How do I set up site-to-site VPN between a QuWAN and UniFi® device?


Last modified: 2025-02-18

Applicable Products

  • QuWAN Orchestrator
  • QuRouter 2.4.0 and later versions
  • UniFi® device

Details

This guide details the steps to establish a site-to-site VPN connection between a QuWAN device and a UniFi® Dream Machine (UDM) Pro. While the UniFi® ecosystem offers various devices with site-to-site VPN functionality, this tutorial will specifically focus on the UDM Pro for demonstration purposes.

Important
  • QuWAN site-to-site VPN only supports IKEv2.
  • Both devices (QuWAN and UniFi® devices) must use the same configuration settings for the VPN to function correctly.
  • Your QNAP device must be added to QuWAN Orchestrator before configuring the site-to-site VPN. Refer to the QuWAN and QuWAN Orchestrator Help for adding your device: Configuration | QuWAN and QuWAN Orchestrator Help (qnap.com)

Warning

Implementing a site-to-site VPN introduces additional complexity to your network. Ensure you understand the security implications before enabling it.

Procedure

Site-to-site VPN configuration on the UniFi® device

  1. Log in to the UDM Pro web interface.
  2. Go to Settings > VPN > Site-to-Site VPN.
  3. Configure the VPN connection settings.
    Setting             User Action
    VPN Type            Select IPsec.
    Name                Assign a descriptive name to easily identify this VPN connection (e.g., QuWAN Site-to-Site VPN).
    Pre-Shared Key      Establish a strong, unique pre-shared key.
    Local IP            Enter the local IP address of your UDM Pro device.
    Remote IP/Host      Specify the public IP address or hostname of the remote gateway device you want to connect to.
    VPN Type            Select Route Based to establish a VPN connection for specific network subnets.
    Remote Network(s)   Define the subnet(s) of the remote network you want to access, using CIDR notation (e.g., 192.168.150.0/24).
  4. Next to Advanced Configuration, select Manual.
  5. Select IPsec as the key exchange version.
  6. Configure the IKEv2 settings based on the example provided below.
    Important
    The remote device must adopt the same settings.
    Setting        User Action                            Example Value
    Encryption     Select an IKE algorithm.               AES-128
    Hash           Choose a secure IKE hash function.     SHA256
    DH Group       Select a Diffie-Hellman (DH) group.    14
    IKE Lifetime   Set the IKE SA lifetime.               28800
  7. Configure the ESP settings based on the example provided below.
    Setting        User Action                            Example Value
    Encryption     Select an ESP algorithm.               AES-128
    Hash           Choose a secure ESP hash function.     SHA256
    DH Group       Select a Diffie-Hellman (DH) group.    14
    ESP Lifetime   Set the ESP SA lifetime.               3600
  8. Click Add.
    UDM Pro applies the configuration.

Site-to-site VPN configuration in QuWAN Orchestrator

  1. Log in to QuWAN Orchestrator using your QNAP ID credentials.
  2. Select your organization.
  3. Go to QuWAN Topology > Route-Based VPN.
  4. Click Create New Connection.
    The Create New Connection window appears.
  5. Configure the route-based VPN connection settings.
    Setting                      Description
    Connection name              Assign a descriptive name (e.g., UniFi Site-to-Site VPN).
    IPsec mode                   Select Tunnel Mode.
    Hub                          Designate the appropriate hub for the connection.
    WAN interface                Enter the desired WAN interface.
    Remote IP or hostname        Specify the public IP address or hostname of the remote gateway device.
    Test Connection (Optional)   Click the button to ping the IP/hostname to confirm the connection.
    Pre-shared key               Establish a strong pre-shared key, ensuring identical configuration on the remote gateway.
  6. Configure the advanced route-based VPN connection settings.
    Setting                                  User Action                                                                                     Example Value
    Internet Key Exchange (IKE)
    Version                                  Select IKEv2.                                                                                   -
    Authentication algorithm                 Select a robust authentication algorithm.                                                       AES-128
    Encryption                               Select a strong encryption method.                                                              AES-128
    DH group                                 Select a secure DH group.                                                                       14
    Security Association (SA) lifetime       Define the IKE Security Association (SA) duration to reduce cryptographic risks associated with key exposure.   480
    Local ID (Optional)                      Required if a Dynamic DNS (DDNS) service is used for the route-based VPN connection.            -
    Encapsulating Security Payload (ESP)
    Authentication algorithm                 Select an authentication algorithm.                                                             SHA-256
    Encryption                               Select an encryption method.                                                                    AES-128
    Enable Perfect Forward Secrecy (PFS)     Check the box to generate a new DH key.                                                         -
    DH Group                                 Specify a secure DH group.                                                                      14
    Security Association (SA) lifetime       Define the SA lifetime duration.                                                                60 minutes
    Enable Dead Peer Detection (DPD)         Check the box to identify and respond to peer device outages.                                   -
    DPD timeout                              Specify the DPD timeout value.                                                                  10 seconds
  7. Select the checkbox next to Enable NAT mode to ensure that the VPN connection functions properly even when NAT devices are present in the network.
  8. Specify the local tunnel IP address to facilitate NAT-traversal.
  9. Under Site Subnets, click Add Subnet and define the internal subnet of the remote network you want to access.
  10. Click Save.

If the route-based VPN connection is successful, the Status field displays the Connected status.
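Because the tunnel only comes up when both peers propose identical IKE and ESP parameters, it helps to compare the two configurations before troubleshooting a failed negotiation. The following added example (not QNAP's or Ubiquiti's code) normalises the values as the two UIs present them (SHA256 versus SHA-256, UniFi lifetimes in seconds versus QuWAN lifetimes in minutes) and reports every setting that differs. It assumes the QuWAN IKE lifetime "480" is in minutes, which equals the UniFi 28800 seconds, and it sets the QuWAN IKE authentication algorithm to SHA-256 so that it matches the UniFi hash; the article's table lists AES-128 for that field.

```python
import re

# Multipliers that turn a lifetime string into seconds ("28800", "480 min",
# "60 minutes"). A bare number is taken as seconds.
_UNITS = {"": 1, "s": 1, "sec": 1, "second": 1, "seconds": 1,
          "m": 60, "min": 60, "minute": 60, "minutes": 60,
          "h": 3600, "hour": 3600, "hours": 3600}


def normalise(value):
    """Make UI values comparable: numbers -> seconds, names lower-cased
    with hyphens and spaces removed (so SHA-256 equals SHA256)."""
    text = str(value).strip().lower()
    match = re.fullmatch(r"(\d+)\s*([a-z]*)", text)
    if match and match.group(2) in _UNITS:
        return int(match.group(1)) * _UNITS[match.group(2)]
    return text.replace("-", "").replace(" ", "")


def compare_proposals(side_a, side_b):
    """Return [(setting, value_a, value_b)] for every setting that differs
    after normalisation, including settings present on only one side."""
    mismatches = []
    for key in sorted(set(side_a) | set(side_b)):
        a, b = side_a.get(key), side_b.get(key)
        if normalise(a) != normalise(b):
            mismatches.append((key, a, b))
    return mismatches


# Constructed from the article's example values. UniFi lifetimes are in
# seconds; the QuWAN IKE lifetime "480" is assumed to be minutes (equal to
# 28800 s). QuWAN ike.hash is set to SHA-256 here to match the UniFi side;
# the article's table lists AES-128 for that field.
UNIFI = {
    "ike.encryption": "AES-128", "ike.hash": "SHA256",
    "ike.dh_group": 14, "ike.lifetime": "28800",
    "esp.encryption": "AES-128", "esp.hash": "SHA256",
    "esp.dh_group": 14, "esp.lifetime": "3600",
}
QUWAN = {
    "ike.encryption": "AES-128", "ike.hash": "SHA-256",
    "ike.dh_group": "14", "ike.lifetime": "480 min",
    "esp.encryption": "AES-128", "esp.hash": "SHA-256",
    "esp.dh_group": "14", "esp.lifetime": "60 minutes",
}

if __name__ == "__main__":
    for setting, a, b in compare_proposals(UNIFI, QUWAN):
        print(f"MISMATCH {setting}: UniFi={a!r} QuWAN={b!r}")
```

An empty result means the two proposal sets agree; any remaining negotiation failure then points at the pre-shared key, the peer address, or the subnet definitions rather than the algorithm settings.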

Further Reading

UniFi® Gateway - Site-to-Site IPsec VPN with Third-Party Gateways (Advanced)
