How to set up a site-to-site VPN from an Azure VPN Gateway to a Unifi Dream Machine
When you want to extend your local network to Azure, you have multiple options. In this manual I am going to show you how to set up a site-to-site VPN connection from a Unifi Dream Machine Pro/SE to an Azure Virtual WAN VPN Gateway. This is slightly different from an Azure VPN Gateway that is not part of a Virtual WAN, but most steps are the same.
Assuming you have already deployed an Azure VPN Gateway, we will continue with the configuration of the gateway. But first things first: go to the Unifi Console using the local address, or, when using a Unifi account, manage it via https://unifi.ui.com/
From the Unifi Console go to Settings, VPN, Site-to-Site VPN and copy the Local IP of the WAN port that you want to use for the VPN connection.
Now go to the Azure Portal (https://portal.azure.com) and open your VPN gateway. From there go to VPN sites and click on Create site.
Now fill in all the required fields. For the Private address space you need to fill in the range of the local LAN on your Unifi device.
Now fill in the connection details of the on-premises side. In this example we are not going to use BGP, so the last two fields can be left empty. If you have a redundant setup you can add a second link. Use the public IP address of your on-premises device.
Review the config and click on Create.
When completed, go back to Azure Virtual WAN and open the hub.
From the hub go to VPN (Site to site) and remove the filter on the hub.
Now make sure that your newly created VPN site is selected and click on Connect VPN sites.
On the new page we are going to configure a few settings. We go through them one by one:
- Pre-shared key (PSK): Use a custom key, make it at least 20 characters
- Protocol: Select IKEv2
- IPSec: Custom
- SA Lifetime in seconds: the Phase 2 lifetime in seconds. The Phase 1 lifetime is always 28800 seconds in Azure.
- IKE Phase 1: Make sure to select settings that are available both in Azure and on the on-premises device
- IKE Phase 2: Same as with Phase 1
- Leave all other options default.
Below is an example of supported options on both ends. Click save when ready.
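The same Azure-side steps (register the on-premises site, define a custom IPsec policy, connect the site to the hub gateway) can be scripted with the Az PowerShell module. This is an added example, not from the original article: the resource group, Virtual WAN, hub, gateway and site names, the public IP, the LAN range and the cipher choices are all assumptions and must be replaced with your own values.

```powershell
# Added example using Az.Network cmdlets. All names and addresses below are assumptions.
$rg       = 'rg-vwan'                 # assumed resource group
$location = 'westeurope'              # assumed region
$vwan     = Get-AzVirtualWan -ResourceGroupName $rg -Name 'vwan-prod'   # assumed vWAN name
$gwName   = 'hub-weu-vpngw'           # assumed name of the hub's VPN gateway

# 1. Register the on-premises site: the UDM's WAN public IP (copied from the Unifi
#    console) and the LAN range behind it (the "Private address space" in the portal).
#    BGP is not used, matching the article, so no BGP settings are passed.
$site = New-AzVpnSite -ResourceGroupName $rg -Name 'site-udm' -Location $location `
    -VirtualWan $vwan `
    -IpAddress '203.0.113.10' `              # assumed public IP of the UDM (documentation range)
    -AddressSpace '192.168.1.0/24' `         # assumed on-premises LAN
    -DeviceVendor 'Ubiquiti' -DeviceModel 'UDM-Pro' -LinkSpeedInMbps 100

# 2. Custom IPsec policy. Azure fixes the Phase 1 lifetime at 28800 s, so only the
#    Phase 2 (SA) lifetime is configurable. The algorithms are example values that
#    must match what is configured on the UDM; adjust them to your own choice.
$policy = New-AzIpsecPolicy `
    -SALifeTimeSeconds 3600 -SADataSizeKilobytes 102400000 `
    -IkeEncryption AES256 -IkeIntegrity SHA256 -DhGroup DHGroup14 `
    -IpsecEncryption AES256 -IpsecIntegrity SHA256 -PfsGroup PFS14

# 3. Pre-shared key: prompt for it instead of hardcoding it in the script, and
#    enforce the article's minimum of 20 characters before creating the connection.
$psk = Read-Host -Prompt 'Pre-shared key (at least 20 characters)' -AsSecureString
if ($psk.Length -lt 20) { throw 'Pre-shared key must be at least 20 characters.' }

# 4. Connect the site to the hub gateway with IKEv2 and the custom policy.
New-AzVpnConnection -ResourceGroupName $rg -ParentResourceName $gwName -Name 'conn-udm' `
    -VpnSite $site -SharedKey $psk -IpSecPolicy $policy -VpnConnectionProtocol IKEv2

# 5. Show the gateway's public IP address, which is needed for the Unifi side.
(Get-AzVpnGateway -ResourceGroupName $rg -Name $gwName).IpConfigurations |
    Select-Object -ExpandProperty PublicIpAddress
```

The cmdlet and parameter names are the documented Az.Network ones; verify the cipher names against the values your UDM firmware offers before applying.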
From the VPN gateway page open the configuration page and copy the public IP address of the VPN gateway.
The next step is to create the configuration on the Unifi device. Make sure to align all settings with Azure. In our case the subnet in Azure is 172.16.0.0/24.
Once added, the tunnel should come online within a few seconds on the Unifi device. In Azure there might be a delay of several minutes. Below is the connection status on the Unifi device:
Below is the status from the Azure Portal:
When online you should be able to reach resources on both ends: