Datto Network Manager: Configuring a site-to-site VPN



This article describes how to configure a site-to-site VPN on a Datto router.


  • Datto Network Manager


A site-to-site VPN can establish a secure connection over the internet between multiple networking appliances, letting your users connect to resources across various remote locations.



For a D200 to D200 setup

You should only configure the VPN server on the primary D200. Configuring the VPN server on both routers will cause an error.
If you set up a client VPN in addition to this site-to-site setup, incoming connections on the client VPN will only connect to the D200 acting as the server.

For a custom site-to-site setup

  • You will need a third-party router supporting IPSec VPN, with all devices configured for IKEv1 or IKEv2 before configuring the D200.
  • All D200 routers must be on firmware version 1.3.0 or higher.
  • The WAN IP address of each router must be reachable from the internet.

Navigating to site-to-site VPN options

1. In Datto Network Manager's Navigation menu, click Routers, then click VPN in the expanded options.

mceclip0.pngFigure 1: Routers and VPN (click to enlarge)

2. In the DEVICE drop-down menu at the top of the screen, select the router you wish to use. 

mceclip0.pngFigure 2: The Routers screen (click to enlarge)

Configuring a D200 site-to-site VPN

1. Click D200 Site to Site.

mceclip4.pngFigure 3: D200 Site-to-Site VPN selection (click to enlarge)

2. Select a D200 using the Incoming Client Router drop-down menu, then click the Add button. 

mceclip5.pngFigure 4: Incoming client router selection (click to enlarge)

3. After adding the incoming client router, a Remove button will appear. Click this button to remove the VPN connection.

Configuring a custom site-to-site VPN

This feature is available only for D200 routers on firmware version 1.3.0 or higher. Network Manager hides this feature for devices not meeting this requirement.

1. Click Custom Site to Site.

mceclip6.pngFigure 5: Custom Site-to-site VPN selection (click to enlarge)

2: Enter information in the following fields:

  • Local Site ID: Enter the local site ID.
  • D200 Mode: Specify whether this router will be the initiator (hub) or receiver (client).
  • IPsec Mode: Select IKEv1 or IKEv2 as your IPsec mode.
  • Pre-shared Key: Enter the VPN tunnel's pre-shared key if applicable.
  • D200 Subnets: Select which subnets the router can access.
  • Remote Site ID: Enter the remote site ID; this value is required and must be unique. Do not use spaces. Datto recommends using either the public DDNS or public IP address for the remote site ID.
  • Remote Endpoint: Enter the IP address of the remote endpoint.
  • Remote Subnets: Enter the remote subnets as comma-separated subnet strings using CIDR notation (i.e.,

When finished, click the Add button.

mceclip7.pngFigure 6: Custom Site-to-site VPN configuration (click to enlarge)

Viewing custom site-to-site VPN information

An entry for your custom site-to-site VPN, with a summary of its connection preferences, will appear in the Clients table.

mceclip8.pngFigure 7: The Custom Site-to-Site VPN Clients table (click to enlarge)

Recommended IPsec peer settings

Parameter Value
Key Mode IKEv2
Phase 1 Encryption AES-256
Phase 1 Integrity Hash SHA1
Phase 1 DH Group Group 14 / 2048-bit Modulus
Phase 1 Lifetime 14400 sec
Phase 2 Encryption AES-256
Phase 2 Integrity Hash SHA1
Phase 2 DH Group None
Phase 2 Lifetime 14400 sec

Was this article helpful?

1 out of 1 found this helpful

You must sign in before voting on this article.

Want to talk about it? Have a feature request?

Head on over to our Datto Community Forum or the Datto Community Online.

For more Business Management resources, see the Datto RMM Online Help and the Autotask PSA Online Help .

Still have questions? Get live help.

Datto Homepage