Joe G (asker):
Unifi USG behind Edgerouter (VPN ipsec issues)

I really dislike the JSON way to handle multiple public IPs on USG. The EdgeRouter is much friendlier with multiple IPs, but the USG has more security features I'm into for my clients. What is the best way to set up an IPsec site-to-site from outside to reach any of the USGPRO LAN# spaces when it sits behind another router (ER6P)?

Site1 ---> ER6P (Internet) eth0 192.0.0.1/24 --- eth1 10.1.1.1/24 ----> USGPRO WAN 10.1.1.2/24 --- LAN1 10.10.1.1/24
Site2 ---> ER6P (Internet) eth0 192.2.2.1/24 --- eth1 10.2.2.1/24 ----> USGPRO WAN 10.2.2.2/24 --- LAN1 10.20.2.1/24

Currently I'm seeing the USGPRO WAN (10.1.1.2 or 10.2.2.2) when sourcing on either end of the tunnel instead of the real IP from their LAN#. That's not good when needing to restrict IPs with multiple IPsec tunnels.
James Bunch:

Well, the grit of the IPsec tunnel information needs to match exactly. There are two phases, and those encryption methods, timing, handshake method, etc. need to compare to each other. Can you list these stats for us so we can maybe poke a hole in the config?
Joe G (asker):
Thanks. I'll share Friday. I'm going to try something I think I'm missing in this. My main concern was the IP segment behind the 2nd router working when the tunnel was listed on the edge router. I'll report out then. Appreciate the help.
Absolutely, look forward to taking part in figuring it out with ya!
Joe G (asker):
I'm seeing 10 sec drops from one of the routers I'm testing with when I make a simple change; the same change doesn't happen to the other router, so I'm going to wipe and reload first tomorrow when I can.

What is also strange is that I tried listening on UDP 500 eth0 on both routers and only my manual queries came up, nothing from either end with IPsec filled out.... Either case, I'll reload the one tomorrow that I'm seeing strange behaviors from and then post the configs for both.
Make sure their firmware is updated completely if you haven't already, check for any notes on the manufacturer site of known bugs, etc. When you wipe, are you going to build from scratch or deploy a backup of sorts?
Joe G (asker):
I wiped and reloaded; all OK now on the strange behavior (freezing, taking too long to commit a change). Now on to the crux of this post.

Now, I got the setup working:
#overview
Site1 ---> ER6P (Internet) eth0 192.0.0.1/24 --- eth1 10.1.1.1/24 ----> USGPRO WAN 10.1.1.2/24 --- LAN1 10.10.1.1/24
Site2 ---> ER6P (Internet) eth0 192.2.2.1/24 --- eth1 10.2.2.1/24 ----> USGPRO WAN 10.2.2.2/24 --- LAN1 10.20.2.1/24
#VPNipsec
Site1 IPsec to Site2 OK. Tunnel traffic from Site1 USGPRO LAN1 to Site2 USGPRO LAN1 is working when I did a route-based (VTI) configuration instead of a policy-based one.
#PATproblem
I can't find a good way to remove the PAT from the Site1 or Site2 USGPRO when it goes over the tunnel. When I source from Site1 USGPRO LAN1, the other site (Site2) USGPRO LAN1 sees the Site1 USGPRO WAN 10.1.1.2, not the LAN 10.10.1.1/24 where I'm sourcing from.

Can the USGPro remove the PAT (I think that is the term for it) for this particular type of traffic?
Asker certified solution by Joe G (content restricted to members, not shown).
Joe G (asker):
Here is the working JSON file just to remove the corp networks on a USG from a NAT in my setup. You have to create a static route on the edge device for traffic to flow back.

I only removed the corp network from the NAT; I left the other two built-in service NATs in place (remote and guest).

{
    "service": {
        "nat": {
            "rule": {
                "6001": {
                    "description": "MASQ corporate_network to WAN",
                    "disable": "''",
                    "log": "disable",
                    "outbound-interface": "eth2",
                    "protocol": "all",
                    "source": {
                        "group": {
                            "network-group": "corporate_network"
                        }
                    }
                }
            }
        }
    }
}
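Added example, not from the thread or from Ubiquiti: a small model of the two pieces of the fix described above (the USG NAT override that disables rule 6001, and the static return route on the ER6P), so the PAT symptom can be reproduced and checked offline. The WAN/LAN addresses follow Site1 in the thread; the rule numbering, the network-group names other than corporate_network, and the group memberships are constructed assumptions.

```python
import ipaddress
import json

# Constructed to match Site1: USG WAN eth2 10.1.1.2/24, LAN1 10.10.1.0/24.
USG_WAN_IP = "10.1.1.2"
# Assumed layout of the USG's built-in outbound masquerade rules (6001 corporate,
# 6002 remote users, 6003 guest); only corporate_network is taken from the thread.
BUILTIN_NAT = {
    "6001": {"outbound-interface": "eth2", "network-group": "corporate_network"},
    "6002": {"outbound-interface": "eth2", "network-group": "remote_user_network"},
    "6003": {"outbound-interface": "eth2", "network-group": "guest_network"},
}
NETWORK_GROUPS = {  # constructed sample membership
    "corporate_network": ["10.10.1.0/24"],
    "remote_user_network": ["192.168.2.0/24"],
    "guest_network": ["10.10.9.0/24"],
}

def nat_override(rule_ids):
    """config.gateway.json fragment disabling the given built-in rules ("disable": "''")."""
    return {"service": {"nat": {"rule": {rid: {"disable": "''"} for rid in rule_ids}}}}

def source_after_nat(src_ip, out_iface, override=None):
    """Source address the far side sees after the USG's outbound NAT rules run."""
    disabled = set()
    if override:
        rules = override["service"]["nat"]["rule"]
        disabled = {rid for rid, body in rules.items() if "disable" in body}
    src = ipaddress.ip_address(src_ip)
    for rid in sorted(BUILTIN_NAT):          # lowest rule number wins first
        rule = BUILTIN_NAT[rid]
        if rid in disabled or rule["outbound-interface"] != out_iface:
            continue
        nets = NETWORK_GROUPS.get(rule["network-group"], [])
        if any(src in ipaddress.ip_network(n) for n in nets):
            return USG_WAN_IP                 # masqueraded: the symptom in the thread
    return src_ip                             # forwarded untranslated into the tunnel

def next_hop(routes, dst_ip):
    """Longest-prefix match over (prefix, next_hop) pairs, like the ER6P's routing table."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, nh in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None

if __name__ == "__main__":
    fix = nat_override(["6001"])
    print(json.dumps(fix, indent=2))
    print(source_after_nat("10.10.1.50", "eth2"), source_after_nat("10.10.1.50", "eth2", fix))
```

Without the static route for 10.10.1.0/24 via 10.1.1.2, the ER6P sends return traffic to its default route instead of back to the USG, which is why the thread notes that route is required.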