UniFi USG Firewall

To configure the tunnel in the UniFi USG Management Portal:

  1. Log in to the UniFi USG Management Portal with the Administrator account.

  2. Click Networks and then click Create New Network.

  3. Click Site to Site VPN > Manual IPSec.

  4. Enter these:

    Field            Enter
    Name             Name for the network.
    Purpose          Site-to-Site VPN
    VPN Type         Manual IPSec
    Enabled          Select the Enable this Site-to-Site VPN checkbox.
    Remote Subnets   Harmony SASE subnet. The default is 10.255.0.0/16.
    Peer IP          Public IP address of the location server.
    Local WAN IP     Public IP address of the UniFi USG firewall.
    Pre-shared key   Secret key specified in Configuring the Tunnel in the Harmony SASE Administrator Portal.

  5. In the Advanced Options section:

    Field                  Enter
    IPsec Profile          Customized
    Route Distance         30
    Key Exchange version   IKEv2
    Encryption             AES-256
    Hash                   SHA1
    IKE DH Group           21
    PFS                    Enable
    Dynamic Routing        Disable (see the note below for route-based tunnels)

    Both ends of the tunnel must use the same proposal; if any of these values differs from the Harmony SASE side, the IKE negotiation fails and the tunnel does not come up.

    Note: To create a route-based IPsec site-to-site connection between Harmony SASE and your Ubiquiti network:

    1. Set Dynamic Routing to Enable.

    2. Add any other subnet specified in Remote Subnets and make sure that a reverse traffic route is created under Static Routes in the UniFi USG firewall for each connected subnet to route through the Harmony SASE interface.

    3. In the Harmony SASE Administrator Portal, change Harmony SASE Gateway Proposal Subnets and Remote Gateway Proposal Subnets to Any (0.0.0.0/0).

    4. Create separate static routing in Harmony SASE. For more information, see <TBD_Cross-ref to site-connection overview>.

  6. Add static routes from the Harmony SASE subnet (10.255.0.0/16) to the local network, and vice versa, through the VPN gateway:

    1. Go to Routing & Firewall > Static Routes > Create New Route.

    2. Enter these:

      Field                 Enter
      Name                  Name for the static route.
      Enabled               Select the Enable this route checkbox.
      Type                  Static
      Destination Network   Harmony SASE subnet. The default is 10.255.0.0/16.
      Static Route Type     Interface
      Interface             Select the interface created in the previous procedure.

    3. Click Save.

  7. Create a firewall rule to allow traffic from Harmony SASE subnet to the LAN network.

  8. If IPS/IDS is enabled on the UniFi USG firewall (version 7 and later), the tunnel between the Harmony SASE network and the firewall is established only after you create an exception in the threat detection system:

    1. Click the Firewall & Security tab.

    2. Click Create New Allow List.

    3. Select the site-to-site network that you created for this setup.

    4. Save your changes.
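The two mistakes that most often keep a manual IPsec tunnel like the one above from passing traffic are entering a private (NAT) address where the table asks for a public Peer IP or Local WAN IP, and choosing local subnets that overlap the Harmony SASE subnet so that the static routes of step 6 become ambiguous. The following Python script is an added example, not part of this page or of the Harmony SASE or UniFi products; it checks a planned configuration for both problems and, for the route-based variant described in the note under step 5, reports which remote subnets still lack a reverse route through the VPN interface. The interface name `vti-harmony`, the local subnets and the route entries are constructed stand-ins; only the default 10.255.0.0/16 subnet comes from the page.

```python
import ipaddress

# Default Harmony SASE subnet from the page; everything else below is constructed.
HARMONY_SASE_SUBNET = "10.255.0.0/16"


def check_tunnel_plan(peer_ip, local_wan_ip, remote_subnets, local_subnets):
    """Return a list of problems with the planned tunnel (empty list means OK).

    Checks that Peer IP and Local WAN IP are public addresses, as the step-4 table
    requires, and that no remote subnet overlaps a local subnet, because an
    overlapping prefix makes the step-6 static routes ambiguous.
    """
    problems = []
    for label, ip in (("Peer IP", peer_ip), ("Local WAN IP", local_wan_ip)):
        if not ipaddress.ip_address(ip).is_global:
            problems.append(f"{label} {ip} is not a public address")
    remote = [ipaddress.ip_network(s) for s in remote_subnets]
    local = [ipaddress.ip_network(s) for s in local_subnets]
    for r in remote:
        for l in local:
            if r.overlaps(l):
                problems.append(f"remote subnet {r} overlaps local subnet {l}")
    return problems


def missing_reverse_routes(remote_subnets, static_routes, vpn_interface):
    """Return the remote subnets that have no enabled static route via vpn_interface.

    static_routes is a constructed stand-in for the USG Static Routes list: dicts
    with 'destination', 'interface' and an optional 'enabled' key. A remote subnet
    counts as covered when an enabled route on the VPN interface contains it.
    """
    covered = [
        ipaddress.ip_network(r["destination"])
        for r in static_routes
        if r.get("interface") == vpn_interface and r.get("enabled", True)
    ]
    missing = []
    for s in remote_subnets:
        net = ipaddress.ip_network(s)
        if not any(c.supernet_of(net) for c in covered):
            missing.append(str(net))
    return missing


if __name__ == "__main__":
    # Constructed example: the WAN address was typed as the private NAT address
    # (8.8.8.8 is only a stand-in for some public peer address), and a second
    # remote subnet has no reverse route yet.
    print(check_tunnel_plan("8.8.8.8", "192.168.1.1",
                            [HARMONY_SASE_SUBNET], ["192.168.1.0/24"]))
    routes = [{"destination": HARMONY_SASE_SUBNET,
               "interface": "vti-harmony", "enabled": True}]
    print(missing_reverse_routes([HARMONY_SASE_SUBNET, "10.20.0.0/16"],
                                 routes, "vti-harmony"))
```

Run it once with the values you intend to enter in the portal; an empty list from `check_tunnel_plan` and an empty list from `missing_reverse_routes` mean the addresses and routes are at least consistent with the tables above, which does not replace checking that the IKE proposal on both sides matches.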