[NEBULA] How to establish Site to Site IPSec VPN between Nebula and Non-Nebula devices?

Zyxel_CSO Posts: 378  Zyxel Employee
The following is an example of how to set up a site-to-site VPN between a Nebula device (NSG100) and a Non-Nebula device (USG200).

Nebula Device Configuration

1. Go to Configure > Security gateway > Site-to-Site VPN


2. Go to Gateway > Configure > Site-to-Site VPN > Outgoing Interface to choose the WAN interface
Local networks > Toggle on LAN1

3. In the Non-Nebula VPN peers section, click Add to create an entry.
Provide a name, the Non-Nebula device's public IP (WAN IP), the Remote Private Subnet, and set a preshared secret for authentication between the two devices.

The IPsec policy can be customized to match the Non-Nebula device, with four modes:
  • Custom
  • Default
  • Azure policy-based
  • Azure static route
  • AWS

Custom IPsec Policy

Phase 1
  • IKE version
  • Encryption
  • Authentication
  • Diffie-Hellman group
  • Lifetime (seconds)
  • Mode
  • Local ID
  • Peer ID
Phase 2
  • Set 1 to 3 proposals for Encryption and Authentication
  • PFS group
  • Lifetime (seconds)


Ensure that the default IPsec protocol and modes below are the same on the Nebula and Non-Nebula devices before establishing the VPN tunnel; they are default settings and cannot be configured in NCC.

IKE Phase 1
  • Main Mode
IKE Phase 2
  • IPsec Protocol: ESP (Encapsulating Security Payload)
  • Encapsulation Mode: Transport mode

Non-Nebula Device Configuration (Ex: USG200)

5. Confirm WAN/LAN IPs
Go to Configuration > Network > Interface > Ethernet

6. Create Remote network subnet address
  • Go to Configuration > Object > Address/Geo IP > Address > Add > Select Address Type: SUBNET
  • Specify remote LAN subnet address (ex: NSG100)

7. Configure VPN Gateway page
  • Configuration > VPN > IPSec VPN > VPN Gateway > Add
  • Provide a VPN Gateway Name
  • On Peer Gateway Address, select Static Address > Primary and enter the remote WAN IP (ex: NSG100)
  • On Authentication, enter the same Pre-Shared Key as the preshared secret set earlier in NCC

8. Configure VPN Connection page
  • Configuration > VPN > IPSec VPN > VPN Connection > Add
  • Select Site-to-Site under Application Scenario
  • Select the VPN Gateway that was just created in Step 7
  • Select the Local and Remote policy to map the two LANs via the VPN

9. Connect to IPSec VPN
  • Configuration > VPN > IPSec VPN > VPN Connection > Click Connect
  • The Connect icon changes from greyed out to colored once the IPsec VPN is connected successfully

10. Result of VPN establishment on NCC
Go to Security gateway > Monitor > VPN connections; it displays the VPN site connection between the Nebula and Non-Nebula devices.

P.S. The configuration in Steps 5 to 9 depends on the third-party device; settings differ between devices, so refer to the device's user manual for details.
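
A pre-flight check for the consistency requirement above, as an added example that is not part of the original post or Zyxel's own code: it compares the settings entered on both sides and lists what does not line up. Field names and sample values are hypothetical and constructed; the mode, protocol and encapsulation values follow the defaults listed on this page.

```python
from ipaddress import ip_network

# Field names are hypothetical; they mirror the policy fields listed on this page.
MUST_MATCH = {
    "phase1": ("ike_version", "encryption", "authentication", "dh_group", "mode"),
    "phase2": ("ipsec_protocol", "encapsulation", "pfs_group"),
}

def nets(cidrs):
    # strict=False normalizes host-style input such as 192.168.2.1/24
    return {ip_network(c, strict=False) for c in cidrs}

def check_tunnel(nebula, peer):
    """Return a list of mismatches between the two peers' settings."""
    problems = []
    for phase, keys in MUST_MATCH.items():
        for key in keys:
            if nebula[key] != peer[key]:
                problems.append(f"{phase} {key}: {nebula[key]} != {peer[key]}")
    # IDs are mirrored: one side's Local ID is the other side's Peer ID.
    if (nebula["local_id"], nebula["peer_id"]) != (peer["peer_id"], peer["local_id"]):
        problems.append("ids: Local ID / Peer ID are not mirrored")
    # At least one (encryption, authentication) proposal must be shared.
    if not set(nebula["p2_proposals"]) & set(peer["p2_proposals"]):
        problems.append("phase2 proposals: none in common")
    # Each side's local networks must be the other side's remote subnets.
    mirrored = (nets(nebula["local_nets"]) == nets(peer["remote_nets"])
                and nets(nebula["remote_nets"]) == nets(peer["local_nets"]))
    if not mirrored:
        problems.append("subnets: local/remote networks are not mirrored")
    return problems

# Constructed sample values (documentation addresses), not taken from a real device.
NEBULA = {"ike_version": 1, "encryption": "aes256", "authentication": "sha256",
          "dh_group": 14, "mode": "main", "ipsec_protocol": "esp",
          "encapsulation": "transport", "pfs_group": 14,
          "local_id": "203.0.113.10", "peer_id": "203.0.113.20",
          "p2_proposals": [("aes256", "sha256")],
          "local_nets": ["192.168.1.0/24"], "remote_nets": ["192.168.2.0/24"]}
PEER_OK = {**NEBULA, "local_id": "203.0.113.20", "peer_id": "203.0.113.10",
           "local_nets": ["192.168.2.1/24"], "remote_nets": ["192.168.1.0/24"]}
PEER_BAD = {**PEER_OK, "dh_group": 2, "encapsulation": "tunnel",
            "p2_proposals": [("3des", "sha1")], "remote_nets": ["192.168.10.0/24"]}

if __name__ == "__main__":
    for name, peer in (("PEER_OK", PEER_OK), ("PEER_BAD", PEER_BAD)):
        print(name, check_tunnel(NEBULA, peer) or "consistent")
```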