(Sort of off-topic) Connecting pfsense <-> Unifi USG
I am trying to get an IpSec tunnel up between a pfsense (production, fixed ip and hostname) and a at-home Unifi USG. I have deployed tons of OpenVPN which works like a charm, but the USG does feature a high throughput on ipsec, so I want to give that a try. However I am not able to get a connection up and running (which also may be related to my admitetly lack of ipsec knowledge):
My pfsense config:
- Phase 2: pfsense_tunnel(1+2)
Maybe important bit of information: The USG is behind a DSL modem which holds the public ip. All queries to the IP are 1:1 NAT'ed to the USG. The USG does not have the public IP on any devices, but does get all queries to/from public ip.
Any help/pointers are very welcomed!
I would start out by looking in the USG log since the pfsense gets a NO_PROPORSAL back from the USG. First step is to ensure both ends has the same SA proposals. Its wierd that you dont have phase1 and a phase2 configuations options on the USG.
I am in the same boat as you here:
pfsense >> Telstra Router >> Internet
USG >> Netcomm Router >> Internet
Obviously allow ports 500 and 4500 in from both routers.
I have the same configuration as you and same error. I will be working on this over the next week or so. Please let me know if you have success and I'll do the same.
I raised a ticket with Ubiquiti and they have told me that OpenVPN and IPSEC will not work on double Nat, which seems ridiculous. Assuming there is a way around this by editing the JSON file on the actual devices.
However when doing this you risk bricking them if the controller conflicts with one of your lines of config.
Have you had any luck?
I eventually (this friday) gave up. I even tried running openVPN on the USG directly (command line) which worked but the transfer speed was abyssmal slow. I installed a tiny Intel NUC (12 Watt) that does OpenVPN just fine with the pfsense. Even with double-Nat :)