New Member
Posts: 26
Registered: ‎01-06-2016
Kudos: 1

Deploy Site to Site VPN on new USGs - help!

I'm taking over a project and need a little push in the right direction on this.


We have 3 USG Pros that we want to set up as a Site-to-Site VPN network. Two of the units are deployed and semi-operational, one is still in the box. Here are my questions:

  1. My understanding is that I need to adopt the "Remote" units first. Does this mean that I have to first get all 3 in the same location, adopt everything on the "Base" controller and then deploy them?
  2. Can I use Cloud Key to avoid bringing everything back to the Base location first?
  3. Do I have to have Cloud Key to operate this kind of network?

I have plenty of UniFi and USG experience but we haven't set up this kind of network so any step-by-step help will be appreciated.

Emerging Member
Posts: 73
Registered: ‎12-20-2016
Kudos: 9
Solutions: 3

Re: Deploy Site to Site VPN on new USGs - help!

You can adopt them from remote sites.


You need the Cloud Key on a static IP.

You need to port forward 8080 and 3478 on the network that hosts the Cloud Key.

UniFi-Cloud-Key-Troubleshooting-Guide covers most.


You also want either a static WAN IP or a DNS service to use an FQDN to enable the remote equipment to find the cloud key network.


You can then set inform on the remote equipment direct to the cloud key using the FQDN/static IP (NNN.NNN.NNN.NNN:8080).


This is what I have. I initially had a cloud key at both locations but moved the remote equipment to the main cloud key, then used an AUTO VPN.


Regular Member
Posts: 535
Registered: ‎07-20-2013
Kudos: 272
Solutions: 23

Re: Deploy Site to Site VPN on new USGs - help!

Is there a controller at each location now? For auto site-to-site, there is just one controller at one of the locations. Within the controller you define different sites (locations/networks where each usg is). Then within the controller you can simply pick the sites to establish the vpn. If you have a controller at each location then you can set up a manual site-to-site instead. A controller can be a cloudkey or installed on dedicated hardware, on-site or cloud hosted. 


Can direct better after you reply. 

Regular Member
Posts: 498
Registered: ‎01-28-2016
Kudos: 99
Solutions: 17

Re: Deploy Site to Site VPN on new USGs - help!

[ Edited ]

@shamrin,


Good points by others so far. Just wanted to point out this support article:


https://help.ubnt.com/hc/en-us/articles/360002426234-UniFi-USG-VPN-How-to-Configure-Site-to-Site-VPN


If I were you, I'd run a controller in the cloud and secure it to only accept communications from your sites. I currently use this script to limit access to the controller. The advantage to me of running it in the cloud is that the controller will still be accessible if you have a problem with one of the sites. You just want to secure the controller so it's not wide open out there. You can use this to set up your controller.


--

Klint

Primary Innovator at Sprocket Technology
UEWA | Contributor to Easy UBNTUFW Lockdown, Companion API | Host on Vultr
New Member
Posts: 26
Registered: ‎01-06-2016
Kudos: 1

Re: Deploy Site to Site VPN on new USGs - help!

It looks like there is a controller on one of the sites and it's operational, as that site has a bunch of APs running there as well. I found out that the customer has 2 Cloud Keys already. I do not know if they are operational or not. It looks like only the single site with the APs is "up".


@mikesg wrote:

Is there a controller at each location now? For auto site-to-site, there is just one controller at one of the locations. Within the controller you define different sites (locations/networks where each usg is). Then within the controller you can simply pick the sites to establish the vpn. If you have a controller at each location then you can set up a manual site-to-site instead. A controller can be a cloudkey or installed on dedicated hardware, on-site or cloud hosted. 


Can direct better after you reply. 



Regular Member
Posts: 535
Registered: ‎07-20-2013
Kudos: 272
Solutions: 23

Re: Deploy Site to Site VPN on new USGs - help!

Your response isn't clear. From what I can tell so far, you have two sites operational. The sites are at least a USG and a quantity of APs. It also sounds as if there are Cloud Keys at both sites. Is this correct?


Are the USGs using static IPs from the ISP? Does each site have a different LAN address range? For example:


Site 1: 192.168.10.0/24

Site 2: 192.168.11.0/24

Site 3: 192.168.12.0/24


You don't have to use my addresses, but each network should be unique.
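Two of the points raised in this thread (the unique LAN range per site asked for above, and the earlier advice to point remote units at the controller by static IP or FQDN on port 8080) can be checked before anything is adopted. The following is an added example written for this thread, not code from Ubiquiti or from any poster; the site names, subnets and controller hostnames are constructed.

```python
import ipaddress
import re

# Constructed sample addressing plan (not from the thread): one LAN per site.
SITES = {
    "Site 1": "192.168.10.0/24",
    "Site 2": "192.168.11.0/24",
    "Site 3": "192.168.12.0/24",
}


def overlapping_sites(sites):
    """Return [(site_a, site_b)] for every pair of site LANs that overlap.

    Auto site-to-site VPN relies on each site's LAN being distinct; two sites
    sharing an address range cannot be routed to each other over the tunnel.
    strict=True also rejects a CIDR with host bits set (e.g. a typo'd plan).
    """
    nets = {name: ipaddress.ip_network(cidr, strict=True)
            for name, cidr in sites.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


# Hostname check used when the controller is reached by FQDN rather than IP.
_FQDN = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)


def inform_url(host, port=8080):
    """Build the inform URL a remote device is pointed at.

    The host must be a literal IPv4 address or an FQDN that resolves from the
    remote site; anything else would leave the device unable to find the
    controller. 8080 is the controller inform port mentioned in the thread.
    """
    try:
        ipaddress.IPv4Address(host)
    except ValueError:
        if not _FQDN.match(host):
            raise ValueError(f"not an IPv4 address or FQDN: {host!r}")
    if not 1 <= port <= 65535:
        raise ValueError(f"invalid port: {port}")
    return f"http://{host}:{port}/inform"


if __name__ == "__main__":
    print("overlaps:", overlapping_sites(SITES))
    print(inform_url("unifi.example.com"))  # constructed hostname
```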
