How do I configure my firewall for compatibility with Site-to-Site VPN on the Datto DNA?
Question
How do I configure my firewall for compatibility with the Datto Networking Appliance's Site-to-Site VPN feature?
Environment
- Datto Networking Appliance (DNA)
- Site-to-Site VPN
Answer
Use the following settings to configure your firewall. The examples shown use a Sonicwall device; certain settings may be named differently or appear in different areas of the UI depending on the brand of device used in your environment.
General
- Policy Type: Select Site to Site
- Authentication Method: Select IKE using Preshared Secret
- Name: Use the internal IP address of the DNA
- IPsec Primary Gateway Name or Address: Enter the primary gateway name or address used in your environment
- Shared Secret: Enter the IKE Authentication Shared Secret key
- Local IKE ID & Peer IKE ID: Enter the address scheme and IDs for both values
Figure 1: General settings as shown on a Sonicwall router
Figure 2: Network settings as shown on a Sonicwall router
Proposals
- IKE (Phase 1)
  - Exchange: Main Mode
  - DH Group: Group 14
  - Encryption: AES-128
  - Authentication: SHA1
  - Life Time (seconds): 28800
- IPsec (Phase 2)
  - Protocol: ESP
  - Encryption: AES-128
  - Authentication: SHA1
  - Perfect Forward Secrecy: Enabled
  - DH Group: Group 14
  - Lifetime (seconds): 28800
Figure 3: Proposals settings as shown on a Sonicwall router
Advanced
- Keep Alive: Enabled
- VPN Policy bound to: Select Interface X2
Figure 4: Advanced settings as shown on a Sonicwall router
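For a peer that is not a Sonicwall, the same policy can be written out in its native configuration; below is an added strongSwan swanctl.conf example (not part of the Datto article) that mirrors the settings above. The connection name, public addresses, IKE IDs, protected subnets and the shared secret are placeholders to replace with your own values, and the keep-alive mapping (start on load plus DPD restart) is an approximation of the Sonicwall option.

```conf
# Added example: strongSwan swanctl.conf equivalent of the Sonicwall policy above.
# All addresses and the secret are placeholders (RFC 5737 ranges), not real values.
connections {
    dna-site {                       # "Name": one policy per DNA
        version      = 1             # IKE using Preshared Secret = IKEv1
        aggressive   = no            # Exchange: Main Mode
        local_addrs  = 203.0.113.10  # this firewall's WAN address (placeholder)
        remote_addrs = 198.51.100.20 # IPsec Primary Gateway address (placeholder)
        # Phase 1: AES-128, SHA1, DH Group 14 (modp2048)
        proposals    = aes128-sha1-modp2048
        rekey_time   = 28800s        # Phase 1 Life Time
        dpd_delay    = 30s           # dead-peer detection keeps the tunnel alive
        local {
            auth = psk
            id   = 203.0.113.10      # Local IKE ID (placeholder)
        }
        remote {
            auth = psk
            id   = 198.51.100.20     # Peer IKE ID (placeholder)
        }
        children {
            dna-lan {
                local_ts  = 192.0.2.0/24   # local subnet (placeholder)
                remote_ts = 10.0.0.0/24    # subnet behind the DNA (placeholder)
                # Phase 2: ESP, AES-128, SHA1; trailing DH group enables PFS
                esp_proposals = aes128-sha1-modp2048
                rekey_time    = 28800s     # Phase 2 Lifetime
                start_action  = start      # bring the tunnel up on load ("Keep Alive")
                dpd_action    = restart    # re-establish if the peer stops answering
            }
        }
    }
}
secrets {
    ike-dna {
        id-1   = 203.0.113.10
        id-2   = 198.51.100.20
        secret = "REPLACE-WITH-SHARED-SECRET"   # IKE Authentication Shared Secret
    }
}
```

After loading the file (swanctl --load-all), swanctl --list-sas shows the negotiated IKE and ESP proposals so you can confirm both sides agreed on AES-128/SHA1/Group 14 and on the 28800-second lifetimes.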