[ATP/FLEX] How to establish Site-to-Site IPsec VPN between Nebula and non-Nebula devices
![Zyxel_James](https://us.v-cdn.net/6029482/uploads/defaultavatar/nN4PAQRO7TCNP.jpg)
![](https://us.v-cdn.net/6029482/uploads/userpics/FN0BI9T10CTX/n6O940IZ5DEW6.png)
![First Anniversary](https://us.v-cdn.net/6029482/uploads/badges/SJKCAIG91R5S.png)
![10 Comments](https://us.v-cdn.net/6029482/uploads/badges/818CA6MI9BTU.png)
![Friend Collector](https://us.v-cdn.net/6029482/uploads/badges/HNJASEUSC535.png)
![First Answer](https://us.v-cdn.net/6029482/uploads/badges/OV6XOPPO8V59.png)
The following is an example of setup site-to-site VPN between Nebula device(USG FLEX 100) and non-Nebula device(USG40).
![](https://us.v-cdn.net/6029482/uploads/editor/b6/z0bxa7v47adg.png)
Non-Nebula device USG40(on-premises) has a public IP, but Nebula device USG FLEX 100 is behind NAT.
Configure Steps
Nebula Device Configuration (USG FLEX 100)
Navigate to Configure > Firewall > Site-to-Site VPN > Non-Nebula VPN peers, click +Add and configure the VPN profile.
Input USG40 Public IP, Remote Private subnet, and Pre-Shared Secret
Click IPsec Policy Default, configure Phase1 and Phase 2 parameters
![](https://us.v-cdn.net/6029482/uploads/editor/zf/wfp0c0l1cneb.png)
Non-Nebula Device Configuration (USG40)
Navigate to Configuration > VPN > IPsec VPN > VPN Gateway, click +Add to create a Gateway profile “NebulaFLEX100”
- Select IKEv1 as IKE version
- Select WAN1_ppp as My gateway address
- Input Pre-Shared Secret. It must be the same as Nebula device configuration
![](https://us.v-cdn.net/6029482/uploads/editor/f4/6pettrrl1rjq.png)
Scroll down to configure Phase1 parameters
Encryption: AES128, Authentication: SHA1, Key Group: DH2
Navigate to Configuration > VPN > IPsec VPN > VPN Connection, click +Add to create a Connection profile
- Select Remote Access(Server Role)
- Select the VPN Gateway profile “NebulaFLEX100”
- Select LAN1 subnet as Local Policy
![](https://us.v-cdn.net/6029482/uploads/editor/dl/todqbf3ncack.png)
Scroll down to configure Phase 2 parameters
Proposal 1: AES128, SHA1
Proposal 2: AES192, SHA256
PFS: DH2
Test Result
On Nebula Control Center, go to Monitor > Firewall > VPN connections to check VPN connection status
![Image: https://us.v-cdn.net/6029482/uploads/editor/ic/h9vntspolluj.png](https://us.v-cdn.net/6029482/uploads/editor/ic/h9vntspolluj.png)
On Non-Nebula device(on-premises), go to Monitor > VPN Monitor > IPsec to check VPN connection status
![Image: https://us.v-cdn.net/6029482/uploads/editor/tt/usexl00ej028.png](https://us.v-cdn.net/6029482/uploads/editor/tt/usexl00ej028.png)
Ping from USG FLEX 100 LAN1 device to USG40 LAN1 device
![Image: https://us.v-cdn.net/6029482/uploads/editor/wq/bpkkv2923k4z.png](https://us.v-cdn.net/6029482/uploads/editor/wq/bpkkv2923k4z.png)
Categories
- All Categories
- 413 Beta Program
- 2.3K Nebula
- 192 Nebula Ideas
- 87 Nebula Status and Incidents
- 5.3K Security
- 142 USG FLEX H Series
- 253 Security Ideas
- 1.3K Switch
- 75 Switch Ideas
- 993 Wireless
- 51 Wireless Ideas
- 6.1K Consumer Product
- 231 Service & License
- 362 News and Release
- 74 Security Advisories
- 23 Education Center
- 5 [Campaign] Zyxel Network Detective
- 2.6K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 101 About Community
- 67 Security Highlight