Create a site-to-site IPsec VPN tunnel with Swisscom Router
I am planning to open a new branch of my existing office on the other side of my country, and I would like to share confidential work files between the two offices. My first idea is to build a site-to-site VPN tunnel between the two offices. This story is about setting up that site-to-site VPN tunnel with an Omada SDN Router ER8411 and a Swisscom Router.
Configuration on Swisscom Router:
VPN spec of Swisscom Router:
Config on TP-Link Router:
As you can see, the only option is to input the peer IP address and a password. Nothing else.
On the TP-Link router, by contrast, there are many configuration options.
With so many options, and 3-5 choices for each option, it's impossible to test them one by one.
With some further research, I found that all the specs are fixed in the Swisscom Router, so the only way to link them up is to configure the TP-Link the same as the Swisscom Router. I compared the picture with the TP-Link options carefully. The good news is that some options look the same or similar, such as IKEv2, AES256, SHA2, SA Lifetime, etc.
The bad news is that I had no idea what MODP, Curve and HMAC mean, and there is no such thing in the TP-Link router either. So I went to Google to learn something about them, and found the following chart:
It matches the MODP names (Swisscom) with the DH Group numbers (TP-Link). On Swisscom, it says MODP2048 and modp8192. I was thinking it supports all the DH Groups in this range, so I first set the TP-Link to DH Group 16, thinking that I could get a more secure VPN tunnel. :)
However, it failed. :(
Then I tried DH14, with the other parameters configured the same as on the Swisscom router.
Another parameter is sha2-256 (Swisscom), while the TP-Link router has no option named exactly the same as on the Swisscom Router:
Then I searched more, and found some information saying that sha256 equals sha2-256:
With the above information, I successfully established a VPN tunnel between the two routers.
Below are my Phase-1 and Phase-2 settings in TP-Link:
Two links to learn VPN parameters:
https://wiki.strongswan.org/projects/strongswan/wiki/IKEv1CipherSuites
https://docs.strongswan.org/docs/5.9/config/IKEv2CipherSuites.html
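The name matching described above (MODP names against DH Group numbers, sha2-256 against sha256) can be checked before touching either router. The script below is an added example, not part of the original post or either vendor's tooling. The dictionaries are constructed from the values named in the post, and it assumes that "MODP2048 and modp8192" is a list of two groups rather than a range.

```python
import re

# IANA IKE Diffie-Hellman group numbers for the MODP groups
# (RFC 2409 / RFC 3526), keyed by the strongSwan-style keyword.
MODP_TO_DH = {
    "modp768": 1, "modp1024": 2, "modp1536": 5, "modp2048": 14,
    "modp3072": 15, "modp4096": 16, "modp6144": 17, "modp8192": 18,
}

def normalize(name):
    """Fold spelling variants: 'SHA2-256' and 'sha2_256' both become 'sha256'."""
    n = re.sub(r"[\s_-]", "", name.lower())
    return re.sub(r"^sha2(\d{3})$", r"sha\1", n)

def dh_group(name):
    """Return the DH group number for 'modp2048', 'DH14', 'DH Group 14' or '14'."""
    n = normalize(name)
    if n in MODP_TO_DH:
        return MODP_TO_DH[n]
    m = re.fullmatch(r"(?:dh)?(?:group)?(\d+)", n)
    if not m:
        raise ValueError(f"unknown DH group name: {name!r}")
    return int(m.group(1))

def compare(fixed_peer, local):
    """List each field where the local choice is not one the fixed peer offers."""
    problems = []
    for field, offered in fixed_peer.items():
        conv = dh_group if field == "dh" else normalize
        accepted = {conv(v) for v in offered}
        if conv(local[field]) not in accepted:
            problems.append(f"{field}: {local[field]!r} not in {sorted(accepted)}")
    return problems

# Constructed sample data using the names that appear in the post.
SWISSCOM = {"encryption": ["AES256"], "integrity": ["sha2-256"],
            "dh": ["MODP2048", "modp8192"]}  # assumed: two groups, not a range
FIRST_TRY = {"encryption": "AES256", "integrity": "SHA256", "dh": "DH16"}
SECOND_TRY = {"encryption": "AES256", "integrity": "SHA256", "dh": "DH14"}

if __name__ == "__main__":
    for label, cfg in (("DH16 attempt", FIRST_TRY), ("DH14 attempt", SECOND_TRY)):
        print(label, "->", compare(SWISSCOM, cfg) or "proposal matches")
```

DH16 is modp4096, which is not one of the two groups named on the Swisscom side, so the first attempt is reported as a mismatch while DH14 (modp2048) passes.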