Need help in migrating IPSEC VPN from Fortinet to UniFI UCG-FIBER

Hello everyone,

I finally convinced the EMR software to let us switch to a UniFi firewall and move away from Fortinet.

They use an IPsec VPN to connect the site to their server.

Now, here are a few of their requirements, and I’m not sure whether UniFi routers can fully support them or not.

Standard IPsec requirements like IKEv2, MTU size, etc. are fine—we can configure all of that. What they specifically want is NAT over the IPsec tunnel. For example, if my local LAN network is 172.16.16.0/26, all traffic going through the IPsec VPN should be NATed to something like 192.xx.xx.12/32.

In addition to that, they want a static route so that all traffic destined for 10.xx.xx.xx is forwarded via the IPsec VPN tunnel.

Doing all of this in a regular scenario with a single public IP is fine. I tried configuring everything by following their documentation—setting up the VPN, NAT rules, and routing—and I believe I’ve done it correctly. However, I can’t really comment on the results yet because nothing has been tested with the site’s main public IP.

Now comes the complex part.

The site frequently experiences internet outages, so I plan to add a failover connection using mobile internet. As we all know, mobile internet doesn’t come with a static public IP. To work around this, I purchased a VPS, assigned it a static public IP, installed a WireGuard server on it, and connected the UCG-Fiber to it. This works fine for routing general internet traffic when using the failover link.

What I’m now trying to achieve is routing the IPsec VPN traffic via the WireGuard public IP when the primary internet (WAN1) fails.

In Fortinet, IPsec configuration is handled using Phase 1 and Phase 2, but UniFi doesn’t expose these concepts in the same way. Has anyone done something similar before on UniFi?

I’ll try to post screenshots of whatever I can, while making sure I don’t disclose any public IPs belonging to the EMR software.
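As an added illustration of the failover design described above (not something posted in this thread, and not UniFi or vendor configuration): the VPS only needs to act as a small NAT gateway for the router's WireGuard peer, so that IKE traffic the UCG sends over the WireGuard link leaves the VPS with its static public IP. The script below generates and, on request, loads an nftables ruleset that does this. Interface names (wg0, eth0), the router's tunnel address 10.200.0.2 and the EMR endpoint 203.0.113.10 are constructed placeholders. Because the VPS masquerades, the remote IKE peer will detect NAT and carry ESP inside UDP 4500 (NAT-T), which is why only UDP 500 and 4500 are forwarded. Two practical caveats follow from this design: the EMR side must allow the VPS address in addition to the WAN1 address, and when failover happens the IPsec SA is bound to the old source address, so the tunnel has to renegotiate from the new one; and the MTU budget shrinks twice, once for WireGuard and once for ESP inside it, so the IPsec MTU/MSS clamp the vendor asked for should be sized for the failover path, not just WAN1.

```shell
#!/bin/sh
# Added example (not from the thread): VPS-side nftables rules so that an IPsec
# tunnel initiated by a router behind a WireGuard link egresses with the VPS's
# static public IP. Assumed/constructed values: wg0 is the WireGuard interface,
# 10.200.0.2 is the router's tunnel address, eth0 is the VPS's public interface,
# 203.0.113.10 (TEST-NET-3) stands in for the EMR vendor's IPsec endpoint.
WG_IF="${WG_IF:-wg0}"
WAN_IF="${WAN_IF:-eth0}"
ROUTER_WG_IP="${ROUTER_WG_IP:-10.200.0.2}"
EMR_ENDPOINT="${EMR_ENDPOINT:-203.0.113.10}"   # placeholder, replace with the real endpoint

# Emit the ruleset as text so it can be reviewed before anything is loaded.
generate_ruleset() {
    cat <<EOF
table inet vpsfwd {
    chain forward {
        type filter hook forward priority filter; policy drop;
        # Return traffic for connections the router initiated.
        ct state established,related accept
        # Only the router's tunnel address may originate traffic, only to the
        # vendor endpoint, and only IKE (500) and NAT-T (4500, which carries ESP).
        iifname "$WG_IF" oifname "$WAN_IF" ip saddr $ROUTER_WG_IP ip daddr $EMR_ENDPOINT udp dport { 500, 4500 } accept
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Rewrite the source to the VPS's public address so the vendor sees one static IP.
        oifname "$WAN_IF" ip saddr $ROUTER_WG_IP masquerade
    }
}
EOF
}

# Sanity check: how many rules let the router reach the vendor endpoint.
# Expected: exactly one (the default policy drops everything else).
count_accept_rules() {
    generate_ruleset | grep -c "ip daddr $EMR_ENDPOINT.*accept"
}

# Load the ruleset and enable forwarding (run as root on the VPS).
apply_ruleset() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    generate_ruleset | nft -f -
}

# Only apply when explicitly asked; "show" prints the ruleset for review.
case "${1:-}" in
    apply) apply_ruleset ;;
    show)  generate_ruleset ;;
esac
```

Run it as `sh vps-ipsec-fwd.sh show` to inspect the generated rules, then `sh vps-ipsec-fwd.sh apply` on the VPS. The forward chain defaults to drop and only admits the router's tunnel address towards the one vendor endpoint on the two IKE ports, so a compromised VPS peer cannot use the VPS as a general relay.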

Let me answer my own question.

I either designed it incorrectly or tried to configure it the wrong way. Also, even if I design it properly, UniFi firewalls won’t achieve what I want—this was confirmed by their support team.

I’m thinking of buying a Netgate 6100 instead. This time, I plan to install IPsec on the VPS itself and route all traffic to pfSense via WireGuard. The VPS will handle all the heavy lifting (when WAN-1 fails), and pfSense will mainly manage failover and the IPsec VPN on WAN 1.

I’d love to hear your thoughts. Any suggestions, things I should keep in mind, or whether what I’m trying to do is even viable? @LTS_Tom @xMAXIMUSx

When a client has some specific IPsec requirement I rule out using UniFi since their support for custom configuration with IPsec is much more limited.