- 4 Minutes to read
Sites
The NordLayer Sites feature creates a secure site-to-site connection to your internal business LAN using a Virtual Private Gateway with a dedicated server setup.
How to create a Site?
1. Log into the NordLayer Control Panel
2. Click the Network accordion on the left side
3. Click Sites and select Create Site
Set up IPsec (Site-to-Site) tunnel:
To proceed with the site-to-site setup, fill in the information in the order form:
- Site name — name your configuration
- Dedicated server IP — from the dropdown list choose which dedicated gateway IP address will be used for site-to-site configuration
- Choose the type of site-to-site setup
On-premise setup
For on-premise setup, you will need to enter the full model name of your router or firewall in the provided field. Guides for routers:
- Setting up site-to-site on SmartRG router
- Setting up site-to-site on UniFi USG
- Setting up site-to-site on TP-Link router
- Setting up site-to-site on Synology router
- Setting up site-to-site on D-Link DIR-130/330
- Setting up site-to-site on Linux server
- Setting up site-to-site on Zyxel USG
- Setting up site-to-site on WatchGuard
- Setting up site-to-site on Untangle NG
- Setting up site-to-site on Sophos XG
- Setting up site-to-site on SonicWall
- Setting up site-to-site on pfSense
- Setting up site-to-site on Palo Alto
- Setting up site-to-site on Netgear BR500 router
- Setting up site-to-site on Linksys router
- Setting up site-to-site on Juniper (JunOS) SRX
- Setting up site-to-site on FortiGate
- Setting up site-to-site on DrayTek Vigor 3900
- Setting up site-to-site on Cisco Meraki
- Setting up site-to-site on Check Point
- Setting up site-to-site on Barracuda
- Setting up site-to-site on Asus BRT-AC828
- Setting up site-to-site on Ubiquiti EdgeRouter / EdgeMax
Cloud setup
For a cloud setup, you can either select your cloud service provider from the dropdown menu or manually enter your cloud service provider's name. Guides for cloud providers:
- Setting up site-to-site on Alibaba Cloud
- Setting up site-to-site on Google Cloud Platform
- Setting up site-to-site on Google Cloud (VPC peering)
- Setting up site-to-site on IBM Cloud
- Setting up site-to-site on AWS Virtual Gateway
- Setting up site-to-site on AWS Transit Gateway
- Setting up site-to-site on Microsoft Azure
- Guide to AWS Configuration
Encryption settings configuration
Base:
- Policy-based is used by default for Sites configured with on-premises tunnel type.
- Route-based is mainly used for Cloud setups but may vary per cloud service provider.
IKE version: IKEv2 is the default value and gives the best results (in IPsec it is also referred to simply as IKE). IKEv1 is reserved for some cloud providers and older firewall/router hardware.
Remote IP: Public IP address of your office, home, or any other place where the site-to-site connection will be used.
Subnets: The internal subnet(s) of the local network where your router, firewall device, or server is connected.
- The default subnets used for routers or cloud networks are often configured with IP addresses in the ranges of 192.168.0.0/24, 10.0.0.0/24, or 172.16.0.0/12. You can use an online tool to determine the appropriate subnet mask to define the range of your own subnet, which can be accessed via a site-to-site tunnel.
- Your public IP must be static
- A maximum of 5 subnets per Site can be added.
Pre-shared secret key: A password for authentication. This can be pre-generated by your tool, or you can generate it yourself with any password manager.
Local tunnel IP or (-ln Tunnel1). Can be found in the AWS site-to-site config.
Remote tunnel IP or (-lr). Can be found in the AWS site-to-site config. It is 1 IP address lower than the local tunnel IP.
To obtain the local tunnel IP and remote tunnel IP values, refer to the following line in your AWS config file:
#leftupdown="/etc/ipsec.d/aws-updown.sh -ln Tunnel1 -ll XXX.XXX.XX.XXX/30 -lr XXX.XXX.XX.XXX/30 -m 100 -r <VPC CIDR>"
IKE Encryption type (Phase 1): the ciphers that will actually be used, given as the AES variant, SHA variant, and DH group. Use this resource (the IANA group number corresponds to the DH group your tool is using) to determine the keyword you should enter in this order form field.
ESP Encryption type (Phase 2): usually mirrors the values entered as the IKE encryption type. However, it can differ depending on the router, firewall device, or server you are using.
We suggest using IPSec/IKEv2 AES256, SHA256 with DH Group 14 (equivalent to modp2048) at the minimum for the optimal site-to-site experience.
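As an added illustration of the form values described above (example code written for this article, not NordLayer's own tooling), the script below parses the AWS leftupdown line to recover the local (-ll) and remote (-lr) tunnel IPs and the VPC CIDR, checks the "remote is one address lower" relation, enforces the 5-subnet limit, and maps an IANA DH group number to its keyword. The sample line, the placeholder 169.254.x.x addresses and the private-range sanity check are constructed assumptions, not values from any real tunnel.

```python
import ipaddress

# Constructed sample of the AWS strongSwan leftupdown line quoted in the article.
# Addresses are placeholders, not values from any real tunnel.
SAMPLE_LEFTUPDOWN = (
    '#leftupdown="/etc/ipsec.d/aws-updown.sh -ln Tunnel1 '
    '-ll 169.254.10.2/30 -lr 169.254.10.1/30 -m 100 -r 10.0.0.0/16"'
)

MAX_SUBNETS = 5  # per-Site limit stated in the article

# IANA IKE group number -> keyword accepted by strongSwan-style tools (assumed mapping;
# the article itself only states that group 14 equals modp2048)
DH_KEYWORDS = {2: "modp1024", 5: "modp1536", 14: "modp2048", 15: "modp3072",
               16: "modp4096", 19: "ecp256", 20: "ecp384", 21: "ecp521"}


def parse_leftupdown(line: str) -> dict:
    """Pull -ln, -ll (local tunnel IP), -lr (remote tunnel IP) and -r (VPC CIDR)
    out of the leftupdown line; tolerates a leading '#' and curly quotes."""
    _, _, value = line.strip().lstrip("#").partition("=")
    args = value.strip().strip('"\u201c\u201d').split()
    flags = {args[i]: args[i + 1] for i in range(len(args) - 1)
             if args[i].startswith("-")}
    return {
        "link_name": flags["-ln"],
        "local_tunnel_ip": ipaddress.ip_interface(flags["-ll"]),
        "remote_tunnel_ip": ipaddress.ip_interface(flags["-lr"]),
        "vpc_cidr": ipaddress.ip_network(flags["-r"]),
    }


def tunnel_pair_ok(local, remote) -> bool:
    """Article rule: the remote tunnel IP is exactly one address below the local
    one, and both sit in the same /30 link network."""
    return local.network == remote.network and int(local.ip) - int(remote.ip) == 1


def validate_subnets(subnets):
    """Apply the article's cap of 5 subnets per Site and require well-formed
    network addresses; the RFC 1918 check is an added sanity check, not a rule."""
    if len(subnets) > MAX_SUBNETS:
        raise ValueError(f"at most {MAX_SUBNETS} subnets per Site, got {len(subnets)}")
    nets = [ipaddress.ip_network(s, strict=True) for s in subnets]  # rejects host bits
    bad = [str(n) for n in nets if not n.is_private]
    if bad:
        raise ValueError(f"not private (RFC 1918) ranges: {bad}")
    return nets


if __name__ == "__main__":
    info = parse_leftupdown(SAMPLE_LEFTUPDOWN)
    print(info, tunnel_pair_ok(info["local_tunnel_ip"], info["remote_tunnel_ip"]))
    print(validate_subnets(["192.168.0.0/24", "10.0.0.0/24"]), DH_KEYWORDS[14])
```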
Once you enter all the information and click on Create Site, please allow some time for the feature to be enabled. You will receive an email with confirmation once it’s ready.
What information can you see about a created Site?
Once created, the Site displays the country flag of the server's location along with its IP address and NordLayer subnet. The table shows the configuration type (either on-premises or cloud), the site's remote IP, and its state:
- Applied — The site-to-site configuration was successfully submitted and applied to your dedicated server.
- Applying — The site-to-site configuration is being submitted and applied to your dedicated server.
- Failed — The site-to-site configuration encountered an error.
- Suspending — The site-to-site configuration is being disabled.
- Suspended — The site-to-site configuration is disabled.
- Removing — The site-to-site configuration is being deleted.
You can access your Site's configuration settings by clicking on a specific Site name.
Note: In case you have any questions or are experiencing any issues, please feel free to contact our 24/7 customer support team.