I have two UniFi USGs, each on its own local controller, and I wanted to set up a site-to-site IPsec VPN. Here’s what worked.
From my research, you can’t use Auto configuration when you have two controllers, so I used manual configuration, mostly following advice in this thread.
IPsec only allows entering IP addresses, not hostnames, so if the IP addresses are dynamic and they change, you’ll need to update both sides again.
In my scenario:
- Sites A and B each have their own subnet.
- Sites A and B have public IPs visible to the USGs. No double-NAT involved.
- Site A needs to be able to access Site B but not vice-versa, so we need to look at the firewall as well.
1. Set up the VPN at Site A, using Site B’s subnet and the public IP addresses of Site A and Site B, respectively. I used a password generator to create a 40-character Pre-Shared Key:
2. Set up the VPN at Site B, using Site A’s subnet, the public IP addresses of Site B and Site A, and the same Pre-Shared Key. (Note: if the other side will be an EdgeOS device like an ER-X instead of a USG, turn off Dynamic Routing. See this post.)
3. Both sites already have firewall rules that block communication among private subnets (used for VLANs). See this post to set that up.
To allow Site A to access Site B, we need a new rule at Site B that creates an exception for packets coming from Site A’s subnet. Create a firewall Address Group for Site A’s subnet, then add this rule in LAN IN:
After creating the LAN IN rule, move it above the rule that blocks inter-VLAN communication:
4. Once both USGs have finished provisioning, you should now be able to ping from Site A to a pingable host behind Site B.
5. The dashboard will report that the VPN is down, but it’s not:
To check the VPN status, SSH into one USG and type show vpn ipsec sa:
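An added example, not part of the original post: a small Python checker for the `show vpn ipsec sa` output from step 5. It treats the CLI as the source of truth instead of the dashboard, and it also flags the case where the peer/local public IP pair no longer matches what was configured, which is what you would see after one side’s dynamic IP changed. The sample output, the column layout and the addresses are constructed for this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `show vpn ipsec sa` output from a USG (EdgeOS-style layout);
# the addresses are documentation ranges, not real sites.
SAMPLE_OUTPUT = """\
Peer ID / IP                            Local ID / IP
------------                            -------------
203.0.113.2                             198.51.100.1

    Tunnel  State  Bytes Out/In   Encrypt  Hash    NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----    -----  ------  ------  -----
    1       up     8.3K/12.1K     aes256   sha1    no     1203    3600    all
"""

# A peer block starts with "<peer-ip> <local-ip>"; tunnel rows are indented.
PEER_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s*$")
TUNNEL_RE = re.compile(
    r"^\s+(\d+)\s+(up|down)\s+(\S+)\s+(\S+)\s+(\S+)\s+(yes|no)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")

def parse_ipsec_sa(output: str) -> Dict[Tuple[str, str], List[dict]]:
    """Map (peer_ip, local_ip) -> list of tunnel rows under that peer."""
    sas: Dict[Tuple[str, str], List[dict]] = {}
    current = None
    for line in output.splitlines():
        m = PEER_RE.match(line)
        if m:
            current = (m.group(1), m.group(2))
            sas.setdefault(current, [])
            continue
        m = TUNNEL_RE.match(line)
        if m and current is not None:
            sas[current].append({"id": int(m.group(1)), "state": m.group(2),
                                 "encrypt": m.group(4), "hash": m.group(5),
                                 "nat_t": m.group(6) == "yes"})
    return sas

def check_tunnel(output: str, expected_peer: str, expected_local: str) -> List[str]:
    """Return problems found; an empty list means the tunnel is up as configured."""
    sas = parse_ipsec_sa(output)
    key = (expected_peer, expected_local)
    if key not in sas:
        # No SA for the configured pair: not negotiated yet, or a public IP changed.
        seen = ", ".join(f"{p}->{l}" for p, l in sas) or "none"
        return [f"no SA for peer {expected_peer} / local {expected_local}; seen: {seen}"]
    problems = [f"tunnel {t['id']} is {t['state']}" for t in sas[key] if t["state"] != "up"]
    if not sas[key]:
        problems.append("peer listed but no tunnel negotiated")
    return problems
```

Run it against the real output of `show vpn ipsec sa` with the peer and local addresses you entered in steps 1 and 2; a non-empty list is the thing to investigate, whatever the dashboard says.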