Ubiquiti Edge Router VPN with SonicWall
by Jeff on August 27th, 2015

I just spent all day trying to set up a new VPN connection between a Ubiquiti Edge Router Lite (ERL) and a SonicWALL TZ210. While there are several articles and blogs out there which pointed me in the right direction, I still encountered issues. I wanted to jot down my notes before I forget them.

I started off by following this wiki article from Ubiquiti’s wiki site. In this example, I will use the following IP addresses (the proposals, lifetimes and shared secret must match exactly on both ends):

  • Local Site Public IP: 1.1.1.1
  • Local Site Private IP: 192.168.1.0/24
  • Remote Site Public IP: 2.2.2.2
  • Remote Site Private IP: 10.10.1.0/24

Ubiquiti ERL Configuration – Local Site

[shell]
ubnt@ubnt:~$ configure
[edit]
ubnt@ubnt# set vpn ipsec esp-group ESPSonicWallVPN
ubnt@ubnt# set vpn ipsec esp-group ESPSonicWallVPN compression disable
ubnt@ubnt# set vpn ipsec esp-group ESPSonicWallVPN lifetime 3600
ubnt@ubnt# set vpn ipsec esp-group ESPSonicWallVPN mode tunnel
ubnt@ubnt# set vpn ipsec esp-group ESPSonicWallVPN pfs disable
ubnt@ubnt# set vpn ipsec esp-group ESPSonicWallVPN proposal 1
ubnt@ubnt# set vpn ipsec esp-group ESPSonicWallVPN proposal 1 encryption aes128
ubnt@ubnt# set vpn ipsec esp-group ESPSonicWallVPN proposal 1 hash sha1
ubnt@ubnt# set vpn ipsec ike-group IKESonicWallVPN
ubnt@ubnt# set vpn ipsec ike-group IKESonicWallVPN lifetime 28800
ubnt@ubnt# set vpn ipsec ike-group IKESonicWallVPN proposal 1
ubnt@ubnt# set vpn ipsec ike-group IKESonicWallVPN proposal 1 dh-group 2
ubnt@ubnt# set vpn ipsec ike-group IKESonicWallVPN proposal 1 encryption aes128
ubnt@ubnt# set vpn ipsec ike-group IKESonicWallVPN proposal 1 hash sha1
ubnt@ubnt# set vpn ipsec ipsec-interfaces interface eth0
ubnt@ubnt# set vpn ipsec logging log-modes all
ubnt@ubnt# set vpn ipsec logging log-modes control
ubnt@ubnt# set vpn ipsec nat-traversal enable
ubnt@ubnt# set vpn ipsec site-to-site peer 2.2.2.2
ubnt@ubnt# set vpn ipsec site-to-site peer 2.2.2.2 local-address 1.1.1.1
ubnt@ubnt# set vpn ipsec site-to-site peer 2.2.2.2 authentication mode pre-shared-secret
ubnt@ubnt# set vpn ipsec site-to-site peer 2.2.2.2 authentication pre-shared-secret mysecretvpnkey1010
ubnt@ubnt# set vpn ipsec site-to-site peer 2.2.2.2 connection-type initiate
ubnt@ubnt# set vpn ipsec site-to-site peer 2.2.2.2 default-esp-group ESPSonicWallVPN
ubnt@ubnt# set vpn ipsec site-to-site peer 2.2.2.2 ike-group IKESonicWallVPN
ubnt@ubnt# set vpn ipsec site-to-site peer 2.2.2.2 tunnel 1
ubnt@ubnt# set vpn ipsec site-to-site peer 2.2.2.2 tunnel 1 allow-nat-networks disable
ubnt@ubnt# set vpn ipsec site-to-site peer 2.2.2.2 tunnel 1 allow-public-networks disable
ubnt@ubnt# set vpn ipsec site-to-site peer 2.2.2.2 tunnel 1 esp-group ESPSonicWallVPN
ubnt@ubnt# set vpn ipsec site-to-site peer 2.2.2.2 tunnel 1 local prefix 192.168.1.0/24
ubnt@ubnt# set vpn ipsec site-to-site peer 2.2.2.2 tunnel 1 remote prefix 10.10.1.0/24
ubnt@ubnt# commit
ubnt@ubnt# save
ubnt@ubnt# quit
[/shell]

SonicWall Configuration

Log into the web management of your SonicWall device and click VPN, then click “Add…”

General

  • Policy Type: Site to Site
  • Authentication Method: IKE using Preshared Secret
  • Name: Any name you want
  • IPsec Primary Gateway Name or Address: Public IP of your Ubiquiti
  • IPsec Secondary Gateway Name or Address: Blank
  • Shared Secret: mysecretvpnkey1010
  • Confirm Shared Secret: mysecretvpnkey1010
  • Local IKE ID: IP Address – Public IP of your SonicWall
  • Peer IKE ID: IP Address – Public IP of your Ubiquiti

[Screenshot: SonicWallConfig-General]

Network

  • Choose local network from list: Firewalled Subnets
  • Choose destination network from list: Ubiquiti LAN network

[Screenshot: SonicWallConfig-Network]

Proposals

IKE (Phase 1) Proposal

  • Exchange: Main Mode
  • DH Group: Group 2
  • Encryption: AES-128
  • Authentication: SHA1
  • Life Time (seconds): 28800

IPsec (Phase 2) Proposal

  • Protocol: ESP
  • Encryption: AES-128
  • Authentication: SHA1
  • Uncheck Perfect Forward Secrecy
  • Life Time (seconds): 3600

[Screenshot: SonicWallConfig-proposals]

Advanced

Leave everything unchecked and set the “VPN Policy bound to” dropdown to your WAN interface name.

[Screenshot: SonicWallConfig-advanced]

Troubleshooting

After configuring both devices, I saw that the tunnel came online but was not passing any traffic. After hours of playing around, I finally found the setting in the Ubiquiti device.

  1. Log into the Ubiquiti through the web portal (default username is ubnt, default password is ubnt)
  2. Click the “Config Tree” menu item in the top right
  3. In the left menu tree, expand “vpn->ipsec”

The “auto-update” field was blank on my device. After entering 3600 in the field and saving the config, data started to flow.
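Since every mismatch between the two sides (and the blank auto-update above) shows up as a tunnel that either never comes up or passes no traffic, here is an added Python example, not from this post or from either vendor, that parses the EdgeOS `set` lines into a tree, translates the SonicWall GUI labels onto the same tokens, and reports each phase 1/phase 2 field that differs plus a missing `auto-update`. The sample config and policy are constructed from the values in this post; the `GUI_TO_EDGEOS` label map and the field names are my own assumptions.

```python
# Constructed sample: the EdgeOS 'set' lines from this post (shared secret omitted).
EDGEOS_CONFIG = """
set vpn ipsec esp-group ESPSonicWallVPN lifetime 3600
set vpn ipsec esp-group ESPSonicWallVPN pfs disable
set vpn ipsec esp-group ESPSonicWallVPN proposal 1 encryption aes128
set vpn ipsec esp-group ESPSonicWallVPN proposal 1 hash sha1
set vpn ipsec ike-group IKESonicWallVPN lifetime 28800
set vpn ipsec ike-group IKESonicWallVPN proposal 1 dh-group 2
set vpn ipsec ike-group IKESonicWallVPN proposal 1 encryption aes128
set vpn ipsec ike-group IKESonicWallVPN proposal 1 hash sha1
set vpn ipsec site-to-site peer 2.2.2.2
set vpn ipsec site-to-site peer 2.2.2.2 ike-group IKESonicWallVPN
set vpn ipsec site-to-site peer 2.2.2.2 tunnel 1 esp-group ESPSonicWallVPN
"""
SONICWALL_POLICY = {  # values as typed into the SonicWall "Proposals" tab (constructed to match the post)
    "phase1": {"dh": "Group 2", "enc": "AES-128", "auth": "SHA1", "life": 28800},
    "phase2": {"enc": "AES-128", "auth": "SHA1", "pfs": False, "life": 3600}}
GUI_TO_EDGEOS = {"AES-128": "aes128", "AES-256": "aes256", "SHA1": "sha1", "Group 2": "2", "Group 14": "14"}  # assumed label map

def parse_set_lines(text):
    """Nested dict from 'set vpn ipsec <path...> <value>' lines; bare nodes become subtrees."""
    tree = {}
    for line in text.splitlines():
        path = line.split()[3:] if line.startswith("set vpn ipsec ") else []
        node = tree
        for tok in path[:-2]:
            if not isinstance(node.get(tok), dict):
                node[tok] = {}
            node = node[tok]
        if len(path) > 1 and not isinstance(node.get(path[-2]), dict):
            node[path[-2]] = path[-1]  # leaf value; never clobber an existing subtree
    return tree

def edgeos_view(config, peer):
    t = parse_set_lines(config)
    p = t["site-to-site"]["peer"][peer]  # follow the peer to the IKE and ESP groups it references
    ike, esp = t["ike-group"][p["ike-group"]], t["esp-group"][p["tunnel"]["1"]["esp-group"]]
    ik, es = ike["proposal"]["1"], esp["proposal"]["1"]
    return {"phase1": {"dh": ik["dh-group"], "enc": ik["encryption"], "auth": ik["hash"], "life": int(ike["lifetime"])},
            "phase2": {"enc": es["encryption"], "auth": es["hash"], "life": int(esp["lifetime"]),
                       "pfs": esp.get("pfs", "enable") != "disable"},  # EdgeOS leaves PFS on unless disabled
            "auto_update": t.get("auto-update")}

def mismatches(config, peer, policy):
    """(phase, field, edgeos, sonicwall) for each difference; also flags a blank auto-update."""
    e = edgeos_view(config, peer)
    diffs = [(ph, f, e[ph][f], v) for ph, fields in policy.items()
             for f, v in fields.items() if e[ph][f] != GUI_TO_EDGEOS.get(v, v)]
    if e["auto_update"] is None:  # the blank field that blocked traffic in this post
        diffs.append(("global", "auto-update", None, "3600"))
    return diffs
```

The check only tests agreement, not strength; a stronger DH group or hash is chosen the same way, on both devices at once.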


One Comment

    TehArchitect says:

    Thank you SO much for this write up, I was about to take my ERLite out back and end it. The GUI clearly does not work for VPN setups.