This guide explains how to configure a Site-to-Site (S2S) IPsec VPN tunnel using IKEv2 with Route10. This allows two separate networks to securely communicate over the internet.
1. Basic Configuration
For most setups, only a few fields are required:
- Enabled: Turns the VPN tunnel on. Default: on.
- Name: A label for your reference. Not technically required, but it is best practice to give the tunnel a descriptive name.
- Hostname: The IP address or hostname of the remote peer.
- Pre-Shared Key (PSK): A shared secret used for authentication. You can auto-generate a secure PSK by hovering over the question mark and clicking where it says "Click." The PSK must be identical on both sides of the link.
- Remote Subnet(s): The network(s) on the remote peer's side that should be routed through the tunnel. Use CIDR format, comma-separated, with no spaces. Example: 192.168.2.0/24,10.0.0.0/16
- Local ID: The identity this device presents to the remote peer. By default, enter the Alta DDNS hostname of the current site.
- Remote ID: The identity you expect the remote peer to present. By default, enter the Alta DDNS hostname of the remote site.
How to look up the Alta DDNS hostname (if needed):
- Go to the Network section.
- Hover the mouse cursor over the IP address for Route10.
- Move the cursor over the hover modal that appears.
- Triple-click the DDNS hostname line to fully select it, or click and drag to highlight it manually.
- Press Ctrl + C (or ⌘ + C on Mac) to copy the line, or right-click and choose Copy.
2. Example Configurations
Each side must be configured using the other side’s details — such as its IP/hostname, Remote ID, and subnets — while sharing the same PSK.
A matching (mirrored) setup on the remote peer is required for the tunnel to successfully establish.
Example 1: Static IP on both ends
- Hostname: 203.0.113.1
- PSK: [your shared secret]
- Remote Subnet(s): 192.168.2.0/24
- Local ID: x8r91qtwvz.ddns.manage.alta.inc
- Remote ID: v0z72d1xmn.ddns.manage.alta.inc
Example 2: Default Alta DDNS hostname on both ends
- Hostname: v0z72d1xmn.ddns.manage.alta.inc
- PSK: [your shared secret]
- Remote Subnet(s): 10.10.0.0/16,192.168.10.0/24
- Local ID: x8r91qtwvz.ddns.manage.alta.inc
- Remote ID: v0z72d1xmn.ddns.manage.alta.inc
Tip: Remote subnets must be entered in comma-separated CIDR format, with no spaces.
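As an added example (not part of this guide or of Route10's own software), the following Python builds both sides of the tunnel from one description of each site, so that each side is filled in with the other's hostname, identity and subnets while sharing the PSK, and validates the Remote Subnet(s) field against the rules above (CIDR notation, comma-separated, no spaces). It also flags overlapping local and remote ranges, the case the Masquerade option exists for. The remote peer is taken from Example 1; the local site's address 198.51.100.1 and LAN 192.168.1.0/24 are constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Site:
    name: str
    hostname: str       # public IP or Alta DDNS hostname the peer dials
    ddns_id: str        # Alta DDNS hostname, used as this site's IKE identity
    subnets: list       # CIDR strings for the networks behind this site

def parse_remote_subnets(value: str) -> list:
    """Validate a Remote Subnet(s) field: comma-separated CIDR, no spaces."""
    if " " in value:
        raise ValueError("Remote Subnet(s) must not contain spaces")
    nets = []
    for item in value.split(","):
        if "/" not in item:
            raise ValueError(f"{item!r} is not in CIDR notation")
        # strict=True rejects prefixes with host bits set, e.g. 10.0.0.1/16
        nets.append(ipaddress.ip_network(item, strict=True))
    return nets

def is_valid_remote_subnets(value: str) -> bool:
    try:
        parse_remote_subnets(value)
        return True
    except ValueError:
        return False

def build_side(me: Site, peer: Site, psk: str) -> dict:
    """One side of the tunnel, filled in with the *other* side's details."""
    remote = ",".join(peer.subnets)
    cfg = {"Enabled": True, "Name": f"{me.name} to {peer.name}",
           "Hostname": peer.hostname, "PSK": psk, "Remote Subnet(s)": remote,
           "Local ID": me.ddns_id, "Remote ID": peer.ddns_id, "Masquerade": False}
    # Overlapping local/remote ranges cannot be routed cleanly; flag Masquerade for that case.
    for r in parse_remote_subnets(remote):
        if any(r.overlaps(ipaddress.ip_network(s)) for s in me.subnets):
            cfg["Masquerade"] = True
    return cfg

def sides_match(x: dict, y: dict) -> bool:
    """The mirror check: same PSK, and each side's Local ID is the other's Remote ID."""
    return x["PSK"] == y["PSK"] and x["Local ID"] == y["Remote ID"] and x["Remote ID"] == y["Local ID"]

# Constructed sample: remote peer from the guide's Example 1; local address and LAN are assumed.
PSK = "example-psk-replace-me"  # placeholder: generate the real PSK in the Route10 UI
LOCAL = Site("Local", "198.51.100.1", "x8r91qtwvz.ddns.manage.alta.inc", ["192.168.1.0/24"])
REMOTE = Site("Remote", "203.0.113.1", "v0z72d1xmn.ddns.manage.alta.inc", ["192.168.2.0/24"])
TUNNEL = {"Local": build_side(LOCAL, REMOTE, PSK), "Remote": build_side(REMOTE, LOCAL, PSK)}
```

`TUNNEL["Local"]` is what you would type into the local Route10 and `TUNNEL["Remote"]` into the peer; `sides_match` confirms the two entries mirror each other before you save either side.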
3. What Happens After Saving?
- The system attempts to initiate the IKEv2 handshake using the configured parameters.
- If successful, traffic to the remote subnet(s) will be routed over the tunnel.
4. Advanced Settings (Optional)
The default values are optimized for performance, security, and compatibility between Route10 systems.
🧠 Tip: If you're not sure what a setting does — it's best to leave it as-is.
These settings are pre-filled with secure, high-performance defaults. You generally do not need to modify them unless your VPN peer has specific requirements (e.g., older hardware, strict security policies, or non-standard proposals).
IKE (Phase 1)
| Setting | Description |
|---|---|
| IKE Cipher | Encryption algorithm for Phase 1 (default: aes128gcm16). |
| IKE Hash | PRF used during key generation (default: prfsha256). |
| DH Group | Diffie-Hellman group for key exchange (default: ecp256 (19)). |
| IKE Lifetime | How long the IKE SA lasts before rekeying (default: 43200 seconds = 12 hours). |
| Local ID | Identity this device presents. |
| Remote ID | Expected identity of the remote peer. |
ESP (Phase 2)
| Setting | Description |
|---|---|
| ESP Cipher | Encryption for tunnel data (default: aes128gcm16). |
| ESP Hash | Required for non-AEAD ciphers (default: prfsha256). |
| ESP DH Group | DH group for Perfect Forward Secrecy (default: ecp256 (19)). |
| ESP Lifetime | Duration of the IPsec SA (default: 3600 seconds = 1 hour). |
| Local TS | (Optional) Local subnet override. Usually auto-detected. |
| Remote TS | (Optional) Remote subnet override. Defaults to Remote Subnet(s). |
DPD (Dead Peer Detection)
| Setting | Description |
|---|---|
| DPD Delay | How often to send keepalives (e.g., 30s). |
| DPD Timeout | Time before considering the peer unreachable (e.g., 150s). |
Masquerade
If enabled, outbound traffic will appear to originate from the tunnel endpoint (useful for NAT scenarios or overlapping IP ranges).
Related Video
📺 Prefer a walkthrough? Our CTO, Jeff Hansen, demonstrates how to configure a Route10 Site-to-Site VPN in this video (starting at ~12:05): Watch on YouTube.