Create a site-to-site IPsec VPN tunnel with Swisscom Router

I am planning to open a new branch of my existing office on the other side of my country. And I would like to share confidential work files between the two offices. My first idea is to build up a site-to-site VPN tunnel between the two offices. This story is about setting up a site-to-site VPN tunnel between the two offices with an Omada SDN Router ER8411 and a Swisscom Router.

Configuration on Swisscom Router:

VPN spec of Swisscom Router:

 

Config on TP-Link Router:

As you can see, the only option is to input the peer IP address and a password. Nothing else.

While on the TP-Link router, there are many, many configuration options.

With so many options, and 3-5 choices for each option, it's impossible to test them one by one.

With some further research, I found that all the specs are fixed in the Swisscom Router, so the only method to link them up is to configure the TP-Link the same as the Swisscom Router. I compared the picture with the TP-Link options carefully. The good news is that some options look the same or similar, such as IKEv2, AES256, SHA2, SA Lifetime, etc.

The bad news is that I have no idea what MODP, Curve, and HMAC mean, and there is no such thing on the TP-Link router either. Hence I went to Google to try to learn something about them, and I found the following chart:

It combines the MODP (Swisscom) names with the DH Group (TP-Link) numbers. On Swisscom, it says MODP2048 and modp8192. I was thinking it supports all the DH Groups within this range, so I first set the TP-Link to DH Group 16, thinking that I could get a more secure VPN tunnel :)

However, it failed. :(

Then I tried DH14, with the other parameters configured the same as on the Swisscom router.

Another parameter is sha2-256 (Swisscom), while on the TP-Link router there is no option named exactly the same as on the Swisscom Router:

Then I searched more, and found some information saying that sha256 equals sha2-256:

 

With the above information, I successfully established a VPN tunnel between the two routers.

Below are my Phase-1 and Phase-2 settings in TP-Link:

Two links to learn VPN parameters:

https://wiki.strongswan.org/projects/strongswan/wiki/IKEv1CipherSuites

https://docs.strongswan.org/docs/5.9/config/IKEv2CipherSuites.html

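The keyword matching worked out by hand in the post, as an added example (not code from the post or from either vendor). An IKE proposal lists discrete DH groups rather than a range, so the check compares a local choice against exactly the groups the peer names. The function names are hypothetical and the `PEER` list is constructed from the keywords quoted in the post.

```python
import re

# IANA "Transform Type 4" (Diffie-Hellman group) numbers for the MODP and
# curve keywords used in strongSwan-style proposal strings.
DH_GROUPS = {
    "modp1024": 2, "modp1536": 5, "modp2048": 14, "modp3072": 15,
    "modp4096": 16, "modp6144": 17, "modp8192": 18,
    "ecp256": 19, "ecp384": 20, "ecp521": 21, "curve25519": 31,
}

def normalize(keyword):
    """Lower-case a keyword and fold spelling variants: sha2-256 -> sha256."""
    k = keyword.strip().lower().replace("-", "").replace("_", "")
    return re.sub(r"^sha2(\d{3})$", r"sha\1", k)

def parse_proposal(keywords):
    """Split a keyword list into DH group numbers and other algorithm names."""
    groups, others = set(), set()
    for kw in keywords:
        k = normalize(kw)
        if k in DH_GROUPS:
            groups.add(DH_GROUPS[k])
        else:
            others.add(k)
    return groups, others

def check_local(peer_keywords, local_algs, local_dh_group):
    """Return the reasons the local settings cannot match the peer's fixed spec."""
    peer_groups, peer_algs = parse_proposal(peer_keywords)
    problems = []
    if local_dh_group not in peer_groups:
        problems.append(
            f"DH group {local_dh_group} not offered; peer accepts {sorted(peer_groups)}"
        )
    for alg in local_algs:
        if normalize(alg) not in peer_algs:
            problems.append(f"{alg} not offered by peer")
    return problems

# Constructed peer spec, using the keywords quoted in the post (assumption:
# the fixed side accepts only what it lists).
PEER = ["aes256", "sha2-256", "MODP2048", "modp8192"]

if __name__ == "__main__":
    print(check_local(PEER, ["AES256", "SHA256"], 16))  # DH16 is not in the list
    print(check_local(PEER, ["AES256", "SHA256"], 14))  # matches
```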

Comment

wow good to know! 
