[ATP/FLEX] How to establish Site-to-Site IPsec VPN between Nebula and non-Nebula devices

Zyxel_James
Zyxel_James Posts: 663  Zyxel Employee
Zyxel Certified Network Administrator - Security Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate 100 Answers
edited June 2023 in VPN

The following is an example of setup site-to-site VPN between Nebula device(USG FLEX 100) and non-Nebula device(USG40).


Non-Nebula device USG40(on-premises) has a public IP, but Nebula device USG FLEX 100 is behind NAT.

Configure Steps

Nebula Device Configuration (USG FLEX 100)

Navigate to Configure > Firewall > Site-to-Site VPN > Non-Nebula VPN peers, click +Add and configure the VPN profile.

Input USG40 Public IP, Remote Private subnet, and Pre-Shared Secret


Click IPsec Policy Default, configure Phase1 and Phase 2 parameters



Non-Nebula Device Configuration (USG40)

Navigate to Configuration > VPN > IPsec VPN > VPN Gateway, click +Add to create a Gateway profile “NebulaFLEX100”

  •  Select IKEv1 as IKE version
  •  Select WAN1_ppp as My gateway address
  • Input Pre-Shared Secret. It must be the same as Nebula device configuration

Scroll down to configure Phase1 parameters

Encryption: AES128, Authentication: SHA1, Key Group: DH2


Navigate to Configuration > VPN > IPsec VPN > VPN Connection, click +Add to create a Connection profile

  • Select Remote Access(Server Role)
  • Select the VPN Gateway profile “NebulaFLEX100”
  • Select LAN1 subnet as Local Policy

Scroll down to configure Phase 2 parameters

Proposal 1: AES128, SHA1

Proposal 2: AES192, SHA256

PFS: DH2


Test Result

On Nebula Control Center, go to Monitor > Firewall > VPN connections to check VPN connection status


On Non-Nebula device(on-premises), go to Monitor > VPN Monitor > IPsec to check VPN connection status


Ping from USG FLEX 100 LAN1 device to USG40 LAN1 device