Nebula site to site VPN between two USG lite 60AX

SistemistaDaRidere Posts: 10  Freshman Member

I'm very new to the Nebula environment, especially Nebula VPN. I was wondering if I can have two USG Lite 60AX, each one behind a NAT (I can solve this with 1:1 on the ISP router), and set up a Nebula VPN between the two of them.

My first choice was having one USG Lite 60AX and one USG FLEX 50 (NOT the H model) and setting up an IPsec site-to-site with dynamic peer on the FLEX 50, then using the Auto-Link VPN on the USG Lite 60AX, but doing some tests I found it very difficult to get it to work.


All Replies

  • Zyxel_Barry
    Zyxel_Barry Posts: 120  Zyxel Community Virtual Assistant

    Hi @SistemistaDaRidere,

    Yes, you can establish a Nebula site-to-site VPN between two USG LITE 60AX devices, even when they are behind NAT, provided you configure NAT traversal appropriately.

    Here's how to approach your setup:

    Initial Solution

    1. For two USG LITE 60AX devices with Nebula Site-to-Site VPN:

      • Enable Nebula VPN: On both USG LITE 60AX devices within the Nebula Control Center (NCC), navigate to Site-wide > Configure > Security router > Site-to-Site VPN.
      • Enable Nebula VPN: Turn on the "Nebula VPN enable" option.
      • Select VPN Topology: Choose "Site-to-Site" as the Nebula VPN topology.
      • Configure NAT Traversal: If your security routers are behind NAT (which they are in your scenario, even with 1:1 NAT), you need to enable NAT traversal. Go to "ADVANCED OPTIONS" and set the IP address type to "Custom" and select "WAN: Auto" under the NAT Traversal section. Ensure you configure the NAT traversal IP addresses in Nebula for proper connectivity.
      • Local Networks: For each site, ensure at least one LAN subnet has the 'Use VPN' option enabled to route traffic through the VPN.
      • Verification: After configuring both sites, the VPN connection should establish automatically. You can verify the connection status by navigating to Site-wide > Monitor > Security router > VPN connections in the Nebula Control Center.
    2. Regarding your previous attempt with USG LITE 60AX (Auto-Link VPN) and USG FLEX 50 (Dynamic Peer IPSec):

      • The USG LITE 60AX supports Auto-Link VPN (formerly called Non-Nebula VPN) for connecting to third-party or locally managed devices.
      • If you are establishing a VPN with a non-Nebula gateway, you typically need to use Auto-Link VPN.
      • A critical point for Auto-Link VPN with devices behind NAT is that Auto-Link VPN does not support NAT-Traversal, meaning you would need to set up port forwarding for UDP 500 and 4500 on the uplink router. This could explain why you found it difficult to get working.

    Information Collection Guide

    To provide further assistance, please provide the following details:

    • Organization and Site Name(s): In Nebula, go to Help > Support Request and enable Zyxel Support Access. Then, share your Organization and Site names. This will allow our support team to view your cloud configuration and assist more effectively.
    • Current Firmware Version: For both USG LITE 60AX devices.
    • Network Topology: A simple diagram showing how your USG LITE 60AX devices are connected to your ISP routers and how the 1:1 NAT is configured.
    • Screenshots: Any error messages or VPN connection status from the Nebula Control Center for the site-to-site VPN.

    This AI response aims to provide initial troubleshooting steps and identify information needed for further diagnosis. Feel free to share additional details based on the suggestions above — this will help community members offer more targeted assistance.
    If you have feedback or ideas about this AI assistant, share them in Community Feedback.
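
The checklist in the reply above can be expressed as a pre-flight check per site. This is an added example, not part of the reply and not Zyxel code; the dictionary keys, the sample addresses and the rule that a private or carrier-grade NAT WAN address means the gateway is behind NAT are assumptions of the example.

```python
import ipaddress

# RFC 1918 private space plus RFC 6598 carrier-grade NAT space: a WAN address
# in these ranges means the gateway sits behind NAT (assumption of this example).
NATTED = [ipaddress.ip_network(n) for n in
          ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

def behind_nat(ip):
    addr = ipaddress.ip_address(ip)      # ValueError on a malformed address
    return any(addr in net for net in NATTED)

def preflight(site):
    """Return the steps from the answer that are still open for one site.
    All dictionary keys are hypothetical names chosen for this example."""
    todo = []
    natted = behind_nat(site["wan_ip"])
    if site["vpn_type"] == "nebula":
        if not any(site["lans"].values()):
            todo.append("enable 'Use VPN' on at least one LAN subnet")
        nat_ip = site.get("nat_traversal_ip")
        if natted and (nat_ip is None or behind_nat(nat_ip)):
            todo.append("configure the NAT traversal IP address in Nebula")
    elif site["vpn_type"] == "auto-link":
        # Auto-Link VPN has no NAT-Traversal: the uplink router must forward IKE.
        missing = sorted({500, 4500} - set(site.get("forwarded_udp", ())))
        if natted and missing:
            todo.append("forward UDP " + "/".join(map(str, missing))
                        + " on the uplink router")
    else:
        raise ValueError("unknown vpn_type: %r" % site["vpn_type"])
    return todo

# Constructed sample sites (documentation and private addresses only).
SITE_A = {"wan_ip": "192.168.1.2", "vpn_type": "nebula",
          "nat_traversal_ip": None, "lans": {"192.168.10.0/24": True}}
SITE_B = {"wan_ip": "192.168.1.2", "vpn_type": "nebula",
          "nat_traversal_ip": "203.0.113.10", "lans": {"192.168.20.0/24": False}}
SITE_C = {"wan_ip": "100.64.3.9", "vpn_type": "auto-link",
          "forwarded_udp": {500}, "lans": {}}

if __name__ == "__main__":
    for name, site in (("A", SITE_A), ("B", SITE_B), ("C", SITE_C)):
        print(name, preflight(site) or "ready")
```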

  • Zyxel_Melen
    Zyxel_Melen Posts: 4,532  Zyxel Employee

    Hi @SistemistaDaRidere

    Two USG Lite 60AX, or a USG Lite 60AX and a USG FLEX 50, are supported for connecting via site-to-site VPN. Could you share which part you are having trouble with?

    For configuration, please refer to this FAQ first:

    [NEBULA] How to establish Site to Site IPSec VPN between Nebula and Non-Nebula devices ? — Zyxel Community

    For the connection issue, please help collect the IPSec VPN tunnel log on the USG Lite 60AX and the USG FLEX 50. We can help check which part has the issue.

    Zyxel Melen

