Nebula USG FLEX 100H remote access vpn

MarkoK · May 6

The customer has several offices that are connected with USG FLEX 100H firewalls via nebula.
we would like to make a remote access vpn, ike2 windows native client, through which we could also access other offices. this probably requires a policy route, but I haven't gotten it to work properly.
could I get instructions for this

MarkoK · May 8

it's workin

Thank you

Zyxel_Melen · May 11

Hi @MarkoK

IkeV2 split tunnel, please reference this FAQ:

Does the USG Flex H model support multiple split tunnels for the Windows native VPN client? — Zyxel Community

SSLVPN in the latest firmware version support multiple local networks for Split Tunnel mode. You can add the remote subnet directly.

Additionally, the remote site must add static route.

Zyxel_Melen · May 6

Hi @MarkoK

To better help you on this requirement, could you share the current VPN setting between each site?

Are you using Nebula SD-VPN? Or?

MarkoK · May 6

Are you using Nebula SD-VPN?

Nebula SD-VPN used

remote access vpn full tunnel

side a lan 192.168.200.1

side b lan 192.168.150.1

remote access vpn ip pooll 10.10.12.0/24

remote accees connect side a, and i want it can connect also side b lan

MarkoK · May 6

update

remote access connection works side a, but it canot connect side b

Zyxel_Melen · May 7

Hi @MarkoK

You need to setup static route on side b, so side b firewall knows where should it send the packet back to remote access vpn client.

Here is the setup steps (side a use test#1 as example, side b use test#2 as example):

Navigate to Nebula side b > Menu > Monitor > firewall > VPN connection. Find the VTI IP of side a.
Navigate to Menu > Site-wide > Configure > Firewall > Routing. Add the static routing rule like below.
Connect remote access VPN and ping side b. Test result should be success.