This article is in draft/beta; if you have any questions, please email us at help@firewalla.com
This is a brief introduction to a Site-to-Site IPsec VPN connection between Firewalla Gold Box and UniFi Dream Machine (UDM) Pro using Firewalla MSP.
To follow this guide, ensure that you have:
- UniFi Network version 8.6.9 or later
- Firewalla MSP version 2.8.0 or later
- Firewalla Gold series box on your Firewalla MSP instance
In this guide, the Firewalla Gold and the UDM Pro are the two sites of the IPsec VPN connection: the Firewalla Gold is the client site and the UDM Pro is the server (peer) site. Both sites have public (WAN) IP addresses. Once the tunnel is up, the subnets on both sites can reach each other, and devices behind the Firewalla Gold reach the internet via the UDM Pro site.
The following settings are assumed by this example:
| | Firewalla Gold | UDM Pro |
|---|---|---|
| WAN IP | 203.0.113.1 | 192.0.2.1 |
| LAN Subnet | 192.168.213.0/24 | 192.168.80.0/24 |
STEP 1: UDM Server Configuration
STEP 1-1: IPsec Configuration
Open unifi.com and go to the UDM manager page, then click Settings (gear icon in the bottom left corner) > VPN > Site-to-Site VPN. If no Site-to-Site VPN exists yet, the form for a new connection opens directly; otherwise, click Create New.
Some fields may need to be modified:
- VPN Type: Select IPsec.
- Name: Enter a name, "Test."
- Remote IP/Host: Enter Firewalla Gold's WAN IP (203.0.113.1).
- Remote Network(s): Add Firewalla Gold's LAN Subnet (192.168.213.0/24).
Note the Pre-Shared Key. This value is autogenerated by the UDM when a new VPN connection is created. You will need this value later when setting up the Firewalla MSP.
In the Advanced section, select Manual. Then, for the Key Exchange Version, select IKEv2.
STEP 1-2: SNAT Configuration
For devices behind your Firewalla Gold box to access the internet after the VPN connection is enabled, configure SNAT (masquerading) in the UDM settings.
On your UDM Manager page, go to Settings > Routing > NAT, then click Create Entry.
Enter these settings:
- Type: Masquerade
- Name: Enter a name, "IPSec NAT."
- Protocol: All
- Interface: Primary (WAN1)
- Source: Enter Firewalla Gold's LAN Subnet (192.168.213.0/24). This allows that subnet on Firewalla Gold to access the Internet when the VPN connection is established.
STEP 2: MSP VPN Client Configuration
In Firewalla MSP, go to your Firewalla Gold’s box view, then create a new VPN Client.
Go to VPN Client (left navigation panel) > Create VPN Connection > select IPsec > Next. The MSP UI will look like this:
Enter a name for the VPN Connection. For the Configuration file, follow the template below; the values in angle brackets (shown in red in the original article) must be replaced with the values for your own sites.
```
conn tunnTemplate
    keyexchange=ikev2
    auto=start
    type=tunnel
    leftid=<WAN IP of Firewalla>
    # multiple subnets are separated with commas
    leftsubnet=<LAN Subnet CIDR of Firewalla>
    right=<WAN IP of UDM Server>
    # multiple subnets are separated with commas
    rightsubnet=<LAN Subnet CIDR of UDM>
    authby=psk
    ike=aes128-sha1-modp2048
    esp=aes128-sha1-modp2048
    ikelifetime=28800s
    lifetime=3600s
```
With the values from the table in this guide, the four site-specific lines become:
```
    leftid=203.0.113.1
    leftsubnet=192.168.213.0/24
    right=192.0.2.1
    rightsubnet=0.0.0.0/0
```
Note that rightsubnet is set to 0.0.0.0/0 rather than to the UDM's LAN subnet (192.168.80.0/24). This sends the selected devices' internet-bound traffic through the tunnel as well, which is why the SNAT rule from STEP 1-2 is required; if you only need the two LAN subnets to reach each other, use the UDM's LAN subnet instead.
Note that the Configuration file must use the same encryption methods as those set in the UDM IPsec VPN (Advanced > Manual). If you selected different methods on the UDM, use this reference to find the matching keywords.
For Secrets, follow the template below, pasting in the Pre-Shared Key from the UDM IPsec VPN:
```
: PSK "<Pre-Shared Key value>"
```
After entering the Configuration and Secrets (no Additional files are needed), click Save in the top right corner to finish creating the third-party VPN connection.
On the new VPN connection, click Apply To, select the devices the VPN should apply to, and toggle on the VPN switch to establish the connection. Once established, those devices behind your Firewalla Gold box can reach devices behind the UDM Pro and access the internet.
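The most common reasons a site-to-site IPsec tunnel like the one above never comes up are mundane: a template placeholder left in the pasted configuration, the two sites' LAN subnets overlapping, IKE/ESP proposals that do not match what the UDM was set to in Manual mode, or an empty pre-shared key. The following script, added here as an example and not Firewalla or Ubiquiti code, parses a `conn` block in the format of the template above together with the secrets line and reports those problems before you paste the text into the MSP form. The sample configuration embedded in it is constructed from the addresses in this guide's table, and the PSK value in it is a made-up placeholder; the default `udm_ike`/`udm_esp` proposals are the ones used in this guide and should be changed to whatever your UDM shows.

```python
"""Sanity checks for a site-to-site IPsec 'conn' block before pasting it into
the Firewalla MSP VPN Client form (example code, not Firewalla's own)."""
import ipaddress
import re

# Constructed sample input using the addresses from the guide's table.
SAMPLE_CONF = """\
conn tunnTemplate
    keyexchange=ikev2
    auto=start
    type=tunnel
    leftid=203.0.113.1
    leftsubnet=192.168.213.0/24
    right=192.0.2.1
    rightsubnet=0.0.0.0/0
    authby=psk
    ike=aes128-sha1-modp2048
    esp=aes128-sha1-modp2048
    ikelifetime=28800s
    lifetime=3600s
"""
# Constructed placeholder value; a real deployment uses the key the UDM generated.
SAMPLE_SECRETS = ': PSK "example-psk-from-udm"'

PLACEHOLDER = re.compile(r"<[^>]*>")   # template values look like <WAN IP of Firewalla>


def parse_conn(text):
    """Return (conn_name, {key: value}) for the first 'conn' section in text."""
    name, params = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and indentation
        if not line:
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            name = m.group(1)
            continue
        if "=" in line and name is not None:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return name, params


def parse_psk(text):
    """Return the key from a ': PSK "..."' secrets line, or None if absent."""
    m = re.search(r'^\s*:\s*PSK\s+"([^"]*)"\s*$', text, re.M)
    return m.group(1) if m else None


def subnets(value):
    """Split a comma-separated subnet list into ip_network objects."""
    return [ipaddress.ip_network(s.strip(), strict=False)
            for s in value.split(",") if s.strip()]


def tunnel_mode(conf_text):
    """'full' if rightsubnet covers 0.0.0.0/0 (internet traffic also goes
    through the UDM, so its SNAT rule is needed), otherwise 'split'."""
    _, p = parse_conn(conf_text)
    return "full" if any(r.prefixlen == 0 for r in subnets(p.get("rightsubnet", ""))) else "split"


def check_config(conf_text, secrets_text,
                 udm_ike="aes128-sha1-modp2048", udm_esp="aes128-sha1-modp2048"):
    """Return a list of problems; an empty list means the config looks sane."""
    problems = []
    name, p = parse_conn(conf_text)
    if name is None:
        return ["no 'conn <name>' section found"]

    for key in ("leftid", "leftsubnet", "right", "rightsubnet", "ike", "esp"):
        if key not in p:
            problems.append(f"missing {key}")
        elif PLACEHOLDER.search(p[key]):
            problems.append(f"{key} still contains a template placeholder: {p[key]}")
    if problems:
        return problems   # the remaining checks need real values

    if p.get("keyexchange") != "ikev2":
        problems.append("keyexchange should be ikev2 to match the UDM setting")
    if p.get("authby") != "psk":
        problems.append("authby should be psk; the UDM side uses a pre-shared key")

    # Both sides must agree on the proposals configured under Advanced > Manual on the UDM.
    for key, expected in (("ike", udm_ike), ("esp", udm_esp)):
        if p[key] != expected:
            problems.append(f"{key}={p[key]} does not match the UDM proposal {expected}")

    # Overlapping LAN subnets mean traffic is delivered locally and never enters the tunnel.
    # A 0.0.0.0/0 rightsubnet overlaps everything by design, so it is exempt.
    for left in subnets(p["leftsubnet"]):
        for right in subnets(p["rightsubnet"]):
            if right.prefixlen != 0 and left.overlaps(right):
                problems.append(f"leftsubnet {left} overlaps rightsubnet {right}")

    psk = parse_psk(secrets_text)
    if not psk or PLACEHOLDER.search(psk):
        problems.append("secrets line has no usable PSK")
    return problems


if __name__ == "__main__":
    for issue in check_config(SAMPLE_CONF, SAMPLE_SECRETS) or ["OK"]:
        print(issue)
    print("tunnel mode:", tunnel_mode(SAMPLE_CONF))
```

Run it with your own configuration pasted into `SAMPLE_CONF` and `SAMPLE_SECRETS`; the overlap check is what catches the case where both sites happen to use the same default LAN range, and the `tunnel_mode` result tells you whether the SNAT rule from STEP 1-2 is actually required.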
STEP 3: Verify Connection
After establishing the connection, verify that the VPN is working as expected. On your Firewalla MSP VPN connection, the Server IP should match the WAN IP of the UDM Pro (192.0.2.1 in this example).
You can also verify the connection status on Firewalla MSP.
On the UDM Network Manager, the connection should show its uptime and a status of "Online."
Once the connection is up and applied to a specific device, test whether that device can reach the UDM's LAN subnet (192.168.80.0/24 in this example).
Additionally, access the internet from a VPN-connected device. Then, on Firewalla MSP, go to Flows and locate the flows it generated: they should be routed through the VPN, with the outbound interface shown as your UDM IPsec VPN.