Connecting Ubiquiti Unifi USG to Azure via VPN


As a self-confessed Ubiquiti fanboy who wants to learn the Microsoft Azure platform (just because), it made sense to attempt a Site-to-Site (AKA Site-to-Cloud) VPN connection between my Ubiquiti UniFi USG and my Azure cloud.  The following tutorial shows the steps that worked for me.

First off, versions and assumptions, at the time of writing I was using:

Ubiquiti UniFi USG Firmware Version: 4.4.18.5052168

Ubiquiti UniFi Controller Version: 5.6.29

Stage 1: Azure Preparation

Create Virtual Network Gateway

In order to connect our USG to our Azure space, we need a destination within Azure in the form of a Virtual Network.  Assuming this already exists, we now need to create a Virtual Network Gateway to terminate our VPN connection. To create one, perform the following steps:

Click on the burger menu in the top left

Click New

In the search box of the New pane that appears, type Virtual Network Gateway, then press Enter

At the top of the list should be an option for Virtual Network Gateway; click it and, in the pane that appears, click Create (bottom of the screen):

On the Create Virtual Network Gateway form, all of the options can stay at their defaults except for the following:

Name

VPN type: leave this as Route-based; it is what the USG's Azure dynamic routing IPsec profile expects.

SKU: the SKUs differ in throughput, number of tunnels and price (Azure's VPN Gateway pricing page lists them per region). I opted for Basic. Be aware that the Basic SKU does not allow a custom IPsec/IKE policy, so you are limited to Azure's default proposals.

Virtual Network: select the one you want to connect to.

Public IP Address: you may need to create a new one; this is the Azure-side public address that the USG will peer with.

Subscription: which subscription pays for the services.

Location: the Azure region that hosts the gateway; it must be the same region as the virtual network.

Create Local Network Gateway

In the Azure Portal, click New

In the search box of the New pane that appears, type Local Network Gateway, then press Enter

Click Create in the page that appears

IP Address: the public IP address of your UniFi USG. If the USG's WAN interface carries a private (carrier-NAT) address, enter the address the internet actually sees, not the one shown on the WAN interface, because this is where Azure sends its IKE traffic.

Address Space: the on-premises prefixes that Azure should route through the tunnel, in CIDR form (the network served by the UniFi USG). I used a CIDR calculator to carve a small range out of the top of my local subnet, for example 192.168.12.180/30, which gives me four addresses (.180 to .183). Only hosts in this range will be reachable from the virtual network, so choose a range that contains the machines you want Azure to talk to and that does not overlap the virtual network's own address space.

Create Connection

In the Azure Portal, click New

In the search box of the New pane that appears, type Connection, then press Enter

Click on Connection in the results:

Click Create at the bottom of the Connection pane

In the form that appears, use the following options (choosing your own subscription, resource group and location). The original screenshot is not reproduced here; the fields to fill are the connection type (Site-to-site (IPsec)), the Virtual Network Gateway and Local Network Gateway created above, and the Shared key (PSK). Make the shared key long and random, generated rather than typed, and keep it somewhere safe: it has to be entered again on the USG, and it is the only thing authenticating the two ends of the tunnel to each other.
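The Azure side of Stage 1 can also be driven from the Azure CLI, which is easier to repeat and to review than portal clicks. The script below is an added example, not code from the original post or from Ubiquiti or Microsoft. The resource group, region, virtual network, LAN prefix and the 203.0.113.10 public address are assumptions (override them in the environment); it expects the resource group and virtual network to exist already, and it uses the standard az subcommands for public IPs, virtual network gateways, local network gateways and connections. It adds two checks the portal does not do for you: that the local address space neither overlaps the VNet nor falls outside the USG LAN, and that the shared key is long, random and printable ASCII.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): Azure CLI equivalent of the
# Stage 1 portal steps plus two sanity checks. Every name, region and address
# range below is an assumption; override them in the environment.
set -eu

RG="${RG:-rg-usg-vpn}"                               # assumed resource group (must exist)
LOCATION="${LOCATION:-uksouth}"                      # assumed region; must match the VNet's
VNET="${VNET:-vnet-lab}"                             # assumed existing virtual network
VNET_PREFIX="${VNET_PREFIX:-10.0.0.0/16}"            # assumed VNet address space
LAN_PREFIX="${LAN_PREFIX:-192.168.12.0/24}"          # assumed USG LAN
LOCAL_PREFIX="${LOCAL_PREFIX:-192.168.12.180/30}"    # the /30 chosen in the post
USG_PUBLIC_IP="${USG_PUBLIC_IP:-203.0.113.10}"       # documentation address; use the USG's real public IP
PIP="${PIP:-pip-vng-usg}"; VNG="${VNG:-vng-usg}"; LNG="${LNG:-lng-usg}"; CONN="${CONN:-conn-usg-azure}"

# Dotted quad -> 32-bit integer.
ip2int() { local IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )); }

# cidr_overlap A B -> exit 0 when the two prefixes share at least one address,
# i.e. they agree on the first min(lenA, lenB) bits.
cidr_overlap() {
  local a_ip="${1%/*}" a_len="${1#*/}" b_ip="${2%/*}" b_len="${2#*/}"
  local len=$(( a_len < b_len ? a_len : b_len ))
  local mask=$(( len == 0 ? 0 : (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$a_ip") & mask )) -eq $(( $(ip2int "$b_ip") & mask )) ]
}

# Azure accepts a 1-128 character printable-ASCII shared key; insist on
# something long, and reject anything outside printable ASCII (bytes 0x20-0x7e).
psk_ok() {
  local psk="$1"
  [ "${#psk}" -ge 32 ] && [ "${#psk}" -le 128 ] || return 1
  printf '%s' "$psk" | LC_ALL=C grep -q '[^ -~]' && return 1
  return 0
}
gen_psk() { openssl rand -base64 48 | tr -d '\n'; }   # 64 random printable characters

# Refuse an address space Azure would reject (overlap) or black-hole (not on the LAN).
preflight() {
  if cidr_overlap "$LOCAL_PREFIX" "$VNET_PREFIX"; then
    echo "local address space $LOCAL_PREFIX overlaps the VNet $VNET_PREFIX; pick another range" >&2; return 1
  fi
  if ! cidr_overlap "$LOCAL_PREFIX" "$LAN_PREFIX"; then
    echo "$LOCAL_PREFIX is not part of the USG LAN $LAN_PREFIX; Azure would route it nowhere" >&2; return 1
  fi
}

create_gateway() {
  # Basic SKU: cheapest, no custom IPsec/IKE policy, and it needs a Basic, dynamic public IP.
  az network public-ip create -g "$RG" -n "$PIP" -l "$LOCATION" --sku Basic --allocation-method Dynamic
  az network vnet-gateway create -g "$RG" -n "$VNG" -l "$LOCATION" --public-ip-address "$PIP" \
    --vnet "$VNET" --gateway-type Vpn --vpn-type RouteBased --sku Basic   # can take 30-45 minutes
}
create_local_gateway() {
  az network local-gateway create -g "$RG" -n "$LNG" -l "$LOCATION" \
    --gateway-ip-address "$USG_PUBLIC_IP" --local-address-prefixes "$LOCAL_PREFIX"
}
create_connection() {   # $1 = shared key, to be entered again on the USG
  psk_ok "$1" || { echo "refusing a short or non-ASCII shared key" >&2; return 1; }
  az network vpn-connection create -g "$RG" -n "$CONN" -l "$LOCATION" \
    --vnet-gateway1 "$VNG" --local-gateway2 "$LNG" --shared-key "$1"
}
connection_status() { az network vpn-connection show -g "$RG" -n "$CONN" --query connectionStatus -o tsv; }

# With no argument the script only defines the functions above.
if [ "${1:-}" = "apply" ]; then
  preflight
  PSK="$(gen_psk)"
  create_gateway && create_local_gateway && create_connection "$PSK"
  echo "shared key (store it in a password manager, then enter it on the USG): $PSK"
  connection_status
fi
```

Run it with apply to create everything; without an argument it only defines the functions, so you can source it and call connection_status on its own later. Note that --shared-key puts the key on the command line, visible in the process list and shell history of the machine you run it on; run it from a host you trust for that, or feed the key from a secret store rather than printing it.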

 

Stage 2: Ubiquiti UniFi Setup

Create Site-to-Site VPN Network

Login to your UniFi controller and click the settings icon

Click Networks

Click Create New Network

Give the Network a useful name

For the Purpose property, select Site-to-Site VPN

Select Manual IPsec as the VPN Type

Under Remote Subnets, click Add Subnet and enter the address space of the Azure virtual network you are connecting to (the remote side of the tunnel). The /30 you defined in the Create Local Network Gateway section is the local side: Azure already knows to send traffic for it to the USG, and the USG will only route traffic for the Azure prefixes you list here into the tunnel.

In Peer IP enter the public IP address Azure assigned to the Virtual Network Gateway

In Local WAN IP enter the IP address on the WAN interface of your UniFi USG (if that address is private because your ISP NATs you, the Local Network Gateway in Azure must still carry your real public IP)

In Pre-Shared Key enter the key we defined earlier in the Create Connection section

Under IPsec Profile select Azure dynamic routing (this matches the Route-based gateway in Azure: IKEv2 with a routed tunnel interface rather than per-subnet policies)

Click to expand Advanced Options

IMPORTANT NOTE: there is a bug at the moment in the UniFi Controller software, whereby PFS and Dynamic Routing are always selected.

Uncheck both PFS and Dynamic Routing

Turning PFS off is a real trade-off, not just a click: without it each IPsec child SA is keyed from the IKE SA's key material rather than from a fresh Diffie-Hellman exchange, so anyone who recovers the IKE SA keys can decrypt every child SA derived from them. If your controller version no longer forces the setting, leave PFS on and make sure the Azure side's IPsec/IKE policy offers a matching PFS group.

Click Save

Verifying the Connection Status

Viewing the Connection Status on Azure

Once everything is set up, the VPN connection should initiate automatically. To verify, view the connection status in the Microsoft Azure portal:

Go to your Dashboard

Click the Connection we made earlier

Make sure you are on the Overview tab

Wait a short while and you should see the status reported as Connected (the original post shows a screenshot here):

Viewing the Connection Status on Ubiquiti UniFi USG

Incorrect VPN Status on the UniFi Controller

Unfortunately, at the time of writing there appears to be a bug in the Ubiquiti Controller's reporting of Site-to-Site VPN connections: despite the VPN connection to Azure being established, the Ubiquiti Controller Dashboard shows no Active Tunnels and zero packets in either direction.

I can confirm that my standard client-to-site connection shows up on the Dashboard, so the issue is specific to site-to-site VPNs.

If you do want to verify on the USG that the VPN tunnel is up, you can do so via the command line:

SSH in to the USG device directly (not in to the controller)

Type the following command:

show vpn ipsec sa

You should get a result similar to the following:

peer-72.78.37.14-tunnel-0: #1, ESTABLISHED, IKEv2, 0d1dh838jd29d39:39483jdhudsu3fd
  local  '45.17.23.34' @ 45.17.23.34
  remote '72.78.37.14' @ 72.78.37.14

ESTABLISHED on the first line means the IKE SA came up, i.e. the peer address and pre-shared key are right. Further down the same output there should also be a child (ESP) SA marked INSTALLED, with in/out byte and packet counters. If the IKE SA is up but no child SA is installed, the IPsec proposal or the subnets do not match; if the counters stay at zero, the tunnel is up but nothing is being routed into it (try pinging a VM in the virtual network). show vpn ipsec status gives a one-line summary and show vpn log the IKE negotiation log.
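Because the controller dashboard cannot be trusted for site-to-site tunnels, it is worth scripting the check against the USG's own CLI output instead of reading it by eye. The functions below are an added example, not part of the original post or of Ubiquiti's software; they read show vpn ipsec sa text on stdin (for instance from ssh admin@usg 'show vpn ipsec sa', with an assumed hostname). The embedded SAMPLE is constructed for the example, using documentation addresses and made-up SPIs and loosely following the strongSwan-style layout of the output above; it deliberately carries a 1024-bit DH group so the weak-algorithm check has something to flag.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): scriptable checks over the output
# of `show vpn ipsec sa` on the USG. Each function reads that output on stdin:
#   ssh admin@usg 'show vpn ipsec sa' | tunnel_up      # hostname assumed
set -eu

# Constructed sample output (documentation addresses, made-up SPIs). It includes
# MODP_1024 on purpose so weak_algos fires; replace with your own output.
SAMPLE=$(cat <<'EOF'
peer-198.51.100.14-tunnel-0: #1, ESTABLISHED, IKEv2, 0d1d8838c29d39e1:39483fd1c7a2b0e4
  local  '203.0.113.34' @ 203.0.113.34
  remote '198.51.100.14' @ 198.51.100.14
  AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  established 62s ago, rekeying in 27912s
  peer-198.51.100.14-tunnel-0: #2, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC_256/HMAC_SHA1_96
    installed 62s ago, rekeying in 3091s, expires in 3538s
    in  c1e2a3b4,      0 bytes,     0 packets
    out d5f6a7b8,      0 bytes,     0 packets
    local  0.0.0.0/0
    remote 0.0.0.0/0
EOF
)

# Exit 0 only when an IKE SA is ESTABLISHED *and* a child (ESP) SA is INSTALLED.
# ESTABLISHED alone means peer IP and PSK are right but no ESP SA exists, the
# usual symptom of a proposal or traffic-selector mismatch. Exit 2 when there
# is no IKE SA at all.
tunnel_up() {
  local states
  states=$(grep -oE 'ESTABLISHED|INSTALLED' | sort -u | tr '\n' ' ' || true)
  case "$states" in
    *ESTABLISHED*INSTALLED*) return 0 ;;
    *ESTABLISHED*) echo "IKE SA up but no child SA: check IPsec proposal and remote subnets" >&2; return 1 ;;
    *) echo "no IKE SA: check peer IP, shared key, and UDP 500/4500 reachability" >&2; return 2 ;;
  esac
}

# Print "in N" and "out N" packet counters from the child SA lines. An INSTALLED
# SA with both at zero means the tunnel is up but nothing is being routed into it.
packet_counts() { awk '/^ +(in|out) / { print $1, $(NF-1) }'; }

# Exit 1 (and name them) when algorithms that have no place in a new tunnel were negotiated.
weak_algos() {
  local found
  found=$(grep -oE 'MODP_768|MODP_1024|3DES|DES_CBC|MD5' | sort -u | tr '\n' ' ' || true)
  [ -z "$found" ] || { echo "weak algorithms negotiated: $found" >&2; return 1; }
}

# Run against the constructed sample: ./check.sh demo
if [ "${1:-}" = "demo" ]; then
  printf '%s\n' "$SAMPLE" | tunnel_up && echo "tunnel up"
  printf '%s\n' "$SAMPLE" | packet_counts
  printf '%s\n' "$SAMPLE" | weak_algos || true
fi
```

The three checks are separated because they answer different questions: tunnel_up is what a monitoring job should alert on, packet_counts distinguishes "tunnel up" from "traffic flowing" (the distinction the controller dashboard blurs), and weak_algos is a one-off review of what the Azure default policy and the USG profile actually agreed on.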

 

 

Bob McKay

About Bob McKay

Bob is a Founder of Seguro Ltd, a full time father and husband, part-time tinkerer-with-wires, coder, Muay Thai practitioner, builder and cook. Big fan of equality, tolerance and co-existence.


9 comments on «Connecting Ubiquiti Unifi USG to Azure via VPN»

  1. Mark Palmer says:

    Many thanks for that Bob, as I’m looking to be doing this in the coming weeks!
    Out of interest, when did you write this?

    1. Bob McKay says:

      Hi Mark,

      Thanks for the comment, I did this January 2018 and wrote it up as I did it – I don’t think too much has changed since then!

  2. Nate Heath says:

    Currently, I am getting this on the connection when I run the troubleshooter in Azure:

    Resource: toRHCC
    Summary: The connection cannot establish due to security policy (IPsec/IKE) policy mismatch
    Detail: If the IPSec/IKE policy is not properly set, the VPN connection cannot establish
    Last run: 7/24/2019, 1:44:47 PM

    More than willing to pay you for your time to get this off my plate. Thanks! Tried filling out your contact form but it would not work.

  3. James Heathcote says:

    Really useful article thank you!

    We would like to make use of an Azure network gateway in the US and have our traffic from our branch office in the UK appear from there. Can we route all traffic from the Uni-fi network via the Azure gateway and appear in the US?

  4. RANDAL WILLIAMS says:

    Would you be up for revisiting this to match the current version of the USG? I ask because there are additional settings that aren’t addressed here on both the Azure side and USG side. For instance, I followed these directions but my connection in Azure is saying:

    “The connection cannot be established because the other VPN device is unreachable. If the on-premises VPN device is unreachable or not responding to the Azure VPN gateway IKE handshake, the VPN connection cannot establish.”

    If the Public IP for USG is what is displayed in the “Router” field on the USG interface, then I should be correct, unless it wants my ISP furnished IP address? Besides this, the only other thing I can think of is under the Azure Connection configuration itself, where there is a field regarding IPSec/IKE Policy, where currently “Default” is selected, but there is a “Custom” option in which I can specify IKE Phase 1 (IPSec Encryption ‘ex. AES-256’, Integrity/PRF ‘ex. SHA-1’, DH Group ‘ex. DHGroup2’) and IKE Phase 2 IPSec (IPSec Encryption ‘ex. AES-256’, IPSec Integrity ‘ex. SHA-1’, and PFS Group ‘Note that this is a mandatory field and that we disable this in the USG’).

    Hopefully you can help me fill in the blanks on this for the products in their current state. Thanks!

    1. Bob McKay says:

      Hey Randal,
      I’m afraid I no longer use Azure, having instead decided – personally anyway – that AWS offers a better fit for my needs.

      1. Randal says:

        Thanks for getting back to me. I figured out my issue. I needed to update to my public IP rather than the “router public IP”, then update my local area gateway subnets.

        1. Bob McKay says:

          Thanks for posting back Randal, that may well help others too! Glad you got it sorted 🙂

    2. Andrew Burke says:

      Did you ever resolve this I am hitting the same issue.

      I have tried to configure the UDM half a dozen times now and it just doesn’t seem to connect. Having used Azure VPN for a few years I am 100% sure that’s correct, and the only other thing I can think of is to manually try and configure the connection.
