[NEBULA] How to configure the Zyxel VPN client to Nebula Control Center ?

Zyxel_Chris Posts: 674  Zyxel Employee
First Anniversary 10 Comments Friend Collector First Answer
edited June 2023 in Nebula Security Gateway

Since Nebula phase 8.1 we have support IPSec VPN client which allow you to connect your devices at home to a VPN server at your work place.

Figure 1 Connect IPSec VPN tunnel via home


In this scenario client can still connect to the tunnel even it uses private IP (located behind the NAT gateway). On the other hand, if your NSG is located behind the NAT gateway then please remember to set port forwarding on UDP 4500 and 500 on it (NAT gateway) and also remember to configure NAT traversal. (NAT-T)

Configure Setting

You will need to download and install Zywall IPSec VPN client in Zyxel download library, this application which can fulfill the scenario of client to server VPN.

1     In Configure>security gateway>Remote access VPN select client VPN server as IPSec client and also notice the pool size you have configure. For instance, if subnet is /32, it means only 1 host can reach to the server.

2     Create VPN client user in Organization-wide>Organization-wide manage>Cloud authentication if your auth. type is Nebula Cloud Authentication.

3     Back to the IPSec VPN client application right click on IKEv1Gateway and create New VPN Connection.

4    Enable Mode Config and X-Auth Popup in IKEv1 Gateway (In Advanced tab).

5     In Authentication tab specify the Encryption/Auth. Key group proposal to 3DES, SHA-1 and DH2, also type the NSG public IP in Remote Gateway.

6    In IKev1 Tunnel tab (phase 2) same proposal setting as the IKev1 Gateway.

Test the Result

1     Connecting the tunnel, should pop-up the login credential.

2. In your computer, the command “ipconfig/all” and find TheGreenBow Virtual Miniport Adapter that has the IP address from NSG’s VPN subnet.

What Could Go Wrong?

1     Confirm if the subnet pool size in Remote access VPN is enough for the LAN user.

2     Disable the service of “IKE and AuthIP IPsec Keying Modules” and then try again.