IPsec is a Site-to-Site VPN found in the Teleport & VPN section of your Network application that allows you to connect a UniFi gateway to a remote location.
Requirements
- A UniFi gateway or UniFi OS Console with an integrated Next-Gen gateway.
How does it work?
IPsec Site-to-Site VPNs use a Pre-shared Key for authentication. A unique key is automatically generated but a custom key can be used as well.
Additionally, the following information is required:
- Server Address: Use the IP address assigned to the WAN port or enter a manual address.
- Shared Remote Subnets: Network(s) used at the remote location.
- Remote IP: Public IP address of the remote location.
Interoperability
In order to set up a successful VPN to a third-party gateway, the following information needs to match:
- Route-Based or Policy-Based VPN
- Remote and local subnets
- Key Exchange Version
- Encryption, Hash, and Lifetimes
- Diffie-Hellman (DH) Groups and Perfect Forward Secrecy (PFS)
- Remote and local server IP address
Route-Based or Policy-Based VPN
- UniFi gateways use Route-Based VPNs by default. Switching to a Policy-Based VPN is done by unchecking the Route-Based VPN option.
- Route-Based VPNs use Virtual Tunnel Interfaces (VTIs) and automatically created static routes.
- Policy-Based VPNs exchange the remote and local subnets. These need to match exactly between the two gateways.
- It is not possible to use a Route-Based VPN on one gateway and a Policy-Based on the other. The VPN type needs to match.
Note: If the third-party gateway doesn't provide an option to select a Route-Based or Policy-Based VPN, then it likely only supports Policy-Based.
Remote and Local Subnets
- UniFi gateways automatically share all local networks over the Site-to-Site VPN.
- It is not possible to only use certain local networks for the VPN.
- When using Policy-Based VPNs, ensure that the third-party gateway includes all the local networks used on the UniFi gateway.
Note: It is a requirement for Policy-Based VPNs that the remote and local subnets match. If this is not the case, then the VPN may only partially establish or disconnect.
Key Exchange Version
- Both IKEv1 and IKEv2 are supported on UniFi gateways.
- IKEv2 on UniFi gateways uses optimizations that some third-party gateways do not support.
- If the VPN does not establish or disconnects when using IKEv2, then we recommend switching to IKEv1.
Encryption, Hash, and Lifetimes
- The encryption and hashing values are used for both Phase 1 (IKE) and Phase 2 (ESP).
- It is not possible to use different encryption/hashing for each phase.
- The IKE lifetime is set to 28800 seconds and the ESP lifetime is set to 3600 seconds.
- The third-party gateway should match the lifetimes used by the UniFi gateway.
Diffie-Hellman (DH) Groups and Perfect Forward Secrecy (PFS)
- DH groups are referred to by the number, i.e. DH Group 14.
- Third-party gateways may use MODP notation instead, e.g. 2048-bit, which equates to group 14.
- UniFi gateways support PFS and can use different DH groups for Phase 1 (IKE) and Phase 2 (ESP).
- PFS may not be supported on third-party gateways, or their PFS implementation may not be compatible.
- If the VPN does not establish or disconnects when using PFS, then we recommend disabling this feature.
VPN Mode
- UniFi gateways only support Main Mode.
- Site-to-Site VPNs cannot be established if the third-party gateway is using Aggressive Mode.
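As an added example, not part of the UniFi documentation, the following Python checker applies the interoperability rules above to a pair of parameter sets (one for the UniFi gateway, one for the third-party peer) and lists every mismatch. The dictionary keys, the constructed sample values and the MODP bit-size table (beyond the 2048-bit = group 14 case stated above) are assumptions made for this example.

```python
import ipaddress

# DH groups by number; the page states 2048-bit = group 14, the rest are the standard IANA MODP sizes
MODP_BITS_TO_GROUP = {768: 1, 1024: 2, 1536: 5, 2048: 14, 3072: 15, 4096: 16, 6144: 17, 8192: 18}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def dh_group(value):
    """Normalize a DH group given as a number (14) or in MODP notation ("2048-bit", "modp2048")."""
    if isinstance(value, int):
        return value
    return MODP_BITS_TO_GROUP[int(str(value).lower().replace("modp", "").replace("-bit", ""))]

def is_rfc1918(addr):
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)

def check_interop(unifi, peer):
    """Return the list of mismatches between a UniFi gateway and a third-party peer (keys as in the sample)."""
    issues = []
    if unifi["route_based"] != peer["route_based"]:
        issues.append("VPN type mismatch: Route-Based and Policy-Based cannot be mixed")
    elif not unifi["route_based"] and (set(unifi["local_subnets"]) != set(peer["remote_subnets"])
                                      or set(unifi["remote_subnets"]) != set(peer["local_subnets"])):
        issues.append("Policy-Based subnets differ; VPN may only partially establish")
    if unifi["ike_version"] != peer["ike_version"]:
        issues.append("Key Exchange Version mismatch")
    for phase in ("ike", "esp"):  # UniFi applies one encryption/hash pair to both Phase 1 and Phase 2
        if tuple(peer[phase + "_cipher"]) != (unifi["cipher"], unifi["hash"]):
            issues.append(phase.upper() + " encryption/hash differs from the UniFi gateway")
    if peer["ike_lifetime"] != 28800 or peer["esp_lifetime"] != 3600:
        issues.append("Lifetimes must be IKE 28800s / ESP 3600s to match the UniFi gateway")
    if dh_group(peer["ike_dh"]) != dh_group(unifi["ike_dh"]):
        issues.append("Phase 1 DH group mismatch")
    if unifi["pfs"] != peer["pfs"]:
        issues.append("PFS enabled on one side only")
    elif unifi["pfs"] and dh_group(peer["esp_dh"]) != dh_group(unifi["esp_dh"]):
        issues.append("Phase 2 DH group mismatch (PFS)")
    if peer.get("aggressive_mode"):
        issues.append("Peer uses Aggressive Mode; UniFi gateways only support Main Mode")
    for name, gw in (("UniFi", unifi), ("Peer", peer)):
        if is_rfc1918(gw["server_address"]):  # private WAN address means the gateway sits behind NAT
            issues.append(name + " server address is private: a gateway behind NAT is not supported")
    return issues

# Constructed sample: the peer's policy omits one of the UniFi gateway's local networks
UNIFI = dict(route_based=False, local_subnets=["10.0.1.0/24", "10.0.2.0/24"], remote_subnets=["172.20.0.0/24"],
             ike_version=2, cipher="aes256", hash="sha256", ike_dh=14, pfs=True, esp_dh=14, server_address="203.0.113.10")
PEER = dict(route_based=False, local_subnets=["172.20.0.0/24"], remote_subnets=["10.0.1.0/24"], ike_version=2,
            ike_cipher=("aes256", "sha256"), esp_cipher=("aes256", "sha256"), ike_lifetime=28800, esp_lifetime=3600,
            ike_dh="2048-bit", pfs=True, esp_dh="2048-bit", aggressive_mode=False, server_address="198.51.100.7")
```

Running `check_interop(UNIFI, PEER)` on the sample reports only the subnet mismatch; adding 10.0.2.0/24 to the peer's remote subnets clears it.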
Frequently Asked Questions
1. How do I know if I am using a Policy-Based or Route-Based VPN?
Route-Based VPNs are categorized by the usage of Virtual Tunnel Interfaces (VTIs). When using a Route-Based VPN, the Security Association (SA) will be set to 0.0.0.0/0 and routes for the remote subnet are used with the VTI as the next-hop.
2. What should I do if the VPN does not establish?
Check if one of the gateways is assigned a private IP address and is behind another router.
3. What should I do if I am not able to communicate over the VPN?
To test connectivity over the VPN, try pinging between two clients instead of to or from the UniFi gateway itself.
4. Can IPsec Site-to-Site VPNs be used when the UniFi gateway is behind NAT?
No, this is not possible even when forwarding ports on the upstream router.
5. Do I need to manually create firewall rules or static routes for the VPN?
No, these are automatically created.