Help configuring site to site VPN with UniFi

"That brand". Well, I'll not take that at face value. When I'm told that, my reply is "what model?"

I'd be pushing them to send me an actual config of a successful client-side appliance. Of course the IPs can be changed, but I'd want to see what they are doing.
 
Sounds like a bad nightmare. But the whole public IP thing still has me confused. Typically the destination assigns the IPs to the incoming tunnel adapter, which acts as the "gateway" to the remote LAN. They look like they are in 2 groups. Are they sequential? As in 1.1.1.2, 1.1.1.3, etc?

I did a little digging around and it does appear that this type of configuration has been used in the past.
 
They look like they are in 2 groups. Are they sequential? As in 1.1.1.2, 1.1.1.3, etc?
Unfortunately, no. Two out of the nine are. But the rest are not really close.

Earlier today I thought maybe I could simply create 9 static routes, one for each unique public IP. The route would send that traffic to the site-to-site interface. Kinda a crap shoot, maybe.

Looks like this in the GUI:

vpn5.png


I sent this message to Flexential support on the open ticket:

"Could this be a valid way to solve this problem? Set up 9 static routes, 1 for each of the public IPs on the encryption domain. An example would look like this" (with the above screenshot attached).

Their response:

"To clarify our understanding you are asking us if setting up static routes on your firewall will bring this tunnel up? As previously stated we do not manage the remote firewall (your end) and cannot offer support on the Ubiquiti device. Our previous notes indicate you were working with Ubiquiti to come up with a solution of how the VPN tunnel should be set up on your side. Upon review the tunnel has been configured on our end and we are currently awaiting for you to complete the configurations on your side. If you need any further assistance please let us know."

Aaarrrggghhhh!!!!
 
I just did a little searching, as well as testing, and you can create an IPsec VPN site to site in a USG with no remote subnet. So that may be an option. The link below might help you with this even though it's for Palo.

 
you can create an IPsec VPN site to site in a USG with no remote subnet.
OK, I'm trying to do that, then I realized, isn't that what I've done so far?

I've left the "Remote Subnets" field blank. I've put in a made up private IP like 10.0.0.0/24. I can save that config. It's only when I try any kind of public IP that it won't save.

As a follow up, I can't ping that IP I set up as a static route from the customer's network. If I disable the static route I can. Maybe the tunnel hasn't come up.
 
See the pic below. I fill in all the blanks. I did not click add remote subnet and was able to save the config. I'm on a USG3 running 4.4.56.5449062. That other link states that since there is no remote subnet the traffic will follow fw rules, which would be the static routes.

Screen Shot 2021-11-15 at 9.27.29 AM.png
 
I can't read the labels, but that looks like the same screen I posted in my post #15 in this thread?
 
Yes it is. The default in a new IPsec VPN network is that there is no field for a remote subnet, so you click on the "+ add subnet" hyperlink to add one. But you don't want one. Just don't click on that. If you're using an existing config then click on the X hyperlink to delete all of them. They are not used with the static links.
 
I despise UniFi routers, they're just a giant chore to work with. I've never liked anything from them that does layer 3. Their layer 2 stuff is great... layer 3? Not so much.

Also, IPSec is for the birds.
 
Finally got a response on my support ticket with Ubiquiti:

"I apologize for the delay in getting back to you.

Unfortunately, it's not possible to use /32 mask in the remote subnet address. You can use /30. You can find the workaround in the below-given link.

https://community.ui.com/questions/...et-at-32/bc293f87-9ed0-4503-878d-709f8a587e6c

Regarding the Phase1 and Phase2 question, it's not possible to configure the Phase2 on the USG. Phase2 has the same config as phase1 except for the lifetime values. The default lifetime for phase1 is 28800s and phase2 3600s. You need to make the changes on the peer router to match it with the USG.

Hope that's helpful. If you have any other questions, please let us know!"
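An added illustration (not from this thread, Ubiquiti or Flexential) of the caveat behind the /32 to /30 workaround above: every host widened to a /30 drags up to three neighbouring addresses into the tunnel policy. The script uses constructed RFC 5737 addresses in place of the real encryption domain, collapses the nine hosts into the /30s the USG would accept, and lists the addresses that would now be sent into the tunnel without being part of the encryption domain.

```python
import ipaddress

# Constructed sample encryption domain: nine remote public hosts, two of them
# sequential (as in the thread). RFC 5737 documentation addresses, not real peers.
ENCRYPTION_DOMAIN = [
    "198.51.100.10", "198.51.100.11",    # the two sequential hosts
    "198.51.100.37", "198.51.100.70",
    "203.0.113.5", "203.0.113.44",
    "203.0.113.99", "203.0.113.130", "203.0.113.201",
]


def widen_to_prefix(hosts, new_prefix=30):
    """Return the minimal set of /new_prefix networks covering every host.

    Models replacing each /32 remote subnet with a /30. Hosts that fall
    inside the same /30 (the sequential pair) collapse into one network.
    """
    nets = {ipaddress.ip_network(f"{h}/{new_prefix}", strict=False) for h in hosts}
    return sorted(ipaddress.collapse_addresses(nets))


def collateral_addresses(hosts, networks):
    """Addresses covered by the widened policy that are NOT in the encryption domain."""
    wanted = {ipaddress.ip_address(h) for h in hosts}
    return sorted(a for n in networks for a in n if a not in wanted)


def widening_report(hosts, new_prefix=30):
    """Summarise what the /30 workaround does to the tunnel's traffic selectors."""
    nets = widen_to_prefix(hosts, new_prefix)
    extra = collateral_addresses(hosts, nets)
    return {
        "hosts": len(hosts),
        "networks": [str(n) for n in nets],
        "collateral": [str(a) for a in extra],
    }


if __name__ == "__main__":
    report = widening_report(ENCRYPTION_DOMAIN)
    print(f"{report['hosts']} hosts -> {len(report['networks'])} /30 networks")
    for net in report["networks"]:
        print("  remote subnet:", net)
    print(f"{len(report['collateral'])} addresses pulled into the tunnel unintentionally:")
    for addr in report["collateral"]:
        print("  ", addr)
```

Anything on the collateral list that the site genuinely needs to reach over the plain Internet would instead be steered into the tunnel, so compare that list against the site's other dependencies before accepting the workaround.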
 
Sounds like you are screwed. Get them to give you the make and model of a device that will work, return the Ubiquiti router and get the one they specify. I'm with @Markverhyden, when they say "any quality firewall", respond, "Such as? Be specific." Ultimately, you've found out the hard way that the USG-Pro doesn't offer the settings they need. You just need to get them to give you specifics on the appliance that will, then buy that thing. Stomp your feet a bit, you should get the answers.

You'll probably end up eating the cost of the Ubiquiti. Need a good, slightly-used USG Pro in your shop per chance? I have exactly one of these in the field, it's at a church who couldn't swallow the price of a SonicWall, but it's been trouble-free since 11/19 although we're not doing anything fancy with it.
 
Just got back and checked that thread you linked to @timeshifter. I was able to create an IPsec site to site with no remote subnet and then add a static route with an IP/32 entry. Of course I don't have any time to test it, but it looks like that concept should work.

Screen Shot 2021-11-15 at 6.21.16 PM.png
 
Thanks Mark! I feel pretty good that using a static route may solve the problem of the remote subnet. However, revisiting the other issue, I wonder if this is the final nail in the coffin as @HCHTech alluded to.

Ubiquiti said: "Regarding the Phase1 and Phase2 question, it's not possible to configure the Phase2 on the USG. Phase2 has the same config as phase1 except for the lifetime values. The default lifetime for phase1 is 28800s and phase2 3600s. You need to make the changes on the peer router to match it with the USG."

The configuration worksheet calls for 86,400 default lifetime for Phase 1 and Phase 2. USG seems hard coded for 28,800 and 3,600. And they're telling me to tell the vendor to change it on their end, which I doubt they'd be willing to do.
 
It's 4th and 15 from deep in our own territory. The punter has entered the game and is about to kick UniFi downfield.

Two quarterbacks on the sideline. Meraki MX64 and FortiGate 60E. MX64 and his brothers have played on my team and I know the family well. However, 60E is a new kid, but he knows how to pick this defense apart.
 
Been an interesting thread to follow. Big time props to @Markverhyden for his assists in this one!
I've had nothing to offer here since I've never set up a site to site L2TP/IPsec VPN that doesn't define a private class C subnet on the remote side.

As big of a fan of Ubiquiti as I am, we keep their gateways for just very simple networks, where you don't have servers behind them with port forwards, and don't have client to HQ VPNs. We had done a couple of site to site VPNs with UI gateways at both ends. I find them to just work "OK" for that. Need occasional reboots. So we only use them for the most basic of client needs, else...they get Untangle!

Anyways, interesting thread. Could possibly do this with an EdgeRouter, BUT...at that point, stick to something the "host" here says they can support.
 
Wait, the coach calls timeout.

Flexential support: “I have set the lifetimes to match the values you've provided. Please let us know if we will need to make any further changes on our end.”
 
Grab some more popcorn boys and girls...

Working with Flexential support, getting close now that they've updated the timeouts to match what UniFi hard codes. Excited to see if the tunnel comes up. Confirming all the Phase 1 settings, they can't get Phase 1 to come up.

Also, the support agent I spoke with at Flexential today confirmed that Storis customers use a variety of firewalls - Cisco, Meraki, Sonicwall, Palo Alto and Ubiquiti. Yes, they have some using Ubiquiti.

Anyway, here's the fun part. HE CAN'T PING MY IP. (public IP of our network, static IP assigned to USG). Yes, the Internet works from the site, it's not down, it's working fine.

Neither can I. I'm at a restaurant on their WiFi. Tried through my phone hotspot too. It seems to die on a hop that's getting close. So now it's time to call Spectrum.
 
Guess pings are blocked by default on USG Pro 4. Can't ping the other two I've got out there, and they're all set to default settings more or less. One of the Meraki I've got out there will respond.

Spectrum did find some coding problem on account / static IP, but not related apparently.
 