- Set up the Site-to-Site IPsec VPN tunnel on both sides (just choose the internal IP for the NAT'd device)
- Set up port forwarding on all routers involved to expose UDP ports `500` and `4500` from the Internet to the Unifi Gateway/Dream Machine/Dream Router (hereinafter referred to as gateway)
- SSH to the gateway (enable SSH first if necessary)
- Edit the appropriate config file in `/run/strongswan/ipsec.d/tunnels` on the gateway that needs to traverse multiple NAT devices
- Add the `leftid` parameter to the config (example below)
- Run `ipsec reload`
The config will be overwritten if any settings are changed via the GUI, and sometimes on firmware updates. It appears you cannot persist these modifications at this time.
- `left` is a private IP since it is behind NAT
- `leftid` is the public-facing IP
- `right` is the remote gateway
- `conn` will be uniquely generated for every config
```
# Generated automatically by ubios-udapi-server
# For ipsec tunnel (site-to-site) 9b49_ffec_1b59_7f57
#
conn 9b49_ffec_1b59_7f57
## basics ##
auto=start
authby=secret
type=tunnel
## timeouts ##
dpdaction=restart
dpddelay=30s
dpdtimeout=120s
## connection data ##
left=192.168.1.155
leftid=142.250.72.46
right=98.137.11.163
mark_in=0x02000000/0xfe000000
mark_out=0x02000000/0xfe000000
## routing ##
leftsubnet=0.0.0.0/0
rightsubnet=0.0.0.0/0
fragmentation=yes
compress=no
## phase 1 (IKE) ##
keyexchange=ikev2
aggressive=no
ike=aes128-sha1-modp2048!
reauth=yes
ikelifetime=28800s
## phase 2 (ESP) ##
esp=aes128-sha1-modp2048!
rekey=yes
keylife=3600s
keyingtries=%forever
forceencaps=no
## notifications ##
leftupdown=/run/strongswan/ipsec.d/tunnels/9b49_ffec_1b59_7f57.ipsec.s2s.updown
```
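Because the GUI and firmware updates overwrite the hand edit, the steps above end up being repeated. The script below is an added example (not from the original post or from Ubiquiti) that makes the edit repeatable: it inserts `leftid=` directly after the `left=` line of a generated tunnel file, skips the edit when it is already present, and offers a check you can run later to see whether the GUI has reverted it. It assumes you pass the full path of the tunnel file (the file name under `/run/strongswan/ipsec.d/tunnels` is not given on the page) and the gateway's public IP, and that `ipsec reload` is on the PATH on the gateway; the sample tunnel file in the comments is constructed.

```shell
#!/bin/sh
# Added example, not part of the original post. Inserts a leftid= line into a
# strongSwan site-to-site tunnel file generated by ubios-udapi-server and
# reloads ipsec. Assumptions: the caller passes the full path of the tunnel
# file and the gateway's public IP; "ipsec reload" exists on the gateway and
# is only run from main, never when the functions are merely sourced.
set -eu

# Return 0 when FILE already carries a leftid= line.
has_leftid() {
    grep -q '^[[:space:]]*leftid=' "$1"
}

# Print the current leftid value of FILE (empty when absent).
get_leftid() {
    sed -n 's/^[[:space:]]*leftid=//p' "$1" | head -n 1
}

# Return 0 when FILE's leftid equals IP. A non-zero result means the GUI or a
# firmware update has regenerated the file and the edit must be re-applied.
leftid_matches() {
    [ "$(get_leftid "$1")" = "$2" ]
}

# add_leftid FILE IP: insert "leftid=IP" right after the left= line, keeping
# that line's indentation. Prints "added", or "present" when already there.
add_leftid() {
    file="$1"; pub="$2"
    # Only accept a dotted quad; anything else is almost certainly a typo.
    printf '%s\n' "$pub" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || {
        echo "add_leftid: '$pub' is not an IPv4 address" >&2
        return 2
    }
    if has_leftid "$file"; then
        echo present
        return 0
    fi
    grep -q '^[[:space:]]*left=' "$file" || {
        echo "add_leftid: no left= line in $file" >&2
        return 2
    }
    # Copy every line; after the first left= line emit leftid= with the same
    # leading whitespace (tab-indented in the generated files).
    awk -v pub="$pub" '
        { print }
        /^[ \t]*left=/ && !done {
            match($0, /^[ \t]*/)
            printf "%sleftid=%s\n", substr($0, 1, RLENGTH), pub
            done = 1
        }
    ' "$file" > "$file.tmp"
    mv "$file.tmp" "$file"
    echo added
}

# main TUNNEL_FILE PUBLIC_IP: apply the edit, then reload strongSwan.
# Constructed sample tunnel file the functions are written against:
#   conn 9b49_ffec_1b59_7f57
#   	left=192.168.1.155
#   	right=98.137.11.163
main() {
    [ $# -eq 2 ] || { echo "usage: $0 TUNNEL_FILE PUBLIC_IP" >&2; exit 1; }
    add_leftid "$1" "$2"
    ipsec reload
}

# Run main only when invoked with both arguments; sourcing the file just
# defines the functions without touching any tunnel or reloading ipsec.
if [ $# -eq 2 ]; then
    main "$@"
fi
```

A cron entry or a post-login check calling `leftid_matches` against the expected public IP is enough to notice when the GUI has regenerated the file; rerunning the script then re-adds the line and reloads.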