
USG IPSEC VPN CLI Setup

I manage a few doctors' offices and am just diving into the UniFi products by Ubiquiti. In the past we've built our own SOC designs and ran pfSense on top of them as edge routers. However, after tinkering with the control panel and matching the product to the needs of some of our clients, we have found it to be extremely useful as a standard replacement across small business clients with little more demand than internet access, some local resources and large-area Wi-Fi. We really love the manageability of it. That said, I believe it to be an evolving product in early stages, as some standards normally seen do not seem to be built yet for the GUI. While not a stranger to CLIs, I am unfamiliar with EdgeRouter syntax and design (inferring that the USG is simply an EdgeRouter Lite, relating to material referenced around the forum).

So, we have a prevalent software provider that sets up a standard IPsec VPN tunnel to several of our clients' networks to allow for remote printing to internal IPs. As a whole, it's a fairly simple IPsec/IKE setup. However, I'm unfamiliar with the process of configuring it in the USG's CLI.

I had to implement a DHCP DNS-SERVER edit a couple weeks back that included upping a JSON file to the controller to make it persist. I'm assuming I will need to do the same for this VPN config? This kind soul upped the config page he's using, and what I'm wondering is: if I change the specifics to match my own credentials/schematics and append it to the existing JSON file, is this all that will be needed? Or should I be running something directly in the CLI over SSH on the USG itself?

 

vpn {
    ipsec {
        esp-group ESP-EC {
            compression disable
            lifetime 86400
            mode tunnel
            pfs dh-group2
            proposal 1 {
                encryption aes128
                hash sha1
            }
        }
        ike-group IKE-EC {
            dead-peer-detection {
                action restart
                interval 60
                timeout 120
            }
            lifetime 28800
            proposal 1 {
                dh-group 2
                encryption aes128
                hash sha1
            }
        }
        ipsec-interfaces {
            interface eth1
        }
        peer redactedpeer1 {
            authentication {
                mode pre-shared-secret
                pre-shared-secret *****
            }
            connection-type initiate
            description Duluth
            ike-group IKE-EC
            local-ip redactedlocalip
            tunnel 1 {
                allow-nat-networks disable
                allow-public-networks disable
                esp-group ESP-EC
                local {
                    subnet 10.10.10.0/24
                }
                remote {
                    subnet 10.0.0.0/24
                }
            }
            tunnel 2 {
                allow-nat-networks disable
                allow-public-networks disable
                esp-group ESP-EC
                local {
                    subnet 10.10.10.0/24
                }
                remote {
                    subnet 10.6.0.0/24
                }
            }
            tunnel 3 {
                allow-nat-networks disable
                allow-public-networks disable
                esp-group ESP-EC
                local {
                    subnet 10.10.10.0/24
                }
                remote {
                    subnet 10.7.0.0/24
                }
            }
            tunnel 4 {
                allow-nat-networks disable
                allow-public-networks disable
                esp-group ESP-EC
                local {
                    subnet 10.10.10.0/24
                }
                remote {
                    subnet 10.0.20.0/24
                }
            }
        }
    }
}

 

Given the prevalence of VPN, it's a little surprising that Ubiquiti didn't think it important to have a standard option set in its control panel to configure for industry VPN protocols.

Am I just missing a simple popularized walkthrough somewhere? Or maybe a wiki guide page on configuring standard VPNs on this product?

Thanks for your insight. We look forward to continuing our use of Ubiquiti UniFi products. Setting aside the CP limitations, it's a product targeting a much needed niche.

-Colter

Colter \'kohl-ter '\ vb : to be Ubiquiti noob.
Colter \'kohl-ter '\ n : The notorious "hold my beer, I got this" guy.
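The post asks whether the config tree above can simply be appended to the controller's JSON file. As an added example that is not from the original post or from Ubiquiti, here is a small Python converter that parses an EdgeOS "show configuration" style tree into the nested-JSON shape the controller's config.gateway.json uses (tag nodes such as `peer X` and `tunnel 1` become nested keys, repeated leaves become arrays); the sample tree is a constructed, trimmed copy of the one quoted above, and the file name and JSON layout are assumptions based on how the config tree maps to JSON, not details taken from the post.

```python
import json

# Constructed sample: a trimmed copy of the EdgeOS config tree quoted in the post.
SAMPLE_CONFIG = """\
vpn {
    ipsec {
        peer redactedpeer1 {
            authentication {
                mode pre-shared-secret
                pre-shared-secret *****
            }
            ike-group IKE-EC
            tunnel 1 {
                esp-group ESP-EC
                remote {
                    subnet 10.0.0.0/24
                }
            }
        }
    }
}
"""

def parse_config_tree(text):
    """'name {' opens a dict, 'name tag {' nests tag under name, 'key value' is a leaf, repeated keys become lists."""
    stack = [{}]
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unexpected '}' in config tree")
            stack.pop()
        elif line.endswith("{"):
            node = stack[-1]
            for word in line[:-1].split():  # 'peer X {' -> node['peer']['X']
                node = node.setdefault(word, {})
            stack.append(node)
        else:
            key, _, value = line.partition(" ")
            node = stack[-1]
            if key in node:  # repeated leaf (e.g. several 'interface' lines)
                old = node[key] if isinstance(node[key], list) else [node[key]]
                node[key] = old + [value]
            else:
                node[key] = value
    if len(stack) != 1:
        raise ValueError("unclosed '{' in config tree")
    return stack[0]

def to_gateway_json(text):
    return json.dumps(parse_config_tree(text), indent=2)  # config.gateway.json fragment (assumed layout)
```

Run `to_gateway_json` over the full tree from the post and merge the result into the existing JSON file rather than appending a second top-level object, since the file must stay a single JSON document.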