How to Set up Site-to-Site Manual IPsec VPN Tunnels on Omada Gateway in Controller Mode

ER7206, ER8411, ER707-M2, ER7406, ER605, ER706W
Note: For Omada SDN Controller v4.3 and above
When networks in different geographical locations need to be connected, it is recommended to create site-to-site IPsec VPN tunnels on the Omada gateway through the Omada SDN Controller. An Omada managed gateway supports two types of site-to-site VPN: Auto IPsec and Manual IPsec.
This article shows how to configure Manual IPsec on an Omada gateway in controller mode. To configure Auto IPsec VPN, refer to How to Set up Site-to-Site Auto IPsec VPN Tunnels on Omada Gateway in Controller Mode.
Application Scenario
A company wants to give its branch office access to the network in headquarters. Headquarters uses an Omada managed gateway, while the gateway in the branch office is not managed by an Omada controller (we will take ER7206 as an example). The gateways are not behind any NAT device; in other words, each gateway receives a public IP address on its WAN interface. In this scenario, you can manually create an IPsec VPN tunnel over the internet. Take the following topology as an example.
Note: If the Omada Gateway is behind a NAT device, in order to establish an IPsec VPN tunnel successfully, make sure that UDP port 500 and UDP port 4500 are open on the NAT device in front of the gateway, and set up the Local ID Type / Remote ID Type as Name in Phase-1 Settings.
Configuration
Step 1. Obtain the settings parameters needed for Manual IPsec VPN
1) For gateway A, which is managed by the Omada Controller, go to Devices and click the gateway; a property window will appear on the right. Go to Details > WAN to obtain the WAN IP address of gateway A.
Go to Settings > Wired Networks > LAN > Networks and obtain the local subnet in headquarters (here LAN 1; select the LAN that corresponds to your network topology).
2) For gateway B (here we take ER7206 as an example), go to Status > System Status and obtain the WAN IP address of gateway B in the branch office.
Go to Network > LAN > LAN and obtain the local subnet in the branch office (LAN 2).
Step 2. Create a new VPN policy on gateway A, managed by the Omada Controller, in headquarters
Go to Settings > VPN and click + Create New VPN Policy.
Step 3. Configure the parameters for the new VPN policy for gateway A
Enter a name to identify the VPN policy, select the purpose for the new entry as Site-to-Site VPN, and the VPN Type as Manual IPsec. Then configure the corresponding parameters, and click Create.
| Parameter | Description |
| --- | --- |
| Status | Check the box to enable the VPN tunnel. |
| Remote Gateway | Enter the WAN IP address of Gateway B in the branch office (100.100.100.100). |
| Remote Subnets | Enter the IP address range of the LAN in the branch office (192.168.10.1/24). |
| Local Networks | Select the networks in headquarters (LAN 1), and the VPN policy will be applied to the selected networks. |
| Pre-Shared Key | Enter the Pre-Shared Key (PSK) that serves as the authentication key. The gateways in headquarters and the branch office must use the same PSK for authentication. |
| WAN | Select the WAN port on which the VPN tunnel will be established. |
Note: When gateway B (ER7206) is in standalone mode, click Advanced Settings and select IKEv1 as the Key Exchange Version in Phase-1 Settings.
If the Omada Gateway is behind a NAT device, make sure that UDP port 500 and UDP port 4500 are open on the NAT device, and set up the Local ID Type / Remote ID Type as Name in Phase-1 Settings.
Step 4. Create a new VPN policy on gateway B in the branch office
Here we will take ER7206 as an example. Go to VPN > IPsec > IPsec Policy and click + Add.
Step 5. Configure the parameters for the new VPN policy for gateway B
Enter a policy name to identify the VPN policy, and select the mode for the new entry as LAN-to-LAN. Then configure the corresponding parameters, and click OK.
| Parameter | Description |
| --- | --- |
| Remote Gateway | Enter the WAN IP address of Gateway A in headquarters (100.100.100.100). |
| WAN | Select the WAN port on which the VPN tunnel will be established. |
| Local Subnet | Enter the IP address range of the network in the branch office (192.168.10.1/24), and the VPN policy will be applied to the network. |
| Remote Subnet | Enter the IP address range of the LAN in headquarters (192.168.0.1/24). |
| Pre-Shared Key | Enter the Pre-Shared Key (PSK) that serves as the authentication key. The gateways in headquarters and the branch office must use the same PSK for authentication. |
| Status | Check the box to enable the VPN tunnel. |
Note: If the router is behind a NAT device, make sure that UDP port 500 and UDP port 4500 are open on the NAT device, and set up the Local ID Type / Remote ID Type as Name in Phase-1 Settings.
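The policies created in Steps 3 and 5 only form a tunnel if each side mirrors the other. The pre-flight check below is an added example, not TP-Link code: the field names and the default ID type value are hypothetical, the WAN addresses and PSK are constructed placeholders, and the subnets are the ones used in this article.

```python
import hmac
import ipaddress
from dataclasses import dataclass

@dataclass
class Policy:
    """One gateway's Manual IPsec settings (hypothetical field names)."""
    public_ip: str        # address the peer reaches this gateway at
    remote_gateway: str
    local_subnet: str
    remote_subnet: str
    psk: str
    ike_version: int = 1
    behind_nat: bool = False
    id_type: str = "IP Address"  # assumed label; the article only names "Name"

def net(cidr):
    # The article writes subnets with host bits set (192.168.10.1/24);
    # strict=False normalises that to the network 192.168.10.0/24.
    return ipaddress.ip_network(cidr, strict=False)

def one_way(name, me, peer):
    issues = []
    if ipaddress.ip_address(me.remote_gateway) != ipaddress.ip_address(peer.public_ip):
        issues.append(f"{name}: Remote Gateway is not the peer's public address")
    if net(me.remote_subnet) != net(peer.local_subnet):
        issues.append(f"{name}: Remote Subnet does not match the peer's local subnet")
    if me.behind_nat and me.id_type != "Name":
        issues.append(f"{name}: behind NAT, so Local/Remote ID Type must be Name")
    return issues

def check_pair(a, b):
    """Return a list of mismatches between the two ends of the tunnel."""
    issues = one_way("A", a, b) + one_way("B", b, a)
    if net(a.local_subnet).overlaps(net(b.local_subnet)):
        issues.append("local subnets overlap, so traffic cannot be routed into the tunnel")
    if not hmac.compare_digest(a.psk.encode(), b.psk.encode()):
        issues.append("Pre-Shared Key differs between the two gateways")
    if a.ike_version != b.ike_version:
        issues.append("Key Exchange Version differs between the two gateways")
    return issues

# Constructed sample values: documentation-range WAN addresses, placeholder PSK.
HQ = Policy("198.51.100.10", "203.0.113.20", "192.168.0.1/24", "192.168.10.1/24", "example-psk")
BRANCH = Policy("203.0.113.20", "198.51.100.10", "192.168.10.1/24", "192.168.0.1/24", "example-psk")

if __name__ == "__main__":
    for line in check_pair(HQ, BRANCH) or ["both policies mirror each other"]:
        print(line)
```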
Verification of the Manual IPsec VPN Tunnel
For the Omada managed gateway in headquarters, go to Insight > VPN Status > IPsec SA and check the IPsec SA entries.
For ER7206, go to VPN > IPsec > IPsec SA and check the IPsec SA entries. When the corresponding entries are displayed in the tables, the VPN tunnel has been successfully established.