How to set up Site-to-Site Manual IPsec VPN Tunnels on Omada Gateway via Omada Controller

G36W-4G, ER7206, ER8411, ER707-M2, ER7412-M2, G36, ER706W-4G, ER706W, ER605 (V1, V2, V2.6), ER7212PC, G611
Recent updates may have expanded access to feature(s) discussed in this FAQ. Visit your product's support page, select the correct hardware version for your device, and check either the Datasheet or the firmware section for the latest improvements added to your product. Please note that product availability varies by region, and certain models may not be available in your region.
Objective
This article describes how to configure the Manual IPsec function on Omada Gateway via the Omada Controller.
Requirements
- Omada Gateways
- Omada Software Controller/Hardware Controller/Cloud Based Controller
Introduction
IPsec Site-to-Site VPN can connect geographically isolated networks. It is mainly used in large enterprises to establish VPN channels between branches and the headquarters. The IPsec VPN connection is established between the branch routers over the public network to transmit private network data.
Omada gateways support two types of Site-to-Site IPsec VPN: Auto IPsec and Manual IPsec. This article introduces how to configure Manual IPsec via the Omada controller. For the configuration of Auto IPsec, refer to How to set up site-to-site Auto IPsec VPN Tunnels on Omada Gateway in Controller Mode.
Configuration
For example, two gateways (gateway A and gateway B) are deployed at two sites respectively. Follow the steps below to configure Manual IPsec to establish a private tunnel between the two gateways.
Step 1. Get the IPsec configuration settings. Log in to the Omada controller, go to Devices List, and click a gateway to display its properties window. Go to Details > WAN to get Site1_Gateway A’s WAN IP.
Go to Settings > Wired Networks > LAN > Networks to get Site1_Gateway A’s Local Subnet (e.g., LAN1). Repeat the above steps to get Site2_Gateway B’s WAN IP and LAN Network (for example, 192.168.100.1/24).
Step 2. Go to Settings > VPN > VPN to configure IPsec on gateway A.
Refer to the explanation table below to configure the parameters.
| Parameter | Description |
| --- | --- |
| Status | Check the box to enable the VPN tunnel. |
| Remote Gateway | Enter the WAN IP address of Gateway B in the branch office (sut.com). |
| Remote Subnets | Enter the IP address range of the LAN in the branch office (192.168.100.0/24). |
| Local Networks | Select the networks in the headquarters (LAN 1), and the VPN policy will be applied to the selected networks. |
| Pre-Shared Key | Enter the Pre-Shared Key (PSK) that serves as the authentication key. The gateways in the headquarters and the branch 1 office must use the same PSK for authentication. |
| WAN | Select the WAN port on which the VPN tunnel will be established. |
Note:
- If both gateways use a public IP, set Negotiation Mode to Initiator Mode and enter the peer IP or domain name in Remote Gateway.
- If only gateway A uses a public IP, set gateway A’s Negotiation Mode to Responder Mode and enter 0.0.0.0 in Remote Gateway, indicating that IPsec negotiations initiated by all IPs are accepted. Set Local ID Type and Remote ID Type to Name according to your network requirement. Set gateway B’s Negotiation Mode to Initiator Mode and enter gateway A’s IP or domain name in Remote Gateway.
Step 3. Go to Settings > VPN > VPN to configure IPsec on gateway B.
Refer to the explanation table below to configure the parameters.
| Parameter | Description |
| --- | --- |
| Status | Check the box to enable the VPN tunnel. |
| Remote Gateway | Enter the WAN IP address of Gateway A in the headquarters office. |
| Remote Subnets | Enter the IP address range of the LAN in the headquarters office (192.168.0.0/24). |
| Local Networks | Select the networks in the branch (LAN 1), and the VPN policy will be applied to the selected networks. |
| Pre-Shared Key | Enter the Pre-Shared Key (PSK) that serves as the authentication key. The gateways in the headquarters and the branch 1 office must use the same PSK for authentication. |
| WAN | Select the WAN port on which the VPN tunnel will be established. |
Note:
- It is recommended to use IKEv2 mode for higher security and better performance unless the peer device only supports IKEv1 negotiation mode.
- IPsec IKEv1 does not support multiple remote subnets in a single tunnel. For configurations requiring multiple remote subnets, consider using IKEv2 or alternative solutions.
- The gateways at both ends must use the same negotiation mode, pre-shared key, and encryption algorithm to ensure the tunnel is successfully established.
- Avoid conflicts between the Remote Subnet and the Local Subnet.
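A pre-deployment check for the rules in the notes above, written as an added example (it is not TP-Link code and does not call any Omada Controller API). The dictionary keys, the `AES256` value, the PSK and the WAN address are constructed placeholders; the two dictionaries stand for the values you would type into the Manual IPsec form on each gateway.

```python
import ipaddress

def nets(values):
    # strict=False accepts the "192.168.100.1/24" form shown in Step 1.
    return [ipaddress.ip_network(v, strict=False) for v in values]

def check_tunnel(a, b):
    """Return a list of problems in two Manual IPsec configs (dict keys are hypothetical)."""
    problems = []
    for name, side, peer in (("A", a, b), ("B", b, a)):
        local, remote = nets(side["local_subnets"]), nets(side["remote_subnets"])
        # Remote Subnets must not conflict with the Local Networks.
        problems += [f"{name}: local {l} overlaps remote {r}"
                     for l in local for r in remote if l.overlaps(r)]
        # Each side's Remote Subnets should be the peer's Local Networks.
        if set(remote) != set(nets(peer["local_subnets"])):
            problems.append(f"{name}: remote subnets differ from peer's local networks")
        # IKEv1 does not support multiple remote subnets in one tunnel.
        if side["ike_version"] == 1 and len(remote) > 1:
            problems.append(f"{name}: IKEv1 with multiple remote subnets")
        # 0.0.0.0 is only meaningful on a responder; an initiator needs a real peer.
        if side["mode"] == "initiator" and side["remote_gateway"] == "0.0.0.0":
            problems.append(f"{name}: initiator needs the peer's IP or domain name")
    # Both ends must agree on these; only the key name is reported, never the PSK.
    problems += [f"mismatch: {k}" for k in ("ike_version", "psk", "encryption") if a[k] != b[k]]
    if a["mode"] == b["mode"] == "responder":
        problems.append("both sides are responders, so no side initiates")
    return problems

# Constructed sample values (documentation IP range, placeholder PSK).
SITE_A = {"mode": "responder", "remote_gateway": "0.0.0.0", "ike_version": 2,
          "psk": "example-psk", "encryption": "AES256",
          "local_subnets": ["192.168.0.0/24"], "remote_subnets": ["192.168.100.0/24"]}
SITE_B = {"mode": "initiator", "remote_gateway": "198.51.100.10", "ike_version": 2,
          "psk": "example-psk", "encryption": "AES256",
          "local_subnets": ["192.168.100.1/24"], "remote_subnets": ["192.168.0.0/24"]}

if __name__ == "__main__":
    for line in check_tunnel(SITE_A, SITE_B) or ["no problems found"]:
        print(line)
```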
Verification
Go to Insight > VPN Status > IPsec VPN to check the tunnel status.
Conclusion
You have now successfully connected two sites via IPsec VPN.
For more details on each function and configuration, go to the Download Center to download the manual for your product.