26.02.2019. UniFi - USG VPN: How to Configure Site-to-Site VPN — Ubiquiti Networks Support and Help Center

UniFi - USG VPN: How to Configure Site-to-Site VPN

Overview

This article describes how to configure a site-to-site VPN on a UniFi Security Gateway (USG).

Table of Contents
1. Introduction
2. Auto IPsec VTI
3. Manual IPsec
3.1 Advanced Options
4. Firewall Rules for Auto and Dynamic Routing Enabled IPsec VPN
5. Firewall Rules for Policy-Based Manual VPN (Dynamic Routing Disabled)
6. OpenVPN
7. Related Articles

Introduction

A site-to-site VPN establishes a secure connection between two firewalls so that the internal networks behind them can be interconnected. Configuring a site-to-site VPN in the UniFi dashboard is done in Settings > Networks > Create New Network > Site to Site VPN.

User Tips:
* Auto IPsec VTI creates a site-to-site VPN with another USG that is managed on a different site within the same UniFi controller.
* Manual IPsec creates a site-to-site VPN tunnel to an externally managed USG, EdgeRouter, or another vendor's device that supports IPsec.
* OpenVPN is similar to Manual IPsec in that it creates a tunnel to an externally managed device, but it uses OpenVPN instead of IPsec. IPsec is recommended for performance reasons: OpenVPN cannot be hardware offloaded and can only run on a single CPU thread.

Auto IPsec VTI

ATTENTION: This VPN type (Auto) will not function if one or both USGs are behind a NAT router. Both USGs must have an internet-routed (non-RFC1918) address.

In UniFi, the Auto IPsec VTI configuration allows an admin to create a VPN between two UniFi Security Gateways that are adopted into the same controller.
Creating this VPN in the UniFi dashboard automatically configures the following:
* Sets the peer IP on each side of the tunnel to match the WAN interface address.
* Adds the remote networks for each site.
* Provisions a VTI interface on each USG to use for the VPN. Auto VPN VTI interfaces start with vti0 and increment as vti1, vti2, and so on, as more auto-VPNs are added.
* Dynamically tracks IP changes on WAN.
* Provisions a strong, randomly generated pre-shared key between the two USGs.

NOTE: As of UniFi Controller version 5.8 only hub-and-spoke topologies are supported. Mesh topology is not yet configurable.

Manual IPsec

Enabled: Allows an admin to enable or disable the VPN tunnel without erasing its parameters.
Remote Subnets: Populate this section with the networks on the remote side of the VPN. /32 is not a valid subnet mask.
Peer IP: Public IP of the remote gateway. This can also be the public IP of a gateway in front of a downstream router, if the upstream gateway is port forwarding UDP ports 500 and 4500.
Local WAN IP: Public IP of the USG adopted to the site in which this VPN is being configured. If this USG is behind NAT, configure the address found on the WAN interface. To find the WAN interface IP, navigate to Devices > USG Properties Panel > Details > WAN 1.
Pre-shared Key: Create a strong shared key and enter it on each VPN endpoint.
IPsec Profiles:
* Customized: Uses parameters defined by an admin.
* Azure Dynamic Routing: Uses parameters for connecting to a Microsoft Azure instance using VTI.
* Azure Static Routing: Uses parameters for connecting to a Microsoft Azure instance using policy-based IPsec without VTI.

Manual IPsec: Advanced Options

ADVANCED: These settings are meant to be configured by advanced users with networking knowledge. They apply to phase 1 and phase 2 of the IPsec process.

Key Exchange Version: Select either IKEv1 or IKEv2.
Encryption: Select AES-128, AES-256, or 3DES encryption.
Hash: Select either SHA1 or MD5.
DH (Diffie-Hellman) Group: DH Groups 2, 5, 14, 15, 16, 19, 20, 21, 25, 26 are available.
PFS (Perfect Forward Secrecy): Enable or disable. When PFS is enabled the phase 2 DH group is hardcoded to the same group that is selected in DH Group.
Dynamic Routing: Enable or disable the use of a virtual tunnel interface (VTI). This specifies whether the VPN configuration is policy based (off) or route based (on). (Manual VPN VTI interfaces start with vti64 and increment as vti65, vti66, etc. as more manual VPNs are added.)

NOTE: Larger algorithms are more secure, but they come at the cost of increased CPU overhead. For example, AES-256 will use more CPU resources than AES-128. AES-128 is the recommended encryption for most use-cases.

Firewall Rules for Auto and Dynamic Routing Enabled IPsec VPN

Firewall rules are automatically configured after the VPN is created to allow all traffic across the VPN. Firewall rules to block traffic traversing these types of VPNs should be created in Settings > Routing and Firewall > Firewall > LAN_IN.
The source field should specify the remote network or address (as seen from the USG you are configuring), and the destination field should specify the local network or address for which you want the traffic blocked.

Firewall Rules for Policy-Based Manual VPN (Dynamic Routing Disabled)

Firewall rules for policy-based VPN networks are automatically configured to allow UDP ports 500 and 4500 along with the ESP protocol on WAN_LOCAL. Additionally, rules are created to allow traffic to and from the networks defined under "Remote Subnets" during VPN network creation. To control that traffic yourself, disable auto-firewall and then account for what it does under the hood: manually add the proper rules on WAN_LOCAL, and exclude the IPsec traffic from NAT.

All the requirements to control "incoming" IPsec traffic on a non-VTI VPN are as follows:
1. Navigate to Settings > Routing and Firewall.
2. Add a WAN_LOCAL rule to accept ESP.
3. Add a WAN_LOCAL rule to accept destination ports UDP 500/4500.
4. Add WAN_IN rules matching the traffic you want to allow (with "match inbound IPsec packets" checked). All other incoming traffic will be blocked by hitting the implicit default deny at the bottom of the ruleset. For example, if your local LAN is 192.168.150.0/24 and the remote subnet you want to allow to access your LAN is 192.168.250.0/24, add 192.168.250.0/24 as the "source" and 192.168.150.0/24 as the "destination" for this rule.
5. Disable auto-firewall and reload iptables (reboot).
6. Add Source NAT exclude rules for the traffic you want to pass over the VPN. Your local LAN is the source address (example: 192.168.150.0/24) and the remote VPN subnet is the destination (example: 192.168.250.0/24).
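As an added example (not part of the original article or Ubiquiti's tooling), the Python script below checks the local and remote subnets against the constraints this article states (valid CIDR, no /32, no overlap, and a non-RFC1918 WAN address for Auto IPsec VTI peers) and emits the source-NAT exclude fragment for config.gateway.json used in step 6; the rule number 5000 and the outbound interface eth0 are assumptions.

```python
"""Sanity-check the subnets used in the policy-based VPN steps above and emit
the matching config.gateway.json source-NAT exclude fragment. Added example,
not Ubiquiti's code; rule number 5000 and interface eth0 are assumptions."""
import ipaddress
import json

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def auto_vpn_peer_ok(wan_ip: str) -> bool:
    """Auto IPsec VTI needs a routed, non-RFC1918 WAN address on each USG."""
    addr = ipaddress.ip_address(wan_ip)
    return not any(addr in net for net in RFC1918)

def check_site_to_site_subnets(local: str, remote: str) -> list:
    """Return the problems the article warns about (empty list means OK)."""
    problems, nets = [], {}
    for name, cidr in (("local", local), ("remote", remote)):
        try:
            nets[name] = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{name} subnet {cidr!r} is invalid: {exc}")
            continue
        if nets[name].prefixlen == 32:  # /32 is not a valid Remote Subnets mask
            problems.append(f"{name} subnet {cidr} uses /32")
    if len(nets) == 2 and nets["local"].overlaps(nets["remote"]):
        problems.append("local and remote subnets overlap")
    return problems

def nat_exclude_config(local: str, remote: str, rule: str = "5000", iface: str = "eth0") -> dict:
    """Build the service.nat / vpn.ipsec fragment for config.gateway.json."""
    problems = check_site_to_site_subnets(local, remote)
    if problems:
        raise ValueError("; ".join(problems))
    if int(rule) < 5000:  # EdgeOS numbers source NAT rules from 5000 upward
        raise ValueError("source NAT rule numbers start at 5000")
    return {
        "service": {"nat": {"rule": {rule: {
            "description": "IPsec",
            "destination": {"address": remote},
            "exclude": "''",  # EdgeOS JSON spelling of a valueless node
            "outbound-interface": iface,
            "protocol": "all",
            "source": {"address": local},
            "type": "masquerade",
        }}}},
        "vpn": {"ipsec": {"auto-firewall-nat-exclude": "disable"}},
    }

if __name__ == "__main__":
    print(json.dumps(nat_exclude_config("192.168.150.0/24", "192.168.250.0/24"), indent=2))
```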
Example config.gateway.json:

    {
      "service": {
        "nat": {
          "rule": {
            "5000": {
              "description": "IPsec",
              "destination": {
                "address": "192.168.250.0/24"
              },
              "exclude": "''",
              "outbound-interface": "eth0",
              "protocol": "all",
              "source": {
                "address": "192.168.150.0/24"
              },
              "type": "masquerade"
            }
          }
        }
      },
      "vpn": {
        "ipsec": {
          "auto-firewall-nat-exclude": "disable"
        }
      }
    }

NOTES:
* This example is for reference purposes. Make certain to adjust the addressing to your networks when applying it.
* This configuration requires the use of a config.gateway.json file on the controller. See our related article for more information.

OpenVPN

Enable: Allows an admin to enable or disable the VPN tunnel without erasing its parameters.
Remote Subnets: Populate this section with the networks on the remote side of the VPN. /32 is not a valid subnet mask at the time of writing.
Remote Host: Public IP of the remote gateway, or public IP of an upstream router in front of a USG.
Remote Address/Port: Enter an IP that does not overlap any of the previously defined networks. This address is only relevant to the OpenVPN tunnel endpoint on the remote gateway. The port input defines which UDP port the remote gateway uses to connect to the USG.
Local Address/Port: Enter an IP that does not overlap any of the previously defined networks. This address is only relevant to the OpenVPN tunnel endpoint on the local gateway (USG). The port input defines which UDP port the USG will use to connect to the remote gateway.
Shared Secret Key: This key is not a user-chosen password. It must be a generated 2048-bit key. The USG can generate it from the CLI with the instructions below.

CLI: Access the command line interface (CLI).
You can do this using the CLI button in the GUI or by using a program such as PuTTY.
1. Generate the 2048 bit shared secret on the USG:

       generate vpn openvpn-key /config/auth/secret

2. Display the shared secret and copy the output to a text file:

       sudo cat /config/auth/secret
       #
       # 2048 bit OpenVPN static key
       #
       -----BEGIN OpenVPN Static key V1-----
       48fc8ac5b96655a08e041de6263a4675
       -----END OpenVPN Static key V1-----

3. Only include the characters after the BEGIN line and before the END line in the Pre-Shared Secret field. You may need to paste the output into a text editor to remove line breaks.

NOTE: This type of VPN will need a WAN_LOCAL firewall rule on each side of the tunnel allowing the remote port to communicate.

Related Articles

UniFi - Verifying and Troubleshooting IPsec VPN on USG