Datto Network Manager: Configuring a site-to-site VPN

Topic

This article describes how to configure a site-to-site VPN on a Datto router.

Environment

  • Datto Network Manager

Description

A site-to-site VPN can establish a secure connection over the Internet between multiple networking appliances, letting your users connect to resources across multiple remote locations.

Prerequisites

For a D200 to D200 setup

You should only configure the VPN server on the primary D200. Configuring the VPN server on both routers will cause an error.

For a custom site-to-site setup

  • You will need a third-party router that supports IPsec VPN, with all devices configured for IKEv1 or IKEv2 before you configure the D200.
  • All D200 routers must be on firmware version 1.3.0 or higher.
  • The WAN IP address of each router must be reachable from the internet.

Navigating to site-to-site VPN options

1. In Datto Network Manager's Navigation menu, click Routers.

Figure 1: Routers and VPN

2. Click the router name. New options will appear in the Navigation menu.

Figure 2: The Routers screen

3. Click VPN in the expanded menu.

Figure 3: The expanded Navigation menu

Configuring a D200 site-to-site VPN

1. Click D200 Site to Site.

Figure 4: D200 Site-to-Site VPN selection

2. Select a D200 using the Incoming Client Router dropdown, then click the Add button. 

Figure 5: Incoming client router selection

3. After adding the incoming client router, a Remove button will appear. Click this button to remove the VPN connection.

Configuring a custom site-to-site VPN

This feature is available only for D200 routers on firmware version 1.3.0 or higher and is hidden for devices not meeting this requirement.

1. Click Custom Site to Site.

Figure 6: Custom Site-to-site VPN selection

2. Enter information in the following fields:

  • Local Site ID: Enter the local site ID.
  • D200 Mode: Specify whether this router will be the initiator (hub) or receiver (client).
  • IPsec Mode: Select IKEv1 or IKEv2 as your IPsec mode.
  • Pre-shared Key: Enter the VPN tunnel's pre-shared key if applicable.
  • D200 Subnets: Select which subnets the router can access.
  • Remote Site ID: Enter the remote site ID; this is required and must be unique.
  • Remote Endpoint: Enter the IP address of the remote endpoint.
  • Remote Subnets: Enter the remote subnets as comma-separated subnet strings using CIDR notation (e.g., 192.168.2.0/24).

When finished, click the Add button.

Figure 7: Custom Site-to-site VPN configuration
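
The field values from step 2 can be checked before they are entered. The script below is an added example, not part of Datto's tooling: it validates the Remote Site ID, Remote Endpoint and Remote Subnets values as the field list describes them, and also flags remote subnets that overlap a D200 subnet. The function names, the list of existing site IDs and the sample values are assumptions made for illustration.

```python
import ipaddress

# Ranges that cannot be reached from the internet (RFC 1918, CGNAT, loopback, link-local).
UNREACHABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16")]

def parse_remote_subnets(text):
    """Split the comma-separated Remote Subnets string; return (networks, errors)."""
    nets, errors = [], []
    for item in (p.strip() for p in text.split(",")):
        try:
            # Strict parsing rejects entries with host bits set, e.g. 192.168.2.1/24.
            nets.append(ipaddress.ip_network(item))
        except ValueError as exc:
            errors.append(f"Remote Subnets: {item!r} is not a valid CIDR subnet ({exc})")
    return nets, errors

def check_custom_site(remote_id, remote_endpoint, d200_subnets, remote_subnets,
                      existing_remote_ids=()):
    """Return a list of problems in a planned Custom Site to Site entry."""
    problems = []
    if not remote_id.strip():
        problems.append("Remote Site ID: required")
    elif remote_id in existing_remote_ids:  # assumption: unique among existing entries
        problems.append(f"Remote Site ID: {remote_id!r} is already in use")
    try:
        endpoint = ipaddress.ip_address(remote_endpoint.strip())
        if any(endpoint in net for net in UNREACHABLE):
            problems.append(f"Remote Endpoint: {endpoint} is not internet-reachable")
    except ValueError:
        problems.append(f"Remote Endpoint: {remote_endpoint!r} is not an IP address")
    remote_nets, errors = parse_remote_subnets(remote_subnets)
    problems += errors
    local_nets = [ipaddress.ip_network(s) for s in d200_subnets]
    for r in remote_nets:
        for l in local_nets:
            # Overlapping ranges make it ambiguous which side of the tunnel owns an address.
            if r.version == l.version and r.overlaps(l):
                problems.append(f"Remote Subnets: {r} overlaps D200 subnet {l}")
    return problems

# Constructed sample values, not taken from the article.
if __name__ == "__main__":
    for p in check_custom_site("branch-1", "10.1.1.1", ["192.168.1.0/24"],
                               "192.168.2.0/24, 192.168.1.128/25, 192.168.3.7/24",
                               existing_remote_ids={"branch-1"}):
        print(p)
```

An empty list means the planned entry passed every check; the overlap check is general IPsec practice rather than a documented Datto requirement.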

Viewing custom site-to-site VPN information

An entry for your custom site-to-site VPN, with a summary of its connection preferences, will appear in the Clients table.

Figure 8: The Custom Site-to-Site VPN Clients table

Recommended IPsec peer settings

| Parameter              | Value                         |
|------------------------|-------------------------------|
| Key Mode               | IKEv2                         |
| Phase 1 Encryption     | AES-256                       |
| Phase 1 Integrity Hash | SHA1                          |
| Phase 1 DH Group       | Group 14 / 2048-bit Modulus   |
| Phase 1 Lifetime       | 14400 sec                     |
| Phase 2 Encryption     | AES-256                       |
| Phase 2 Integrity Hash | SHA1                          |
| Phase 2 DH Group       | None                          |
| Phase 2 Lifetime       | 14400 sec                     |
