Now it is time to establish a site-to-site IPsec VPN. Searching Google suggests that site-to-site IPsec with DDNS is troublesome.
To be honest, I have 3 more ER-X for trying this site-to-site VPN without breaking my existing internet connection, so I have 5 ER-X in total😀. The ER-X on the left of the picture emulates the ISP and the internet: it offers PPPoE service and DNS. The two ER-X on the right correspond to the routers in my home and in my parents' home. After this experiment, some will be sent to my brothers.
As far as I could learn from many posts, using a pre-shared key (PSK) with DDNS is the source of the trouble. A PSK only works well when the remote site is specified by IP address.
When one needs to establish a site-to-site VPN and both sides use DDNS, RSA or X.509 authentication looks promising.
A post on the Ubiquiti forum looked attractive to me, but it uses VTI and its settings were not sufficient for my case.
Here is what I found working on my test bench. Note that the firmware version is 1.9.1.1.
site0 local network: 192.168.20.0/24, DDNS of WAN: site0.example.net
site1 local network: 192.168.30.0/24, DDNS of WAN: site1.example.net
Preparing an RSA key on both sides
In the CLI of both sites, run the following command to generate an RSA key. Copy the SOME_VERY_LONG_STRING it prints into a local text file; you will need it on the other side.
ubnt@site0:~$ generate vpn rsa-key bits 4096
Generating rsa-key to /config/ipsec.d/rsa-keys/localhost.key
Your new local RSA key has been generated
The public portion of the key is:
SOME_VERY_LONG_STRING
Register the public key of the counterpart
On site0,
configure
set vpn rsa-keys local-key file /config/ipsec.d/rsa-keys/localhost.key
set vpn rsa-keys rsa-key-name site1 rsa-key SOME_VERY_LONG_STRING_SHOWN_IN_SITE1
commit
On site1,
configure
set vpn rsa-keys local-key file /config/ipsec.d/rsa-keys/localhost.key
set vpn rsa-keys rsa-key-name site0 rsa-key SOME_VERY_LONG_STRING_SHOWN_IN_SITE0
commit
Open the firewall for the remote site
Surprisingly, packets from the remote site arrive via pppoe0 (or whatever interface you use to connect to the internet). The interface used for the internet connection usually has the strictest rules, so a rule accepting such packets is necessary. (configure, commit, and save are omitted in the following lists.)
On site0,
set firewall name WAN_LOCAL rule 60 action accept
set firewall name WAN_LOCAL rule 60 description FromSite1
set firewall name WAN_LOCAL rule 60 destination address 192.168.20.0/24
set firewall name WAN_LOCAL rule 60 log disable
set firewall name WAN_LOCAL rule 60 protocol all
set firewall name WAN_LOCAL rule 60 source address 192.168.30.0/24
On site1,
set firewall name WAN_LOCAL rule 60 action accept
set firewall name WAN_LOCAL rule 60 description FromSite0
set firewall name WAN_LOCAL rule 60 destination address 192.168.30.0/24
set firewall name WAN_LOCAL rule 60 log disable
set firewall name WAN_LOCAL rule 60 protocol all
set firewall name WAN_LOCAL rule 60 source address 192.168.20.0/24
Note that "WAN_LOCAL" and "rule 60" depend on your configuration, so adding the rule via the GUI is much easier. (WAN_LOCAL is the ruleset EdgeOS applies to packets addressed to the router itself; packets forwarded on to hosts in the LAN are matched by the ruleset attached to the WAN interface in the "in" direction, WAN_IN in the default setup, so check which one your traffic actually hits.)
Configure the other VPN settings
On site0,
set vpn ipsec auto-firewall-nat-exclude enable
set vpn ipsec esp-group FOO0 compression disable
set vpn ipsec esp-group FOO0 lifetime 3600
set vpn ipsec esp-group FOO0 mode tunnel
set vpn ipsec esp-group FOO0 pfs enable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash sha1
set vpn ipsec ike-group FOO0 ikev2-reauth no
set vpn ipsec ike-group FOO0 key-exchange ikev1
set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 14
set vpn ipsec ike-group FOO0 proposal 1 encryption aes128
set vpn ipsec ike-group FOO0 proposal 1 hash sha1
set vpn ipsec site-to-site peer site1.example.com authentication id site0
set vpn ipsec site-to-site peer site1.example.com authentication mode rsa
set vpn ipsec site-to-site peer site1.example.com authentication remote-id site1
set vpn ipsec site-to-site peer site1.example.com authentication rsa-key-name site1
set vpn ipsec site-to-site peer site1.example.com connection-type initiate
set vpn ipsec site-to-site peer site1.example.com description ToSite1
set vpn ipsec site-to-site peer site1.example.com ike-group FOO0
set vpn ipsec site-to-site peer site1.example.com ikev2-reauth inherit
set vpn ipsec site-to-site peer site1.example.com local-address any
set vpn ipsec site-to-site peer site1.example.com tunnel 1 allow-nat-networks disable
set vpn ipsec site-to-site peer site1.example.com tunnel 1 allow-public-networks disable
set vpn ipsec site-to-site peer site1.example.com tunnel 1 esp-group FOO0
set vpn ipsec site-to-site peer site1.example.com tunnel 1 local prefix 192.168.20.0/24
set vpn ipsec site-to-site peer site1.example.com tunnel 1 remote prefix 192.168.30.0/24
On site1,
set vpn ipsec auto-firewall-nat-exclude enable
set vpn ipsec esp-group FOO0 compression disable
set vpn ipsec esp-group FOO0 lifetime 3600
set vpn ipsec esp-group FOO0 mode tunnel
set vpn ipsec esp-group FOO0 pfs enable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash sha1
set vpn ipsec ike-group FOO0 ikev2-reauth no
set vpn ipsec ike-group FOO0 key-exchange ikev1
set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 14
set vpn ipsec ike-group FOO0 proposal 1 encryption aes128
set vpn ipsec ike-group FOO0 proposal 1 hash sha1
set vpn ipsec site-to-site peer site0.example.com authentication id site1
set vpn ipsec site-to-site peer site0.example.com authentication mode rsa
set vpn ipsec site-to-site peer site0.example.com authentication remote-id site0
set vpn ipsec site-to-site peer site0.example.com authentication rsa-key-name site0
set vpn ipsec site-to-site peer site0.example.com connection-type initiate
set vpn ipsec site-to-site peer site0.example.com description ToSite0
set vpn ipsec site-to-site peer site0.example.com ike-group FOO0
set vpn ipsec site-to-site peer site0.example.com ikev2-reauth inherit
set vpn ipsec site-to-site peer site0.example.com local-address any
set vpn ipsec site-to-site peer site0.example.com tunnel 1 allow-nat-networks disable
set vpn ipsec site-to-site peer site0.example.com tunnel 1 allow-public-networks disable
set vpn ipsec site-to-site peer site0.example.com tunnel 1 esp-group FOO0
set vpn ipsec site-to-site peer site0.example.com tunnel 1 local prefix 192.168.30.0/24
set vpn ipsec site-to-site peer site0.example.com tunnel 1 remote prefix 192.168.20.0/24
The settings shown in brown in the original post are the ones I found necessary for the two sites to connect to each other.
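Most failures with this kind of setup come from the two sides not mirroring each other: the authentication id on one router must equal the remote-id on the other, the rsa-key-name referenced by the peer entry must actually be registered under vpn rsa-keys, the local and remote prefixes must be swapped, and the firewall rule must accept the remote LAN. The following Python script is an added example, not code from this post or from Ubiquiti; it parses the set lines of both routers (the output of show configuration commands pastes in directly) and reports every mismatch it finds. The sample configurations, the PLACEHOLDER key strings and the function names (check_pair, firewall_accepts, sample_config) are constructed for the example.

```python
"""Cross-check two EdgeOS site-to-site IPsec configs for mirror consistency.

Added example, not code from the original post or from Ubiquiti. It parses the
`set ...` lines of both routers and verifies that what one side states about
itself is what the other side expects. The sample configs are constructed from
the values used in the post; the key material is a placeholder.
"""
import shlex
from typing import List, Optional


def parse_set_lines(text: str) -> List[List[str]]:
    """Turn `set a b c value` lines into token lists; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        tokens = shlex.split(line.strip())
        if tokens and tokens[0] == "set":
            entries.append(tokens[1:])
    return entries


def lookup(entries, *prefix) -> Optional[str]:
    """Value that follows `prefix` as exactly one more token, or None if absent."""
    n = len(prefix)
    for tokens in entries:
        if tuple(tokens[:n]) == prefix and len(tokens) == n + 1:
            return tokens[n]
    return None


def peer_name(entries) -> Optional[str]:
    """Name (DDNS host) of the first site-to-site peer in the config."""
    for tokens in entries:
        if tokens[:4] == ["vpn", "ipsec", "site-to-site", "peer"] and len(tokens) > 4:
            return tokens[4]
    return None


def firewall_accepts(entries, src: str, dst: str) -> bool:
    """True if some firewall rule accepts traffic from `src` to `dst`."""
    rules = {}
    for t in entries:
        if len(t) >= 7 and t[:2] == ["firewall", "name"] and t[3] == "rule":
            rules.setdefault((t[2], t[4]), {})[" ".join(t[5:-1])] = t[-1]
    return any(r.get("action") == "accept" and r.get("source address") == src
               and r.get("destination address") == dst for r in rules.values())


def check_pair(a_text: str, b_text: str) -> List[str]:
    """Problems found; an empty list means the two configs mirror each other."""
    problems = []
    a, b = parse_set_lines(a_text), parse_set_lines(b_text)
    for me, other, label in ((a, b, "A"), (b, a, "B")):
        peer, other_peer = peer_name(me), peer_name(other)
        if peer is None or other_peer is None:
            problems.append(f"{label}: site-to-site peer missing")
            continue
        p = ("vpn", "ipsec", "site-to-site", "peer", peer)
        q = ("vpn", "ipsec", "site-to-site", "peer", other_peer)
        # IKE identity: my `id` must be what the peer configured as `remote-id`.
        my_id = lookup(me, *p, "authentication", "id")
        expected = lookup(other, *q, "authentication", "remote-id")
        if my_id != expected:
            problems.append(f"{label}: sends id {my_id!r} but peer expects remote-id {expected!r}")
        # The RSA key name used for the peer must be registered under vpn rsa-keys.
        key = lookup(me, *p, "authentication", "rsa-key-name")
        if lookup(me, "vpn", "rsa-keys", "rsa-key-name", key, "rsa-key") is None:
            problems.append(f"{label}: rsa-key-name {key!r} referenced but not registered")
        # Traffic selectors: my local prefix is the peer's remote prefix and vice versa.
        my_local = lookup(me, *p, "tunnel", "1", "local", "prefix")
        my_remote = lookup(me, *p, "tunnel", "1", "remote", "prefix")
        if (my_local != lookup(other, *q, "tunnel", "1", "remote", "prefix")
                or my_remote != lookup(other, *q, "tunnel", "1", "local", "prefix")):
            problems.append(f"{label}: prefixes {my_local} <-> {my_remote} not mirrored by peer")
        # Referenced ike-group / esp-group must exist on this router.
        for kind, name in (("ike-group", lookup(me, *p, "ike-group")),
                           ("esp-group", lookup(me, *p, "tunnel", "1", "esp-group"))):
            if not any(t[:3] == ["vpn", "ipsec", kind] and t[3:4] == [name] for t in me):
                problems.append(f"{label}: {kind} {name!r} referenced but not defined")
        # The WAN ruleset must accept the decrypted traffic arriving from the remote LAN.
        if not firewall_accepts(me, my_remote, my_local):
            problems.append(f"{label}: no firewall rule accepts {my_remote} -> {my_local}")
    return problems


def sample_config(me: str, other: str, my_net: str, other_net: str) -> str:
    """Constructed config in the shape of the post's; PLACEHOLDER stands for the real public key."""
    peer = f"set vpn ipsec site-to-site peer {other}.example.com"
    return "\n".join([
        f"set vpn rsa-keys rsa-key-name {other} rsa-key PLACEHOLDER_PUBLIC_KEY_OF_{other}",
        "set vpn ipsec ike-group FOO0 key-exchange ikev1",
        "set vpn ipsec esp-group FOO0 mode tunnel",
        f"{peer} authentication id {me}", f"{peer} authentication mode rsa",
        f"{peer} authentication remote-id {other}",
        f"{peer} authentication rsa-key-name {other}", f"{peer} ike-group FOO0",
        f"{peer} tunnel 1 esp-group FOO0", f"{peer} tunnel 1 local prefix {my_net}",
        f"{peer} tunnel 1 remote prefix {other_net}",
        "set firewall name WAN_LOCAL rule 60 action accept",
        f"set firewall name WAN_LOCAL rule 60 source address {other_net}",
        f"set firewall name WAN_LOCAL rule 60 destination address {my_net}",
    ])


SITE0 = sample_config("site0", "site1", "192.168.20.0/24", "192.168.30.0/24")
SITE1 = sample_config("site1", "site0", "192.168.30.0/24", "192.168.20.0/24")
# A typo in site1's remote-id: the kind of mismatch that makes IKE authentication fail quietly.
SITE1_BAD_ID = SITE1.replace("remote-id site0", "remote-id site00")

if __name__ == "__main__":
    print("good pair:", check_pair(SITE0, SITE1) or "OK")
    print("bad pair: ", check_pair(SITE0, SITE1_BAD_ID))
```

Run it with the two real configurations in place of SITE0 and SITE1; the script only reads set lines, so the brown-highlighted settings of this post are covered alongside everything else, and a clean run prints OK for the pair.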
Good luck!