I can't set up a Site-to-Site VPN connection. What can I do?

Symptoms

You have set up a Site-to-Site VPN through VPN Plus Server, but the status consistently shows connecting instead of connected.

Resolution

  1. Configure port forwarding rules

    UDP ports 500 and 4500 (used by IPsec) need to be open on both Synology Router devices for the Site-to-Site VPN service to function. If either Synology Router is located behind a NAT device (e.g. router or switch), port forwarding rules are required on that device to forward these packets to the Synology Router.

    If the NAT device is also a Synology Router, please refer to this article for detailed instructions on configuring port forwarding rules.

  2. Confirm that VPN service is not forwarded to clients

    Connection issues may occur if any of the following settings are in use:

    • Synology Router has port forwarding rules configured to route packets to network clients’ ports 500 or 4500.
    • Synology Router has DMZ enabled and the DMZ host is assigned to a network client.
    • One or more network clients have UPnP (Universal Plug and Play) enabled, which can automatically create forwarding rules on the router that send port 500 or 4500 traffic to the client instead of to the router.

    To troubleshoot connection issues:

    • Go to SRM > Network Center > Port Forwarding > Port Forwarding and delete the port forwarding rules on your Synology Router devices.
    • Go to SRM > Network Center > Port Forwarding > DMZ and disable DMZ on your Synology Router devices.
    • Disable UPnP on the network clients.

  3. Add a firewall rule

    To ensure Site-to-Site VPN connectivity, make sure that your firewall is not blocking the VPN connection, especially if the option "If IPv4/IPv6 WAN-to-SRM traffic matches no rules" is set to Deny. To allow connections to your Synology Router devices through the Site-to-Site VPN tunnel, follow these steps to add a firewall rule:

    1. Go to SRM > Network Center > Security > Firewall.
    2. Click Create.
    3. Under the Name section, enter a name for the firewall rule.
    4. Under the Protocol section, select UDP.
    5. Under the Source section, select All for both IP address and Ports.
    6. Under the Destination section, select the following options:
      • IP address: Select SRM.
      • Ports: Tick Select from a list of built-in applications, click Select, and then tick VPN Plus Server (IPsec).
    7. Under the Action section, select Allow.
    8. Click OK, then Save to finish.

    For detailed instructions about firewall configurations on SRM, please refer to this article.

  4. Ensure DNS functionality if you use DDNS to set up VPN

    VPN Plus Server allows you to use Synology DDNS (Dynamic DNS) to identify your Synology Router devices (as the Local ID and Remote ID) during Site-to-Site VPN configuration. If you use DDNS but the Site-to-Site VPN does not connect, follow these troubleshooting steps:

    • If you are using both DDNS and IPv6 for the Site-to-Site VPN configuration on any of your Synology Router devices, temporarily disable IPv6 by going to SRM > Network Center > Local Network > IPv6. Then reconfigure the Site-to-Site VPN and try connecting again.
    • Try setting up the Site-to-Site VPN with both the routers' external IP addresses (e.g., 210.61.203.200) and their DDNS hostnames. If connecting via the external IP address works but the DDNS hostname does not, try using Google's DNS "8.8.8.8" as the preferred DNS server. To configure the DNS server, go to SRM > Network Center > Internet > Connection on both Synology Router devices, and then set up the Site-to-Site VPN again.

  5. Make sure your Site-to-Site and L2TP VPN use different pre-shared keys

    Both Site-to-Site VPN and L2TP VPN on a Synology Router run over IPsec. Do not use the same pre-shared key (PSK) for both VPN connection types.

  6. Enter correct information during setup

    Ensure that the information entered for the Site-to-Site VPN configuration is accurate and consistent on both Synology Router devices. If the status remains "Connecting" instead of "Connected" after configuration, review the configuration information and reconfigure the Site-to-Site VPN.

  7. Ensure the VPN subnets of both sites do not overlap

    Make sure the VPN subnets on both sites do not overlap with each other.

    If your Site-to-Site VPN network has been set up successfully after following all the steps above, but you still cannot ping devices deployed on the local network of the other site, please refer to this article for more information.
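    A pre-flight check that catches the conditions listed in the steps above (IPsec ports forwarded to a client, a DMZ host, a shared PSK, mismatched PSKs and overlapping subnets), added here as an example and not Synology's own code. SRM does not export its settings in this shape: the dictionary fields and the sample values are constructed for illustration.

```python
import ipaddress

# UDP ports that IPsec (IKE and NAT-T) must reach on the router itself.
IPSEC_PORTS = {500, 4500}


def find_site_to_site_issues(site_a, site_b):
    """Return a list of settings that would keep the tunnel stuck at 'Connecting'."""
    issues = []
    for site in (site_a, site_b):
        name = site["name"]
        # Port forwarding check: UDP 500/4500 must terminate on the router, not a LAN client.
        for rule in site.get("port_forwarding", []):
            if rule["protocol"].upper() == "UDP" and rule["port"] in IPSEC_PORTS:
                issues.append(f"{name}: UDP {rule['port']} is forwarded to client {rule['to']}")
        # DMZ check: a DMZ host receives the unsolicited IPsec traffic instead of the router.
        if site.get("dmz_host"):
            issues.append(f"{name}: DMZ host {site['dmz_host']} will receive the IPsec traffic")
        # PSK reuse check: Site-to-Site and L2TP both run over IPsec, so their PSKs must differ.
        if site.get("l2tp_psk") and site["l2tp_psk"] == site["site_to_site_psk"]:
            issues.append(f"{name}: Site-to-Site PSK is identical to the L2TP PSK")
    # Consistency check: both routers must be configured with the same tunnel PSK.
    if site_a["site_to_site_psk"] != site_b["site_to_site_psk"]:
        issues.append("Site-to-Site PSK differs between the two routers")
    # Subnet check: overlapping LANs cannot be routed through the tunnel.
    net_a = ipaddress.ip_network(site_a["lan_subnet"], strict=False)
    net_b = ipaddress.ip_network(site_b["lan_subnet"], strict=False)
    if net_a.overlaps(net_b):
        issues.append(f"LAN subnets {net_a} and {net_b} overlap")
    return issues


# Constructed sample: the branch router forwards UDP 4500 to a client, reuses the
# tunnel PSK for L2TP, and its LAN overlaps with the HQ LAN.
SITE_A = {"name": "HQ", "lan_subnet": "192.168.1.0/24", "site_to_site_psk": "tunnel-psk",
          "l2tp_psk": "l2tp-psk", "port_forwarding": [], "dmz_host": None}
SITE_B = {"name": "Branch", "lan_subnet": "192.168.1.128/25", "site_to_site_psk": "tunnel-psk",
          "l2tp_psk": "tunnel-psk",
          "port_forwarding": [{"protocol": "udp", "port": 4500, "to": "192.168.1.200"}],
          "dmz_host": None}

if __name__ == "__main__":
    for issue in find_site_to_site_issues(SITE_A, SITE_B):
        print(issue)
```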
