Legacy Open Mesh: How do I Configure A Custom Site-to-Site VPN using IPSec?

Question

How do I Configure A Custom Site-to-Site VPN using IPSec?

Environment

  • CloudTrax

Answer

Requirements

  • A G200 running 1.0.6+ firmware.
  • A third-party router that supports IPSec VPN, such as Datto DNA.
  • The WAN IP address of each router should be reachable from the Internet.

Setup

  1. Navigate to the G200's VPN settings > Custom Site to Site.
  2. Give the G200 a Site ID.
  3. Decide whether the G200 will be the VPN initiator or receiver.
  4. Choose whether the tunnel is going to use IKEv1 or IKEv2.
  5. Enter the tunnel's pre-shared key.
  6. Toggle which subnets on the G200 should be reachable through the tunnel.
  7. Enter the remote router's IPSec information.
  8. Click "Add" and then "Save Changes".
  9. The G200 will negotiate IKE Phase 1 and Phase 2 with the other router to enable the tunnel.
  10. Once the negotiations have completed, the tunnel will be usable.

Recommended settings

The values below are settings that many of our customers have found to work well. If you have experienced difficulties in setting up IPSec connections or would simply like to start off with a good configuration, give the values below a try.

CloudTrax - G200 settings:

  1. G200 Mode: "Initiator"
  2. IPsec Mode: "IKEv2"
  3. Remote Site ID and Remote Endpoint: set both to the remote peer's public IP

If the remote IPsec peer has a configuration option to set its identity or ID value, match that value to CloudTrax's "Remote Site ID" field. Otherwise, routers often default to filling this field with their public IP address, which is why we recommend entering the remote router's public IP in the ID field, as suggested above.

Remote IPsec Peer settings:

  1. IPsec Mode: "IKEv2"
  2. Phase 1 IKE: "AES-256 & SHA1"
  3. Phase 1 DH Group: "Group 14 (MOD_2048)"
  4. Phase 1 SA Lifetime: "240 Minutes (14,400 seconds)"
  5. Phase 2 ESP: "AES-256 & SHA1"
  6. Phase 2 PFS Group: "None"
  7. Phase 2 SA Lifetime: "240 Minutes (14,400 seconds)"

Be on the lookout for any Remote/Local ID fields on the remote IPsec peer, and be sure to set those fields to match what you configured in CloudTrax for your G200 router. Naturally, these values will be flipped: the G200's Local ID is configured on the peer router as the Remote ID, and vice versa.
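As an added example (not part of the original article and not CloudTrax's or Datto's own configuration), this is how the recommended remote-peer settings above translate to a strongSwan peer configured through swanctl.conf. It assumes the peer is at public IP 203.0.113.10 with LAN 192.168.10.0/24, the G200 is at 198.51.100.20 with LAN 192.168.20.0/24 (all constructed documentation addresses), both sides identify themselves by public IP as the article suggests, and the peer acts as responder because the G200 is the initiator.

```ini
# /etc/swanctl/swanctl.conf on the remote IPsec peer (strongSwan).
# Values mirror the article's "Remote IPsec Peer settings" list.
connections {
    to-g200 {
        version = 2                     # IPsec Mode: IKEv2
        local_addrs  = 203.0.113.10     # this peer's WAN IP
        remote_addrs = 198.51.100.20    # G200's WAN IP (Remote Endpoint)

        local {
            auth = psk
            id = 203.0.113.10           # must equal the G200's "Remote Site ID"
        }
        remote {
            auth = psk
            id = 198.51.100.20          # must equal the G200's own Site ID
        }

        # Phase 1: AES-256, SHA1 (HMAC-SHA1-96), DH group 14 (modp2048)
        proposals = aes256-sha1-modp2048
        # Phase 1 SA lifetime 14,400 s; strongSwan rekeys shortly before
        # this timer expires rather than dropping the SA at the hard limit.
        rekey_time = 14400s

        children {
            lan-to-lan {
                local_ts  = 192.168.10.0/24   # subnet behind this peer
                remote_ts = 192.168.20.0/24   # G200 subnet toggled in step 6
                # Phase 2: AES-256 & SHA1; no DH group listed = PFS "None"
                esp_proposals = aes256-sha1
                rekey_time = 14400s           # Phase 2 SA lifetime
                start_action = none           # responder: wait for the G200
            }
        }
    }
}

secrets {
    ike-g200 {
        id-1 = 203.0.113.10
        id-2 = 198.51.100.20
        secret = "REPLACE_WITH_THE_PRE_SHARED_KEY_FROM_STEP_5"
    }
}
```

Load it with `swanctl --load-all`, then start the tunnel from the G200 side and confirm the IKE_SA and CHILD_SA with `swanctl --list-sas`; a mismatch between the `id` values and the G200's Site ID / Remote Site ID fields is the most common reason Phase 1 fails.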