Hello - I am using an ASA to ERL3 ipsec site-to-site vpn, and it is working! However I am having one problem with the config.
I would like to terminate the VPN on the ERL side on a bridge - (The ERL is for some remote equipment management, I have two devices there and only need about 200kb of bandwidth. I would rather not use a switch and performance isn't an issue.)
When I put the IP address on a physical port, everything works as expected (the second port is, however, useless). When I put the VPN address on the bridge, packets from the bridged ports cannot communicate with the bridge address (doing a packet capture, all I see are ARP requests).
ubnt:~$ show interfaces bridge br1 capture
Capturing traffic on br1 ...
10:50:51.141035 ARP, Request who-has 10.255.224.241 tell 10.255.224.243, length 46
10:50:52.109955 ARP, Request who-has 10.255.224.241 tell 10.255.224.243, length 46
10:50:53.110527 ARP, Request who-has 10.255.224.241 tell 10.255.224.243, length 46
Here is my config:
firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    bridge br1 {
        address 10.255.224.241/29
        bridged-conntrack disable
        promiscuous disable
    }
    ethernet eth0 {
        address 70.90.*.*/28
        duplex auto
        speed auto
    }
    ethernet eth1 {
        bridge-group {
            bridge br1
        }
        duplex auto
        speed auto
    }
    ethernet eth2 {
        bridge-group {
            bridge br1
        }
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
protocols {
}
service {
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    gateway-address 70.90.*.*
    host-name ubnt
    name-server 172.27.13.3
    name-server 172.30.15.4
    ntp {
        server 172.16.54.248 {
        }
        server 172.30.15.56 {
        }
    }
    offload {
        hwnat disable
        ipsec enable
        ipv4 {
            forwarding enable
        }
        ipv6 {
            forwarding disable
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/New_York
}
vpn {
    ipsec {
        auto-firewall-nat-exclude enable
        disable-uniqreqids
        esp-group vpntunnel {
            compression disable
            lifetime 1800
            mode tunnel
            pfs disable
            proposal 1 {
                encryption aes256
                hash sha1
            }
        }
        ike-group vpntunnel {
            ikev2-reauth no
            key-exchange ikev1
            lifetime 28800
            proposal 1 {
                dh-group 2
                encryption aes256
                hash sha1
            }
        }
        ipsec-interfaces {
            interface eth0
        }
        nat-traversal disable
        site-to-site {
            peer *.*.*.* {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                connection-type initiate
                ike-group vpntunnel
                ikev2-reauth inherit
                local-address 70.90.*.*
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group vpntunnel
                    local {
                        prefix 10.255.224.240/29
                    }
                    remote {
                        prefix 0.0.0.0/0
                    }
                }
            }
        }
    }
}
ubnt:~$ show version
Version: v1.8.5
Build ID: 4884695
Build on: 06/08/16 10:57
Copyright: 2012-2016 Ubiquiti Networks, Inc.
HW model: EdgeRouter Lite 3-Port
HW S/N: 44D9E74023D4
Uptime: 11:05:02 up 1:24, 1 user, load average: 0.18, 0.16, 0.15
Thanks!
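The post above is about whether the bridge address, the bridge members and the IPsec tunnel's local prefix line up. The following is an added example, not part of the original post and not Ubiquiti's own tooling: a small parser for the brace-structured text that EdgeOS `show configuration` prints, followed by three sanity checks a reviewer would run over a config like the one posted (which ports are members of the bridge, whether any member port still carries its own address, and whether the tunnel's `local prefix` actually contains the bridge address). The sample config is constructed from the addressing in the post; the peer address 203.0.113.1 is a documentation-range placeholder standing in for the masked peer.

```python
import ipaddress

# Constructed sample in EdgeOS `show configuration` layout, using the post's
# bridge/tunnel addressing. 203.0.113.1 is a placeholder for the masked peer.
SAMPLE_CONFIG = """\
interfaces {
    bridge br1 {
        address 10.255.224.241/29
        bridged-conntrack disable
        promiscuous disable
    }
    ethernet eth1 {
        bridge-group {
            bridge br1
        }
        duplex auto
        speed auto
    }
    ethernet eth2 {
        bridge-group {
            bridge br1
        }
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
system {
    name-server 172.27.13.3
    name-server 172.30.15.4
}
vpn {
    ipsec {
        disable-uniqreqids
        site-to-site {
            peer 203.0.113.1 {
                tunnel 1 {
                    local {
                        prefix 10.255.224.240/29
                    }
                    remote {
                        prefix 0.0.0.0/0
                    }
                }
            }
        }
    }
}
"""


def parse_edgeos(text):
    """Parse brace-structured EdgeOS config text into nested dicts.

    'key value'        -> node[key] = value  (repeats collected into a list)
    'key'              -> node[key] = True   (bare flag, e.g. disable-uniqreqids)
    'key [name] {'     -> node[key][name] = {} and descend
    '}'                -> ascend
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == '}':
            stack.pop()
            continue
        if line.endswith('{') or (line.endswith('}') and '{' in line):
            # block header; 'loopback lo { }' on one line opens and closes at once
            header = line[:line.index('{')].split()
            node = stack[-1]
            for word in header:
                node = node.setdefault(word, {})
            if line.endswith('{'):
                stack.append(node)
            continue
        words = line.split()
        node = stack[-1]
        if len(words) == 1:
            node[words[0]] = True
            continue
        key, value = words[0], ' '.join(words[1:])
        existing = node.get(key)
        if existing is None:
            node[key] = value
        elif isinstance(existing, list):
            existing.append(value)
        else:
            node[key] = [existing, value]
    return root


def bridge_members(cfg, bridge_name):
    """Ethernet interfaces whose bridge-group points at the given bridge."""
    ethernets = cfg.get('interfaces', {}).get('ethernet', {})
    return sorted(name for name, ifcfg in ethernets.items()
                  if ifcfg.get('bridge-group', {}).get('bridge') == bridge_name)


def addressed_bridge_members(cfg, bridge_name):
    """Member ports that still carry their own address (should be empty once the
    address has been moved onto the bridge)."""
    ethernets = cfg['interfaces']['ethernet']
    return [name for name in bridge_members(cfg, bridge_name)
            if 'address' in ethernets[name]]


def tunnel_covers_bridge(cfg, bridge_name):
    """True if every site-to-site tunnel's local prefix contains the bridge address."""
    bridge_if = ipaddress.ip_interface(cfg['interfaces']['bridge'][bridge_name]['address'])
    prefixes = []
    for peer in cfg['vpn']['ipsec']['site-to-site']['peer'].values():
        for tun in peer.get('tunnel', {}).values():
            prefixes.append(ipaddress.ip_network(tun['local']['prefix']))
    return bool(prefixes) and all(bridge_if.ip in p for p in prefixes)


if __name__ == '__main__':
    cfg = parse_edgeos(SAMPLE_CONFIG)
    print('br1 members:', bridge_members(cfg, 'br1'))
    print('members still addressed:', addressed_bridge_members(cfg, 'br1'))
    print('tunnel local prefix covers br1:', tunnel_covers_bridge(cfg, 'br1'))
```

The parser works on the indented multi-line form; the single-line form some forum software produces loses the statement boundaries (a bare flag such as `disable-uniqreqids` next to a block header cannot be split unambiguously), so paste the output of `show configuration` rather than a flattened copy.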