User Manual
UniFi Controller User Guide
Ubiquiti Networks, Inc.
Chapter 3: Using the UniFi Controller Software
Site-to-Site VPN
The UniFi Security Gateway is required for this option.
•  VPN Client (Beta)  Select the type of VPN being configured:
   - Auto  Auto is the default. This option lets you connect two sites on the same controller by simply picking the other site. No further configuration is necessary; UniFi automatically creates a secure IPsec VPN, and configures routing between the sites. Also, the created connection is bidirectional - creating an auto VPN from site A to site B also provides connectivity from site B to site A (nothing is configured on site B).
      •  Remote Site  Select the appropriate site from the drop-down list.
      Note: You must have admin privileges for the local and remote sites to view and select sites.
   - IPsec VPN  Select this option to create a VPN that uses IPsec (IP security protocol).
      •  Enabled  Select this option to create an IPsec VPN tunnel over the Internet between two peer routers. (The UniFi Security Gateway is the local peer router.)
      •  Remote Subnets  Click Add Subnet to add an address for a remote network.
      •  Add Subnet  If you have another remote subnet, click this option and enter its network address.
      •  Peer IP  Enter the IP address of the peer router.
      •  Local WAN IP  Enter the Internet IP address of the UniFi Security Gateway.
      •  Pre-Shared Key  Enter the pre-shared secret key. Both peer routers must use the same pre-shared secret key for authentication.
      •  IPsec Profile  Select the appropriate option:
         •  Customized  Select this option to customize your settings.
         •  Azure dynamic routing  Select this option if you are using Microsoft Azure with dynamic routing for a route-based VPN.
         •  Azure static routing  Select this option if you are using Microsoft Azure with static routing for a policy-based VPN.
      •  Advanced Options  Click to access the advanced configuration.
         •  Key Exchange Version  Both peer routers must use the same Internet Key Exchange (IKE) version. Select the appropriate version: IKEv1 or IKEv2.
         •  Encryption  Both peer routers must use the same encryption method. Select the appropriate encryption method: AES-128, AES-256, or 3DES.
         •  Hash  Both peer routers must use the same hash algorithm. Select the appropriate hash algorithm: SHA1 or MD5.
         •  DH Group  The DH (Diffie-Hellman) group specifies the strength of the DH encryption key for the key exchange. Both peer routers must use the same DH group. Select the appropriate DH group: 2, 5, 14, 15, 16, 19, 20, 21, 25, or 26. The default is 14.
         •  PFS  Select this option to enable PFS (Perfect Forward Secrecy), which protects your past sessions from decryption should your key be compromised in the future.
         •  Dynamic Routing  Select this option to use VTI-based IPsec (otherwise tunnel mode will be used).
         Note: If you selected Azure dynamic routing or Azure static routing, then the defaults of the Advanced Options will also change accordingly.
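The following is an added example, not part of the Ubiquiti manual: a Python pre-deployment check that compares the settings planned for the two peer routers against the "both peer routers must use the same" requirements above, and confirms that each side's Peer IP is the other side's Local WAN IP. The dictionary field names, sample addresses and key are constructed for illustration, and the set of options reported as legacy (3DES, MD5, DH groups 2 and 5) is an editorial assumption rather than something the manual states.

```python
# Added example: pre-deployment check for a manual IPsec VPN between two peers.
# Field names are hypothetical; the allowed values come from the manual's lists.
ALLOWED = {
    "ike": {"IKEv1", "IKEv2"},
    "encryption": {"AES-128", "AES-256", "3DES"},
    "hash": {"SHA1", "MD5"},
    "dh_group": {2, 5, 14, 15, 16, 19, 20, 21, 25, 26},
}
# Editorial assumption (not from the manual): options treated as legacy.
LEGACY = {"encryption": {"3DES"}, "hash": {"MD5"}, "dh_group": {2, 5}}


def check_tunnel(local, remote):
    """Return a sorted list of findings; an empty list means the peers agree."""
    findings = []
    for field, allowed in ALLOWED.items():
        for side, cfg in (("local", local), ("remote", remote)):
            if cfg[field] not in allowed:
                findings.append(f"invalid {field} on {side}: {cfg[field]}")
        if local[field] != remote[field]:
            findings.append(f"mismatch {field}: {local[field]} vs {remote[field]}")
        elif local[field] in LEGACY.get(field, ()):
            findings.append(f"legacy {field}: {local[field]}")
    # Report a key mismatch without writing either key into the findings.
    if local["psk"] != remote["psk"]:
        findings.append("mismatch psk")
    # Each side's Peer IP must be the other side's Local WAN IP.
    if local["peer_ip"] != remote["local_wan_ip"]:
        findings.append("local peer_ip is not remote local_wan_ip")
    if remote["peer_ip"] != local["local_wan_ip"]:
        findings.append("remote peer_ip is not local local_wan_ip")
    return sorted(findings)


# Constructed sample settings (documentation addresses, placeholder key).
SITE_A = {"ike": "IKEv2", "encryption": "AES-256", "hash": "SHA1", "dh_group": 14,
          "psk": "example-psk-not-real", "local_wan_ip": "203.0.113.10",
          "peer_ip": "198.51.100.20"}
SITE_B = {"ike": "IKEv2", "encryption": "AES-256", "hash": "SHA1", "dh_group": 14,
          "psk": "example-psk-not-real", "local_wan_ip": "198.51.100.20",
          "peer_ip": "203.0.113.10"}
SITE_B_BAD = dict(SITE_B, hash="MD5", dh_group=2, peer_ip="203.0.113.99")

if __name__ == "__main__":
    print(check_tunnel(SITE_A, SITE_B))
    print(check_tunnel(SITE_A, SITE_B_BAD))
```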










