Static Host IPSec Setup

Trying to follow the static host guide here: Ubiquiti EdgeRouter Static

When I set this up in pritunl (v1.30.3431.73) the config doesn’t seem to work as expected. When clicking the Get EdgeRouter Config it only outputs the following:

set vpn ipsec auto-firewall-nat-exclude enable

set vpn ipsec ike-group pritunl lifetime 10800
set vpn ipsec ike-group pritunl key-exchange ikev2
set vpn ipsec ike-group pritunl proposal 1 dh-group 19
set vpn ipsec ike-group pritunl proposal 1 encryption aes128
set vpn ipsec ike-group pritunl proposal 1 hash sha256

set vpn ipsec esp-group pritunl lifetime 3600
set vpn ipsec esp-group pritunl pfs dh-group19
set vpn ipsec esp-group pritunl proposal 1 encryption aes128
set vpn ipsec esp-group pritunl proposal 1 hash sha256

How do I:

  • Get the site to site peer section to show up
  • Configure the pre-shared key
  • Update the encryption routines/dh-group (setting the preferred cipher on the Link doesn’t change anything)

Essentially trying to get IPSec to work for static hosts and running into issues. Any help would be appreciated. Our use case cannot use pritunl-link.

All non-static hosts must be configured first. This allows the pritunl-link hosts to send the public IP address to the Pritunl server to include in the configuration. The Pritunl server does not function as a link host and pritunl-link should not be run on the same instance as a Pritunl server. Each link must have at least two locations with at least one host in each location.

Thanks @Zach. I didn’t realize the pritunl server itself couldn’t serve as an IPsec endpoint. Adding in a pritunl-link based host looks to help the configuration along.

Is there any capability to control the IKE version and PSK?

The key can be reset by clicking the rekey link; it can’t be modified manually. The only IPsec options available are the preferred IKE and ESP cipher in the link settings, available by clicking the name of the link. Force preferred cipher can also be set to require that only these ciphers be configured. Both of these options apply only to pritunl-link clients. Other clients would need to be configured to match these options.
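The EdgeRouter output quoted at the top of the thread defines an ike-group and an esp-group but no site-to-site peer, so nothing on the router actually uses those groups. The following is an added example, not code from Pritunl or Ubiquiti: a small Python audit that parses flat EdgeOS `set vpn ipsec ...` lines, reports when groups are defined but never referenced by a peer, checks that each peer's ike-group/esp-group references resolve, and flags weak parameters (IKEv1, DH groups 1/2/5, MD5/SHA-1, DES/3DES) that would contradict the preferred-cipher settings Zach describes. The group lines are the ones from the thread; the peer block, the RFC 5737 addresses (203.0.113.10, 198.51.100.5), the prefixes, the REPLACE_WITH_PRITUNL_PSK placeholder and all function names are constructed for the example and are not output that Pritunl is known to generate.

```python
"""Audit EdgeOS (EdgeRouter) IPsec 'set' commands for missing peers and weak settings.

Added example, not Pritunl's or Ubiquiti's code.
"""

# Constructed input: the lines the thread's "Get EdgeRouter Config" button
# produced before any pritunl-link host existed (groups only, no peer).
CONFIG_GROUPS_ONLY = """
set vpn ipsec auto-firewall-nat-exclude enable
set vpn ipsec ike-group pritunl lifetime 10800
set vpn ipsec ike-group pritunl key-exchange ikev2
set vpn ipsec ike-group pritunl proposal 1 dh-group 19
set vpn ipsec ike-group pritunl proposal 1 encryption aes128
set vpn ipsec ike-group pritunl proposal 1 hash sha256
set vpn ipsec esp-group pritunl lifetime 3600
set vpn ipsec esp-group pritunl pfs dh-group19
set vpn ipsec esp-group pritunl proposal 1 encryption aes128
set vpn ipsec esp-group pritunl proposal 1 hash sha256
"""

# Constructed input: the same groups plus an ASSUMED peer block that references
# them. Addresses are RFC 5737 documentation ranges; the secret is a placeholder.
CONFIG_WITH_PEER = CONFIG_GROUPS_ONLY + """
set vpn ipsec site-to-site peer 203.0.113.10 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 203.0.113.10 authentication pre-shared-secret REPLACE_WITH_PRITUNL_PSK
set vpn ipsec site-to-site peer 203.0.113.10 ike-group pritunl
set vpn ipsec site-to-site peer 203.0.113.10 local-address 198.51.100.5
set vpn ipsec site-to-site peer 203.0.113.10 tunnel 1 esp-group pritunl
set vpn ipsec site-to-site peer 203.0.113.10 tunnel 1 local prefix 10.0.0.0/24
set vpn ipsec site-to-site peer 203.0.113.10 tunnel 1 remote prefix 10.1.0.0/24
"""

WEAK_DH = {"1", "2", "5"}      # MODP groups below 2048 bits
WEAK_HASH = {"md5", "sha1"}
WEAK_ENC = {"des", "3des"}


def parse(text):
    """Return one token list per 'set vpn ipsec ...' line, with the prefix stripped."""
    rows = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:3] == ["set", "vpn", "ipsec"]:
            rows.append(tokens[3:])
    return rows


def named_groups(rows, kind):
    """Collect ike-group or esp-group definitions as {name: {path: value}}."""
    groups = {}
    for r in rows:
        if r and r[0] == kind and len(r) >= 3:
            groups.setdefault(r[1], {})[" ".join(r[2:-1])] = r[-1]
    return groups


def peers(rows):
    """Collect site-to-site peers as {peer_address: {path: value}}."""
    found = {}
    for r in rows:
        if r[:2] == ["site-to-site", "peer"] and len(r) >= 4:
            found.setdefault(r[2], {})[" ".join(r[3:-1])] = r[-1]
    return found


def weak_param(path, value):
    """Return a finding string if this group parameter is weak, else None."""
    last = path.split()[-1]
    if last == "dh-group" and value in WEAK_DH:
        return f"weak {path} {value}"
    if last == "pfs" and (value == "disable" or value.replace("dh-group", "") in WEAK_DH):
        return f"weak or disabled pfs ({value})"
    if last == "hash" and value in WEAK_HASH:
        return f"weak hash {value}"
    if last == "encryption" and value in WEAK_ENC:
        return f"weak encryption {value}"
    return None


def audit(text):
    """Return human-readable findings; an empty list means nothing was flagged."""
    rows = parse(text)
    ike = named_groups(rows, "ike-group")
    esp = named_groups(rows, "esp-group")
    found = peers(rows)
    findings = []

    if not found:
        findings.append("no site-to-site peer: ike/esp groups defined but never used")

    for name, g in ike.items():
        if g.get("key-exchange") != "ikev2":
            findings.append(f"ike-group {name}: key-exchange is not ikev2")
        for path, value in g.items():
            msg = weak_param(path, value)
            if msg:
                findings.append(f"ike-group {name}: {msg}")
    for name, g in esp.items():
        for path, value in g.items():
            msg = weak_param(path, value)
            if msg:
                findings.append(f"esp-group {name}: {msg}")

    for addr, p in found.items():
        if p.get("ike-group") not in ike:
            findings.append(f"peer {addr}: ike-group {p.get('ike-group')!r} is not defined")
        for path, value in p.items():
            if path.endswith("esp-group") and value not in esp:
                findings.append(f"peer {addr}: {path} {value!r} is not defined")
        if p.get("authentication mode") == "pre-shared-secret" and "authentication pre-shared-secret" not in p:
            findings.append(f"peer {addr}: pre-shared-secret mode but no secret set")
    return findings


if __name__ == "__main__":
    for label, cfg in (("groups only", CONFIG_GROUPS_ONLY), ("with peer", CONFIG_WITH_PEER)):
        print(label, "->", audit(cfg) or "ok")
```

Run it over the text pasted from the Get EdgeRouter Config dialog: the thread's original output yields a single "no site-to-site peer" finding, which is exactly the symptom the first post describes, while the same groups with a referencing peer block pass clean. The weak-parameter thresholds are a conservative baseline chosen for the example, not a Pritunl policy.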