Routers: Site-to-Site VPN

Follow

Topic

This article describes how to configure a Site-to-Site VPN using a Datto router.

Environment

  • Datto Routers

Description

A Site-to-Site VPN allows you to establish a secure connection over the Internet between multiple networking appliances, allowing your users to better connect to resources across multiple remote offices.

Prerequisites

For a D200 to D200 setup

  • At least one D200 is configured as the initiator hosting the VPN server. To configure a D200 VPN server, read this article.
  • Configured D200 subnets cannot overlap.
  • The WAN IP address of each D200 must be reachable from the internet.

For a custom site-to-site setup

  • A third-party router supporting IPSec VPN, with all devices configured for IKEv1 or IKEv2 prior to D200 configuration.
  • All D200 routers must be on firmware version 1.0.8 or higher.
  • The WAN IP address of each router must be reachable from the internet.

Procedure

Navigation 

1. Navigate to a device web session for your router.

2. Click the Manage dropdown, then click Routers.

Figure 1: Routers and VPN (click to enlarge)

3. Click VPN.

Configuration

Datto routers have two site-to-site VPN options: connecting to another D200, or using a custom site that supports IPsec.

Figure 2: VPN options (click to enlarge)

Configuring a D200 Site-to-Site VPN

Figure 3: D200 Site-to-Site VPN (click to enlarge)

1. Click D200 Site to Site.

2. Select a D200 using the Incoming Client Router dropdown.

3. Click Add to add the D200 VPN configuration. Click Remove to remove the VPN.

Configuring a Custom Site-to-Site VPN

This feature is available only for D200 routers on firmware version 1.0.8 or higher, and is hidden for devices not meeting this requirement.

Figure 4: Adding a Custom Site-to Site VPN (click to enlarge)

1. Click Custom Site to Site.

2. Enter a Local Site ID.

3. Select whether the D200 will act as the Initiator or Receiver. Initiator configures the D200 as the hub; Receiver configures the D200 as the client.

4. Select IKEv1 or IKEv2 as your IPsec Mode.

5. Enter the VPN tunnel's Pre-shared Key if applicable.

6. Select what D200 Subnets the VPN tunnel can access.

7. Enter the following remote site information:

  • Remote Site ID: This is required and must be unique.
  • Remote Endpoint: This is required and must be an IP address.
  • Remote Subnets: These are required, and must be one or more comma separated subnet strings (i.e. 192.168.2.0/24).

8. Click Add. Repeat all steps as necessary for multiple VPN site configurations.

When you create a Custom Site-to-Site VPN, you'll see an entry for it appear in the Clients table, with a summary of its connection preferences, as shown in Figure 5.

Click the gear icon in the Actions column to Delete the configuration.

Figure 5: Custom Site-to-Site VPN Clients (click to enlarge)

Recommended IPsec peer settings

parameter value
Key Mode IKEv2
Phase 1 Encryption AES-256
Phase 1 Integrity Hash SHA1
Phase 1 DH Group Group 14 / 2048-bit Modulus
Phase 1 Lifetime 14400 sec
Phase 2 Encryption AES-256
Phase 2 Integrity Hash SHA1
Phase 2 DH Group None
Phase 2 Lifetime 14400 sec

Was this article helpful?

1 out of 1 found this helpful

You must sign in before voting on this article.

Want to talk about it? Head on over to our Community Forum!