DNA: Site-to-Site VPN

Follow

Topic

This article details how to use a Datto Networking Appliance (DNA) to configure Site-to-Site VPN between multiple network devices. 

Environment

  • Datto Networking Appliance (DNA)

Overview

Site-to-Site VPN allows you to establish a secure connection over the Internet between multiple networking appliances so that your users can better connect to resources across multiple remote offices.

Prerequisites

  • When connecting multiple DNAs to the same network, each DNA must have at least one LAN configured.
  • Subnets cannot overlap.
  • Site-to-Site VPN allows networking with any device that supports IKEv1 or IKEv2. 
You will need to configure client devices to accept IKEv1 or IKEv2 connections before they will be able to communicate with the Datto Networking Appliance. Contact your device's manufacturer for assistance with this process. Datto is unable to provide configuration assistance for third-party network appliances. 

Procedure

To access the Site-to-Site VPN card, log into the DNA web interface, and click Networks, as shown in Figure 1.

Figure 1: Networks

Once on the Networks page, click the Site-to-Site VPN link. You will see the Site-to-Site VPN card shown in Figure 2.

Figure 2: Site-to-Site VPN

From the Add Remote Sites dropdown, select one of the following:

Connecting a DNA

Figure 3: Connecting a DNA

  1. Check the Enable box.
  2. In the Group, box, enter the network group that you want to add the device to. This feature allows you to create network segregations on a single VPN tunnel by assigning devices to designated groups.
  3. In the IP or Hostname box, select the DNA that you wish to add to the network.
  4. In the Direction column, select the connection type.
    If this DNA is currently on failover, you must select the Outbound connection.
    • Inbound: Treats the DNA you are configuring as the hub, with the device you are adding to the Site-to-Site VPN card as a client or initiator.
    • Outbound: Treats the DNA you are configuring as the client, with the device you are adding to the Site-to-Site VPN card as the server or responder
  5. Click Save Changes.

Connecting a Non-DNA Device

Figure 4: Connecting a non-DNA device

1. Check the Enable box.

2. In the Group, box, enter the network group that you want to add the device to. This feature allows you to create network segregations on a single VPN tunnel by assigning devices to designated groups.

3. In the IP or Hostname box, enter the IP address or hostname of the device that you wish to add to the network.

4. In the Direction column, select the connection type:

  • Inbound: Treats the DNA you are configuring as the hub, with the device you are adding to the Site-to-Site VPN card as a client or initiator.
  • Outbound: Treats the DNA you are configuring as the client/initiator, with the device you are adding to the Site-to-Site VPN card as the server/responder.

5. In the Pre-shared Key field, create a pre-shared key that the DNA will use to communicate securely with the client. Any client that you connect to the DNA will also need to communicate with the DNA by using this key.

6. In the Local Ipsec ID field, enter the Ipsec ID that you will use on the client to identify the DNA.

7. In the Remote Ipsec ID, enter the Ipsec ID that you will use on the DNA to identify the client.

8. In the Subnets field, enter the segment of the client's network that you want to make available to the VPN.

When configuring larger networks, ensure that there are no subnet conflicts before saving changes.

9. Select the IKE Mode that the client will connect using (IKEv1 or IKEv2).

10. Select the Vendor Type that matches the IPsec endpoint (router or firewall) you are connecting to. The following policy and encryption optimizations will be applied to the connection unless you select Other:

Meraki
Strict policy match based on Meraki defaults. MX devices do not support dynamic IP for Site VPN peers.

parameter value
key mode IKEv1
phase1 encryption 3des
phase1 integrity hash sha1
phase1 dh group group 2 / 1024 bit modulus
phase1 lifetime 28800 sec
phase2 encryption aes128
phase2 integrity hash sha1
phase2 lifetime 28800 sec

 

Cisco ASA
Strict policy match, based on best settings available on ASA platform.

