DNA: Site-to-Site VPN


Scope

This article details how to use a Datto Networking Appliance (DNA) to configure Site-to-Site VPN between multiple network devices. Site-to-Site VPN establishes an encrypted IPsec tunnel over the Internet between two or more networking appliances so that users at one office can reach resources on the LANs of the other offices.

Prerequisites

  • When connecting multiple DNAs to the same network, each DNA must have at least one LAN configured.
  • The LAN subnets at the connected sites must not overlap: every subnet must be unique across all sites in the VPN.
  • Site-to-Site VPN can connect to any third-party device that supports IPsec with IKEv1 or IKEv2.
You will need to configure client devices to accept IKEv1 or IKEv2 connections before they will be able to communicate with the Datto Networking Appliance. Contact your device's manufacturer for assistance with this process. Datto is unable to provide configuration assistance for third-party network appliances.

Overview

To access the Site-to-Site VPN card, log into the DNA web interface, and click Security, as shown in Figure 1.

Figure 1: Security

Process

Once on the Security page, click the Site-to-Site VPN link. You will see the Site-to-Site VPN card shown in Figure 2.

Figure 2: Site-to-Site VPN

From the Add Remote Sites dropdown, select one of the following:

Connecting a DNA

Figure 3: Connecting a DNA

  1. Check the Enable box.
  2. In the Group box, enter the network group that you want to add the device to. This feature lets you segregate networks on a single VPN tunnel by assigning devices to designated groups.
  3. From the IP or Hostname dropdown, select the DNA that you wish to add to the network.
  4. In the Direction column, select the connection type:
    • Inbound: Treats the DNA you are configuring as the hub, with the device you are adding to the Site-to-Site VPN card as a client.
    • Outbound: Treats the DNA you are configuring as the client, with the device you are adding to the Site-to-Site VPN card as the hub.
    If this DNA is currently on failover, you must select Outbound.
    If the DNA you are adding to the network is not shown in the IP or Hostname dropdown, log in to the second DNA and perform steps 1 through 4 there with one difference: the Direction on the second DNA must be the opposite of the first. For example, if you set the first DNA to Outbound, you must set the second DNA to Inbound.

  5. Click Save Changes.

Connecting a Non-DNA Device

Figure 4: Connecting a non-DNA device

  1. Check the Enable box.
  2. In the Group box, enter the network group that you want to add the device to. This feature lets you segregate networks on a single VPN tunnel by assigning devices to designated groups.
  3. In the IP or Hostname box, enter the Internet-facing IP address or hostname of the device that you wish to add to the network.
  4. In the Direction column, select the connection type:

    • Inbound: Treats the DNA you are configuring as the hub, with the device you are adding to the Site-to-Site VPN card as a client.
    • Outbound: Treats the DNA you are configuring as the client, with the device you are adding to the Site-to-Site VPN card as the hub.

  5. In the Pre-shared Key field, create the pre-shared key that the DNA and the client will use to authenticate each other. Use a long, randomly generated key rather than a memorable passphrase. Any client that you connect to the DNA must be configured with this same key.
  6. In the Local IPsec ID field, enter the IPsec ID that identifies the DNA. On the client, this value is entered as the remote (peer) ID.
  7. In the Remote IPsec ID field, enter the IPsec ID that identifies the client. On the client, this value is entered as its local ID.
  8. In the Subnets field, enter the segment of the client's network that you want to make reachable through the VPN.
    • When configuring larger networks, confirm that no subnet overlaps a subnet at another site before saving changes.
  9. Select the IKE Mode that the client will connect using (IKEv1 or IKEv2). Both ends must use the same mode; IKEv1 and IKEv2 do not interoperate.
  10. Click Save Changes to save the configuration.
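The non-DNA procedure above and the subnet prerequisite, as an added example that is not Datto's code and not a DNA feature: a Python script that checks every site's subnets for overlap before you click Save Changes, generates a random pre-shared key, and renders the matching strongSwan swanctl.conf stanza for a third-party device, showing how the DNA's Local IPsec ID and Remote IPsec ID swap places on the far end. All site names, addresses, IPsec IDs and subnets are constructed sample values, and the choice that the third-party device initiates the tunnel (start_action) is an assumption, not something the card specifies.

```python
"""Pre-flight checks and a mirror-image strongSwan stanza for a non-DNA peer.

Added example, not Datto's code. The DNA card's fields (IP or Hostname,
pre-shared key, Local/Remote IPsec ID, Subnets, IKE Mode) are modelled as
plain data; all sample sites below are constructed values.
"""
from __future__ import annotations

import ipaddress
import secrets
from dataclasses import dataclass, field


@dataclass
class Site:
    name: str
    public_ip: str                 # Internet-facing address used for IKE
    ipsec_id: str                  # identity this device presents in IKE
    subnets: list[str] = field(default_factory=list)  # LAN(s) exposed via VPN


def find_overlaps(sites: list[Site]) -> list[tuple[str, str, str, str]]:
    """Return every pair of overlapping subnets as (site_a, net_a, site_b, net_b).

    strict=True makes ipaddress reject host addresses such as 10.10.0.1/24,
    a typo that would otherwise produce a wrong traffic selector.
    """
    nets = [(s.name, ipaddress.ip_network(cidr, strict=True))
            for s in sites for cidr in s.subnets]
    overlaps = []
    for i, (site_a, net_a) in enumerate(nets):
        for site_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                overlaps.append((site_a, str(net_a), site_b, str(net_b)))
    return overlaps


def new_psk(nbytes: int = 32) -> str:
    """Random pre-shared key: 32 bytes -> 43 URL-safe characters."""
    return secrets.token_urlsafe(nbytes)


def swanctl_conf(dna: Site, peer: Site, psk: str, ike_version: int) -> str:
    """Render the strongSwan side for the non-DNA device `peer`.

    Mirror image of the DNA card: the DNA's Local IPsec ID becomes the
    peer's remote id, the DNA's Remote IPsec ID becomes the peer's local id,
    and the DNA's LAN becomes remote_ts. start_action = start assumes the
    peer initiates (an assumption; drop it if the DNA initiates).
    """
    if ike_version not in (1, 2):
        raise ValueError("IKE Mode must be 1 (IKEv1) or 2 (IKEv2)")
    conn = f"to-{dna.name}"
    local_ts = ",".join(peer.subnets)
    remote_ts = ",".join(dna.subnets)
    return f"""connections {{
    {conn} {{
        version = {ike_version}
        local_addrs = {peer.public_ip}
        remote_addrs = {dna.public_ip}
        local {{
            auth = psk
            id = {peer.ipsec_id}
        }}
        remote {{
            auth = psk
            id = {dna.ipsec_id}
        }}
        children {{
            {conn} {{
                local_ts = {local_ts}
                remote_ts = {remote_ts}
                start_action = start
            }}
        }}
    }}
}}
secrets {{
    ike-{conn} {{
        id-1 = {peer.ipsec_id}
        id-2 = {dna.ipsec_id}
        secret = "{psk}"
    }}
}}
"""


# Constructed sample sites using RFC 5737 documentation addresses.
HQ = Site("hq-dna", "198.51.100.10", "dna-hq", ["10.10.0.0/24"])
BRANCH = Site("branch-fw", "203.0.113.20", "branch-fw", ["10.20.0.0/24"])
BAD_BRANCH = Site("branch2", "203.0.113.30", "branch2", ["10.10.0.0/16"])  # swallows HQ

if __name__ == "__main__":
    print(find_overlaps([HQ, BRANCH, BAD_BRANCH]))   # the /16 overlaps HQ's /24
    print(swanctl_conf(HQ, BRANCH, new_psk(), ike_version=2))
```

Run it once with the real site list before saving the card: an empty list from find_overlaps is the prerequisite satisfied, and the printed stanza is what goes on the third-party device, with the IDs typed exactly as they appear on the DNA card.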

Figure 5: Example of configured DNA and non-DNA clients

Once you save the configuration, your new VPN connections will appear on the Site-to-Site VPN card as shown in Figure 6. The Direction and Role fields indicate the connection type and client role.

Figure 6: Site-to-Site VPN card, overview mode, with configured DNA and non-DNA clients

If a DNA is configured as a spoke (client), its Site-to-Site VPN configuration cannot be changed from that DNA. To change a spoke's settings, manage its VPN configuration from the DNA configured as the hub; attempting the change on the spoke produces the error shown in Figure 7.

Figure 7: Configuration error
