Peer 1 Site-to-Site Configuration

IPsec Configuration

Phase 1 Configuration

  • Navigate to VPN > IPsec

  • Click Add P1

  • Set Key Exchange version to IKEv2

  • Set Internet Protocol to IPv4

  • Set Interface to WAN

  • Set Remote Gateway to 10.129.0.10

  • Set Authentication Method to Mutual PSK

  • Set My identifier to My IP address

  • Set Peer identifier to Peer IP address

  • Set Pre-Shared Key to 01234567

    Note

    This PSK is only an example value for the lab. Use a long random PSK (for example 32 or more random bytes, base64 encoded) in any real deployment, and enter the identical value on the TNSR side. With IKEv2 Mutual PSK, a short or guessable key is exposed to offline guessing by an active attacker that impersonates one gateway (RFC 7296, section 2.15).

  • Set Encryption:

    • Algorithm to AES

    • Key length to 256 bit

    • Hash to SHA256

    • DH Group to 14 (2048 bit)

  • Set Lifetime as 28800

  • Click Save

Phase 2 Configuration

  • On the newly created Phase 1 entry, click Show Phase 2 Entries

  • Click Add P2

  • Set Mode to Routed (VTI)

  • Set Local Network to 10.131.2.2 and mask 30

  • Set Remote Network to 10.131.2.1

  • Set Protocol to ESP

  • Set Encryption Algorithms to AES and 256 bit

  • Uncheck all other Encryption Algorithms entries

  • Set Hash Algorithms to SHA256

  • Uncheck all other Hash Algorithms entries

  • Set PFS key group to 14 (2048 bit)

  • Set Lifetime as 3600

  • Click Save

  • Click Apply Changes

Interface Configuration

  • Navigate to Interfaces > Interface Assignments

  • From the Available network ports list, choose ipsecNNNN (IPsec VTI) (The ID number will vary)

  • Click Add

  • Note the newly created interface name, such as OPTX

  • Navigate to Interfaces > OPTX

  • Check Enable

  • Click Save

  • Click Apply Changes

Routing Configuration

  • Navigate to System > Package Manager and install the FRR package

  • Browse to Services > FRR Global/Zebra

  • Check Enable FRR

  • Set Master Password to any value

    Note

    This is required for the zebra management daemon to run; the password is not used by clients.

  • Check Enable logging

  • Set Router ID to 192.168.1.1

    The Router ID only needs to be a unique 32-bit value. In this case it is the LAN interface IP address, on the assumption that this interface will always be up and available for routing between LAN subnets.

  • Click Save

  • Navigate to the [BGP] tab

  • Check Enable BGP Routing

  • Check Log Adjacency Changes

  • Set Local AS to 65001

  • Set Router ID to 192.168.1.1

  • Set Networks to Distribute to 192.168.1.0/24

  • Click Save

  • Navigate to the Advanced tab

  • Check Disable eBGP Require Policy

    Note

    By default FRR refuses to accept or advertise eBGP routes on a neighbor that has no inbound and outbound policy (RFC 8212). Disabling that check is acceptable for this lab with a single trusted TNSR peer, but in production leave it enabled and attach prefix list filters to the neighbor instead, so that a misconfigured or compromised peer cannot inject arbitrary prefixes or a default route.

  • Click Save

  • Navigate to the Neighbors tab

  • Click Add

  • Set Name/Address to the TNSR end of the VTI, 10.131.2.1 (the Remote Network address from the Phase 2 entry above)

  • Set Remote AS to 65000

  • Click Save

At this point, BGP will learn routes to 192.168.0.0/24, 192.168.2.0/24, and 192.168.3.0/24 and install them in the routing table. If they do not appear, check Status > FRR on the BGP tab, which contains useful BGP troubleshooting information, and the routing log at Status > System Logs under System > Routing.
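The following is the FRR BGP configuration that the GUI steps above produce, written out as an added example for reference; it is not taken from the page or from the FRR package. It shows the weak form, equivalent to checking Disable eBGP Require Policy, beside a hardened form that keeps FRR's default policy requirement and filters both directions with prefix lists. The neighbor address is the TNSR end of the VTI (the Remote Network address from the Phase 2 entry); the prefix list names LOCAL-OUT and TNSR-IN and the neighbor description are assumptions.

```text
! Added example, not from the page.
!
! Weak form: what "Disable eBGP Require Policy" does. Every prefix the
! peer sends is accepted and every local route is advertised, with no
! filter in either direction.
!
!   router bgp 65001
!    no bgp ebgp-requires-policy
!    neighbor 10.131.2.1 remote-as 65000
!    address-family ipv4 unicast
!     network 192.168.1.0/24
!    exit-address-family
!
! Hardened form: keep the FRR default (RFC 8212) and attach explicit
! prefix lists to the neighbor. Names are assumed for this example.
router bgp 65001
 bgp router-id 192.168.1.1
 bgp log-neighbor-changes
 bgp ebgp-requires-policy
 neighbor 10.131.2.1 remote-as 65000
 neighbor 10.131.2.1 description TNSR over IPsec VTI
 !
 address-family ipv4 unicast
  network 192.168.1.0/24
  neighbor 10.131.2.1 prefix-list TNSR-IN in
  neighbor 10.131.2.1 prefix-list LOCAL-OUT out
 exit-address-family
!
! Outbound: advertise only this peer's LAN, so nothing else is leaked.
ip prefix-list LOCAL-OUT seq 10 permit 192.168.1.0/24
ip prefix-list LOCAL-OUT seq 100 deny any
!
! Inbound: accept only the remote LANs this peer expects from TNSR.
! A default route or any other prefix from a misconfigured or
! compromised peer is dropped before it reaches the routing table.
ip prefix-list TNSR-IN seq 10 permit 192.168.0.0/24
ip prefix-list TNSR-IN seq 20 permit 192.168.2.0/24
ip prefix-list TNSR-IN seq 30 permit 192.168.3.0/24
ip prefix-list TNSR-IN seq 100 deny any
```

In the pfSense FRR package the equivalent settings are the prefix lists defined under Services > FRR and the inbound and outbound prefix list filter fields on the BGP neighbor entry; the neighbor then comes up without the Disable eBGP Require Policy option. The explicit `deny any` entries only restate FRR's implicit deny, but they make the intent visible when reviewing the running configuration.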

Firewall Configuration

To allow connections into the local LAN from remote IPsec sites, create pass rules under Firewall > Rules on the IPsec tab. Set the Source on these rules to the remote LAN or whichever network is the source of the traffic to allow.

For simplicity, this example uses a single rule that passes IPv4 traffic from any source to any destination, since the only traffic arriving on the IPsec interface will be from 192.168.0.0/22. In a production deployment, restrict Source to the remote networks and Destination to the local hosts and ports that the remote sites actually need.

NAT Configuration

TNSR performs NAT for this peer, so outbound NAT on pfSense is not necessary for the VPN traffic. Outbound NAT may be left at its default (Automatic) mode, which does not apply NAT to traffic leaving through the IPsec interface, or it may be disabled entirely.