Full VPN tunnel from FlexH 1.32 FW to Nebula Org firewall

GiuseppeR

Hello everyone,

I have a FlexH configured on prem since months ago but where it is installed I have limited connection, blocked ports and useless filters.

I need to create a full tunnel VPN with another Org that I have configured on Nebula so all the traffic from the FlexH goes to that Org in Nebula where I have NO filters outbound applied and then the FlexH could go on internet free and happy.

Is it possible to do that?

PeterUK

Are outbound ports UDP 500 and 4500 (if direct WAN to WAN protocol 50) allowed where you are? and this Org allows inbound ports UDP 500 and 4500 (if direct WAN to WAN protocol 50)?

GiuseppeR

FlexH is ORG1.

Nebula receiver is ORG2.

The ORG2 can use all the open ports needed, it has also static Public IPs with 2 FTTHs.

I manage it on Nebula and it works fine since 3 years.

If you can link me a guide to setup ORG1 to full VPN tunnel via ORG2 I can check other ports outbound on ORG1.

Thanks in advance

PeterUK

So do both ends have FLEX H?

A VTI (Route-based) would do what you want if ORG1 can connect out to ORG2 for out going traffic for ORG1.

GiuseppeR

No, ORG2 has a standard Flex 200 managed in Nebula.

ORG2 has 2 WANs with FTTH free and full open.

Is it possible to set a full tunnel VPN on ORG2 via WAN2 created on Nebula and started from Flex 100H on ORG1?

I never used VTI on FlexH: is it a sort of rule to route all the traffic as Next-Hop via VPN?

Zyxel_Melen

Hi @GiuseppeR,

If another firewall is USG FLEX/ATP, please reference this FAQ to set auto-link VPN to connect USG FLEX H.

How to configure Auto-Link VPN on Nebula? — Zyxel Community

In addition, for your scenario, you will need to use custom preset which allows you to set VTI interface.

Once the VPN is connected, you will need to add policy route rule for LAN interfaces and ZyWall (if needed).