vovafrance.blogg.se

Peakhour 4 ubnt usg

I recently upgraded my home network from the Ubiquiti EdgeRouter to the UniFi Security Gateway (USG). Similar to the EdgeRouter, the USG supports most common configuration tasks from the web UI, but advanced configuration is only available from the command line. While you can configure a VPN tunnel to AWS from the UI, it does not allow you to configure redundancy or Border Gateway Protocol (BGP).

With everyone quarantined – working and learning from home – I have been struggling to find time to hack the router. So, with the holiday weekend upon us, I finally had time to dive in.

By the way, if you need to set up a VPN on the EdgeRouter, there are instructions in the Ubiquiti Documentation. This post focuses on the UniFi Security Gateway (USG), which is not documented. I am using the USG Advanced Configuration method to create a file. If you want to skip the details, you can download a template for a static or dynamic VPN configuration from GitHub. In this post I am going to walk through configuring the following scenario.

Let us begin by creating a static VPN on the AWS Console. I specify the public IP address of my home router (203.0.113.106). I also specify the CIDR block of my home network (192.168.0.0/16) that I want to advertise to AWS. I leave all the other options with default values.

Alternatively, I could choose to create a dynamic VPN. In this case I do not need to specify the CIDR block as BGP will automate this for me. First, I do not have to configure routing. BGP will automate the exchange of addresses. Second, as BGP chats back and forth, it keeps the tunnel active. If you use static routing, the tunnel will shut down if it is not being used. It takes a second or two to reestablish it when you need it again.

Once you create the VPN, click the Download Configuration button, and choose the Generic vendor. You will get a text document with a ton of settings. You can ignore most of them assuming you left the default settings. The important information from my configuration is listed below.

Pre-Shared Key : BlARnmsPSxaWficPzqmRMWk93rUFTcn.
Pre-Shared Key : AuuAi5BdMDFAVeMI1jWYn8nM2A8UadpF.

Next, we must create a file as described in USG Advanced Configuration. When you make changes in the UI, the USG's configuration is overwritten. If we make changes at the command line, they will be lost. By putting the configuration in the file, the controller will merge that with the UI configuration before applying the changes to the USG.

The first thing we need to do is create the Virtual Tunnel Interface (vti) for each of the two redundant VPN tunnels. I am using vti0 and vti1, but you can use any number here as long as they are not already in use. If you create a tunnel in the UI it will start numbering with vti64, so I assume starting at 1 is safe.

Each tunnel gets an IP address from the link-local range. These are specified in the generic configuration you downloaded from AWS. They are labeled Inside IP Addresses Customer Gateway and will be different for each VPN you create. The firewall rules here are the default rules that are created for a tunnel when using the UI. AWS recommends setting a Maximum Transmission Unit (MTU) of 1436 and so I have.

There are three parts to this: Internet Key Exchange (IKE), Encapsulating Security Payload (ESP), and Site to Site Peers.

Below is the default IKE config. The only thing you need to change here is the IPs in the name of each group. These are the Outside IP Addresses Virtual Private Gateway. Technically you can use any name; I am following the naming convention of a configuration generated by the UI, which is IKE_PEER-IP. Also, notice that the two configurations are identical. You could create one and share it with both tunnels. However, it is possible to configure the two tunnels differently, so I decided to create a configuration for each tunnel.

Finally, note the dead peer detection (DPD) configuration. AWS recommends setting an interval of 10 seconds with three retries.










