UniFi Gateway - Site-to-Site IPsec VPN with Third-Party Gateways (Advanced)

IPsec is a Site-to-Site VPN found in the Teleport & VPN section of your Network application that allows you to connect a UniFi gateway to a remote location. A UniFi Gateway or UniFi Cloud Gateway is required.

How does it work?

IPsec Site-to-Site VPNs use a Pre-Shared Key for authentication. A unique key is automatically generated but a custom key can be used as well.

Additionally, the following information is required:

• Server Address: Use the IP address assigned to the WAN port or enter a manual address.
• Shared Remote Subnets: Network(s) used at the remote location.
• Remote IP: Public IP address of the remote location.

Interoperability

In order to set up a successful VPN to a third-party gateway, the following information needs to match:

• Route-Based or Policy-Based VPN
• Remote and local subnets
• Key Exchange Version
• Encryption, Hash, and Lifetimes 
• Diffie-Hellman (DH) Groups and Perfect Forward Secrecy (PFS)
• Remote and local server IP address

Route-Based or Policy-Based VPN

• UniFi gateways use Route-Based VPNs by default. Switching to a Policy-Based VPN is done by unchecking the Route-Based VPN option.
• Route-Based VPNs use Virtual Tunnel Interfaces (VTIs) and automatically created static routes.
• Policy-Based VPNs exchange the remote and local subnets. These need to match exactly between the two gateways.
• It is not possible to use a Route-Based VPN on one gateway and a Policy-Based on the other. The VPN type needs to match.

Note: If the third-party gateway doesn't provide an option to select a Route-Based or Policy-Based VPN, then it likely only supports Policy-Based.

Remote and Local Subnets

• UniFi gateways automatically share all local networks over the Site-to-Site VPN.
• It is not possible to only use certain local networks for the VPN.
• When using Policy-Based VPNs, ensure that the third-party gateway includes all the local networks used on the UniFi gateway. 

Note: It is a requirement for Policy-Based VPNs that the remote and local subnets match. If this is not the case, then the VPN may only partially establish or disconnect.

Key Exchange Version

• Both IKEv1 and IKEv2 are supported on UniFi gateways.
• IKEv2 on UniFi gateways use optimizations that some third-party gateways do not support.
• If the VPN does not establish or disconnects when using IKEv2, then we recommend switching to IKEv1.

Encryption, Hash, and Lifetimes

• The encryption and hashing values are used for both Phase 1 (IKE) and Phase 2 (ESP).
• It is not possible to use different encryption/hashing for each phase.
• The IKE lifetime is set to 28800 seconds and the ESP lifetime is set to 3600 seconds.
• The third-party gateway should match the lifetimes used by the UniFi gateway.

Diffie-Hellman (DH) Groups and Perfect Forward Secrecy (PFS)

• DH groups are referred to by the number, i.e. DH Group 14.
• Third-party gateways may use MODP notation instead , i.e. 2048-bit which equates to group 14.
• UniFi gateways support PFS and can use different DH groups for Phase 1 (IKE) and Phase 2 (ESP).
• PFS may not be supported on third-party gateways or the implementation is not compatible. 
• If the VPN does not establish or disconnects when using PFS, then we recommend disabling this feature.

VPN Mode

• UniFi gateways only support Main Mode.
• Site-to-Site VPNs cannot be established if the third-party gateway is using Aggressive Mode.

Frequently Asked Questions