
Ubiquiti EdgeRouter X site-to-site VPN setup and tutorial for reliable IPsec site-to-site connections (2026)


Ubiquiti EdgeRouter X site-to-site VPN setup and tutorial for reliable IPsec site-to-site connections: this quick-start guide gives you a practical, no-nonsense path to getting a secure tunnel up between two networks. Whether you’re linking a branch office to your home lab or connecting two remote sites for a small business, you’ll walk away with a solid, maintainable setup. Here’s a concise overview of what you’ll get:

  • A step-by-step walkthrough for configuring IPsec site-to-site VPN on the Edgerouter X
  • Real-world tips to keep latency low and tunnels stable
  • Common pitfalls and how to avoid them
  • A checklist to verify the tunnel after initial setup
  • Quick reference commands you can copy-paste


Why the EdgeRouter X is a solid choice for IPsec site-to-site VPNs

The EdgeRouter X is a compact, affordable device that handles IPsec well when you set it up correctly. It runs EdgeOS, a Linux-based router OS with a familiar CLI and a usable web UI. For many small offices or home labs, it provides:

  • Low cost with decent performance for typical site-to-site traffic
  • Flexible firewall rules and NAT options
  • Clear logging and monitoring to troubleshoot VPNs
  • A straightforward approach to creating IPsec tunnels with strong cryptography

If you’re running multiple sites or want to avoid a complex VPN stack, IPsec on the EdgeRouter X is a good balance of simplicity and security.

Pre-setup checklist

Before you start, gather these details:

  • Public IP addresses or dynamic DNS names of both sites
  • Internal subnets at Site A and Site B (for example, 192.168.1.0/24 and 192.168.2.0/24)
  • VPN peer public keys or pre-shared keys (PSKs)
  • Preferred encryption and hashing methods (AES-256, SHA-256, etc.)
  • Remote LAN ranges to reach across the tunnel
  • Any NAT rules you’ll need to allow VPN traffic (usually UDP 500 and 4500 for IPsec, plus ESP)

Optional but helpful:

  • A dynamic DNS provider if your public IPs aren’t static
  • A plan for monitoring the VPN (syslog, email alerts, or a monitoring tool)

Step-by-step: configuring IPsec site-to-site VPN on the EdgeRouter X

Below is a practical workflow you can follow. I’ll keep it tight and actionable, with commands you can adapt to your specific IPs and subnets.

1. Access the router and verify basic connectivity

  • Connect to the EdgeRouter X via its LAN IP in a web browser.
  • Log in with your admin credentials.
  • Confirm you can reach the internet from the router and that the WAN interface has a valid IP.
  • Ping a remote host on the other site if available to verify basic reachability once VPN is up.

2. Create the VPN tunnel (IPsec)

In EdgeOS, IPsec tunnels are typically configured under VPN > IPsec or via the CLI. Here’s a representative workflow you can adapt:

  • Define the first tunnel with a descriptive name, for example: vpn-to-siteB
  • Set the local and remote networks:
    • Local network: Site A LAN (e.g., 192.168.1.0/24)
    • Remote network: Site B LAN (e.g., 192.168.2.0/24)
  • Configure the authentication method:
    • If you’re using a PSK: set the pre-shared key to a strong random value
    • If you’re using certificate-based auth: install the certificates on both sides
  • Choose Phase 1 and Phase 2 proposals:
    • Phase 1: IKEv2 or IKEv1 with AES-256, MODP 2048, SHA-256
    • Phase 2: ESP with AES-256 (or AES-128) and SHA-256; PFS group such as MODP 2048
  • Enable perfect forward secrecy (PFS) and set the lifetimes (e.g., 3600 seconds for Phase 1, 3600 seconds for Phase 2)

Example parameters to adapt:

  • Local IP: your site A public IP or DDNS hostname
  • Remote IP: site B public IP or DDNS hostname
  • PSK: your-strong-psk

3. Build the tunnel policies and rules

  • Create firewall rules that allow IPsec traffic to pass:
    • Allow UDP 500 (IKE) and UDP 4500 (NAT-T)
    • Allow ESP (IP protocol 50)
  • Add policy-based routing if you want only certain traffic to go over the VPN; otherwise you can use a route-based approach.

4. Define the interesting traffic (LAN-to-LAN)

  • On Site A, specify that 192.168.1.0/24 (your LAN) can reach 192.168.2.0/24 (the remote LAN) through the VPN
  • Do the reciprocal rule on Site B
  • If you’re using NAT, ensure you don’t NAT traffic between the VPN peers unless you actually need NATed VPN traffic

5. Save, apply, and test

  • Save the configuration
  • Apply the changes
  • Check the VPN status in EdgeOS:
    • Look for tunnel state: up, IKE established, Phase 2 established
  • Run a simple ping test from a host in Site A to a host in Site B to confirm connectivity

6. Troubleshooting common issues

  • If the tunnel won’t start, verify:
    • Shared PSK matches on both sides
    • Phase 1 and Phase 2 proposals are identical on both ends
    • Remote networks are correctly defined and don’t overlap with internal networks
  • If you see “no matching IPsec policy,” double-check your subnets and encryption settings
  • If the tunnel is intermittent, check:
    • Network stability on the WANs
    • NAT-T traversal if behind NAT
    • Keep-alive/DPD (Dead Peer Detection) settings
  • If you’re unable to reach the remote LAN, verify routing tables on both sides and ensure there are no conflicting static routes

7. Monitoring and maintenance tips

  • Enable logging for IPsec events to quickly spot misconfigurations
  • Set up simple alerts for tunnel down events
  • Periodically review PSKs or certificates and rotate them if you suspect exposure
  • Document the configuration details and keep backups of the EdgeOS config

Practical configuration sample (generic)

Note: Replace the placeholders with your actual IPs and subnets.

  • Local network Site A: 192.168.1.0/24
  • Remote network Site B: 192.168.2.0/24
  • Site A public IP: x.x.x.x
  • Site B public IP: y.y.y.y
  • PSK: your-very-strong-psk

VPN setup summary example

  • IKE version: IKEv2
  • Encryption: AES-256
  • PRF: SHA-256
  • Integrity: SHA-256
  • DH group: 14 (2048-bit)
  • Perfect Forward Secrecy: enabled
  • Phase 2: ESP AES-256 with SHA-256
  • PFS: enabled
  • NAT-T: enabled if behind NAT

Routing and firewall rules

  • Allow: UDP 500, UDP 4500, ESP (IP protocol 50)
  • Permit internal LAN traffic to remote LAN through the VPN
  • Optional: route-based policy route to VPN tunnel for 192.168.2.0/24, and vice versa

Performance expectations and real-world data

  • Typical VPN throughput on the EdgeRouter X depends on hardware revision and traffic mix, but many setups achieve tens to low hundreds of Mbps for IPsec when well-tuned
  • In environments with heavy encryption, consider enabling AES-NI acceleration and verify CPU load remains acceptable
  • Latency-sensitive apps (VoIP, video conferencing) benefit from keeping MTU and MSS values optimized to prevent fragmentation

Security considerations

  • Use strong PSKs or certificates and rotate them periodically
  • Disable unused services on the EdgeRouter X to minimize attack surface
  • Keep EdgeOS firmware updated to protect against known exploits
  • Segment networks where possible to limit blast radius if a VPN endpoint is compromised

Common mistakes to avoid

  • Mismatched Phase 1/Phase 2 proposals across sites
  • Overlapping subnets between Site A and Site B
  • Not enabling NAT-T when devices sit behind NAT
  • Relying on default firewall rules without explicit IPsec allowances
  • Skipping backups of the configuration before making changes

Advanced tips for stability

  • Use a dynamic DNS service if your public IP changes regularly, so the remote site can always reach you
  • If you have multiple remote sites, consider creating a hub-and-spoke topology with a central site acting as the hub
  • Enable DPD (Dead Peer Detection) on both ends to quickly recover from temporary network issues
  • Consider a secondary, backup WAN connection if uptime is critical

Troubleshooting quick-reference commands (CLI)

  • Show IPsec status:
    • show vpn ipsec status
  • Show VPN tunnel details:
    • show vpn ipsec sa
  • Check routing table for VPN routes:
    • show ip route
  • Test connectivity through the VPN:
    • ping 192.168.2.10 source 192.168.1.100
  • Review logs for IPsec events:
    • show log | match ipsec
  • Validate firewall rules for VPN traffic (EdgeOS filters output with match, not include):
    • show configuration commands | match firewall

Real-world examples and scenarios

  • Small office to home lab: two sites with 192.168.1.0/24 and 192.168.2.0/24, static public IPs
    • Setup is straightforward; often all traffic between the subnets routes through the VPN
  • Remote branch with dynamic IP: use a DDNS hostname on Site A and configure IPsec to use that hostname at the other end
    • Ensure the remote site can resolve the hostname and update the IP when it changes
  • Site-to-site with mixed NAT: enable NAT-T on both sides so VPN traffic can traverse NAT devices without breaking the tunnel

Best practices for long-term reliability

  • Regularly review firewall rules and VPN configurations to keep them aligned with current network design
  • Keep firmware updated to fix security vulnerabilities and improve VPN compatibility
  • Maintain a clear change log so future admins understand why a tunnel was modified
  • Back up the EdgeOS configuration after every major change

About maintenance windows and upgrades

  • Plan maintenance during off-peak hours to minimize disruption
  • After firmware updates, recheck VPN status and tunnels
  • Validate connectivity with representative devices on both sides after any update

FAQ Section

What is an IPsec site-to-site VPN?

IPsec site-to-site VPN creates a secure tunnel between two networks over the internet, allowing devices on both sides to communicate as if they were on the same local network.

Can I use the EdgeRouter X for IKEv2?

Yes, the EdgeRouter X supports IKEv2, which is generally more modern and efficient than IKEv1.

Do I need a static public IP for each site?

Static IPs simplify configuration, but you can use dynamic DNS with updates on both sides if you don’t have static IPs.

How do I verify the VPN tunnel is up?

Check the EdgeOS VPN status page or use the CLI to view IPsec SA status. Look for phases established and a stable tunnel state.

What if the tunnel drops randomly?

Investigate WAN stability and DPD/keepalive settings, and ensure there are no IP conflicts or routing issues. Check logs for disconnect reasons.

Should I use pre-shared keys or certificates?

PSKs are simpler for small deployments; certificates are more scalable and secure for larger environments.

How do I rotate the VPN PSK?

Update the PSK on both sides, then reinitialize the tunnel. Verify both ends come up cleanly after rotation.

How can I improve VPN performance?

Use strong encryption but consider hardware acceleration features, ensure MTU/MSS are optimized, and minimize unnecessary traffic across the VPN.

How do I handle overlapping networks?

Adjust internal subnets so there’s no overlap. If you must work with overlapping networks, you’ll need NAT or more complex routing rules to separate the traffic.

Can I run more than one VPN tunnel on the same EdgeRouter X?

Yes, you can configure multiple IPsec tunnels, but ensure each tunnel has unique local/remote networks and distinct credentials.

Is NAT-T required?

If either site sits behind NAT, NAT-T is typically required to allow IPsec to traverse NAT devices.

A common setup uses 3600 seconds 1 hour for Phase 1 and Phase 2, but you can tailor this to your policy and stability needs.

How do I back up my EdgeRouter X configuration?

In the web UI, go to System > Backup, then download the backup file. Store it securely and annotate with date and changes.

How can I monitor VPN health long-term?

Set up logs and alerts for VPN events, and consider integrating with a monitoring system that tracks uptime and latency between sites.

What should I do if I need to migrate to a new site?

Prepare new subnets, adjust VPN peer settings to reflect the new endpoints, and test connectivity thoroughly before decommissioning the old tunnel.

How do I troubleshoot DNS on VPN-connected hosts?

Ensure DNS servers are reachable through the VPN, and verify that split-tunnel DNS or full-tunnel DNS configurations aren’t conflicting with local DNS settings.

Can I use a hybrid VPN approach with other services?

Yes, you can run IPsec site-to-site alongside other VPN types, but keep routing and policy rules clear to avoid traffic leakage or conflicts.

Welcome to our practical guide on getting a solid, reliable IPSec site-to-site VPN using the Ubiquiti EdgeRouter X. If you’re a small business owner, IT hobbyist, or someone who just wants a rock-solid connection between two offices, you’ve come to the right place. I’ll walk you through everything you need: from prep work and hardware basics to step-by-step configuration, common pitfalls, and performance tuning. Think of this as my go-to checklist that I actually use in real life.

Quick fact: a well-implemented IPSec site-to-site VPN can cut latency, improve reliability, and keep traffic private between distant networks without extra hardware at each hop. For EdgeRouter X users, the key is clean routing, clean firewall rules, and matching tunnel settings on both ends.

What you’ll gain from this guide

  • A clear, step-by-step setup process you can follow end-to-end
  • Real-world tips to avoid common EdgeRouter X VPN pitfalls
  • Performance tweaks to maximize throughput and minimize latency
  • A verification checklist to confirm the VPN is healthy and stable
  • Access to useful resources and reference data to keep things current

Table of contents

  • Quick setup overview
  • Getting started: hardware, firmware, and prerequisites
  • Planning your VPN: peer networks, subnets, and security
  • Step-by-step EdgeRouter X site-to-site VPN setup
  • Verifying and troubleshooting the VPN
  • Performance tuning and best practices
  • Advanced topics: dual VPNs, failover, and monitoring
  • Practical examples: common topologies
  • Resources and references
  • Frequently asked questions

Quick setup overview

  • Goal: Create a stable IPSec site-to-site VPN between two EdgeRouter X devices (or between an EdgeRouter X and another IPSec-capable device) so traffic between networks 10.1.0.0/24 and 172.16.0.0/16 (example subnets) flows privately over the Internet.
  • Core steps: define networks, configure the ISAKMP/IKE phase, set up the IPsec tunnel, create policies and routes, apply firewall rules, test, and monitor.
  • Key considerations: accurate peer IPs, matching subnets, firewall allowances, and consistent MTU/MSS values to avoid fragmentation.

Getting started: hardware, firmware, and prerequisites

  • EdgeRouter X hardware basics
    • 5-port switch, dual-core MIPS CPU, 256 MB RAM (typical)
    • Supports IPsec, OpenVPN, and various routing features
  • Firmware and software
    • EdgeOS (the EdgeRouter’s operating system) regularly receives updates. Ensure you’re on a stable release that supports IPsec site-to-site well.
  • Network prerequisites
    • Public IP on each side (static is ideal; dynamic can work with dynamic DNS and a stable policy)
    • Subnets you control behind each EdgeRouter X (e.g., 10.1.0.0/24 on Site A and 172.16.0.0/16 on Site B)
    • Basic firewall rules permitting VPN traffic (IPsec ESP, AH if needed, UDP 500, UDP 4500 for NAT-T)

Planning your VPN: peer networks, subnets, and security

  • Subnet planning
    • Avoid overlapping subnets to prevent routing ambiguity
    • Document both sides clearly; a simple table helps
  • Security choices
    • Encryption: AES-256-GCM, or AES-256-CBC with SHA-256 for integrity
    • DH group: 14 (2048-bit) or higher for better security; many devices default to 2 or 5, which might be slower
    • PFS: enable Perfect Forward Secrecy
  • Network topology examples
    • Site A: 10.1.0.0/24, Site B: 172.16.0.0/16
    • Site A: 192.168.10.0/24, Site B: 192.168.20.0/24
  • Performance expectations
    • IPSec on the EdgeRouter X can handle tens to hundreds of Mbps depending on traffic mix and CPU load
    • Real-world speed often depends on packet size, crypto mode, and MTU

Step-by-step EdgeRouter X site-to-site VPN setup
Note: This walkthrough uses a typical case where Site A uses 10.1.0.0/24 and Site B uses 172.16.0.0/16. Adjust subnets to your environment.

  1. Prepare the EdgeRouter X at both sites
  • Access the EdgeRouter X web UI (https://192.0.2.1 or your device IP)
  • Confirm firmware is up to date
  • Write down each side’s public IP and internal subnet
  • Back up the current configuration (export the config and save it)
  2. Create a basic routing plan
  • Ensure there are no conflicting static routes
  • Confirm there’s a default route to the Internet on each site
  • Create local LAN networks in the routing table for clarity
  3. Define the VPN peers and networks
  • Site A: Local LAN 10.1.0.0/24, Remote LAN 172.16.0.0/16
  • Site B: Local LAN 172.16.0.0/16, Remote LAN 10.1.0.0/24
  • Peer IPs: Site A public IP a.b.c.d, Site B public IP e.f.g.h
  4. Configure the IPSec tunnel (Phase 1 and Phase 2)
  • Phase 1 (ISAKMP/IKE)
    • Authentication: Pre-Shared Key (PSK)
    • Encryption: AES-256
    • Hash: SHA-256
    • DH Group: 14 (2048-bit)
    • Lifetime: 28800 seconds (8 hours) or 3600 seconds (1 hour), depending on policy
  • Phase 2 (IPSec)
    • Protocol: ESP
    • Encryption: AES-256-GCM, or AES-256-CBC if GCM is not supported by both sides
    • Integrity: SHA-256 if using CBC (GCM provides its own integrity check)
    • PFS: Enabled (Group 14)
    • Lifetime: 3600 seconds (1 hour) or 7200 seconds (2 hours)
  5. Create the VPN tunnel policy and firewall rules
  • VPN policy: allow IPsec ESP, ISAKMP (UDP 500) and NAT-T (UDP 4500)
  • LAN firewall rules: permit private subnets to tunnel endpoints as needed
  • NAT rules: exclude traffic between the two VPN subnets from NAT (site-to-site traffic should not be NATed)
  6. Route setup
  • Static routes or policy-based routing
  • Route traffic destined for the remote subnet via the VPN tunnel
  • Ensure the default route remains to the Internet for other traffic
  7. Apply and save configuration
  • Apply changes on Site A
  • Repeat steps 3–7 on Site B with mirrored settings
  • Save configurations on both sides
  8. Verify connectivity
  • Ping a host in the remote LAN from a host on Site A
  • Check VPN status in EdgeOS: VPN > IPSec > Tunnels, verify “up” state
  • Use traceroute to ensure traffic traverses the VPN tunnel
  9. Common gotchas you’ll likely encounter
  • Subnet overlap: double-check both LAN subnets don’t overlap
  • PSK mismatch: copy-paste errors are common; re-type/paste carefully
  • MTU fragmentation: if large packets drop, adjust MTU/MSS
  • NAT traversal: ensure NAT-T is enabled on both sides if behind NAT

Table: example configuration summary

| Item            | Site A (10.1.0.0/24)            | Site B (172.16.0.0/16)          |
|-----------------|---------------------------------|---------------------------------|
| Public IP       | a.b.c.d                         | e.f.g.h                         |
| Remote LAN      | 172.16.0.0/16                   | 10.1.0.0/24                     |
| Phase 1 (IKE)   | AES-256, SHA-256, DH14, PSK     | AES-256, SHA-256, DH14, PSK     |
| Phase 2 (IPSec) | AES-256-GCM or CBC, PFS on, ESP | AES-256-GCM or CBC, PFS on, ESP |
| Lifetime        | 28800s                          | 28800s                          |

Verifying and troubleshooting the VPN

  • Status checks
    • EdgeRouter X: VPN → IPSec → Tunnels → status should show “up”
    • Check for correct SPI values and shared keys
  • Diagnostic commands you can run
    • ping 172.16.0.1 from a host in 10.1.0.0/24
    • traceroute to a remote host to confirm the path
    • show vpn ike sa and show vpn ipsec sa in the CLI, if available
  • Common issues and fixes
    • Phase 1 fails: verify PSK, exchange mode, and firewall rules
    • Phase 2 fails: ensure matching transform sets, lifetimes, and PFS settings
    • Traffic not routing through VPN: validate policies and static routes
  • Real-world troubleshooting steps
    • Temporarily disable NAT on both ends for VPN-only traffic
    • Increase IKE/ESP lifetimes to rule out renegotiation as the cause of drops
    • Capture logs to identify mismatches in proposals
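The status checks in this section (and the quick-reference commands earlier on the page) are usually read by eye. As an added example, not from the page or from Ubiquiti, the Python below parses the strongSwan-style listing that EdgeOS prints for `show vpn ipsec sa` and flags the failure modes the checklist describes: IKE not established, ESP SA not installed, a weak proposal, and the classic "tunnel up but traffic one-way" case that points at routes, firewall or NAT exclusion on the silent side. The sample output, peer addresses and prefixes are constructed, and the exact layout of the listing is an assumption about your firmware; adjust the regular expressions if yours differs.

```python
import re

# Constructed sample, modelled on the strongSwan-style listing EdgeOS prints for
# "show vpn ipsec sa"; addresses are documentation ranges and the exact layout on
# your firmware may differ (an assumption of this example).
SAMPLE_SA = """\
peer-203.0.113.10-tunnel-1: #3, ESTABLISHED, IKEv2, 1a2b3c4d5e6f7a8b_i 9f8e7d6c5b4a3f2e_r*
  local  '198.51.100.20' @ 198.51.100.20[4500]
  remote '203.0.113.10' @ 203.0.113.10[4500]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  established 812s ago, rekeying in 26912s
  peer-203.0.113.10-tunnel-1: #5, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA2_256_128
    installed 812s ago, rekeying in 2421s, expires in 2788s
    in  c3d4e5f6,  48216 bytes,   402 packets,     2s ago
    out a1b2c3d4,      0 bytes,     0 packets
    local  192.168.1.0/24
    remote 192.168.2.0/24
"""

# Algorithm tokens that should never appear in a modern proposal.
WEAK_TOKENS = ("MODP_768", "MODP_1024", "3DES", "MD5", "SHA1")

IKE_RE = re.compile(r"^(\S+): #\d+, (\w+), (IKEv\d)")
ALG_RE = re.compile(r"^\s+(\S+/PRF_\S+)$")
CHILD_RE = re.compile(r"^\s+(\S+): #\d+, reqid \d+, (\w+), (\S+), ESP:(\S+)")
CTR_RE = re.compile(r"^\s+(in|out)\s+[0-9a-f]+,\s+(\d+) bytes,\s+(\d+) packets")
PFX_RE = re.compile(r"^\s+(local|remote)\s+(\d+\.\d+\.\d+\.\d+/\d+)$")


def parse_sa(text):
    """Extract IKE state, child (ESP) state, algorithms, counters and prefixes."""
    sa = {"ike_state": None, "ike_version": None, "ike_algs": "", "nat_t": False,
          "child_state": None, "esp_algs": "", "packets": {}, "prefixes": {}}
    for line in text.splitlines():
        if m := IKE_RE.match(line):
            sa["ike_state"], sa["ike_version"] = m.group(2), m.group(3)
        elif m := ALG_RE.match(line):
            sa["ike_algs"] = m.group(1)
        elif m := CHILD_RE.match(line):
            sa["child_state"], sa["esp_algs"] = m.group(2), m.group(4)
            sa["nat_t"] = "UDP" in m.group(3)   # TUNNEL-in-UDP means NAT-T encapsulation
        elif m := CTR_RE.match(line):
            sa["packets"][m.group(1)] = int(m.group(3))
        elif m := PFX_RE.match(line):
            sa["prefixes"][m.group(1)] = m.group(2)
    return sa


def assess(sa):
    """Return a list of human-readable problems; an empty list means healthy."""
    issues = []
    if sa["ike_state"] != "ESTABLISHED":
        issues.append(f"IKE SA not established (state={sa['ike_state']})")
    if sa["child_state"] != "INSTALLED":
        issues.append(f"ESP SA not installed (state={sa['child_state']})")
    for token in WEAK_TOKENS:
        if token in sa["ike_algs"] or token in sa["esp_algs"]:
            issues.append(f"weak algorithm negotiated: {token}")
    pin, pout = sa["packets"].get("in", 0), sa["packets"].get("out", 0)
    if pin == 0 and pout == 0:
        issues.append("tunnel up but idle: no packets in either direction")
    elif pin == 0 or pout == 0:
        silent = "outbound" if pout == 0 else "inbound"
        issues.append(f"one-way traffic ({silent} counter is zero): check routes, "
                      "firewall and NAT exclusion on the silent side")
    return issues


def check_output(text):
    """Convenience wrapper: feed the raw CLI output, get the findings."""
    return assess(parse_sa(text))


if __name__ == "__main__":
    for finding in check_output(SAMPLE_SA) or ["tunnel healthy"]:
        print(finding)
```

Run it with `show vpn ipsec sa` output piped in from the router over SSH, or schedule it as a cron job that alerts on a non-empty findings list; the packet counters are the part worth watching, because a tunnel can be ESTABLISHED and INSTALLED while carrying nothing in one direction.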

Performance tuning and best practices

  • Hardware considerations
    • EdgeRouter X is capable, but performance depends on traffic type
    • Use AES-256-GCM if both sides support it for better performance in some cases
  • MTU and fragmentation
    • Start with MTU 1500 and adjust if you see fragmentation or VPN packet loss
    • Consider MSS clamping on VPN traffic to avoid TCP fragmentation
  • Crypto settings
    • Prefer AES-256-GCM for higher throughput and integrity
    • Use DH group 14 or higher for stronger keys
  • Redundancy and failover
    • If you need HA, consider running two VPN tunnels with different WAN paths
    • Implement a watchdog mechanism to failover if the primary tunnel goes down
  • Monitoring and alerts
    • Regularly check VPN tunnel uptime and latency
    • Set up alerts for tunnel down, high packet loss, or high jitter
  • Security notes: keep PSKs in a secure vault and rotate them periodically
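The MTU and MSS clamping advice above is easier to apply with the actual numbers. As an added example, not from the page or from Ubiquiti, the Python below computes the ESP tunnel-mode overhead for the two cipher suites the page recommends (AES-256-CBC with HMAC-SHA-256 and AES-256-GCM), with and without NAT-T UDP encapsulation, and derives the largest inner packet and the TCP MSS value that still fit a 1500-byte WAN MTU without fragmentation. The byte counts follow RFC 4303/4106 (8-byte ESP header, 16-byte CBC IV and block alignment, 8-byte GCM IV with 4-byte alignment, 16-byte ICV, 2-byte trailer) and ignore IP options; the `set firewall options mss-clamp ...` commands it prints are the EdgeOS option as I know it and should be confirmed against your firmware's tab completion.

```python
# IPsec ESP overhead and MSS clamp calculator (added example, not page code).
IP_HDR, UDP_HDR, TCP_HDR, ESP_HDR = 20, 8, 20, 8   # bytes; ESP header = SPI + sequence number

# Per-suite ESP parameters: (IV length, padding alignment, ICV length), all in bytes.
# AES-CBC pads to the 16-byte cipher block; HMAC-SHA-256-128 truncates the ICV to 16 bytes.
# AES-GCM carries an 8-byte IV, only needs the 4-byte ESP alignment, and has a 16-byte ICV.
SUITES = {
    "aes256-cbc-sha256": (16, 16, 16),
    "aes256-gcm": (8, 4, 16),
}


def esp_overhead(inner_len, suite, nat_t):
    """Bytes added when an inner IP packet of inner_len is wrapped in ESP tunnel mode."""
    iv, align, icv = SUITES[suite]
    body = inner_len + 2                 # ESP trailer: pad-length + next-header
    pad = (-body) % align                # padding so the trailer ends on the alignment boundary
    esp = ESP_HDR + iv + body + pad + icv
    outer = IP_HDR + (UDP_HDR if nat_t else 0) + esp   # new outer IP header (+UDP 4500 for NAT-T)
    return outer - inner_len


def would_fragment(inner_len, wan_mtu, suite, nat_t):
    """True if the encapsulated packet exceeds the WAN MTU and must be fragmented."""
    return inner_len + esp_overhead(inner_len, suite, nat_t) > wan_mtu


def max_inner_mtu(wan_mtu, suite, nat_t):
    """Largest inner packet that still fits the WAN MTU after encapsulation."""
    inner = wan_mtu
    while would_fragment(inner, wan_mtu, suite, nat_t):
        inner -= 1
    return inner


def mss_clamp_value(wan_mtu, suite, nat_t):
    """TCP MSS to advertise so a full segment never fragments: inner MTU minus IP and TCP headers."""
    return max_inner_mtu(wan_mtu, suite, nat_t) - IP_HDR - TCP_HDR


def mss_clamp_commands(mss):
    """EdgeOS 'firewall options mss-clamp' commands for the computed value (verify on your firmware)."""
    return [
        "set firewall options mss-clamp interface-type all",
        f"set firewall options mss-clamp mss {mss}",
    ]


if __name__ == "__main__":
    for suite in SUITES:
        for nat_t in (False, True):
            inner = max_inner_mtu(1500, suite, nat_t)
            print(f"{suite:18} nat_t={str(nat_t):5} inner MTU {inner} -> MSS {mss_clamp_value(1500, suite, nat_t)}")
    print("\n".join(mss_clamp_commands(mss_clamp_value(1500, "aes256-cbc-sha256", True))))
```

With a 1500-byte WAN MTU the CBC suite behind NAT-T leaves room for a 1422-byte inner packet (MSS 1382), while AES-GCM saves the padding and 8 bytes of IV and allows MSS 1398; clamping to the smaller value on both routers is what keeps VoIP and large TCP transfers from hitting the fragmentation the page warns about.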

Advanced topics: dual VPNs, failover, and monitoring

  • Dual VPNs for reliability
    • Create two separate IPSec tunnels with different peer IPs or different ISPs
    • Use routing policies to prefer primary tunnel and keep a backup ready
  • Failover strategies
    • Use VPN keep-alives and dynamic routing to switch traffic to the healthy tunnel
    • Consider BGP if your networks are larger and require complex routing
  • Monitoring approaches
    • Use SNMP, NetFlow, or a dedicated monitoring tool to track VPN health
    • Log correlation: track tunnel events and correlate with network outages

Practical examples: common topologies

  • Example Topology 1: Branch office to main office
    • Site A: 10.1.0.0/24 at HQ
    • Site B: 172.16.0.0/16 at branch
    • Single VPN tunnel with static routes to remote LAN
  • Example Topology 2: Two branches to a central data center
    • Central DC uses 192.168.100.0/24
    • Branch 1 uses 10.2.0.0/24; Branch 2 uses 10.3.0.0/24
    • VPNs from each branch to DC with separate tunnels, enable failover and monitoring
  • Example Topology 3: EdgeRouter X with a cloud VPN gateway
    • Site A: 10.1.0.0/24
    • Site B: Cloud VPN gateway remote LAN
    • Tunnels and routes configured to route intra-branch traffic via VPN while internet traffic exits through local ISP

Tables: quick reference for common settings

Table 1: Recommended IPSec transform sets (example)

| Transform  | Site A      | Site B      | Notes                                    |
|------------|-------------|-------------|------------------------------------------|
| Encryption | AES-256-GCM | AES-256-GCM | Preferred if supported on both sides     |
| Integrity  | SHA-256     | SHA-256     | If using CBC, SHA-256 remains compatible |
| DH Group   | 14          | 14          | 2048-bit, balance of speed and security  |
| PFS        | On          | On          | Ensure perfect forward secrecy           |

Table 2: Troubleshooting quick guide

| Symptom                         | Likely cause            | Quick fix                                       |
|---------------------------------|-------------------------|-------------------------------------------------|
| VPN shows down                  | PSK mismatch            | Re-enter PSK on both sides                      |
| Traffic not routing through VPN | Incorrect routes        | Add static routes or adjust policy routing      |
| High packet loss on VPN         | MTU mismatch            | Lower MTU or MSS clamp                          |
| Intermittent connectivity       | NAT-T or firewall rules | Confirm UDP 500/4500 are open and NAT-T enabled |

FAQ section

Frequently Asked Questions

What is IPSec site-to-site VPN?

IPSec site-to-site VPN is a secure tunnel between two networks over the Internet using IPSec to protect traffic in transit.

Can EdgeRouter X handle site-to-site VPNs?

Yes. EdgeRouter X supports IPSec VPNs with appropriate configuration and matching policies.

Do I need a static IP for each site?

Static IPs simplify setup, but dynamic IPs can work with dynamic DNS and stable policies. Expect more maintenance with dynamic IPs.

What are the best encryption settings?

AES-256 with SHA-256, DH Group 14, and PFS enabled are solid defaults for balance of security and performance.

How do I verify the VPN is up?

Check the EdgeRouter’s IPSec status page for tunnel status, verify that tunnels show as up, and ping hosts on the remote network.

How can I troubleshoot Phase 1 failures?

Review PSK, IKE proposals, and firewall rules. Ensure both sides share identical IKE and IPsec settings.

How do I avoid NAT issues?

Disable NAT for traffic between the two VPN subnets, or use a NAT exemption rule if necessary. Make sure NAT-T is enabled if one side is behind NAT.

What performance should I expect?

Performance varies by traffic type and CPU load. EdgeRouter X can reach tens to hundreds of Mbps in ideal conditions, especially with AES-256-GCM.

How often should I rotate PSKs?

Rotating PSKs every 6–12 months is common, but align with your security policy. Keep a log of changes.

What monitoring should I set up?

Track tunnel uptime, latency, packet loss, and traffic volumes. Set alerts for tunnel down events and significant changes.

Resources and references

  • Ubiquiti Networks – EdgeRouter documentation and forums
  • IPSec standard references and best practices
  • Network performance blogs and case studies for small-business VPNs
  • Your ISP service status for reliable Internet connectivity

Useful URLs and Resources

  • EdgeRouter X official product page – ubiquiti.com/products/edge-router-x
  • EdgeOS VPN documentation – help.ubnt.com/hc/en-us/categories/115000507466-EdgeRouter
  • IPSec basics guide – en.wikipedia.org/wiki/IPsec
  • NAT traversal overview – en.wikipedia.org/wiki/NAT-Traversal
  • AES-GCM performance data – en.wikipedia.org/wiki/Galois/Counter_Mode
  • Dynamic DNS service options – dyn.com, no-ip.com
  • Router security best practices – sans.org or reputable security blogs


A Ubiquiti EdgeRouter X site-to-site VPN is possible and straightforward with IPsec on EdgeOS. In this guide, you’ll learn how to set up a robust site-to-site IPsec VPN between an EdgeRouter X and a remote gateway, whether that gateway is another ERX, a Fortinet device, a Cisco ASA, or any VPN-capable router. I’ll break down the prerequisites, the exact steps with friendly explanations, common pitfalls, and best practices so you can get your network securely talking to a branch office or home lab. Think of this as your practical, no-fluff walkthrough that covers planning, config, testing, and maintenance.

Useful URLs and Resources:

  • Ubiquiti Networks official EdgeRouter X product page – ubnt.com/products/edgerouter-x
  • EdgeRouter X Quick Start Guide – help.ubnt.com
  • Ubiquiti EdgeOS IPsec VPN documentation – help.ubnt.com/hc/en-us/articles/204965310-IPsec-VPN
  • Site-to-site VPN concepts and best practices – en.wikipedia.org/wiki/Virtual_private_network
  • General firewall and VPN testing tips – smallnetbuilder.com

Introduction wrap-up: this guide is designed to be practical for real-world networks, not just theory. You’ll find a step-by-step approach you can follow on a home lab, a small business, or a multi-site WAN. I’ll cover the two most common scenarios: (1) an ERX at one site connecting to another EdgeRouter-based site, and (2) an ERX connecting to a non-ERX device like a Fortinet or Cisco ASA. By the end, you’ll be able to implement a secure IPsec tunnel, route traffic across it, and validate the tunnel’s health.

Why site-to-site VPN with Ubiquiti EdgeRouter X matters

Site-to-site VPN gives you a secure tunnel between geographically separated networks. For small businesses or remote teams, it replaces risky, unsecured public-internet access with encrypted paths for all inter-site traffic. Here’s why this setup is popular with the EdgeRouter X:

  • Cost-effective performance: EdgeRouter X punches above its price range for VPN chores, offering solid IPsec functionality without a pricey appliance.
  • Flexible routing: You can route specific subnets through the VPN or use it as a default path for inter-site traffic.
  • Compatibility: IPsec is a standard, so you can connect an ERX to many remote gateways (other ERXs, Fortinet, Cisco, Palo Alto, etc.) without proprietary lock-in.
  • Security-conscious defaults: AES-256, SHA-256, and PFS groups are standard options you can enable to harden the tunnel.

If you’re new to the EdgeRouter X, think of it as a small but capable platform running EdgeOS. You’ll manage VPNs with the EdgeOS command line interface (CLI) or the graphical user interface (GUI). In practice, a lot of the work happens in the CLI, but you’ll hear about the GUI options as well.

Prerequisites and planning: getting your ducks in a row

Before you jump into the config, gather these essentials and map your network:

  • Public IP addresses or dynamic DNS for both gateways: You’ll need the remote gateway’s public IP, or a resolvable hostname if it is dynamic. If you have a dynamic IP on either end, plan for Dynamic DNS (DDNS) updates so the tunnel can re-establish when IPs change.
  • Local network subnets: Decide which subnets will be reachable across the VPN. For example, your ERX might serve 192.168.1.0/24 on-site while the remote site uses 10.20.0.0/24.
  • Remote network subnets: The subnets on the other end that you want to reach.
  • VPN credentials: A pre-shared key (PSK) is the simplest option. If you’re in a more advanced environment, you can use certificates, but a PSK is the most approachable starting point.
  • Encryption and IKE policy: AES-256 (or AES-128 if you need to conserve CPU cycles), SHA-256 hash, a perfect forward secrecy (PFS) group (e.g., 14 or 24), and IKEv2 for stability if possible. EdgeRouter supports IKEv2, which is generally preferred for modern networks.
  • Firewall readiness: Ensure your firewall rules allow IPsec (UDP 500 for IKE, UDP 4500 for NAT-T, and IPsec ESP where applicable) and that traffic can traverse the tunnel.
  • Backups: Take a quick backup of your current EdgeRouter X config; you’ll thank yourself if you need to revert.

Tip: If you’re new to VPNs, keep a simple test tunnel first (one subnet pair) to verify basic connectivity, then extend to additional networks.

Step-by-step guide: configure EdgeRouter X for site-to-site IPsec

Below is a practical, high-detail workflow you can adapt to your actual hardware and partner gateway. The commands assume you’re using the EdgeRouter X via SSH or the console. If you prefer the GUI, many of these settings map to the same concepts.

Note: Replace placeholders such as , , , , and interface names with your actual values. Xbox edge vpn 2026

  1. Prepare IPsec-related groups and defaults
  • Create an IKE group that uses IKEv2, strong encryption, a DH group for the key exchange, and a reasonable lifetime:

    • set vpn ipsec ike-group IKE-GROUP key-exchange ikev2
    • set vpn ipsec ike-group IKE-GROUP proposal 1 encryption aes256
    • set vpn ipsec ike-group IKE-GROUP proposal 1 hash sha256
    • set vpn ipsec ike-group IKE-GROUP proposal 1 dh-group 14
    • set vpn ipsec ike-group IKE-GROUP lifetime 3600
  • Create an ESP (IPsec) group with strong encryption for the tunnel payload:

    • set vpn ipsec esp-group ESP-GROUP proposal 1 encryption aes256
    • set vpn ipsec esp-group ESP-GROUP proposal 1 hash sha256
    • set vpn ipsec esp-group ESP-GROUP lifetime 3600
  2. Bind IPsec to your interface
  • Specify which interface terminates the tunnel: the WAN interface that carries your public IP, often eth0 or eth1 depending on your setup.
    • set vpn ipsec ipsec-interfaces interface eth0
  3. Define the site-to-site peer (your remote gateway)
  • In the commands below, replace <remote-gateway> with the public IP address or hostname of the remote gateway, <psk> with your pre-shared key, <local-public-ip> with the address on your WAN interface, and <local-subnet> and <remote-subnet> with the networks you are joining.

  • Reference the IKE and ESP groups you created. In EdgeOS the ESP group and the subnet pair live under a numbered tunnel entry on the peer:

    • set vpn ipsec site-to-site peer <remote-gateway> authentication mode pre-shared-secret
    • set vpn ipsec site-to-site peer <remote-gateway> authentication pre-shared-secret <psk>
    • set vpn ipsec site-to-site peer <remote-gateway> ike-group IKE-GROUP
    • set vpn ipsec site-to-site peer <remote-gateway> local-address <local-public-ip>
    • set vpn ipsec site-to-site peer <remote-gateway> tunnel 1 esp-group ESP-GROUP
    • set vpn ipsec site-to-site peer <remote-gateway> tunnel 1 local prefix <local-subnet>
    • set vpn ipsec site-to-site peer <remote-gateway> tunnel 1 remote prefix <remote-subnet>
  • If your remote gateway uses IKEv2 only, ensure both ends are configured for IKEv2. Some devices default to IKEv1, so make sure IKEv2 is enabled on both sides if possible.

  4. Optional: enable NAT-T for NAT traversal
  • If either gateway is behind NAT, NAT-T lets the tunnel negotiate through the NAT device. EdgeOS pairs the setting with a list of networks that may sit behind NAT:
    • set vpn ipsec nat-traversal enable
    • set vpn ipsec nat-networks allowed-network 0.0.0.0/0
  • Even if neither side is behind NAT, leaving NAT-T enabled is harmless and widely compatible.
  5. Fine-tune additional settings (optional but recommended)
  • Dead Peer Detection (DPD) keeps the tunnel healthy and re-establishes it quickly. In EdgeOS it is configured on the IKE group:

    • set vpn ipsec ike-group IKE-GROUP dead-peer-detection action restart
    • set vpn ipsec ike-group IKE-GROUP dead-peer-detection interval 10
    • set vpn ipsec ike-group IKE-GROUP dead-peer-detection timeout 30
  • PFS (perfect forward secrecy) is enforced on the ESP group. With pfs enable the ESP group reuses the IKE group’s DH group; you can also pin a specific group with a value such as pfs dh-group14:

    • set vpn ipsec esp-group ESP-GROUP pfs enable
  • Local and remote IDs: for some peers, explicit mutual ID verification helps avoid mismatches:

    • set vpn ipsec site-to-site peer <remote-gateway> authentication id <local-id>
    • set vpn ipsec site-to-site peer <remote-gateway> authentication remote-id <remote-id>
  6. Add firewall rules to allow VPN traffic and tunnel traffic
  • Create or adjust firewall rules so the router accepts IPsec traffic on its WAN-facing local ruleset (WAN_LOCAL if you used the setup wizard):
    • allow inbound UDP 500 (IKE)
    • allow inbound UDP 4500 (NAT-T)
    • allow ESP (IP protocol 50)
  • Ensure inter-site traffic is allowed to flow across the tunnel and reach remote subnets, and exclude traffic for the remote subnet from your source NAT (masquerade) rule so packets are not rewritten before they enter the tunnel.
  7. Define routing: ensure remote networks are reachable
  • With a policy-based tunnel like the one above, EdgeOS installs the IPsec policies for the local/remote prefixes itself, so no static route for the remote subnet is needed.
  • Only a route-based (VTI) tunnel needs an explicit route, or policy routing, to steer selected traffic through the VPN.
  8. Commit, save, and apply
  • commit
  • save
  • If the tunnel was already up under the old settings, restart it so the new configuration takes effect.
  9. Verify the tunnel status and connectivity
  • Use the EdgeRouter’s CLI or GUI to verify:
    • show vpn ipsec sa to view active security associations
    • show vpn ipsec status
    • show vpn log for the negotiation messages if a tunnel will not come up
  • Test connectivity:
    • ping a host on the remote subnet from a host on the local subnet
    • traceroute to a remote host to confirm the traffic takes the tunnel
  • If you don’t see a tunnel, double-check:
    • the PSK matches on both sides
    • local/remote subnets are correct and mirrored on the other end
    • firewall rules aren’t blocking IPsec or tunnel traffic
    • both gateways actually have matching IKE/ESP proposals
  10. Post-setup hardening and best practices
  • Use AES-256 and SHA-256 as the base for both IKE and ESP whenever possible.
  • Enable Perfect Forward Secrecy with a reasonable group (group 14 or higher) so that session keys aren’t derived from a single long-term secret.
  • If you expect dynamic IPs, configure a reliable DDNS on the remote gateway and make sure your EdgeRouter X follows that hostname rather than a fixed IP.
  • Regularly monitor tunnel health and log activity to detect potential issues early.
  • Consider a secondary VPN path (a backup VPN or a second internet connection) if your network requires high availability.
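As an added example that is not part of this guide, the Python script below builds the mirrored EdgeOS configuration for both routers from one shared policy, so the IKE/ESP proposals cannot drift apart, and refuses to emit anything if the subnets overlap or the PSK is weak. The site names, the RFC 5737 documentation addresses, and the 20-character PSK minimum are assumptions for the example; the set lines follow EdgeOS syntax, and the auto-firewall-nat-exclude line asks EdgeOS to add the IKE/ESP firewall rules and the source-NAT exclusion for the tunnel itself.

```python
import ipaddress
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Site:
    """One end of the tunnel (hypothetical values, not from the guide)."""
    name: str
    public_ip: str        # literal WAN address; the peer dials it
    wan_interface: str    # interface carrying that address
    subnets: tuple        # local prefixes to expose across the tunnel


@dataclass(frozen=True)
class Policy:
    """Shared crypto policy; both sides are generated from the same instance."""
    ike_group: str = "IKE-GROUP"
    esp_group: str = "ESP-GROUP"
    encryption: str = "aes256"
    hash: str = "sha256"
    dh_group: int = 14
    ike_lifetime: int = 3600
    esp_lifetime: int = 3600
    dpd_interval: int = 10
    dpd_timeout: int = 30


def plan_errors(a, b, psk):
    """Return the problems that would stop this tunnel from ever passing traffic."""
    errors = []
    nets = [(s.name, ipaddress.ip_network(n, strict=True))
            for s in (a, b) for n in s.subnets]
    # Overlapping prefixes cannot be routed across a tunnel (see subnet planning).
    for (n1, net1), (n2, net2) in combinations(nets, 2):
        if net1.overlaps(net2):
            errors.append(f"{n1} {net1} overlaps {n2} {net2}")
    if len(psk) < 20:  # assumed minimum; a random 32+ character key is better
        errors.append("pre-shared key shorter than 20 characters")
    if a.public_ip == b.public_ip:
        errors.append("both sites use the same public address")
    return errors


def edgeos_commands(local, remote, psk, policy=Policy()):
    """EdgeOS 'set' lines for LOCAL so that it peers with REMOTE."""
    ike = f"set vpn ipsec ike-group {policy.ike_group}"
    esp = f"set vpn ipsec esp-group {policy.esp_group}"
    peer = f"set vpn ipsec site-to-site peer {remote.public_ip}"
    cmds = [
        "set vpn ipsec auto-firewall-nat-exclude enable",
        f"set vpn ipsec ipsec-interfaces interface {local.wan_interface}",
        f"{ike} key-exchange ikev2",
        f"{ike} lifetime {policy.ike_lifetime}",
        f"{ike} proposal 1 encryption {policy.encryption}",
        f"{ike} proposal 1 hash {policy.hash}",
        f"{ike} proposal 1 dh-group {policy.dh_group}",
        f"{ike} dead-peer-detection action restart",
        f"{ike} dead-peer-detection interval {policy.dpd_interval}",
        f"{ike} dead-peer-detection timeout {policy.dpd_timeout}",
        f"{esp} lifetime {policy.esp_lifetime}",
        f"{esp} pfs enable",
        f"{esp} proposal 1 encryption {policy.encryption}",
        f"{esp} proposal 1 hash {policy.hash}",
        f"{peer} description {local.name}-to-{remote.name}",
        f"{peer} authentication mode pre-shared-secret",
        f"{peer} authentication pre-shared-secret {psk}",
        f"{peer} ike-group {policy.ike_group}",
        f"{peer} local-address {local.public_ip}",
    ]
    # Policy-based IPsec: one tunnel entry per local/remote subnet pair.
    n = 1
    for lnet in local.subnets:
        for rnet in remote.subnets:
            cmds += [
                f"{peer} tunnel {n} esp-group {policy.esp_group}",
                f"{peer} tunnel {n} local prefix {lnet}",
                f"{peer} tunnel {n} remote prefix {rnet}",
            ]
            n += 1
    return cmds


def mirrored_configs(a, b, psk, policy=Policy()):
    """Both sides' command lists, or a ValueError listing every plan error."""
    errs = plan_errors(a, b, psk)
    if errs:
        raise ValueError("; ".join(errs))
    return {a.name: edgeos_commands(a, b, psk, policy),
            b.name: edgeos_commands(b, a, psk, policy)}


if __name__ == "__main__":
    hq = Site("hq", "203.0.113.10", "eth0", ("192.168.1.0/24",))
    branch = Site("branch", "198.51.100.20", "eth0", ("10.20.0.0/24",))
    for site, cmds in mirrored_configs(hq, branch, "replace-me-with-a-long-random-psk").items():
        print(f"# {site}")
        print("\n".join(cmds))
```

Paste each site's lines into configure mode on that router, then commit and save; because both lists come from the same Policy, a proposal mismatch between the ends cannot be introduced by hand-copying.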

Common scenarios: ERX talking to different kinds of gateways

EdgeRouter X-to-EdgeRouter X

  • This is the most common home-office setup. Use symmetrical local/remote subnets, the same encryption preferences, and the same PSK on both sides. The workflow is basically identical on both devices; you only need to mirror the config.

ERX to Fortinet FortiGate

  • Fortinet devices typically support IPsec with strong defaults. Ensure you align IKEv2, AES-256, SHA-256, and a PFS group. On the FortiGate side, you may create a VPN Tunnel with a matching remote gateway IP, PSK, and the same local/remote subnets. On ERX, the peer is the FortiGate’s public IP and its remote-subnet must mirror what the FortiGate expects.

ERX to Cisco ASA

  • ASA VPNs can be a bit finicky about IDs and Phase 2 settings. Ensure the Phase 1 (IKE) and Phase 2 (IPsec) proposals align exactly. If the ASA uses a certificate-based setup, you’ll have to switch from PSK to a certificate-based arrangement, which EdgeRouter also supports, though IKEv2 with certificates is a more involved configuration.

ERX with dynamic DNS at either end

  • If one or both ends have dynamic public IPs, set up a DDNS hostname on the gateway that changes, and use that hostname for the peer configuration. Ensure that the remote gateway can resolve your DDNS hostname to the current IP.

Failover and redundancy tips

  • If you need high availability, consider building two VPN tunnels with two remote gateways or two separate internet connections and use policy-based routing to prefer one tunnel, with automatic failover to the second when the first is down.
  • Periodically test failover by simulating a gateway outage to ensure traffic routes correctly through the remaining tunnel.

Security best practices and quick optimization tips

  • Encryption and integrity: AES-256 with SHA-256 is a solid baseline. Avoid legacy algorithms like DES or MD5.
  • PFS: Always enable PFS for Phase 2 (the ESP group). Use a modern DH group (group 14 or higher) if your devices support it.
  • Key management: Use strong PSKs. If you can implement certificate-based authentication, that’s even better for rotation and management.
  • Firmware updates: Keep EdgeOS updated to benefit from security fixes and improved VPN behavior.
  • Network segmentation: Don’t route everything through the VPN by default unless necessary. If you don’t need the entire site’s traffic across the tunnel, limit routing to specific subnets to reduce load and potential exposure.
  • Logging and monitoring: Enable VPN logs and set up alerts for tunnel down events. Regularly review connection history to catch anomalies.

Real-world tips to speed up deployment and avoid headaches

  • Start small: Test with a single pair of subnets, confirm the tunnel comes up and traffic passes, then expand to additional subnets.
  • Use consistent subnet planning: Avoid overlapping IP ranges between local and remote networks.
  • Keep a clear naming convention: Name your VPN tunnels clearly in the EdgeRouter config e.g., VPN_SITE_A_TO_SITE_B to avoid confusion as you scale.
  • Document your settings: Save your final working configuration and record the remote IP and subnet mappings so you don’t forget later; keep the PSK itself in a password manager rather than in plain-text notes.

Troubleshooting quick-start checklist

  • Tunnel status: Check show vpn ipsec status and show vpn ipsec sa for active security associations.
  • Phase 1 vs Phase 2: If Phase 1 fails, verify PSK, IKE group, and remote identity. If Phase 2 fails, verify ESP group, local/remote subnets, and firewall rules.
  • NAT-T: If you’re behind NAT and the tunnel isn’t forming, ensure NAT-T is enabled and UDP ports 500 and 4500 are open to the remote gateway.
  • Firewall: Confirm that on both sides, firewall rules permit IKE and IPsec ESP traffic and that inter-site traffic is allowed through the tunnel.
  • Subnet overlap: Ensure there are no overlapping IP ranges that would cause routing conflicts when traffic crosses the VPN.
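As an added example that is not part of this guide, the Python triage script below maps negotiation messages in the style of strongSwan’s charon daemon, which is what EdgeOS runs for IPsec and shows under show vpn log, onto the Phase 1 / Phase 2 checks in the checklist above. The log lines are constructed for the example, and the rule table is an assumption based on common strongSwan message text rather than an exhaustive list.

```python
import re
from collections import Counter

# Constructed sample log; the wording imitates strongSwan's charon output
# but these lines are invented for the example, not captured from a router.
SAMPLE_LOG = """\
Jan 12 09:00:01 charon: 05[IKE] initiating IKE_SA peer-198.51.100.20-tunnel-1[1] to 198.51.100.20
Jan 12 09:00:05 charon: 05[IKE] retransmit 1 of request with message ID 0
Jan 12 09:00:12 charon: 05[IKE] retransmit 2 of request with message ID 0
Jan 12 09:01:15 charon: 05[IKE] giving up after 5 retransmits
Jan 12 09:03:01 charon: 07[IKE] received NO_PROPOSAL_CHOSEN notify error
Jan 12 09:05:01 charon: 09[IKE] tried 1 shared key for '203.0.113.10' - '198.51.100.20', but MAC mismatched
Jan 12 09:07:01 charon: 11[IKE] IKE_SA peer-198.51.100.20-tunnel-1[2] established between 203.0.113.10[203.0.113.10]...198.51.100.20[198.51.100.20]
Jan 12 09:07:01 charon: 11[IKE] received TS_UNACCEPTABLE notify, no CHILD_SA built
Jan 12 09:09:01 charon: 13[IKE] CHILD_SA peer-198.51.100.20-tunnel-1{1} established with SPIs c1a2b3d4_i e5f6a7b8_o and TS 192.168.1.0/24 === 10.20.0.0/24
"""

# Each rule: (regex, phase, diagnosis, what to check first). Order matters:
# the first matching rule wins for a line.
RULES = [
    (r"giving up after \d+ retransmits", "phase1", "no reply from peer",
     "peer reachability and UDP 500/4500 through firewalls and NAT"),
    (r"NO_PROPOSAL_CHOSEN|no matching proposal found", "phase1", "IKE proposal mismatch",
     "ike-group encryption, hash, dh-group and IKE version on both sides"),
    (r"MAC mismatched|AUTHENTICATION_FAILED", "phase1", "authentication failed",
     "pre-shared key and local/remote IDs"),
    (r"TS_UNACCEPTABLE|no matching CHILD_SA config found", "phase2", "traffic selector mismatch",
     "tunnel local/remote prefixes mirror each other exactly"),
    (r"CHILD_SA .* established", "up", "tunnel established",
     "nothing; test with ping across the subnets"),
]


def triage(log_text):
    """Classify each recognised line as a Phase 1, Phase 2 or tunnel-up event."""
    findings = []
    for line in log_text.splitlines():
        for pattern, phase, diagnosis, check in RULES:
            if re.search(pattern, line):
                findings.append({"phase": phase, "diagnosis": diagnosis,
                                 "check": check, "line": line})
                break
    return findings


def summarize(findings):
    """Count diagnoses and report the last state the log reached."""
    counts = Counter(f["diagnosis"] for f in findings)
    final_state = findings[-1]["phase"] if findings else "unknown"
    return {"counts": dict(counts), "final_state": final_state}


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f['phase']}] {f['diagnosis']}: check {f['check']}")
    print(summarize(found))
```

Feed it the real output of show vpn log on the router that will not connect; a Phase 1 diagnosis points at the IKE group, PSK or firewall, while a Phase 2 diagnosis almost always means the two tunnel prefix pairs are not exact mirrors of each other.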

Real-world use cases and success stories

  • Small business branch connect: A two-site setup where an ERX at headquarters connects to a partner office via IPsec VPN, enabling secure printing, file sharing, and centralized backups across the tunnels.
  • Home lab and remote work: A home office with an ERX tunneling to a lab environment on another site, allowing testing of VPN failover and remote management without exposing traffic to the open internet.
  • Multi-site expansion: As your network grows, you can add more ERX gateways, create spare tunnels for redundancy, and build out a scalable hub-and-spoke model with consistent encryption standards.

Performance considerations: what to realistically expect

  • EdgeRouter X is a budget-friendly device. Don’t expect enterprise-class throughput, but you can expect solid performance for typical small-office workloads, including multiple VPN tunnels, basic firewalling, and general routing.
  • VPN performance depends on several factors:
    • Encryption and integrity algorithms (AES-256 and SHA-256 are more demanding than AES-128 and SHA-1)
    • Hardware capabilities of the ERX CPU, memory
    • The amount of traffic and the size of the remote networks
    • The quality and speed of your internet connections on both ends
  • Practical takeaway: plan for hundreds of Mbps of VPN throughput under typical loads, not multi-gigabit speeds. If you need higher throughput, you might consider a higher-end EdgeRouter model or a dedicated VPN appliance.

Frequently Asked Questions

What is Ubiquiti EdgeRouter X best used for?

EdgeRouter X is a compact, affordable router suitable for small offices, home labs, and networks needing reliable routing and VPN capabilities without breaking the bank.

Can EdgeRouter X do site-to-site VPN with IPsec?

Yes. EdgeRouter X supports IPsec site-to-site VPNs, including IKEv2, which makes it a flexible choice for connecting to other ERX devices or third-party gateways.

Which VPN type should I use on ERX?

IKEv2 with IPsec is generally recommended for reliability and performance. It’s widely supported across various vendors and tends to be more stable than IKEv1.

How do I connect ERX to a Fortinet FortiGate?

You’ll configure a matching IPsec site-to-site tunnel on both sides. Align the IKEv2 settings, encryption (AES-256), hash (SHA-256), and the same local/remote subnets. Double-check the PSK on both ends.

What if my IP address changes?

If you have dynamic IPs, use a Dynamic DNS DDNS setup on at least one gateway and configure the other side to point to the hostname. This helps the tunnel reestablish automatically when IPs change.

How do I test the VPN tunnel?

Ping a host on the remote subnet from a host on your local subnet, check the VPN status in EdgeOS, and inspect the security associations with show vpn ipsec sa. Look for tunnels that are up and traffic flows across the tunnel.

Can I use certificate-based authentication with ERX?

Yes, EdgeRouter X can be configured to use certificates for IPsec authentication, though it’s more involved than PSK. It’s a good option if you’re managing many tunnels or require stronger key management.

How do I troubleshoot a tunnel that won’t come up?

Verify PSK matches, confirm the remote gateway’s IP address is reachable, ensure the subnets don’t overlap, check firewall rules, and review logs for Phase 1 or Phase 2 negotiation errors. Rebooting one side and re-confirming the config can help, but avoid rebooting during critical business hours if possible.

Do I need to open additional ports on my firewall for IPsec?

Yes, you typically need UDP 500 IKE and UDP 4500 NAT-T open, and ESP IP protocol 50 allowed through if your firewall requires it. Some setups can work with NAT-T, but it’s safer to allow these ports.

Should I prefer ERX for a multi-site VPN?

ERX is a solid choice for small to mid-sized deployments needing reliable IPsec tunnels at a low cost. If you’re expanding to multiple sites with high throughput demands, you might look at higher-end EdgeRouter models or dedicated VPN appliances for better performance.

Can I run more than one VPN tunnel from a single ERX?

Absolutely. ERX can manage multiple VPN tunnels, each with its own peer, local/remote subnets, and policies. Just be mindful of CPU load and ensure your config stays organized to avoid conflicts.

How often should I back up EdgeRouter X configurations?

As often as you make changes to VPNs, firewall rules, or routing. A quick backup after a successful VPN deployment is a good habit, and quarterly backups are a sensible minimum.

Final notes: keep it simple, secure, and scalable

Setting up a site-to-site VPN with Ubiquiti EdgeRouter X is very doable, even for beginners who are comfortable with the command line. The key is to plan, mirror settings on both ends, and test thoroughly. Start simple, then scale up as your network grows. With the right configuration, you’ll have a reliable, secure tunnel that keeps your inter-site traffic private without adding complexity to your everyday network management.

If you’re looking to add a layer of privacy for additional online activity beyond the VPN itself or want to experiment with secure remote access, consider the NordVPN promo linked above. It’s a straightforward way to protect endpoints outside of your VPN tunnel and can be a great complement to a well-planned site-to-site VPN strategy.

