IPsec is a Site-to-Site VPN that allows you to connect a UniFi gateway to a remote location. You can access it from Network Settings > Teleport & VPN.
How Does it Work?
IPsec Site-to-Site VPNs use a Pre-Shared Key for authentication. A unique key is automatically generated, but a custom key can be used as well.
Additionally, the following information is required:
- Server Address: Use the IP address assigned to the WAN port or enter a manual address.
- Shared Remote Subnets: Network(s) used at the remote location.
- Remote IP: Public IP address of the remote location.
In order to set up a successful VPN, the following information needs to match between the gateways:
- VPN Protocol
- Pre-shared Key
- Remote and local server IP address
- Remote and local subnets
- Key Exchange Version, Encryption, Hash, and DH Groups (when using Manual settings)
- Perfect Forward Secrecy (when using Manual settings)
- Route-Based VPN (when using Manual settings)
Note: When configuring a Site-to-Site VPN between two UniFi gateways, we recommend to use the Auto settings.
Frequently Asked Questions
IPsec encrypts your traffic and secures the VPN connection. It also uses an automatically generated unique key for authentication.
Check if one of the gateways is assigned a private IP address and is behind another router.
If both gateways are using public IP addresses, then verify if the configuration matches.
To test connectivity over the VPN, try pinging between two clients instead of to or from the UniFi gateway itself.
When using Windows clients for testing, also ensure that the ping traffic is allowed through the Windows firewall.
We recommend to use IPsec Site-to-Site VPNs on a UniFi Gateway that has access to a public IP address. Any performance or port forwarding issues on the upstream router can cause the VPN to disconnect.
If this is not an option, then configure the authentication IDs. For example, an IPsec Site-to-Site VPN is set up between the below UniFi Gateways:
- UniFi Gateway Site A - WAN IP 192.168.5.1 (behind NAT)
- ISP modem/router Site A - WAN IP 203.0.113.1 (public IP)
- UniFi Gateway Site B - WAN IP IP 198.51.100.1 (public IP)
The VPN is set up between the public IP addresses 203.0.113.1 > 198.51.100.1.
When Site B receives the IPsec VPN peer request from Site A, it will contain both the 192.168.5.1 and 203.0.113.1 IP addresses. However, Site B is only configured to peer with 203.0.113.1 causing a mismatch. To resolve this, configure 203.0.113.1 as the Local Authentication ID on Site A.
The reverse is also possible. The 192.168.5.1 IP address can be configured as the Remote Authentication ID on site B.
Besides IP addresses, authentication IDs also support hostnames, email addresses and distinguished names.
No, these are automatically created.