This guide walks through configuring a **route-based IPsec VPN** between:

- **Local side**: UniFi **UDM Pro Max**
  - UniFi OS **4.4.6**
  - Network Application **10.0.162**
  - Zone-Based Firewall enabled
- **Remote side**: **SonicWall TZ 600**
  - SonicOS **6.5.1.5-6n**

The goal is a **route-based (VTI-style)** VPN using static routes (not policy-based selectors), suitable for multi-subnet routing and future scalability.

---

## 1. Network Assumptions (Example)

Adjust these to match your environment.

### UniFi Side

| Item | Value |
|---|---|
| WAN Interface | WAN1 (public IP or NAT) |
| Local LAN Subnet | `10.10.0.0/16` |
| VPN Tunnel IP | `169.254.100.1/30` (not set on UniFi itself, where Tunnel IP is disabled in 2.2; it appears only as the Remote Tunnel IP in the SonicWall policy) |
| Firewall Zone | `VPN` |

### SonicWall Side

| Item | Value |
|---|---|
| WAN Interface | X1 |
| Local LAN Subnet | `10.20.0.0/16` (the SonicWall's own LAN; this is the "remote network" from the UniFi side) |
| VPN Tunnel IP | `169.254.100.2/30` |

### IPsec Parameters

| Setting | Value |
|---|---|
| IKE Version | IKEv1 |
| Authentication | Pre-Shared Key |
| Encryption | AES-128 |
| Integrity | SHA1 |
| DH Group | 2 |
| Lifetime | 28800s (Phase 1) / 3600s (Phase 2) |
| PFS | Must be set identically on both peers (see 2.2 and 3.2) |

> [!warning] SHA1 and DH group 2 (1024-bit MODP) are deprecated and are used here only because they are the lowest common denominator of the two UIs. Both platforms also offer SHA-256, DH group 14 or higher, and IKEv2; prefer those wherever both ends support them, keeping the two sides identical.

---

## 2. UniFi UDM Pro Max Configuration

### 2.1 VPN Zone (Automatic)

> ℹ️ **No configuration required**
> UniFi Network **automatically creates and manages the `VPN` zone** when a site-to-site VPN is defined.
> - You do **not** need to create or modify a VPN zone
> - The VPN (e.g. `Sonicwall_VPN`) will automatically appear under the **VPN** zone
> - This zone is referenced later when creating firewall policies

---

### 2.2 Create Route-Based VPN Tunnel

Navigate to **Settings → VPN → Site-to-Site VPN** and configure the VPN exactly as shown below.

#### General

- **VPN Type**: `IPsec`
- **Name**: `VPN-SonicWall`
- **Pre-Shared Key**: `<StrongSharedSecret>` (use a long random secret; it is the only thing authenticating the peers)
- **Local IP**: Auto-selected WAN interface (e.g. `WAN1`)
- **Remote IP / Hostname**: `<SonicWall Public IP or FQDN>`

#### Network Configuration

- **VPN Method**: ✅ **Route Based**
- **Tunnel IP**: ❌ **Disabled**
- **Remote Networks**: ✅ **Static**
  - Add remote LAN subnet(s), for example:
    - `10.20.0.0/16`

> ℹ️ Even though this is a _route-based_ VPN, UniFi still requires at least one **Remote Network** entry to install routes and bring the tunnel up.

#### Advanced

- **Advanced**: Switch to **Manual**

**IKE (Phase 1)**

- Key Exchange Version: **IKEv1**
- Encryption: **AES-128**
- Hash: **SHA1**
- DH Group: **2**
- Lifetime: **28800**

**ESP (Phase 2)**

- Encryption: **AES-128**
- Hash: **SHA1**
- DH Group: **2** (only used when PFS is enabled)
- Lifetime: **3600**
- **Perfect Forward Secrecy (PFS)**: ❌ Disabled. Whatever you choose here must be mirrored on the SonicWall (Section 3.2); Phase 2 will not establish if PFS is enabled on only one side.

**Other Settings**

- Local Authentication ID: Auto
- Remote Authentication ID: Auto
- MTU: Auto (1419)
- Route Distance: Default (`30`)

Click **Add** to save the VPN.

---

### 2.3 Routing Behavior (UniFi – No Static Routes Section)

> ℹ️ **Important UniFi Behavior (Network 10.0.162)**
> UniFi **does not expose a standalone static routing section** for site-to-site VPNs.
> For **IPsec route-based VPNs**, routing is handled automatically.

#### How Routing Works on UniFi

- Routes are **automatically created** based on:
  - The VPN being **Route Based**
  - The **Remote Networks** defined in the VPN configuration
- No manual next-hop or interface selection is required
- Routes are installed dynamically when the tunnel is up

#### What You Must Do

When configuring the VPN:

- Set **VPN Method** to **Route Based**
- Set **Remote Networks** to **Static**
- Add all remote subnets (for example):
  - `10.20.0.0/16`

UniFi will automatically:

- Bind the routes to the VPN tunnel interface
- Place traffic into the built-in **VPN firewall zone**

> [!warning] If a remote subnet is missing here, **traffic will never be routed into the tunnel**, even if the VPN shows as _Online_. Such traffic follows the default route out of the WAN instead, unencrypted.
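The warning above is worth checking rather than trusting: once the tunnel shows _Online_, the only way to be sure a given remote subnet actually enters the tunnel is the kernel routing table on the UDM (the `ip route show` check in Section 4). The following Python helper is an added example for this guide, not UniFi's or SonicWall's own code. It parses `ip route show` output and, for each remote network the VPN should carry, finds the most specific route covering the whole subnet and reports whether it points at a tunnel interface or somewhere else such as the WAN default route (in which case the traffic would leave in cleartext). The `vti`/`xfrm` interface-name prefixes and the sample routing table are assumptions; confirm the real tunnel interface name with `ip link` on your gateway.

```python
"""Verify that each remote VPN subnet is routed into the IPsec tunnel.

Added verification helper for this guide (not UniFi or SonicWall code).
Feed it the text of `ip route show` taken on the UDM; for every remote
network the VPN should carry it finds the most specific route covering the
whole subnet and classifies it:

  tunnel:<dev>  route points at a VTI/xfrm tunnel interface (good)
  leak:<dev>    route points elsewhere, usually the WAN default route, so
                traffic for that subnet would leave in cleartext
  missing       no route at all (not even a default route)
"""
import ipaddress
import re
import sys

# Interface-name prefixes treated as IPsec tunnel interfaces. "vti" is an
# assumption about how the gateway names route-based tunnels; confirm with
# `ip link` on your own UDM and adjust.
TUNNEL_IFACE_PREFIXES = ("vti", "xfrm")

# One `ip route show` line: "<dst> [via <gw>] dev <ifname> ..."
ROUTE_RE = re.compile(r"^(?P<dst>\S+)\s+(?:via\s+(?P<via>\S+)\s+)?dev\s+(?P<dev>\S+)")

# Constructed sample output modelled on the addressing in Section 1: LAN
# 10.10.0.0/16 on br0, remote 10.20.0.0/16 over a VTI with the default route
# distance of 30, and a documentation-range (203.0.113.0/24) WAN uplink.
SAMPLE_ROUTES = """\
default via 203.0.113.1 dev eth8 proto static
10.10.0.0/16 dev br0 proto kernel scope link src 10.10.0.1
10.20.0.0/16 dev vti64 proto static metric 30
203.0.113.0/24 dev eth8 proto kernel scope link src 203.0.113.10
"""


def parse_routes(route_table):
    """Return [(network, via_or_None, dev)] for every parseable route line."""
    routes = []
    for line in route_table.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue  # blackhole/unreachable entries have no "dev"; ignore them
        dst = m.group("dst")
        net = ipaddress.ip_network("0.0.0.0/0" if dst == "default" else dst, strict=False)
        routes.append((net, m.group("via"), m.group("dev")))
    return routes


def check_vpn_routes(route_table, remote_subnets):
    """Map each remote subnet to 'tunnel:<dev>', 'leak:<dev>' or 'missing'."""
    routes = parse_routes(route_table)
    verdicts = {}
    for subnet in remote_subnets:
        target = ipaddress.ip_network(subnet, strict=False)
        # Only routes that cover the *entire* remote subnet count; the most
        # specific of those is what the kernel would pick for that traffic.
        covering = [r for r in routes
                    if r[0].version == target.version and target.subnet_of(r[0])]
        if not covering:
            verdicts[subnet] = "missing"
            continue
        net, via, dev = max(covering, key=lambda r: r[0].prefixlen)
        if dev.startswith(TUNNEL_IFACE_PREFIXES):
            verdicts[subnet] = f"tunnel:{dev}"
        else:
            verdicts[subnet] = f"leak:{dev}"
    return verdicts


def main(argv):
    # Usage on the UDM:  ip route show | python3 check_vpn_routes.py 10.20.0.0/16 ...
    # Without piped input the constructed sample table is used instead.
    subnets = argv[1:] or ["10.20.0.0/16", "10.30.0.0/16"]
    table = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ROUTES
    verdicts = check_vpn_routes(table, subnets)
    for subnet, verdict in verdicts.items():
        print(f"{subnet:<18} {verdict}")
    return 0 if all(v.startswith("tunnel:") for v in verdicts.values()) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On the sample table `10.20.0.0/16` is reported as `tunnel:vti64`, while a subnet you forgot to add as a Remote Network (here `10.30.0.0/16`) is reported as `leak:eth8` because only the WAN default route covers it. The non-zero exit status makes the check usable from a cron job or a monitoring hook.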
The route UniFi installs for the example above is:

| Destination | Gateway |
|---|---|
| `10.20.0.0/16` | VPN Tunnel Interface |

---

### 2.4 Firewall Rules (Zone-Based – Updated UI)

> ℹ️ **Important**: In UniFi Network **10.0.162**, user LAN networks are grouped under the **Internal** zone (not a zone named `LAN`). You must use **Internal ↔ VPN** when creating firewall rules.

---

#### Allow Internal → VPN

Create a firewall policy:

- **Name**: `Allow Internal to VPN`
- **Source Zone**: `Internal`
- **Source**: `Any` (or restrict to specific networks as needed)
- **Destination Zone**: `VPN`
- **Destination**: `Site-to-Site`
- **Protocol**: `All`
- **Port**: `Any`
- **IP Version**: `Both`
- **Connection State**: `All`
- **Action**: `Allow`

---

#### Allow VPN → Internal (Return Traffic)

Create a second firewall policy:

- **Name**: `Allow VPN to Internal`
- **Source Zone**: `VPN`
- **Source**: `Site-to-Site`
- **Destination Zone**: `Internal`
- **Destination**: `Any`
- **Protocol**: `All`
- **Port**: `Any`
- **IP Version**: `Both`
- **Connection State**: `Return Traffic`
- **Action**: `Allow`

> [!note] If bidirectional initiation is required, change **Connection State** to `All`. Keeping it at `Return Traffic` means hosts on the SonicWall side cannot open new connections into the UniFi LAN, which is the safer default if only one side needs to initiate.

---

#### Zone Matrix Validation

In **Policy Engine → Zone Matrix**:

- Verify **Internal → VPN** shows **Allow All** (green)
- Verify **VPN → Internal** allows **Return** or **Allow** traffic

These rules must be **above any Block rules** affecting VPN traffic.

---

## 3. SonicWall TZ 600 Configuration

### 3.1 Create Address Objects

Navigate to **Network → Address Objects**

- `UniFi_LAN`
  - Type: Network
  - Subnet: `10.10.0.0/16`

---

### 3.2 Create Route-Based VPN Policy

1. Go to **VPN → Settings**
2. Click **Add**
3. Choose **Site-to-Site VPN**
4. Select **IKEv1**

**General Tab**

- Authentication Method: IKE using Preshared Secret
- Name: `VPN-UniFi`
- IPsec Primary Gateway: `<UDM Public IP>`
- Shared Secret: `<StrongSharedSecret>` (identical to the UniFi Pre-Shared Key)

**Network Tab**

- Policy Type: **Tunnel Interface (Route-Based)**
- Local Tunnel IP: `169.254.100.2`
- Remote Tunnel IP: `169.254.100.1`
- Tunnel Interface: Enable

**Proposals Tab**

- Phase 1:
  - Encryption: AES-128
  - Authentication: SHA1
  - DH Group: 2
  - Lifetime: 28800
- Phase 2:
  - Encryption: AES-128
  - Authentication: SHA1
  - PFS: Group 2
  - Lifetime: 3600

> [!warning] As written, this PFS setting disagrees with the UniFi side in Section 2.2, where PFS is disabled. Phase 2 will not establish until both peers use the same PFS setting: either disable PFS here, or enable PFS with DH group 2 on the UniFi side. Pick one and apply it to both.

Enable the policy.

---

### 3.3 Static Routes

1. Navigate to **Network → Routing**
2. Add a static route:

| Destination | Gateway |
|---|---|
| `10.10.0.0/16` | VPN Tunnel Interface |

---

### 3.4 Firewall Access Rules

Navigate to **Firewall → Access Rules**

#### LAN → VPN

- From Zone: LAN
- To Zone: VPN
- Source: `10.20.0.0/16`
- Destination: `10.10.0.0/16`
- Service: Any
- Action: Allow

#### VPN → LAN

- From Zone: VPN
- To Zone: LAN
- Source: `10.10.0.0/16`
- Destination: `10.20.0.0/16`
- Service: Any
- Action: Allow

---

## 4. Verification & Troubleshooting

### UniFi

- **Insights → VPN**: Verify tunnel is `UP`
- **Traffic Logs**: Confirm flows hit VPN zone
- SSH:

```bash
ip route show
ipsec status
```

In the `ipsec status` output the IKE SA should read `ESTABLISHED` and the child (ESP) SA `INSTALLED`; `ip route show` should list each remote subnet with the tunnel interface as its device.

### SonicWall

- **VPN → Settings**: Status should be `Green`
- **Log → View**: Filter on VPN events
- CLI:

```
show vpn tunnels
```

---

## 5. Common Issues

- ❌ Mismatched Phase 1/2 proposals (including PFS enabled on only one peer; see 2.2 and 3.2)
- ❌ Missing static routes
- ❌ Firewall rules not permitting VPN zone traffic
- ❌ NAT policies applied to VPN traffic (disable NAT for VPN)

---

## 6. Notes & Best Practices

- Prefer **route-based VPNs** for multi-subnet or dynamic routing
- Treat **AES-128 / SHA1 / DH2** as the floor used in this guide, not a recommendation: SHA1 and DH group 2 are deprecated, so use SHA-256 and DH group 14 or higher (and IKEv2) where both ends support them
- Keep lifetimes, PFS and all other proposal settings identical on both sides
- Use a long, randomly generated pre-shared key; it is the sole authentication factor for the tunnel
- Document tunnel IPs and routing clearly
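Mismatched proposals (Section 5) are easiest to catch before touching either GUI by writing both sides' settings down side by side and diffing them. The following Python checker is an added example, not a UniFi or SonicWall tool: `UNIFI` and `SONICWALL` transcribe the values from Sections 2.2 and 3.2 exactly as this guide gives them (including the SonicWall UI's `Group 2` spelling), `compare_proposals` normalises vendor spellings and reports every field that differs, and `legacy_settings` flags algorithms both firmwares still accept but that Section 6 says to move beyond. `HARDENED` is an assumed stronger profile (IKEv2, AES-256, SHA-256, DH group 14) for comparison; the guide itself does not configure it.

```python
"""Compare the IKE (Phase 1) and ESP (Phase 2) proposals of two IPsec peers.

Added example for this guide, not vendor tooling. A tunnel whose peers
disagree on any proposal field sits in "connecting" forever, so check the
two transcriptions against each other before debugging anything else.
"""
import re

# Algorithms both firmwares still offer but that should not be chosen for
# new tunnels. DH groups 1/2/5 are 768/1024/1536-bit MODP.
LEGACY = {
    "encryption": {"des", "3des"},
    "hash": {"md5", "sha1"},
    "dh_group": {1, 2, 5},
}

# Values from Section 2.2 (UniFi) and Section 3.2 (SonicWall) of the guide.
# UniFi lists "DH Group: 2" under ESP but has PFS disabled, so no PFS group
# is actually negotiated; SonicWall's UI spells groups as "Group N".
UNIFI = {
    "phase1": {"ike_version": "IKEv1", "encryption": "AES-128", "hash": "SHA1",
               "dh_group": 2, "lifetime": 28800},
    "phase2": {"encryption": "AES-128", "hash": "SHA1", "pfs_group": None, "lifetime": 3600},
}
SONICWALL = {
    "phase1": {"ike_version": "IKEv1", "encryption": "AES-128", "hash": "SHA1",
               "dh_group": "Group 2", "lifetime": 28800},
    "phase2": {"encryption": "AES-128", "hash": "SHA1", "pfs_group": "Group 2", "lifetime": 3600},
}
# Assumed stronger profile for comparison (not configured anywhere in the guide).
HARDENED = {
    "phase1": {"ike_version": "IKEv2", "encryption": "AES-256", "hash": "SHA256",
               "dh_group": 14, "lifetime": 28800},
    "phase2": {"encryption": "AES-256", "hash": "SHA256", "pfs_group": 14, "lifetime": 3600},
}


def norm(value):
    """Canonicalise vendor spellings: 'AES-128' == 'aes128', 'SHA-1' == 'sha1', 'Group 2' == 2."""
    if value is None or isinstance(value, int):
        return value
    s = re.sub(r"[\s_-]", "", str(value)).lower()
    m = re.fullmatch(r"(?:group|dh)?(\d+)", s)
    return int(m.group(1)) if m else s


def compare_proposals(a, b):
    """Return 'phaseN.field: a != b' for every field whose normalised values differ."""
    mismatches = []
    for phase in sorted(set(a) | set(b)):
        pa, pb = a.get(phase, {}), b.get(phase, {})
        for field in sorted(set(pa) | set(pb)):
            if norm(pa.get(field)) != norm(pb.get(field)):
                mismatches.append(f"{phase}.{field}: {pa.get(field)!r} != {pb.get(field)!r}")
    return mismatches


def legacy_settings(cfg):
    """Return 'phaseN.field=value' for each deprecated algorithm (or IKEv1) in one peer's config."""
    findings = []
    for phase, settings in cfg.items():
        for field, value in settings.items():
            if field == "ike_version":
                if norm(value) == "ikev1":
                    findings.append(f"{phase}.{field}={value}")
                continue
            key = "dh_group" if field == "pfs_group" else field  # PFS group is a DH group
            if key in LEGACY and norm(value) in LEGACY[key]:
                findings.append(f"{phase}.{field}={value}")
    return findings


def main():
    print("Mismatches, UniFi vs SonicWall:")
    for line in compare_proposals(UNIFI, SONICWALL):
        print("  " + line)
    print("Legacy settings on UniFi:   ", legacy_settings(UNIFI))
    print("Legacy settings on HARDENED:", legacy_settings(HARDENED))


if __name__ == "__main__":
    main()
```

Run against the guide's own values the checker reports a single mismatch, `phase2.pfs_group: None != 'Group 2'`, which is exactly the disagreement flagged in Sections 2.2 and 3.2, and lists SHA1, DH group 2 and IKEv1 as legacy settings on both peers while reporting nothing for the hardened profile.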