[NEBULA] How to establish Site to Site IPSec VPN between Nebula and Non-Nebula devices ?

Zyxel_CSO
Posts: 444
Zyxel Employee





The following is an example to setup site to site VPN between Nebula device(NSG100) and Non-Nebula device(ZyWall USG 200)
Nebula Device Configuration
1. Go to Configure > Security gateway > Site-to-Site VPN

2. Go to Gateway > Configure > Site-to-Site VPN > Outgoing Interface to choose WAN interface
Local networks > Toggle on LAN1
3. For Non-Nebula VPN peers section, click Add to create entry.
Provide a name, Non-Nebula Public IP (WAN IP), Remote Private Subnet and setup preshared security for authentication between them

IPsec policy can be customized based on Non-nebula devices with four modes
Custom IPsec Policy
Phase 1
Please ensure that default VPN IPsec protocol and modes are consistent between Nebula and Non-Nebula devices prior to establishing a VPN Tunnel since they are default setting and cannot be configurable on NCC
IKE Phase 1
Non-Nebula Device Configuration (Ex: ZyWall USG 200)
5. Confirm WAN/LAN IPs
    Go go Configuration > Network > Interface > Ethernet

6. Create Remote network subnet address
7.Configure VPN Gateway page
8. Configure VPN Connection page
9. Connect to IPSec VPN
10. Result of VPN establishment on NCC
Go to Security gateway > Monitor > VPN connections, it will display VPN Site connection between nebula and non-nebula devices.

P.S. The configuration from Step 5 to Step 9 is subject to third-party devices, that means settings are different and required more detailed information in their user manuals.

Nebula Device Configuration
1. Go to Configure > Security gateway > Site-to-Site VPN

2. Go to Gateway > Configure > Site-to-Site VPN > Outgoing Interface to choose WAN interface
Local networks > Toggle on LAN1
3. For Non-Nebula VPN peers section, click Add to create entry.
Provide a name, Non-Nebula Public IP (WAN IP), Remote Private Subnet and setup preshared security for authentication between them

IPsec policy can be customized based on Non-nebula devices with four modes
- Custom
- Default
- Azure policy-based
- Azure static route
- AWS

Custom IPsec Policy
Phase 1
- IKE version
- Encryption
- Authentication
- Diffie-Hellman group
- Lifetime (seconds)
- Mode
- Local ID
- Peer ID
- Set1 to 3 proposals for Encryption and Authentication
- PFS group
- Lifetime (seconds)



Please ensure that default VPN IPsec protocol and modes are consistent between Nebula and Non-Nebula devices prior to establishing a VPN Tunnel since they are default setting and cannot be configurable on NCC
IKE Phase 1
- Main Mode
- IPsec Protocol: ESP (Encapsulation Security Protocol)
- Encapsulation Mode: Transport mode
Non-Nebula Device Configuration (Ex: ZyWall USG 200)
5. Confirm WAN/LAN IPs
    Go go Configuration > Network > Interface > Ethernet

6. Create Remote network subnet address
- Go to Configuration > Object > Address/Geo IP > Address > Add > Select Address Type: SUBNET
- Specify remote LAN subnet address (ex: NSG100)

7.Configure VPN Gateway page
- Configuration > VPN > IPSec VPN > VPN Gateway > Add
- Provide a VPN Gateway Name
- On Peer Gateway Address, specify Static Address > Primary for remote WAN IP (ex: NSG100)
- On Authentication, enter Pre-Shared key as same as Preshared secret on previous NCC setting

8. Configure VPN Connection page
- Configuration > VPN > IPSec VPN > VPN Connection > Add
- Select Site-to-Site under Application Scenario
- Select VPN Gateway that just created in Step 7
- Select Local and Remote policy to map two LANs via VPN

9. Connect to IPSec VPN
- Configuration > VPN > IPSec VPN > VPN Connection > Click Connect
- Connect icon will turn into colorful from greyed out if IPsec VPN is connected successfully

10. Result of VPN establishment on NCC
Go to Security gateway > Monitor > VPN connections, it will display VPN Site connection between nebula and non-nebula devices.

P.S. The configuration from Step 5 to Step 9 is subject to third-party devices, that means settings are different and required more detailed information in their user manuals.
Zyxel Nebula Support
Tagged:
0
Categories
- All Categories
- 415 Beta Program
- 2.5K Nebula
- 152 Nebula Ideas
- 102 Nebula Status and Incidents
- 5.8K Security
- 300 USG FLEX H Series
- 283 Security Ideas
- 1.5K Switch
- 77 Switch Ideas
- 1.1K Wireless
- 42 Wireless Ideas
- 6.5K Consumer Product
- 254 Service & License
- 396 News and Release
- 85 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.7K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 87 About Community
- 76 Security Highlight