Extensive testing with different routers and cloud provider IPsec offerings has shown that these IPsec clients will significantly underperform an instance or server running IPsec. Running IPsec on a router should only be done when it is not possible to configure a pritunl-link client with port forwarding. Additionally many failover features will be unsupported when not using pritunl-link clients for IPsec.
This documentation will configure IPsec running on an EdgeRouter connecting to Pritunl Link. Refer to the Ubiquiti EdgeRouter documentation for running a Pritunl Link client on an EdgeRouter network.
Pritunl Link has support for the Ubiquiti EdgeRouters using IPsec links with a static host. A static host in Pritunl Link is a IPsec client that is not running the pritunl-link application. This allows connecting on-site routers that have support for IPsec. Using a static host will have some limitations such as not being able to automatically update changes to the link configuration. Most limitations such as failover support have been fixed or improved in recent Pritunl releases. For high bandwidth links it is recommended to run pritunl-link on a server using the Ubiquiti EdgeRouter guide. The EdgeRouter will have limited IPsec performance.
It is important to first enable IPsec hardware offloading on the EdgeRouter. Without hardware offloading the IPsec connection will consume significant CPU power and will have very limited bandwidth. Refer to EdgeRouter Hardware Offloading Explained for information on configuring hardware offloading. The command
show ubnt offload should show IPsec offloading enabled.
The EdgeRouters have relatively limited CPU power, high bandwidth configurations should use a dedicated server running behind the EdgeRouter. During testing with an EdgeRouter ERPoe-5 bandwidth averaged around 75 megabits/sec.
Static hosts are not able to automatically pull changes to the link configuration from the Pritunl server. Because of this the link configuration must be fully completed and all non-static hosts must be deployed first. The non-static hosts will push the public address of the host to the Pritunl server, this must be done before configuring the static host. If it's necessary to deploy a static host before non-static hosts the public address must be manually configured on the non-static hosts.
To configure a EdgeRouter static host first create a location for the EdgeRouter network then click Add Host in the location. Then click Advanced at the top right and enable Static Host. Set the Public Address to the public IP address of the EdgeRouter. If an IPv6 link is being configured also set the IPv6 Address.
Once done a Get EdgeRouter Conf button will be displayed on the right side of the host. Click this to get the configuration for the EdgeRouter. Connect to the EdgeRouter with SSH then run the command
configure and paste these commands into the configuration mode. Then run
save. This will configure all the needed options and the router will then connect and route the traffic to the networks.
show vpn ipsec status,
show vpn ipsec state and
sudo ipsec statusall will show the status of the IPsec connection on the EdgeRouter.
Updated almost 2 years ago