Thursday, August 9, 2018

Creating a Site-To-Site AND Remote User VPN using Ubiquiti Unifi Security Gateway? Extensive details inside

I am a non-expert that provides most of the IT services to my 30 person company. We keep everything very simple and use mostly Apple hardware and cloud services. We have never had a VPN and never had any need for it because we do everything in the cloud. We use a cloud provider for shared storage, cloud hosted email and calendaring, cloud hosted password management, etc.

My office network uses Ubiquiti Unifi APs and switches. Historically we had a router running RouterOS that I know is very adaptable, but when that router broke and my preferred IT contractor that set it up wasn't available to help, I ended up purchasing the Ubiquiti Unifi Security Gateway as a replacement. Setting it up was super simple and it's nice to have some of the router analytics coming through the Unifi dashboard, so overall I am a big fan.

Fast forward to today, and one of our clients is asking us to set up a site-to-site VPN so that they can share some of their databases with us. Additionally, my company's employees that need access to those databases often work remotely, so I need to be able to "daisy chain VPN connections": I need to set up remote user VPNs for my colleagues here to VPN into my office network so that they can access the client database through the site-to-site VPN with the client's office. Right now I am trying to figure out how best to achieve this VPN/network configuration.

In the short term I have asked the client to provide my colleagues with VPN credentials for their network, but in the medium term I would like to move to the site-to-site solution because it's better for my company to be able to grant and revoke VPN credentials without having to notify the client. For example, every time we hire a new employee, or every time an employee leaves, I don't want to have to make urgent requests to my client to grant/revoke VPN credentials.

Reviewing the Unifi Security Gateway documentation and online information, it appears that this router does support both site-to-site and remote-user VPNs. Only remote-user is documented in the User Manual, but Ubiquiti has additional info about site-to-site on their website. I am wondering whether, even though the Unifi technically supports these features, it would be best to use a different device. I could either swap out this Unifi Security Gateway for a different router or I could add an additional piece of hardware just to enable the VPN configuration if that is a good option.

This is what the site-to-site VPN configuration page on the Unifi dashboard looks like:

For the task of setting up the site-to-site VPN, my client sent over a "questionnaire" where they ask for the parameters of our VPN. Comparing to the Ubiquiti site-to-site VPN setup page, most of the line items that the client sent seem to relate directly to Ubiquiti settings, but there are some things that are missing and some things that I have other questions on. I definitely don't want to make this client a guinea pig to test the (possibly) limited VPN capabilities of Ubiquiti, so if achieving this setup with my current router is sketchy then I want to take a different route. The client's VPN document is separated into 3 relevant sections: (1) VPN Tunnel Configuration Requirements, (2) IPSec Parameters (IKE Phase 1 Proposal): ISAKMP MAIN MODE NEGOTIATION, and (3) IPSec Parameters (IKE Phase 2): IPSEC QUICK MODE NEGOTIATION. The first section seems to be related to overall settings, whereas sections (2) and (3) seem to be different types of VPN connections. I am not sure if I need to set up for both types or if I only need to set up for one type. The Unifi has a section called "Key Exchange Version" that allows you to select "IKEv1" or "IKEv2", possibly those relate. I have separated the different sections below.
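As an added illustration (not from the original post or from Ubiquiti), the script below shows how the two questionnaire sections map onto one IPsec tunnel: the Phase 1 (ISAKMP/IKE) proposal becomes the IKE group, the Phase 2 (IPsec quick mode) proposal becomes the ESP group, and a single peer entry references both. The questionnaire values are constructed placeholders, and the nested key names are an assumption based on the EdgeOS-style `config.gateway.json` layout the USG accepts; the `check_proposals` function flags settings a security reviewer would push back on before agreeing to them.

```python
import json

# Constructed questionnaire values; documentation addresses, not a real client's parameters.
QUESTIONNAIRE = {
    "peer_ip": "203.0.113.10", "local_ip": "198.51.100.20",
    "local_subnet": "192.168.10.0/24", "remote_subnet": "10.20.0.0/24",
    "phase1": {"encryption": "aes256", "hash": "sha256", "dh_group": 14, "lifetime": 28800},
    "phase2": {"encryption": "aes256", "hash": "sha256", "pfs": True, "lifetime": 3600},
}

WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5", "sha1"}
WEAK_DH = {1, 2, 5}

def check_proposals(q):
    """Return findings for weak Phase 1 / Phase 2 choices; an empty list means acceptable."""
    findings = []
    for phase in ("phase1", "phase2"):
        p = q[phase]
        if p["encryption"] in WEAK_ENCRYPTION:
            findings.append(f"{phase}: weak encryption {p['encryption']}")
        if p["hash"] in WEAK_HASH:
            findings.append(f"{phase}: weak integrity hash {p['hash']}")
    if q["phase1"]["dh_group"] in WEAK_DH:
        findings.append(f"phase1: weak DH group {q['phase1']['dh_group']}")
    if not q["phase2"]["pfs"]:
        findings.append("phase2: PFS disabled")
    return findings

def build_config(q):
    """Render one tunnel: Phase 1 -> ike-group, Phase 2 -> esp-group, both referenced by the peer."""
    p1, p2 = q["phase1"], q["phase2"]
    return {"vpn": {"ipsec": {
        "ike-group": {"IKE-CLIENT": {"key-exchange": "ikev1", "lifetime": str(p1["lifetime"]),
            "proposal": {"1": {"dh-group": str(p1["dh_group"]),
                               "encryption": p1["encryption"], "hash": p1["hash"]}}}},
        "esp-group": {"ESP-CLIENT": {"mode": "tunnel", "lifetime": str(p2["lifetime"]),
            "pfs": "enable" if p2["pfs"] else "disable",
            "proposal": {"1": {"encryption": p2["encryption"], "hash": p2["hash"]}}}},
        "site-to-site": {"peer": {q["peer_ip"]: {
            "authentication": {"mode": "pre-shared-secret",
                               "pre-shared-secret": "REPLACE-WITH-SHARED-SECRET"},  # placeholder
            "ike-group": "IKE-CLIENT", "local-address": q["local_ip"],
            "tunnel": {"0": {"esp-group": "ESP-CLIENT",
                             "local": {"prefix": q["local_subnet"]},
                             "remote": {"prefix": q["remote_subnet"]}}}}}}}}}

if __name__ == "__main__":
    print("\n".join(check_proposals(QUESTIONNAIRE)) or "proposals OK")
    print(json.dumps(build_config(QUESTIONNAIRE), indent=2))
```

The point to take from the output is that both sections of the questionnaire feed one tunnel definition; they are not two alternative connection types.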

In any case, I have already written up an extensive comparison between the options that the Unifi router provides and the options that my client's questionnaire provides, but before I triple the size of this post, I was wondering whether anyone has experience with Ubiquiti routers and knows whether it is advisable to go with that route.

If anyone wants to read a writeup of all the options available in the Ubiquiti compared to the options that my client's IT department provides, I can post it immediately!
