How to make Site to Site VPN with Ubiquiti UniFi work

We’ve rolled out Ubiquiti’s UniFi hardware for many customers; for small businesses it’s a great alternative to Cisco Meraki, given Meraki’s high price point and required licensing. We host the dashboards at Linode and AWS for central management, and can create secondary admins for individual sites where required.

I have 4 sites where I replaced SonicWalls with UniFi USGs and 4Ps, all joined to the same dashboard as separate sites.

When creating the “Auto VPN”, I noticed that the only option was to “daisy chain” the sites, rather than the hub/spoke/mesh hybrid I would usually deploy based on traffic patterns. I decided to try it anyway, since for this particular client there was a version of the “chain” that would work.

Result: I could ping any of the servers from any other server, and figured it should be working fine. NSLOOKUP returned accurate results, and I could ping both “server” and “server.domain.local” without any issue. I could browse to \\server and see the list of shares. REPADMIN /showreps appeared to show replication running between the domain controllers.

Issue: I couldn’t actually get into any share under \\server. Upon clicking “shared” (\\server\shared), it would hang for a few minutes, then just return me to \\server.

Solution: I removed the Auto VPN connections and started setting up Manual IPsec instead. Tedious, yes, but whatever it takes… I tinkered with it for a long time, and in the end found that the default settings for the connection do not work either and produced very similar results. What did work, however, was:

Key Exchange Version: IKEv2

Encryption: AES-128

Hash: SHA1

DH Group: 14

PFS Enabled

Dynamic Routing Disabled (this was the final adjustment before it started working)

[Screenshot: UniFi USG site-to-site VPN working settings]
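The same parameters expressed as a USG configuration, added here as an example and not taken from the original post. It assumes the USG’s Vyatta-derived CLI (the same config tree that config.gateway.json mirrors); the WAN addresses, LAN subnets, group names and pre-shared secret are placeholders.

```text
# Added example: policy-based site-to-site IPsec on a USG using the
# settings the post reports as working. Placeholders: 198.51.100.1 (local
# WAN), 203.0.113.2 (remote WAN), 192.168.10.0/24 (local LAN),
# 192.168.20.0/24 (remote LAN), CHANGE_ME_PSK (pre-shared secret).
configure

# Phase 1 (IKE): IKEv2, AES-128, SHA1, DH group 14
set vpn ipsec ike-group IKE-SITEB key-exchange ikev2
set vpn ipsec ike-group IKE-SITEB lifetime 28800
set vpn ipsec ike-group IKE-SITEB proposal 1 dh-group 14
set vpn ipsec ike-group IKE-SITEB proposal 1 encryption aes128
set vpn ipsec ike-group IKE-SITEB proposal 1 hash sha1

# Phase 2 (ESP): AES-128, SHA1, PFS on DH group 14
# (sha256 is preferable where both peers support it; sha1 matches the
# post's working settings)
set vpn ipsec esp-group ESP-SITEB lifetime 3600
set vpn ipsec esp-group ESP-SITEB pfs dh-group14
set vpn ipsec esp-group ESP-SITEB proposal 1 encryption aes128
set vpn ipsec esp-group ESP-SITEB proposal 1 hash sha1

# "Dynamic Routing Disabled": no VTI interface and no routed tunnel;
# traffic is selected purely by the local/remote prefixes below
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec site-to-site peer 203.0.113.2 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 203.0.113.2 authentication pre-shared-secret CHANGE_ME_PSK
set vpn ipsec site-to-site peer 203.0.113.2 ike-group IKE-SITEB
set vpn ipsec site-to-site peer 203.0.113.2 local-address 198.51.100.1
set vpn ipsec site-to-site peer 203.0.113.2 tunnel 1 esp-group ESP-SITEB
set vpn ipsec site-to-site peer 203.0.113.2 tunnel 1 local prefix 192.168.10.0/24
set vpn ipsec site-to-site peer 203.0.113.2 tunnel 1 remote prefix 192.168.20.0/24

commit
save
exit

# Verify from operational mode: the IKE SA and the child (ESP) SA for
# 203.0.113.2 should both show as up, with the proposals above
show vpn ipsec status
show vpn ipsec sa
```

The remote USG needs the mirror image (its own WAN as local-address, this site as the peer, and the prefixes swapped). On a controller-managed USG these CLI changes are overwritten at the next provision unless the same tree is carried in config.gateway.json.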


  • Edi Mange

    Helpful, was looking at playing around with some of these!