Full VPN tunnel from FlexH 1.32 FW to Nebula Org firewall

Hello everyone,
I have had a FlexH configured on prem for months, but where it is installed I have a limited connection, blocked ports and useless filters.
I need to create a full tunnel VPN with another Org that I have configured on Nebula so all the traffic from the FlexH goes to that Org in Nebula where I have NO filters outbound applied and then the FlexH could go on internet free and happy.
Is it possible to do that?
All Replies
-
Are outbound ports UDP 500 and 4500 (and, if direct WAN to WAN, protocol 50) allowed where you are? And does this Org allow inbound ports UDP 500 and 4500 (and, if direct WAN to WAN, protocol 50)?
-
FlexH is ORG1.
Nebula receiver is ORG2.
ORG2 can use all the open ports needed; it also has static public IPs with 2 FTTHs.
I manage it on Nebula and it has worked fine for 3 years.
If you can link me a guide to setup ORG1 to full VPN tunnel via ORG2 I can check other ports outbound on ORG1.
Thanks in advance
-
So do both ends have FLEX H?
A VTI (Route-based) would do what you want if ORG1 can connect out to ORG2 for outgoing traffic from ORG1.
-
No, ORG2 has a standard Flex 200 managed in Nebula.
ORG2 has 2 WANs with FTTH free and full open.
Is it possible to set up a full tunnel VPN on ORG2 via WAN2, created on Nebula and started from the Flex 100H on ORG1?
I have never used VTI on FlexH: is it a sort of rule that routes all the traffic with the VPN as next hop?
-
Hi @GiuseppeR,
If the other firewall is a USG FLEX/ATP, please refer to this FAQ on setting up an Auto-Link VPN to connect the USG FLEX H.
How to configure Auto-Link VPN on Nebula? — Zyxel Community
In addition, for your scenario, you will need to use the custom preset, which allows you to set a VTI interface.
Once the VPN is connected, you will need to add policy route rule for LAN interfaces and ZyWall (if needed).
Zyxel Melen
-
Hello @Zyxel_Melen
I set up Nebula:
with info from ORG1 (so the IP and subnet from FlexH).
Then, considering the ORG1 private network as 192.168.200.1/24, I also set up the VTI with a different subnet, using 192.168.201.1/24:
And I also created a specific LAN for ORG2 where I linked the VPN, using 192.168.202.1/24.
I have the VPN from ORG1 to ORG2 connected:
Nebula on ORG2 confirms it:
But I cannot create a VTI on ORG1 to route all the traffic:
So I cannot use the policy you told me to set from FlexH:
Have I missed something?
-
I do not use Nebula so you will have to work out how to set up the VTI, but here is how I did it.
I have a Zywall 110, so that would be ORG2.

VPN gateway
- IKEv1 or 2
- Gateway Settings
- My address: your WAN
- Static Address: your DDNS of ORG1
- Set Pre-Shared Key and Phase 1 to what you like; if IKEv1, use negotiation mode main

VPN connection
- VPN Gateway
- VPN Tunnel Interface: your VPN gateway
- Phase 2 to what you like

Interface VTI
- vti0
- zone IPSec_VPN
- VTI rule
- IP 10.168.138.13
- 255.255.255.240

Set a static route for the LAN of ORG1, in my case:
- 192.168.255.32
- 255.255.255.240
- interface vti0

Routing rule
- incoming VTI
- next hop WAN

On ORG2 I have a FLEX200H.
Setup VTI add:
- IKEv1 or 2 from ORG2
- custom, select Route-Based
- My address: your WAN interface
- Peer Gateway Address: DDNS of ORG2
- Zone IPSec_VPN
- Set Pre-Shared Key and Phase 1 and 2 to what you like, matching ORG2
- Phase 2 Initiation Nailed-up

VTI Setting
- IP 10.168.138.12
- 255.255.255.240

You have to set a Route Setting for Remote Subnet; this will not be needed, but you must set one, so:
- 127.255.0.1/30
^ you can delete this in static route after

Then add a routing rule:
- incoming your LAN
- next hop interface and select the vti_custom
- SNAT none
-
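PeterUK's steps above describe the three routing pieces a full tunnel over a VTI needs: the policy route on ORG1 that sends LAN traffic into the VTI with no SNAT, the routing rule on ORG2 that sends traffic arriving on the VTI out of its WAN, and the static route on ORG2 that points ORG1's LAN back into the VTI so replies can return. The Python below is an added example, not code from this thread or from Zyxel; it models those tables as a small lookup simulator and traces a packet from an ORG1 LAN host to an internet address together with its reply, once with the return route on ORG2 and once without it. The LAN subnets reuse the ones in the thread (192.168.200.0/24 for ORG1, 192.168.202.0/24 for ORG2); the interface names, the internet address, the assumption that policy routes are evaluated before the main routing table, and the SNAT on ORG2's WAN rule are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class PolicyRoute:
    """Policy route in the style of the thread: match the incoming interface, send out next_hop."""
    incoming: str
    next_hop: str
    snat: bool = False      # True = rewrite the source to the outgoing interface address


@dataclass(frozen=True)
class StaticRoute:
    """Static or connected route: destination prefix reachable via iface."""
    dest: ipaddress.IPv4Network
    iface: str


@dataclass
class Firewall:
    name: str
    policy_routes: list
    static_routes: list
    default_iface: str      # where traffic goes when nothing more specific matches (the WAN)

    def lookup(self, in_iface: str, dst: ipaddress.IPv4Address):
        """Return (outgoing interface, snat applied) for a packet.

        Assumption for this example: policy routes are checked first, then the
        longest-prefix static/connected route, then the default route.
        """
        for pr in self.policy_routes:
            if pr.incoming == in_iface:
                return pr.next_hop, pr.snat
        best = None
        for sr in self.static_routes:
            if dst in sr.dest and (best is None or sr.dest.prefixlen > best.dest.prefixlen):
                best = sr
        if best is not None:
            return best.iface, False
        return self.default_iface, False


# Interface names are assumed; subnets follow the thread.
ORG1_LAN = ipaddress.ip_network("192.168.200.0/24")
ORG2_LAN = ipaddress.ip_network("192.168.202.0/24")


def build_org1() -> Firewall:
    """ORG1 (FlexH): everything arriving on the LAN is pushed into the VTI, no SNAT."""
    return Firewall(
        name="ORG1",
        policy_routes=[PolicyRoute(incoming="lan1", next_hop="vti_custom", snat=False)],
        static_routes=[StaticRoute(ORG1_LAN, "lan1")],      # connected LAN
        default_iface="wan1",
    )


def build_org2(with_return_route: bool) -> Firewall:
    """ORG2: traffic arriving on the VTI leaves via WAN (SNAT assumed); optionally
    a static route pointing ORG1's LAN back into the VTI for the replies."""
    statics = [StaticRoute(ORG2_LAN, "lan1")]                # connected LAN
    if with_return_route:
        statics.append(StaticRoute(ORG1_LAN, "vti0"))        # PeterUK's static route
    return Firewall(
        name="ORG2",
        policy_routes=[PolicyRoute(incoming="vti0", next_hop="wan1", snat=True)],
        static_routes=statics,
        default_iface="wan1",
    )


def trace_full_tunnel(org1: Firewall, org2: Firewall, client: str, internet_host: str):
    """Follow one packet ORG1 LAN -> internet and its reply; return the list of hops."""
    client_ip = ipaddress.ip_address(client)
    dst_ip = ipaddress.ip_address(internet_host)
    hops = []
    out, _ = org1.lookup("lan1", dst_ip)
    hops.append(("ORG1", out))
    if out != "vti_custom":
        return hops                         # left via the local WAN: not a full tunnel
    out, snat = org2.lookup("vti0", dst_ip)
    hops.append(("ORG2", out))
    if out != "wan1" or not snat:
        return hops                         # private source on the internet: no reply possible
    # Reply arrives on ORG2's WAN; after un-NAT its destination is the client again.
    out, _ = org2.lookup("wan1", client_ip)
    hops.append(("ORG2-reply", out))
    if out != "vti0":
        return hops                         # reply follows the default route and is lost
    out, _ = org1.lookup("vti_custom", client_ip)
    hops.append(("ORG1-reply", out))
    return hops


def tunnel_works(with_return_route: bool, client="192.168.200.10", internet_host="203.0.113.7") -> bool:
    hops = trace_full_tunnel(build_org1(), build_org2(with_return_route), client, internet_host)
    return hops[-1] == ("ORG1-reply", "lan1")


if __name__ == "__main__":
    for flag in (True, False):
        print("return route on ORG2:", flag, "->",
              trace_full_tunnel(build_org1(), build_org2(flag), "192.168.200.10", "203.0.113.7"))
```

Running the block shows the reply reaching the client only when ORG2 holds the route for ORG1's LAN via the VTI; without it the reply takes ORG2's default route and never re-enters the tunnel, which is the symptom a black status icon and a failed ping would leave you with. The simulator matches policy routes on the incoming interface only; a real policy route on the box also carries a destination match, which you would use to keep ORG1-local traffic out of the tunnel.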
Hi @GiuseppeR,
It is more likely that you configured the site-to-site VPN as a policy-based VPN.
Please create a route-based VPN, which has the configuration option for the VTI interface. The VTI interface can't be created on the Network > Interface tab.
Here is a reference:
In addition, you may also reference @PeterUK configuration and create your own routing rules.
Zyxel Melen
-
Hello @Zyxel_Melen
I rewrote the VPN rule and now it is route-based; I have the VTI and I set the policy route:
but it did not ping, which is why the Status icon is black.
Am I missing something else on FlexH config?