The Auto-Link VPN scenario

Zyxel_Kevin

Scenario:

When establishing a VPN with a third-party gateway (such as Check Point or FortiGate), you need to use auto-link VPN (previously called non-Nebula VPN).

However, after you complete the connection by following the default profile, the Phase 2 Local Policy contains only the first subnet, which may cause traffic from other subnets to be blocked.

For example:

In this case, the Local Policy will only be set to "192.168.1.0/24".

But you may also need to pass traffic from other subnets, such as 192.168.3.0/24.


Answer:

We recommend using a route-based VPN on Nebula.

1) Please modify the IPSec Policy "Custom".


Then specify the VPN tunnel interface.


In this case, the Local Policy will be "0.0.0.0/0". The firewall will allow other subnets into the tunnel after you complete the routing setup in the next step.

2) Click Routing, and set the correct Policy Route.

For example:

Source Address: 192.168.3.0/24

Destination Address: Peer Subnet

Next-hop: VPN profile
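
The difference between the two setups can be checked offline with a simplified model, added here as an illustration and not taken from Zyxel or Nebula. It assumes a constructed peer subnet (10.10.0.0/16), that the default profile's remote policy is that peer subnet, and that the route-based tunnel uses 0.0.0.0/0 on both sides; the function names are hypothetical.

```python
import ipaddress as ip

PEER_SUBNET = "10.10.0.0/16"  # constructed sample value, not from the post

def selector_allows(src, dst, local_policy, remote_policy):
    """Phase 2 check: source must be in the local policy, destination in the remote one."""
    return (ip.ip_address(src) in ip.ip_network(local_policy)
            and ip.ip_address(dst) in ip.ip_network(remote_policy))

def policy_route_hit(src, dst, routes):
    """Return the next hop of the first policy route matching src/dst, else None."""
    for r in routes:
        if (ip.ip_address(src) in ip.ip_network(r["source"])
                and ip.ip_address(dst) in ip.ip_network(r["destination"])):
            return r["next_hop"]
    return None

def enters_tunnel(src, dst, local_policy, remote_policy, routes=None):
    """routes=None models the default profile: the Phase 2 policy alone decides.
    With routes given (route-based VPN), a policy route must send the packet to
    the VPN profile, and the Phase 2 policy must still cover it."""
    if routes is not None and policy_route_hit(src, dst, routes) != "VPN profile":
        return False
    return selector_allows(src, dst, local_policy, remote_policy)

# Default profile: Local Policy holds only the first subnet.
DEFAULT_LOCAL = "192.168.1.0/24"

# Route-based setup from the answer: Local Policy 0.0.0.0/0 plus one policy route.
ROUTES = [{"source": "192.168.3.0/24",
           "destination": PEER_SUBNET,
           "next_hop": "VPN profile"}]

if __name__ == "__main__":
    cases = [
        ("default, 192.168.1.10", enters_tunnel("192.168.1.10", "10.10.0.5", DEFAULT_LOCAL, PEER_SUBNET)),
        ("default, 192.168.3.10", enters_tunnel("192.168.3.10", "10.10.0.5", DEFAULT_LOCAL, PEER_SUBNET)),
        ("route-based, 192.168.3.10", enters_tunnel("192.168.3.10", "10.10.0.5", "0.0.0.0/0", "0.0.0.0/0", ROUTES)),
        ("route-based, 192.168.5.10 (no route)", enters_tunnel("192.168.5.10", "10.10.0.5", "0.0.0.0/0", "0.0.0.0/0", ROUTES)),
    ]
    for label, result in cases:
        print(f"{label}: {'tunnel' if result else 'not tunneled'}")
```

With a 0.0.0.0/0 Local Policy, the policy routes are what scope the tunnel, so each source subnet that should reach the peer needs its own entry.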