UniFi Network - Site-to-Site VPNs with Third-Party Gateways

For the best experience, we recommend that all sites use a UniFi gateway. UniFi site-to-site VPNs have been designed for optimal compatibility with each other. Some third-party gateways allow the configuration of settings that are unavailable in the UniFi Network application because they are set automatically. These settings must still match for your site-to-site VPN to function.

This article explores considerations for interoperating with third-party gateways. All device-specific assistance should be directed to the third-party manufacturer.

Route-Based VPNs vs. Policy-Based VPNs

Route-based VPNs create a single VPN tunnel between each gateway’s virtual tunnel interface (VTI). Policy-based VPNs create a tunnel per network combination.

For example, take two gateways. Gateway A has three local networks being shared. Gateway B has two local networks being shared. A route-based VPN has a single tunnel routing all network traffic. A policy-based VPN creates six tunnels, one for each pairing of a Gateway A network with a Gateway B network.

If your third-party gateway does not allow you to choose between these, it likely only supports policy-based VPNs.

Phase 1 vs. Phase 2 Encryption Settings

Encryption and hashing settings are the same for phase 1 and 2. Third-party gateways need to be configured with matching values for both phases.

IPsec VPN Lifetimes

Phase 1 has a lifetime of 28,800 seconds and Phase 2 has a lifetime of 3,600 seconds. Third-party gateways need to match both durations.

IKEv2 Compatibility

UniFi gateways implement IKEv2 protocol optimizations that some third-party gateways do not support. If you’re unable to establish your VPN, or your connection drops when using IKEv2, we recommend switching both gateways to IKEv1.

Perfect Forward Secrecy (PFS)

UniFi gateways allow you to customize PFS DH groups. This is not supported by some third-party gateways. If your VPN connection drops frequently, then try disabling PFS on both gateways.

Site-to-Site VPNs Behind NAT

A site-to-site VPN cannot be established if any supporting gateway is behind NAT.

Automatic Sharing of All Local Networks

UniFi gateways automatically share all local networks within their site-to-site VPN. Please ensure that each gateway is configured to include all of the local networks of its remote counterpart(s).

Main Mode vs. Aggressive Mode

UniFi gateways only support Main Mode. A site-to-site VPN cannot be established if a third-party gateway is set to Aggressive Mode.

Dead Peer Detection (DPD)

DPD does not need to match on all gateways, but we recommend disabling it on the third-party gateways if you are having setup or connection issues.

Static Routes

UniFi gateways automatically add the static routes necessary to send traffic over the VPN. Do not add any additional static routes or you may experience communication failures.

DH Group Numbers

DH Group numbers can vary between manufacturers. Please refer to the list below:

DH Group Number   Bit / Description
1                 768-bit Modular Exponential (MODP) algorithm.
2                 1024-bit MODP algorithm.
5                 1536-bit MODP algorithm.
14                2048-bit MODP algorithm.
15                3072-bit MODP algorithm.
16                4096-bit MODP algorithm.
19                256-bit random Elliptic Curve Groups modulo a Prime (ECP groups) algorithm.
20                384-bit random ECP groups algorithm.
21                521-bit random ECP groups algorithm.
24                2048-bit MODP group with 256-bit prime order subgroup.
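As an added example (not UniFi's own code), the following Python checks a third-party gateway's proposed settings against the matching rules this article describes: one cipher/hash pair for both phases, the 28,800 s and 3,600 s lifetimes, Main Mode only, and DH group numbers normalised using the table above. The field names and sample values are constructed for illustration.

```python
# Added illustration (not UniFi code): check a third-party gateway's IPsec
# proposal against the matching rules in this article. Field names and
# sample values are constructed.

# DH group numbers from the table above, keyed by the family and bit size a
# vendor UI typically shows. Group 24 (2048-bit MODP, 256-bit subgroup) shares
# its bit size with group 14 and is deliberately not mapped here.
DH_GROUPS = {
    ("MODP", 768): 1, ("MODP", 1024): 2, ("MODP", 1536): 5,
    ("MODP", 2048): 14, ("MODP", 3072): 15, ("MODP", 4096): 16,
    ("ECP", 256): 19, ("ECP", 384): 20, ("ECP", 521): 21,
}

# Lifetimes a UniFi gateway sets automatically; the peer must use the same.
UNIFI_LIFETIMES = {"phase1": 28800, "phase2": 3600}


def dh_group_number(family: str, bits: int) -> int:
    """Translate a vendor's '2048-bit MODP' style label to its group number."""
    return DH_GROUPS[(family.upper(), bits)]  # KeyError: group not in the table


def check_peer(unifi: dict, peer: dict) -> list[str]:
    """Return the mismatches that would keep the tunnel from establishing."""
    problems = []
    for phase in ("phase1", "phase2"):
        # UniFi uses one cipher/hash pair for both phases; peer must match both.
        for field in ("encryption", "hash"):
            if peer[phase][field].lower() != unifi[field].lower():
                problems.append(f"{phase} {field}: {peer[phase][field]} != {unifi[field]}")
        if peer[phase]["lifetime"] != UNIFI_LIFETIMES[phase]:
            problems.append(f"{phase} lifetime: {peer[phase]['lifetime']}s != {UNIFI_LIFETIMES[phase]}s")
        # Phase 1 uses the IKE DH group, phase 2 the (optional) PFS group.
        expected_dh = unifi["dh_group"] if phase == "phase1" else unifi.get("pfs_group")
        if expected_dh is not None and dh_group_number(*peer[phase]["dh_group"]) != expected_dh:
            problems.append(f"{phase} DH group != {expected_dh}")
    if peer["mode"].lower() != "main":  # UniFi gateways negotiate Main Mode only
        problems.append(f"IKE mode: {peer['mode']} (UniFi requires Main Mode)")
    return problems


# Constructed sample: the peer kept its vendor defaults for phase 2 lifetime
# and IKE mode, two common reasons a tunnel never comes up.
UNIFI_SIDE = {"encryption": "AES-256", "hash": "SHA256", "dh_group": 14, "pfs_group": 14}
PEER_SIDE = {
    "mode": "aggressive",
    "phase1": {"encryption": "AES-256", "hash": "SHA256", "lifetime": 28800, "dh_group": ("MODP", 2048)},
    "phase2": {"encryption": "AES-256", "hash": "SHA256", "lifetime": 86400, "dh_group": ("MODP", 2048)},
}
```

Running `check_peer(UNIFI_SIDE, PEER_SIDE)` lists the two mismatches; an empty list means the peer's proposal agrees with every rule the article states.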
