Unifi Site to Site VPN Thoughts/Experiences?

My boss asked me to look into switching our Site to Site VPNs to Unifi (using Dream Machine Pros).

We currently use Meraki which has served us well with little to no issues. The reason for switching would be cost based, one year of Meraki licenses pays for all the Unifi equipment needed with no license costs afterwards.

Does anyone have experience using Unifi Site to Site VPNs? We currently have over 15 locations, so I am hesitant to switch and break anything. It feels like when I touch one thing 10 things break, but maybe it’s just me.

Thank you for any information you may be able to provide.

Three sites with Unifi Security Gateways all linked with the automatic site to site VPN. Works great for us and effortless to set up (once the initial Unifi adoption and site creation stuff is done).

For this to work the gateways all need to be on the same controller. I am not sure if this is possible with the Unifi “Dream Machines”, because they have a built-in controller; can they instead be pointed to an external one?

It has its limitations. It’s hub-and-spoke only, no mesh, so data has to go through the hub’s connection and if the hub location goes down the branches lose connectivity with each other. It can handle dynamic IPs, but not the USG being itself behind NAT.

Manual VPN setup to connect to other manufacturers’ devices is a pain in the arse, and the remote user VPN is inadequate, so you’ll need a different solution for that.

In general Unifi is good for small biz if you have fairly ordinary requirements. But as soon as you want to do something a bit unusual that’s not in the controller GUI, it’s a pain in the arse.

Don’t.

VPN is literally Meraki’s best feature. VPN is literally UBNT’s worst feature.

PS: To add to my other answer. If you have more advanced needs and you’re happy with a more traditional mostly CLI config, you could look at Ubiquiti’s Edge range.

We use UniFi brand equipment for several of our clients, granted not with Dream Machines, and site-to-sites work pretty well. We even have a client with about 20 locations working just fine.

I’d say be sure you/your team are comfortable with the possibility of having to customize JSON files for custom configs (there are some things you cannot do via the controller/GUI), and be sure to note if you have any specifics (certain DH groups, encryption, etc.) and make sure the Dream Machines can handle those.

I would also say I don’t recommend mixing and matching, though it does sound like you’re planning to go full overhaul. I have run into some issues when trying to set up site-to-site between UniFi equipment and older ASAs, for example.

If you need support that’s on the ball that you can reach out to, I’d probably look elsewhere. UniFi is a lot of forum/self discovery by comparison, at least in my experience. In the same vein, their RMA process is fairly simple/easy to follow, so there is that.

I’ve got a bunch of Dream Machines with site to site VPN over IPsec. A few Untangle boxes mixed in. Works fine.

Just throwing in my two cents because why not. Meraki to Meraki VPN in the same organization is stupid easy. Likewise Unifi to Unifi in the same controller but in different sites is stupid easy. Meraki to other devices is… occasionally challenging, as stated elsewhere, as Meraki for some reason doesn’t support IKEv2 without calling support and having them add beta features to the device. Unifi to non-Unifi is pretty straightforward until it’s not, and then you are pretty much on your own. If there are issues, expect to waste weeks going back and forth with techs over email, usually 1 email per 2-3 days, have the case closed with no resolution every few days, give up and put in Watchguard or Fortigate (mostly because there is no way to troubleshoot VPN issues from the GUI and you need to SSH into both sides of the tunnel and issue poorly documented commands to get basic information). If you are looking at the EdgeMax line of Ubiquiti for VPN, don’t. You pretty much need to run the whole thing through the command line, which isn’t bad per se, but you really need to be comfortable combing through forums looking for commands to build the tunnel manually, as again the GUI lacks basic functionality.

I would not recommend Ubiquiti over Meraki unless it is an absolute last resort. That being said, I do sell a lot more Ubiquiti gear than I do Meraki gear, but that has more to do with my clientele than the products themselves.

At my old job, we had a site-to-site VPN from a USG Pro to Azure. It ran for almost 2 years without any issues. Updated to UDM Pro, still no issues.

I have both Meraki and Unifi products in play, and my advice would be to stay with Meraki just for ease of use. Call your VAR and let them know you are considering not renewing your Meraki licensing. Meraki can be very price competitive when they want to. I like Unifi, but in my experience, they lack enterprise level support.

Stay with Meraki. You won’t get any support from Ubiquiti and I swear the firmware they release is basically beta using the consumers as beta testers.

If you do Unifi, make sure you do IPsec (or WireGuard). They can’t do hardware acceleration of OpenVPN, and even the highest end Unifi router isn’t very quick at OpenVPN because of that.

As long as you do not want to do anything fancy they are a good firewall… that being said, the VPN setup on these is horrible, missing so much key functionality. No phase 2 settings, no single host setups. If you are simply connecting 2 Unifi Firewalls via VPN they are great, other than that they are terrible for Site to Site.

I love everything about Ubiquiti except their Unifi Firewalls.

I’ve been looking at this myself and couldn’t figure out if I need a controller at each site or if a single controller works. Right now we have two sites with a dedicated MPLS link, and I have several Unifi access points on both sites but with a single controller. Thinking of replacing the dedicated link with USG.

Dream Machine Pro’s controller is a weird hybrid. It can only be managed through Ubiquiti’s web management, so you will have to have an account with them. It’s free, and the Unifi gear as a whole have been super reliable and easy to set up in the three dorms we have them in. That said, we’ve never used the site-to-site feature with them.

No fucking chance, Meraki still can’t do IKEv2 to non-Meraki devices without beta code.

Not saying Ubiquiti is better, but Meraki is trash.

Edit: I should ask, is the rest of Meraki’s product such shit that it makes VPN look good?

Yeah, for a while they were doing live support chat in the controller UI; that is now gone and being blamed on COVID.

I should also mention that the UDM is a single site device, and as far as I can tell cannot be linked to a controller. I haven’t set up a UDM Pro, but I believe it is a single site device as well, and you definitely can’t have the auto VPN you can with the traditional USG and USG Pro. Not to just crap on Ubiquiti, I really do like the devices, I just hate their support. Meraki, on the other hand, has severe bandwidth limitations. You’d have to go up to an MX250, for example, to fully utilize a gigabit internet connection, so they aren’t perfect either.

You can literally just put a single controller in AWS and point an adopt DNS record to it. Makes it real easy and not reliant on one site being online.

Multiple sites can, and arguably should, use a single controller. The controller needs to be accessible over the internet (just the ports for device-controller traffic, not the web UI!). Then you do an “L3 adoption”. Ubiquiti describe a few different ways to do that in their docs; I use the SSH method.

So it’s completely dependent on Unifi’s “cloud” service then? So if Unifi decide it won’t be free any more I have to pay up or replace?

Yeah, that’s a hard no from me.