UniFi Dream Machine to UniFi Dream Machine Pro IPSec VPN – How-to

Today we're going to talk about creating a site-to-site VPN between two UDMs, whether that's a UDM Pro, a standard UDM, a mix of the two, or even more. It's pretty easy and straightforward, and we'll talk about some of the prerequisites and the things that make it easy, especially since it's UniFi gear. Let's hop on over to the computer and take a look.

First, a little about our setup. I've got a UDM Pro and a standard UDM. Each has a switch plugged in, and behind each switch there are PoE devices; some are cameras, some are access points. I just use an icon here to represent the devices plugged into the switch behind each of my UniFi Dream Machines. Since I'm emulating the internet internally, my WAN IPs are RFC 1918 (private) addresses. In the real world, IPsec works best if you have non-RFC 1918, routable IP addresses on your WAN. With UniFi it's going to be a huge crapshoot if you have to port forward through another router, and if you're double NATed this is really not for you. We've got another setup that works for double NAT, and I'm going to do a video on that shortly, but for now the two things that make this easiest are static IPs and not being double NATed. Let me put that up here in the text.

Please note that this works best with static IPs and no double NAT. You will likely not be able to get it to work if you're double NATed. If you don't have static IPs but have dynamic IPs, you'll probably be able to get this to work; however, you cannot use FQDNs with UniFi for the IPsec VPN, as you'll see in a second.

So let's take a look at the UDM Pro. Right now the WAN IP is 192.168.66.206. On the standard UDM the WAN is (we've got the internet here), and the LAN side of the UDM Pro is 24.

The standard UDM is. So let's hop over here. You're going to see this is a newer dashboard; people have been asking about it. These are both in my lab: the standard UDM has 19 clients and the UDM Pro currently has 4 clients. What we want to do is create a site-to-site VPN between these devices so that we can access the LANs and the devices without having to do port forwarding on the internet. We'll go into Settings and do one side at a time, the UDM Pro first and then the UDM base. This works whether you've got a UDM Pro on each side, a standard UDM on each side, or a mix of devices; it will also work if you have USGs. In Settings, go to Networks and create a new network. We're going to call it "Site to Site VPN", and its type is going to be Site-to-site VPN. You can see Auto VPN does not work with the UDM, so we're going to do Manual IPsec. The remote subnet is the LAN side of the standard UDM, so that's 192.168.2.0, so 192.168.

You need the subnet mask there. Peer IP is where it gets interesting: you cannot use an FQDN here, you have to use an IP, so if you've got static IPs this works best. It will work if you have a routable, non-RFC 1918 IP that's dynamic; however, if it changes, your VPN is going to break and you'll have to come back and fix this peer IP. We're going to put in our static IP of the LAN, 172.116.1.25. For Local WAN IP we could put in our static IP, or, if we've got a dynamic IP and don't want to keep changing it, we could put in, because that tells it to use whatever is on that WAN. Here we'll go ahead and put in 192.168.66.206.

The pre-shared key needs to be the same on each side, so we're just going to make it vpn 2019 2020, and I'm actually going to copy that. Then we'll expand Advanced Options. You can change the entire setup of everything here; the one thing I've seen sometimes cause issues is dynamic routing, so we're going to leave it checked, see if the VPN comes up, and if it doesn't, come back in here and uncheck it. Yes, I know some of the hashes, the ciphers and all that stuff need to be adjusted; that's a whole other video we need to do. For now I'm just going to leave it default and click Save. Now you can see it's created our site-to-site VPN on the UDM Pro.

Now we need to hop over to the base and do the same thing, except we put in the information for the Pro. Once again that's Manual IPsec. We're going to put in our remote subnet (I'm trying to do this one-handed, so forgive me for being clumsy), then we're going to put in our WAN IP of the UDM, and we'll put in our WAN IP here; let me make sure I got that right, 25, yep. We're going to paste in that pre-shared key, leave everything else default, and save it.

So now, in theory, this VPN is up. I am plugged into one of these networks, so let's pull up a command prompt and see which one I'm plugged into. I'm on the UDM Pro side, so let's look at the clients on the 192.168.2 side and just pick one: 2.6, which is an Elgato light. There, it's working; we are now pinging across the VPN. Let's do a traceroute and see what happens. By the way, in traceroute the -d makes it so it doesn't do DNS lookups. You can see we hit our gateway, then the other side of the connection, and then 2.6. That's it; it was really that easy. Like I said, as long as all the pieces fall into place this will work perfectly. If not, there are other things that have to be done, or other types of VPNs, and we'll go over that in another video.
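As an added example (not UniFi code and not from the video), here is a pre-flight check that encodes the prerequisites the walkthrough lists before you fill in the two Manual IPsec forms: the peer must be an IP literal rather than an FQDN, the remote subnet needs its mask, the pre-shared key must match, and each side's peer IP and remote subnet must mirror the other side's WAN IP and LAN. It also warns when a peer sits on an RFC 1918 address, which outside a lab usually means double NAT. The `SiteVpnConfig` fields, the hypothetical site names and the sample addresses are all assumptions constructed for the example.

```python
# Added pre-flight check for a UniFi manual IPsec site-to-site VPN (example code,
# not UniFi's). Field names mirror the form in the walkthrough; values are assumed.
import ipaddress
from dataclasses import dataclass

# The private ranges the walkthrough calls "RFC addresses".
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class SiteVpnConfig:
    name: str            # label used in findings, e.g. "udm-pro" (hypothetical)
    local_lan: str       # LAN behind this UDM, e.g. "192.168.2.0/24"
    local_wan_ip: str    # "Local WAN IP" field; assumed to hold the real WAN address
    remote_subnet: str   # "Remote subnet" field; must carry a mask
    peer_ip: str         # "Peer IP" field; UniFi accepts only an IP literal
    psk: str             # pre-shared key, must be identical on both sides


def check_side(cfg):
    """Return (level, message) findings for one side of the tunnel."""
    findings = []
    try:
        peer = ipaddress.ip_address(cfg.peer_ip)
    except ValueError:  # anything that is not an IP literal, e.g. an FQDN
        findings.append(("error", f"{cfg.name}: peer '{cfg.peer_ip}' is not an IP literal; FQDNs are rejected"))
        peer = None
    if "/" not in cfg.remote_subnet:
        findings.append(("error", f"{cfg.name}: remote subnet '{cfg.remote_subnet}' has no subnet mask"))
    # A private peer address means the far side is probably behind another NAT.
    if peer is not None and any(peer in net for net in RFC1918):
        findings.append(("warn", f"{cfg.name}: peer {peer} is RFC 1918; double NAT will likely break IPsec"))
    return findings


def check_pair(a, b):
    """Check both sides, then verify that they mirror each other."""
    findings = check_side(a) + check_side(b)
    if a.psk != b.psk:
        findings.append(("error", "pre-shared keys differ between the two sides"))
    for near, far in ((a, b), (b, a)):
        if near.peer_ip != far.local_wan_ip:
            findings.append(("error", f"{near.name}: peer IP {near.peer_ip} is not {far.name}'s WAN IP {far.local_wan_ip}"))
        # Only compare subnets that parsed with a mask; a missing mask is already reported.
        if "/" in near.remote_subnet and ipaddress.ip_network(near.remote_subnet, strict=False) != \
                ipaddress.ip_network(far.local_lan, strict=False):
            findings.append(("error", f"{near.name}: remote subnet {near.remote_subnet} is not {far.name}'s LAN {far.local_lan}"))
    return findings


def errors(findings):
    """Only the blocking findings; the tunnel will not come up while any remain."""
    return [msg for level, msg in findings if level == "error"]
```

Run `check_pair` on both configs before clicking Save; an empty result from `errors` means the two forms are consistent, while a remaining "warn" entry just flags the double NAT risk the video describes.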

