Configuring Site to Site VPN

Site-to-site VPNs connect multiple locations that have static public IP addresses and allow traffic to be routed among their networks. This is most commonly used to connect an organization's branch offices back to its main office, so branch users can access network resources in the main office.

Site-to-site VPN settings are accessible through the Configure > Gateway > Site-to-site VPN page.

Type

There are two options for configuring the EnGenius Gateway's role in the Auto VPN topology:

  • Hub (Mesh): This EnGenius Security Gateway acts as a VPN Hub (Mesh) node and establishes VPN tunnels to all remote EnGenius VPN peers in the same organization that are also configured in this mode. It also establishes VPN tunnels to Spoke nodes that specify this gateway as their Hub node.

  • Spoke: This EnGenius Security Gateway acts as a VPN Spoke node and establishes only one tunnel, to the remote EnGenius Security Gateway specified as its Hub node. All Spoke nodes that share a Hub node can reach each other through the Hub (spoke-to-spoke traffic traverses the Hub's tunnels) unless blocked by Site-to-Site VPN firewall rules.

Local Network to use VPN

If you have multiple LAN subnets, you can choose which LAN interfaces participate in the VPN. Subnets that are not selected are not reachable through the tunnel.

NAT Traversal

If the EnGenius Gateway is behind a firewall or other NAT device, there are two options for establishing the VPN tunnel:

  • Automatic: In the vast majority of cases the EnGenius Gateway can establish site-to-site VPN connectivity to remote EnGenius VPN peers automatically, even through a firewall or NAT device, using a technique known as UDP hole punching. This is the recommended (and default) option.

  • Manual: Port forwarding: Use this option if Automatic does not work. When it is enabled, EnGenius VPN peers contact this EnGenius Security Gateway at the public IP address you specify on UDP port 500. You still need to configure port forwarding rules on the upstream NAT/firewall device that forward incoming traffic for that public IP on UDP 500 (IKE) and UDP 4500 (IPsec NAT traversal) to the Primary WAN IP address of the EnGenius Security Gateway. Both ports are required: once the peers detect the NAT, ESP traffic is encapsulated in UDP 4500 instead of being sent as raw IP protocol 50, which a port-forwarding rule cannot carry.

Add Non-EnGenius Gateway

Auto VPN (Mesh VPN or Hub-and-Spoke VPN) works only between EnGenius Security Gateways in the same organization. In the following cases you must use the Add Non-EnGenius Gateway option:

  • To establish a Site-to-Site VPN connection between an EnGenius Security Gateway and a 3rd party VPN device.

  • To establish a Site-to-Site VPN connection between 2 EnGenius Security Gateways in 2 different organizations.

Click "Add" and enter the following information:

  • Gateway Name: A name for the remote gateway

  • Public WAN IP: The Primary WAN public IP address of the remote gateway.

  • Private Subnet: Enter the network address or subnet behind the remote gateway.

  • IKE Version: The IKE version to use (IKEv1 or IKEv2). Both peers must be configured for the same version.

  • Local ID: The identity this gateway presents to the remote peer during authentication; the remote peer must be configured to expect it. Only IKEv2 uses this ID.

  • Remote ID: The identity the remote peer presents during authentication. The remote gateway's Primary WAN public IP is recommended. If the remote peer is behind an external NAT device, do not enter its native private WAN IP; use the public address the peer is reached at.

  • IPsec Policy: Select a pre-defined policy or define a custom one.

  • Diffie-Hellman group: The Diffie-Hellman group used for the phase 1 (IKE) key exchange.

  • Encryption: The cipher and key size to use.

  • Authentication: Select MD5 or SHA1 as the integrity (HMAC) algorithm. Only phase 2 allows more than one selection. SHA1 is the stronger of the two; choose MD5 only when a legacy peer requires it.

  • PFS key Group: Select Off to disable Perfect Forward Secrecy (PFS), or select group 1, 2, 5, or 14 to enable PFS with that Diffie-Hellman group. With PFS off, compromise of the IKE SA keys exposes every phase 2 key derived from them. Groups 1 and 2 (768- and 1024-bit MODP) are considered too weak; prefer group 14 whenever the peer supports it.

  • Lifetime: The maximum number of seconds the IKE security association can last before it is renegotiated.

  • Pre-shared Key: The pre-shared secret to use. It must be identical on both peers; use a long random value.
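The fields above map directly onto the third-party peer's configuration, and the same fields are where the weak choices (MD5, DH groups 1 and 2, PFS off, a private address as Remote ID) get made. The Python below is an added example, not EnGenius or strongSwan project code: it validates a filled-in form against the caveats noted above and renders the matching swanctl.conf for a strongSwan peer, which is assumed here as the non-EnGenius device. The form field names, the option sets (DH_GROUPS, ENCRYPTION, AUTH), the mapping of Lifetime onto swanctl's rekey_time, and the sample addresses are assumptions.

```python
"""Validate the 'Add Non-EnGenius Gateway' fields and render the matching
strongSwan swanctl.conf for the third-party side of the tunnel.

Added example; not EnGenius or strongSwan project code. The option sets
below and the field names are assumptions based on the UI labels."""
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Assumed UI choices -> strongSwan proposal keywords.
DH_GROUPS = {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048"}
ENCRYPTION = {"3DES": "3des", "AES-128": "aes128", "AES-256": "aes256"}
AUTH = {"MD5": "md5", "SHA1": "sha1"}
# "Native private" ranges a Remote ID must not carry when the peer is behind NAT.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


@dataclass
class NonEnGeniusPeer:
    """The form fields as entered on the EnGenius gateway, plus the two facts
    about the EnGenius side that the third-party peer needs."""
    gateway_name: str
    public_wan_ip: str                      # Public WAN IP of the remote gateway
    private_subnet: str                     # Private Subnet behind the remote gateway
    ike_version: int                        # 1 or 2
    local_id: str                           # identity the EnGenius gateway presents
    remote_id: str                          # identity expected from the remote peer
    dh_group: int                           # phase 1 Diffie-Hellman group
    encryption: str
    authentication: str                     # phase 1 integrity (single choice)
    phase2_authentication: Tuple[str, ...]  # phase 2 integrity (multi-select)
    pfs_group: Optional[int]                # None means PFS Off
    lifetime: int                           # IKE SA lifetime, seconds
    pre_shared_key: str
    engenius_public_ip: str                 # EnGenius Primary WAN public IP
    engenius_lan: str                       # LAN chosen under "Local Network to use VPN"


def check_policy(p: NonEnGeniusPeer) -> List[str]:
    """Return the findings a reviewer would raise before the tunnel is built."""
    findings = []
    phases = [("phase 1", p.authentication)] + [("phase 2", a) for a in p.phase2_authentication]
    for where, alg in phases:
        if alg == "MD5":
            findings.append(f"{where}: MD5 integrity is obsolete; use SHA1")
    if p.dh_group in (1, 2):
        findings.append(f"phase 1: DH group {p.dh_group} is 1024-bit or smaller; use group 14")
    if p.pfs_group is None:
        findings.append("phase 2: PFS is off, so one IKE key compromise exposes every ESP key")
    elif p.pfs_group in (1, 2):
        findings.append(f"phase 2: PFS group {p.pfs_group} is too small; use group 14")
    if p.lifetime > 86400:
        findings.append(f"IKE lifetime {p.lifetime}s is longer than one day")
    if len(p.pre_shared_key) < 20:
        findings.append("pre-shared key is short; use a long random secret")
    try:
        addr = ipaddress.ip_address(p.remote_id)
        if any(addr in net for net in PRIVATE_NETS):
            findings.append("Remote ID is a private address; use the peer's public IP "
                            "if it sits behind a NAT device")
    except ValueError:
        pass  # Remote ID is an FQDN or other non-IP identity; nothing to check
    return findings


def ike_proposal(p: NonEnGeniusPeer) -> str:
    return f"{ENCRYPTION[p.encryption]}-{AUTH[p.authentication]}-{DH_GROUPS[p.dh_group]}"


def esp_proposals(p: NonEnGeniusPeer) -> str:
    # With PFS on, each ESP proposal carries its own DH group; with PFS off it has none.
    pfs = f"-{DH_GROUPS[p.pfs_group]}" if p.pfs_group is not None else ""
    return ",".join(f"{ENCRYPTION[p.encryption]}-{AUTH[a]}{pfs}" for a in p.phase2_authentication)


def swanctl_conf(p: NonEnGeniusPeer) -> str:
    """Render swanctl.conf for the strongSwan peer. Note the flip: the form's
    'remote' values are strongSwan's 'local' ones and vice versa."""
    lines = [
        "connections {", f"    {p.gateway_name} {{",
        f"        version = {p.ike_version}",
        f"        local_addrs = {p.public_wan_ip}", f"        remote_addrs = {p.engenius_public_ip}",
        "        local {", "            auth = psk", f"            id = {p.remote_id}", "        }",
        "        remote {", "            auth = psk", f"            id = {p.local_id}", "        }",
        f"        proposals = {ike_proposal(p)}",
        f"        rekey_time = {p.lifetime}s  # assumed closest swanctl analogue of Lifetime",
        "        children {", "            site {",
        f"                local_ts = {p.private_subnet}", f"                remote_ts = {p.engenius_lan}",
        f"                esp_proposals = {esp_proposals(p)}", "                start_action = start",
        "            }", "        }", "    }", "}",
        "secrets {", f"    ike-{p.gateway_name} {{",
        f"        id = {p.local_id}", f'        secret = "{p.pre_shared_key}"', "    }", "}",
    ]
    return "\n".join(lines) + "\n"


# Constructed sample values (documentation address ranges, not a real deployment).
SAMPLE_PEER = NonEnGeniusPeer(
    gateway_name="hq-strongswan", public_wan_ip="203.0.113.5", private_subnet="10.20.0.0/16",
    ike_version=2, local_id="198.51.100.10", remote_id="203.0.113.5", dh_group=14,
    encryption="AES-256", authentication="SHA1", phase2_authentication=("SHA1",), pfs_group=14,
    lifetime=28800, pre_shared_key="constructed-example-psk-J7q2xL9pVw4sT1n",
    engenius_public_ip="198.51.100.10", engenius_lan="10.10.0.0/24")
# The same peer with the weak choices the form still allows.
WEAK_PEER = replace(SAMPLE_PEER, remote_id="192.168.1.1", dh_group=2, encryption="3DES",
                    authentication="MD5", phase2_authentication=("MD5", "SHA1"),
                    pfs_group=None, pre_shared_key="short")

if __name__ == "__main__":
    for finding in check_policy(WEAK_PEER):
        print("WARN:", finding)
    print(swanctl_conf(SAMPLE_PEER))
```

Running the script prints six warnings for WEAK_PEER and a swanctl.conf for SAMPLE_PEER whose IKE and ESP proposals both read aes256-sha1-modp2048. The two checks worth keeping even if you do not use strongSwan are the Remote ID test, which is exactly the mistake the Remote ID field description warns about, and the PFS-off finding.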

VPN Firewall Rules

You can add firewall rules to control what traffic is allowed to pass through the VPN tunnel. These rules apply to outbound VPN traffic from every EnGenius Gateway in the organization that participates in site-to-site VPN. They are configured in the same manner as the Layer 3 firewall rules described on the Firewall Settings page of this documentation. Note that VPN firewall rules do not apply to inbound traffic or to traffic that is not passing through the VPN, so a rule here does not replace the gateway's ordinary Layer 3 rules.
