Configuring Perimeter 81 Site-To-Site with UniFi - USG Devices

The following procedure demonstrates how to configure the VPN tunnel between Perimeter 81 and a UniFi USG device using the UniFi management interface. Please follow the steps below:

Configure an IPSec Tunnel at the Perimeter 81 Management Portal

1. Under Network in the Management Portal on the left side, select the name of the network in which you'd like to set the tunnel.

2. Locate the desired gateway, and select the three-dotted menu (...).

3. Select Add Tunnel and then IPSec Site-2-Site Tunnel.

The IPSec Site-2-Site Tunnel configuration window opens.

4. In the General Settings section fill in the following information:

  • Name: Choose whatever name you find suitable for the tunnel.
  • Shared Secret: Enter a string of your own or use Generate. The same value must be entered as the pre-shared key on the USG, so copy it exactly.
  • Public IP: Enter the public (WAN) IP of the UniFi USG device.
  • Remote IP: Enter the same public IP of the UniFi USG device.
  • Perimeter 81 Gateway Proposal Subnets: Leave the default, 10.255.0.0/16, unless your Perimeter 81 network uses a different range.
  • Remote Gateway Proposal Subnets: Click Specified Subnets and enter your local LAN subnets. These must not overlap the Perimeter 81 subnet.

5. In the Advanced Settings section complete the following information:

  • Diffie-Hellman Groups (Phase 1): 21
  • Diffie-Hellman Groups (Phase 2): 21 (Phase 2 DH is the PFS group; it must match the PFS setting on the USG)

Leave the rest of the fields at their default values.

Configure the Tunnel at the UniFi - USG Management Interface

1. Open the UniFi - USG management interface.

2. In the left panel, select Networks, then select Create New Network.

3. Select Site to Site VPN > Manual IPsec and fill in with the following information:

  • Enable this Site-to-Site VPN
  • Remote Subnets: Enter the Perimeter 81 subnet (by default it's 10.255.0.0/16).
  • Peer IP: Enter the public IP of the Perimeter 81 gateway (the location server) on which you created the tunnel.
  • Local WAN IP: Enter the public IP of the UniFi USG.
  • Pre-shared key: Enter the Shared Secret you chose in the Perimeter 81 Management Portal.

4. In the Advanced Options, fill in the following information:

  • Key Exchange Version: IKEv2
  • Encryption: AES-256
  • Hash: SHA1 (this matches the portal default left unchanged above; both ends must use the same hash, so if you raise one side to SHA-256, raise the other as well)
  • DH Group: 21
  • PFS: Enable
  • Dynamic Routing: Disable

All of these values must match the Perimeter 81 side exactly; a mismatch in any one of them leaves the tunnel stuck in Phase 1 or Phase 2 negotiation.

Configure Firewall and Static Routing

Traffic between the local network and the Perimeter 81 subnet (10.255.0.0/16) needs a static route on the USG that sends the Perimeter 81 subnet into the VPN tunnel interface, and firewall rules that allow the traffic in both directions through the tunnel.

1. Go to Routing & Firewall > Static Routes > Create New Route.

  • Enter a name of your choosing.
  • Enable the route.
  • Enter the Perimeter 81 subnet (by default it's 10.255.0.0/16) in Destination Network.
  • Make sure to choose the VPN network interface you created in the previous section as the next hop.

2. Under Routing & Firewall > Firewall, create a rule that allows traffic from the Perimeter 81 subnet (10.255.0.0/16) to the LAN network. Keep the rule as narrow as the tunnel needs: source 10.255.0.0/16, destination your LAN subnets, rather than any-to-any.
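As an added example (not from the article, Perimeter 81 or Ubiquiti), the script below models the three steps above, the portal tunnel form, the USG Manual IPsec form and the routing requirement, as plain dicts and runs the checks that most often leave such a tunnel stuck in negotiation or up but passing no traffic: identical IKE/ESP proposals on both ends, matching pre-shared key, each side's peer address being the other side's WAN address, the USG Remote Subnets equalling the Perimeter 81 gateway subnets, and the LAN not overlapping 10.255.0.0/16 (if it did, the connected route would shadow the static route into the tunnel). The dict keys, helper names and `lan_networks` (taken here to be the networks defined on the controller, which form the local side of the tunnel) are this example's own assumptions, and the sample data uses constructed RFC 5737 documentation addresses.

```python
"""Pre-flight check for a Perimeter 81 <-> UniFi USG IPsec site-to-site tunnel.

Added example, not code from the article, Perimeter 81 or Ubiquiti. The portal
form and the USG Manual IPsec form are modelled as dicts; check_tunnel() returns
the list of mismatches found. Key names, helper names and addresses are this
example's own; the sample data below is constructed.
"""
import ipaddress
import secrets
import string
from typing import Dict, List, Set

P81_DEFAULT_SUBNET = "10.255.0.0/16"   # Perimeter 81 gateway subnet from the article


def parse_subnets(subnets: List[str]) -> Set[ipaddress.IPv4Network]:
    """strict=True rejects entries with host bits set, e.g. 192.168.1.1/24."""
    return {ipaddress.ip_network(s, strict=True) for s in subnets}


def generate_psk(length: int = 32) -> str:
    """Stand-in for the portal's Generate button: a random alphanumeric secret."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def check_tunnel(portal: Dict, usg: Dict) -> List[str]:
    """Return the problems found; an empty list means both sides agree."""
    problems: List[str] = []

    # Phase 1 / Phase 2 proposals: IKE only accepts a proposal that matches exactly.
    for field in ("ike_version", "encryption", "hash"):
        if portal[field] != usg[field]:
            problems.append(f"{field} mismatch: portal={portal[field]} usg={usg[field]}")
    if portal["dh_group_phase1"] != usg["dh_group"]:
        problems.append(f"Phase 1 DH group mismatch: portal={portal['dh_group_phase1']} usg={usg['dh_group']}")
    # The USG form has a single DH Group; with PFS enabled it is reused for Phase 2.
    if usg["pfs"]:
        if portal["dh_group_phase2"] != usg["dh_group"]:
            problems.append(f"Phase 2 DH group mismatch: portal={portal['dh_group_phase2']} usg={usg['dh_group']}")
    elif portal["dh_group_phase2"] is not None:
        problems.append("portal sets a Phase 2 DH group but PFS is disabled on the USG")

    # Addressing: each side's peer is the other side's WAN address.
    if portal["public_ip"] != usg["local_wan_ip"]:
        problems.append("portal Public IP is not the USG Local WAN IP")
    if usg["peer_ip"] != portal["gateway_public_ip"]:
        problems.append("USG Peer IP is not the Perimeter 81 gateway public IP")

    # Pre-shared key: must be identical on both ends, and not trivially short.
    if portal["shared_secret"] != usg["pre_shared_key"]:
        problems.append("pre-shared key differs between portal and USG")
    if len(usg["pre_shared_key"]) < 20:
        problems.append("pre-shared key is shorter than 20 characters")

    # Traffic selectors: the portal's gateway subnets are the USG's Remote Subnets,
    # the portal's remote subnets must be networks the USG actually has, and the
    # Perimeter 81 range must not overlap the LAN (the connected route would win).
    p81 = parse_subnets(portal["p81_subnets"])
    if p81 != parse_subnets(usg["remote_subnets"]):
        problems.append("USG Remote Subnets differ from the Perimeter 81 gateway proposal subnets")
    lan = parse_subnets(portal["remote_subnets"])
    lan_networks = parse_subnets(usg["lan_networks"])
    if not lan <= lan_networks:
        problems.append("portal Remote Gateway proposal subnets are not all networks defined on the USG")
    for local_net in lan | lan_networks:
        for p81_net in p81:
            if local_net.overlaps(p81_net):
                problems.append(f"LAN {local_net} overlaps Perimeter 81 subnet {p81_net}")
    return problems


# Constructed sample data (RFC 5737 documentation addresses, not real hosts).
PORTAL = {
    "ike_version": "ikev2", "encryption": "aes256", "hash": "sha1",
    "dh_group_phase1": 21, "dh_group_phase2": 21,
    "gateway_public_ip": "203.0.113.10",        # Perimeter 81 gateway the tunnel is added to
    "public_ip": "198.51.100.20",               # Public IP / Remote IP fields: the USG WAN address
    "shared_secret": "constructed-example-secret-4f9b2c7e1a",
    "p81_subnets": [P81_DEFAULT_SUBNET],        # Perimeter 81 Gateway Proposal Subnets
    "remote_subnets": ["192.168.1.0/24"],       # Remote Gateway Proposal Subnets (your LAN)
}
USG = {
    "ike_version": "ikev2", "encryption": "aes256", "hash": "sha1",
    "dh_group": 21, "pfs": True,
    "peer_ip": "203.0.113.10",
    "local_wan_ip": "198.51.100.20",
    "pre_shared_key": "constructed-example-secret-4f9b2c7e1a",
    "remote_subnets": [P81_DEFAULT_SUBNET],
    "lan_networks": ["192.168.1.0/24"],         # networks on the controller (assumed local side)
}


def good_example() -> List[str]:
    return check_tunnel(PORTAL, USG)


def broken_example() -> List[str]:
    """Two realistic mistakes: SHA-256 on the USG only, and a LAN inside 10.255.0.0/16."""
    portal = dict(PORTAL, remote_subnets=["10.255.1.0/24"])
    usg = dict(USG, hash="sha256", lan_networks=["10.255.1.0/24"])
    return check_tunnel(portal, usg)


if __name__ == "__main__":
    print("good:", good_example() or "no problems")
    print("broken:", broken_example())
    print("fresh PSK:", generate_psk())
```

Once both sides are configured, the same facts can be confirmed on the USG itself over SSH: `show vpn ipsec sa` shows whether Phase 1 and Phase 2 came up with the negotiated algorithms, and `show ip route 10.255.0.0/16` shows whether the static route from step 1 points into the tunnel.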


Comments

  • In the last step "2. Create a firewall rule that allows traffic from the Perimeter 81 subnet to the LAN Network." I'm not sure under which of the Firewall tabs the rule should be created. I have:
    - WAN IN
    - WAN OUT
    - WAN LOCAL
    - LAN IN
    - LAN OUT
    - LAN LOCAL
    - guest in, out & local

    My guess would be LAN IN. is this correct? Thx

  • Dear Peter,

    You should add a rule under the WAN IN and a rule under the WAN OUT tabs since you want to allow traffic from the WAN to your LAN and also from the LAN to the WAN.

    Feel free to contact us if you need any assistance.
