- Set up the Site-to-Site IPsec VPN tunnel on both sides (just choose the internal IP for the NAT'd device)
- Set up port forwarding on all routers involved to expose UDP ports 500 and 4500 from the Internet to the Unifi Gateway/Dream Machine/Dream Router (hereinafter referred to as gateway)
- ssh to the gateway (enable SSH first if necessary)
- Edit the appropriate config file in /run/strongswan/ipsec.d/tunnels on the gateway that needs to traverse multiple NAT devices
- Add the leftid parameter to the config (example below)
- run ipsec reload

The config will be overwritten if any settings are changed via the GUI, and sometimes on firmware updates. It appears you cannot persist these modifications at this time.
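The reason leftid matters here: when the gateway sits behind NAT, its own address (left) is a private IP, and strongSwan uses that address as the IKE identity unless leftid says otherwise, so the remote peer's identity check fails because it expects the public address. The script below is an added example, not code from the original post or from Ubiquiti/strongSwan: it builds a constructed sample tunnel file, inserts a leftid= line into the named conn block only if one is not already there (so re-running it after the GUI overwrites the file is safe), and reads the value back. The conn name peer-site, the addresses and the temp-dir path are assumptions/placeholders; on a real gateway you would point it at the file under /run/strongswan/ipsec.d/tunnels and follow with ipsec reload.

```shell
#!/bin/sh
# Added example (not from the original post): idempotently add a leftid=
# line to one conn block of a strongSwan ipsec.conf-style tunnel file.
# Conn name, addresses and paths are placeholders, not values from the post.

# Constructed sample tunnel file so the example runs offline.
# left is the gateway's private (NAT'd) address; without leftid that
# private address becomes the IKE identity sent to the peer.
make_sample_config() {
    dir=$(mktemp -d)
    cat > "$dir/peer-site.conf" <<'EOF'
conn peer-site
    left=192.0.2.10
    leftsubnet=10.10.0.0/24
    right=203.0.113.5
    rightsubnet=10.20.0.0/24
    auto=start
EOF
    echo "$dir/peer-site.conf"
}

# has_leftid FILE CONN: exit 0 if the named conn block already has leftid=
has_leftid() {
    awk -v conn="$2" '
        $1 == "conn" { inblock = ($2 == conn) }
        inblock && $0 ~ /^[ \t]*leftid[ \t]*=/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# get_leftid FILE CONN: print the leftid value of the named conn block
get_leftid() {
    awk -v conn="$2" '
        $1 == "conn" { inblock = ($2 == conn) }
        inblock && $0 ~ /^[ \t]*leftid[ \t]*=/ {
            sub(/^[ \t]*leftid[ \t]*=[ \t]*/, ""); print; exit
        }
    ' "$1"
}

# add_leftid FILE CONN ID: insert "leftid=ID" right after "conn CONN",
# unless the block already carries a leftid line (safe to re-run).
add_leftid() {
    file=$1; conn=$2; id=$3
    if has_leftid "$file" "$conn"; then
        return 0
    fi
    awk -v conn="$conn" -v id="$id" '
        { print }
        $1 == "conn" && $2 == conn { print "    leftid=" id }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Demo: patch the constructed file with a placeholder public address.
cfg=$(make_sample_config)
add_leftid "$cfg" peer-site 198.51.100.7   # 198.51.100.7 = assumed public IP
echo "leftid now: $(get_leftid "$cfg" peer-site)"
cat "$cfg"
# On a real gateway the next step would be: ipsec reload
rm -rf "$(dirname "$cfg")"
```

Set leftid to whatever the remote side has configured as rightid (typically the public address the peer sees); the two must match exactly or IKE authentication will still fail even though the tunnel packets now arrive.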