parameter value
key mode IKEv2 recommended
phase1 encryption aes256
phase1 integrity hash sha1
phase1 dh group group 5 / 1536 bit modulus
phase1 lifetime 86400 sec
phase2 encryption aes256
phase2 integrity hash sha1
phase2 lifetime 28800 sec

 

Sonicwall
Based on most compatible Phase 1 policy paired with a secure Phase 2 policy on SonicOS platform.

parameter value
key mode IKEv2 recommended
phase1 encryption 3des
phase1 integrity hash sha1
phase1 dh group group 2 / 1024 bit modulus
phase1 lifetime 86400 sec
phase2 encryption aes256
phase2 integrity hash sha256
phase2 dh group group 14 / 2048 bit modulus
(enable perfect forward secrecy)
phase2 lifetime 28800 sec

Other

parameter value
key mode IKEv2 default
phase1 encryption AES 128 bit
phase1 integrity hash SHA1 integrity hash
phase1 dh group group 14 / 2048 bit modulus
phase1 lifetime 86400 sec
phase2 encryption aes128
phase2 integrity hash sha1
phase2 dh group group 14 / 2048 bit modulus
phase2 lifetime 28800 sec
All IPSec traffic has an overall maximum throughput of ~150-200 Mbits/sec.

If Other is selected, you will have the option to configure IPsec policies and parameters for both Phase 1 and Phase 2. The following options are available:

Figure 5: Phase 1 & 2 IPsec policies

Encryption Algorithm: Allows you to specify what encryption algorithm is used. The triple Data Encryption Standard (3DES), and AES-128 AES-192, and AES-256 are available.

Hash Algorithm: Allows you to specify what hash algorithm is used. MD5, SHA1, SHA256, SHA384, and SHA512 are available. AES-XCBC is available exclusively for phase 2.

DH Group: Allows you to specify what Diffie-Hellman exchange (DH group) is used. The following groups and moduli are available:

Regular Groups
Group 1: 768 bit
Group 2: 1024 bit
Group 5: 1536 bit
Group 14: 2048 bit
Group 15: 3072 bit
Group 16: 4096 bit
Group 17: 6144 bit
Group 18: 8192 bit
Prime Order with Prime Subgroups
Group 22: 160 bit
Group 23: 224 bit
Group 24: 256 bit
NIST Elliptic Curve Groups
Group 25: 192 bit
Group 26: 224 bit
Group 19: 256 bit
Group 20: 384 bit
Group 21: 521 bit
Brainpool Elliptic Curve Groups
Group 27: 224 bit
Group 28: 256 bit
Group 29: 384 bit
Group 30: 512 bit

Lifetime (seconds): Allows you to specify, in seconds, how often the IPsec tunnel is renegotiated. The default is 86,400 seconds.

Dead Peer Detection: Enabling this will configure the DNA to detect the existence and validity of the non-DNA peer. You can input, in seconds, the timeout for the dead peer, after which the DNA will terminate the connection to the dead peer.

11. Click Save Changes to save the configuration.

Figure 6: Example of configured DNA and non-DNA clients

Once you save the configuration, your new VPN connections will appear on the Site-to-Site VPN card as shown in Figure 6. The Direction and Role fields indicate the connection type and client role.

Figure 7: Site-to-Site VPN card, overview mode, with configured DNA and non-DNA clients

If a DNA is configured as a spoke, it cannot make any changes to the Site-to-Site VPN configuration. To make changes to a spoke, you will need to manage its VPN settings from the device configured as the hub.

Figure 8: Configuration error

Enabling LAN Site-to-Site VPN access

After configuring your Site-to-Site VPN, you specify that it can access any LAN configured on the DNA. Read the DNA: LAN Settings for more information.

Additional Resources


Was this article helpful?

1 out of 1 found this helpful

You must sign in before voting on this article.

Calling all Partners! We want to hear your feedback! Please participate in this quick survey and help us build a better, more-relevant Knowledge Base!

Want to talk about it? Head on over to our Community Forum!