UniFi USG
  • 27 Mar 2025

      Introduction

      This guide will lead you through the procedure to establish a Site-to-Site VPN tunnel between your Harmony SASE network and the UniFi USG environment.

      Breakdown of topics

      1. Pre-requisites
      2. Configuration Steps
      3. Verifying the Setup
      4. Troubleshooting
      5. Support Contacts

      Pre-requisites

      To successfully follow this guide, ensure that you:

      1. Have an active Harmony SASE account with an existing network.
      2. Have the Harmony SASE application installed on your devices.
      3. Maintain an operational UniFi USG setup with the necessary administrative privileges.

      Configuration Steps

      Important
      If you operate on UniFi Controller 5.13.29 and above, please switch to Classic Mode first.

      Configuring an IPSec tunnel in the Management Platform

      1. Under Network in the Management Platform on the left side, select the network name in which you'd like to set the tunnel.
      2. Locate the desired gateway, and select the three-dotted menu (...).
      3. Select Add Tunnel and then IPSec Site-2-Site Tunnel.

      The following window displays: [screenshot: IPSec Site-2-Site Tunnel settings window]


      4. In the General Settings section, fill in the following information:


      • Name: Choose whatever name you find suitable for the tunnel.
      • Shared Secret: Enter a string of your own or use Generate.
      • Public IP: Enter the public IP of the UniFi USG device.
      • Remote IP: Enter the public IP of the UniFi USG device.
      • Perimeter 81 Gateway Proposal Subnets: By default, this should be set to 10.255.0.0/16.
      • Remote Gateway Proposal Subnets: Click Specified Subnets and specify according to your local LAN Subnets.

      5. In the Advanced Settings section, complete the following information:

      • IKE Version: IKEv2 if the firewall version supports it, IKEv1 otherwise.
      • IKE Lifetime: 8h
      • Tunnel Lifetime: 8h
      • Dead Peer Detection Delay: 10s
      • Dead Peer Detection Timeout: 30s
      • Encryption (Phase 1): aes256
      • Encryption (Phase 2): aes256
      • Integrity (Phase 1): sha1
      • Integrity (Phase 2): sha1
      • Diffie-Hellman Groups (Phase 1): 21
      • Diffie-Hellman Groups (Phase 2): 21

      Leave the rest of the fields with the default values (as shown in the image below).

      Configuring the tunnel in the UniFi - USG Management Interface

      1. Open the UniFi - USG management interface.
      2. In the left panel, select VPN, and then click the Site-to-Site VPN tab.
      3. In the VPN Type field, select IPsec.
      4. In the Name field, enter a name for the network.
      5. In the Pre-shared key field, enter the shared key you chose on the management portal.
      6. In the Local IP field, enter the public IP of the UniFi USG firewall.
      7. In the Remote IP/ Hostname field, enter the Harmony SASE gateway IP.
      8. In the VPN Method field, select Route Based.
      9. In the Remote Network(s) field, select Static.
      10. Click Add.
      11. In the Subnet field, click Edit to enter the Harmony SASE network subnet. The default value is 10.255.0.0/16.
      12. In the Advanced field, select Manual.
      13. From the Key Exchange Version list, select IKEv2 if the firewall version supports it; otherwise select IKEv1.
      14. In the IKE field, specify these:
        1. Encryption - AES-256
        2. Hash - SHA1
        3. DH Group - 21
        4. Lifetime - 28800
      15. In the ESP field, specify these:
        1. Encryption - AES-256
        2. Hash - SHA1
        3. DH Group - 21
        4. Lifetime - 3600
      16. Select the Perfect Forward Secrecy (PFS) checkbox.
      17. In these fields, select the Auto checkbox:
        • Local Authentication ID
        • Remote Authentication ID
        • Maximum Transmission Unit
      18. From the Route Distance list, set a distance.
      19. Click Add.

      Interconnectivity

      If you need to create a Route-Based IPSec Site-to-Site tunnel between Harmony SASE and your Ubiquiti network, you can check "Enable Dynamic Routing."

      • After doing this, you must add any other Subnet used under "Remote Subnets" and ensure a reverse traffic route is created under Static Routes in the UniFi device for each connected subnet to go back via the Harmony SASE Interface.
      • This would also require you to go back to the Harmony SASE Tunnel you created on the Perimeter81 Admin workspace and change "Perimeter 81 Gateway Proposal Subnets" and "Remote Gateway Proposal Subnets" to Any (0.0.0.0/0).
      • You will also need to create separate Static Routing on Harmony SASE. More information can be found in the following article: How to Setup Interconnectivity (Cloud-Agnostic) Between Connected Sites.

      Configuring firewall and static routing

      Next, let's add static routes so that traffic between the Harmony SASE subnet (10.255.0.0/16) and the local network, in both directions, goes through the VPN tunnel interface. It is also necessary to create firewall rules to allow this traffic.

      1. Go to Routing & Firewall > Static Routes > Create New Route.
      • Choose a name.
      • Enable the route.
      • Enter the Harmony SASE subnet (by default it's 10.255.0.0/16) in Destination Network.
      • Make sure to choose the interface you created in the previous section.
      2. Create a firewall rule that allows traffic from the Harmony SASE subnet to the LAN Network.

      In case IPS/IDS is enabled on the UniFi:

      To establish a tunnel with the Harmony SASE network in version 7 and above of the UniFi firewall, you must create an exception within your Threat detection system.
      To add a "Threat Management Allow List" entry:

      1. Click on the Firewall & Security tab.
      2. Click Create New Allow List.
      3. Select the Site-2-Site network you created earlier (in the section titled "Configuring the tunnel in the UniFi - USG Management Interface").
      4. Save your changes.

      Verifying the Setup

      After following the above steps, your tunnel should be active.
      To verify, go to your Harmony SASE dashboard, locate the tunnel you just created, and check the tunnel status.
      It should indicate that the tunnel is "Up", signifying a successful connection.
      Next, connect to your network using the Harmony SASE agent and attempt to access one of the resources in your environment.

      Troubleshooting

      If you encounter issues during or after the setup, try reviewing your settings to ensure everything matches the instructions. In particular, check the IP addresses and other details you entered during setup. If issues persist, please consult our dedicated support.
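      As an added example (not part of this article, and not Check Point or Ubiquiti code), the script below encodes both ends of the tunnel as entered in the two configuration sections above and performs the review the paragraph above asks for: it flags the mismatches that most often keep an IPSec tunnel down (IKE version, shared secret, public IPs or proposal subnets that are not mirrored, differing encryption, integrity or DH group), reports lifetime differences as informational, checks the tunnel subnets for overlaps, and lists the static route and firewall rule the routing section requires. The algorithm, DH-group, lifetime and 10.255.0.0/16 values come from the guide; the two public IPs, the 192.168.1.0/24 LAN and the shared secret are constructed placeholders, and the mirroring and overlap rules are general IPSec behaviour, not anything specific to the two products.

```python
"""Consistency check for the two ends of the Harmony SASE <-> UniFi USG
IPSec site-to-site tunnel described in this guide.

Added example; not part of the article and not Check Point or Ubiquiti code.
Algorithm, DH-group, lifetime and 10.255.0.0/16 values are the guide's; the
public IPs, the LAN subnet and the shared secret are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass


def lifetime_seconds(value) -> int:
    """Normalise a lifetime given as '8h', '30s' or a bare number of seconds."""
    if isinstance(value, int):
        return value
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400}
    value = value.strip().lower()
    if value and value[-1] in units:
        return int(value[:-1]) * units[value[-1]]
    return int(value)


def normalise_alg(alg: str) -> str:
    """'AES-256', 'aes256' and 'AES_256' all name the same suite."""
    return alg.lower().replace("-", "").replace("_", "")


@dataclass
class Phase:
    encryption: str
    integrity: str
    dh_group: int
    lifetime: int  # seconds


@dataclass
class TunnelSide:
    name: str
    ike_version: int
    local_ip: str         # this end's public IP
    remote_ip: str        # the peer's public IP
    psk: str
    local_subnets: list   # networks behind this end
    remote_subnets: list  # networks behind the peer
    phase1: Phase
    phase2: Phase


def compare_sides(a: TunnelSide, b: TunnelSide) -> list:
    """Return (severity, message) findings.

    ERROR: the two ends disagree on something IKE requires to match.
    INFO:  a difference IKE tolerates but the operator should know about.
    """
    findings = []
    if a.ike_version != b.ike_version:
        findings.append(("ERROR", f"IKE version {a.ike_version} vs {b.ike_version}"))
    if a.psk != b.psk:
        findings.append(("ERROR", "pre-shared keys differ"))
    if a.local_ip != b.remote_ip or a.remote_ip != b.local_ip:
        findings.append(("ERROR", "public IPs are not mirrored between the two ends"))
    for label, pa, pb in (("Phase 1/IKE", a.phase1, b.phase1),
                          ("Phase 2/ESP", a.phase2, b.phase2)):
        if normalise_alg(pa.encryption) != normalise_alg(pb.encryption):
            findings.append(("ERROR", f"{label} encryption {pa.encryption} vs {pb.encryption}"))
        if normalise_alg(pa.integrity) != normalise_alg(pb.integrity):
            findings.append(("ERROR", f"{label} integrity {pa.integrity} vs {pb.integrity}"))
        if pa.dh_group != pb.dh_group:
            findings.append(("ERROR", f"{label} DH group {pa.dh_group} vs {pb.dh_group}"))
        if pa.lifetime != pb.lifetime:
            findings.append(("INFO", f"{label} lifetime {pa.lifetime}s vs {pb.lifetime}s; "
                                     "each end rekeys on its own timer, the shorter one wins"))
    # Traffic selectors: what is "local" on one end must be "remote" on the other.
    if set(a.local_subnets) != set(b.remote_subnets) or set(a.remote_subnets) != set(b.local_subnets):
        findings.append(("ERROR", "proposal subnets are not mirrored between the two ends"))
    return findings


def overlapping_subnets(subnets) -> list:
    """Pairs of subnets that overlap; a LAN overlapping the 10.255.0.0/16
    Harmony SASE range makes the return route ambiguous."""
    nets = [ipaddress.ip_network(s, strict=False) for s in subnets]
    return [(str(x), str(y)) for i, x in enumerate(nets)
            for y in nets[i + 1:] if x.overlaps(y)]


def required_usg_config(usg: TunnelSide) -> dict:
    """Static route(s) and firewall rule(s) the routing/firewall section adds on the USG."""
    return {
        "static_routes": [f"{net} via the site-to-site VPN interface" for net in usg.remote_subnets],
        "firewall_rules": [f"allow {src} -> {dst}"
                           for src in usg.remote_subnets for dst in usg.local_subnets],
    }


# Constructed sample values (placeholders, not real addresses or a real secret).
SASE_GATEWAY_IP = "203.0.113.10"
USG_PUBLIC_IP = "198.51.100.20"
PSK = "constructed-shared-secret"

# Harmony SASE end, as filled in under General Settings / Advanced Settings.
sase = TunnelSide("Harmony SASE", 2, SASE_GATEWAY_IP, USG_PUBLIC_IP, PSK,
                  ["10.255.0.0/16"], ["192.168.1.0/24"],
                  Phase("aes256", "sha1", 21, lifetime_seconds("8h")),
                  Phase("aes256", "sha1", 21, lifetime_seconds("8h")))

# UniFi USG end, as entered in the IKE and ESP fields.
usg = TunnelSide("UniFi USG", 2, USG_PUBLIC_IP, SASE_GATEWAY_IP, PSK,
                 ["192.168.1.0/24"], ["10.255.0.0/16"],
                 Phase("AES-256", "SHA1", 21, 28800),
                 Phase("AES-256", "SHA1", 21, 3600))

if __name__ == "__main__":
    for severity, msg in compare_sides(sase, usg):
        print(severity, msg)
    print("overlaps:", overlapping_subnets(sase.local_subnets + sase.remote_subnets))
    print(required_usg_config(usg))
```

      Run directly, the only finding with the guide's values is the informational Phase 2 lifetime difference (8h on the Harmony SASE side, 3600 seconds for ESP on the USG); anything reported as ERROR is a setting to correct before looking elsewhere.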

      Support Contacts

      If you have any difficulties or questions, don't hesitate to contact Harmony SASE's support team. We offer 24/7 chat support on our website at Perimeter81.com, or you can email us at sase-support@checkpoint.com. We're here to assist you and ensure your VPN tunnel setup is a success.


