Cloud Gateways WiFi Switching Camera Security Door Access New Integrations Accessory Tech Identity
UISP
Support Dropdown arrow
Store
User
Help Center UniFi Help Articles UISP Help Articles Community UniFi Design Center UISP Design Center Contact Support Tech Specs Large Project Assistance Professional Phone Support
Sign Up UniFi Site Manager
Ubiquiti Logo Ubiquiti Logo
User User
Sign Up UniFi Site Manager
Cloud Gateways WiFi Switching Cameras & Security Door Access New Integrations Accessory Tech Identity UISP Store

Support

Help Center UniFi Help Articles UISP Help Articles Community Contact Support Tech Specs Large Project Assistance Professional Phone Support

Social

Facebook Twitter Youtube Instagram

Company

Careers Contact Us Investors

Training

Courses Calendar Trainers Become a Trainer

Tools

WiFiman UniFi Design Center UISP Design Center
  1. Ubiquiti Support and Help Center
  2. UISP
  3. UISP Wired
  4. EdgeRouter
  5. EdgeRouter VPN Configuration
Help Center
Back to Top

EdgeRouter - Site-to-Site IPsec VPN to USG

2023-11-23 23:09:15 UTC

Readers will learn how to configure a Policy-Based Site-to-Site IPsec VPN between an Edgerouter and a USG.

NOTES & REQUIREMENTS:

Applicable to the latest EdgeOS firmware on all EdgeRouter models.
Devices used in this article:

FAQ

Back to Top

1. What site-to-site IPsec VPN types can be configured on EdgeOS?

The following IPsec VPN types can be configured on EdgeOS:

  • Policy-Based
  • Route-Based (VTI)
  • GRE over IPsec
2. What are the available encryption and hashing options (Security Associations / SAs) for Phase 1 (IKE) and Phase 2 (ESP)?

Encryption

  • AES128
  • AES256
  • AES128GCM128
  • AES256GCM128
  • 3DES

Hashing

  • MD5
  • SHA1
  • SHA2-256
  • SHA2-384
  • SHA2-512

Setting up a Policy-Based VPN

Back to Top

topology.png

The 192.168.1.0/24 and 172.16.1.0/24 networks will be allowed to communicate with each other over the VPN.

GUI: Access the EdgeRouter Web UI.

1. Define the IPsec peer and hashing/encryption methods.

VPN > IPsec Site-to-Site > +Add Peer

  • Check: Show advanced options
  • Check: Automatically open firewall and exclude from NAT
Peer: 192.0.2.1
Description: ipsec
Local IP: 203.0.113.1
Encryption: AES-128
Hash: SHA1
DH Group: 14
Pre-shared Secret: <secret>
Local subnet: 192.168.1.0/24
Remote subnet: 172.16.1.0/24

2. Apply the changes.

GUI: Access the UniFi Controller Web Portal.

1. Navigate to the Settings  settings.png  to create a new IPsec network using a custom profile.

Settings > Networks > +Create New Network

Name: ipsec
Purpose: Site-to-Site VPN
VPN Type: Manual IPsec
Enabled: Enable this Site-to-Site VPN
Remote Subnets: 192.168.1.0/24
Peer IP: 203.0.113.1
Local WAN IP: 192.0.2.1
Pre-Shared Key: <secret>
IPsec Profile: Customized

Expand (+) Advanced Options

Key Exchange Version: IKEv1
Encryption: AES-128
HASH: SHA1
DH Group: 14
PFS: Enable Perfect Forward Secrecy / Check
Dynamic Routing: Disable / Uncheck
NOTE: The USG will use the all corporate networks as the local subnet(identifiers)for the IPsec connection.

2. Apply the changes.

Was this article helpful?
31 out of 59 found this helpful