Configuring Perimeter 81 Site-To-Site with Edgemax Device

The following procedure demonstrates how to configure a site-to-site VPN tunnel between a Perimeter 81 Gateway and an Edgemax device, starting in the Perimeter 81 management interface. Please follow the steps below:

1. Go to the Gateway in your network from which you want to create the tunnel to Edgemax.

2. Select the three-dotted menu (...) and select Add Tunnel.

3. Select IPSec Site-2-Site Tunnel and select Continue.

General Settings

Enter the General settings:

Name - Set the name for the tunnel.

Shared Secret - Enter the same shared secret you set on the Edgemax.

Public IP and Remote ID - Enter the Edgemax VPN Gateway public IP address.

In Perimeter 81 Gateway Proposal Subnets, select Any or Specific Subnet.

In Remote Gateway Proposal Subnets, enter your Edgemax subnet(s).

Advanced Settings

Enter the Advanced settings:

  • IKE Version - V1
  • IKE Lifetime - 8h
  • Tunnel Lifetime - 1h
  • Dead Peer Detection Delay - 15s
  • Dead Peer Detection Timeout - 30s
  • Encryption (Phase 1) - aes256
  • Encryption (Phase 2) - aes256
  • Integrity (Phase 1) - sha1
  • Integrity (Phase 2) - sha1
  • Diffie-Hellman Groups (Phase 1) - 2
  • Diffie-Hellman Groups (Phase 2) - 2

4. Select Add Tunnel.

Configuring the Edgemax device

1. On the Edgemax router, open the CLI and enter configuration mode.
configure

2. Enable the auto-firewall-nat-exclude feature, which automatically creates the IPsec firewall/NAT exclusion policies in the iptables firewall.
set vpn ipsec auto-firewall-nat-exclude enable

3. Create the IKE / Phase 1 (P1) Security Associations (SAs).
set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 14
set vpn ipsec ike-group FOO0 proposal 1 encryption aes128
set vpn ipsec ike-group FOO0 proposal 1 hash sha1

set vpn ipsec ike-group FOO0 dead-peer-detection interval 15
set vpn ipsec ike-group FOO0 dead-peer-detection timeout 30

4. Create the ESP / Phase 2 (P2) SAs and enable Perfect Forward Secrecy (PFS).
set vpn ipsec esp-group FOO0 lifetime 3600
set vpn ipsec esp-group FOO0 pfs enable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash sha1

5. Define the remote peering address (replace <secret> with your desired passphrase, <Your Perimeter81 Gateway IP> with the Gateway IP you got from P81, and <Your Edgerouter WAN IP> with the WAN address of your Edgerouter).
set vpn ipsec site-to-site peer <Your Perimeter81 Gateway IP> authentication mode pre-shared-secret
set vpn ipsec site-to-site peer <Your Perimeter81 Gateway IP> authentication pre-shared-secret <secret>
set vpn ipsec site-to-site peer <Your Perimeter81 Gateway IP> description ipsec
set vpn ipsec site-to-site peer <Your Perimeter81 Gateway IP> local-address <Your Edgerouter WAN IP>

6. Link the SAs created above to the remote peer and bind the VPN to a virtual tunnel interface (vti0).
set vpn ipsec site-to-site peer <Your Perimeter81 Gateway IP> ike-group FOO0
set vpn ipsec site-to-site peer <Your Perimeter81 Gateway IP> vti bind vti0
set vpn ipsec site-to-site peer <Your Perimeter81 Gateway IP> vti esp-group FOO0

7. Configure the virtual tunnel interface (vti0) and assign it an IP address. This is only an internal address for the virtual tunnel interface; it can be any address that is not used on any of your sites.
set interfaces vti vti0 address 192.168.20.20/32

8. Create a static route for the Perimeter 81 subnet (in this case the default 10.255.0.0/16).
set protocols static interface-route 10.255.0.0/16 next-hop-interface vti0

9. Commit the changes and save the configuration.
commit ; save

10. Go back to the GUI and click VPN -> Site-to-Site connection.

11. Verify that the peer associated with the Gateway IP you got from P81 has:
Remote subnet: 10.255.0.0/16 (or the local P81 gateway subnet that you selected)
Local subnet: the full subnet range (CIDR) of your LAN devices
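IKE only completes when one proposal on each side matches, so it is worth comparing the two configurations before committing. The script below is an added example, not part of this article or of any Perimeter 81 or Ubiquiti tool: it parses the EdgeOS `set vpn ipsec` lines from the steps above and checks them against the Perimeter 81 Advanced settings listed earlier (8h and 1h lifetimes expressed as 28800 and 3600 seconds), reporting every parameter on which the two sides differ, which for the values as printed on this page is the encryption algorithm and the Phase 1 DH group.

```python
import re

# EdgeOS commands copied from the EdgeMax steps in this article.
EDGEOS_CONFIG = """
set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 14
set vpn ipsec ike-group FOO0 proposal 1 encryption aes128
set vpn ipsec ike-group FOO0 proposal 1 hash sha1
set vpn ipsec ike-group FOO0 dead-peer-detection interval 15
set vpn ipsec ike-group FOO0 dead-peer-detection timeout 30
set vpn ipsec esp-group FOO0 lifetime 3600
set vpn ipsec esp-group FOO0 pfs enable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash sha1
"""

# Perimeter 81 Advanced settings from this article, written in EdgeOS terms
# (Phase 1 -> ike-group, Phase 2 -> esp-group, lifetimes in seconds).
P81_SETTINGS = {
    "ike-group": {"lifetime": "28800", "encryption": "aes256", "hash": "sha1",
                  "dh-group": "2", "dead-peer-detection interval": "15",
                  "dead-peer-detection timeout": "30"},
    "esp-group": {"lifetime": "3600", "encryption": "aes256", "hash": "sha1"},
}

# Matches 'set vpn ipsec <ike-group|esp-group> <name> [proposal N] <key> <value>'.
_LINE = re.compile(r"^set vpn ipsec (ike-group|esp-group) \S+ (?:proposal \d+ )?(.+?) (\S+)$")


def parse_edgeos(config_text):
    """Collect the ike-group and esp-group parameters from EdgeOS 'set' lines."""
    groups = {"ike-group": {}, "esp-group": {}}
    for line in config_text.strip().splitlines():
        m = _LINE.match(line.strip())
        if m:
            kind, key, value = m.groups()
            groups[kind][key] = value
    return groups


def find_mismatches(edgeos, expected):
    """Return (group, parameter, edgeos_value, p81_value) for each parameter that differs."""
    diffs = []
    for kind, params in expected.items():
        for key, want in params.items():
            have = edgeos.get(kind, {}).get(key)
            if have != want:
                diffs.append((kind, key, have, want))
    return diffs


if __name__ == "__main__":
    for kind, key, have, want in find_mismatches(parse_edgeos(EDGEOS_CONFIG), P81_SETTINGS):
        print(f"{kind} {key}: EdgeMax={have} Perimeter81={want}")
```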
