Site-to-Site VPN between Unifi and Cisco Meraki routers

Preparing to establish the VPN

On the Cisco Meraki dashboard, obtain:

  • The WAN IP of the Cisco Meraki router/appliance (Security & SD-WAN --> Monitor --> Appliance --> Status --> Uplink --> WAN)
  • A list of IP Ranges in CIDR notation that you want to be able to access from the Unifi side of the tunnel
    • e.g. LAN on the Meraki side is 192.168.20.0/24, then use this
    • if there are multiple LANs you want to be able to access from the Unifi side, include them all

On the Unifi Controller, obtain:

  • The WAN IP of the Unifi router (Settings --> Networks/Internet --> WAN (or whatever the name is for the default WAN, could be anything) --> IP Address)
  • A list of IP Ranges in CIDR notation that you want to be able to access from the Meraki side of the tunnel

Obtain encryption/phases supported on Unifi side

Between Unifi and Meraki, Unifi is going to be the limiting factor in what encryption modes are available, so build the VPN tunnel with this in mind. On the Unifi Controller, start creating a dummy IPsec site-to-site VPN and expand the "Advanced options" at the bottom to see what is available to you. Unless there is a significant change in the Unifi Controller from the time of writing this, you should have at least the following available:

  • Key Exchange Version: IKEv2
  • Encryption: AES-256
  • Hash: SHA1
  • DH Group: 14
  • Perfect Forward Secrecy (PFS): enabled
  • Dynamic Routing: disabled

Static vs Dynamic WAN

Determine if the WAN IP Address on either side is dynamic instead of static. If both are static, you can skip this section.

For each dynamic IP address, you should create a Dynamic DNS hostname using our afraid.org account and use the Dynamic DNS hostname (i.e. example.mynet.care) instead of the dynamic IP address during setup of the VPN. If you don't do this, eventually the dynamic WAN IP will change on the side(s) of the VPN tunnel that are dynamic and cause the VPN tunnel to stop working.

Create VPN on Meraki

  1. Login to the Cisco Meraki dashboard
  2. Go to Security & SD-WAN --> Configure --> Site-to-site VPN
  3. In the "Non-Meraki VPN Peers" section, click "+ Add a peer"
  4. Fill out the form that appears:
    1. Name: Display name that will appear in the Cisco Meraki Dashboard - name it something relevant but short
    2. IKE Version: Choose a matching option available on both Unifi and Meraki (generally, IKEv2 should be preferred if available on both sides)
    3. Public IP or hostname: The IP or hostname for the Unifi router
    4. Local ID: leave blank
    5. Remote ID: leave blank
    6. Shared Secret: Randomly generated secret, minimum 16 characters - save it in PCRT
    7. Routing: Static
    8. Private Subnets: the list of private subnets in CIDR notation from the Unifi site that you notated in the Preparation step
    9. Availability: All networks
    10. Health Check: ignore
    11. Failover: ignore
  5. In the IPsec policy section, leave preset blank and set the values you obtained in the "Obtain encryption/phases supported on Unifi side" section above, with the following additions:
    1. Phase 1, Pseudo-random function: "Defaults to Authentication"
    2. Phase 1, Lifetime: 28800 seconds
    3. Phase 2, Encryption: AES-256, AES-192, AES-128, 3DES
    4. Phase 2, Authentication: SHA1, MD5
    5. Phase 2, PFS Group: off
    6. Phase 2, Lifetime: 28800 seconds
  6. Save

Create VPN on Unifi

  1. Login to the Unifi Controller and navigate to the site in question:
    1. all instructions are written assuming you are using the Legacy Interface
  2. Go to Settings --> Networks --> Create new network
  3. Set the following:
    1. Name: Display name that will appear in the Unifi Controller - name it something relevant but short
    2. Purpose: Site-to-Site VPN
    3. VPN Type: Manual IPsec
    4. Enabled: checked
    5. Remote Subnets: the list of private subnets in CIDR notation from the Meraki site that you notated in the Preparation step
    6. Route Distance: Default (30)
    7. Peer IP: The WAN IP or hostname of the Meraki router
    8. Local WAN IP: The WAN IP of the Unifi router
    9. Pre-Shared Key: the same PSK you used on the Meraki side that you notated in PCRT
    10. IPsec Profile: Customized
    11. Under Advanced Options, set the values you notated in the "Obtain encryption/phases supported on Unifi side" above that match the settings you put into the Meraki VPN setup
    12. Create
    13. Save (on the main VPN page - if you don't click save here then it won't save your changes)

Confirm the VPN is working

On the Meraki Dashboard:

  1. Go to Security & SD-WAN --> Monitoring --> VPN Status
  2. Scroll down to the list of site-to-site peers
  3. Click on "# Non-Meraki peers" button to switch to the Non-Meraki Site-to-Site VPN section
  4. Observe the status symbol next to your newly-created VPN - it should be green

On the Unifi Controller:

  1. SSH into the router
  2. Run the command show vpn ipsec sa
  3. Look for an entry that specifies local as the Unifi's WAN IP and remote as the Meraki's WAN IP

In either direction:

  1. Attempt to ping something across the VPN

Troubleshooting

During the initial setup while creating this document, two mistakes were observed:

  1. The encryption method didn't match (Unifi side was SHA1, Meraki was set to AES-256)
  2. PFS was enabled on the Unifi side

After changing these settings and waiting for the Unifi router to provision and establish the VPN tunnel, I observed that the connection was established and working.

Discard
Save
Draft
Was this article helpful?
Edit Page New Page Revisions Page Settings

Previous Page

Left

Next Page

Right

On this page

Review Changes ← Back to Content
Message Status Space Raised By Last update on