IPsec is a Site-to-Site VPN found in the Teleport & VPN section of your Network application that allows you to connect a UniFi gateway to a remote location.
Refer to the advanced article when setting up a Site-to-Site VPN to a third-party gateway.
Requirements
- A UniFi gateway or UniFi OS Console with an integrated Next-Gen gateway.
How does it work?
IPsec Site-to-Site VPNs use a Pre-shared Key for authentication. A unique key is automatically generated but a custom key can be used as well.
Additionally, the following information is required:
- Server Address: Use the IP address assigned to the WAN port or enter a manual address.
- Shared Remote Subnets: Network(s) used at the remote location.
- Remote IP: Public IP address of the remote location.
In order to set up a successful VPN, the following information needs to match between the gateways:
- VPN Protocol
- Pre-shared Key
- Remote and local server IP address
- Remote and local subnets
- Key Exchange Version, Encryption, Hash, and DH Groups (when using Manual settings)
- Perfect Forward Secrecy (when using Manual settings)
- Route-Based VPN (when using Manual settings)
Note: When configuring a Site-to-Site VPN between two UniFi gateways, we recommend using the Auto settings.
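The matching rules above can be checked before a change window. The following is an added example, not UniFi code or a UniFi API: it compares two hand-written site descriptions whose field names are hypothetical, verifies that each side's remote values mirror the other side's local values, and flags a WAN address in private or carrier-grade NAT space (the situation covered in the FAQ). All addresses and the key are constructed sample values.

```python
import ipaddress

# Address ranges that indicate the gateway sits behind another router
# (RFC 1918 private space and RFC 6598 carrier-grade NAT space).
NON_PUBLIC = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

# Settings that must be identical on both gateways (hypothetical field names).
IDENTICAL = ("protocol", "psk", "ike_version", "encryption", "hash",
             "dh_group", "pfs", "route_based")


def subnets(values):
    """Normalise a list of CIDR strings so ordering and formatting do not matter."""
    return {ipaddress.ip_network(v, strict=False) for v in values}


def check_pair(a, b):
    """Return a list of human-readable problems for two site descriptions."""
    problems = []
    for key in IDENTICAL:
        if a.get(key) != b.get(key):
            # Report only that the value differs, never the key material itself.
            problems.append(f"{key} differs between {a['name']} and {b['name']}")
    for near, far in ((a, b), (b, a)):
        wan = ipaddress.ip_address(near["server_address"])
        if any(wan in net for net in NON_PUBLIC):
            problems.append(f"{near['name']} WAN address {wan} is not public (behind NAT)")
        if ipaddress.ip_address(far["remote_ip"]) != wan:
            problems.append(f"{far['name']} remote IP does not match {near['name']} server address")
        if subnets(far["remote_subnets"]) != subnets(near["local_subnets"]):
            problems.append(f"{far['name']} remote subnets do not match {near['name']} local subnets")
    return problems


# Constructed sample data: documentation addresses and a placeholder key.
COMMON = dict(protocol="ipsec", psk="EXAMPLE-KEY", ike_version=2, encryption="aes-256",
              hash="sha256", dh_group=14, pfs=True, route_based=True)
SITE_A = dict(COMMON, name="site-a", server_address="203.0.113.10",
              remote_ip="198.51.100.20", local_subnets=["192.168.1.0/24"],
              remote_subnets=["192.168.2.0/24"])
SITE_B = dict(COMMON, name="site-b", server_address="198.51.100.20",
              remote_ip="203.0.113.10", local_subnets=["192.168.2.0/24"],
              remote_subnets=["192.168.1.0/24"])

if __name__ == "__main__":
    for line in check_pair(SITE_A, SITE_B) or ["no mismatches found"]:
        print(line)
```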
Frequently Asked Questions
1. Are IPsec Site-to-Site VPNs secure?
IPsec encrypts your traffic and secures the VPN connection. It also uses an automatically generated unique key for authentication.
2. What should I do if the VPN does not establish?
Check if one of the gateways is assigned a private IP address and is behind another router.
3. What should I do if I am not able to communicate over the VPN?
To test connectivity over the VPN, try pinging between two clients instead of to or from the UniFi gateway itself.
4. Can IPsec Site-to-Site VPNs be used when the UniFi gateway is behind NAT?
No, this is not possible even when forwarding ports on the upstream router.
5. Do I need to manually create firewall rules or static routes for the VPN?
No, these are automatically created.