Configuring a site-to-site VPN tunnel with Coro Network and USG
As part of a virtual office, Coro includes the ability for customers to configure VPNs together with site-to-site tunnels.
This guide describes how to configure Coro to integrate with a UniFi Security Gateway (USG) firewall, and how to configure UniFi USG to allow traffic for your VPN from both inside and outside the network.
Prerequisites
Before you start, make sure you have the following:
- Access as an admin user with sufficient permissions to the Coro console for your workspace.
- An active subscription (or trial) for the Coro Network module.
- Access to the USG configuration interface.
USG configuration
Configure your USG firewall to allow traffic from inside and outside the network:
- Sign into your USG configuration interface.
- Go to Networks > Add New Network.
- Configure your VPN Settings:
  - Name: Enter a suitable name for your site-to-site tunnel.
  - VPN Type: Select "Site-to-Site".
  - VPN Protocol: Select "Manual IPsec".
  - Enable "Enable this Site-to-Site VPN".
  - Peer IP: Enter the Coro public IP address. The Coro public IP address is retrieved from the Network module in the Coro console.
    To retrieve the Coro public IP address:
    - Select Control Panel.
    - Select Network.
    The Coro public IP address displays on the Virtual Office page.
  - Local WAN IP: Enter the public IP address of your USG.
  - Pre-Shared Key: Enter the pre-shared key you created in the Management Portal.

  Note: Leave all other VPN Settings at their default value.
- Configure the following Advanced Settings:
  - Key Exchange Version: Select "IKEv2" if supported by your firewall version, or else select "IKEv1".
  - Encryption: Select "AES-256".
  - Hash: Select "SHA1".
  - DH Group: Select "21".
  - Enable PFS.
  - Disable Dynamic Routing.
Configuring Coro Network
Configure Coro with details of your site-to-site tunnel and firewall:
- Select Control Panel.
- Select Network.
- Configure your Site details:

  | Field | Value |
  | --- | --- |
  | Site name | Enter a suitable name for your site-to-site tunnel. Special characters and spaces are not supported. |
  | Site description | Enter a suitable short description for the tunnel. Special characters and spaces are not supported. |
  | Remote gateway IP | Enter USG's public IP address obtained here. |
  | Remote network IP | Enter USG's internal network IP address. |
  | Preshared key | Enter the preshared key used here. |
  | Lifetime key | Enter "28800". |

- In the same dialog, configure the Firewall settings:

  | Field | Value |
  | --- | --- |
  | Remote Network Mask | Enter USG's subnet obtained here. |
  | IKE Version | Select "IKEv2". |
  | Phase 1 Encryption | Select "AES256-SHA256-D14". |
  | Phase 2 Encryption | Select "AES256-SHA256-D14". |
  | Aggressive Mode | Select "No". |

- To save your configuration, select SAVE.
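
Both peers of an IPsec tunnel must offer the same IKE version, encryption, hash and DH group, so the values entered in the USG Advanced Settings and in the Coro Firewall settings can be compared before saving. The following is an added example, not Coro or Ubiquiti code; the function names are hypothetical, and reading the "D14" suffix as DH group 14 is an assumption.

```python
import re

# Values exactly as this guide lists them for each side.
USG_SETTINGS = {"Key Exchange Version": "IKEv2", "Encryption": "AES-256",
                "Hash": "SHA1", "DH Group": "21"}
CORO_SETTINGS = {"IKE Version": "IKEv2", "Phase 1 Encryption": "AES256-SHA256-D14"}


def parse_coro_proposal(text):
    """Split a proposal string such as 'AES256-SHA256-D14' into its parts.

    Assumption: the trailing 'D<n>' names Diffie-Hellman group <n>.
    """
    m = re.fullmatch(r"AES(\d+)-(SHA\d+)-D(\d+)", text.strip().upper())
    if not m:
        raise ValueError(f"unrecognised proposal string: {text!r}")
    return {"encryption": f"AES-{m[1]}", "hash": m[2], "dh_group": int(m[3])}


def normalise_usg(settings):
    """Bring the USG form fields into the same shape as a parsed proposal."""
    enc = re.fullmatch(r"AES-?(\d+)", settings["Encryption"].strip().upper())
    if not enc:
        raise ValueError(f"unrecognised encryption: {settings['Encryption']!r}")
    return {
        "ike_version": settings["Key Exchange Version"].upper(),
        "encryption": f"AES-{enc[1]}",
        "hash": settings["Hash"].upper().replace("-", ""),
        "dh_group": int(settings["DH Group"]),
    }


def compare_peers(usg, coro):
    """Return {field: (usg_value, coro_value)} for each parameter that differs."""
    left = normalise_usg(usg)
    right = parse_coro_proposal(coro["Phase 1 Encryption"])
    right["ike_version"] = coro["IKE Version"].upper()
    return {k: (left[k], right[k]) for k in left if left[k] != right[k]}


if __name__ == "__main__":
    diffs = compare_peers(USG_SETTINGS, CORO_SETTINGS)
    for field, (usg_val, coro_val) in diffs.items():
        print(f"{field}: USG={usg_val!r}  Coro={coro_val!r}")
    print("parameters match" if not diffs else f"{len(diffs)} field(s) differ")
```

Run with the guide's values as written, it reports the hash and DH group fields as differing between the two sides.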