Setting up site-to-site on TP-Link router
  • 1 Minute to read

Setting up site-to-site on TP-Link router


Note: If your device/service supports SHA256 and DH group 14, it is recommended to use these settings instead.

Verify the settings needed for IPsec tunnel on router

To verify the settings needed for the setup, please log into the router's management portal:

Screenshot 2022-02-17 at 16.01.16.png

Configuring the tunnel

  1. On the management webpage, click on VPN then IKE Proposal. Under IKE Proposal, enter NordLayer as the Proposal Name, select Authentication, Encryption and DH Group, we use SHA2-256, AES-256 and DH14.
  2. Click on Add.
  3. Click on IKE Policy tab, enter Policy Name (whatever you like), select Main as Exchange Mode, in this example we use Main, select IP Address for Local ID Type and Remote ID Type.

Screenshot 2022-02-17 at 16.01.40.png

  1. Under IKE Proposal 1, select the previously created IKE policy. Enter Pre-shared Key, set SA Lifetime 3600, DPD should be enabled and DPD interval set to 30.

Screenshot 2022-02-17 at 16.01.48.png

  1. Click on Add.

Screenshot 2022-02-17 at 16.01.55.png

  1. Click on IPsec on the left menu, then IPsec Proposal. Select Security Protocol, ESP Authentication and ESP Encryption you want to enable on VPN tunnel. Here we use SHA2-256, AES-256 and DH14.
  2. Click on Add.
  3. Click on IPsec Policy, enter Policy Name whatever you like, the Mode should be LAN-to-LAN. Enter your Local Subnet and Remote Subnet (which is 10.6.0.0/20).
  4. Select WAN you use and type in Remote Gateway. Remote Gateway is the public IP address of your NordLayer dedicated server.
  5. Look for Policy Mode and select IKE.
  6. Under IKE Policy, select the previously created IKE policy.
  7. Under IPsec Proposal, select the previously created IKE proposal.
  8. Look for PFS and set it to DH14 (if possible), under SA Lifetime, enter 28800.
  9. Look for Status then select Activate

Screenshot 2022-02-17 at 16.02.26.png

  1. Click on Add.

Screenshot 2022-02-17 at 16.02.34.png

  1. Select Enable then click on Save.

Screenshot 2022-02-17 at 16.02.42.png

Ending note:

In order to finalize the site-to-site setup on our end, please provide these values via Site-to-site request from in the NordLayer Control Panel:

  • Pre-shared key - you can generate it or we can provide it
  • Encryption  details (AES, SHA and DH group) - AES256, SHA256 and DH group 14 are recommended (also must support IKEv2)
  • Remote gateway/router public IP (must be reachable while connected to the dedicated server)
  • Remote subnet and mask (the subnet is used in your local network)

Note: In case you are experiencing different results, make sure that you have you carefully gone through all the steps. Having said that, in case the issue persists please feel free to contact our 24/7 customer support team.


Was this article helpful?