-
[ATP/FLEX] How can I check if the iPhone L2TP VPN connection has access to the internal LAN network?
Scenario: You want the iPhone L2TP VPN connection to be able to reach the internal LAN network. Answer: Once L2TP is established successfully on the iPhone, navigate to Site-wide > Configure > Firewall > Interface to check the LAN interface IP address. You can use a third-party…
-
[ATP/FLEX] Support NAT-T customized IP in Remote Access VPN
As of Nebula Phase 17.20, the NAT-T feature is supported. With NAT Traversal set to "Auto", the domain name resolves to the public IP the firewall uses to connect to Nebula. With NAT Traversal set to "None", the domain name resolves to the WAN IP of the firewall. With this enhancement, administrators can deploy the VPN installation script…
-
[ATP/FLEX] Does ATP/FLEX Support RemoteAccess IKEV2 with Pre-Shared key?
ATP/FLEX only supports EAP for IKEv2 remote access VPN; pre-shared key authentication is currently not supported.
-
[ATP/FLEX] How to block specific GeoIP locations from establishing an IPsec VPN connection with your firewall?
Scenario: You want to block specific GeoIP addresses from establishing an IPsec VPN connection with your firewall, to harden your network services. How do you configure this? Answer: Navigate to Site-wide > Configure > Firewall > Security policy and add a security policy that denies UDP 500 and UDP…
-
[ATP/FLEX] How to configure a DNS server on the remote VPN site?
In this scenario, there are specific resources on a local domain at the HQ site, and the remote sites (branches) need to reach them. Set "This Gateway" as the DNS server for the branch firewall: go to Site-wide > Configure > Firewall > Interface, and select…
-
[ATP/FLEX] How to force WAN1 for NCAS authentication when WAN2 is up but has no internet connection?
Scenario: The USG FLEX/ATP has two WAN interfaces: WAN1 for internet access and WAN2 for a special intranet policy and static route purposes only. When WAN1 is used as the IPsec/L2TP remote VPN server, authenticated by NCAS (Nebula Cloud Authentication Server), there are instances…
-
[ATP/FLEX] How to configure the firewall for IPSec VPN server behind NAT router?
Topology: Nebula firewall (wan1: 192.168.1.34) ---- (lan1: 192.168.1.1) Router (wan: 61.222.x.y) ----- Internet ----- IPsec VPN client (IKEv2 client). On the router, create a NAT rule and open the IKE and NAT-T ports. NAT rule: External IP: 61.222.x.y; Internal IP: 192.168.1.34; Port mapping: IKE (UDP 500), NAT-T (UDP 4500). Firewall rule: Destination:…
-
[ATP/FLEX] Why is the L2TP VPN client disconnected after approximately 30 minutes?
Question: I set up L2TP over IPsec VPN with Nebula Cloud Authentication, and the L2TP VPN client is established successfully. Why is the L2TP VPN client disconnected after approximately 30 minutes? Answer: It may be related to the reauthentication setting. Go to Monitor > Firewall > Event log and check whether the log "re-auth…
-
[ATP/FLEX] How to check the phase 1 and phase 2 proposals of a Site-to-Site VPN?
Question: On Nebula there is no configuration for the phase 1 and phase 2 proposals in Site-to-Site VPN. How can I check the phase 1 and phase 2 proposals of a Site-to-Site VPN? Answer: Access the device via SSH and enter the command: Router> debug sdwan show vpn running-config
-
[ATP/FLEX] Can I use Windows native VPN client to establish VPN to the firewall on nebula?
Turn on "IPSec VPN server" or "L2TP VPN server" and click "Save". A download button for the Windows VPN configuration script then appears. Download the VPN script and execute the script file on Windows.
-
[ATP/FLEX] What does "Partial VPN connected" mean on VPN orchestrator?
The status "Partial VPN connected" means that not all VPN tunnels are connected successfully. For example, two spokes have WAN1 only, but WAN2 is enabled and "Auto" is selected as the outgoing interface in Site-to-Site VPN on one site. As a result, the VPN tunnel from the spoke's WAN2 fails to establish. It is considered as…
-
[ATP/FLEX] How to restrict L2TP VPN access using Geo IP?
Create two security policy rules. In the following example, only Geo IP "Taiwan" is allowed to establish L2TP VPN. First policy: action Allow, source: the allowed Geo IP, destination: Device, destination ports: 1701, 4500, 500. Second policy: action Deny, source: Any, destination: Device, destination ports: 1701, 4500, 500. The Allow rule must sit above the Deny rule, since the security policy is matched top-down.
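The allow-then-deny pattern above (and the UDP 500/4500 deny for IPsec in the GeoIP entry earlier on this page) is easy to get wrong by ordering the rules the other way or by leaving a port out of the deny rule. The following is an added example, not Zyxel or Nebula code: it models first-match evaluation of such a rule table so the pair can be sanity-checked before it is saved. The Rule and Packet shapes, the country names and the assumption that all three ports are UDP are assumptions made here.

```python
# Added example (not Zyxel/Nebula code): first-match model of the Geo IP
# allow/deny pair for the VPN service ports, with a checker for rule order
# and port coverage. Rule/packet fields and sample inputs are constructed.
from dataclasses import dataclass

# UDP 500 (IKE), 4500 (NAT-T) and 1701 (L2TP): the ports the two rules cite.
L2TP_PORTS = frozenset({500, 4500, 1701})
IPSEC_PORTS = frozenset({500, 4500})   # remote-access IKEv2 without L2TP


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src_geo: str           # Geo IP country, or "Any"
    dst: str               # "Device" means the firewall itself
    dst_ports: frozenset   # UDP destination ports (assumed UDP for all)


@dataclass(frozen=True)
class Packet:
    src_geo: str
    dst: str
    dst_port: int


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.src_geo in ("Any", pkt.src_geo)
            and rule.dst == pkt.dst
            and pkt.dst_port in rule.dst_ports)


def evaluate(rules, pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins, as a security policy table is walked top-down.
    `default` models the implicit action when nothing matches (an assumption)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return default


def geo_vpn_rules(allowed_geo: str, ports=L2TP_PORTS):
    """The two-rule pattern from the article: allow the chosen Geo IP, then deny Any."""
    return [Rule("allow", allowed_geo, "Device", ports),
            Rule("deny", "Any", "Device", ports)]


def check_geo_vpn_policy(rules, allowed_geo: str, ports=L2TP_PORTS,
                         other_geo: str = "Elsewhere", default: str = "deny"):
    """Return findings; an empty list means the policy behaves as intended:
    the allowed country reaches every VPN port and any other country reaches none."""
    findings = []
    for port in sorted(ports):
        if evaluate(rules, Packet(allowed_geo, "Device", port), default) != "allow":
            findings.append(f"{allowed_geo} cannot reach UDP {port}: check rule order")
        if evaluate(rules, Packet(other_geo, "Device", port), default) != "deny":
            findings.append(f"UDP {port} is still reachable from {other_geo}")
    return findings


if __name__ == "__main__":
    rules = geo_vpn_rules("Taiwan")
    print(check_geo_vpn_policy(rules, "Taiwan"))          # correct order: no findings
    print(check_geo_vpn_policy(rules[::-1], "Taiwan"))    # deny first: Taiwan blocked too
    print(check_geo_vpn_policy(rules[:1], "Taiwan", default="allow"))  # deny rule missing
```

Reversing the two rules blocks the allowed country as well, and dropping the Deny rule leaves the ports open from everywhere whenever the implicit policy for that zone permits the service; both mistakes show up as findings.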
-
[ATP/FLEX] Authentication fails with Cloud Authentication when using Remote Access VPN
Issue: Authentication fails with Cloud Authentication when connecting an IKEv2/L2TP VPN. Checks (path: Organization-wide → Organization-wide manage → Cloud authentication): 1) Check that "VPN access" is allowed for the user. 2) Check that the site has been added to Authorized. 3) Check that the login type is Username or Email.
-
What does the remote access VPN domain resolve to?
Question: What does the remote access VPN domain resolve to? Answer: The domain name is resolved to the WAN interface IP addresses rather than the public IP addresses. The priority is WAN1 first, then WAN2. It is updated automatically when the WAN interface IP addresses change. (With NAT Traversal set to "Auto", available from Nebula Phase 17.20, it resolves to the public IP instead; see the NAT-T entry above.)
-
[ATP/FLEX] Why does Remote Access VPN only allow one user to be connected at a time?
Why does Remote Access VPN only allow one user to be connected at a time? When another user connects, the current user is logged off. If the client address pool is set to 192.168.18.0/32, only one IP address is available in the IKEv2 client pool, so only one IKEv2 client can be connected to the site at a time. We suggest…
-
[ATP/FLEX] How to route all traffic to IPSec peer gateway
When a site-to-site VPN is configured between the Nebula firewall and the peer gateway, policy routes can be used to force the subnet of the Nebula firewall to access the Internet via the WAN connection of the peer gateway. The article explains how to configure a policy route on each device to route all traffic to the peer gateway.…
-
[ATP/FLEX] How to Set up VPN area and VPN topology on Nebula site-to-site VPN
First of all, you need a Nebula Professional Pack to use this feature. Nebula VPN Orchestrator provides a software-defined design to build a scalable VPN topology within an organization. You can create multiple VPN areas within an organization, and each area has its own sites and VPN topology. The users need Nebula…
-
[ATP/FLEX] How to establish Site-to-Site IPsec VPN between Nebula and non-Nebula devices
The following is an example of setting up a site-to-site VPN between a Nebula device (USG FLEX 100) and a non-Nebula device (USG40). The non-Nebula device USG40 (on-premises) has a public IP, but the Nebula device USG FLEX 100 is behind NAT. Configuration steps: Nebula device configuration (USG FLEX 100): Navigate to Configure > Firewall >…
-
[ATP/FLEX] How to Set up IKEv2 VPN tunnel and Authenticate with your RADIUS server on Nebula Gateway
Nebula Control Center provides a VPN solution that allows remote VPN users to connect VPN tunnels from the Internet. This guide assists in configuring an IKEv2 VPN tunnel and authenticating against an existing RADIUS domain server. Set up the external authentication server: go to Firewall > Configuration > Firewall Settings…
-
[ATP/FLEX] How to Set up IKEv1 VPN tunnel and Authenticate with your AD server on Nebula Gateway
Nebula Control Center provides a VPN solution that allows remote VPN users to connect VPN tunnels from the Internet. This guide assists in configuring an IKEv1 VPN tunnel and authenticating against an existing AD domain server. Set up the external authentication server: go to Configure > Firewall > Firewall settings and…