Help configuring site to site VPN with UniFi

On Sonicwalls, this is a setting you can change - allow response to pings (may be called ICMP Echo or similar). It wouldn't surprise me if it is also a setting on the USG Pro. At the very least, you should be able to create a firewall rule - here's a result from a quick google:

 
Got over that hurdle, now able to ping the firewall's public IP. Used the settings outlined in this post.

Just spent 1.5 hours on the phone with Flexential. They couldn't get Phase 1 to come up. They say it's a cryptomap problem most likely due to the reuse of a subnet. Contrary to what I was told, 192.168.111.0/24 IS NOT available. Wish someone had caught that before I rebuilt the local network to use the new subnet.

Now I have two options. Set up a 1 to 1 source NAT or change my local subnet AGAIN.

Source NAT:
My understanding is this... They say that 192.168.223.0 is available. So, I won't change my actual local LAN again. I'll just do an extra NAT layer on my USG that will look like this:

PC1 192.168.223.101 <-> 192.168.111.101
PC2 192.168.222.102 <-> 192.168.111.102
etc

If I can find a few commands or settings to make that happen on the USG I'm gonna give that a try. Down the road I may go back and re-do the local network and eliminate that extra NAT.

PUBLIC IPs for remote domain:
The tech I spoke with agreed that using public IPs is not the best practice, but Storis just does it that way. He also said that the strategy of using static routes for each public IP to the site-to-site interface should work. He said that's the approach Fortinet takes.
 
Before I go down the rabbit hole of doing the extra NAT layer, I thought of something a little easier, maybe. Set up a new network and assign it to LAN2 on the front of the USG. Plug a spare PC into that port and let it be 192.168.223.101. If we can get the VPN up for that one PC then we take the next step.

Good idea?
 
The more I thought about it, this could be tested without putting a PC there, just set up the network for LAN2 with the new subnet 192.168.223.0/24. I can ping its gateway 192.168.223.1. Don't see why they can't apply that on their end and see if the tunnel will come up.

I just sent this note to the ticket:

"Our firewall has two LAN ports. I set up a new subnet for LAN2 using 192.168.223.0/24. I was thinking I could do this as a test and simply hook up a PC to the LAN2 port and use that subnet. But, the gateway address 192.168.223.1 is active and ping-able.

Can you try to bring up the tunnel using the new subnet 192.168.223.0?

I'm hoping this will see if we can get past Phase 1 without having to set up special NAT features or renumber our entire network. Of course we'll need to do one of those things eventually, but for now this should be a good test.

Please let me know what you think, and if you can try this please go ahead."
 
Their response:

"I changed our side's remote domain from 192.168.111.0/24 to 192.168.223.0/24 and the VPN came up."

Woohoo. Let's go see if it actually works...
 
Almost works. Since there's no actual device on the LAN2 port to truly test we can't be too sure. Need to hook something up there to test.
 
Well, over the course of the last 36 hours, I spent a total of 2.5 hours on the phone with their techs over two separate calls, some of it on hold... nothing. The last guy I talked to sounded like he really knew the UniFi stuff, but he stopped short of walking me through things, preferring to tell me where to look - i.e. Firewall WAN OUT, WAN IN and LAN OUT. Never got it up fully. Decided I'm bailing on UniFi for this, started studying the FortiGate training module.

Anyway, tonight, for the hell of it I tried something...

I connected my home network to theirs. Took about 5 minutes. Worked on the first try. Used Manual IPsec just like on the Storis connection (didn't use the training-wheels setup you can do when both sites are on the UniFi controller together).
 
I've submitted an RMA request for the unit citing inadequate product support with a link to the open ticket. Maybe it will get their attention. Or maybe I'll just return it.
Hah, I tried something similar with a UniFi DM Pro (v1), could not remote in. No communication, they just sent me a new one. Good luck.
 
Trying to establish a site-to-site VPN with a UniFi Security Gateway Pro 4. We got stuck. Not clear on Phase 1 / Phase 2 settings as UniFi doesn't identify what their settings refer to. Also, the remote subnet is unclear.

The remote IPs we need to tunnel to are a list of 9 IPs. They look like public IPs, which the vendor confirmed, as the application vendor set it up that way, I guess for client VPN connections. Anyway, I need to put those 9 IPs in. But the UniFi fields only allow for a subnet.

Tried putting in 74.156.22.33/32 so the subnet would be a single IP, but it would not save that. I could save it as 74.156.22.33/24 as a test, but of course that won't be a real fix. (Note the IP I put in here is just made up.)

Here's a copy paste from the ticket with the vendor, who summarized it well:

"While on the phone you discovered that you were only able to put the entire /24 subnet in the Ubiquiti for the remote subnet field and could not put a single host IP. Your plan is to get clarity from Ubiquiti support on how to accomplish this. You also will look into the phase 2 settings as we could not tell if the encryption and hash were for the phase 1 or phase 2 part of the tunnel based on the screen shot. Let us know when you are ready to test the tunnel again."
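Both of the problems raised in this thread (presenting the 192.168.111.0/24 LAN to the remote side as 192.168.223.0/24 without renumbering, and tunnelling to single remote hosts when the controller UI refuses a /32) can be expressed directly in the USG's EdgeOS configuration, which the controller merges from a config.gateway.json file. The fragment below is an added illustration, not configuration from the thread or from Ubiquiti; it assumes WAN1 is eth2 on the USG-PRO-4, uses 203.0.113.10 as a placeholder for the remote peer, and reuses the made-up remote host 74.156.22.33 from the original post.

```json
{
  "service": {
    "nat": {
      "rule": {
        "5001": {
          "description": "1:1 SNAT PC1 192.168.111.101 -> 192.168.223.101 toward remote host (assumed example)",
          "type": "source",
          "outbound-interface": "eth2",
          "source": { "address": "192.168.111.101" },
          "destination": { "address": "74.156.22.33/32" },
          "translation": { "address": "192.168.223.101" }
        },
        "5002": {
          "description": "1:1 SNAT PC2 192.168.111.102 -> 192.168.223.102 toward remote host (assumed example)",
          "type": "source",
          "outbound-interface": "eth2",
          "source": { "address": "192.168.111.102" },
          "destination": { "address": "74.156.22.33/32" },
          "translation": { "address": "192.168.223.102" }
        }
      }
    }
  },
  "vpn": {
    "ipsec": {
      "site-to-site": {
        "peer": {
          "203.0.113.10": {
            "tunnel": {
              "1": {
                "local": { "prefix": "192.168.223.0/24" },
                "remote": { "prefix": "74.156.22.33/32" }
              }
            }
          }
        }
      }
    }
  }
}
```

The NAT rules are restricted by destination so only traffic bound for the remote host is translated, and the tunnel's local prefix is the translated subnet the remote side expects; each additional remote host gets its own numbered tunnel entry with a /32 remote prefix and a matching destination in the NAT rules.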
Tried to set up a VPN with UniFi and after several failed attempts lost interest. Put the client on TeamViewer.