I’ve had two UniFi USGs connected via IPsec VPN with no issue. I decided to replace the USG on one side with an EdgeRouter ER-X. I’ve spent many hours over a period of several days trying to get the VPN working. The VPN gets established but will not pass packets to the remote LAN. I had a long chat session with a Ubiquiti support rep followed by multiple emails. He finally escalated the case to an internal team.
Today I decided to slowly step through the relevant instructions one more time: EdgeRouter – Site-to-Site IPsec VPN to USG. On the very last line of the USG section, when defining the IPsec network, it says:
Dynamic Routing: Disabled (uncheck)
Aha! That is not the default. Once I unchecked Enable dynamic routing on the USG, the VPN started working immediately.
Not sure what dynamic routing is (one relevant article), but disabling it solved the problem for me.
Configuration Differences
For reference, here is part of the USG’s show vpn with Dynamic Routing enabled:
And here is the same section with Dynamic Routing disabled. Note that the vti section has been replaced with an explicit tunnel for each VLAN:
That corresponds nicely to the site-to-site section of the ER-X’s show vpn:
Maybe it would be possible to set up a Dynamic Routing (vti) on the ER-X using the CLI, but that is not how the UI configures the VPN.
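As an added example (not from the original post, and not Ubiquiti's own configuration), here is a small POSIX shell script that emits the EdgeOS "set" commands for both layouts described above: the policy-based form with one explicit tunnel per local/remote subnet pair, which is what the ER-X UI builds and what the USG produces once Dynamic Routing is unchecked, and the route-based vti form that a USG with Dynamic Routing enabled expects on the far side. The peer address, local address, subnets and the FOO0 group name are assumptions; paste the generated lines into "configure" on the router and "commit ; save". The script goes beyond the single-VLAN case in the post by generating every local/remote pair, since each pair needs its own tunnel.

```shell
#!/bin/sh
# Added example, not from the original post. Generates EdgeOS (ER-X) "set"
# commands for a site-to-site IPsec peer. All addresses and names are assumed.

# Phase 1 / Phase 2 proposals. Both ends must agree on these; the USG side
# is configured from the controller UI, not from this script.
gen_groups() {
    grp=$1
    echo "set vpn ipsec ike-group $grp key-exchange ikev1"
    echo "set vpn ipsec ike-group $grp proposal 1 encryption aes256"
    echo "set vpn ipsec ike-group $grp proposal 1 hash sha256"
    echo "set vpn ipsec ike-group $grp proposal 1 dh-group 14"
    echo "set vpn ipsec esp-group $grp proposal 1 encryption aes256"
    echo "set vpn ipsec esp-group $grp proposal 1 hash sha256"
    echo "set vpn ipsec esp-group $grp pfs enable"
    echo "set vpn ipsec ipsec-interfaces interface eth0"
    # Keep the router's masquerade NAT from rewriting tunnel traffic.
    echo "set vpn ipsec auto-firewall-nat-exclude enable"
}

# gen_policy_tunnels PEER LOCAL_ADDR ESP_GROUP "local1 local2" "remote1 remote2"
# Policy-based layout: one numbered tunnel for every local/remote subnet pair.
# This is what "show vpn" lists under site-to-site on the ER-X, and what the USG
# produces with Dynamic Routing disabled.
gen_policy_tunnels() {
    peer=$1; local_addr=$2; esp=$3; locals=$4; remotes=$5
    base="set vpn ipsec site-to-site peer $peer"
    echo "$base authentication mode pre-shared-secret"
    echo "$base local-address $local_addr"
    echo "$base ike-group $esp"
    n=1
    for l in $locals; do
        for r in $remotes; do
            echo "$base tunnel $n esp-group $esp"
            echo "$base tunnel $n local prefix $l"
            echo "$base tunnel $n remote prefix $r"
            n=$((n + 1))
        done
    done
}

# gen_vti_tunnel PEER LOCAL_ADDR ESP_GROUP VTI_IF "remote1 remote2"
# Route-based layout: bind the peer to a vti interface and route the remote
# subnets through it. This is the shape of the USG's vti section when Dynamic
# Routing is enabled, and it will not match a policy-based peer on the other end.
gen_vti_tunnel() {
    peer=$1; local_addr=$2; esp=$3; vti=$4; remotes=$5
    base="set vpn ipsec site-to-site peer $peer"
    echo "$base authentication mode pre-shared-secret"
    echo "$base local-address $local_addr"
    echo "$base ike-group $esp"
    echo "$base vti bind $vti"
    echo "$base vti esp-group $esp"
    for r in $remotes; do
        echo "set protocols static interface-route $r next-hop-interface $vti"
    done
}

# count_tunnels: number of tunnel stanzas in generated policy-based output (stdin).
# Handy sanity check: it should equal (local subnets) x (remote subnets).
count_tunnels() {
    grep -c ' tunnel [0-9]* esp-group '
}

# Sample run with assumed addresses; two local VLANs and one remote LAN
# yield two tunnels, matching the "explicit tunnel for each VLAN" observation.
gen_groups FOO0
gen_policy_tunnels 203.0.113.1 198.51.100.1 FOO0 \
    "192.168.1.0/24 192.168.20.0/24" "192.168.2.0/24"
```

The pre-shared secret itself is deliberately not emitted; add it on the router with "set vpn ipsec site-to-site peer 203.0.113.1 authentication pre-shared-secret ..." so it never sits in a script. After committing, "show vpn ipsec sa" should list one SA per tunnel; a tunnel that is up with no SA for a given subnet pair usually means the prefixes on the two ends do not match.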