DDNS Site-to-Site IPsec VPN by Ubiquiti Networks EdgeRouter ER-X

I've been using ER-X from Ubiquiti Networks for more than half year. It is covered with metal chassis and its functionality is as solid as it looks, though it is cheaper than $50. One is used in my house and the other is used in my parents' house.

Now it is time to establish site-to-site IPsec VPN. Google says that site-to-site IPsec with DDNS is troublesome.

To be honest, I have 3 more ER-X for trying this site-to-site VPN without breaking existing internet connection, so I have 5 ER-X in total😀. The ER-X on the left of the picture emulates ISP and the internet, it offers PPPoE service and DNS. The two ER-X on the right correspond to routers in my home and my parents' home. After this experiment, some will be sent to my brothers.

As far as I studied from many posts, using pre-shared-key (PSK) for DDNS is the source of trouble. Using PSK is only good when IP address is used to specify the remote site.

When one needs to establish site-to-site VPN and both side use DDNS, RSA or x509 look promising.
The post on the Ubiquiti forum looks attractive to me, but the post uses VTI and the setting itself was not sufficient for my case.

Here is what I found and working on my test bench. Note that firmware version is 1.9.1.1.
site0 local network:192.168.20.0/24,  DDNS of WAN:site0.example.net
site1 local network:192.168.30.0/24,  DDNS of WAN:site1.example.net

Preparing RSA key on the both side

In CLI of both site, run the following command to generate RSA key.

ubnt@site0:~$ generate vpn rsa-key bits 4096

Generating rsa-key to /config/ipsec.d/rsa-keys/localhost.key

Your new local RSA key has been generated
The public portion of the key is:

SOME_VERY_LONG_STRING

You need to copy the SOME_VERY_LONG_STRING to your local text file.

Register the public key of the counter part

 On site0,

configure

set vpn rsa-keys local-key file /config/ipsec.d/rsa-keys/localhost.key

set vpn rsa-keys rsa-key-name site1 rsa-key SOME_VERY_LONG_STRING_SHOWN_IN_SITE1

commit

On site1,

configure

set vpn rsa-keys local-key file /config/ipsec.d/rsa-keys/localhost.key

set vpn rsa-keys rsa-key-name site0 rsa-key SOME_VERY_LONG_STRING_SHOWN_IN_SITE0

commit

Open Firewall for remote site

Surprisingly, packets from the remote site come via pppoe0 (or whatever an interface you use to connect the internet). Usually an interface which is used for the internet connection has the most strict rules, so a rule to accept such packet is necessary. (configure, commit, and save are omitted in the following lists).

On site0,

set firewall name WAN_LOCAL rule 60 action accept
set firewall name WAN_LOCAL rule 60 description FromSite1
set firewall name WAN_LOCAL rule 60 destination address 192.168.20.0/24
set firewall name WAN_LOCAL rule 60 log disable
set firewall name WAN_LOCAL rule 60 protocol all
set firewall name WAN_LOCAL rule 60 source address 192.168.30.0/24

On site1,

set firewall name WAN_LOCAL rule 60 action accept
set firewall name WAN_LOCAL rule 60 description FromSite0
set firewall name WAN_LOCAL rule 60 destination address 192.168.30.0/24
set firewall name WAN_LOCAL rule 60 log disable
set firewall name WAN_LOCAL rule 60 protocol all
set firewall name WAN_LOCAL rule 60 source address 192.168.20.0/24

Notice that "WAN_LOCAL" and "rule 60" depend on your configuration. So adding via GUI is much easier.

