
EdgeRouter and Ubiquiti Setup with ApexGuard


1. Gather IKEv2/IPsec Credentials from ApexGuard

  1. Log into your ApexGuard account.
  2. Navigate to: Advanced Settings → Set up ApexGuard manually → Service Credentials / IPsec credentials.
  3. Locate or create your IKEv2/IPsec pre-shared key (PSK) and note the server endpoint (e.g., ikev2.apexguard.com) and user-auth parameters.

Make sure you have the following info handy:

  • Server address (e.g., ikev2.apexguard.com or IP).
  • Pre-shared key (PSK) or certificates (if using cert-based auth).
  • Username/Password if using EAP for IKEv2.

2. Confirm Your EdgeRouter WAN Interface

  1. Identify your WAN interface (e.g., eth0) which connects to the internet.
  2. Check your LAN interface(s) (e.g., eth1, eth2, or switch0). You’ll need this info for NAT rules and firewall settings.

3. Enable IPsec and Create IKE/ESP Groups

EdgeOS uses “IKE Groups” (Phase 1) and “ESP Groups” (Phase 2) to define security proposals (encryption and hashing algorithms). Below is an example set with modern ciphers.

SSH into your EdgeRouter:

ssh ubnt@[router_ip_address]

Enter configuration mode:

configure

Enable IPsec processing on the WAN interface (if not already done):

set vpn ipsec ipsec-interfaces interface eth0

Replace eth0 with your actual WAN interface name.

Create/Modify IKE Group (Phase 1 proposal):

set vpn ipsec ike-group IKEV2 proposal 1 encryption aes256
set vpn ipsec ike-group IKEV2 proposal 1 hash sha512
set vpn ipsec ike-group IKEV2 lifetime 28800
set vpn ipsec ike-group IKEV2 ike-version 2

Create/Modify ESP Group (Phase 2 proposal):

set vpn ipsec esp-group ESPV2 proposal 1 encryption aes256
set vpn ipsec esp-group ESPV2 proposal 1 hash sha512
set vpn ipsec esp-group ESPV2 lifetime 3600

Commit and save:

commit
save

4. Configure the IPsec Peer (ApexGuard Server)

Now define the remote peer (ApexGuard’s IKEv2 server). This example uses a pre-shared key. If you have certificate-based or EAP-based auth, adjust accordingly.

In configuration mode:

configure

Set the remote peer (replace ikev2.apexguard.com with the actual server or IP):

set vpn ipsec site-to-site peer ikev2.apexguard.com authentication mode pre-shared-secret
set vpn ipsec site-to-site peer ikev2.apexguard.com authentication pre-shared-secret "YOUR_PSK_HERE"
set vpn ipsec site-to-site peer ikev2.apexguard.com ike-group IKEV2

Specify your local IP (the public IP on eth0), if needed:

set vpn ipsec site-to-site peer ikev2.apexguard.com local-address <your_public_ip_here>

If the router obtains its IP automatically (DHCP), you can omit local-address or set it explicitly if recommended by ApexGuard.

Assign the ESP group:

set vpn ipsec site-to-site peer ikev2.apexguard.com esp-group ESPV2

Define the local and remote subnets to encrypt (site-to-site). If you want all traffic from your LAN to go through the VPN, set 0.0.0.0/0 on the remote side, or consult ApexGuard’s recommended approach:

set vpn ipsec site-to-site peer ikev2.apexguard.com tunnel 1 local subnet 192.168.1.0/24
set vpn ipsec site-to-site peer ikev2.apexguard.com tunnel 1 remote subnet 0.0.0.0/0

Commit and save:

commit
save
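Steps 3 and 4 are one procedure with a handful of values that change per router (WAN interface, peer, LAN subnet, PSK). The script below is an added example, not part of the ApexGuard article or of EdgeOS: it validates those inputs and emits the same command list as above, reading the PSK from a file so the secret never sits in shell history or in a pasted command line. The peer host, group names and PSK file path are whatever the operator supplies; the 20-character minimum on the PSK is an assumption chosen here, not an EdgeOS or ApexGuard requirement.

```shell
#!/bin/sh
# Added example (not from the ApexGuard article or Ubiquiti): emit the EdgeOS
# 'set' commands for the IKE/ESP groups and the site-to-site peer from a few
# parameters.  The PSK is read from a file (first line) rather than passed as
# an argument, so it does not land in shell history or 'ps' output.

# is_cidr NETWORK/PREFIX -> 0 if the argument looks like an IPv4 CIDR
is_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# build_ipsec_config WAN_IF PEER LAN_SUBNET PSK_FILE
# Prints the command list to stdout; returns 1 (and prints a reason on stderr)
# when an input is malformed, so nothing half-valid reaches the router.
build_ipsec_config() {
    wan_if=$1; peer=$2; lan=$3; psk_file=$4
    case $wan_if in
        eth[0-9]*|pppoe[0-9]*) ;;
        *) echo "bad WAN interface: $wan_if" >&2; return 1 ;;
    esac
    is_cidr "$lan" || { echo "bad LAN subnet: $lan" >&2; return 1; }
    [ -r "$psk_file" ] || { echo "cannot read PSK file: $psk_file" >&2; return 1; }
    psk=$(head -n1 "$psk_file")
    # Minimum length is this example's own policy, not a vendor requirement.
    [ "${#psk}" -ge 20 ] || { echo "PSK shorter than 20 characters" >&2; return 1; }
    cat <<EOF
configure
set vpn ipsec ipsec-interfaces interface $wan_if
set vpn ipsec ike-group IKEV2 proposal 1 encryption aes256
set vpn ipsec ike-group IKEV2 proposal 1 hash sha512
set vpn ipsec ike-group IKEV2 lifetime 28800
set vpn ipsec ike-group IKEV2 ike-version 2
set vpn ipsec esp-group ESPV2 proposal 1 encryption aes256
set vpn ipsec esp-group ESPV2 proposal 1 hash sha512
set vpn ipsec esp-group ESPV2 lifetime 3600
set vpn ipsec site-to-site peer $peer authentication mode pre-shared-secret
set vpn ipsec site-to-site peer $peer authentication pre-shared-secret "$psk"
set vpn ipsec site-to-site peer $peer ike-group IKEV2
set vpn ipsec site-to-site peer $peer esp-group ESPV2
set vpn ipsec site-to-site peer $peer tunnel 1 local subnet $lan
set vpn ipsec site-to-site peer $peer tunnel 1 remote subnet 0.0.0.0/0
commit
save
EOF
}

# Usage (paths are placeholders):
#   build_ipsec_config eth0 ikev2.apexguard.com 192.168.1.0/24 /root/apexguard.psk > ipsec-commands.txt
# then paste the file's contents into an EdgeOS session.
```

The PSK is inserted inside double quotes exactly as the page's command shows, so a key containing a double quote would need escaping before use; the length check is deliberately conservative, since a short PSK is the weakest point of a pre-shared-key IKEv2 setup.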

5. (Optional) Configure XAUTH/EAP for IKEv2 User Authentication

set vpn ipsec site-to-site peer ikev2.apexguard.com authentication mode 'xauth'   # or eap
set vpn ipsec site-to-site peer ikev2.apexguard.com authentication id 'YOUR_USERNAME'
set vpn ipsec site-to-site peer ikev2.apexguard.com authentication remote-id 'SERVER_ID'
# ... Additional lines depending on ApexGuard’s EAP config requirements

Similarly, if using certificate-based auth, you would need to:

  1. Upload your CA and client certs into /config/auth/ on the router (via SCP or an SFTP client).
  2. Reference them in the config. EdgeOS calls certificate authentication mode x509 (the rsa mode is for raw RSA public keys, not certificates):

set vpn ipsec site-to-site peer ikev2.apexguard.com authentication mode 'x509'
set vpn ipsec site-to-site peer ikev2.apexguard.com authentication x509 ca-cert-file /config/auth/<ca_cert_file>
set vpn ipsec site-to-site peer ikev2.apexguard.com authentication x509 cert-file /config/auth/<client_cert_file>
set vpn ipsec site-to-site peer ikev2.apexguard.com authentication x509 key file /config/auth/<client_key_file>

6. Configure NAT and Firewall Rules

If you want traffic from your LAN (e.g., 192.168.1.0/24) to route out the ApexGuard VPN, you typically need a NAT masquerade rule (outbound NAT via IPsec) and possibly firewall adjustments. You may also need policy-based routing. Below is an example:

NAT Rule (masquerade LAN traffic out the IPsec tunnel):

configure
set service nat rule 5000 description 'IPsec outbound NAT for LAN'
set service nat rule 5000 outbound-interface eth0
set service nat rule 5000 source address 192.168.1.0/24
set service nat rule 5000 translation address masquerade
commit
save

Important: On some EdgeRouter/EdgeOS builds you might need to rely on `set vpn ipsec auto-firewall-nat-exclude enable` or on policy-based routing instead, depending on how ApexGuard expects traffic to flow. The auto-exclude option adds NAT and firewall exclusions so that traffic bound for the tunnel is not masqueraded on eth0 before IPsec processes it; otherwise the rewritten source no longer matches the tunnel's local subnet and the traffic leaves the WAN in the clear.

Firewall

If you have a local firewall on eth0 (WAN), ensure IPsec traffic (UDP/500, UDP/4500, ESP) is allowed:

set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 description 'Allow IPsec IKEv2'
set firewall name WAN_LOCAL rule 10 destination port 500,4500
set firewall name WAN_LOCAL rule 10 protocol udp
set firewall name WAN_LOCAL rule 20 action accept
set firewall name WAN_LOCAL rule 20 description 'Allow IPsec ESP'
set firewall name WAN_LOCAL rule 20 protocol esp
commit
save

Note: Adjust the exact firewall names, rule numbers, and interface references (e.g., WAN_IN, WAN_LOCAL) per your existing setup.

7. Verify the Connection

Check IPsec status:

run show vpn ipsec sa

Look for an ESTABLISHED status (the IKE SA, Phase 1) and an INSTALLED SA (the ESP child SA, Phase 2) for the peer ikev2.apexguard.com. Both must be present; an established IKE SA with no installed child SA usually means a Phase 2 proposal or subnet mismatch.

View logs:

run show log

You should see lines indicating successful IKE negotiation, such as:

IPsec SA established tunnel mode ...

Test traffic:

  • From a LAN client (e.g., a PC on 192.168.1.x), browse to “What’s my IP” or check your IP info on the ApexGuard website to confirm your traffic is passing through the VPN.
  • If configured site-to-site, try pinging a remote IP through the tunnel.
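Eyeballing `show vpn ipsec sa` works once, but the check worth automating is whether the tunnel is really up, covers all traffic, and is carrying packets, since a policy-based tunnel that drops silently leaves the LAN talking to the internet directly. The functions below are an added example, not part of the ApexGuard article or of EdgeOS. They assume the swanctl-style status output that recent EdgeOS releases print (peer header with ESTABLISHED, indented child SA with INSTALLED, then selectors and counters); the sample output is constructed here with documentation addresses, and the command-wrapper path in the usage comment is the one found on EdgeOS, to be adjusted if a release differs.

```shell
#!/bin/sh
# Added example (not from the ApexGuard article or Ubiquiti): decide from
# 'show vpn ipsec sa' output whether the tunnel to a peer is up, full, and
# passing traffic.  Output format assumed: strongSwan swanctl style as printed
# by recent EdgeOS releases.  SAMPLE_UP is CONSTRUCTED (RFC 5737 addresses).

SAMPLE_UP=$(cat <<'EOF'
peer-ikev2.apexguard.com-tunnel-1: #1, ESTABLISHED, IKEv2, 3f2a91c0d4e5b6a7_i 9b1c2d3e4f5a6b7c_r*
  local  198.51.100.2 @ 198.51.100.2[4500]
  remote 203.0.113.10 @ 203.0.113.10[4500]
  AES_CBC-256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
  established 125s ago, rekeying in 28020s
  peer-ikev2.apexguard.com-tunnel-1: #2, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_512_256
    installed 125s ago, rekeying in 3150s, expires in 3475s
    in  c9a1b2d3,  41280 bytes,  316 packets,  2s ago
    out 1e4f5a6b,  22864 bytes,  298 packets,  2s ago
    local  192.168.1.0/24
    remote 0.0.0.0/0
EOF
)

# tunnel_state SA_OUTPUT PEER
# Prints "up" (IKE SA established and child SA installed), "ike-only"
# (Phase 1 done but no ESP SA: proposal or selector mismatch) or "down"
# (no SA for that peer).  Returns 0 only for "up".
tunnel_state() {
    sa_out=$1
    peer_re=$(printf '%s' "$2" | sed 's/\./\\./g')   # make dots literal in the regex
    if ! printf '%s\n' "$sa_out" | grep -Eq "^peer-${peer_re}-tunnel-[0-9]+: #[0-9]+, ESTABLISHED,"; then
        echo down; return 1
    fi
    if ! printf '%s\n' "$sa_out" | grep -Eq "^ +peer-${peer_re}-tunnel-[0-9]+: #[0-9]+, reqid [0-9]+, INSTALLED,"; then
        echo ike-only; return 1
    fi
    echo up
}

# full_tunnel SA_OUTPUT -> 0 if an installed child SA has the 0.0.0.0/0 remote
# selector, i.e. all LAN traffic is covered, not just one remote subnet.
full_tunnel() {
    printf '%s\n' "$1" | grep -Eq '^ +remote 0\.0\.0\.0/0$'
}

# tunnel_passing_traffic SA_OUTPUT -> 0 if the outbound ESP packet counter of
# the first child SA is non-zero (the SA exists AND something is using it).
tunnel_passing_traffic() {
    pkts=$(printf '%s\n' "$1" | sed -n -E 's/^ +out [0-9a-f]+, +[0-9]+ bytes, +([0-9]+) packets.*/\1/p' | head -n1)
    case $pkts in
        ''|0) return 1 ;;
        *)    return 0 ;;
    esac
}

# Usage on the router (wrapper path as on EdgeOS; adjust per release):
#   sa=$(/opt/vyatta/bin/vyatta-op-cmd-wrapper show vpn ipsec sa)
#   tunnel_state "$sa" ikev2.apexguard.com && full_tunnel "$sa" && tunnel_passing_traffic "$sa"
```

Run from cron, a non-zero exit from that chain is the signal to alert or to apply a kill-switch firewall rule, which is the only reliable protection against a tunnel that has quietly gone down.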

8. Additional Commands

Disable the IPsec Tunnel

configure
set vpn ipsec site-to-site peer ikev2.apexguard.com disable
commit
save

This prevents the router from initiating or responding to the specified peer.

Re-Enable the IPsec Tunnel

configure
delete vpn ipsec site-to-site peer ikev2.apexguard.com disable
commit
save

Switch to a Different ApexGuard Server

Edit the peer configuration to point to a new server (e.g., ikev2-us.apexguard.com):

configure
set vpn ipsec site-to-site peer ikev2.apexguard.com disable  # (optional) temporarily disable old server
delete vpn ipsec site-to-site peer ikev2.apexguard.com
set vpn ipsec site-to-site peer ikev2-us.apexguard.com ...
commit
save

Or simply update the existing peer:

configure
set vpn ipsec site-to-site peer ikev2.apexguard.com authentication pre-shared-secret "NEW_PSK"
# And so on
commit
save
