---
title: "UniFi USG"
slug: "configuring-perimeter-site-to-site-with-unifi-usg-devices"
updated: 2026-04-07T09:02:14Z
published: 2026-04-07T09:02:14Z
canonical: "support.perimeter81.com/configuring-perimeter-site-to-site-with-unifi-usg-devices"
stale: true
---


# UniFi USG

## Introduction

This guide will lead you through the procedure to establish a Site-to-Site VPN tunnel between your Check Point SASE network and the UniFi USG environment.

**Breakdown of topics**

1. Pre-requisites
2. Configuration Steps
3. Verifying the Setup
4. Troubleshooting
5. Support Contacts

## Pre-requisites

To successfully follow this guide, ensure that you:

1. Have an active Check Point SASE account with an existing network.
2. Have the Check Point SASE application installed on your devices.
3. Maintain an operational UniFi USG setup with the necessary administrative privileges.

## Configuration Steps

**Important:** If you operate UniFi Controller 5.13.29 or above, please switch to *Classic Mode* first.

## Configuring an IPSec tunnel in the Management Platform

1. Under **Network** in the **Management Platform** on the left side, select the network name in which you'd like to set the tunnel.
2. Locate the desired gateway, and select the three-dotted menu (...).  
![360009228460ScreenShot2020-02-23at100928.png](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/360009228460ScreenShot2020-02-23at100928.png)
3. Select **Add Tunnel** and then **IPSec Site-2-Site Tunnel**.

4. In the **General Settings** section, specify these:

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Unifi_General.PNG)

- **Name:** Choose whatever name you find suitable for the tunnel.
- **Shared Secret:** Enter a string of your own or use Generate.
- **Public IP:** Enter the public IP of the UniFi USG device.
- **Remote IP:** Enter the public IP of the UniFi USG device.
- **Perimeter 81 Gateway Proposal Subnets:** By default, this should be set to 10.255.0.0/16.
- **Remote Gateway Proposal Subnets:** Click **Specified Subnets** and specify according to your local LAN Subnets.

5. In the **Advanced Settings** section, specify these:

- **IKE Version:** V2 if the firewall version supports it, V1 otherwise.
- **IKE Lifetime:** 8h
- **Tunnel Lifetime:** 8h
- **Dead Peer Detection Delay:** 10s
- **Dead Peer Detection Timeout:** 30s
- **Phase 1**:
  - **Encryption (Phase 1):** aes256
  - **Integrity (Phase 1):** sha1
  - **Key Exchange Method:** ecp521
- **Phase 2**:
  - **Encryption (Phase 2):** aes256
  - **Integrity (Phase 2):** sha1
  - **Key Exchange Method:** ecp521

Leave the rest of the fields with the default values.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Unifi_V2_8h_8h_sha1_521.PNG)

## Configuring the tunnel in the UniFi - USG Management Interface

1. Open the UniFi - USG management interface.
2. In the left panel, select **VPN**, and then click the **Site-to-Site VPN** tab.
3. In the **VPN Type** field, select **IPsec**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/UniFi%20Dream%20Machine%20IPSec%20Config%201.png)
4. In the **Name** field, enter a name for the network.
5. In the **Pre-shared key** field, enter the shared key you chose on the management portal.
6. In the **Local IP** field, enter the public IP of the UniFi USG firewall.
7. In the **Remote IP/Hostname** field, enter the Check Point SASE gateway IP.
8. In the **VPN Method** field, select **Route Based**.
9. In the **Remote Network(s)** field, select **Static**.
10. Click **Add**.
11. In the **Subnet** field, click **Edit** to enter the Check Point SASE network subnet. The default value is **10.255.0.0/16**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/UniFI%20IPSec%20Config%202.png)
12. In the **Advanced** field, select **Manual**.
13. From the **Key Exchange Version** list, select **IKEv2** if the firewall version supports it; otherwise select **IKEv1**.
14. In the **IKE** field, specify these:
  1. **Encryption** - AES-256
  2. **Hash** - SHA1
  3. **DH Group** - 21
  4. **Lifetime** - 28800
15. In the **ESP** field, specify these:
  1. **Encryption** - AES-256
  2. **Hash** - SHA1
  3. **DH Group** - 21
  4. **Lifetime** - 3600
16. Select the **Perfect Forward Secrecy (PFS)** checkbox.
17. In these fields, select the **Auto** checkbox:
  - **Local Authentication ID**
  - **Remote Authentication ID**
  - **Maximum Transmission Unit**
18. From the **Route Distance** list, set a distance.
19. Click **Add**.
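Because the two sides are configured in separate consoles, a mismatch between the Management Platform's Phase 1/Phase 2 settings above and the UniFi IKE/ESP fields is the most common reason a tunnel never comes up. The following added example (not part of this guide or of either product) normalises both sides' values as written on this page (ecp521 is DH group 21, 8h is 28800 s) and reports every difference, and it also checks that the Check Point SASE subnet does not overlap the local LAN subnets you enter as Remote Gateway Proposal Subnets. The local LAN subnets used are constructed sample values.

```python
from ipaddress import ip_network

# Key-exchange names used in the Check Point SASE tunnel form mapped to the numeric
# DH group the UniFi USG interface expects (IANA IKEv2 Transform Type 4 registry).
DH_GROUPS = {"modp1024": 2, "modp2048": 14, "ecp256": 19, "ecp384": 20, "ecp521": 21}


def seconds(value):
    """Normalise a lifetime given as '8h', '30s', '3600' or an int to seconds."""
    if isinstance(value, int):
        return value
    units = {"s": 1, "m": 60, "h": 3600}
    v = value.strip().lower()
    return int(v[:-1]) * units[v[-1]] if v[-1] in units else int(v)


def norm(name):
    """'AES-256' and 'aes256' name the same cipher; compare them case- and dash-insensitively."""
    return name.replace("-", "").lower()


def compare_phase(label, sase, usg):
    """Return a list of findings where a SASE phase and the matching USG IKE/ESP block disagree."""
    findings = []
    if norm(sase["encryption"]) != norm(usg["encryption"]):
        findings.append(f"{label}: encryption {sase['encryption']} vs {usg['encryption']}")
    if norm(sase["integrity"]) != norm(usg["hash"]):
        findings.append(f"{label}: integrity {sase['integrity']} vs {usg['hash']}")
    if DH_GROUPS.get(sase["key_exchange"]) != usg["dh_group"]:
        findings.append(f"{label}: {sase['key_exchange']} is not DH group {usg['dh_group']}")
    if seconds(sase["lifetime"]) != seconds(usg["lifetime"]):
        findings.append(f"{label}: lifetime {seconds(sase['lifetime'])}s vs {seconds(usg['lifetime'])}s")
    return findings


def overlapping_subnets(sase_subnets, local_subnets):
    """Return (sase, local) pairs that overlap; such a LAN cannot be routed through the tunnel unambiguously."""
    return [(a, b) for a in sase_subnets for b in local_subnets
            if ip_network(a).overlaps(ip_network(b))]


# Values as given in this guide; 192.168.1.0/24 is a constructed sample LAN.
SASE_PHASE1 = {"encryption": "aes256", "integrity": "sha1", "key_exchange": "ecp521", "lifetime": "8h"}
SASE_PHASE2 = {"encryption": "aes256", "integrity": "sha1", "key_exchange": "ecp521", "lifetime": "8h"}
USG_IKE = {"encryption": "AES-256", "hash": "SHA1", "dh_group": 21, "lifetime": 28800}
USG_ESP = {"encryption": "AES-256", "hash": "SHA1", "dh_group": 21, "lifetime": 3600}

if __name__ == "__main__":
    for f in compare_phase("Phase 1/IKE", SASE_PHASE1, USG_IKE) + compare_phase("Phase 2/ESP", SASE_PHASE2, USG_ESP):
        print("CHECK:", f)
    print("overlaps:", overlapping_subnets(["10.255.0.0/16"], ["192.168.1.0/24"]))
```

Run against the values on this page, Phase 1 matches and the only finding is the Phase 2 lifetime (8h on the SASE side versus 3600 s in the ESP field); IKE peers tolerate differing rekey lifetimes, so treat that line as something to confirm rather than a hard error.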

**Interconnectivity:** If you need to create a *Route-Based* IPSec Site-to-Site between Check Point SASE and your Ubiquiti network, you can check "Enable Dynamic Routing."

- After doing this, you must add any other Subnet used under "Remote Subnets" and ensure a reverse traffic route is created under Static Routes in the UniFi device for each connected subnet to go back via the Check Point SASE Interface.
- This would also require you to go back to the Check Point SASE Tunnel you created on the Perimeter81 Admin workspace and change "Perimeter 81 Gateway Proposal Subnets" and "Remote Gateway Proposal Subnets" to Any (0.0.0.0/0).
- You will also need to create separate Static Routing on Check Point SASE. More information can be found in the following article: [How to Setup Interconnectivity (Cloud-Agnostic) Between Connected Sites](https://portal.document360.io/v1/docs/site-to-site-interconnectivity-and-full-site-to-gateway-tunneling).

## Configuring firewall and static routing

Next, add static routes so that traffic from the local network to the Check Point SASE subnet (10.255.0.0/16), and from the Check Point SASE subnet back to the local network, passes through the VPN tunnel gateway. It is also necessary to create firewall rules to allow this traffic.

1. Go to **Routing & Firewall** > **Static Routes** > **Create New Route.**

- Choose a name.
- Enable the route.
- Enter the Check Point SASE subnet (by default it's 10.255.0.0/16) in **Destination Network**.  
![360009232779ScreenShot2020-02-23at113738.png](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/360009232779ScreenShot2020-02-23at113738.png)
- Make sure to choose the **interface** you created in the previous section.

2. Create a firewall rule that allows traffic from the Check Point SASE subnet to the LAN Network.  
![360009232140ScreenShot2020-02-23at141155.png](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/360009232140ScreenShot2020-02-23at141155.png)

## In case IPS/IDS is enabled on the UniFi:

In version 7 and above of the UniFi firewall, to establish a tunnel with the Check Point SASE network you must create an exception within your threat detection system. **To add a "Threat Management Allow List" entry:**

1. Click on the **Firewall & Security** tab.
2. Click **Create New Allow List**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Unifi2.PNG)
3. Select the *Site-2-Site network you created earlier* (in the step titled "**Configuring the tunnel in the UniFi - USG Management Interface**").  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/unifi%20add.PNG)
4. Save your changes.


## Verifying the Setup

After following the above steps, your tunnel should be active. To verify, go to your Check Point SASE dashboard, locate the tunnel you just created, and check the tunnel status. It should indicate that the tunnel is "Up", signifying a successful connection. Next, connect to your network using the Check Point SASE agent and attempt to access one of the resources in your environment.

## Troubleshooting

If you encounter issues during or after the setup, try reviewing your settings to ensure everything matches the instructions. In particular, check the IP addresses and other details you entered during setup. If issues persist, please consult our dedicated support.

## Support Contacts

If you have any difficulties or questions, don't hesitate to contact Check Point SASE's support team. We offer 24/7 chat support on our website at [sase.checkpoint.com](https://www.sase.checkpoint.com/), or you can email us at sase-support@checkpoint.com. We're here to assist you and ensure your VPN tunnel setup is a success.
