@AJC01 

thank you for the reply.

I have this network situation:

                   Site 1                                                       Site 2

                                            -----------------------------------------

                                            | -------------------------------------  |        

                                            | |                                            | |    

              ISP modem ---------                                              | | 

                      |                     | |                                            | |

------------------ ER605  ------ | |                                            | |  

|                                           | |                                        ISP modem

|                                           | |                                            | |

|                                           | |                                        ER 605 ---------------------------DHCP LAN 

|                                           | |                                           | |        

|                                           | |                                         WIN Server VPN-host (DHCP -VPN)

|                                           | |                                                                    

|                                           | |

|                                           | |      

|                                           | |

workstation 1------VPN-------| |

workstation 2 -----VPN-------- |

etc.

What i'd like

Site 1 - ER605 (VPN)  ------------ISP modem ----------------------Site 2----ISP modem ----ER605 (VPN)-----WIN server.

Just for certain ports / programms

All other internet trafic needs to be routed through the ISP modem directly to the internet

  @AJC01 

you want IPsec site to site, or lan to lan as it is called in stand alone, It's pretty simple, make sure you have a public IP address on both routers, then go to page 153 in the manual.

I don't know if you are using stand alone or controller, the manual is for stand alone

https://static.tp-link.com/upload/manual/2023/202310/20231009/1910013510_ER605(UN)_UG.pdf

  @AJC01 

first you should get the vpn up and running then you can concentrate on ports then. but to block and open ports you use acl which is also described in the manual i would think

  @MR.S 

unfortunatelly, no connection.

had both vpn settings next to each other, followed the steps from the manual, no connection

are there any ports i need to open ?

  @AJC01 

Do you have a public IP on the WAN interface of the router? You must have that on both routers or it won't work.

at the wan-ports, i have the lan adress of the isp modem (=gateway)

  @AJC01 

no no ports should be opened. when it works you should be able to ping gateway ip from lan to lan, if you get a response then vpn is established

AJC01 wrote

at the wan-ports, i have the lan adress of the isp modem (=gateway)

  @AJC01 

it won't work, what ip is it? does it start with 192.168.x.x or 10.x.x.x