6/30/2023 Peakhour 4 ubnt usg

Backstory: Bringing up a basic SOHO rack in my homelab prior to moving it to a planned future office for work. (Lesson learned: don't change the default LAN network settings before everything is adopted. I guess the USG doesn't like anything other than 192.168.1.1/24, even after SSHing in to change its default IP to something else. The USG would get stuck in an "Adopting > Disconnecting" loop. Is there a best practice to move the USG and the US-24 to a management VLAN (i.e., not 192.168.1.1)? The only thing that worked was a fresh vanilla controller and a fresh factory reset USG.) Right now the controller is on a local laptop. Only a USG-4P and US-24-poe switch are adopted. Once it was set up and stable, I changed the network to 192.168.10.1/24 and let it do its thing. It lost connection, which I assumed meant that the USG just couldn't find the controller. Direct hardline into the switch and the WAN works.

Guest Wireless - VLAN 50 (guest wireless)
Trusted Wireless - VLAN 30 (employee phone wifi as a courtesy service)
Trusted Hardline - VLAN 20 (employee computers, printers, etc.)
Management - VLAN 10 (USG, switches, APs, etc.)

I've set up a handful of 10.x.x.x networks with VLANs. So, should I do that first, or move the management VLANs first, or does it not matter? Longer term, I will need to move the controller to a free AWS (I will have multiple sites with VPNs).

I pounded on it long enough to figure it out. I started with a virgin controller installed on a laptop and a factory reset USG. Only the controller and the laptop with the controller, plugged into the LAN1 port. Got it adopted and provisioned with the default 192.168.1.1/24 network.

Search for Devices in the Configuration Assistant makes it as easy as possible to find compatible devices on your network. First plug a factory default USG into your switch on the LAN1 interface. It will have IP 192.168.1.1 here and you can adopt it to your controller. Once adopted, plug the WAN interface of your USG into any port on your ISP router and wait until it gets an IP from the DHCP server of your ISP router.

Unplug the USG and remove the rubber feet from the USG. Unscrew the screws beneath the rubber feet. This will release the top plate with the U logo that lights up. Remove the top plate to access the innards. Gently remove the USB drive and insert it into your computer.

The development of the 1.3.x train had a few issues, with versions 1.3.0 and 1.3.4 being locked, which is Ubiquiti's way of saying that release has critical issues and should not be installed. The comments on 1.4.0-beta.2 aren't encouraging either, with some users saying they are having trouble with that version as well.

Since we may also need to add site-to-site VPN connections in the future, let's use the system built-in generate vpn rsa-key command to generate the VPN server's private key. StrongSwan will only use one private key per port.

:~$ generate vpn rsa-key | tee localhost.pub
Generating 2048 bit rsa-key to /config/ipsec.d/rsa-keys/localhost.key
Your new local RSA key has been generated
0sAwEAAe7k2zE85tw4T7BGQGjkGEcIB3K7PnktckNx/JskpkhAjcU3TE7Q9xj6MtjWw794XKNFk2cnGmLCD9tkNPK30vITi3quJQxVNfuTJ圓rFT6uJfPxyNsnCr+D483UNYdJThtsac8zenBoqQVMS5O50Db7/6UFdKF6QsoAMd9aRyROFZ+3RBiPe3uDMMwCaFEW28EFKN3Ye47LTCk1r1V/cXIUsMa9uVkgy9b5Axp+FnYwDl84m2mbViE+/sm7WPRGpuR15nFVwZHlk8Fj+USXMmjdteqOzq0Q19I4ma7v15LLdKlhhboxJiwjO/OqRzKsW4zt+5GcvbCagF6PzM942ok=

It is a good practice to always keep the public key in configurations for future use. Replace the pub key section of the following commands with the actual key generated in the previous step.

set vpn rsa-keys rsa-key-name localhost.pub rsa-key 0sAwEAAe7k2zE85tw4T7BGQGjkGEcIB3K7PnktckNx/JskpkhAjcU3TE7Q9xj6MtjWw794XKNFk2cnGmLCD9tkNPK30vITi3quJQxVNfuTJ圓rFT6uJfPxyNsnCr+D483UNYdJThtsac8zenBoqQVMS5O50Db7/6UFdKF6QsoAMd9aRyROFZ+3RBiPe3uDMMwCaFEW28EFKN3Ye47LTCk1r1V/cXIUsMa9uVkgy9b5Axp+FnYwDl84m2mbViE+/sm7WPRGpuR15nFVwZHlk8Fj+USXMmjdteqOzq0Q19I4ma7v15LLdKlhhboxJiwjO/OqRzKsW4zt+5GcvbCagF6PzM942ok=
set vpn rsa-keys local-key file /config/ipsec.d/rsa-keys/localhost.key

Let's copy the localhost.key to our working directory and make it readable.

sudo cp /config/ipsec.d/rsa-keys/localhost.key ~/ipsec.d/private/server-key.pem