Help configuring site to site VPN with UniFi

timeshifter

Trying to establish a site to site VPN with a UniFi Security Gateway Pro 4. We got stuck. Not clear on Phase 1 / Phase 2 settings as UniFi doesn't identify what their settings refer to. Also, the remote subnet is unclear.

The remote IPs we need to tunnel to are a list of 9 IPs. They look like public IPs, which the vendor confirmed as the application vendor set it up that way, I guess for client VPN connections. Anyway, I need to put those 9 IPs in. But the UniFi fields only allow for a subnet.

Tried putting in 74.156.22.33/32 so the subnet would be a single IP, but it would not save that. I could save it as 74.156.22.33/24 as a test, but of course that won't be a real fix. (Note the IP I put in here is just made up)

Here's a copy paste from the ticket with the vendor, who summarized it well:

"While on the phone you discovered that you were only able to put the entire /24 subnet in the Ubiquiti for the remote subnet field and could not put a single host IP. Your plan is to get clarity from Ubiquiti support on how to accomplish this. You also will look into the phase 2 settings as we could not tell if the encryption and hash were for the phase 1 or phase 2 part of the tunnel based on the screenshot. Let us know when you are ready to test the tunnel again."
 
TLDR - Ubiquiti says I can't use public IPs for remote network, bye bye. I say Cisco and others do. Ubiquiti - let me check. Now I'm on indefinite "hold" while the ticket switches from chat to email.

(05:48:42 AM) Stephen: Why are you using a Public IP in remote subnet? Unfortunately it is not possible.
(05:51:48 AM) Stephen: Is there anything else I can help you with today?
(05:52:29 AM) timeshifter: So, the "Encryption Domain" on the worksheet I sent you would need to be private IPs?
(05:54:52 AM) Stephen: Remote subnet won't accept /32 subnet
(05:56:16 AM) timeshifter: what about the Phase 1 / Phase 2 question?
(05:57:11 AM) Stephen: phase1/phase2 config is the same, only the ESP DH group can be set different
(05:59:37 AM) timeshifter: OK, please stand by, checking on why they're giving me public IPs
(06:00:12 AM) Stephen: ok
(06:07:42 AM) timeshifter: The vendor who's providing the other end of the tunnel has that setup working with Cisco ASA, FortiGate, SonicWall and others.
(06:09:36 AM) Stephen: Please try without /32 subnet
(06:09:54 AM) timeshifter: can you be more specific? just the IP?
(06:10:31 AM) Stephen: Please remove the subnet only
(06:11:46 AM) timeshifter: so if the IP is 74.156.22.33 then what do I put in the field for the Remote Subnet?
(06:12:00 AM) Stephen: Yes
(06:12:24 AM) timeshifter: What do I put in there?
(06:12:36 AM) Stephen: Just IP without subnet
(06:12:45 AM) timeshifter: I tried that several times
(06:12:58 AM) timeshifter: When I enter just the IP it puts a red bar under the field
(06:13:17 AM) Stephen: Okay, please give me a moment to check

(06:17:13 AM) Stephen: Okay, please let me check with my team and I will get back to you at this email timeshifter
(06:17:51 AM) Stephen: Can you please provide the UniFi OS support file?
(06:24:00 AM) timeshifter: just sent it back over email
(06:25:12 AM) Stephen: Thank you, I have received it.

I will check it and get back to you as soon as possible over email
(06:28:12 AM) Stephen: I am going to go for now and I will keep in touch with you over email
(06:28:28 AM) timeshifter: OK, hoping to hear something ASAP, thanks
(06:28:55 AM) Stephen: Yes, I am taking this on high priority and I will keep in touch with you over email as well
(06:30:01 AM) timeshifter: thank you
(06:30:22 AM) Stephen: You are welcome!
(06:31:36 AM) *** Stephen left the chat ***
 
For "site to site VPN tunnels"....the "remote subnet" is what defines the internal network of "the other side"

Quick example...
Site A, internal network of 192.168.10.0/24
Site B, internal network of 10.50.1.0/24

So on the VPN config of the firewall at Site A, defining remote subnet is 10.50.1.0/24
And on the VPN config of the firewall at Site B, defining remote subnet is 192.168.10.0/24.

This tells the VPN routing how to route traffic for the "other site".

Phases...for IKE...you'll often also see "DH"....which is for Diffie-Hellman. Those are just basically the two steps of IKE for authentication. Phase 1 sets up the negotiation for Phase 2.

Now, I thought this was for a "site to site VPN tunnel"...but from your post, it looks like you're just trying to set up a VPN to a single public host, like an Azure hosted server or something. Usually a firewall is set up in front of an Azure server, you VPN to that, route through the NAT, and access the host. Sorta looks like they want you to do a client to server VPN, more than a site to site VPN.

I've never set up something like this with a VPN, except waaaaaaaay back in the NT 4 server and very early Server 2000 days....when we would expose port 1723...port forwarded to the server, and the user would use the PPTP VPN dial up adapter to VPN into the server. Of course that is a suicide setup these days for a Windows Server to have that exposed to the internet.

Looks like the "host" they have supports an L2TP/IPSec VPN connection, based on the dialog above, but...I'm not sure how to handle the field for the remote subnet here....never did a setup that didn't have a remote subnet...from a router. Mobile client side...sure. ..but I'd use a client designed for the host. Without knowing how to trick that "remote subnet" part...may be all 0's?

Not sure. Maybe @Sky-Knight might know.
 
The remote IPs we need to tunnel to are a list of 9 IPs. They look like public IPs, which the vendor confirmed as the application vendor set it up that way, I guess for client VPN connections.
This doesn't make sense. There is something that the vendor isn't explaining well or you haven't gotten to the right person there who actually understands it.

If a vendor is going to have a non-standard setup and require that you, as a client connect to that setup, then they need to be on the hook for making it work. Don't make their problem your problem. Get their tech folks on the phone, make them remote into your PC and configure the USG Pro. If they list it as supported, then fine - make them support it.
 
IPSec with IKEv1 only supports 1:1 network tunnels.

You need IKEv2 to do 1:M.

Now, I haven't done this with Unifi gear, so I'm not sure how to get the routing right. BUT, most vendors allow that remote network field to be a comma separated list when IKEv2.

You mentioned 9 IPs with 74.156.22.33 as one of them. Is that the first one? If so the network would be 74.156.22.33/28. That's 74.156.22.32-47.

Not as tight as 9 obviously, but perhaps tight enough?
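To see what the /28 suggestion above actually covers, and what the exact per-host list would look like on a box that accepts comma separated IKEv2 selectors, here is an added Python script (not from the thread; the nine host addresses are constructed, reusing the thread's made-up 74.156.22.33):

```python
import ipaddress

# Constructed sample: nine remote hosts, all made up for this example
SAMPLE_HOSTS = [
    "74.156.22.33", "74.156.22.34", "74.156.22.35", "74.156.22.36",
    "74.156.22.37", "74.156.22.38", "74.156.22.39", "74.156.22.40",
    "74.156.22.45",
]


def covering_network(hosts):
    """Smallest single CIDR block that contains every listed host.

    Starts at /32 on the lowest address and widens the prefix one bit
    at a time until the highest address also falls inside the block.
    """
    addrs = sorted(ipaddress.ip_address(h) for h in hosts)
    first, last = addrs[0], addrs[-1]
    for prefix in range(32, -1, -1):
        net = ipaddress.ip_network(f"{first}/{prefix}", strict=False)
        if last in net:
            return net


def coverage_report(hosts):
    """How much of the single block is NOT one of the wanted hosts.

    Every extra address is traffic the tunnel would carry (and the far
    side would be trusted for) that the vendor never asked for.
    """
    net = covering_network(hosts)
    wanted = {ipaddress.ip_address(h) for h in hosts}
    extra = [str(a) for a in net if a not in wanted]
    return {"network": str(net), "wanted": len(wanted), "extra": extra}


def exact_selectors(hosts):
    """Minimal list of CIDRs that covers the hosts and nothing else.

    Adjacent /32s are merged, so this is the shortest comma separated
    remote-network list for a gateway that accepts several selectors.
    """
    single = [ipaddress.ip_network(f"{h}/32") for h in hosts]
    return [str(n) for n in ipaddress.collapse_addresses(single)]


if __name__ == "__main__":
    print(coverage_report(SAMPLE_HOSTS))
    print(", ".join(exact_selectors(SAMPLE_HOSTS)))
```

With the sample list the single block comes out as 74.156.22.32/28 with 7 addresses nobody asked for, while the exact list needs only 5 selectors.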
 
Now, I haven't done this with Unifi gear, so I'm not sure how to get the routing right. BUT, most vendors allow that remote network field to be a comma separated list when IKEv2.

You mentioned 9 IPs with 74.156.22.33 as one of them. Is that the first one? If so the network would be 74.156.22.33/28. That's 74.156.22.32-47.

Not as tight as 9 obviously, but perhaps tight enough?
Yesterday they asked me to SSH into the USG and provide the output from this:

sudo cat /etc/ipsec.conf

I did that and haven't heard anything back yet (a day later).

I wonder if there'd be a way to enter a comma separated list through an SSH connection using terminal commands?
 
If a vendor is going to have a non-standard setup and require that you, as a client connect to that setup, then they need to be on the hook for making it work. Don't make their problem your problem. Get their tech folks on the phone, make them remote into your PC and configure the USG Pro. If they list it as supported, then fine - make them support it.
That's been the frustrating part, who supports what. Early on I asked my sales contact to get me a list of equipment they support. He responded with Cisco ASA, Cisco Meraki and Sonicwall.

Later I was able to talk to their support and asked if other equipment worked and if they had any clients using Ubiquiti and was told they did.

Next when I'm talking to the actual hosting company (I guess they sub to the app provider we're contracted with) I was told they like Cisco ASA and FortiGate. One guy was pretty helpful and figured we could make it work and helped as much as he could.
 
How frustrating!

Started chat with tech support Monday night. Got bumped to Tier 2 and email support. One response on Wednesday and I supplied information they asked for. It's Friday night at 10:00 PM. Crickets.

I thought holding on the phone for Meraki for an hour was bad.
 
I was on chat with Intel yesterday trying to sort out a problem with their BMC (their out-of-band management solution equivalent to iDRAC or iLO). 5 transfers over 45 minutes until I got to the right department, and then they wanted to kick me to email support. I basically declined - "NO. Too long to resolve this way - that's why you offer and I selected chat for support." Incredibly, that swayed them. Another 10 minutes while the guy looked up the disappointing resolution (there is no way to show storage health from BMC, in case anyone cares). Big-vendor support just keeps getting worse and worse, IMO.

Another example - It took 3 WEEKS to get an iDRAC license I paid for on 10/22 from Dell. 8 email messages back and forth, and I think my sales guy finally called and yelled at someone to shake it loose.
 
I've submitted an RMA request for the unit citing inadequate product support with a link to the open ticket. Maybe it will get their attention. Or maybe I'll just return it.
 
The topology as I understand it

<site1> ---<site1natrouter> --- <site1modem> --- <Internet> --- <site2modem> --- <site2natrouter> --- <site2>

Site2 being the remote with the public IPs. IPs, public and private, have to be assigned to an interface, so what interface are they assigned to? Where are they located in the path above?

Generally speaking site to site VPN provides the tunnel and NAT between two different public IPs and two different private IP subnets. Well at least they should. In the past I've split a /24 private subnet into two blocks, one at each end. It did work but can be a real problem.
 
Here's the configuration worksheet the vendor provided (with IPs partially by me)

vpn1.png


Site2 being the remote with the public IPs. IPs, public and private, have to be assigned to an interface, so what interface are they assigned to? Where are they located in the path above?
The UniFi controller GUI doesn't refer to it in that language. Site 2 is what they're calling the Remote Subnet. Normally you'd put something like 192.168.123.0/24 in there. It will accept that. Problem is that they're not providing Private IPs for me to use, but Public IPs. There's no way that I've found to enter a single public IP in that field, the GUI won't validate and permit that entry.

vpn3.png


vpn4.png
 
Wonder if this will work?

Create a static route. Any traffic for any of those 9 unique public IPs should be sent to the Site to Site interface. Looks like this in the UniFi controller. (For distance, I guessed and put 30)

vpn5.png
 
The UniFi GUI, like other GUIs, usually includes field validation. Since a typical use is NATing from public to private I doubt it'll work since it's expecting PRIVATEIP/xx. Yes, you can drop to CLI and add each PUBLICIP/32. But as soon as the device power cycles it'll pull the GUI config so the changes will be overwritten. And when putting in masks you want to stick with the correct one. Don't use another /xx just because it'll stay.

Not sure about the static route option.

I don't have a Pro 4 but I'm sure the settings are the same in my 3. There are some parameters they provided for IKE, which you can't set. I tested putting in a couple of /32 public IPs and got "invalid payload" which is what I'm sure you got. Which, to me, confirms all UniFi will accept is privateip/xx.

As far as other Ubiquiti stuff. Edgemax might give you the flexibility since it doesn't have to be connected to a cloud controller. It's been a while but I do remember doing some manual editing for VPN in the config file.

I looked up Flexential and they're a colo company. What's actually going on if you can explain.
 
My customer is a retail store in the home furnishings business. They are switching their business management, point of sale, etc to Storis


Storis told me we'd need a site to site VPN for their system. When we started to have implementation questions those were handed over to Flexential, who as you mentioned seems to be their colo.
 
So Storis doesn't offer installation or installation support as part of the purchase/service? Not trying to keep you from making money but every time I've installed a POS system there has always been vendor support. Many systems I've worked with even ship their own router. All the customer needs to do is provide a patch cord with Internet. It can even be double NAT'ed.

Sounds like the Pro 4 is new so I'd get my money back. Does IUnet/Flexential have a list of supported hardware?
 
Getting help with this has been like pulling teeth. Before the ink was dry I began asking about what equipment they recommended or supported. I was expecting some kind of document with equipment and settings and instructions. All I got was an email that said Cisco ASA, Meraki and SonicWall or any device that will do site to site VPN IKEv2 (forget exact spec as I’m on my phone now and don’t have it handy, but they indicated I could use any quality firewall).

I asked about Ubiquiti. Eventually I talked to a support rep with Storis who said they had sites using the brand. He sent me that worksheet. When I asked him about what I put in, as I was not an expert I was stonewalled. Frustrating. I asked a friend who translated and it took me all of two minutes to understand it.

Then I started working with the colo to configure my equipment. We got stuck on the issue of how to put the public IP in and was told I’d have to get help from Ubiquiti. That rep was optimistic and helpful and felt like we could make it work with what we had, just this last little hurdle.

That rep did say that they use Cisco ASA and Fortigate. He said he’d recommend Fortigate and could walk me through that one. They’re encouraging their renewing users to switch. No official supported list.

Last rep at colo was cold and pretty much said he couldn’t provide support aka help me figure out my equipment.
 