-
[Nebula] Is it possible to allow GeoIP for VPN connection?
Question: How can I configure my VPN to only allow traffic from specific countries? Answer: You can set up a Policy Control rule to allow IKE/ESP traffic from specific countries. Here’s how you can do it: Navigate to Site-wide > Configure > Firewall > Security Policy. Create the necessary rules for the specific country:…
-
[Nebula] The status of Site to site VPN is up on Nebula but unable to ping the other site
Checking: 1) The firewall allows the related protocols by an implicit rule. Please ensure you don't have a rule that blocks Any to Device, and that you don't have a rule that blocks the ESP protocol from any to Device. The firewall cannot decrypt packets unless the ESP rule is allowed. 2) Check that the private subnet is reachable.
-
Why can't my L2TP VPN connection connect from Windows to ATP/USG/NSG?
Sometimes, due to Microsoft patches, even with the same VPN settings, connections may not be established. Please try the settings as shown in the following figure. If it still doesn't work, please uncheck "Microsoft CHAP Version 2" and check "Unencrypted password" instead. The second thing you can check is to ensure that…
-
[ATP/FLEX] Unable to establish Nebula Site to Site VPN
Symptom: You are unable to establish a Nebula Site to Site VPN, but the non-Nebula method works without problems. You find fragmented packets during IKE negotiation. Workaround: This is because Nebula VPN establishes connections using certificates, which can cause issues with ISPs that have smaller MTUs. Please use a…
-
[Nebula] How to set up remote access VPN on Android phone?
Question: I would like to use remote access VPN on my Android phone. How do I set up remote access VPN on an Android phone? Answer: Nebula remote access VPN supports StrongSwan for remote access VPN. We can easily download the StrongSwan configuration file and import it to the Android phone to establish remote access VPN.…
-
[Nebula] Where can I download remote access VPN script?
Question: I would like to deploy remote access VPN for my client. My client has various OS types: Windows, macOS, iOS, and Android. Where can I download the remote access VPN script for deployment? Answer: The remote access VPN can be downloaded at Site-wide > Configure > Firewall > Remote Access VPN. Nebula supports the…
-
[ATP/FLEX] We have problems with L2TP over IPsec VPN on a Mac device.
Scenario: Users may encounter a situation in which they successfully establish an L2TP VPN connection using an Apple Mac device, but cannot ping or access the intranet hosts of the peer site. This article will guide you on how to resolve this issue. L2TP VPN server related settings on the Nebula: The Mac device successfully…
-
[Nebula] The window for 2FA does not launch when VPN is connected
Question: When the user uses the Windows native client to establish an IPSec VPN to the Nebula firewall, the window for 2FA does not launch and the Internet does not work. How can the 2FA page be accessed? Answer: If you're using the Windows native VPN client, 2FA does not pop up automatically. You need to open the browser and enter…
-
[ATP/FLEX] How to check the DNS name of the remote VPN server?
Scenario: Users may fail to establish the IPsec remote VPN connection with the Nebula firewall because the DNS names of the certificates are different. This article will guide you on how to check the DNS names of certificates on the firewall. Answer: Navigate to Site-wide > Configure > Firewall > Remote access VPN to…
-
[ATP/FLEX] How to check site-to-site VPN disconnection status in Nebula?
Scenario: The administrator may want to know how stable the site-to-site VPN is in Nebula. This article will guide you on how to check it. Answer: You can navigate to Site-wide > Monitor > Firewall > VPN connections to check the historical disconnection status. If there was a disconnection record, it would display a red…
-
[ATP/FLEX] When using Nebula VPN, the site-to-site VPN fails
Symptom: You have two firewalls in the same Org but in different Sites, and the Site-to-Site VPN cannot be built successfully. You will see many fragmented packets within the IKE negotiation. Workaround: Due to Nebula VPN using certificates for establishment, negotiation packets include certificates. This may result in issues with ISPs…
-
[ATP/FLEX] Why am I unable to access the internal LAN network through the remote VPN?
Scenario: The user may encounter an awkward situation in which a remote VPN connection (such as L2TP or IPsec VPN) is established successfully but the internal LAN network resources cannot be accessed. This article will outline possible reasons for this issue. Answer: Check the security policy to see whether the remote VPN IP range can access…
-
[ATP/FLEX] How can I check if the iPhone L2TP VPN connection has access to the internal LAN network?
Scenario: If you want the iPhone L2TP VPN connection to access the internal LAN network, you can refer to this article. Answer: Once you establish L2TP successfully on the iPhone, you can navigate to Site-wide > Configure > Firewall > Interface to check the LAN interface IP address. You can use a third-party…
-
[ATP/FLEX] Support NAT-T customize IP in Remote Access VPN
As of Nebula Phase 17.20, we support the NAT-T feature. With NAT Traversal set to "Auto", the domain name will resolve to the public IP used by the firewall to connect to Nebula. With NAT Traversal set to "None", the domain name will resolve to the WAN IP of the firewall. With this enhancement, the administrator can deploy the VPN installed script…
-
[ATP/FLEX] Does ATP/FLEX support Remote Access IKEv2 with Pre-Shared key?
ATP/FLEX only supports EAP for IKEv2 VPN. We don't support Pre-Shared key currently.
-
[ATP/FLEX] How to block GeoIP to establish IPsec VPN connection with your firewall?
Scenario: If you want to block specific GeoIP addresses from establishing an IPsec VPN connection with your firewall to enhance the security of your network services, how can you configure this? Answer: Please navigate to Site-wide > Configure > Firewall > Security policy and add a security policy to deny UDP 500, and UDP…
-
[ATP/FLEX] How to configure a DNS server on the remote VPN site?
In this scenario, there are specific resources on a local domain in the HQ site and you want to reach them from the remote sites (branches). Set "This Gateway" as the DNS server for the Branch Firewall: Go to Site-wide > Configure > Firewall > Interface, and select…
-
[ATP/FLEX] How to fix WAN1 for NCAS auth when WAN2 is UP but no internet connection?
Scenario: In a specific scenario, the USG Flex/ATP has two WAN interfaces: WAN1 for internet access and WAN2 for special intranet policy and static route purposes only. In this situation, when using WAN1 as the IPsec/L2TP remote VPN server authenticated by NCAS (Nebula Cloud Authentication Server), there are instances…
-
[ATP/FLEX] How to configure the firewall for IPSec VPN server behind NAT router?
Topology: Nebula firewall (wan1: 192.168.1.34)----(lan1: 192.168.1.1)Router(wan: 61.222.x.y)-----Internet-----IPSec VPN client (IKEv2 client). On the router, you need to create a NAT rule and open ports (IKE, NATT). NAT Rule: External IP: 61.222.x.y, Internal IP: 192.168.1.34, Port mapping: IKE, NATT. Firewall Rule: Destination:…
-
[ATP/FLEX] Why is the L2TP VPN client disconnected after approximately 30 minutes?
Question: I set up L2TP over IPSec VPN with Nebula Cloud Authentication and the L2TP VPN client is established successfully. Why is the L2TP VPN client disconnected after approximately 30 minutes? Answer: It may be related to the reauthentication setting. You can go to Monitor > Firewall > Event log and check if the log "re-auth…