
@joelwampler
Created March 8, 2022 18:33
Unifi IPSEC Double NAT Tweak

Steps

  1. Set up the Site-to-Site IPsec VPN tunnel on both sides (for the NAT'd device, just choose its internal IP)
  2. Set up port forwarding on all routers involved to expose UDP ports 500 and 4500 from the Internet to the Unifi Gateway/Dream Machine/Dream Router (hereinafter referred to as the gateway)
  3. SSH to the gateway (enable SSH first if necessary)
  4. Edit the appropriate config file in /run/strongswan/ipsec.d/tunnels on the gateway that needs to traverse multiple NAT devices
  5. Add the leftid parameter to the config (example below)
  6. Run ipsec reload

The config will be overwritten whenever any settings are changed via the GUI, and sometimes on firmware updates. It appears these modifications cannot be persisted at this time.

Example

  • left is the gateway's private IP, since it is behind NAT
  • leftid is the public-facing IP that the remote peer expects to see
  • right is the remote gateway
  • the conn name is generated uniquely for every config

# Generated automatically by ubios-udapi-server
# For ipsec tunnel (site-to-site) 9b49_ffec_1b59_7f57
#
conn 9b49_ffec_1b59_7f57

  ## basics ##
  auto=start
  authby=secret
  type=tunnel

  ## timeouts ##
  dpdaction=restart
  dpddelay=30s
  dpdtimeout=120s

  ## connection data ##
  left=192.168.1.155
  leftid=142.250.72.46
  right=98.137.11.163
  mark_in=0x02000000/0xfe000000
  mark_out=0x02000000/0xfe000000

  ## routing ##
  leftsubnet=0.0.0.0/0
  rightsubnet=0.0.0.0/0
  fragmentation=yes
  compress=no

  ## phase 1 (IKE) ##
  keyexchange=ikev2
  aggressive=no
  ike=aes128-sha1-modp2048!
  reauth=yes
  ikelifetime=28800s

  ## phase 2 (ESP) ##
  esp=aes128-sha1-modp2048!
  rekey=yes
  keylife=3600s
  keyingtries=%forever
  forceencaps=no

  ## notifications ##
  leftupdown=/run/strongswan/ipsec.d/tunnels/9b49_ffec_1b59_7f57.ipsec.s2s.updown
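Steps 4 to 6 boil down to adding one line after left= and reloading. The following script is an added example (not from the gist) that makes that edit idempotently on a constructed copy of the config above; set_leftid, get_leftid and make_sample_conf are names chosen here, and the script assumes the one-left=-per-conn layout shown.

```shell
#!/bin/sh
# Added example, not from the gist: insert or update "leftid=" in a
# strongSwan tunnel config so IKE identifies the gateway by its public IP.
# Assumes the config layout shown above (one "  left=" line per conn) and
# that PUBLIC_IP is the address the remote peer has been configured with.
set -eu

# set_leftid FILE PUBLIC_IP
# Writes "  leftid=PUBLIC_IP" directly after the "left=" line, replacing any
# existing leftid line so the edit is safe to repeat. Returns 1 if FILE has
# no "left=" line, 2 if PUBLIC_IP fails a rough dotted-quad sanity check.
set_leftid() {
    file=$1 ip=$2
    case $ip in
        *[!0-9.]*|*..*|.*|*.) return 2 ;;
    esac
    grep -q '^[[:space:]]*left=' "$file" || return 1
    tmp="$file.tmp.$$"
    awk -v ip="$ip" '
        /^[[:space:]]*leftid=/ { next }                 # drop old leftid
        { print }
        /^[[:space:]]*left=/  { print "  leftid=" ip }  # add after left=
    ' "$file" > "$tmp"
    mv "$tmp" "$file"
}

# get_leftid FILE: prints the current leftid value (empty if none)
get_leftid() {
    sed -n 's/^[[:space:]]*leftid=//p' "$1"
}

# make_sample_conf DIR: writes a constructed tunnel config modelled on the
# one above (without leftid) into DIR and prints its path.
make_sample_conf() {
    f="$1/9b49_ffec_1b59_7f57.conf"
    cat > "$f" <<'EOF'
conn 9b49_ffec_1b59_7f57
  auto=start
  left=192.168.1.155
  right=98.137.11.163
  leftsubnet=0.0.0.0/0
EOF
    echo "$f"
}

# Demo: apply the tweak to the sample; on the gateway you would point
# set_leftid at the real file in /run/strongswan/ipsec.d/tunnels, then
# run "ipsec reload" (step 6 above).
d=$(mktemp -d); conf=$(make_sample_conf "$d")
set_leftid "$conf" 142.250.72.46 && cat "$conf"; rm -rf "$d"
```

Because the GUI regenerates the file, keeping this script around lets you reapply the tweak quickly after a settings change or firmware update.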