How To Configure Site to Site VPN On Unifi Controller 7.0.22
In this tutorial you will learn how to configure Unifi UDM PRO Site to Site VPN on Unifi Controller 7.0.22.
A site-to-site virtual private network (VPN) is an encrypted, authenticated tunnel across the public internet between two or more networks, such as a corporate network and a branch office network. Many organizations use site-to-site VPNs to carry private traffic over an ordinary internet connection as an alternative to private MPLS circuits.
Site-to-site VPNs are frequently used by companies with multiple offices in different geographic locations that need to access and use the corporate network on an ongoing basis. With a site-to-site VPN, a company can securely connect its corporate network with its remote offices to communicate and share resources with them as a single network.
Let’s get started.
Make sure you are on Unifi Controller Version 7.0.22. I will be using a Unifi UDM Pro for this configuration.
Step 1: Log into your Main Office Unifi Controller.
Step 2: Click Settings
Step 3: Click VPN
Step 4: Scroll down until you locate the Site-to-Site VPN section, then click the Create Site-to-Site VPN button.
Step 5: Now Let’s configure the Site-to-Site VPN Network.
- Network Name: Since we are logged into the Main Office Unifi Controller, name this network after the Branch Office we are connecting to.
- VPN Protocol: Select Manual IPsec.
- Pre-shared Key: Use a long, randomly generated key. It authenticates the two gateways to each other, so anyone who has it can pose as the other site; you will enter the same key when you set up the Branch Office side.
- Server Address: Select from the drop-down, or enter manually, the WAN IP address on this UDM Pro that the Site-to-Site VPN traffic will use.
Step 6: Scroll down until you locate Remote Device Configurations.
Step 7: Under Remote Gateway/Subnets, enter the Branch Office's primary LAN subnet. In my case they are using 192.168.10.0/24. This subnet must not overlap the Main Office LAN, or traffic for the far side will never be routed into the tunnel. Once the address is entered you will be prompted to create the policy; click Create.
Step 8: Under Remote IP Address enter the WAN IP address of the Branch Office.
Step 9: Since you are connecting to another UDM Pro on the same controller version, Auto can be left as is. If the other end is a different firewall or VPN appliance, select Manual and make sure the IKE/ESP settings (IKE version, encryption, hash, DH group, PFS and the phase 1 and phase 2 lifetimes) match exactly on both ends; a mismatch on any one of them leaves the tunnel down or unstable.
Step 10: Click the Add Network button. Your VPN network is now created on the Main Office side.
Step 11: Log into your Branch Office Unifi controller.
Step 12: Follow the steps starting from Step 2 and configure your Branch Office UDM Pro VPN to connect to the Main Office.
Reminders:
- Use the same pre-shared key.
- Server Address is the Branch Office WAN IP, the one you entered as Remote IP Address on the Main Office side.
- Remote Gateway/Subnets is the Main Office primary LAN.
- Remote IP Address is the Main Office WAN IP you selected as Server Address for the Site-to-Site VPN.
Step 13: Open a Command Prompt on a host at each site and ping a host on the other site's LAN (the remote gateway address is a good first target) to confirm that traffic crosses the tunnel in both directions.
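Almost every failed site-to-site setup comes down to the two halves not mirroring each other: a different pre-shared key, Server Address and Remote IP Address not swapped, the wrong subnet under Remote Gateway/Subnets, overlapping LANs, or one side on Auto and the other on Manual. The checker below is an added example, not part of the tutorial and not a UniFi export format: the two dictionaries model the fields from Steps 5 to 9 for each controller, the field names are my own, and the Main Office LAN (192.168.1.0/24) and the documentation WAN addresses are constructed.

```python
"""Consistency check for the two halves of a UniFi Manual IPsec site-to-site VPN.

Added example (not from the original tutorial or from Ubiquiti). The two
dictionaries model what is typed into the Main Office and Branch Office
controllers; the field names are assumptions, not a UniFi export format.
"""
import ipaddress
import secrets

# Manual-mode settings that must agree on both ends when Step 9 is set to Manual
# (assumed names; the controller's labels may differ).
PHASE_FIELDS = ("ike_version", "encryption", "hash", "dh_group", "pfs",
                "phase1_lifetime", "phase2_lifetime")


def check_site_pair(main: dict, branch: dict) -> list[str]:
    """Return the problems found; an empty list means the two sides mirror each other."""
    problems = []

    # 1. Same pre-shared key on both ends, and long enough to resist guessing.
    if main["psk"] != branch["psk"]:
        problems.append("pre-shared keys differ")
    if min(len(main["psk"]), len(branch["psk"])) < 20:
        problems.append("pre-shared key is shorter than 20 characters")

    # 2. Server Address on one side is the Remote IP Address on the other.
    if main["server_address"] != branch["remote_ip"]:
        problems.append("branch Remote IP Address must equal main Server Address")
    if branch["server_address"] != main["remote_ip"]:
        problems.append("main Remote IP Address must equal branch Server Address")

    # 3. Remote Gateway/Subnets is the other site's primary LAN, and the two
    #    LANs must not overlap or the gateway has no reason to route via the tunnel.
    main_lan = ipaddress.ip_network(main["local_lan"], strict=True)
    branch_lan = ipaddress.ip_network(branch["local_lan"], strict=True)
    if ipaddress.ip_network(main["remote_subnet"]) != branch_lan:
        problems.append("main Remote Gateway/Subnets must equal branch primary LAN")
    if ipaddress.ip_network(branch["remote_subnet"]) != main_lan:
        problems.append("branch Remote Gateway/Subnets must equal main primary LAN")
    if main_lan.overlaps(branch_lan):
        problems.append(f"primary LANs overlap: {main_lan} and {branch_lan}")

    # 4. Auto on both ends is fine; Manual on both ends needs identical proposals.
    if main.get("mode", "auto") != branch.get("mode", "auto"):
        problems.append("one side is Auto and the other Manual")
    elif main.get("mode", "auto") == "manual":
        for field in PHASE_FIELDS:
            if main.get(field) != branch.get(field):
                problems.append(f"{field} differs: {main.get(field)} vs {branch.get(field)}")
    return problems


def new_psk(nbytes: int = 32) -> str:
    """Generate a random pre-shared key to paste into both controllers."""
    return secrets.token_urlsafe(nbytes)


# Constructed sample: the tutorial's branch LAN plus assumed main LAN and WAN addresses.
MAIN = {"local_lan": "192.168.1.0/24", "remote_subnet": "192.168.10.0/24",
        "server_address": "198.51.100.10", "remote_ip": "203.0.113.20",
        "psk": "correct-horse-battery-staple-7Q2x", "mode": "auto"}
BRANCH = {"local_lan": "192.168.10.0/24", "remote_subnet": "192.168.1.0/24",
          "server_address": "203.0.113.20", "remote_ip": "198.51.100.10",
          "psk": "correct-horse-battery-staple-7Q2x", "mode": "auto"}

if __name__ == "__main__":
    found = check_site_pair(MAIN, BRANCH)
    print("\n".join("PROBLEM: " + p for p in found) if found else "both sides mirror each other")
```

Run it before touching either controller's settings: fill in the two dictionaries from what you actually typed on each side, and fix everything it reports before you start looking at firewall rules or threat management.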
I hope this article was helpful, if you have any questions, please feel free to contact me. If you would like to be notified of when I create a new post, you can subscribe to my blog alert.
Discover more from Patrick Domingues
Hi,
Thanks for your tutorial.
I have set this up on Network 7.0.22 in exactly the same way as you describe.
On my “Main office” UDM-Pro (my home) my primary network is 192.168.22.0/24
On my “Branch office” UDM (my basement) my primary network is 192.168.17.0/24
I have set the remote network on my “Main office” UDM-Pro to 192.168.17.0/24
I have set the remote network on my “Branch office” UDM to 192.168.22.0/24
When I connect, connection is instant.
it seems to work great.
But I just can’t make a connection from a device on “Main office” to a device on “Branch office”.
Not even trying to ping the UDM or UDM Pro.
Trying a trace route from “Main office” device to UDM in “Branch office”:
% traceroute 192.168.17.1
traceroute to 192.168.17.1 (192.168.17.1), 64 hops max, 52 byte packets
1 unifi (192.168.22.1) 2.590 ms * 0.495 ms
2 * unifi (192.168.22.1) 0.611 ms !H *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * unifi (192.168.22.1) 0.961 ms !H
10 unifi (192.168.22.1) 0.904 ms !H * *
11 * * *
12 unifi (192.168.22.1) 0.673 ms !H * 0.522 ms !H
%
I have today upgraded to 7.0.25. Connection works great, but I still can’t make a connection between sites.
Any ideas on why it isn’t working?
Thanks
Tony
Hello Tony,
Thank you for the visit. Unifi allows all traffic to pass through LAN to LAN unless Unifi deems it a threat. Under Firewall & Security, scroll down until you find Threat Management Allow List and add the LANs you mentioned for both directions. See if that works. Also, if you are using Comcast as your ISP, are you in advanced bridge mode?
Hello Patrick,
Thanks for your reply.
I have Threat Management turned off completely on both UDM Pro and UDM.
I am not using Comcast as ISP.
When I connect through the standard VPN I can connect to devices on the remote network without any problem.
Thanks
Tony
Hi Patrick,
I’m having a similar issue; I cannot ping any device from either network. All settings were configured like you have listed here. I also have threat management off. I wonder what I’m missing. I made sure both USGs are on the same version and restarted both. Any suggestions are greatly appreciated. Many thanks!
Hello,
Are you able to ping the USG on either end but not internal devices?
Within Firewall & Security, locate Threat Management Allow List and allow the subnets for each location.
Hi Patrick, it works! That is so bizarre: I actually have to turn ON threat management, set it to low and then add the allow list, because otherwise the allow list is grayed out. To make things even more confusing, I was able to turn off threat protection after the VPN started working.
I have a previously set up VPN migrated from an old USG to the trashcan-looking UDM. It works as it did before, except I still cannot ping or access the UDM; accessing or pinging any device on the LAN works great. A traffic capture from the remote end says that the packets are going out, but no reply is ever received from the UDM’s LAN IP. What rule needs to be defined, or what setting changed, to allow access to the UDM LAN IP over the VPN for config of the UDM, as it cannot be adopted by my central controller?
Hello Dan,
Thank you for the visit. Let’s see what can be done. Since I do not fully know the current state let’s start with one of the basic steps.
Locate and click on System Log on each device. From the opposite side of the VPN, access the UDM: do you see any sort of detections dropping the access?
If that is the case add the subnet that is accessing the UDM to the Security Detection Allow List under Firewall & Security.
Hello, I have a site-to-site VPN from Cisco to UDM. The tunnel is up now. On the server at the data center where the Cisco lives I can ping hosts on the UDM subnet, but I cannot ping the UDM gateway.
Any Ideas?
Hello Cody,
Create an ICMP allow rule.
ICMP is enabled; the rule is in place on the LAN In?
I think the issue is I am trying to do a policy-based VPN, and the UDM doesn’t support that from what I have been reading.
But we tried a route-based VPN between the UDM Pro and the Cisco ASA 5508, and every 5 to 30 minutes the tunnel collapses.
Any idea how to make the tunnel more stable? Right now Using
ikev2
aes-256
sha512
DH 21
PFS disabled
DPD disabled
Dynamic route enabled
Phase 1 lifetime 28800
Phase 2 lifetime 3600
I would start by lowering the encryption requirements: IKEv1, AES128, MD5. Phase 1 86400, phase 2 28800.
Does the UDM Pro support site to multi-site? For example, the UDM Pro is the main office and two branch offices run USGs; is this possible for site to multi-site?
Hello Water,
Yes, it is possible to create multi-site vpn.
Patrick, have you had experience with this? I’m trying to configure a client with 4 sites in different cities to use UDM Pros for their site-to-site vpn connection. I need these 4 sites to be able to communicate with one another but I can only seem to get one pair to work at a time. So site A can connect to site B, but then I can’t get C or D to connect to A or B.
Hello James,
It is possible. Make sure each primary LAN is on a different subnet. It’s been a while, but from what I remember you will need a block of static WAN IP addresses, one static IP per VPN connection.
How do you set up Magic VPN site-to-site, or manual, on a UDM-SE?
Quick question; do I need a static WAN IP for each UDM or if setting up a remote location to a primary, can I have a dynamic WAN IP at the secondary and have it always be the one to establish the connection to the primary (which does have a static IP)? The connection is only required for some occasional synchronization of keyfob data for some access gates, everything else at the remote site will go out over the local WAN connection
Hello Tim,
Technically not best practice but yes you could do that.
Ok, it wouldn’t require reconfiguring the VPN at the remote site if the public IP address changed, right? Since the remote site device would proactively reach out and establish the connection to the primary site based on that site’s static IP data if it ever was rebooted or lost connection?
Hello, Patrick.
Very good article. Lots of good information.
What is missing is a good way to troubleshoot the VPN connections from the command line. Unifi is very lacking in this type of documentation.
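For the command-line troubleshooting the commenter above asks about, and for the symptoms earlier in this thread (a traceroute that returns !H from the local gateway, which means the gateway itself answered ICMP host unreachable because it had no route or IPsec policy for the far subnet at that moment; or captures showing packets leaving with nothing coming back), the most useful single command on the gateway is the IPsec daemon's status. The script below is an added example, not part of the article and not Ubiquiti's code. It assumes the gateway's IPsec stack is strongSwan (UniFi OS on the UDM Pro runs charon, so SSH in and run `ipsec statusall`); the `peer-<ip>-tunnel-<n>` connection name, the addresses and the byte counters in SAMPLE are a constructed capture trimmed to the lines the parser reads.

```python
"""Summarise strongSwan `ipsec statusall` output for one site-to-site tunnel.

Added example (not from the original post or from Ubiquiti). Assumes the
gateway runs strongSwan; SAMPLE is a constructed capture in that format.
"""
import re
import sys

SAMPLE = """\
Security Associations (1 up, 0 connecting):
peer-203.0.113.20-tunnel-1[1]: ESTABLISHED 2 hours ago, 198.51.100.10[198.51.100.10]...203.0.113.20[203.0.113.20]
peer-203.0.113.20-tunnel-1[1]: IKEv1 SPIs: 0123456789abcdef_i* fedcba9876543210_r, pre-shared key reauthentication in 5 hours
peer-203.0.113.20-tunnel-1{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0a1b2c3_i d4e5f6a7_o
peer-203.0.113.20-tunnel-1{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 8400 bytes_o (100 pkts, 3s ago), rekeying in 40 minutes
peer-203.0.113.20-tunnel-1{1}:   192.168.1.0/24 === 192.168.10.0/24
"""

# "<conn>[n]: ESTABLISHED ..."   -> IKE (phase 1) state
IKE_RE = re.compile(r"^(?P<name>\S+)\[\d+\]: (?P<state>[A-Z]+) ")
# "<conn>{n}:  INSTALLED, TUNNEL, ..." -> child SA (phase 2) state
CHILD_RE = re.compile(r"^(?P<name>\S+)\{\d+\}:\s+(?P<state>[A-Z]+), (?P<mode>[A-Z]+)")
# "... N bytes_i ..., M bytes_o ..." -> per-direction counters
BYTES_RE = re.compile(r"(?P<bi>\d+) bytes_i.*?(?P<bo>\d+) bytes_o")
# "<conn>{n}:   local/24 === remote/24" -> traffic selectors
TS_RE = re.compile(r"^(?P<name>\S+)\{\d+\}:\s+(?P<local>[\d./]+) === (?P<remote>[\d./]+)")


def parse_statusall(text: str) -> dict:
    """Return {connection name: {ike, child, selectors, bytes_in, bytes_out}}."""
    conns = {}
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            conns.setdefault(m["name"], {})["ike"] = m["state"]
            continue
        m = CHILD_RE.match(line)
        if m:
            conns.setdefault(m["name"], {})["child"] = m["state"]
            continue
        m = TS_RE.match(line)
        if m:
            conns.setdefault(m["name"], {})["selectors"] = (m["local"], m["remote"])
            continue
        m = BYTES_RE.search(line)
        if m and "{" in line:
            name = line.split("{", 1)[0]
            conns.setdefault(name, {}).update(bytes_in=int(m["bi"]), bytes_out=int(m["bo"]))
    return conns


def diagnose(conn: dict, expect_local: str, expect_remote: str) -> str:
    """Map the parsed state to the usual site-to-site failure modes."""
    if conn.get("ike") != "ESTABLISHED":
        return "phase 1 down: check the pre-shared key, Server/Remote IP addresses and UDP 500/4500 reachability"
    if conn.get("child") != "INSTALLED":
        return "phase 2 down: IKE is up but no child SA; check Remote Gateway/Subnets and the phase 2 proposal/PFS on both ends"
    if conn.get("selectors") != (expect_local, expect_remote):
        return f"traffic selectors {conn.get('selectors')} do not match expected ({expect_local}, {expect_remote})"
    if conn.get("bytes_out", 0) > 0 and conn.get("bytes_in", 0) == 0:
        return "tunnel up, packets leave but nothing returns: check the far side's firewall / threat management allow list and its route back to this LAN"
    return "tunnel up and passing traffic in both directions"


if __name__ == "__main__":
    # Usage on the gateway: ipsec statusall | python3 tunnelcheck.py LOCAL/24 REMOTE/24
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    local, remote = (sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else ("192.168.1.0/24", "192.168.10.0/24")
    for name, conn in parse_statusall(text).items():
        print(f"{name}: {diagnose(conn, local, remote)}")
```

The constructed sample deliberately reproduces the "packets go out, nothing comes back" case: IKE and the child SA are both up and the selectors are right, but bytes_i is zero, which points at the far side (a drop there or a missing return route) rather than at this gateway's VPN configuration. On the UDM, `ip xfrm policy` lists the kernel's IPsec policies and is the second thing to check when the child SA is missing.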