Setting up site-to-site on TP-Link router

Note: If you are unsure whether site-to-site is the best solution for you, please take a look at our Remote Access article first. What is more, if your device/service supports SHA256 and DH group 14, it is recommended to use these settings instead.


Verify the settings needed for IPsec tunnel on router

To verify the settings needed for the setup, please log into the router's management portal:

Configuring the tunnel

  • Step 1: On the management webpage, click on VPN then IKE Proposal. Under IKE Proposal, enter NordLayer as the Proposal Name, select Authentication, Encryption and DH Group, we use SHA2-256, AES-256 and DH14.
  • Step 2: Click on Add.
  • Step 3: Click on IKE Policy tab, enter Policy Name (whatever you like), select Main as Exchange Mode, in this example we use Main, select IP Address for Local ID Type and Remote ID Type.
  • Step 4: Under IKE Proposal 1, select the previously created IKE policy. Enter Pre-shared Key, set SA Lifetime 28800, DPD should be enabled and DPD interval set to 30.
  • Step 5: Click on Add.
  • Step 6: Click on IPsec on the left menu, then IPsec Proposal. Select Security Protocol, ESP Authentication and ESP Encryption you want to enable on VPN tunnel. Here we use SHA2-256, AES-256 and DH14.
  • Step 7: Click on Add.
  • Step 8: Click on IPsec Policy, enter Policy Name whatever you like, the Mode should be LAN-to-LAN. Enter your Local Subnet and Remote Subnet (which is
  • Step 9: Select WAN you use and type in Remote Gateway. Remote Gateway is the public IP address of your NordLayer dedicated server.
  • Step 10: Look for Policy Mode and select IKE.
  • Step 11: Under IKE Policy, select the previously created IKE policy.
  • Step 12: Under IPsec Proposal, select the previously created IKE proposal.
  • Step 13: Look for PFS and set it to DH14 (if possible), under SA Lifetime, enter 28800.
  • Step 14: Look for Status then select Activate
  • Step 15: Click on Add.
  • Step 16: Select Enable then click on Save.

Ending note:

In order to finalize the site-to-site setup on our end, we will need these values:

  • Pre-shared key - you can generate it or we can provide it
  • Encryption  details (AES, SHA and DH group) - AES256, SHA256 and DH group 14 are recommended (also must support IKEv2)
  • Remote gateway/router public IP (must be reachable while connected to the dedicated server)
  • Remote subnet and mask (the subnet is used in your local network)

Lastly, it is important to know what device or cloud network is being used (Ubiquiti, Fortigate, AWS, Google Cloud, etc.)

You can provide all of these values to us securely via

In case you are experiencing different results, make sure that you have you carefully gone through all the steps. Having said that, in case the issue persists please feel free to contact our 24/7 customer support team.

Return to top