How to Set up Site-to-Site Manual IPsec VPN Tunnels on Omada Gateway in Controller Mode
128020 Note: For Omada SDN Controller v 4.3 and above
When networks in different geographical locations want to establish a network connection, it is recommended to create the site-to-site IPsec VPN tunnels on the Omada gateway on the Omada SDN Controller. Omada managed gateway supports two types of site-to-site VPNs: Auto IPsec and Manual IPsec.
This article will show you how to configure Manual IPsec on Omada gateway in controller mode, for configuring Auto IPsec VPN, please refer to How to Set up Site-to-Site Auto IPsec VPN Tunnels on Omada Gateway in Controller Mode?
Application Scenario
A company wants to provide its branch office with the access to the network in headquarter. The headquarter uses an Omada managed gateway, while the gateway in its branch office is not managed by an Omada controller (we will take ER7206 as an example). Also, the gateways are not behind any NAT device, in other words, the gateways are receiving public IP addresses on the WAN interface. In this scenario, you can create an IPsec VPN tunnel over internet manually. Take the following topology as an example.
Note: If the Omada Gateway is behind a NAT device, in order to establish an IPsec VPN tunnel successfully, make sure that UDP port 500 and UDP port 4500 are open on the NAT device in front of the gateway, and set up the Local ID Type / Remote ID Type as Name in Phase-1 Settings.
Configuration
1) For the gateway A managed by Omada Controller, go to Devices and click the gateway, and a property window will appear on the right. Go to Details > WAN to obtain the WAN IP address of the Gateway A.
Go to Settings > Wired Networks > LAN > Networks and obtain the local subnet in headquarter (here is LAN 1, please select the corresponding LAN according to your network topology).
2) For gateway B (here we take ER7206 as an example), go to Status > System Status and obtain the WAN IP address of the Gateway B in the branch office.
Go to Network > LAN > LAN and obtain the local subnet in the branch office (LAN 2).
Go to Settings > VPN and click + Create New VPN Policy.
Enter a name to identify the VPN policy, select the purpose for the new entry as Site-to-Site VPN, and the VPN Type as Manual IPsec. Then configure the corresponding parameters, and click Create.
|
Status |
Check the box to enable the VPN tunnel. |
|
Remote Gateway |
Enter the WAN IP address of Gateway B in the branch office (100.100.100.100). |
|
Remote Subnets |
Enter the IP address range of the LAN in the branch office (192.168.10.1/24). |
|
Local Networks |
Select the networks in headquarter (LAN 1), and the VPN policy will be applied to the selected networks. |
|
Pre-Shared Key |
Enter the Pre-Shared Key (PSK) that serves as authentication key. The gateway in headquarter and the branch office must use the same PSK for authentication. |
|
WAN |
Select the WAN port on which the VPN tunnel will be established. |
Note: When gateway B (ER7206) is in standalone mode, click Advanced Settings and select IKEv1 as Key Exchange Version in Phase-1 Settings
If the Omada Gateway is behind a NAT device, make sure that UDP port 500 and UDP port 4500 are open on the NAT device, and set up the Local ID Type / Remote ID Type as Name in Phase-1 Settings.
Here we will take ER7206 as an example. Go to VPN > IPsec > IPsec Policy and click + Add.
Enter a policy name to identify the VPN policy, and select the mode for the new entry as LAN-to-LAN. Then configure the corresponding parameters, and click OK.
|
Remote Gateway |
Enter the WAN IP address of Gateway A in headquarter (100.100.100.100). |
|
WAN |
Select the WAN port on which the VPN tunnel will be established. |
|
Local Subnet |
Enter the IP address of the network in the branch office (192.168.10.1/24), and the VPN policy will be applied to the network. |
|
Remote Subnet |
Enter the IP address range of the LAN in headquarter (192.168.0.1/24). |
|
Pre-Shared Key |
Enter the Pre-Shared Key (PSK) that serves as authentication key. The gateway in headquarter and the branch office must use the same PSK for authentication. |
|
Status |
Check the box to enable the VPN tunnel. |
Note: If the router is behind a NAT device, make sure that UDP port 500 and UDP port 4500 are open on the NAT device, and set up the Local ID Type / Remote ID Type as Name in Phase-1 Settings.
Verification of the Manual IPsec VPN Tunnel
For the Omada managed gateway in headquarter, go to Insight > VPN Status > IPsec SA and check the IPsec SA entries.
For ER7206, go to VPN > IPsec > IPsec SA and check the IPsec SA entries. When corresponding entries are displayed in the tables, the VPN tunnel is successfully established.
Is this faq useful?
Your feedback helps improve this site.
TP-Link Community
Still need help? Search for answers, ask questions, and get help from TP-Link experts and other users around the world.