSK per site-to-site connection rather than reusing the same secret across tunnels.
– Prefer IPsec with IKEv2 and strong crypto, and keep firmware up to date.
– Limit VPN access to only the subnets that need to exchange data; avoid broad access across both sites if not required.
– Disable unnecessary services on EdgeRouter to minimize the attack surface.
– Regularly audit firewall rules to ensure only required traffic is allowed across the VPN.
– Consider certificate-based authentication for larger deployments; this reduces the risk of PSK exposure and improves automation.
Frequently Asked Questions
# What is Edgerouter site-to-site vpn?
Edgerouter site-to-site vpn is a technology that creates a secure, encrypted tunnel between two or more distinct networks over the public Internet, allowing devices on each network to communicate as if they were on the same local network.
# What VPN protocol does EdgeRouter use for site-to-site connections?
EdgeRouter uses IPsec for site-to-site connections, typically with IKE v1 or v2 for key exchange and ESP for the data plane. IKEv2 is generally preferred for reliability and efficiency.
# Should I use pre-shared keys or certificates for authentication?
For simple two-site setups, pre-shared keys are easy and fast to deploy. For larger topologies or ongoing scalability, certificates provide stronger security and easier management.
# Can I use dynamic WAN IPs with a site-to-site VPN?
Yes, with dynamic DNS (DDNS). Point the remote tunnel endpoint to a hostname instead of a fixed IP, and ensure the DDNS service updates promptly so the tunnel can re-establish if the IP changes.
# How do I know if the VPN tunnel is up?
You can check this from the EdgeRouter CLI using show vpn ipsec sa or show vpn ipsec tunnel. The GUI also shows tunnel status and uptime.
# What kind of traffic goes through a site-to-site VPN?
Site-to-site VPNs typically carry inter-site traffic, that is, traffic destined for networks on the other site. You can configure the tunnel to route only specific subnets or to route all traffic through the VPN (full-tunnel).
# How do I test site-to-site VPN connectivity?
Test by pinging hosts in the remote site, attempting to access services on remote subnets, and verifying that traffic logs show VPN encapsulation. You can also run traceroute to verify the hop from one site to another goes via the VPN tunnel.
# How do I troubleshoot a tunnel that won’t establish?
– Check PSK/cert mismatches
– Verify IKE and ESP policy compatibility between both ends
– Ensure ports 500/4500 are open on adjacent firewalls
– Confirm that NAT traversal is enabled if NAT is in use
– Validate dynamic DNS updates if you’re using DDNS
– Review EdgeRouter logs for specific error messages (IKE failed, no matching SA, etc.)
# What firewall rules are recommended for a site-to-site VPN?
Create a dedicated VPN firewall zone or rules that allow:
– IKE (UDP 500)
– NAT-T (UDP 4500)
– ESP (IP protocol 50)
And ensure traffic between the VPN subnets and your internal LAN subnets is allowed in both directions.
# How can I optimize performance for IPsec on EdgeRouter?
– Use AES-128 by default and reserve AES-256 for when you need extra security.
– Prefer IKEv2 for faster rekeying and stability
– Keep EdgeRouter firmware up to date
– Avoid excessive secondary processing tasks on the router, and consider upgrading hardware if you’re running multiple tunnels or handling heavy traffic
# Can I integrate site-to-site VPN with cloud resources (AWS, Azure, GCP)?
Yes. You can set up a site-to-site IPsec VPN between EdgeRouter and cloud VPN gateways. The exact steps depend on the cloud provider, but the concepts (IKE/IPsec profiles, PSK/cert authentication, and firewall/NAT rules) are similar. Cloud platforms often provide a companion VPN configuration guide that maps to EdgeRouter’s IPsec configuration blocks.
# What are common use cases for Edgerouter site-to-site VPN?
– Connecting two office locations to share file servers, printers, and internal apps
– Extending a private network to a remote data center or co-location facility
– Creating a secure path for disaster recovery sites to replicate data
– Providing a secure tunnel for cross-site management access and IT workloads
# How often should I rotate the IPsec keys or certificates?
Rotate PSKs every 6–12 months for small setups and more frequently for high-security environments. Certificate-based setups benefit from certificate lifecycle management, with renewal before expiration and automated renewal processes where possible.
# Are there any pitfalls to avoid when upgrading EdgeRouter firmware?
Yes. Back up your configuration before upgrading, test the upgrade in a staging environment if possible, and review release notes for potential changes to IPsec behavior or known issues. Some upgrades may alter default firewall behavior or VPN policy handling, so a post-upgrade validation run is wise.
# Can site-to-site VPN be used with a remote-access VPN for employees?
Absolutely. You can run a site-to-site VPN for inter-site connectivity and offer a separate remote-access VPN for employees to connect securely from outside the LAN. Keep traffic separation clear and enforce strict routing policies to prevent data leaks between remote-access and site-to-site traffic.
Useful URLs and Resources
- EdgeRouter documentation and EdgeOS wiki
- Ubiquiti Community Forums
- IPsec and IKEv2 overview on Wikipedia
- RFC 4301 Security Architecture for IPsec
- Dynamic DNS providers and tutorials
- General VPN best practices guides and security checklists
If you’re ready to dive into the hands-on setup, pull up your EdgeRouter and start with a clean lab environment. Test each step, verify tunnel status after every change, and keep a log of your configurations so you can roll back quickly if needed. With the right settings, Edgerouter site-to-site vpn can provide a stable, secure bridge between your sites that’s easy to manage and scale as your network grows.