Setting up site-to-site on UniFi USG
  • 1 Minute to read

    Setting up site-to-site on UniFi USG

      Article summary

      Note: If your device/service supports SHA256 and DH group 14, it is recommended to use these settings instead.

      If you're operating on UniFi Controller 5.13.29 and above please switch to Classic Mode first.

      Configuring the tunnel at the UniFi - USG Management Interface

      1. Open the UniFi - USG management interface

      2. In the left panel, select Networks, then select Create New Network:

      01 Setting up site-to-site on UniFi USG.png

      1. Select Site to Site VPN > Manual IPsec and fill in with the following information:
      • Enable this Site-to-Site VPN
      • Remote Subnets: Enter the NordLayer dedicated server subnet (by default it is
      • Peer IP: Enter the public IP of your NordLayer dedicated server
      • Local WAN IP: Enter the public IP of the UniFi SCG
      • Pre-shared key: Enter the Shared Key you have generated (we will also need this value)


      1. In the Advanced Options fill in the following information:
      • Key Exchange Version: IKEv2
      • Encryption: AES-256
      • Hash: SHA256
      • DH Group: 14
      • PFS: Enable
      • Dynamic Routing: Disable


      Configuring a firewall and static routing

      It is necessary to add static routes from the NordLayer subnet ( to the local network and from the local network to the NordLayer subnet ( to the local network through the VPN tunnel gateway. Also, it is necessary to create firewall rules to allow this traffic.

      1. Go to Routing & Firewall > Static Routes > Create New Route
      • Choose a name.
      • Enable the route.
      • Enter the NordLayer subnet (by default it is in Destination Network.


      • Make sure to choose the interface you created in the previous section
      1. Create a firewall rule that allows traffic from the NordLayer subnet to the LAN Network

      05 Setting up site-to-site on UniFi USG.png

      Ending note:

      In order to finalize the site-to-site setup on our end, please provide these values via Site-to-site request from in the NordLayer Control Panel:

      • Pre-shared key - you can generate it or we can provide it
      • Encryption  details (AES, SHA and DH group) - AES256, SHA256 and DH group 14 are recommended (also must support IKEv2)
      • Remote gateway/router public IP (must be reachable while connected to the dedicated server)
      • Remote subnet and mask (the subnet is used in your local network)

      Note: In case you are experiencing different results, make sure that you have you carefully gone through all the steps. Having said that, in case the issue persists please feel free to contact our 24/7 customer support team.

      Was this article helpful?