
IPSec Site-to-Site VPN between Unifi and pfSense

In this article, we’re assuming we have multiple sites (remote offices) using Unifi networking gear, and a central network (in Azure or AWS for example) running pfSense as the firewall. We want an IPSec site-to-site VPN between them in a spoke topology. The Unifi networks will connect to the pfSense using site-to-site VPNs. There are a few gotchas. The biggest issue is the lack of options within the Unifi console. This is likely because they want you to use Unifi at both ends. But in the real world, that’s unlikely.

Why not use OpenVPN? Because I have no idea how Unifi has implemented it.

We’re focusing on IPSec phase 1. That’s where the NAT issues will be, and it matters which IP address you use in each setting. Phase 2 is fully private networking and shouldn’t be your source of pain. In this example, the remote site has a Unifi security gateway connected to a 4G router (that’s not really relevant, but it helps you get an idea of what we’re working with).

Some networking details:

On the Unifi management portal, go to Devices, USG, Details, WAN 1. Note the IP Address. For me it is “192.168.x.x”. That address is what we enter into the “Local WAN IP” field in the example below. Additionally, we enter the public IP address of the pfSense in the “Peer IP” field.

On the pfSense side, we enter the public IP address of the Unifi remote site in the “Remote Gateway” field [1]. Enter the public IP address of the pfSense in the “My identifier” field. And enter the Unifi’s “WAN 1” address (as discussed above) in the “Peer identifier” field. While you’re there, check the crypto settings to make sure they match; more specifically, make sure your Unifi crypto settings match your pfSense crypto settings. Unfortunately (at this time) you can’t modify anything “time” related (re-keying, etc.) on the Unifi side, but fortunately the Unifi settings seem to match the pfSense settings well.

[1] If you don’t know your Unifi’s public IP address, use this method to find it: In the Unifi management portal, go to Devices, Click on a device (not the USG), Tools, Debug Terminal, Open Terminal, enter “curl https://www.agix.com.au/ip.php” and make a note of the IP address it returns, that’s your public IP address.
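The cross-matching rules above (pfSense addresses the site by its public IP but identifies it by the USG’s WAN 1 address) are easy to get backwards. The checker below is an added example, not from this article; the dictionary keys and the sample addresses are constructed for illustration.

```python
import ipaddress

def check_phase1(unifi, pfsense):
    """Return the list of phase 1 mismatches between the two sides (empty when consistent).

    unifi:   local_wan_ip (USG WAN 1), peer_ip, public_ip (what the site appears as), proposal
    pfsense: remote_gateway, my_identifier, peer_identifier, public_ip, proposal
    """
    problems = []
    # pfSense reaches the site through its public (post-NAT) address ...
    if pfsense["remote_gateway"] != unifi["public_ip"]:
        problems.append("pfSense Remote Gateway must be the Unifi site's public IP")
    # ... but the USG identifies itself with the WAN 1 address it actually holds
    if pfsense["peer_identifier"] != unifi["local_wan_ip"]:
        problems.append("pfSense Peer identifier must equal the USG WAN 1 address")
    if pfsense["my_identifier"] != pfsense["public_ip"]:
        problems.append("pfSense My identifier must be the pfSense public IP")
    if unifi["peer_ip"] != pfsense["public_ip"]:
        problems.append("Unifi Peer IP must be the pfSense public IP")
    # Unifi exposes no lifetime settings, so the proposals must already agree
    if unifi["proposal"] != pfsense["proposal"]:
        problems.append("phase 1 proposals differ between the two sides")
    return problems

def usg_behind_nat(unifi):
    """True when WAN 1 holds a private address that differs from the site's public IP."""
    wan = ipaddress.ip_address(unifi["local_wan_ip"])
    return wan.is_private and unifi["local_wan_ip"] != unifi["public_ip"]

# Constructed sample settings for a USG sitting behind a 4G router
UNIFI = {"local_wan_ip": "192.168.8.2", "peer_ip": "203.0.113.10",
         "public_ip": "198.51.100.7", "proposal": "aes256-sha256-dh14"}
PFSENSE = {"remote_gateway": "198.51.100.7", "my_identifier": "203.0.113.10",
           "peer_identifier": "192.168.8.2", "public_ip": "203.0.113.10",
           "proposal": "aes256-sha256-dh14"}

if __name__ == "__main__":
    print("USG behind NAT:", usg_behind_nat(UNIFI))
    print("problems:", check_phase1(UNIFI, PFSENSE) or "none")
```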
