ufozone/unifi-reconfigure-vpn
UniFi: Reconfigure Auto IPsec VTI VPN with dynamic IP on one or both sites

ATTENTION: The script only works for a bidirectional site-to-site VPN, and no other (automatic or manual) IPsec site-to-site VPN may be configured alongside it.

Development & Pull Request

Feel free to enhance the script. Pull requests against the master branch will be reviewed and merged.

Installation

Settings in Controller

If it doesn't exist yet, create an Auto IPsec VTI Site-to-Site VPN: go to Settings > Network and click the "Create new network" button.

| Variable | Value |
|---|---|
| Name | Name of your S2S |
| Purpose | Site-to-Site VPN |
| VPN Type | Auto IPsec VTI |
| Remote Site | Site-B |

Wait for provisioning. After that, the site-to-site VPN connection between your local site and the remote site is established.

One day your IP changes and then the script is there to fix it. ;-)

Set-up script on USGs

Connect via SSH to both USGs and run the following commands:

admin@USG-Pro-4:~$ sudo touch /config/scripts/post-config.d/vpn-site-to-site-reconfigure.sh
admin@USG-Pro-4:~$ sudo chmod +x /config/scripts/post-config.d/vpn-site-to-site-reconfigure.sh
admin@USG-Pro-4:~$ sudo vi /config/scripts/post-config.d/vpn-site-to-site-reconfigure.sh

Paste in the content of vpn-site-to-site-reconfigure.sh.

Change the variables:

| Variable | Description | Values | Line |
|---|---|---|---|
| THIS_SITE | Letter of the current site. Each site must be different from the other | A or B | 11 |
| SITE_A_HOST | Hostname of site A | FQDN with final point | 14 |
| SITE_B_HOST | Hostname of site B | FQDN with final point | 15 |
| PRE_SHARED_SECRET | Pre-shared key | Secret with 24 or more bytes | 18 |

Make sure the file uses LF line endings (convert it from CRLF if you edited it on Windows).

Execute the script:

admin@USG-Pro-4:~$ /config/scripts/post-config.d/vpn-site-to-site-reconfigure.sh

Check the logs. Normally you should get an output like the following:

admin@USG-Pro-4:~$ show log | grep 'vpn-site-to-site-reconfigure'
Jan 29 21:06:07 USG-Pro-4 vpn-site-to-site-reconfigure: Remote address does not change.
Jan 29 21:06:07 USG-Pro-4 vpn-site-to-site-reconfigure: Local address does not change.
Jan 29 21:06:07 USG-Pro-4 vpn-site-to-site-reconfigure: Nothing to commit.
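The decision the script makes on each run, as an added illustration (this is not the project's script): compare the addresses currently configured with what the two dyndns hostnames resolve to, and either report "Nothing to commit." or emit the configuration commands needed. The VyOS/EdgeOS set/delete syntax and the ESP0/IKE0 group names are real; the helper names and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added illustration, not the project's script: given the addresses currently
# configured on the USG and the ones the two dyndns hostnames now resolve to,
# decide what a reconfigure run has to do. Messages mirror the README's log
# lines; the VyOS/EdgeOS set/delete syntax and the ESP0/IKE0 names are real,
# the helper names and sample addresses are assumptions.

PRE_SHARED_SECRET="REPLACE-WITH-YOUR-24-BYTE-OR-LONGER-SECRET"   # placeholder

# First IPv4 A record of a hostname, using the same tool as the README's
# troubleshooting section (needs DNS, so not exercised offline).
resolve_a() {
    host -st A "$1" 2>/dev/null | awk '/has address/ { print $4; exit }'
}

# plan_changes CUR_LOCAL CUR_REMOTE NEW_LOCAL NEW_REMOTE
# Prints one status line per address and, when something moved, the config
# commands to run between "begin" and "commit". Returns 1 on the README's
# abort conditions (a hostname did not resolve).
plan_changes() {
    cur_local=$1 cur_remote=$2 new_local=$3 new_remote=$4
    [ -n "$new_local" ]  || { echo "No local address found. Abort.";  return 1; }
    [ -n "$new_remote" ] || { echo "No remote address found. Abort."; return 1; }
    changed=0
    if [ "$cur_remote" = "$new_remote" ]; then
        echo "Remote address does not change."
    else
        # The peer node is keyed by the remote address, so it must be recreated
        # (a real run would also copy the VTI binding of the old peer).
        echo "delete vpn ipsec site-to-site peer $cur_remote"
        echo "set vpn ipsec site-to-site peer $new_remote authentication mode pre-shared-secret"
        echo "set vpn ipsec site-to-site peer $new_remote authentication pre-shared-secret $PRE_SHARED_SECRET"
        echo "set vpn ipsec site-to-site peer $new_remote ike-group IKE0"
        echo "set vpn ipsec site-to-site peer $new_remote default-esp-group ESP0"
        echo "set vpn ipsec site-to-site peer $new_remote local-address $new_local"
        changed=1
    fi
    if [ "$cur_local" = "$new_local" ]; then
        echo "Local address does not change."
    elif [ "$changed" -eq 0 ]; then
        # Only the local side moved: updating the leaf is enough.
        echo "set vpn ipsec site-to-site peer $new_remote local-address $new_local"
        changed=1
    fi
    [ "$changed" -eq 1 ] || echo "Nothing to commit."
    return 0
}
```

On a USG the printed set/delete lines would be passed one at a time to /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper between its begin and commit steps; the status lines are what ends up in the log shown above.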

Edit config.gateway.json

Your config.gateway.json needs an addition: merge the contents of config.gateway.sheduler.json into your config.gateway.json on both sites.

Not sure how to find or create the config.gateway.json? Check the Ubiquiti help article "UniFi - USG Advanced Configuration Using config.gateway.json".

Troubleshooting

The script catches some error conditions. The errors and their solutions are explained below:

ESP group ESP0 not found in configuration. Abort.

You need to set up an Auto IPsec VTI site-to-site VPN connection in the controller. Already done? Then something is not right.

Let's debug it. Execute the following command. The output should look something like this:

admin@USG-Pro-4:~$ /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper show vpn ipsec esp-group
esp-group ESP0 {
    compression disable
    lifetime 3600
    mode tunnel
    pfs enable
    proposal 1 {
        encryption aes256
        hash sha1
    }
}

If you get "Configuration under specified path is empty", try the following:

admin@USG-Pro-4:~$ /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper show vpn ipsec
auto-firewall-nat-exclude enable
esp-group ESP0 {
    compression disable
    lifetime 3600
    mode tunnel
    pfs enable
    proposal 1 {
        encryption aes256
        hash sha1
    }
}
ike-group IKE0 {
    dead-peer-detection {
        action restart
        interval 20
        timeout 120
    }
    key-exchange ikev1
    lifetime 28800
    proposal 1 {
        dh-group 14
        encryption aes256
        hash sha1
    }
}
ipsec-interfaces {
    interface pppoe0
}
nat-networks {
    allowed-network 0.0.0.0/0 {
    }
}
nat-traversal enable
...

Does the group have a different identifier? Please report it to me with a log or screenshot.

Is the output still empty? Then you don't have a valid IPsec VTI site-to-site VPN configuration. Has your USG been provisioned since the VPN was configured?

IKE group IKE0 not found in configuration. Abort.

Same issue as ESP group ESP0 not found in configuration. Abort. See above.

No local address found. Abort.

The hostnames for site A and site B must be valid and up-to-date dyndns hosts, and the specified domains must have an A record. Sure about that? Then your USG may not be able to resolve domains. Try the following:

admin@USG-Pro-4:~$ host -st A one.one.one.one
one.one.one.one has address 1.0.0.1
one.one.one.one has address 1.1.1.1

If the domain can't be resolved, your USG has a problem with the DNS it uses.

No remote address found. Abort.

Same issue as No local address found. Abort. See above.

Compatibility

Tested and productive in use:

  • Ubiquiti UniFi Security Gateway, USG with FW 4.4.57.5578372
  • Ubiquiti UniFi Security Gateway, USG-PRO-4 with FW 4.4.57.5578372

License

MIT