unifi-usg

Setting up the Privatise Tunnel

1. Go to Site to Site under the Managed Company Portal.

2. Add the Remote Gateway IP. This is the public IP of your UniFi location.

3. Add the Remote Network IP and Subnet. This is the network IP and subnet of your UniFi location.

4. IKE version should be IKEv2.

5. Add your preshared key. You can create one by searching for a PSK generation website. Make sure to save it somewhere safe, as you'll need it later for your UniFi box.

6. Key lifetime should be 20000.

7. Phase 1 and Phase 2 should both be AES256-SHA1-D2.

8. Set aggressive mode to No.
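
Step 5 leaves generating the preshared key to a website. The script below is an added example (not part of this page or of Privatise/UniFi) that generates the PSK locally from the OS random source, vets a key before it is pasted into either end, and saves it with owner-only permissions; the alphanumeric-only alphabet and the 20-character / 128-bit thresholds are assumptions chosen here, not values from the page.

```python
"""Generate and vet an IPsec pre-shared key locally (added example)."""
import math
import os
import secrets
import string

# Letters and digits only so the key pastes cleanly into both the Privatise
# portal and the UniFi PSK field (assumption: no punctuation is required).
PSK_ALPHABET = string.ascii_letters + string.digits

def generate_psk(length: int = 40) -> str:
    """Return a random PSK drawn with the OS CSPRNG via the secrets module."""
    if length < 20:
        raise ValueError("a PSK shorter than 20 characters is not worth generating")
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))

def psk_entropy_bits(psk: str) -> float:
    """Upper-bound entropy estimate: log2(pool size) per character, where the
    pool is the set of character classes actually present in the key."""
    pool = 0
    if any(c.islower() for c in psk):
        pool += 26
    if any(c.isupper() for c in psk):
        pool += 26
    if any(c.isdigit() for c in psk):
        pool += 10
    if any(not c.isalnum() for c in psk):
        pool += 32  # rough size of the printable punctuation set
    return len(psk) * math.log2(pool) if pool else 0.0

def vet_psk(psk: str, min_bits: float = 128.0) -> list:
    """Return the reasons a PSK should not be used; an empty list means OK."""
    problems = []
    if len(psk) < 20:
        problems.append("shorter than 20 characters")
    if psk_entropy_bits(psk) < min_bits:
        problems.append(f"estimated entropy below {min_bits:.0f} bits")
    if len(set(psk)) < max(8, len(psk) // 4):
        problems.append("too many repeated characters")
    return problems

def save_psk(psk: str, path: str) -> None:
    """Write the PSK to a file readable only by the current user (mode 0600)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(psk + "\n")

if __name__ == "__main__":
    key = generate_psk()
    assert vet_psk(key) == []
    save_psk(key, "privatise-psk.txt")
    print("PSK written to privatise-psk.txt; enter it on both ends of the tunnel")
```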

Configuring UniFi

Open the UniFi - USG management interface.

In the left panel, select Networks, then select Create New Network.

Select Site to Site VPN > Manual IPsec and fill in with the following information:

Enable this Site-to-Site VPN
Remote Subnets: Enter the Privatise ROC Subnet. This is 10.8.0.0/16.
Peer IP: Enter the public IP of the ROC as seen under ROC on Demand.
Local WAN IP: Enter the public IP of the UniFi USG.
Pre-shared key: Use the preshared key you created in the previous step.

Enter the name of the VPN Gateway (Privatise for example).

In the Advanced Options fill in the following information:

Key Exchange Version: IKEv2
Encryption: AES-256
Hash: SHA1
DH Group: 2
PFS: Enable
Dynamic Routing: Disable

Go to Routing & Firewall > Static Routes > Create New Route.

Choose a name.
Enable the route.
Enter the Privatise subnet provided by support in Destination Network.

Make sure to choose the interface you created in the previous section.

Create a firewall rule that allows traffic from the Privatise subnet to the LAN Network.

If the connection doesn't start automatically from the UniFi side, edit the connection under Site to Site in the Managed Company Portal and save it to restart the tunnel from the Privatise end.

  • unifi-usg.txt
  • Last modified: 2022/01/18 08:44
  • by rafi