---
title: "Setting up site-to-site on SmartRG router"
slug: "setting-up-site-to-site-on-smartrg-router"
updated: 2026-05-07T09:00:36Z
published: 2026-05-07T09:00:36Z
---

# Setting up site-to-site on SmartRG router

This guide walks you through setting up a site-to-site IPsec tunnel on SmartRG routers, specifically using the SmartRG SR516AC as a reference. However, this setup process applies broadly across all SmartRG SR series routers, thanks to their similar interfaces and IPsec tunneling features.

## Accessing the router

First things first, log in to your router's management console and open the **Advanced Setup** section. Here, look for the IPsec option and click **Add**.

## Configuring IPsec

Now, you'll enter the details of your IPsec connection:

- **IPsec Connection Name**: NordLayer
- **IP Version**: IPv4
- **Tunnel Mode**: ESP
- **WAN Interface**: Choose the WAN interface you're using
- **Remote Security Gateway**: Type in the public IP address of your NordLayer server with a dedicated IP

## Setting LAN-side VPN

Under LAN-side VPN, select **Subnet** and input your local network's subnet in IPv4 format, along with the subnet mask in octets. Leave the Local ID Type as **Default**.

## Defining remote-side VPN

For the remote-side VPN:

- **IP Address**: Use the NordLayer subnet, which is 10.6.0.0
- **Mask or Prefix Length**: 255.255.240.0
- **Remote ID Type**: Default

## Key Exchange and Authentication

Choose **Auto (IKE)** for the **Key Exchange Method** and **Pre-Shared Key** for the **Authentication Method**, entering your generated pre-shared key. Don't forget to enable **Perfect Forward Secrecy**.

## Adjusting Advanced Settings

Expand the section titled **Hide Advanced Settings** for detailed phase settings:

### Phase 1:

- **Mode**: Main
- **Encryption Algorithm**: AES - 128
- **Integrity Algorithm**: SHA1
- **Select Diffie-Hellman Group for Key Exchange**: 1024bit
- **Key Lifetime**: 28800 seconds

### Phase 2:

**Same settings as Phase 1**, with a Key Lifetime of 3600 seconds

![Screenshot-for-HC (1) (1).png](https://cdn.document360.io/fc1049cd-8f71-4b89-b9b8-dbca9fdcdd16/Images/Documentation/Screenshot-for-HC%20%281%29%20%281%29.png)

## Configuring Firewall and WAN

For the tunnel to work smoothly, you must allow ports **500** and **4500** through your firewall. Head back to **Advanced Setup**, navigate to **Security → IP Filtering → Incoming** and click **Add**.

You'll need to set up two rules, one for each port:

- **Filter Name**: Choose a name for your rule
- **Interfaces**: Select the WAN interface used for the tunnel
- **IP Version**: 4
- **Protocol**: TCP or UDP
- **SrcIP/PrefixLength**: anywhere
- **SrcPort**: all
- **DstIP/PrefixLength**: anywhere
- **DstPort**: Specify 500 for one rule and 4500 for the other
- **Action**: Allow

![Firewall.png](https://cdn.document360.io/fc1049cd-8f71-4b89-b9b8-dbca9fdcdd16/Images/Documentation/Firewall%282%29.png)

## Ending note:

To finalize the site-to-site tunnel, create a setup in the [Sites tab of the NordLayer Control Panel](/v1/docs/site-to-site). The setup uses the following details:

- Pre-shared key - you can generate it or we can provide it
- Encryption details (AES, SHA and DH group) - AES256, SHA256 and DH group 14 are recommended (also must support IKEv2)
- Remote gateway/router public IP (must be reachable while connected to the server with a dedicated IP)
- Remote subnet and mask (the subnet is used in your local network)
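
As a pre-flight check before entering these values, the following Python script (an added example, not NordLayer or SmartRG code) validates a LAN-side subnet against the 10.6.0.0 / 255.255.240.0 remote subnet and compares the Phase 1 values from this guide with the recommended AES256, SHA256 and DH group 14. The function names, the strength ranking and the sample LAN subnets are assumptions made for illustration.

```python
import ipaddress

# Values from the guide: remote-side VPN subnet and the recommended proposal.
NORDLAYER_NET = ipaddress.ip_network("10.6.0.0/255.255.240.0")
# DH group 14 is the 2048-bit MODP group.
RECOMMENDED = {"encryption": "AES256", "integrity": "SHA256", "dh_bits": 2048}
# The guide's Phase 1 values; the "1024bit" DH option is MODP group 2.
GUIDE_PHASE1 = {"encryption": "AES128", "integrity": "SHA1", "dh_bits": 1024}
# Relative ordering used only for comparison (assumption of this example).
RANK = {"AES128": 1, "AES192": 2, "AES256": 3, "SHA1": 1, "SHA256": 2}


def check_lan_subnet(address, mask):
    """Validate the LAN-side subnet and check it against the NordLayer subnet."""
    try:
        lan = ipaddress.ip_network(f"{address}/{mask}", strict=True)
    except ValueError as exc:  # bad mask, or host bits set in the address
        return [f"invalid LAN subnet: {exc}"]
    if lan.overlaps(NORDLAYER_NET):
        # Overlapping ranges make routing between the two sites ambiguous.
        return [f"{lan} overlaps remote subnet {NORDLAYER_NET}"]
    return []


def check_proposal(proposal):
    """List the parameters that are weaker than the recommended values."""
    findings = []
    for field in ("encryption", "integrity"):
        # Unknown algorithm names rank 0 and are therefore reported too.
        if RANK.get(proposal[field], 0) < RANK[RECOMMENDED[field]]:
            findings.append(f"{field}: {proposal[field]} < {RECOMMENDED[field]}")
    if proposal["dh_bits"] < RECOMMENDED["dh_bits"]:
        findings.append(f"dh_bits: {proposal['dh_bits']} < {RECOMMENDED['dh_bits']}")
    return findings


if __name__ == "__main__":
    # Constructed sample LAN subnets, not taken from the guide.
    for addr, mask in [("192.168.1.0", "255.255.255.0"),
                       ("10.6.8.0", "255.255.255.0"),
                       ("192.168.1.10", "255.255.255.0")]:
        print(addr, mask, check_lan_subnet(addr, mask) or "ok")
    print("guide Phase 1:", check_proposal(GUIDE_PHASE1) or "ok")
    print("recommended:", check_proposal(RECOMMENDED) or "ok")
```

An empty list from either function means no issue was found for that input.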

**Note**: If you are experiencing different results, make sure that you have carefully gone through all the steps. If the issue persists, please feel free to contact our [24/7 customer support team](/docs/how-do-i-contact-nordlayer-customer-support).
