UniFi Site-to-Site IPsec VPN with Two Controllers

I have two UniFi USGs, each on its own local controller, and I wanted to set up a site-to-site IPsec VPN. Here’s what worked.

From my research, you can’t use Auto configuration when you have two controllers, so I used manual, mostly following advice in this thread.

IPsec only allows entering IP addresses, not hostnames, so if the IP addresses are dynamic and they change, you’ll need to update both sides again.

In my scenario:

  • Sites A and B each have their own subnet.
  • Sites A and B have public IPs visible to the USGs. No double-NAT involved.
  • Site A needs to be able to access Site B but not vice-versa, so we need to look at the firewall as well.

1. Set up the VPN at Site A, using Site B’s subnet and the public IP addresses of Site A and Site B, respectively, I used a password generator to create a 40-character Pre-Shared Key:

UniFi VPN 1

2. Set up the VPN at Site B, using Site A’s subnet, the public IP addresses of Site B and Site A, and the same Pre-Shared Key. (Note:  if the other side will be an EdgeOS device like an ER-X instead of a USG, turn off Dynamic Routing. See this post.)

UniFi VPN 2

3. Both sites already have firewall rules that block communication among private subnets (used for VLANs). See this post to set that up.

To allow Site A to access Site B, we need a new rule at Site B that creates an exception for packets coming from Site A’s subnet. Create a firewall Address Group for Site A’s subnet, then add this rule in LAN IN:

UniFi VPN 3

After creating the LAN IN rule, move it above the rule that blocks inter-VLAN communication:

UniFi VPN 4

4. Once both USGs have finished provisioning, you should now be able to ping from Site A to a pingable host behind Site B.

5. The dashboard will report that the VPN is down, but it’s not:

UniFi VPN 5

To check the VPN status, SSH into one USG and type show vpn ipsec sa:

UniFi VPN 6

8 thoughts on “UniFi Site-to-Site IPsec VPN with Two Controllers

  1. Mike

    Hi, thanks for your write up, when I tried it all I get is the following. Any idea?

    @ubnt:~$ show vpn ipsec sa
    (unnamed): #44, CONNECTING, IKEv1, bea5caedda75e526:516b03af439bbb03
    local ‘%any’ @ xxx.xxx.xxx.xxx
    remote ‘%any’ @ xxx.xxx.xxx.xxx
    AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
    passive: ISAKMP_VENDOR MAIN_MODE

  2. Mark Berry Post author

    Mike, did you trying pinging from a device behind the first USG to a device behind the second USG? Not sure if it’s true for USG, but in general, sometimes you have to ping (or otherwise access the remote network) to get the tunnel to start.

    Also, are you using the string “%any” somewhere? I hard-coded the IP addresses in Peer IP, and they appear both before and after the @ sign in the show vpn output. Let me know if you get “%any” to work and how.

  3. Mark Berry Post author

    Good to hear! So what’s with the “%any”? Did you figure out how to get it to work behind dynamic IPs?

  4. Mike

    I honestly dont know why it returns %any, it was in the output. I have the ip’s hard coded too. To my knowledge you can’t really use any type of dynamic dns so I will just have to keep an eye on the ip’s and take it as “acceptable risk” though they ip’s don’t really change much, I do have my own dydns server so I will always able to “locate” them should they change. What firmware version are you running? I wonder if %any is a function of latest and greatest firmware.

  5. Mark Berry Post author

    Firmware is 4.4.22. I thought I’d seen threads about how to use dynamic IP (yeah it would have to be with a DynDNS type address) but I’m doing the same as you: hard-code and when it rarely breaks, scratch my head until I remember I need to update the IP.

  6. Roselyn Cudal

    Greetings Sir! the same with Sir Mike the status of the vpn is connecting, I even added some characters for the presharedkey just to make it longer and also the ‘%any’.
    I’m using both usg: usg4p and usg3p .
    The usg3p has a static wan IP while the usg4p is PPPoe behind a bridge mode modem.
    Thank you in advance sir!

  7. Mark Berry Post author

    Roselyn – sorry but pretty much everything I know is in the article. On my system, “show vpn ipsec sa” still does not return “%any @”. I would suggest contacting UniFi support via chat.

Leave a Reply

Your email address will not be published. Required fields are marked *

Notify me of followup comments via e-mail. You can also subscribe without commenting.

This site uses Akismet to reduce spam. Learn how your comment data is processed.