Setting up IPsec between UniFi and OPNsense

As safe as possible… ‘Sigh’

So yes, I do understand you want to configure an IPsec tunnel between an UniFi router and OPNsense device. Right under here is what you’re looking for! Now I do expect you already know how IPsec works and what local and remote networks mean. This page is solely meant to help you out to get the tunnel up and running.

The UniFi controller settings

Here are the settings you need on the UniFi side:

Standard options:

  • Name: Name it whatever you want!
  • Enabled: Yes
  • Remote subnets: Put any remote subnet in here that you want the USG to be able to reach to.
  • Route Distance: Default is fine, unless needed otherwise.
  • Peer IP: The remote IP of the OPNsense you want to terminate your IPsec tunnel to.
  • Local WAN IP: The IP of the interface you want to terminate the tunnel on.
  • Pre-Shared Key: Make this something vague and long and don’t share it. Read below for best practices.

Advanced options:

  • Key Exchange Version: IKEv2, it’s just better. If a device supports it. It supports better encryption, lower bandwidth use, resists network changes (MOBIKE), more reliability and it’s more resistant to DoS attacks.
  • Encryption: AES-256, AES-NI is almost default by now… If you don’t have this forget it. AES-128 is fine enough though, 256 gives you around 40-50% more overhead. But it’s harder to crack.
  • Hash: SHA1. Yes, I wish SHA256 was an option within the controller. Because it is in the CLI…
  • DH Group: 21 at least in combination with AES-256. 20 is fine with AES-128.
  • PFS: Gives the assurance that future session keys will not be compromised in case older long-term ones are.
  • Dynamic Routing: Disable this, it’ll otherwise just not work.

Save it!

Unifi_Settings
UniFi settings in the GUI, click for full size

OPNsense settings

Here are minimal settings you need on the OPNsense side:

Phase 1:

  • Connection method: Use whatever, I use start on traffic for my case.
  • Key Exchange Version: V2. Like it says above, it’s just better. If a device supports it. It supports better encryption, lower bandwidth use, resists network changes (MOBIKE), more reliability and it’s more resistant to DoS attacks.
  • Internet Protocol: IPv4
  • Interface: Pick what the IPsec tunnel should terminate on.
  • Remote gateway: The IP of the UniFi gateway you want the tunnel to terminate onto.
  • Authentication method: Mutual PSK
  • My identifier: Use IP address. The same IP used in ‘Peer IP’ in the UniFi GUI.
  • Peer identifier: Use IP address. Use the same IP that is used on ‘Local Wan IP’ in the UniFi GUI.
  • Encryption algorithm: AES-256
  • Hash algorithmb: SHA1
  • DH key group: 21
  • Lifetime: 28800, this time is used underwater in UniFi.
  • Install policy: Enabled
  • Tunnel Isolation: Enabled or disabled, try what works for you. It worked better for me.
  • Disable MOBIKE: Your specific usecase.

Save it!

 

Phase 2:

  • Mode: Tunnel IPv4
  • Local network: Use any type and setting you require.
  • Remote network: Use any type and setting you require.
  • Protocol: ESP. Always use ESP.
  • Encryption algorithms: AES-256
  • Hash algorithm: SHA1
  • PFS key group: 21
  • Lifetime: 3600. This is the default time UniFi uses.

Save it!

OPNsense_Phase1
Phase 1 settings in the GUI, click for full size
OPNsense_Phase2
Phase 2 settings in the GUI, click for full size

Your tunnel should now work. If not, be sure to contact me!