H Series Firewalls: Site-to-Site VPN in Nebula vs. Local GUI
Zyxel Employee
Zyxel’s Nebula Control Center (NCC) now offers comprehensive VPN management for H Series firewalls, including both SD-VPN (Software-Defined VPN) and manual link VPN options.
This guide outlines key details and differences between cloud and local configuration, how to monitor VPN tunnels, and important tips for managing routing and interface visibility.
SD-VPN: Route-Based VPN
What is SD-VPN?
- SD-VPN is Nebula’s route-based VPN feature.
- It automatically forms tunnels between devices in the same organization when enabled.
- Supported devices include USG FLEX, ATP, and H Series firewalls.
SD-VPN must be configured in the Nebula Control Center. Local GUI configuration is not supported.
How to Monitor SD-VPN (Locally and via NCC)
Even though SD-VPN cannot be configured locally, status and tunnel information are visible:
In Local GUI:
- Go to: VPN > Status > IPsec Site-to-Site VPN
- You’ll see active VPN tunnels including Name and Remote ID
- Example: Name SA_BCCF41234567_11, Remote ID S202L12345678_11
- SA_"BCCF41234567”_11 is peer MAC address of cloud managed device
- “S202L12345678”_11 is peer serial number of cloud managed device
- SA_BCCF41234567_11 is Local/Remote WAN Interface ID (e.g., 1 = WAN1, 2 = WAN2)
Diagnostic Tools:
- show interface: Displays the VPN VTI (Virtual Tunnel Interface)
- show ipv4-routes zyxel table all: Confirms if traffic is routed through the VTI
- show config running: Reveals remote address (domain) used in tunnel creation
Use nslookup on the remote VPN domain to check for NAT traversal issues (e.g., private vs. public IP).
Manual Link VPN: Advanced Site-to-Site Configuration
Nebula also supports Manual Link VPN, which corresponds to the manual Site-to-Site VPN on local GUI.
Differences:
Cloud does not automatically sets phase 2 to policy to 0.0.0.0/0 when selecting route-based, in local GUI is automatically created.
VTI interface naming is customizable on creation: Nebula allows you to assign descriptive names to VPN Virtual Tunnel Interfaces (e.g., HeadOfficeVPN), making it easier to manage when multiple tunnels exist.
When configured via Nebula, administrators must manually create static routes for Manual Link VPN. In contrast, the local firewall automatically adds routing for manually configured VPNs.
Categories
- All Categories
- 431 Beta Program
- 2.6K Nebula
- 164 Nebula Ideas
- 112 Nebula Status and Incidents
- 6K Security
- 364 USG FLEX H Series
- 292 Security Ideas
- 1.5K Switch
- 78 Switch Ideas
- 1.2K Wireless
- 42 Wireless Ideas
- 6.6K Consumer Product
- 262 Service & License
- 407 News and Release
- 87 Security Advisories
- 31 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.9K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 83 Security Highlight