How to set up site-to-site Auto IPsec VPN Tunnels on Omada Gateway in Controller Mode

ER7206 , Omada Software Controller( V4 ) , ER605
Recent updates may have expanded access to feature(s) discussed in this FAQ. Visit your product's support page, select the correct hardware version for your device, and check either the Datasheet or the firmware section for the latest improvements added to your product. Please note that product availability varies by region, and certain models may not be available in your region.
Note: For Omada SDN Controller v 4.3 and above
When networks in different geographical locations want to establish a network connection, it is recommended to create the site-to-site IPsec VPN tunnels on the Omada gateway on the Omada SDN Controller. Omada managed gateway supports two types of site-to-site VPNs: Auto IPsec and Manual IPsec.
This article will show you how to configure Auto IPsec on Omada gateway in controller mode, for configuring Manual IPsec VPN, please refer to How to Set up Site-to-Site Manual IPsec VPN Tunnels on Omada Gateway in Controller Mode?
Application Scenario
A company wants to provide its branch office with access to the network in headquarter. The gateways in headquarter and its branch office are managed by the same controller, but they are on different sites. Also, the Omada gateway is not behind any NAT device, in other words, the Omada gateway is receiving a public IP address on the WAN interface
In this scenario, it is recommended to configure Auto IPsec on the site of headquarter. Take the following topology as an example.
Note: If the Omada gateway is behind a NAT device, Auto IPsec is not applicable. It is recommended to configure Manual IPsec in this situation.
Configuration
Step 1. Create a new VPN policy
Go to Settings > VPN and click + Create New VPN Policy.
Step 2. Configure the parameters for the new VPN policy
Enter a name to identify the VPN policy, select the purpose for the new entry as Site-to-Site VPN, and the VPN Type as Auto IPsec. Then choose the site of the branch office, and click Create.
Verification of the Auto IPsec VPN tunnel
Go to Insight > VPN Status > IPsec SA and check the IPsec SA entries. When two IPsec SA entries with the name IPsec_tunnel are displayed in the table, the VPN tunnel is successfully established.
Looking for More
Is this faq useful?
Your feedback helps improve this site.
What’s your concern with this article?
- Dissatisfied with product
- Too Complicated
- Confusing Title
- Does not apply to me
- Too Vague
- Other
Thank you
We appreciate your feedback.
Click here to contact TP-Link technical support.

TP-Link Community
Still need help? Search for answers, ask questions, and get help from TP-Link experts and other users around the world.
This website uses cookies to improve website navigation, analyze online activities and have the best possible user experience on our website. You can object to the use of cookies at any time. You can find more information in our privacy policy .
Your Privacy Choices
This website uses cookies to improve website navigation, analyze online activities and have the best possible user experience on our website. You can object to the use of cookies at any time. You can find more information in our privacy policy .
Basic Cookies
These cookies are necessary for the website to function and cannot be deactivated in your systems.
TP-Link
SESSION, JSESSIONID, accepted_local_switcher, tp_privacy_banner, tp_privacy_base, tp_privacy_marketing, tp_top-banner, tp_popup-bottom, tp_popup-center, tp_popup-right-middle, tp_popup-right-bottom, tp_productCategoryType
Youtube
id, VISITOR_INFO1_LIVE, LOGIN_INFO, SIDCC, SAPISID, APISID, SSID, SID, YSC, __Secure-1PSID, __Secure-1PAPISID, __Secure-1PSIDCC, __Secure-3PSID, __Secure-3PAPISID, __Secure-3PSIDCC, 1P_JAR, AEC, NID, OTZ
Zendesk
OptanonConsent, __cf_bm, __cfruid, _cfuvid, _help_center_session, _pendo___sg__.<container-id>, _pendo_meta.<container-id>, _pendo_visitorId.<container-id>, _zendesk_authenticated, _zendesk_cookie, _zendesk_session, _zendesk_shared_session, ajs_anonymous_id, cf_clearance
Analysis and Marketing Cookies
Analysis cookies enable us to analyze your activities on our website in order to improve and adapt the functionality of our website.
The marketing cookies can be set through our website by our advertising partners in order to create a profile of your interests and to show you relevant advertisements on other websites.
Google Analytics & Google Tag Manager
_gid, _ga_<container-id>, _ga, _gat_gtag_<container-id>
Google Ads & DoubleClick
test_cookie, _gcl_au