Setting up site-to-site on TP-Link router
- 1 Minute to read
Setting up site-to-site on TP-Link router
- 1 Minute to read
Article summary
Did you find this summary helpful?
Thank you for your feedback
Note: If your device/service supports SHA256 and DH group 14, it is recommended to use these settings instead.
Verify the settings needed for IPsec tunnel on router
To verify the settings needed for the setup, please log into the router's management portal:
Configuring the tunnel
- On the management webpage, click on VPN then IKE Proposal. Under IKE Proposal, enter NordLayer as the Proposal Name, select Authentication, Encryption and DH Group, we use SHA2-256, AES-256 and DH14.
- Click on Add.
- Click on IKE Policy tab, enter Policy Name (whatever you like), select Main as Exchange Mode, in this example we use Main, select IP Address for Local ID Type and Remote ID Type.
- Under IKE Proposal 1, select the previously created IKE policy. Enter Pre-shared Key, set SA Lifetime 28800, DPD should be enabled and DPD interval set to 30.
- Click on Add.
- Click on IPsec on the left menu, then IPsec Proposal. Select Security Protocol, ESP Authentication and ESP Encryption you want to enable on VPN tunnel. Here we use SHA2-256, AES-256 and DH14.
- Click on Add.
- Click on IPsec Policy, enter Policy Name whatever you like, the Mode should be LAN-to-LAN. Enter your Local Subnet and Remote Subnet (which is 10.6.0.0/20).
- Select WAN you use and type in Remote Gateway. Remote Gateway is the public IP address of your NordLayer dedicated server.
- Look for Policy Mode and select IKE.
- Under IKE Policy, select the previously created IKE policy.
- Under IPsec Proposal, select the previously created IKE proposal.
- Look for PFS and set it to DH14 (if possible), under SA Lifetime, enter 3600.
- Look for Status then select Activate
- Click on Add.
- Select Enable then click on Save.
Ending note:
In order to finalize the site-to-site setup on our end, please provide these values via Site-to-site request from in the NordLayer Control Panel:
- Pre-shared key - you can generate it or we can provide it
- Encryption details (AES, SHA and DH group) - AES256, SHA256 and DH group 14 are recommended (also must support IKEv2)
- Remote gateway/router public IP (must be reachable while connected to the dedicated server)
- Remote subnet and mask (the subnet is used in your local network)
Note: In case you are experiencing different results, make sure that you have you carefully gone through all the steps. Having said that, in case the issue persists please feel free to contact our 24/7 customer support team.
Was this article helpful?