UniFi USG

This guide will show you how to connect your UniFi device to the GoodAccess Gateway via a site-to-site connection using the IPsec protocol.

Step 1 - Creating a new branch connection

Log in to the GoodAccess Control Panel, and go to Network > Clouds & Branches.

Click + Add new, enter a Name (e.g., Prague Office), select the required Gateway, and define your local Subnets (using CIDR notation).

Choose IPSec Protocol, and click Continue.

Fill out the configuration form (Public IP, Pre-Shared Key, etc.). These parameters must match the configuration you will set on your device in the next steps.

Click Submit to finish, or Continue to define optional Branch Segments for finer access control.

You may return to the configuration via the Edit button of your Branch at any time.

Example of configuration (Default preset):

  • Shared Secret - Create a new strong password

  • Public IP - the public IP address of your UniFi device

  • IKE Lifetime (Phase 1) - 8 hours (28800 seconds)

  • Tunnel Lifetime (Phase 2) - 1 hour (3600 seconds)

  • Dead Peer Detection Delay - 30 seconds

  • Encryption (Phase 1) - aes256

  • Encryption (Phase 2) - aes256

  • Integrity (Phase 1) - sha256

  • Integrity (Phase 2) - sha256

  • Diffie-Hellman Groups (Phase 1) - 16 - modp4096

  • Diffie-Hellman Groups (Phase 2) - 16 - modp4096

Step 2 - Creating a new site-to-site connection

Log in to the UniFi management interface, and go to Settings > VPN > Site-to-Site VPN.

Give the VPN a name and set the configuration as follows:

  • VPN Type - IPsec

  • Pre-Shared Key - Shared Secret (Step 1)

  • Remote IP / Host - IP of your GoodAccess Gateway

Network Configuration

  • VPN Type - Route Based

  • Remote Network(s) - Static + Subnet of your GoodAccess Gateway

Advanced

These settings must match the configuration from GoodAccess (Step 1).

Switch to Manual, and set the configuration as follows:

  • Key Exchange Version - IKEv2

  • IKE (Phase 1)

    • Encryption - AES-256

    • Hash - SHA256

    • DH Group - 16

    • Lifetime - 28800

  • ESP (Phase 2)

    • Encryption - AES-256

    • Hash - SHA256

    • DH Group - 16

    • Lifetime - 3600

  • Perfect Forward Secrecy (PFS) - Enabled

Click Add.

You have now successfully connected your device to GoodAccess.
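The most common reason a tunnel does not come up is a Phase 1 or Phase 2 parameter that differs between the two sides. The following added example (not GoodAccess or UniFi code) takes the two parameter lists from Step 1 and Step 2, normalizes the vendor spellings ("aes256" vs "AES-256", "16 - modp4096" vs "16", "8 hours (28800 seconds)" vs "28800") and reports any value the peers disagree on; the dictionary keys are assumed names chosen for this example.

```python
import re

# Constructed from the page's Step 1 list (GoodAccess "Default preset").
GOODACCESS_BRANCH = {
    "ike_version": "IKEv2",
    "p1_encryption": "aes256", "p1_integrity": "sha256", "p1_dh": "16 - modp4096",
    "p1_lifetime": "8 hours (28800 seconds)",
    "p2_encryption": "aes256", "p2_integrity": "sha256", "p2_dh": "16 - modp4096",
    "p2_lifetime": "1 hour (3600 seconds)",
    "pfs": "enabled",
}

# Constructed from the page's Step 2 list (UniFi "Manual" advanced settings).
UNIFI_SITE_TO_SITE = {
    "ike_version": "IKEv2",
    "p1_encryption": "AES-256", "p1_integrity": "SHA256", "p1_dh": "16", "p1_lifetime": "28800",
    "p2_encryption": "AES-256", "p2_integrity": "SHA256", "p2_dh": "16", "p2_lifetime": "3600",
    "pfs": "Enabled",
}


def normalize(key: str, value: str) -> str:
    """Reduce the vendor-specific spelling of one parameter to a comparable form."""
    v = value.strip().lower()
    if key.endswith("_lifetime"):
        # Accept "28800", "8 hours (28800 seconds)", "1 hour" ... and return seconds.
        m = re.search(r"(\d+)\s*(hour|minute|second)?", v)
        unit = {"hour": 3600, "minute": 60}.get(m.group(2), 1) if m else 1
        return str(int(m.group(1)) * unit) if m else v
    if key.endswith("_dh"):
        return v.split("-")[0].strip()            # "16 - modp4096" -> "16"
    if key.endswith(("_encryption", "_integrity")):
        return v.replace("-", "").replace(" ", "")  # "aes-256" -> "aes256"
    return v                                       # ike version, pfs: case only


def find_mismatches(a: dict, b: dict) -> list:
    """Return (key, a_value, b_value) for every parameter the two peers disagree on."""
    return [(k, a.get(k), b.get(k)) for k in sorted(set(a) | set(b))
            if normalize(k, a.get(k, "")) != normalize(k, b.get(k, ""))]


if __name__ == "__main__":
    for key, ours, theirs in find_mismatches(GOODACCESS_BRANCH, UNIFI_SITE_TO_SITE):
        print(f"mismatch on {key}: GoodAccess={ours!r} UniFi={theirs!r}")
```

An empty result means both sides propose the same IKEv2 / AES-256 / SHA256 / DH group 16 / lifetime combination; any line printed names the parameter to correct before re-testing the tunnel.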

UniFi automatically creates the necessary firewall rules and static routes.

You may check the status of the connection in:

  • GoodAccess: Go to Control Panel > Network > Clouds & Branches to view the tunnel status. Use the Test Connection button to validate the IPsec tunnel itself, or optionally to test reachability of a specific system behind it (the target must respond to ICMP).

  • UniFi: Go to Settings > VPN > Site-to-Site VPN.
