How do I set up Site-to-Site VPN between Synology Router and UniFi® Security Gateway?

Purpose

This article guides you through the setup of Site-to-Site VPN (license required) between Synology Router and UniFi® Security Gateway.

Notes:

  1. For more information on our licensing plans, refer to this webpage.
  2. If you use a different Ubiquiti Networks device, make sure that it supports IPSec.

Environment

Make sure that your environment is suitable for setting up a Site-to-Site VPN by referring to the requirements below.

  • Make sure that your Synology Router is set up and running SRM 1.1.5 or above.
  • Install VPN Plus Server 1.2.0 or above in SRM.

This tutorial is based on the following settings:

  • Synology Router site
    • Internal subnet: 192.168.10.0/24
    • Gateway: 10.11.70.250
  • UniFi® Security Gateway site (firmware: UniFi Controller 5.6.22)
    • Internal subnet: 192.168.1.0/24
    • Gateway: 10.11.2.154
  • Pre-shared key: 123456789
  • Encryption configuration:
    • Phase 1:
      • Encryption: AES128
      • Authentication: SHA1
      • Key life: 14400
      • DH Group: 14 (modp 2048)
      • DPD (Dead Peer Detection): disable
    • Phase 2:
      • Encryption: AES128
      • Authentication: SHA1
      • Key life: 14400
      • DH Group: 14 (modp 2048)

Resolution

Site-to-Site VPN configuration on UniFi® Security Gateway

Sign in to your UniFi® Security Gateway's configuration interface, and follow the steps below:

  1. Go to Networks > Add New Network.
  2. Complete the setup based on the example provided:
    • Name: Enter the name you want to use.
    • VPN Type: Select Site-to-Site.
    • VPN Protocol: Select Manual IPSec.
    • Enabled: Switch on to enable this Site-to-Site VPN.
    • Remote Subnets: Specify the internal subnet of the remote site. This example uses 192.168.10.0/24.
    • Route Distance: This example uses 30.
    • Peer IP: Enter the gateway IP address of your Synology Router. This example uses 10.11.70.250.
    • Pre-Shared Key: Specify the pre-shared key, and use the same setting on the other device (i.e. Synology Router). This example uses 123456789.
    • Local WAN IP: Enter the gateway IP address of your UniFi® Security Gateway. This example uses 10.11.2.154.
    • IPSec Profile: This example uses the default setting.
  3. In Advanced Settings, complete the setup based on the example provided below. The second device must adopt the same settings.
    • Key Exchange Version: Select IKEv1 or IKEv2. This example uses IKEv1.
    • Encryption: Select at least one encryption method. This example uses AES128.
    • Hash: Select at least one hash function. This example uses SHA1.
    • DH Group: Specify the Diffie-Hellman (DH) group. This example uses 14.
    • PFS: This example uses the default setting.
    • Dynamic Routing: This example uses the default setting.
  4. Go to Advanced Features > Advanced Gateway Settings > Static Routes and click Create New Static Route.
  5. Complete the setup based on the example provided:
    • Enable: Switch on to enable this route. This example uses the default setting.
    • Name: Enter the name you want to use. This example uses "SynologyRoute".
    • Network Subnet Address: Specify the internal subnets of the remote site. This example uses 192.168.10.0/24.
    • Static Route Type: This example uses Interface.
    • Interface: Select the interface that you just created. This example uses Synology.

Site-to-Site VPN configuration on Synology Router

Sign in to SRM on your Synology Router, and follow the steps below.

  1. Go to VPN Plus Server > Site-to-Site VPN.
  2. Click Add > Manually.
  3. Under the General tab, configure the following settings:
    • Profile name: Enter a customized name for the profile. This example uses "UniFi".
    • Pre-shared key: Enter the same pre-shared key that you used on the UniFi® Security Gateway.
    • Under the Local Site section, configure the following settings:
      • Outbound IP: Select your network’s outbound interface.
      • Local ID: Fill in the IP address or FQDN. This example uses IP address 10.11.70.250.
      • Private subnet: Select the Synology Router's local network as the private subnet. This example uses Local Network (192.168.10.0/24).
    • Under the Remote Site section, configure the following settings:
      • IP address/FQDN: Enter the UniFi® Security Gateway's IP address. This example uses 10.11.2.154.
      • Remote ID: Enter a public IP address or FQDN. This example uses IP address 10.11.2.154.
      • Private subnet: Specify the UniFi® Security Gateway's local network as the private subnet. This example uses 192.168.1.0/24.
    • Under the Dead Peer Detection section, make sure that the Enable checkbox remains unticked.
  4. Under the Encryption tab, configure the following settings:
    • Under the Phase 1 section:
      • IKE version: Select IKEv1.
      • Mode: Select Main mode (ID protection).
      • Encryption: Select AES128.
      • Authentication: Select SHA1.
      • DH group: Select 14 (modp 2048).
      • Key lifetime: Select 14400 seconds.
    • Under the Phase 2 section:
      • Encryption: Select AES128.
      • Authentication: Select SHA1.
      • DH group: Select 14 (modp 2048).
      • Key lifetime: Select 14400 seconds.
      • Tick the Enable Perfect Forward Secrecy (PFS) checkbox.
  5. Once the setup is complete, you will be able to see the status of the Site-to-Site VPN tunnel at VPN Plus Server > Site-to-Site VPN in SRM, and on the Networks page in UniFi.
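The two configurations above only negotiate a tunnel if they mirror each other: each side's peer IP is the other side's gateway, each side's remote subnet is the other side's local subnet, the pre-shared key and IKE version are identical, the phase 1 and phase 2 proposals overlap, and DPD and PFS agree. The following added example (not code from the Synology article or from either vendor) encodes the article's values in plain dictionaries and cross-checks them; the dictionary keys and function names are my own, and `pfs=True` on the UniFi side is an assumption since the article keeps the UniFi default.

```python
# Added example: cross-check that the two sides of the tutorial's Site-to-Site
# IPsec configuration mirror each other before debugging a tunnel that will not
# come up. Values are the article's; keys and function names are my own.

def altered(cfg, **changes):
    """Return a copy of cfg with the given top-level fields replaced."""
    return {**cfg, **changes}

SYNOLOGY = {
    "gateway": "10.11.70.250", "peer": "10.11.2.154",
    "local_subnets": {"192.168.10.0/24"}, "remote_subnets": {"192.168.1.0/24"},
    "psk": "123456789", "ike_version": 1, "dpd": False, "pfs": True,
    "phase1": {"enc": {"AES128"}, "hash": {"SHA1"}, "dh": {14}, "lifetime": 14400},
    "phase2": {"enc": {"AES128"}, "hash": {"SHA1"}, "dh": {14}, "lifetime": 14400},
}

# UniFi lets you tick several ciphers/hashes while SRM offers one choice, so the
# proposal sets only need to intersect. pfs=True is an assumption: the article
# keeps the UniFi default, and SRM's phase 2 with DH group 14 expects PFS.
UNIFI = {
    "gateway": "10.11.2.154", "peer": "10.11.70.250",
    "local_subnets": {"192.168.1.0/24"}, "remote_subnets": {"192.168.10.0/24"},
    "psk": "123456789", "ike_version": 1, "dpd": False, "pfs": True,
    "phase1": {"enc": {"AES128", "AES256"}, "hash": {"SHA1"}, "dh": {14}, "lifetime": 14400},
    "phase2": {"enc": {"AES128", "AES256"}, "hash": {"SHA1"}, "dh": {14}, "lifetime": 14400},
}

def check_pair(a, b):
    """Return a list of mismatch descriptions; empty means the two sides agree."""
    problems = []
    if a["peer"] != b["gateway"] or b["peer"] != a["gateway"]:
        problems.append("peer IP does not match the other side's gateway IP")
    if a["remote_subnets"] != b["local_subnets"] or b["remote_subnets"] != a["local_subnets"]:
        problems.append("remote subnets are not the other side's local subnets")
    if a["psk"] != b["psk"]:
        problems.append("pre-shared keys differ")
    for field in ("ike_version", "dpd", "pfs"):
        if a[field] != b[field]:
            problems.append(f"{field} differs between the two sides")
    for phase in ("phase1", "phase2"):
        for prop in ("enc", "hash", "dh"):
            if not (a[phase][prop] & b[phase][prop]):
                problems.append(f"{phase}: no common {prop} proposal")
        if a[phase]["lifetime"] != b[phase]["lifetime"]:
            problems.append(f"{phase}: key lifetimes differ (article uses 14400 on both)")
    return problems

if __name__ == "__main__":
    print(check_pair(SYNOLOGY, UNIFI) or "both sides consistent")
```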
