New Member
Posts: 1
Registered: 12-17-2018
Kudos: 1

Unifi USG 3P - VPN Site-to-Site to Palo Alto PA-500 - All traffic through tunnel


Hi there,

I have the following setup

###########################

*** LAN Site 1 *** (HQs)
|
| -> eth1/1 IP: 192.168.10.254/24; Net 192.168.10.0/24
Palo Alto PA-500 (IPSec-Tunnel-Endpoint)
| -> eth1/2 IP: 192.168.1.1/24; Net 192.168.1.0/24
|
| -> eth1: IP: 192.168.1.254/24
GateWay-Router No 1 (fixed IP) (NAT)
|
### Inet ###
|
GateWay-Router No 2 (DynDNS) (NAT)
| -> eth1 IP 192.168.1.254
|
| -> WAN IP: 192.168.1.122/24; Net 192.168.1.0/24
Unifi USG (IpSec Tunnel-Endpoint)
| -> LAN1 IP: 192.168.20.1/24; Net 192.168.20.0/24
|
*** LAN Site 2 *** (Branch)

###########################

In this scenario I've got my IPSec-VPN up and running. Everything is good.

...

Except one tiny little thing: I need to send all traffic from the Branch-Site through the VPN tunnel.

And after all I tried, I can't get it to work.

I followed this tutorial:

https://help.ubnt.com/hc/en-us/articles/360005460813-UniFi-USG-Advanced-Policy-Based-Routing-

But there are little differences in my setup.

1.) I can not use "dynamic routing". As soon as I try this, my VPN does not work anymore. The VPN is established, but the clients can not use it anymore. So I do not have any VTI-Interface.

2.) I have no VLANs configured. Every example I came across during my research mentioned a VLAN, and so I did not use the "vif <VLAN ID>" parameter at first. This did not work for me. Later I read somewhere that the default LAN1 network has the VLAN ID "1". After that I tried it as you can see further below.

These are the commands I ended up with so far:

*** I know that they are not persistent, unless I put the resulting configuration in the "config.gateway.json" file. ***

#################

configure
set protocols static table 2 route 0.0.0.0/0 next-hop 192.168.10.254
set firewall modify VPN_Gateway rule 2501 description "Everthing through the tunnel"
set firewall modify VPN_Gateway rule 2501 source address 192.168.20.0/24
set firewall modify VPN_Gateway rule 2501 protocol all
set firewall modify VPN_Gateway rule 2501 modify table 2
set firewall modify VPN_Gateway rule 2501 action modify
set interfaces ethernet eth1 vif 1 firewall in modify VPN_Gateway
set firewall source-validation disable
commit;exit
clear connection-tracking

#################

What am I missing?

Thank you.

Torben
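For reference, the set commands in the post above map onto the config.gateway.json structure the post mentions as follows. This is an added rendering, not Torben's file; it assumes the JSON layout used by the UniFi Advanced Policy-Based Routing article linked above (tag nodes such as next-hop become objects whose leaf is the string "''", and the description typo is corrected here). The commit, exit and clear connection-tracking lines are operational commands and have no JSON equivalent.

```json
{
  "firewall": {
    "modify": {
      "VPN_Gateway": {
        "rule": {
          "2501": {
            "action": "modify",
            "description": "Everything through the tunnel",
            "modify": {
              "table": "2"
            },
            "protocol": "all",
            "source": {
              "address": "192.168.20.0/24"
            }
          }
        }
      }
    },
    "source-validation": "disable"
  },
  "interfaces": {
    "ethernet": {
      "eth1": {
        "vif": {
          "1": {
            "firewall": {
              "in": {
                "modify": "VPN_Gateway"
              }
            }
          }
        }
      }
    }
  },
  "protocols": {
    "static": {
      "table": {
        "2": {
          "route": {
            "0.0.0.0/0": {
              "next-hop": {
                "192.168.10.254": "''"
              }
            }
          }
        }
      }
    }
  }
}
```

Because the controller merges this file into the USG's provisioned configuration, it is worth validating the syntax first (for example with `python -m json.tool config.gateway.json`): a malformed file breaks provisioning for the gateway rather than failing just the one rule.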

New Member
Posts: 2
Registered: 12-28-2017
Re: Unifi USG 3P - VPN Site-to-Site to Palo Alto PA-500 - All traffic through tunnel

I'm curious how you were able to get the tunnel established at all. I am currently trying to establish an IPSEC tunnel between a Palo 820 and a USG 4P. I can't seem to get it to even initiate IKE phase 1. Can you share configs?

I would really appreciate it.

Cheers!

New Member
Posts: 2
Registered: 12-28-2017

Re: Unifi USG 3P - VPN Site-to-Site to Palo Alto PA-500 - All traffic through tunnel

Never mind, I got it.