[NEBULA] How to establish a Site-to-Site IPSec VPN between Nebula and Non-Nebula devices?

Nebula_CSO Posts: 136  Zyxel Employee
The following is an example of setting up a site-to-site VPN between a Nebula device (NSG100) and a non-Nebula device (USG200).
Nebula Device Configuration

1. Go to Gateway > Configure > Site-to-Site VPN

2. Go to Gateway > Configure > Site-to-Site VPN > Outgoing Interface and choose the WAN interface.
Local networks > Toggle on LAN1

3. In the Non-Nebula VPN peers section, click Add to create an entry.
Provide a name, the non-Nebula device's public IP (WAN IP) and the remote private subnet, and set a preshared secret for authentication between the two devices.

The IPsec policy can be chosen to suit the non-Nebula device, using one of four modes:
  • Custom
  • Default
  • Azure
  • AWS

Custom IPsec Policy

Phase 1
  • Encryption
  • Authentication
  • Diffie-Hellman group
  • Lifetime (seconds)
Phase 2
  • Set 1 to 3 proposals for Encryption and Authentication
  • PFS group
  • Lifetime (seconds)

Before establishing the VPN tunnel, make sure the following IPsec protocol and mode settings on the non-Nebula device match those of the Nebula device. They are default settings on Nebula and cannot be configured on NCC.

IKE Phase 1
  • Main Mode
IKE Phase 2
  • IPsec Protocol: ESP (Encapsulating Security Payload)
  • Encapsulation Mode: Transport mode

Non-Nebula Device Configuration (Ex: USG200)

5. Confirm WAN/LAN IPs
Go to Configuration > Network > Interface > Ethernet

6. Create an address object for the remote network subnet
  • Go to Configuration > Object > Address/Geo IP > Address > Add > Select Address Type: SUBNET
  • Specify remote LAN subnet address (ex: NSG100)

7. Configure VPN Gateway page
  • Configuration > VPN > IPSec VPN > VPN Gateway > Add
  • Provide a VPN Gateway Name
  • Under Peer Gateway Address, select Static Address and enter the remote WAN IP (ex: NSG100) as Primary
  • Under Authentication, enter the same Pre-Shared Key as the Preshared secret set earlier in NCC

8. Configure VPN Connection page
  • Configuration > VPN > IPSec VPN > VPN Connection > Add
  • Select Site-to-Site under Application Scenario
  • Select the VPN Gateway that was created in Step 7
  • Select the Local and Remote policy to map the two LANs via VPN

9. Connect to IPSec VPN
  • Configuration > VPN > IPSec VPN > VPN Connection > Click Connect
  • The Connect icon changes from greyed out to colored when the IPsec VPN is connected successfully

10. Result of VPN establishment on NCC
Go to Gateway > Monitor > VPN connection. It displays the VPN site connection between the Nebula and non-Nebula devices.

P.S. The configuration in Step 5 to Step 9 depends on the third-party device. Settings differ between devices, so refer to the device's user manual for more detailed information.
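
A pre-flight comparison of the two ends' settings, as an added example (not Zyxel code and not part of the original post): it checks the fixed Nebula modes listed above, the pre-shared secret, the mirrored WAN IPs and subnets, and the Phase 1/Phase 2 parameters. The dictionary keys, algorithm names, addresses and secret are constructed for illustration and are not read from either device.

```python
import copy
import ipaddress

# Fixed on the Nebula side per the post (not configurable in NCC).
NEBULA_FIXED = {"ike_mode": "main", "ipsec_protocol": "esp", "encapsulation": "transport"}

def check_tunnel(nebula, peer):
    """Return a list of settings that differ between the two tunnel ends."""
    problems = []
    for key, fixed in NEBULA_FIXED.items():
        if peer.get(key) != fixed:
            problems.append(f"{key}: peer uses {peer.get(key)!r}, Nebula is fixed to {fixed!r}")
    if nebula["psk"] != peer["psk"]:
        problems.append("psk: secrets differ")  # never print the secret itself
    # Each side's peer address / remote subnet must be the other side's WAN IP / local subnet.
    for a, b, label in ((nebula, peer, "nebula"), (peer, nebula, "peer")):
        if ipaddress.ip_address(a["peer_ip"]) != ipaddress.ip_address(b["wan_ip"]):
            problems.append(f"peer_ip: {label} points at {a['peer_ip']}, other WAN is {b['wan_ip']}")
        if ipaddress.ip_network(a["remote_subnet"]) != ipaddress.ip_network(b["local_subnet"]):
            problems.append(f"remote_subnet: {label} has {a['remote_subnet']}, other LAN is {b['local_subnet']}")
    for field in ("encryption", "authentication", "dh_group", "lifetime"):
        if nebula["phase1"][field] != peer["phase1"][field]:
            problems.append(f"phase1.{field}: {nebula['phase1'][field]} vs {peer['phase1'][field]}")
    # Phase 2 takes 1 to 3 proposals; at least one (encryption, authentication) pair must be shared.
    if not set(nebula["phase2"]["proposals"]) & set(peer["phase2"]["proposals"]):
        problems.append("phase2.proposals: no common encryption/authentication pair")
    for field in ("pfs_group", "lifetime"):
        if nebula["phase2"][field] != peer["phase2"][field]:
            problems.append(f"phase2.{field}: {nebula['phase2'][field]} vs {peer['phase2'][field]}")
    return problems

# Constructed sample values (documentation address ranges, placeholder secret).
NSG100 = {"wan_ip": "203.0.113.10", "peer_ip": "198.51.100.20", "psk": "EXAMPLE-SECRET",
          "local_subnet": "192.168.1.0/24", "remote_subnet": "192.168.2.0/24",
          "phase1": {"encryption": "aes128", "authentication": "sha1", "dh_group": 2,
                     "lifetime": 86400},
          "phase2": {"proposals": [("aes128", "sha1")], "pfs_group": None, "lifetime": 28800}}
USG200 = copy.deepcopy(NSG100)
USG200.update(wan_ip="198.51.100.20", peer_ip="203.0.113.10", local_subnet="192.168.2.0/24",
              remote_subnet="192.168.1.0/24", ike_mode="main", ipsec_protocol="esp",
              encapsulation="transport")

if __name__ == "__main__":
    for line in check_tunnel(NSG100, USG200) or ["all checked settings match"]:
        print(line)
```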