UniFi Video is a legacy product line.

This application and its related devices will no longer receive any manner of technical support, including functional and security updates. Additionally, there will be no further updates to Help Center content pertaining to UniFi Video.

EdgeRouter - Site-to-Site IPsec VPN to USG


Readers will learn how to configure a Policy-Based Site-to-Site IPsec VPN between an Edgerouter and a USG.

Applicable to the latest EdgeOS firmware on all EdgeRouter models. Please see the Related Articles below for more information.
Devices used in this article:

Table of Contents

  1. Frequently Asked Questions (FAQ)
  2. Setting up a Policy-Based VPN
  3. Related Articles


Back to Top

1. What site-to-site IPsec VPN types can be configured on EdgeOS?

The following IPsec VPN types can be configured on EdgeOS:

  • Policy-Based
  • Route-Based (VTI)
  • GRE over IPsec
2. What are the available encryption and hashing options (Security Associations / SAs) for Phase 1 (IKE) and Phase 2 (ESP)?


  • AES128
  • AES256
  • AES128GCM128
  • AES256GCM128
  • 3DES


  • MD5
  • SHA1
  • SHA2-256
  • SHA2-384
  • SHA2-512

Setting up a Policy-Based VPN

Back to Top


The and networks will be allowed to communicate with each other over the VPN.

GUI: Access the EdgeRouter Web UI.

1. Define the IPsec peer and hashing/encryption methods.

VPN > IPsec Site-to-Site > +Add Peer

  • Check: Show advanced options
  • Check: Automatically open firewall and exclude from NAT
Description: ipsec
Local IP:
Encryption: AES-128
Hash: SHA1
DH Group: 14
Pre-shared Secret: <secret>
Local subnet:
Remote subnet:

2. Apply the changes.

GUI: Access the UniFi Controller Web Portal.

1. Navigate to the Settings  settings.png  to create a new IPsec network using a custom profile.

Settings > Networks > +Create New Network

Name: ipsec
Purpose: Site-to-Site VPN
VPN Type: Manual IPsec
Enabled: Enable this Site-to-Site VPN
Remote Subnets:
Peer IP:
Local WAN IP:
Pre-Shared Key: <secret>
IPsec Profile: Customized

Expand (+) Advanced Options

Key Exchange Version: IKEv1
Encryption: AES-128
DH Group: 14
PFS: Enable Perfect Forward Secrecy / Check
Dynamic Routing: Disable / Uncheck
NOTE: The USG will use the all corporate networks as the local subnet(identifiers)for the IPsec connection.

2. Apply the changes.

Related Articles

Back to Top

EdgeRouter - Policy-Based Site-to-Site IPsec VPN

EdgeRouter - Route-Based Site-to-Site IPsec VPN

Intro to Networking - How to Establish a Connection Using SSH

Was this article helpful?
28 out of 48 found this helpful