 Configure other VPN settings

On site0

set vpn ipsec auto-firewall-nat-exclude enable
set vpn ipsec esp-group FOO0 compression disable
set vpn ipsec esp-group FOO0 lifetime 3600
set vpn ipsec esp-group FOO0 mode tunnel
set vpn ipsec esp-group FOO0 pfs enable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash sha1
set vpn ipsec ike-group FOO0 ikev2-reauth no
set vpn ipsec ike-group FOO0 key-exchange ikev1
set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 14
set vpn ipsec ike-group FOO0 proposal 1 encryption aes128
set vpn ipsec ike-group FOO0 proposal 1 hash sha1
set vpn ipsec site-to-site peer site1.example.com authentication id site0
set vpn ipsec site-to-site peer site1.example.com authentication mode rsa
set vpn ipsec site-to-site peer site1.example.com authentication remote-id site1
set vpn ipsec site-to-site peer site1.example.com authentication rsa-key-name site1
set vpn ipsec site-to-site peer site1.example.com connection-type initiate
set vpn ipsec site-to-site peer site1.example.com description ToSite1
set vpn ipsec site-to-site peer site1.example.com ike-group FOO0
set vpn ipsec site-to-site peer site1.example.com ikev2-reauth inherit
set vpn ipsec site-to-site peer site1.example.com local-address any
set vpn ipsec site-to-site peer site1.example.com tunnel 1 allow-nat-networks disable
set vpn ipsec site-to-site peer site1.example.com tunnel 1 allow-public-networks disable
set vpn ipsec site-to-site peer site1.example.com tunnel 1 esp-group FOO0
set vpn ipsec site-to-site peer site1.example.com tunnel 1 local prefix 192.168.20.0/24
set vpn ipsec site-to-site peer site1.example.com tunnel 1 remote prefix 192.168.30.0/24

On site1,

set vpn ipsec auto-firewall-nat-exclude enable
set vpn ipsec esp-group FOO0 compression disable
set vpn ipsec esp-group FOO0 lifetime 3600
set vpn ipsec esp-group FOO0 mode tunnel
set vpn ipsec esp-group FOO0 pfs enable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash sha1
set vpn ipsec ike-group FOO0 ikev2-reauth no
set vpn ipsec ike-group FOO0 key-exchange ikev1
set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 14
set vpn ipsec ike-group FOO0 proposal 1 encryption aes128
set vpn ipsec ike-group FOO0 proposal 1 hash sha1
set vpn ipsec site-to-site peer site0.example.com authentication id site1
set vpn ipsec site-to-site peer site0.example.com authentication mode rsa
set vpn ipsec site-to-site peer site0.example.com authentication remote-id site0
set vpn ipsec site-to-site peer site0.example.com authentication rsa-key-name site0
set vpn ipsec site-to-site peer site0.example.com connection-type initiate
set vpn ipsec site-to-site peer site0.example.com description ToSite0
set vpn ipsec site-to-site peer site0.example.com ike-group FOO0
set vpn ipsec site-to-site peer site0.example.com ikev2-reauth inherit
set vpn ipsec site-to-site peer site0.example.com local-address any
set vpn ipsec site-to-site peer site0.example.com tunnel 1 allow-nat-networks disable
set vpn ipsec site-to-site peer site0.example.com tunnel 1 allow-public-networks disable
set vpn ipsec site-to-site peer site0.example.com tunnel 1 esp-group FOO0
set vpn ipsec site-to-site peer site0.example.com tunnel 1 local prefix 192.168.30.0/24
set vpn ipsec site-to-site peer site0.example.com tunnel 1 remote prefix 192.168.20.0/24

The setting in brown color is what I found necessary to connect each other.

Good luck! 

DNS Hosting and DDNS of changeip.com

Recently I registered some domain and want to use it for Dynamic DNS.
I googled for DDNS services which allows to use my own  domain.
Some service costs more than $10 / month, which seems to be for business purpose.


I found ChangeIP offers DNS hosting for $9 / year and DDNS for $6 / year which is cheapest service I could find for using my own domain.

I hit a trouble that my domain was not shown on their WEB control panel even after paid fee and delegated authority to DNS serves of changeip.com.
I asked via their support ticket, they answered promptly and fixed my problem.
Of course  no issue is better, but still quick and correct support is impressive.

Overall

I'm satisfied with the service. I hope more people use the service, then their business succeeds and I can keep using the  service in the good price 😄

Pros:

• Competitive price ($9/year for DNS hosting and $6/year for DDNS of the domain)
• Rapid DDNS update (TTL is 30sec which I've never seen in free DDNS services)
• Quick support
• Useful knowledge base 

Cons:

• Wizard  or easy tutorial for initial setting does not exist
• Knowledge base is good, but standard manual is helpful.