This guide will lead you through the procedure to establish a Site-to-Site VPN tunnel between your Perimeter 81 network and the UniFi USG environment.
Configuring an IPSec tunnel in the Management Platform
- Under Network in the Management Platform on the left side, select the network name in which you'd like to set the tunnel.
- Locate the desired gateway, and select the three-dotted menu (...).
- Select Add Tunnel and then IPSec Site-2-Site Tunnel.
The following window displays:
- In the General Settings section, fill in the following information:
- Name: Choose whatever name you find suitable for the tunnel.
- Shared Secret: Enter a string of your own or use Generate.
- Public IP: Enter the public IP of the UniFi USG device.
- Remote IP: Enter the public IP of the UniFi USG device.
- Perimeter 81 Gateway Proposal Subnets: By default, this should be set to 10.255.0.0/16.
- Remote Gateway Proposal Subnets: Click Specified Subnets and specify according to your local LAN Subnets.
- In the Advanced Settings section, complete the following information:
- IKE Version: IKEv2 if the Firewall version supports it, IKEv1 otherwise.
- IKE Lifetime: 8h
- Tunnel Lifetime: 8h
- Dead Peer Detection Delay: 10s
- Dead Peer Detection Timeout: 30s
- Encryption (Phase 1): aes256
- Encryption (Phase 2): aes256
- Integrity (Phase 1): sha1
- Integrity (Phase 2): sha1
- Diffie-Hellman Groups (Phase 1): 21
- Diffie-Hellman Groups (Phase 2): 21
Leave the rest of the fields with the default values (as shown in the image below).
Configuring the tunnel in the UniFi - USG Management Interface
- Open the UniFi - USG management interface.
- In the left panel, select Networks, then select Create New Network:
- Select Site to Site VPN > Manual IPsec and fill in the following information:
- Enable this Site-to-Site VPN
- Remote Subnets: Enter the Perimeter 81 subnet (by default, it's 10.255.0.0/16).
- Peer IP: Enter the public IP of the location server.
- Local WAN IP: Enter the public IP of the UniFi USG.
- Pre-shared key: Enter the Shared Key you chose on the Management Portal.
- In the Advanced Options, fill in the following information:
- Key Exchange Version: IKEv2 if the Firewall version supports it, IKEv1 otherwise.
- Encryption: AES-256
- Hash: SHA1
- DH Group: 21
- PFS: Enable
- Dynamic Routing: Disable
- After doing this, you must add any other subnet used under "Remote Subnets" and ensure a reverse traffic route is created under Static Routes in the UniFi device for each connected subnet, so that return traffic goes back via the Perimeter 81 interface.
- This also requires you to go back to the Perimeter 81 tunnel you created in the Perimeter 81 Admin workspace and change "Perimeter 81 Gateway Proposal Subnets" and "Remote Gateway Proposal Subnets" to Any (0.0.0.0/0).
- You will also need to create separate static routing on Perimeter 81. More information can be found in the following article: How to Setup Interconnectivity (Cloud-Agnostic) Between Connected Sites.
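As an added example that is not part of this guide or of either vendor's tooling, the script below encodes the settings from the two configuration sections above and checks that the two ends mirror each other (mismatched proposals or subnets are the usual reason a tunnel never comes up); the dictionary keys and the sample LAN subnet 192.168.10.0/24 are assumptions of the example.

```python
# Added example (not from the Perimeter 81 article or either vendor): a small
# consistency check between the two ends of the tunnel. Field names and the
# sample subnet 192.168.10.0/24 are this script's own assumptions; the cipher,
# hash, DH-group and IKE values are the ones the guide lists.
ALIASES = {"aes-256": "aes256", "aes-128": "aes128", "sha-1": "sha1", "sha-256": "sha256"}


def norm(token):
    """Map USG UI spellings (AES-256, SHA1) onto Perimeter 81 spellings."""
    t = str(token).lower()
    return ALIASES.get(t, t)


def check_tunnel(p81, usg):
    """Compare both sides; returns (mismatches, advisories).
    An empty mismatch list means proposals and traffic selectors line up."""
    mismatches, advisories = [], []
    if p81["ike_version"] != usg["ike_version"]:
        mismatches.append("IKE version differs")
    if p81["psk"] != usg["psk"]:
        mismatches.append("pre-shared key differs")
    # The USG 'Manual IPsec' form has one cipher/hash/DH setting that applies
    # to both phases, so each Perimeter 81 phase must equal it.
    for phase in ("phase1", "phase2"):
        p = p81[phase]
        if norm(p["encryption"]) != norm(usg["encryption"]):
            mismatches.append(f"{phase} encryption differs")
        if norm(p["integrity"]) != norm(usg["hash"]):
            mismatches.append(f"{phase} integrity differs")
    if p81["phase1"]["dh_group"] != usg["dh_group"]:
        mismatches.append("phase1 DH group differs")
    # A phase-2 DH group only exists when PFS is on; a group on one side but
    # not the other breaks rekeying even if the initial tunnel comes up.
    if usg["pfs"] != (p81["phase2"].get("dh_group") is not None):
        mismatches.append("PFS setting differs")
    elif usg["pfs"] and p81["phase2"]["dh_group"] != usg["dh_group"]:
        mismatches.append("phase2 DH group differs")
    # Traffic selectors must mirror each other (local on one end = remote on the other).
    if set(p81["local_subnets"]) != set(usg["remote_subnets"]):
        mismatches.append("Perimeter 81 subnets not mirrored in USG Remote Subnets")
    if set(p81["remote_subnets"]) != set(usg["local_subnets"]):
        mismatches.append("USG local subnets not mirrored in Remote Gateway Proposal Subnets")
    if norm(p81["phase1"]["integrity"]) == "sha1" or norm(usg["hash"]) == "sha1":
        advisories.append("sha1 integrity works, but prefer sha256 where both ends support it")
    return mismatches, advisories


# Constructed inputs mirroring the guide's settings (PSK is a placeholder).
P81 = {"ike_version": "IKEv2", "psk": "example-psk", "local_subnets": ["10.255.0.0/16"],
       "remote_subnets": ["192.168.10.0/24"],
       "phase1": {"encryption": "aes256", "integrity": "sha1", "dh_group": 21},
       "phase2": {"encryption": "aes256", "integrity": "sha1", "dh_group": 21}}
USG = {"ike_version": "IKEv2", "psk": "example-psk", "encryption": "AES-256", "hash": "SHA1",
       "dh_group": 21, "pfs": True, "remote_subnets": ["10.255.0.0/16"],
       "local_subnets": ["192.168.10.0/24"]}

if __name__ == "__main__":
    for line in sum(check_tunnel(P81, USG), []):
        print(line)
```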
Configuring firewall and static routing
Next, add static routes through the VPN tunnel gateway in both directions: from the Perimeter 81 subnet (10.255.0.0/16) to the local network, and from the local network back to the Perimeter 81 subnet. Firewall rules that allow this traffic are also required.
- Go to Routing & Firewall > Static Routes > Create New Route.
- Choose a name.
- Enable the route.
- Enter the Perimeter 81 subnet (by default it's 10.255.0.0/16) in Destination Network.
- Make sure to choose the interface you created in the previous section.
- Create a firewall rule that allows traffic from the Perimeter 81 subnet to the LAN Network.
In case IPS/IDS is enabled on the UniFi:
To establish a tunnel with the Perimeter 81 network in version 7 and above of the UniFi firewall, you must create an exception within your Threat detection system.
To add a "Threat Management Allow List" entry:
- Click on the Firewall & Security tab.
- Click Create New Allow List.
- Select the Site-2-Site network you created earlier (in the step titled "Configuring the tunnel in the UniFi - USG Management Interface").
- Save your changes.