This article describes how to configure a site-to-site VPN on a Datto router.
- Datto Routers
A site-to-site VPN allows you to establish a secure connection over the Internet between multiple networking appliances, allowing your users to better connect to resources across multiple remote offices.
For a D200 to D200 setup
- At least one D200 is configured as the initiator hosting the VPN server. To configure a D200 VPN server, read this article.
- Configured D200 subnets cannot overlap.
- The WAN IP address of each D200 must be reachable from the internet.
For a custom site-to-site setup
- A third-party router supporting IPSec VPN, with all devices configured for IKEv1 or IKEv2 prior to D200 configuration.
- All D200 routers must be on firmware version 1.0.8 or higher.
- The WAN IP address of each router must be reachable from the internet.
1. Navigate to a device web session for your router.
2. Click the Manage dropdown, then click Routers.
3. Click VPN.
Configuring a D200 Site-to-Site VPN
1. Click D200 Site to Site.
2. Select a D200 using the Incoming Client Router dropdown.
3. Click Add to add the D200 VPN configuration. Click Remove to remove the VPN.
Configuring a Custom Site-to-Site VPN
1. Click Custom Site to Site.
2. Enter a Local Site ID.
3. Select whether the D200 will act as the Initiator or Receiver. Initiator configures the D200 as the hub; Receiver configures the D200 as the client.
4. Select IKEv1 or IKEv2 as your IPsec Mode.
5. Enter the VPN tunnel's Pre-shared Key if applicable.
6. Select which D200 Subnets the VPN tunnel can access.
7. Enter the following remote site information:
- Remote Site ID: This is required and must be unique.
- Remote Endpoint: This is required and must be an IP address.
- Remote Subnets: These are required, and must be one or more comma-separated subnet strings (e.g. 192.168.2.0/24).
8. Click Add. Repeat all steps as necessary for multiple VPN site configurations.
When you create a Custom Site-to-Site VPN, you'll see an entry for it appear in the Clients table, with a summary of its connection preferences, as shown in Figure 5.
Click the gear icon in the Actions column to Delete the configuration.
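The following pre-flight check for the values entered in the custom site-to-site form is an added example, not Datto code. The function names and dictionary keys are hypothetical and only mirror the form labels. It also applies the non-overlap rule that this article states for D200 to D200 setups to custom tunnels, which is an assumption.

```python
import ipaddress

def parse_subnets(text):
    """Parse a comma-separated subnet string such as '192.168.2.0/24, 10.20.0.0/16'."""
    nets = []
    for item in text.split(","):
        # strict=True rejects entries with host bits set, e.g. 192.168.2.5/24
        nets.append(ipaddress.ip_network(item.strip(), strict=True))
    return nets

def validate_plan(local_subnets, remote_sites):
    """Return a list of problems; an empty list means the plan passed every check."""
    problems, seen_ids = [], set()
    claimed = [("local", n) for n in parse_subnets(local_subnets)]
    for site in remote_sites:
        sid = site["remote_site_id"].strip()
        if not sid:
            problems.append("Remote Site ID is required")
        elif sid in seen_ids:
            problems.append(f"{sid}: Remote Site ID is not unique")
        seen_ids.add(sid)
        try:
            ipaddress.ip_address(site["remote_endpoint"].strip())
        except ValueError:
            problems.append(f"{sid}: Remote Endpoint must be an IP address")
        try:
            nets = parse_subnets(site["remote_subnets"])
        except ValueError as exc:
            problems.append(f"{sid}: Remote Subnets invalid ({exc})")
            continue
        for net in nets:
            # Compare against every subnet already claimed by the D200 or another site
            for owner, other in claimed:
                if net.version == other.version and net.overlaps(other):
                    problems.append(f"{sid}: {net} overlaps {other} ({owner})")
            claimed.append((sid, net))
    return problems

# Constructed sample values (documentation address ranges, not from the article)
SAMPLE_LOCAL = "192.168.1.0/24"
SAMPLE_SITES = [
    {"remote_site_id": "branch-a", "remote_endpoint": "203.0.113.10", "remote_subnets": "192.168.2.0/24, 10.20.0.0/16"},
    {"remote_site_id": "branch-a", "remote_endpoint": "vpn.example.com", "remote_subnets": "192.168.1.128/25"},
]

if __name__ == "__main__":
    for problem in validate_plan(SAMPLE_LOCAL, SAMPLE_SITES):
        print(problem)
```
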
Recommended IPsec peer settings
|Setting|Value|
|---|---|
|Phase 1 Encryption|AES-256|
|Phase 1 Integrity Hash|SHA1|
|Phase 1 DH Group|Group 14 / 2048-bit Modulus|
|Phase 1 Lifetime|14400 sec|
|Phase 2 Encryption|AES-256|
|Phase 2 Integrity Hash|SHA1|
|Phase 2 DH Group|None|
|Phase 2 Lifetime|14400 sec|