April 12, 2019

UniFi USG + Sophos UTM 9 Site-to-Site VPN

On your UTM

  1. Go to Site-to-site VPN > IPsec > Remote Gateways > New Remote Gateway...
  2. Give it a name
  3. Set the Gateway type to "Initiate connection"
  4. For the Gateway, click the + button
  5. Give it a name
  6. Set the Type to "Host"
  7. Set the IPv4 address to the public WAN address of your USG
  8. Click Save
  9. Set the Authentication type to "Preshared key"
  10. Create a Key and type it again in Repeat. You will need this key again when configuring your USG.
  11. Leave the VPN ID type and VPN ID as they are
  12. Under Remote networks, add any networks on the USG's end that should be included in the VPN tunnel
  13. Click Save
  14. Go to Site-to-site VPN > IPsec > Connections > New IPsec Connection...
  15. Give it a name
  16. Set the Remote gateway to the remote gateway created in steps 1-13
  17. Set the Local interface to your WAN interface
  18. Set the Policy to "AES-256"
  19. Under Local Networks, add any networks on the UTM's end that should be included in the VPN tunnel
  20. Make sure Automatic firewall rules is checked
  21. Click Save

On your USG

  1. Go to Settings > Networks > Create New Network
  2. Give it a name
  3. Set the Purpose to "Site-to-Site VPN"
  4. Set the VPN Type to "Manual IPsec"
  5. Enter the remote subnets you will need to access on your UTM's end of the tunnel (in CIDR format). These should be the same as the local networks set in Step 19 of the UTM configuration above
  6. Set the Peer IP to the public WAN address of your UTM that will be used for the VPN tunnel
  7. Set the Local WAN IP to the public WAN address of your USG
  8. Set the Pre-Shared Key to the same PSK you used in Step 10 of the UTM configuration above
  9. Set the IPsec Profile to "Customized"
  10. Click Advanced Options
  11. Change the Key Exchange Version to "IKEv1"
  12. Change the Encryption to "AES-256"
  13. Change the Hash to "MD5"
  14. Change the DH Group to "5"
  15. Deselect both PFS and Dynamic Routing
  16. Click Save
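The two sides only negotiate when their settings mirror each other: each device's remote networks must be the other's local networks, the peer addresses must point at each other, the pre-shared key must be identical, and the phase 1/phase 2 proposal (IKE version, cipher, hash, DH group, PFS) must match. The script below is an added example, not part of the original post and not UniFi or Sophos code. It models both configurations as data, reports the mismatches that most often leave the tunnel stuck in "connecting", and warns where the chosen algorithms fall below current guidance. It assumes the UTM's built-in "AES-256" policy ends up with the same proposal the USG steps 11-15 configure (the post does not break that policy down); all addresses, subnets and the key are constructed sample values.

```python
"""Consistency check for a UTM <-> USG manual IPsec site-to-site tunnel.

Added example: models both sides of the tunnel and flags mismatches before
you click Save on the second device. Sample values below are constructed
(TEST-NET addresses, private subnets, a dummy key), not real ones.
"""
from dataclasses import dataclass, replace
import ipaddress


@dataclass
class IpsecSide:
    name: str
    wan_ip: str              # this device's own public WAN address
    peer_ip: str             # the far end's public WAN address
    local_networks: tuple    # subnets this device puts into the tunnel
    remote_networks: tuple   # subnets it expects behind the far end
    psk: str
    ike_version: int
    encryption: str
    hash_alg: str
    dh_group: int
    pfs: bool


# Algorithms that still interoperate but sit below current guidance.
WEAK_HASHES = {"MD5", "SHA1"}
WEAK_DH_GROUPS = {1, 2, 5}


def _nets(cidrs):
    """Parse CIDR strings strictly, so 10.0.0.1/24 is rejected as a typo."""
    return {ipaddress.ip_network(c, strict=True) for c in cidrs}


def check_tunnel(a, b):
    """Return (errors, warnings); an empty error list means the two
    configurations mirror each other as the steps above require."""
    errors, warnings = [], []

    # Peer addresses must point at each other (UTM step 7, USG steps 6-7).
    if a.peer_ip != b.wan_ip:
        errors.append(f"{a.name} peer {a.peer_ip} != {b.name} WAN {b.wan_ip}")
    if b.peer_ip != a.wan_ip:
        errors.append(f"{b.name} peer {b.peer_ip} != {a.name} WAN {a.wan_ip}")

    # Each side's remote networks must be the other side's local networks
    # (UTM steps 12 and 19, USG step 5).
    if _nets(a.remote_networks) != _nets(b.local_networks):
        errors.append(f"{a.name} remote networks != {b.name} local networks")
    if _nets(b.remote_networks) != _nets(a.local_networks):
        errors.append(f"{b.name} remote networks != {a.name} local networks")

    # The pre-shared key must be identical (UTM step 10, USG step 8).
    if a.psk != b.psk:
        errors.append("pre-shared keys differ")

    # Proposal parameters must agree on both sides (USG steps 11-15).
    for attr in ("ike_version", "encryption", "hash_alg", "dh_group", "pfs"):
        if getattr(a, attr) != getattr(b, attr):
            errors.append(f"{attr}: {getattr(a, attr)} vs {getattr(b, attr)}")

    # Not mismatches, but worth knowing before the tunnel goes into service.
    if a.hash_alg.upper() in WEAK_HASHES:
        warnings.append(f"hash {a.hash_alg} is below current guidance")
    if a.dh_group in WEAK_DH_GROUPS:
        warnings.append(f"DH group {a.dh_group} is below current guidance")
    if not a.pfs:
        warnings.append("PFS disabled: phase 2 keys derive from the phase 1 exchange")

    return errors, warnings


# Constructed sample configuration following the steps above.
UTM = IpsecSide("UTM", wan_ip="203.0.113.10", peer_ip="198.51.100.20",
                local_networks=("192.168.50.0/24",),
                remote_networks=("10.10.0.0/24",),
                psk="example-psk-change-me", ike_version=1,
                encryption="AES-256", hash_alg="MD5", dh_group=5, pfs=False)
USG = IpsecSide("USG", wan_ip="198.51.100.20", peer_ip="203.0.113.10",
                local_networks=("10.10.0.0/24",),
                remote_networks=("192.168.50.0/24",),
                psk="example-psk-change-me", ike_version=1,
                encryption="AES-256", hash_alg="MD5", dh_group=5, pfs=False)


def demo_matching():
    return check_tunnel(UTM, USG)


def demo_mismatch():
    """Same pair, but the USG's remote subnet was typed with the wrong mask."""
    bad = replace(USG, remote_networks=("192.168.50.0/25",))
    return check_tunnel(UTM, bad)


if __name__ == "__main__":
    errors, warnings = demo_matching()
    print("errors:", errors or "none")
    for w in warnings:
        print("warning:", w)
```

With the values the post prescribes the check passes with no errors but three warnings (MD5, DH group 5, PFS off); if both ends support it, SHA-256 with DH group 14 and PFS on is the better choice, changed on both sides at once.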

Finishing up

Once both devices are configured, you may need to toggle the IPsec connection off and on again on the UTM. Click Site-to-site VPN on the UTM to see the connection status. It may take up to a minute or two for the connection to establish.

Note: I was not able to get this to work with the USG double-NATted or in a DMZ. If your USG does not have a public WAN address from your ISP then YMMV. Good luck.
