UniFi OS Consoles Wi-Fi Switching Camera Security Phone System Door Access Accessories UISP
Support Resources
Store
Support Resources
UniFi OS Consoles Wi-Fi Switching Camera Security Phone System Door Access Accessories UISP Store

UniFi Gateway - Site-to-Site IPsec VPN

IPsec is a Site-to-Site VPN found in the Teleport & VPN section of your Network application that allows you to connect a UniFi gateway to a remote location.

Refer to the advanced article when setting up a Site-to-Site VPN to a third-party gateway.

Requirements

How does it work?

IPsec Site-to-Site VPNs use a Pre-shared Key for authentication. A unique key is automatically generated but a custom key can be used as well.

Additionally, the following information is required:

  • Server Address: Use the IP address assigned to the WAN port or enter a manual address.
  • Shared Remote Subnets: Network(s) used at the remote location.
  • Remote IP: Public IP address of the remote location.

In order to set up a successful VPN, the following information needs to match between the gateways:

  • VPN Protocol
  • Pre-shared Key
  • Remote and local server IP address
  • Remote and local subnets
  • Key Exchange Version, Encryption, Hash, and DH Groups (when using Manual settings)
  • Perfect Forward Secrecy (when using Manual settings)
  • Route-Based VPN (when using Manual settings)

Note: When configuring a Site-to-Site VPN between two UniFi gateways, we recommend to use the Auto settings.

Frequently Asked Questions

1. Are IPsec Site-to-Site VPNs secure?

IPsec encrypts your traffic and secures the VPN connection. It also uses an automatically generated unique key for authentication.
2. What should I do if the VPN does not establish?

Check if one of the gateways is assigned a private IP address and is behind another router.

If both gateways are using public IP addresses, then verify if the configuration matches.
3. What should I do if I am not able to communicate over the VPN?

To test connectivity over the VPN, try pinging between two clients instead of to or from the UniFi gateway itself.

If the ping is not working, then verify if there are any Firewall or Traffic Rules configured that may prevent connectivity.

When using Windows clients for testing, also ensure that the ping traffic is allowed through the Windows firewall.
4. Can IPsec Site-to-Site VPNs be used when the UniFi gateway is behind NAT?

No, this is not possible even when forwarding ports on the upstream router. 
5. Do I need to manually create firewall rules or static routes for the VPN?

No, these are automatically created.
Was this article helpful?
288 out of 924 found this helpful