[NEBULA] How to establish Site to Site IPSec VPN between Nebula and Non-Nebula devices ?

Zyxel_CSO
Zyxel_CSO Posts: 378  Zyxel Employee
First Anniversary 10 Comments Friend Collector First Answer
The following is an example to setup site to site VPN between Nebula device(NSG100) and Non-Nebula device(USG200)
ms7g15qbbadu.jpg


Nebula Device Configuration

1. Go to Configure > Security gateway > Site-to-Site VPN

s7wwokp77lbe.png


2. Go to Gateway > Configure > Site-to-Site VPN > Outgoing Interface to choose WAN interface
Local networks > Toggle on LAN1

3. For Non-Nebula VPN peers section, click Add to create entry.
Provide a name, Non-Nebula Public IP (WAN IP), Remote Private Subnet and setup preshared security for authentication between them
fwmd693z9hny.jpg



IPsec policy can be customized based on Non-nebula devices with four modes
  • Custom
  • Default
  • Azure policy-based
  • Azure static route
  • AWS
w5s4ycxwac1g.jpg

Custom IPsec Policy

Phase 1
  • IKE version
  • Encryption
  • Authentication
  • Diffie-Hellman group
  • Lifetime (seconds)
Advanced
  • Mode
  • Local ID
  • Peer ID
Phase 2
  • Set1 to 3 proposals for Encryption and Authentication
  • PFS group
  • Lifetime (seconds)

ta9oz8w1p6ih.jpg
104qjcygxg0n.jpg
hpvm2ynj8k37.jpg

Please ensure that default VPN IPsec protocol and modes are consistent between Nebula and Non-Nebula devices prior to establishing a VPN Tunnel since they are default setting and cannot be configurable on NCC

IKE Phase 1
  • Main Mode
IKE Phase 2
  • IPsec Protocol: ESP (Encapsulation Security Protocol)
  • Encapsulation Mode: Transport mode

Non-Nebula Device Configuration (Ex: USG200)

5. Confirm WAN/LAN IPs
&nbsp&nbsp&nbsp Go go Configuration > Network > Interface > Ethernet
lexc7x5ea8r6.png


6. Create Remote network subnet address
  • Go to Configuration > Object > Address/Geo IP > Address > Add > Select Address Type: SUBNET
  • Specify remote LAN subnet address (ex: NSG100)
8aq8urimniig.png

7.Configure VPN Gateway page
  • Configuration > VPN > IPSec VPN > VPN Gateway > Add
  • Provide a VPN Gateway Name
  • On Peer Gateway Address, specify Static Address > Primary for remote WAN IP (ex: NSG100)
  • On Authentication, enter Pre-Shared key as same as Preshared secret on previous NCC setting
3wyekbqgzop5.png

8. Configure VPN Connection page
  • Configuration > VPN > IPSec VPN > VPN Connection > Add
  • Select Site-to-Site under Application Scenario
  • Select VPN Gateway that just created in Step 7
  • Select Local and Remote policy to map two LANs via VPN
rut5z8lb3mcd.png

9. Connect to IPSec VPN
  • Configuration > VPN > IPSec VPN > VPN Connection > Click Connect
  • Connect icon will turn into colorful from greyed out if IPsec VPN is connected successfully
pirix19lm89n.png

10. Result of VPN establishment on NCC
Go to Security gateway > Monitor > VPN connections, it will display VPN Site connection between nebula and non-nebula devices.
plotyc7evu2p.jpg


P.S. The configuration from Step 5 to Step 9 is subject to third-party devices, that means settings are different and required more detailed information in their user manuals.
Tagged: