Site-to-Site VPN

Site-to-Site VPN service allows local networks in different physical locations to securely communicate with each other over the Internet. This page guides you through the setup of Site-to-Site VPN and the settings at the General and Encryption tabs.

Set up a Site-to-Site VPN connection

Follow the steps below to establish a Site-to-Site VPN connection between a pair of Synology Router:

Set up a pair of Synology Router and activate the Site-to-Site VPN feature on their SRM (refer to this web page for more information on our licensing plan).
On either of your Synology Router, go to VPN Plus Server > Site-to-Site VPN.
Click Add > Manually.
Configure the settings at the General and Encryption tabs, and then save the settings.
Click Export Profile to export the VPN configurations to your computer.
Go to VPN Plus Server > Site-to-Site VPN on the other Synology Router.
Click Add > Import Profile.
Select the profile you have just exported from the previous Synology Router, and save the setting.
You have now set up a Site-to-Site VPN connection between the two devices.

Note:

Profile export/import is not available if another IPSec supported device to which you set up a Site-to-Site VPN tunnel is not a Synology Router.

General

Profile name: Name this profile.
Pre-shared key: Specify the pre-shared key on both sites to enhance security. Connections will be successful only when the identical pre-shared key is specified on both sites.
Enable this connection: Tick this checkbox to start the connection right after setup. This function takes effect only when enabled on both sites.
Enable DNSSEC validation: Tick this checkbox to secure DNS resolutions via DNSSEC (Domain Name System Security Extensions) validation during Site-to-Site VPN connections.
Local Site:
- Outbound IP: Specify one of the network interfaces on your Synology Router to set up the Site-to-Site VPN service.
- Local ID: Specify a local ID, which can be either a public IP address or FQDN (Fully Qualified Domain Name).
- Private subnet: Specify the local network under the private subnet.
  Note: The options in this drop-down menu are defined in Object. Address pool objects of the IP range type are not supported by Site-to-Site VPN. You will only see objects of the Subnet type in the drop-down menu.
Remote Site:
- IP address/FQDN: Fill in your remote site's public IP address or FQDN to allow external access.
- Remote ID: Specify the Remote ID, which can be either a public IP address or FQDN.
- Private subnet: Specify the local network under the private subnet of the remote site.
Dead Peer Detection:
- Enable: Tick the checkbox to enable Dead Peer Detection (DPD).
  - DPD Delay: Specify the time interval between DPD packets.
  - DPD Timeout: Specify a time threshold. This option allows detecting the loss of connection from the remote site when the Synology Router on your local site has not received any DPD packets for a period longer than the time threshold.

Note:

The private subnets of local and remote sites cannot overlap.
You may read the RFC 3706 document for more technical information on Dead Peer Detection.
The Synology Router serving for the Site-to-Site VPN connection on the local site cannot access the private subnet of the remote site.
When the Site-to-Site VPN settings are manually configured between a pair of Synology Router (e.g., site A and site B), the information under the Local Site section on one device (e.g., site A) must be entered under the Remote Site section on the other (e.g., site B), and vice versa.
Frequently asked questions regarding Site-to-Site VPN:
- Why can't I set up a Site-to-Site VPN connection successfully?
- Why can't I access remote devices over Site-to-Site VPN even if the VPN connection status is "Connected"?

Encryption

IKE version: Select IKEv1 or IKEv2. Both sites must have the same IKE version.
Mode: Select Main Mode or Aggressive Mode. Both sites must have the same mode.
Encryption: Select one or more types of AES encryption from AES256, AES192, AES128, and 3DES. You must select at least one encryption type that is also adopted by the remote site.
Authentication: Select one or more types of authentication from SHA-512, SHA-384, SHA-256, SHA1, MD5. You must select at least one authentication type that is also adopted by the remote site.
DH group: Specify the same Diffie-Hellman (DH) group for both sites.
Key lifetime: Specify how long the validity of your key is. Once the key expires, both sites will exchange a new key.
Enable Perfect Forward Secrecy (PFS): Enabling this option may subtly affect the performance but will enhance the security.

Note:

The inconsistency of configurations between two sites may result in connection failures. We recommend exporting the configuration (i.e., the profile) on one site and importing it to the other site. In so doing, you can facilitate the setup and avoid connection failures.

Var denna artikel hjälpfull?

Ja ／ Nej