Site-to-Site VPN

The Site-to-Site VPN service allows local networks in different physical locations to communicate securely with each other over the Internet through an IPsec tunnel. This page guides you through the setup of Site-to-Site VPN and the settings on the General and Encryption tabs.

Set up a Site-to-Site VPN connection

Follow the steps below to establish a Site-to-Site VPN connection between a pair of Synology Router devices:

  1. Set up a pair of Synology Router devices and activate the Site-to-Site VPN feature on each device.
  2. On either of your Synology Router devices, go to VPN Plus Server > Site-to-Site VPN.
  3. Click Add > Manually.
  4. Configure the settings in both the General and Encryption tabs, and save your settings.
  5. Click Export Profile to save the VPN configuration to your computer. The exported profile contains the settings you entered, including the pre-shared key, so transfer it to the other site over a trusted channel and delete the copy once it has been imported.
  6. Sign in to the other Synology Router and go to VPN Plus Server > Site-to-Site VPN.
  7. Click Add > Import Profile.
  8. Select the profile exported from the first Synology Router, and save the settings.
  9. A Site-to-Site VPN connection is now established between both Synology Router devices.


General

Option Name

Description

Profile name

Name this profile.

Pre-shared key

Specify the pre-shared key that both sites use to authenticate each other during IKE negotiation. The connection succeeds only when the identical pre-shared key is configured on both sites. Use a long, randomly generated key: the pre-shared key is the only credential that proves a peer's identity, and a short or guessable key can be recovered offline from captured IKE traffic.

Enable this connection

Enable the connection right after setup. This function takes effect only when enabled on both sites.

Enable DNSSEC validation

Select this checkbox to secure DNS resolutions via DNSSEC (Domain Name System Security Extensions) validation during Site-to-Site VPN connections.

Local Site

  • Outbound IP: Specify one of the network interfaces on your Synology Router to set up the Site-to-Site VPN service.
  • Local ID: Specify the identity this site presents during IKE negotiation, which can be either a public IP address or FQDN (Fully Qualified Domain Name). It must be the same value that the other site configures as its Remote ID.
  • Private subnet: Specify the local network under the private subnet. Only subnet-type objects (defined in Object settings) are shown, as Site-to-Site VPN doesn't support IP range objects.

Remote Site

  • IP address/FQDN: Specify the remote site's public IP address or FQDN. The tunnel is negotiated with this address, so it must be reachable from the Outbound IP selected above.
  • Remote ID: Specify the identity expected from the remote site, which can be either a public IP address or FQDN. It must be the same value that the other site configures as its Local ID.
  • Private subnet: Specify the private subnet of the remote site's local network. Traffic from your private subnet to this subnet is routed through the tunnel, so the two private subnets must not overlap.

Dead Peer Detection

Enable Dead Peer Detection (DPD) and configure related settings:

  • DPD Delay: Specify the time interval between DPD packets sent to the remote site.
  • DPD Timeout: Specify a time threshold to detect connection loss. The remote site is considered disconnected if no DPD packets are received during this period, and the timeout must be longer than the DPD Delay.

Encryption

Option Name

Description

IKE version

Select IKEv1 or IKEv2. Both sites must use the same IKE version. Prefer IKEv2 when both sites support it: it has no Aggressive Mode, and its negotiation is simpler and more robust against tampering.

Mode

Select Main Mode or Aggressive Mode. This setting applies to IKEv1 only, and both sites must use the same mode. Aggressive Mode completes the exchange in fewer messages, but it sends the peer identity and a hash derived from the pre-shared key unencrypted, which allows an eavesdropper to attempt offline cracking of the key. Use Main Mode unless the remote site requires Aggressive Mode.

Encryption

Select one or more encryption algorithms from AES256, AES192, AES128, and 3DES. At least one selection must match an algorithm enabled on the remote site. Any algorithm selected on both sites can be negotiated, so leave 3DES unselected on both sites unless the remote site cannot use AES; 3DES has a 64-bit block size and is no longer considered secure for high-volume traffic.

Authentication

Select one or more hash algorithms for IKE integrity protection from SHA-512, SHA-384, SHA-256, SHA1, and MD5. At least one selection must match a hash algorithm enabled on the remote site. This setting does not authenticate the peer (the pre-shared key does); it protects the negotiation messages and packets against modification. MD5 and SHA1 are deprecated for this purpose, so select only SHA-256 or stronger on both sites when the remote site supports it.

DH group

Specify the Diffie-Hellman (DH) group used for key exchange; both sites must use the same group. Larger groups give a stronger key exchange at the cost of CPU time during negotiation. Avoid the 768-bit and 1024-bit MODP groups (DH groups 1 and 2), which are considered too weak.

Key lifetime

Specify how long a negotiated key remains valid. When the key expires, both sites negotiate a new key before traffic continues. Shorter lifetimes limit how much traffic is protected by any single key.

Enable Perfect Forward Secrecy (PFS)

With PFS enabled, every rekey performs a fresh Diffie-Hellman exchange instead of deriving the new key from the previous one, so the compromise of one key does not expose traffic protected by earlier or later keys. This adds a small amount of CPU time at each rekey but improves security, and it should be enabled on both sites.
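As an added example that is not part of this page and not Synology's own code, the following Python script applies the matching rules described on the General and Encryption tabs to two profiles and reports both settings that would prevent the tunnel from coming up and settings that work but are weak. The SiteProfile structure and its field names are an assumption for illustration and are not the format of the exported profile; the DH group numbers follow the standard IKE numbering (group 14 is 2048-bit MODP). The sample profiles at the bottom are constructed.

```python
"""Check two Site-to-Site VPN profiles against each other.

Added example; SiteProfile and the sample data are assumptions, not the
exported profile format used by the router.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass
class SiteProfile:
    """One side of the tunnel, mirroring the General and Encryption tabs."""
    name: str
    psk: str
    local_id: str          # identity this site presents (public IP or FQDN)
    remote_id: str         # identity expected from the peer
    local_subnet: str      # this site's private subnet, e.g. "192.168.1.0/24"
    remote_subnet: str     # the peer's private subnet
    ike_version: int       # 1 or 2
    mode: str              # "main" or "aggressive"; only meaningful for IKEv1
    encryption: set        # subset of {"AES256", "AES192", "AES128", "3DES"}
    authentication: set    # subset of {"SHA-512", "SHA-384", "SHA-256", "SHA1", "MD5"}
    dh_group: int          # standard IKE DH group number (assumed numbering)
    pfs: bool
    dpd_delay: int = 30    # seconds
    dpd_timeout: int = 120


def check_pair(a: SiteProfile, b: SiteProfile) -> dict:
    """Return {"errors": [...], "warnings": [...]}.

    errors:   the tunnel cannot be negotiated (settings do not match)
    warnings: the tunnel works, but a weak setting could be negotiated
    """
    errors, warnings = [], []

    # General tab: settings that must mirror each other on the two sites.
    if a.psk != b.psk:
        errors.append("pre-shared keys differ")
    for p in (a, b):
        if len(p.psk) < 20:
            warnings.append(f"{p.name}: pre-shared key shorter than 20 characters")
        if p.dpd_timeout <= p.dpd_delay:
            warnings.append(f"{p.name}: DPD Timeout must exceed DPD Delay")
    if a.local_id != b.remote_id or b.local_id != a.remote_id:
        errors.append("Local ID on one site must equal Remote ID on the other")
    a_local, b_local = ip_network(a.local_subnet), ip_network(b.local_subnet)
    if a_local != ip_network(b.remote_subnet) or b_local != ip_network(a.remote_subnet):
        errors.append("each site's Private subnet must be the other's Remote Site subnet")
    if a_local.overlaps(b_local):
        errors.append("the two private subnets overlap and cannot be routed through the tunnel")

    # Encryption tab: settings that must be identical.
    if a.ike_version != b.ike_version:
        errors.append("IKE version differs")
    if a.ike_version == 1 and a.mode != b.mode:
        errors.append("IKEv1 mode differs")
    if a.dh_group != b.dh_group:
        errors.append("DH group differs")

    # Encryption tab: settings that need at least one common choice. Anything
    # in the overlap can be negotiated, so a weak algorithm there is a risk.
    enc = a.encryption & b.encryption
    auth = a.authentication & b.authentication
    if not enc:
        errors.append("no common encryption algorithm")
    if not auth:
        errors.append("no common authentication (hash) algorithm")
    if a.ike_version == 1 and a.mode == "aggressive":
        warnings.append("IKEv1 Aggressive Mode exposes the PSK-derived hash; use Main Mode or IKEv2")
    if "3DES" in enc:
        warnings.append("3DES can be negotiated; deselect it on both sites")
    if {"MD5", "SHA1"} & auth:
        warnings.append("MD5/SHA1 can be negotiated; keep only SHA-256 or stronger")
    if min(a.dh_group, b.dh_group) < 14:
        warnings.append("DH group below 14 (2048-bit MODP); choose 14 or higher")
    if not (a.pfs and b.pfs):
        warnings.append("PFS is not enabled on both sites")
    return {"errors": errors, "warnings": warnings}


def weak_pair():
    """Constructed sample: settings match, but several weak choices remain."""
    common = dict(encryption={"AES128", "3DES"}, authentication={"SHA1", "MD5"},
                  ike_version=1, mode="aggressive", dh_group=2, pfs=False,
                  psk="Summer2024!")
    hq = SiteProfile("HQ", local_id="hq.example.com", remote_id="branch.example.com",
                     local_subnet="192.168.1.0/24", remote_subnet="192.168.2.0/24", **common)
    br = SiteProfile("Branch", local_id="branch.example.com", remote_id="hq.example.com",
                     local_subnet="192.168.2.0/24", remote_subnet="192.168.1.0/24", **common)
    return hq, br


def hardened_pair():
    """Constructed sample: the same tunnel with the settings this page recommends."""
    common = dict(encryption={"AES256"}, authentication={"SHA-256"}, ike_version=2,
                  mode="main", dh_group=14, pfs=True, psk="a7Qm3pX9vL2kR8nW5tY1cB4hJ6dF0sGz")
    hq = SiteProfile("HQ", local_id="hq.example.com", remote_id="branch.example.com",
                     local_subnet="192.168.1.0/24", remote_subnet="192.168.2.0/24", **common)
    br = SiteProfile("Branch", local_id="branch.example.com", remote_id="hq.example.com",
                     local_subnet="192.168.2.0/24", remote_subnet="192.168.1.0/24", **common)
    return hq, br


if __name__ == "__main__":
    for label, pair in (("weak", weak_pair()), ("hardened", hardened_pair())):
        print(label, check_pair(*pair))
```

Running the script reports no errors for either pair, since both tunnels would negotiate, but lists Aggressive Mode, 3DES, MD5/SHA1, the small DH group, the short key and missing PFS as warnings for the weak pair and nothing for the hardened one. Changing the pre-shared key or the Local ID on one site only turns the warning list into an error, which is the mismatch the page's "must be the same on both sites" rules describe.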
