-
How to Add a Second WAN Interface for VPN Failover on Nebula?
Question: How can I add a second WAN interface for VPN failover on my Nebula CC? Answer: To add a second WAN interface for VPN failover on your Nebula CC, follow these steps: * Navigate to Site-wide > Configure > Firewall > Site-to-Site VPN. * Change the outgoing interface to auto and set WAN 1 as the preferred link. * If…
-
Why Smart VPN does not work
Scenario: You have an on-cloud firewall and are trying to establish a Non-Nebula VPN using the Smart VPN function, but there are no negotiation packets; it seems the function is not enabled. Answer: Please verify that you have enabled "Nebula VPN enable". Feel free to reach out for further assistance if the issue persists.
-
How to troubleshoot the message "no proposal chosen" when it appears in event logs?
Question: How to troubleshoot the message "no proposal chosen" when it appears in event logs? Answer: Site-to-Site VPN (both sites are Nebula firewalls): On Nebula, there is no configuration for the phase 1 and phase 2 proposals in Site-to-Site VPN. You can check the phase 1 and phase 2 proposals using a command via SSH. [ATP/FLEX]…
-
Where is the option of Dead Peer Detection on Nebula?
Question: Where is the option of Dead Peer Detection on Nebula? Answer: DPD is enabled by default in Nebula, so you cannot see the option in Nebula.
-
How to reset 2-factor authentication for a Remote VPN user?
Scenario: I was trying to reset 2FA for a Remote VPN user, but the user has a new phone and I need to update this 2FA. How can I do it? Answer: Go to Site-wide > Configure > Cloud authentication, edit the user, tick "Email to user" and click Update User. The user will receive a new email for 2FA authentication, then the…
-
How to fix a non-Nebula VPN tunnel with Phase 2 policy mismatch
Scenario: I was trying to configure a non-Nebula VPN between two different Nebula orgs. The configuration was configured correctly, but the event logs show "Phase 2 policy mismatch". What happened? Answer: It could be that the remote subnet is mismatched. For Site_A, there are 3 local interfaces enabled for Site-to-Site VPN, and the…
-
[ATP/FLEX] How to Configure Multiple IP Segments Routing in Non-Nebula VPN scenario?
To connect remote LANs with a non-Nebula IPSec VPN, you need to set up a VTI interface in the "Non-Nebula VPN" settings. 1. Navigate to the Non-Nebula VPN settings and click the "IPSec Policy" setting button. Under VPN tunnel interface, enter a custom IP address for the VPN tunnel. 2. Set up routing policies for your VPN traffic…
-
[ATP/FLEX] How do I renew the IKEv2 certificate?
Question: How do I renew the IKEv2 certificate? Configuration steps: When the IKEv2 IPSec Client VPN certificate expires, follow these steps: Disable and enable IPSec remote VPN on the Nebula GUI. The firewall will re-generate a new certificate. Reinstall the new VPN script. Reboot the firewall. Note: Starting from 15th April 2024,…
-
[Nebula] Can I use a custom certificate for 2FA deployment on Nebula Remote Access IKEv2 VPN?
Question: Can I use a custom certificate for 2FA deployment on Nebula Remote Access VPN? Answer: The device's HTTPS uses a self-signed certificate and does not support importing third-party certificates. This limitation results in a certificate warning when accessing the 2FA screen, and using a custom certificate is not…
-
[ATP/FLEX] How do I view connected VPN users on Nebula?
Question: How do I view connected VPN users on Nebula? Answer: To view connected VPN users on Nebula, navigate to Monitor > Firewall > VPN Connections > Client to site VPN login account. This will display a list of currently connected VPN users. You can then view information such as the user's username, Assigned IP…
-
Why can only one user connect to the L2TP VPN tunnel?
Please make sure that your subnet settings have the correct subnet mask configuration. In most cases, users set it to /32, which means only one host can be connected.
-
Do I have to add extra security policies to ping across the IPSec VPN tunnel when the tunnel is connected?
Question: Currently, Nebula supports site-to-site, hub-spoke, and remote VPN services. Is it necessary for the user to add extra security policies to enable pinging across the IPSec VPN tunnel when it's connected? Answer: No, once the user creates site-to-site, hub-spoke, and remote VPN settings on Nebula, corresponding…
-
Remote Access VPN on USG LITE
Introduction: The latest update brings remote access VPN capabilities to the USG LITE series. The USG LITE series can now support secure remote access for users. This article highlights the differences between the remote access VPN features of USG LITE and firewall models. Key Differences…
-
[Nebula] Is it possible to allow GeoIP for VPN connection?
Question: How can I configure my VPN to only allow traffic from specific countries? Answer: You can set up a Policy Control rule to allow IKE/ESP traffic from specific countries. Here’s how you can do it: Navigate to Site-wide > Configure > Firewall > Security Policy. Create the necessary rules for the specific country:…
-
[Nebula] The status of the Site-to-Site VPN is up on Nebula but I am unable to ping the other site
Checking: 1) The firewall allows the related protocols by an implicit rule. Please ensure that you don't have a rule blocking Any to Device, and that you don't have a rule blocking the ESP protocol from Any to Device. The firewall cannot decrypt packets if ESP is not allowed. 2) Check that the private subnet is reachable.
-
Why can't my L2TP VPN connection connect from Windows to ATP/USG/NSG?
Sometimes, due to Microsoft patches, even with the same VPN settings, connections may not be established. Please try the settings as shown in the following figure. If it still doesn't work, please uncheck "Microsoft CHAP Version 2" and check "Unencrypted password" instead. The second thing you can check is to ensure that…
-
[ATP/FLEX] Unable to establish Nebula Site-to-Site VPN
Symptom: You are unable to establish a Nebula Site-to-Site VPN, but using the non-Nebula method works without problems. You find that there were fragmented packets when IKE negotiated. Workaround: This is because Nebula VPN establishes connections using certificates, which can cause issues with ISPs that have smaller MTUs. Please use a…
-
[Nebula] How to set up remote access VPN on an Android phone?
Question: I would like to use remote access VPN on my Android phone. How do I set up remote access VPN on an Android phone? Answer: Nebula remote access VPN supports StrongSwan for remote access VPN. We can easily download the StrongSwan configuration file and import it to the Android phone to establish remote access VPN.…
-
[Nebula] Where can I download the remote access VPN script?
Question: I would like to deploy remote access VPN for my client. My client has various OS types: Windows, macOS, iOS, and Android. Where can I download the remote access VPN script for deployment? Answer: The remote access VPN can be downloaded at Site-wide > Configure > Firewall > Remote Access VPN. Nebula supports the…
-
[ATP/FLEX] We have problems with L2TP over IPSec VPN on a Mac device.
Scenario: Users may encounter a situation in which they successfully establish an L2TP VPN connection using an Apple Mac device, but cannot ping or access the intranet hosts of the peer site. This article will guide you on how to resolve this issue. L2TP VPN server related settings on the Nebula: The Mac device successfully…