Datto Networking: Routers: Site-to-Site VPN



This article describes how to configure a site-to-site VPN on a Datto router.


  • Datto Routers


A site-to-site VPN can establish a secure connection over the Internet between multiple networking appliances, allowing your users to better connect to resources across multiple remote locations.


For a D200 to D200 setup

  • The primary D200 must be configured as the initiator hosting the VPN server. To configure a D200 VPN server, read this article.
  • Configured D200 subnets cannot overlap.
  • The WAN IP address of each D200 must be reachable from the internet.
The VPN server should only be configured on the primary D200. Configuring the VPN server on both routers will cause an error.

For a custom site-to-site setup

  • A third-party router supporting IPSec VPN, with all devices configured for IKEv1 or IKEv2 before D200 configuration.
  • All D200 routers must be on firmware version 1.3.0 or higher.
  • The WAN IP address of each router must be reachable from the internet.



1. Navigate to a device web session for your router.

2. Click the Manage dropdown, then click Routers.

Figure 1: Routers and VPN (click to enlarge)

3. Click VPN.


Datto routers have two site-to-site VPN options: connecting to another D200 or using a custom site that supports IPsec.

Figure 2: VPN options (click to enlarge)

Configuring a D200 Site-to-Site VPN

figure3.jpgFigure 3: D200 Site-to-Site VPN (click to enlarge)

1. Click D200 Site to Site.

2. Select a D200 using the Incoming Client Router dropdown.

3. Click Add to add the D200 VPN configuration. Click Remove to remove the VPN.

Configuring a Custom Site-to-Site VPN

This feature is available only for D200 routers on firmware version 1.3.0 or higher and is hidden for devices not meeting this requirement.

Figure 4: Adding a Custom Site-to Site VPN (click to enlarge)

1. Click Custom Site to Site.

2. Enter a Local Site ID.

3. Select whether the D200 will act as the Initiator or Receiver. Initiator configures the D200 as the hub; Receiver configures the D200 as the client.

4. Select IKEv1 or IKEv2 as your IPsec Mode.

5. Enter the VPN tunnel's Pre-shared Key if applicable.

6. Select what D200 Subnets the VPN tunnel can access.

7. Enter the following remote site information:

  • Remote Site ID: This is required and must be unique.
  • Remote Endpoint: This is required and must be an IP address.
  • Remote Subnets: These are required, and must be one or more comma-separated subnet strings (i.e.

8. Click Add. Repeat all steps as necessary for multiple VPN site configurations.

When you create a Custom Site-to-Site VPN, you'll see an entry for it appear in the Clients table, with a summary of its connection preferences, as shown in Figure 5.

Click the gear icon in the Actions column to Delete the configuration.

Figure 5: Custom Site-to-Site VPN Clients (click to enlarge)

Recommended IPsec peer settings

Parameter Value
Key Mode IKEv2
Phase 1 Encryption AES-256
Phase 1 Integrity Hash SHA1
Phase 1 DH Group Group 14 / 2048-bit Modulus
Phase 1 Lifetime 14400 sec
Phase 2 Encryption AES-256
Phase 2 Integrity Hash SHA1
Phase 2 DH Group None
Phase 2 Lifetime 14400 sec

Was this article helpful?

1 out of 1 found this helpful

You must sign in before voting on this article.

Want to talk about it? Have a feature request?

Head on over to our Community Forum or get live help.

For more Business Management resources, see the Datto RMM Online Help and the Autotask PSA Online Help .

Datto Homepage