UniFi USG Firewall

To configure the tunnel in the UniFi USG Management Portal:

  1. Log in to the UniFi USG Management Portal with the Administrator account.

  2. Click VPN, and then click the Site-to-Site VPN tab.

  3. Specify these:

    Field                   Enter
    VPN Type                IPsec
    Name                    Name for the network.
    Pre-shared key          The secret key specified in Configuring the Tunnel in the Harmony SASE Administrator Portal. It must be identical on both sides; use a long, random value, not a word or phrase.
    Local IP                Public IP address of the UniFi USG firewall (its WAN address).
    Remote IP / Hostname    Harmony SASE gateway IP.
    VPN Method              Route Based
    Remote Network(s)       Static

  4. Click Add.

  5. In the Subnet field, click Edit to enter the Harmony SASE network subnet. The default value is 10.255.0.0/16.

  6. In the Advanced section, select Manual and specify these. Every value here must match the proposal configured on the Harmony SASE side, or IKE negotiation fails:

    Field                           Enter
    Key Exchange version            IKEv2
    IKE
      Encryption                    AES-256
      Hash                          SHA1
      DH Group                      21
      Lifetime                      28800 (seconds, 8 hours)
    ESP
      Encryption                    AES-256
      Hash                          SHA1
      DH Group                      21
      Lifetime                      3600 (seconds, 1 hour)
    Perfect Forward Secrecy (PFS)   Enable
    Local Authentication ID         Select Auto
    Remote Authentication ID        Select Auto
    Maximum Transmission Unit       Select Auto
    Route Distance                  Administrative distance for the route the USG adds toward the remote network (a lower value wins when routes overlap).

    SHA1 here is the HMAC integrity algorithm, which is still acceptable for IPsec, but if the Harmony SASE proposal offers SHA-256, prefer it on both sides. DH group 21 is the 521-bit elliptic-curve group; keep PFS enabled so that each ESP rekey performs a fresh key exchange instead of deriving from the IKE SA.

  7. Click Add.

    To create a route-based IPsec site-to-site connection between Harmony SASE and your Ubiquiti network:

    1. Set Dynamic Routing to Enable.

    2. Add every other subnet listed in Remote Subnets, and make sure that a reverse route exists under Static Routes in the UniFi USG firewall for each connected subnet, so that its return traffic goes through the Harmony SASE interface.

    3. In the Harmony SASE Administrator Portal, change Harmony SASE Gateway Proposal Subnets and Remote Gateway Proposal Subnets to Any (0.0.0.0/0).

    4. Create separate static routes in Harmony SASE.

  8. Add static routes so that traffic for the Harmony SASE subnet (10.255.0.0/16 by default) leaves the USG through the VPN interface; the reverse route from Harmony SASE to the local network is configured on the Harmony SASE side:

    1. Go to Routing & Firewall > Static Routes > Create New Route.

    2. Enter these:

      Field                 Enter
      Name                  Name for the static route.
      Enabled               Select the Enable this route checkbox.
      Type                  Static
      Destination Network   Harmony SASE subnet. The default is 10.255.0.0/16.
      Static Route Type     Interface
      Interface             Select the interface created in the previous procedure.

    3. Click Save.

  9. Create a firewall rule that allows traffic from the Harmony SASE subnet to the LAN network. Scope it to the Harmony SASE subnet as source and to the LAN hosts and ports that remote users actually need, rather than allowing all traffic from the tunnel.

  10. If IPS/IDS is enabled on the UniFi USG firewall, then to establish a tunnel between the Harmony SASE network and UniFi USG firewall version 7 and later, create an exception in the threat detection system:

    1. Click the Firewall & Security tab.

    2. Click Create New Allow List.

    3. Select the site-to-site network that you created for this setup.

    4. Save your changes.
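Once the steps above are complete, it is worth confirming that what the USG actually negotiated matches what was configured. The following is an added example, not code from the Harmony SASE or Ubiquiti documentation: a POSIX shell script meant to be run over SSH on the USG against the output of `sudo ipsec statusall` (strongSwan) and `ip route`. It checks that the IKE SA is established, that the ESP CHILD_SA is installed with the AES-256/SHA1/DH group 21 proposal from step 6, that the traffic selectors are the 0.0.0.0/0 from step 7, and that the step 8 route for 10.255.0.0/16 points at the VTI interface. The peer address 203.0.113.10, the USG WAN address 198.51.100.5, the interface name vti0, the connection name format and both command outputs are constructed assumptions so the script runs offline.

```shell
#!/bin/sh
# Added post-configuration check for the route-based IPsec tunnel (not part of the
# Harmony SASE or Ubiquiti documentation). On the USG it would run against live output:
#   STATUS=$(sudo ipsec statusall); ROUTES=$(ip route)
# Both are constructed samples here so the script runs offline.
# Hypothetical values: 203.0.113.10 = Harmony SASE gateway, 198.51.100.5 = USG WAN, vti0 = tunnel interface.

# Expected proposal in strongSwan's names, matching step 6: AES-256, SHA1, DH group 21 (ECP_521).
EXPECTED_ENC="AES_CBC_256"
EXPECTED_INTEG="HMAC_SHA1_96"
EXPECTED_DH="ECP_521"

# Constructed sample of `ipsec statusall` with the tunnel up. The VTI connection is assumed to be
# named peer-<ip>-tunnel-vti; [n] lines describe the IKE SA, {n} lines the ESP CHILD_SA.
SAMPLE_STATUS='Security Associations (1 up, 0 connecting):
peer-203.0.113.10-tunnel-vti[1]: ESTABLISHED 23 minutes ago, 198.51.100.5[198.51.100.5]...203.0.113.10[203.0.113.10]
peer-203.0.113.10-tunnel-vti[1]: IKEv2 SPIs: 3a1c9f0e8b2d4c61_i* 7e5f2b8c1d9a0f43_r, pre-shared key reauthentication in 7 hours
peer-203.0.113.10-tunnel-vti[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_521
peer-203.0.113.10-tunnel-vti{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c4e2a1b3_i d9f0e7a6_o
peer-203.0.113.10-tunnel-vti{1}:  AES_CBC_256/HMAC_SHA1_96/ECP_521, 512 bytes_i (6 pkts, 12s ago), 480 bytes_o (6 pkts, 12s ago), rekeying in 41 minutes
peer-203.0.113.10-tunnel-vti{1}:   0.0.0.0/0 === 0.0.0.0/0'

# Constructed sample of `ip route` showing the step 8 route for the Harmony SASE subnet over the VTI.
SAMPLE_ROUTES='default via 198.51.100.1 dev eth0
10.255.0.0/16 dev vti0 proto zebra metric 30
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.1'

# peer_lines <peer-ip> <statusall-output>: only the lines belonging to that peer's VTI connection
peer_lines() {
  printf '%s\n' "$2" | grep "^peer-$1-tunnel-vti"
}

# ike_established <peer-ip> <statusall-output>: succeeds if the IKE SA with the peer is ESTABLISHED
ike_established() {
  peer_lines "$1" "$2" | grep -q ': ESTABLISHED '
}

# child_sa_installed <peer-ip> <statusall-output>: succeeds if an ESP CHILD_SA is INSTALLED in tunnel mode
child_sa_installed() {
  peer_lines "$1" "$2" | grep -q 'INSTALLED, TUNNEL'
}

# proposal_matches <peer-ip> <statusall-output>: succeeds only if both the IKE SA and the CHILD_SA
# negotiated the expected algorithms. With PFS enabled the DH group also appears on the CHILD_SA line.
proposal_matches() {
  peer_lines "$1" "$2" | grep 'IKE proposal:' \
    | grep -q "$EXPECTED_ENC/$EXPECTED_INTEG/PRF_HMAC_SHA1/$EXPECTED_DH" || return 1
  peer_lines "$1" "$2" | grep 'bytes_i' \
    | grep -q "$EXPECTED_ENC/$EXPECTED_INTEG/$EXPECTED_DH,"
}

# traffic_selectors_any <peer-ip> <statusall-output>: succeeds if the SA carries 0.0.0.0/0 === 0.0.0.0/0,
# which is what the "Any" proposal subnets from step 7 negotiate for a route-based tunnel
traffic_selectors_any() {
  peer_lines "$1" "$2" | grep -q '0.0.0.0/0 === 0.0.0.0/0'
}

# reverse_route_present <subnet> <iface> <ip-route-output>: succeeds if the subnet is routed out that interface
reverse_route_present() {
  printf '%s\n' "$3" | grep -Fq "$1 dev $2"
}

# tunnel_check <peer-ip> <remote-subnet> <vti-iface> <statusall-output> <ip-route-output>
# Prints one line per check and returns 0 only if every check passed.
tunnel_check() {
  rc=0
  ike_established "$1" "$4"            && echo "ok   IKE SA with $1 is ESTABLISHED"                || { echo "FAIL no ESTABLISHED IKE SA with $1 (check PSK, IDs, reachability)"; rc=1; }
  child_sa_installed "$1" "$4"         && echo "ok   ESP CHILD_SA installed"                       || { echo "FAIL CHILD_SA not installed (check ESP proposal and PFS)"; rc=1; }
  proposal_matches "$1" "$4"           && echo "ok   proposal $EXPECTED_ENC/$EXPECTED_INTEG/$EXPECTED_DH" || { echo "FAIL negotiated proposal differs from AES-256/SHA1/DH21"; rc=1; }
  traffic_selectors_any "$1" "$4"      && echo "ok   traffic selectors are 0.0.0.0/0 (route based)" || { echo "FAIL traffic selectors are not Any (step 7)"; rc=1; }
  reverse_route_present "$2" "$3" "$5" && echo "ok   $2 routed via $3"                             || { echo "FAIL no route for $2 via $3 (step 8)"; rc=1; }
  return $rc
}

tunnel_check 203.0.113.10 10.255.0.0/16 vti0 "$SAMPLE_STATUS" "$SAMPLE_ROUTES"
```

To use it live, replace the two samples with `STATUS=$(sudo ipsec statusall)` and `ROUTES=$(ip route)` and pass those to tunnel_check. A failing proposal check usually means the Harmony SASE side offers different algorithms or PFS is off on one end; a failing route check means step 8 was skipped or bound to the wrong interface.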