# UniFi USG

## Step 1 - Creating a new branch connection

[Log in to the GoodAccess **Control Panel**, and go to **Network** > **Clouds & Branches**.](https://app.goodaccess.com/branches/)

Click **+ Add new**, enter a **Name** (e.g., Prague Office), select the required **Gateway**, and define your local **Subnets** (using CIDR notation).

Choose **IPSec** **Protocol**, and click **Continue**.

Fill out the configuration form (Public IP, Pre-Shared Key, etc.). These parameters must match the configuration you will set on your device in the next steps.

Click **Submit** to finish, or **Continue** to define optional **Branch Segments** for finer access control.

{% hint style="info" %}
You may return to the configuration via the **Edit** button of your Branch at any time.
{% endhint %}

{% hint style="info" %}
**Example of configuration (Default preset):**

* **Shared Secret** - Create a new strong password
* **Public IP** - IP of your UniFi
* **IKE Lifetime (Phase 1)** - 8 hours (28800 seconds)
* **Tunnel Lifetime (Phase 2)** - 1 hour (3600 seconds)
* **Dead Peer Detection Delay** - 30 seconds
* **Encryption (Phase 1)** - aes256
* **Encryption (Phase 2)** - aes256
* **Integrity (Phase 1)** - sha256
* **Integrity (Phase 2)** - sha256
* **Diffie-Hellman Groups (Phase 1)** - 16 - modp4096
* **Diffie-Hellman Groups (Phase 2)** - 16 - modp4096
{% endhint %}

## Step 2 - Creating a new site-to-site connection

Log in to the [UniFi management interface](https://unifi.ui.com), and go to **Settings** > **VPN** > **Site-to-Site VPN**.

Give the VPN a name and set the configuration as follows:

* **VPN Type** - IPsec
* **Pre-Shared Key** - Shared Secret [(Step 1)](#step-1-creating-a-new-branch-connection)
* **Remote IP / Host** - IP of your GoodAccess Gateway

### Network Configuration

* **VPN Type** - Route Based
* **Remote Network(s)** - Static + Subnet of your GoodAccess Gateway

### Advanced

{% hint style="info" %}
Must match configuration from GoodAccess [(Step 1)](#step-1-creating-a-new-branch-connection).
{% endhint %}

Switch to **Manual**, and set the configuration as follows:

* **Key Exchange Version** - IKEv2
* **IKE (Phase 1)**
  * **Encryption** - AES-256
  * **Hash** - SHA256
  * **DH Group** - 16
  * **Lifetime** - 28800
* **ESP (Phase 2)**
  * **Encryption** - AES-256
  * **Hash** - SHA256
  * **DH Group** - 16
  * **Lifetime** - 3600
* **Perfect Forward Secrecy (PFS)** - Enabled

Click **Add**.

You have now successfully connected your device to GoodAccess.
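The hint above says the Advanced settings must match the GoodAccess branch exactly, and the two interfaces spell the same values differently (aes256 vs AES-256, "16 - modp4096" vs DH Group 16, "8 hours (28800 seconds)" vs 28800). The following script is an added example, not GoodAccess or UniFi code: it normalizes both representations and reports every Phase 1 / Phase 2 parameter that disagrees, which is what you would otherwise learn only from a NO_PROPOSAL_CHOSEN failure. The two dictionaries are constructed from the values on this page, the field names are assumptions of this script, and the DH group to MODP name table is the standard IKE group registry (RFC 3526).

```python
"""Compare a GoodAccess branch preset against a UniFi Site-to-Site VPN
Advanced (Manual) profile and list every IKE/ESP proposal mismatch.
Added example; the dictionaries below are constructed samples."""

import re

# Standard IKE Diffie-Hellman group numbers and their MODP names (RFC 3526).
DH_GROUP_TO_MODP = {
    2: "modp1024", 5: "modp1536", 14: "modp2048", 15: "modp3072",
    16: "modp4096", 17: "modp6144", 18: "modp8192",
}
MODP_TO_DH_GROUP = {name: num for num, name in DH_GROUP_TO_MODP.items()}

# Constructed sample: the "Default preset" shown in Step 1 of this guide.
GOODACCESS_PRESET = {
    "ike_lifetime": "8 hours (28800 seconds)",
    "esp_lifetime": "1 hour (3600 seconds)",
    "ike_encryption": "aes256",
    "esp_encryption": "aes256",
    "ike_integrity": "sha256",
    "esp_integrity": "sha256",
    "ike_dh": "16 - modp4096",
    "esp_dh": "16 - modp4096",
}

# Constructed sample: the UniFi Advanced > Manual values from Step 2.
UNIFI_PROFILE = {
    "ike_lifetime": 28800,
    "esp_lifetime": 3600,
    "ike_encryption": "AES-256",
    "esp_encryption": "AES-256",
    "ike_integrity": "SHA256",
    "esp_integrity": "SHA256",
    "ike_dh": 16,
    "esp_dh": 16,
    "pfs": True,
}


def normalize_algorithm(value):
    """'AES-256', 'aes256', 'SHA-256' -> lowercase alphanumerics only."""
    return re.sub(r"[^a-z0-9]", "", str(value).lower())


def normalize_lifetime(value):
    """Return a lifetime in seconds from an int or a string such as
    '8 hours (28800 seconds)' or '1 hour'."""
    if isinstance(value, int):
        return value
    in_seconds = re.search(r"(\d+)\s*seconds?", value)
    if in_seconds:
        return int(in_seconds.group(1))
    m = re.match(r"\s*(\d+)\s*(hour|minute|second)s?", value)
    if not m:
        raise ValueError(f"cannot parse lifetime: {value!r}")
    return int(m.group(1)) * {"hour": 3600, "minute": 60, "second": 1}[m.group(2)]


def normalize_dh(value):
    """Return the DH group number from 16, '16', 'modp4096' or '16 - modp4096'.
    A string that names both a number and a MODP size must agree with itself."""
    if isinstance(value, int):
        return value
    text = value.strip().lower()
    candidates = set()
    num = re.match(r"(\d+)", text)
    if num:
        candidates.add(int(num.group(1)))
    modp = re.search(r"modp(\d+)", text)
    if modp:
        candidates.add(MODP_TO_DH_GROUP["modp" + modp.group(1)])
    if len(candidates) != 1:
        raise ValueError(f"ambiguous or unknown DH group: {value!r}")
    return candidates.pop()


NORMALIZERS = {
    "ike_encryption": normalize_algorithm, "esp_encryption": normalize_algorithm,
    "ike_integrity": normalize_algorithm, "esp_integrity": normalize_algorithm,
    "ike_lifetime": normalize_lifetime, "esp_lifetime": normalize_lifetime,
    "ike_dh": normalize_dh, "esp_dh": normalize_dh,
}


def compare_proposals(goodaccess, unifi):
    """Return human-readable mismatches; an empty list means both sides agree."""
    problems = []
    for key, norm in NORMALIZERS.items():
        left, right = norm(goodaccess[key]), norm(unifi[key])
        if left != right:
            problems.append(f"{key}: GoodAccess={left!r} UniFi={right!r}")
    # A Phase 2 DH group on the GoodAccess side means it expects PFS; with PFS
    # disabled on UniFi the ESP proposal carries no DH group and will be rejected.
    if goodaccess.get("esp_dh") and not unifi.get("pfs", False):
        problems.append("pfs: GoodAccess sets a Phase 2 DH group but UniFi PFS is disabled")
    return problems


if __name__ == "__main__":
    for line in compare_proposals(GOODACCESS_PRESET, UNIFI_PROFILE) or ["proposals match"]:
        print(line)
```

Edit the `UNIFI_PROFILE` dictionary to mirror what you actually typed into the Advanced form; any line printed is a parameter to fix before clicking **Add**.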

{% hint style="info" %}
UniFi automatically creates the necessary firewall rules and static routes.
{% endhint %}

{% hint style="info" %}
**You may check the status of the connection in:**

* **GoodAccess:** Go to **Control Panel > Network > Clouds & Branches** to view the tunnel status. Use the **Test Connection** button to validate the IPsec tunnel itself, or optionally to test a specific system (target must have ICMP enabled).
* **UniFi:** Go to **Settings > VPN > Site-to-Site VPN**.
{% endhint %}
