Site-to-Site VPN

The Site-to-Site VPN service lets local networks at different physical locations communicate securely with each other over the Internet through an IPsec tunnel. This page guides you through the setup of Site-to-Site VPN and the settings on the General and Encryption tabs.

Set up a Site-to-Site VPN connection

Follow the steps below to establish a Site-to-Site VPN connection between a pair of Synology Routers:

  1. Set up a pair of Synology Routers and activate the Site-to-Site VPN feature in SRM on each of them (see the licensing plan page for details).
  2. On either of the Synology Routers, go to VPN Plus Server > Site-to-Site VPN.
  3. Click Add > Manually.
  4. Configure the settings at the General and Encryption tabs, and then save the settings.
  5. Click Export Profile to export the VPN configurations to your computer.
  6. Go to VPN Plus Server > Site-to-Site VPN on the other Synology Router.
  7. Click Add > Import Profile.
  8. Select the profile you have just exported from the previous Synology Router, and save the setting.
  9. You have now set up a Site-to-Site VPN connection between the two devices.

Note:

  • Profile export/import only works between two Synology Routers. If the remote end of the tunnel is a third-party IPsec device, configure the settings on that device manually and make sure they match the General and Encryption settings on the Synology Router.

General

  • Profile name: Name this profile.
  • Pre-shared key: Specify the same pre-shared key on both sites. The connection succeeds only when the keys match exactly. The key is what authenticates the two peers to each other, so use a long, randomly generated value rather than a word or short phrase.
  • Enable this connection: Tick this checkbox to start the connection right after setup. This function takes effect only when enabled on both sites.
  • Enable DNSSEC validation: Tick this checkbox to secure DNS resolutions via DNSSEC (Domain Name System Security Extensions) validation during Site-to-Site VPN connections.
  • Local Site:
    • Outbound IP: Specify one of the network interfaces on your Synology Router to set up the Site-to-Site VPN service.
    • Local ID: Specify a local ID, which can be either a public IP address or FQDN (Fully Qualified Domain Name).
    • Private subnet: Specify the local network under the private subnet.
      Note: The options in this drop-down menu are defined in Object. Address pool objects of the IP range type are not supported by Site-to-Site VPN. You will only see objects of the Subnet type in the drop-down menu.
  • Remote Site:
    • IP address/FQDN: Fill in the remote site's public IP address or FQDN so that this router can reach the remote peer over the Internet.
    • Remote ID: Specify the Remote ID, which can be either a public IP address or FQDN.
    • Private subnet: Specify the local network under the private subnet of the remote site.
  • Dead Peer Detection:
    • Enable: Tick the checkbox to enable Dead Peer Detection (DPD).
      • DPD Delay: Specify the time interval between DPD packets.
      • DPD Timeout: Specify a time threshold. If the Synology Router on the local site receives no DPD packets from the remote site for longer than this threshold, it treats the connection to the remote site as lost.

Encryption

  • IKE version: Select IKEv1 or IKEv2. Both sites must use the same IKE version. Prefer IKEv2 where the remote device supports it.
  • Mode: Select Main Mode or Aggressive Mode. Both sites must use the same mode. Main and Aggressive Mode are IKEv1 concepts; IKEv2 has a single exchange type. With a pre-shared key, IKEv1 Aggressive Mode sends the peer identity and a PSK-derived hash before the exchange is encrypted, so a passive eavesdropper can attempt to guess the key offline. Use Main Mode unless the remote device cannot.
  • Encryption: Select one or more ciphers from AES256, AES192, AES128 and 3DES. At least one selected cipher must also be selected on the remote site. 3DES is a legacy cipher with a 64-bit block size; leave it unselected unless the remote device cannot use AES.
  • Authentication: Select one or more integrity algorithms from SHA-512, SHA-384, SHA-256, SHA1 and MD5. At least one selected algorithm must also be selected on the remote site. MD5 and SHA1 are legacy choices; prefer SHA-256 or stronger.
  • DH group: Specify the same Diffie-Hellman (DH) group on both sites. Larger groups give a stronger key exchange at some CPU cost.
  • Key lifetime: Specify how long a key remains valid. When the key expires, both sites negotiate a new one.
  • Enable Perfect Forward Secrecy (PFS): With PFS, each rekey performs a fresh Diffie-Hellman exchange instead of deriving the new key from existing keying material, so a later compromise of the pre-shared key or of one session key does not expose traffic protected by earlier keys. The extra exchange costs a little CPU at each rekey; enable it unless the remote device cannot.

Note:

  • Inconsistent settings between the two sites will cause the connection to fail. We recommend exporting the configuration (the profile) from one site and importing it on the other, so that both sites carry identical Encryption settings and correctly mirrored Local Site and Remote Site settings.
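The consistency rules above can be checked before a profile is imported. The following is an added example written for this page, not Synology code: the dataclass fields are my own names chosen to mirror the labels on the General and Encryption tabs (SRM's real export format is not documented here). mirror_profile builds the second site's profile the way Export/Import Profile does, check_pair reports the mismatches that would stop the tunnel from coming up, and weak_settings reports choices that work but weaken it.

```python
"""Consistency and hygiene checks for a pair of Site-to-Site VPN profiles.

Added example, not Synology code. Field names are assumptions chosen to
mirror the General and Encryption tabs; they are not SRM's export format.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_network

# Algorithms offered on the Encryption tab that should be treated as legacy.
LEGACY_ENCRYPTION = {"3DES"}
LEGACY_AUTH = {"MD5", "SHA1"}


@dataclass(frozen=True)
class SiteProfile:
    name: str
    psk: str
    local_id: str               # Local ID (public IP or FQDN)
    local_subnet: str           # Local private subnet, CIDR
    remote_addr: str            # Remote site IP address/FQDN
    remote_id: str              # Remote ID
    remote_subnet: str          # Remote private subnet, CIDR
    ike_version: int            # 1 or 2
    mode: str                   # "main" or "aggressive" (IKEv1 only)
    encryption: frozenset       # e.g. {"AES256", "AES128"}
    authentication: frozenset   # e.g. {"SHA-256"}
    dh_group: int
    key_lifetime: int           # seconds
    pfs: bool


def mirror_profile(p: SiteProfile, new_name: str, first_site_addr: str) -> SiteProfile:
    """Build the peer's profile as Export/Import Profile does: swap the Local
    Site and Remote Site settings, keep every Encryption-tab setting as is.
    first_site_addr is the first router's public address, which its own
    profile does not carry (it only names its Outbound interface)."""
    return replace(
        p,
        name=new_name,
        local_id=p.remote_id,
        local_subnet=p.remote_subnet,
        remote_addr=first_site_addr,
        remote_id=p.local_id,
        remote_subnet=p.local_subnet,
    )


def check_pair(a: SiteProfile, b: SiteProfile) -> list[str]:
    """Return the mismatches that would stop the tunnel from coming up."""
    errors = []
    if a.psk != b.psk:
        errors.append("pre-shared key differs")
    if a.ike_version != b.ike_version:
        errors.append("IKE version differs")
    if a.ike_version == 1 and a.mode != b.mode:
        errors.append("IKEv1 mode differs")
    if not (a.encryption & b.encryption):
        errors.append("no common encryption algorithm")
    if not (a.authentication & b.authentication):
        errors.append("no common authentication algorithm")
    if a.dh_group != b.dh_group:
        errors.append("DH group differs")
    if a.pfs != b.pfs:
        errors.append("PFS setting differs")
    # Identities must cross over: my Local ID is the peer's Remote ID.
    if a.local_id != b.remote_id or b.local_id != a.remote_id:
        errors.append("local/remote IDs are not mirrored")
    # Subnets must cross over too, and must be CIDR blocks, not IP ranges.
    try:
        a_local, a_remote = ip_network(a.local_subnet), ip_network(a.remote_subnet)
        b_local, b_remote = ip_network(b.local_subnet), ip_network(b.remote_subnet)
        if a_local != b_remote or b_local != a_remote:
            errors.append("private subnets are not mirrored")
        if a_local.overlaps(a_remote):
            errors.append("local and remote subnets overlap")
    except ValueError as exc:
        errors.append(f"subnet is not a CIDR block: {exc}")
    return errors


def weak_settings(p: SiteProfile) -> list[str]:
    """Return settings that will negotiate but weaken the tunnel."""
    warnings = []
    if p.encryption & LEGACY_ENCRYPTION:
        warnings.append("3DES selected; prefer AES only")
    if p.authentication & LEGACY_AUTH:
        warnings.append("MD5/SHA1 selected; prefer SHA-256 or stronger")
    if p.ike_version == 1 and p.mode == "aggressive":
        warnings.append("IKEv1 Aggressive Mode exposes a PSK-derived hash to offline guessing")
    if not p.pfs:
        warnings.append("PFS disabled; earlier traffic is exposed if the key later leaks")
    if len(p.psk) < 20:
        warnings.append("pre-shared key is short; use a long random key")
    return warnings


if __name__ == "__main__":
    # Constructed sample: HQ profile entered by hand, branch profile imported.
    hq = SiteProfile("HQ-to-Branch", "correct horse battery staple 2024",
                     "hq.example.com", "192.168.10.0/24", "203.0.113.20",
                     "branch.example.com", "192.168.20.0/24", 2, "main",
                     frozenset({"AES256", "AES128"}), frozenset({"SHA-256"}),
                     14, 28800, True)
    branch = mirror_profile(hq, "Branch-to-HQ", "198.51.100.10")
    print("errors:", check_pair(hq, branch))
    print("warnings:", weak_settings(hq) + weak_settings(branch))
```

Run the script as is to see a clean pair; change one side's DH group, PSK or cipher list and check_pair names the mismatch that would otherwise show up only as a failed negotiation. DPD settings are deliberately not compared: they are local to each router and need not match.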