-
Site-to-Site VPN is disconnected after Nebula 18.30 is released
Question: Why is Site to site VPN disconnected after Nebula 18.30 is released? How to resolve this issue? Answer: It is a bug on Nebula 18.30. To resolve this issue, follow the steps to recover Site-to-Site VPN connection. Go to Configure > Firewall > Site-to-Site VPN. For Secondary interface, select "None". For Nebula…
-
Does the Zyxel firewall support NordVPN?
Question: Does Zyxel allow VPN client mode like NordVPN? Answer: No, it does not support this feature in the current design.
-
[ATP/FLEX] Why non-nebula VPNs only work with LAN1 while with LAN2 the tunnel does not work?
The non-Nebula VPN setting doesn't support for route multiple IP segments from local site to remote site. If you have multiple IP segments would like pass-through into VPN tunnel, you have to configure "VTI interface" and "policy route". You can refer to this article.
-
How do I manually add a VPN profile on an iPhone for an IKEv2 VPN connection with Nebula Firewall?
Question : How do I manually add a VPN profile on an iPhone for an IKEv2 VPN connection with Nebula Firewall? Answer : The user can not only import the .mobileconfig file downloaded from the firewall to the iPhone's IKEv2 VPN connection but also manually add an IKEv2 VPN profile on the iPhone. For example, the steps below…
-
How to Enable VPN Split Tunneling in SecuExtender VPN
Question: Is it possible to use split tunneling with SecuExtender VPN when using IKEv2, and how can we set it up? Answer: Yes, it is possible to enable split tunneling on the SecuExtender VPN client, although some manual configuration is required for VPN settings. Steps to Configure Split Tunneling: * Edit your VPN…
-
How to establish an VPN connection with the USG Lite 60 AX by the macOS Sonoma native VPN client?
Question : How to establish the VPN connection with the USG Lite 60 AX by the macOS Sonoma native VPN client? Answer : This article will guide you on how to establish an IKEv2 VPN connection with the USG Lite 60 AX using the macOS Sonoma native VPN client. Navigate to Site-wide> Configure > Cloud authentication > To add a…
-
How to establish an VPN connection with a Nebula firewall by the macOS Sonoma native VPN client?
Question : After updating to macOS Sonoma, if you cannot establish an IKEv2 VPN connection with the Nebula firewall, how do you resolve this problem? Answer : Since there are changes to the VPN Phase 1 and Phase 2 parameters for macOS Sonoma's native VPN client, please modify them accordingly to allow the remote VPN to…
-
[ATP/FLEX] How to test a ping from one site to the remote VPN site on Nebula firewall?
Question: How to test a ping from one site to the remote VPN site on Nebula firewall? Answer: Firstly, ensure the VPN tunnel is established. Then access SSH or console of one Nebula firewall. [ATP/FLEX] How to access SSH service of Nebula Firewall? On SSH or console, enter the command to ping the client located in the…
-
How to Add a Second WAN Interface for VPN Failover on Nebula?
Question: How can I add a second WAN interface for VPN failover on my Nebula CC? Answer: To add a second WAN interface for VPN failover on your Nebula CC, follow these steps: * Navigate to Site-wide > Configure > Firewall > Site-to-Site VPN. * Change the outgoing interface to auto and set WAN 1 as the preferred link. * If…
-
How to troubleshoot the message "no proposal chosen" when it appeares in event logs?
Question: How to troubleshoot the message "no proposal chosen" when it appeares in event logs? Answer: Site-to-Site VPN (Both sites are Nebula firewalls) On nebula, there is no configuration for phase 1 and phase 2 proposal in Site-to-Site VPN. You can check phase 1 and phase 2 proposal using command via SSH. [ATP/FLEX]…
-
Where is the option of Dead Peer Detection on Nebula?
Question: Where is the option of Dead Peer Detection on Nebula? Answer: DPD is enabled by default in Nebula, so you cannot see the option in Nebula.
-
Do I have to add extra security policies to ping IPSec VPN tunnel when IPSec VPN tunnel is connected
Question : Currently, Nebula supports site-to-site, hub-spoke, and remote VPN services. Is it necessary for the user to add extra security policies to enable pinging across the IPSec VPN tunnel when it's connected? Answer : No, once the user creates site-to-site, hub-spoke, and remote VPN settings on Nebula, corresponding…
-
[Nebula] Is it possible to allow GeoIP for VPN connection?
Question: How can I configure my VPN to only allow traffic from specific countries? Answer: You can set up a Policy Control rule to allow IKE/ESP traffic from specific countries. Here’s how you can do it: Navigate to Site-wide > Configure > Firewall > Security Policy. Create the necessary rules for the specific country:…
-
[Nebula] The status of Site to site VPN is up on Nebula but unable to ping the other site
Checking: 1)Firewall will allow related protocol by implicat rule, please ensure you don't have rule block Any to Device You don't have rule block ESP Protocol from any to Device. Firewall cannot decrypt packets without allowing ESP rule. 2)Check the Private Subnet is reachable.
-
[ATP/FLEX]Unable to establish Nebual Site to Site VPN
Symptom: You are unable to establish Nebula Site to Site VPN But using the non-nebula method is no problem. You find there were Fragmented packets when IKE negoiated. Workaround: This is because Nebula VPN establishes connections using certificates, which can cause issues with ISPs that have smaller MTUs. Please use a…
-
[ATP/FLEX] We have problems with VPN l2tp over ipsec on mac device.
Scenario : Users may encounter a situation which they successfully establish an L2TP VPN connection using an Apple Mac device, but cannot ping or access the intranet hosts of the peer site. This article will guide you on how to resolve this issue. L2TP VPN server related settings on the Nebula: The Mac device successfully…
-
[ATP/FLEX]When using Nebula VPN, the site-to-site VPN fail
Symptom: You have two firewalls in the same Org different Sites, The Site-to-Site VPN cannot build successfully. You will see many Fragmented packets within IKE negotiation Workaround: Due to Nebula VPN using certificates for establishment, negotiation packets include certificates. This may result in issues with ISPs…
-
[ATP/FLEX] How to configure a DNS server on the remote VPN site?
In this scenario, there are specific resources on a local domain in the HQ site and want to reach them from the remote sites (branches). Set "This Gateway" as the DNS server for the Branch Firewall Set "This Gateway" as the DNS server for the Branch Firewall Go to Site-wide > Configure > Firewall > Interface, and select…
-
[ATP/FLEX] What does "Partial VPN connected" mean on VPN orchestrator?
The status "Partial VPN connected" means not all VPN tunnels are connected successfully. For example, two Spokes have WAN1 only. However, WAN2 is enabled and select "Auto" outgoing interface in Site-to-Site VPN on one site. In the result, the VPN tunnel from spoke’s WAN2 will fail to establish. It is considered as…
-
What does the remote access VPN domain resolve to?
Question: What does the remote access VPN domain resolve to? Answer: The domain name is resolved to the WAN interface IP addresses instead of the Public IP addresses. The priority is WAN1 first, then WAN2. And yes, it would update automatically when the WAN interface IP addresses change.