Over the weekend I swapped out 3 watchguard firewalls at our own office sites for 3 UniFi devices.
The process went smoothly for the most part except for the inability to port-forward L2TP ports through the UDM-PRO-MAX with a site-to-site IPSEC tunnel present. (Which the fireboxes could handle ok) - SSTP and L2TP were/are being handled by a MS RRAS server with Radius Auth
(and yes I was planning to replace both the L2TP and the working SSTP VPN connections with something more modern but wanted to keep things the same during the device switch)
I’ve set up the wireguard VPN server on the UDM-PRO-MAX at the primary site (I’m aware that L2TP and OpenVPN definitely won’t be able to route to the AWS resources) and configured a test client which is able to connect and can access the Site A LAN as well as the internal networks at sites B & C via the UniFi Site magic connections. However all traffic directed to the remote AWS subnet terminates on the wireguard subnet gateway.
Can anyone advise if it’s possible to configure the routing to allow Wireguard clients to access the AWS VPC over the IPSEC tunnel (route based)? The IPSEC settings only allow for additional remote networks to be added as I believe the UDM handles the local network side of things?
Simplified diagram:
I guess if it can’t be resolved I’ll just need to configure a wireguard server within the LAN but I’d prefer for the UDM to handle it if possible.
Any advice would be gratefully received!
Thanks Tim.
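
An added diagnostic (not from the post or from Ubiquiti) that models the three places a WireGuard-to-VPC packet can be dropped in the setup described above: the client's AllowedIPs, the tunnel's remote networks, and the tunnel's local networks (traffic selectors). The addressing below is constructed placeholder data, and the assumption that the WireGuard subnet is missing from the local selector is only one candidate explanation for the symptom, not a confirmed cause.

```python
import ipaddress

# Constructed placeholder addressing; none of these are Tim's real ranges.
WG_CLIENT_SUBNET = ipaddress.ip_network("10.255.0.0/24")          # UDM WireGuard pool
SITE_A_LAN = ipaddress.ip_network("192.168.10.0/24")              # Site A LAN
AWS_VPC_CIDR = ipaddress.ip_network("172.31.0.0/16")              # remote VPC over IPsec
CLIENT_ALLOWED_IPS = [SITE_A_LAN, AWS_VPC_CIDR]                    # client-side routes
IPSEC_REMOTE_NETWORKS = [AWS_VPC_CIDR]                             # "remote networks" in UDM
IPSEC_LOCAL_NETWORKS = [SITE_A_LAN]                                # assumed: LAN only, no WG pool


def covered(net: ipaddress.IPv4Network, selectors) -> bool:
    """True if net lies entirely inside one of the selector prefixes."""
    return any(net.subnet_of(s) for s in selectors)


def diagnose(wg_subnet, dst, allowed_ips, local_sel, remote_sel) -> list[str]:
    """Return the reasons a packet from a WG client to dst would not traverse the tunnel.

    An empty list means every hop's policy covers the flow. Each check mirrors
    where the packet is decided: at the client (AllowedIPs), then at the UDM's
    route-based tunnel, whose traffic selectors must match both source and destination.
    """
    problems = []
    if not covered(dst, allowed_ips):
        problems.append("client AllowedIPs omit the destination; client never sends it into WG")
    if not covered(dst, remote_sel):
        problems.append("IPsec remote networks omit the destination; UDM has no tunnel route")
    if not covered(wg_subnet, local_sel):
        problems.append("IPsec local networks omit the WG subnet; source fails the selector, "
                        "so the packet stops at the WG gateway")
    return problems


def diagnose_with_wg_in_local_selector():
    """Same flow once the WireGuard pool is included in the tunnel's local networks."""
    return diagnose(WG_CLIENT_SUBNET, AWS_VPC_CIDR, CLIENT_ALLOWED_IPS,
                    IPSEC_LOCAL_NETWORKS + [WG_CLIENT_SUBNET], IPSEC_REMOTE_NETWORKS)


if __name__ == "__main__":
    for p in diagnose(WG_CLIENT_SUBNET, AWS_VPC_CIDR, CLIENT_ALLOWED_IPS,
                      IPSEC_LOCAL_NETWORKS, IPSEC_REMOTE_NETWORKS):
        print("blocked:", p)
    print("after fix:", diagnose_with_wg_in_local_selector() or "flow covered end to end")
```

The same check applies to Site Magic networks: if client traffic to B and C works, those subnets are already present in the relevant selectors, which is why only the AWS prefix stops at the WireGuard gateway.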
