
Unifi USG behind Edgerouter (VPN ipsec issues)

Last Modified: 2019-07-08
I really dislike the JSON way to handle multiple public IPs on the USG. The EdgeRouter is much friendlier to use with multiple IPs, but the USG has more security features I'm into for my clients. What is the best way to set up an IPsec site-to-site from outside to reach any of the USGPRO LAN# spaces when it sits behind another router (ER6P)?

Site1 ---> ER6P (Internet) eth0 192.0.0.1/24 --- eth1 10.1.1.1/24 ----> USGPRO WAN 10.1.1.2/24 --- LAN1 10.10.1.1/24
Site2 ---> ER6P (Internet) eth0 192.2.2.1/24 --- eth1 10.2.2.1/24 ----> USGPRO WAN 10.2.2.2/24 --- LAN1 10.20.2.1/24

Right now I'm seeing the USGPRO WAN (10.1.1.2 or 10.2.2.2) when sourcing on either end of the tunnel instead of the real IP from their LAN#. That's not good when needing to restrict IPs with multiple IPsec tunnels.

James Bunch, Systems Engineer
CERTIFIED EXPERT

Commented:
Well, the grit of the IPsec tunnel information needs to match exactly. There are two phases and those encryption methods, timing, handshake method etc. need to compare to each other. Can you list these stats for us so we can maybe poke a hole in the config?
Joe G, IT personal

Author

Commented:
Thanks.  I’ll share Friday.  I’m going to try something I think I’m missing in this.  My main concern was the ip segment behind the 2nd router working when the tunnel was listed on the edge router.  I’ll report out then. Appreciate the help.
James Bunch, Systems Engineer
CERTIFIED EXPERT

Commented:
Absolutely, look forward to taking part in figuring it out with ya!
Joe G, IT personal

Author

Commented:
I'm seeing 10 sec drops from one of the routers I'm testing with when I make a simple change; the same change doesn't happen to the other router, so I'm going to wipe and reload first tomorrow when I can.

What is also strange is that I tried listening on UDP 500 eth0 on both routers and only my manual queries came up, nothing from either end with IPsec filled out.... In either case, I'll reload the one tomorrow that I'm seeing strange behaviors from and then post the configs for both.
James Bunch, Systems Engineer
CERTIFIED EXPERT

Commented:
Make sure their firmware is updated completely if you haven't already, and check for any notes on the manufacturer's site of known bugs, etc. When you wipe, are you going to build from scratch or deploy a backup of sorts?
Joe G, IT personal

Author

Commented:
I wiped and reloaded; all OK now on the strange behavior (freezing, taking too long to commit a change). Now on to the crux of this post.

Now, I've got the setup working:
#overview
Site1 ---> ER6P (Internet) eth0 192.0.0.1/24 --- eth1 10.1.1.1/24 ----> USGPRO WAN 10.1.1.2/24 --- LAN1 10.10.1.1/24
Site2 ---> ER6P (Internet) eth0 192.2.2.1/24 --- eth1 10.2.2.1/24 ----> USGPRO WAN 10.2.2.2/24 --- LAN1 10.20.2.1/24
#VPNipsec
Site1 IPsec to Site2 OK. Tunnel traffic from Site1 USGPRO LAN1 to Site2 USGPRO LAN1 is working when I did a route-based (VTI) configuration instead of a policy-based one.
#PATproblem
I can't find a good way to remove the PAT from the Site1 or Site2 USGPRO when it goes over the tunnel. When I source from Site1 USGPRO LAN1, the other site's (Site2) USGPRO LAN1 sees the Site1 USGPRO WAN 10.1.1.2, not the LAN 10.10.1.1/24 where I'm sourcing from.

Can the USGPro remove the PAT (I think that is the term for it) for this particular type of traffic?
IT personal
Commented:
I realized I'm looking to make my USG into a bridge. I found posts on how to disable the service NAT rule for the corp network (rule 6001). I just tested it and I saw my real IP come across the other side from behind the USG. I'm all set for now. Thank you.
Joe G, IT personal

Author

Commented:
Here is the working JSON file just to remove the corp networks on a USG from NAT in my setup. You have to create a static route on the edge device for traffic to flow back.

I only removed the corp network from the NAT; I left the other two built-in service NATs in place (remote and guest).

{
    "service": {
        "nat": {
            "rule": {
                "6001": {
                    "description": "MASQ corporate_network to WAN",
                    "disable": "''",
                    "log": "disable",
                    "outbound-interface": "eth2",
                    "protocol": "all",
                    "source": {
                        "group": {
                            "network-group": "corporate_network"
                        }
                    }
                }
            }
        }
    }
}
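The two moving parts of the fix above are (1) a config.gateway.json override that the controller merges over the USG's provisioned config so that only rule 6001 loses its masquerade, and (2) a static route on the upstream EdgeRouter so replies to the now un-NATed LAN prefix find their way back through the USG WAN address. The following Python script is an added illustration of both, not code from the thread or from Ubiquiti: it merges the posted override into a constructed stand-in for the provisioned NAT section, reports which rules still masquerade, and prints the EdgeOS `set protocols static route` lines the edge device would need. The base config, and the rule numbers 6002 and 6003 for the remote and guest NATs, are assumptions made for the example; only 6001 is named on the page.

```python
import copy
import ipaddress
import json

# Constructed stand-in for the controller-provisioned NAT section of a USG.
# Rule 6001 is named in the thread; 6002/6003 are assumed numbers for the
# "remote" and "guest" masquerade rules the author says were left in place.
BASE_CONFIG = {
    "service": {"nat": {"rule": {
        "6001": {"description": "MASQ corporate_network to WAN",
                 "outbound-interface": "eth2", "protocol": "all",
                 "type": "masquerade",
                 "source": {"group": {"network-group": "corporate_network"}}},
        "6002": {"description": "MASQ remote_user_vpn_network to WAN",
                 "outbound-interface": "eth2", "protocol": "all",
                 "type": "masquerade",
                 "source": {"group": {"network-group": "remote_user_vpn_network"}}},
        "6003": {"description": "MASQ guest_network to WAN",
                 "outbound-interface": "eth2", "protocol": "all",
                 "type": "masquerade",
                 "source": {"group": {"network-group": "guest_network"}}},
    }}}
}

# The override as posted in the thread. "''" is the empty-value marker
# config.gateway.json uses for a node such as "disable" that takes no value.
OVERRIDE_JSON = """
{"service": {"nat": {"rule": {"6001": {
    "description": "MASQ corporate_network to WAN",
    "disable": "''",
    "log": "disable",
    "outbound-interface": "eth2",
    "protocol": "all",
    "source": {"group": {"network-group": "corporate_network"}}
}}}}}
"""


def deep_merge(base, override):
    """Recursively overlay override onto base; scalars in override win,
    nested dicts are merged key by key so untouched rules survive."""
    out = copy.deepcopy(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(out.get(key), dict):
            out[key] = deep_merge(out[key], value)
        else:
            out[key] = copy.deepcopy(value)
    return out


def masquerade_state(config):
    """Map NAT rule number -> True if the rule is still active (masquerading),
    False if a 'disable' node is present on it."""
    rules = config["service"]["nat"]["rule"]
    return {num: "disable" not in body for num, body in rules.items()}


def edge_return_routes(usg_wan_ip, usg_lans):
    """EdgeOS configure-mode commands giving the upstream router a path back
    to each un-NATed LAN prefix via the USG's WAN address. Interface
    addresses such as 10.10.1.1/24 are normalised to their network."""
    commands = []
    for lan in usg_lans:
        network = ipaddress.ip_network(lan, strict=False)
        commands.append(f"set protocols static route {network} next-hop {usg_wan_ip}")
    return commands


def main():
    merged = deep_merge(BASE_CONFIG, json.loads(OVERRIDE_JSON))
    for rule, active in sorted(masquerade_state(merged).items()):
        print(f"rule {rule}: {'masquerade' if active else 'DISABLED (real source IP passes)'}")
    # Site1 from the thread's diagram: USG WAN 10.1.1.2, LAN1 10.10.1.1/24
    print("\n".join(edge_return_routes("10.1.1.2", ["10.10.1.1/24"])))


if __name__ == "__main__":
    main()
```

Running it shows 6001 disabled while 6002 and 6003 keep masquerading, and emits `set protocols static route 10.10.1.0/24 next-hop 10.1.1.2` for the Site1 ER6P (the Site2 edge device needs the mirror-image route for 10.20.2.0/24 via 10.2.2.2). Once the masquerade is gone, the far end sees the true LAN source, so any per-IP restrictions on the tunnel should be written against the LAN prefixes rather than the USG WAN addresses.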