-
How to establish an VPN connection with the USG Lite 60 AX by the macOS Sonoma native VPN client?
Question : How to establish the VPN connection with the USG Lite 60 AX by the macOS Sonoma native VPN client? Answer : This article will guide you on how to establish an IKEv2 VPN connection with the USG Lite 60 AX using the macOS Sonoma native VPN client. Navigate to Site-wide> Configure > Cloud authentication > To add a…
-
How to establish an VPN connection with a Nebula firewall by the macOS Sonoma native VPN client?
Question : After updating to macOS Sonoma, if you cannot establish an IKEv2 VPN connection with the Nebula firewall, how do you resolve this problem? Answer : Since there are changes to the VPN Phase 1 and Phase 2 parameters for macOS Sonoma's native VPN client, please modify them accordingly to allow the remote VPN to…
-
[ATP/FLEX] How to test a ping from one site to the remote VPN site on Nebula firewall?
Question: How to test a ping from one site to the remote VPN site on Nebula firewall? Answer: Firstly, ensure the VPN tunnel is established. Then access SSH or console of one Nebula firewall. [ATP/FLEX] How to access SSH service of Nebula Firewall? On SSH or console, enter the command to ping the client located in the…
-
How to Add a Second WAN Interface for VPN Failover on Nebula?
Question: How can I add a second WAN interface for VPN failover on my Nebula CC? Answer: To add a second WAN interface for VPN failover on your Nebula CC, follow these steps: * Navigate to Site-wide > Configure > Firewall > Site-to-Site VPN. * Change the outgoing interface to auto and set WAN 1 as the preferred link. * If…
-
How to troubleshoot the message "no proposal chosen" when it appeares in event logs?
Question: How to troubleshoot the message "no proposal chosen" when it appeares in event logs? Answer: Site-to-Site VPN (Both sites are Nebula firewalls) On nebula, there is no configuration for phase 1 and phase 2 proposal in Site-to-Site VPN. You can check phase 1 and phase 2 proposal using command via SSH. [ATP/FLEX]…
-
Where is the option of Dead Peer Detection on Nebula?
Question: Where is the option of Dead Peer Detection on Nebula? Answer: DPD is enabled by default in Nebula, so you cannot see the option in Nebula.
-
Do I have to add extra security policies to ping IPSec VPN tunnel when IPSec VPN tunnel is connected
Question : Currently, Nebula supports site-to-site, hub-spoke, and remote VPN services. Is it necessary for the user to add extra security policies to enable pinging across the IPSec VPN tunnel when it's connected? Answer : No, once the user creates site-to-site, hub-spoke, and remote VPN settings on Nebula, corresponding…
-
[Nebula] Is it possible to allow GeoIP for VPN connection?
Question: How can I configure my VPN to only allow traffic from specific countries? Answer: You can set up a Policy Control rule to allow IKE/ESP traffic from specific countries. Here’s how you can do it: Navigate to Site-wide > Configure > Firewall > Security Policy. Create the necessary rules for the specific country:…
-
[Nebula] The status of Site to site VPN is up on Nebula but unable to ping the other site
Checking: 1)Firewall will allow related protocol by implicat rule, please ensure you don't have rule block Any to Device You don't have rule block ESP Protocol from any to Device. Firewall cannot decrypt packets without allowing ESP rule. 2)Check the Private Subnet is reachable.
-
[ATP/FLEX]Unable to establish Nebual Site to Site VPN
Symptom: You are unable to establish Nebula Site to Site VPN But using the non-nebula method is no problem. You find there were Fragmented packets when IKE negoiated. Workaround: This is because Nebula VPN establishes connections using certificates, which can cause issues with ISPs that have smaller MTUs. Please use a…
-
[ATP/FLEX] We have problems with VPN l2tp over ipsec on mac device.
Scenario : Users may encounter a situation which they successfully establish an L2TP VPN connection using an Apple Mac device, but cannot ping or access the intranet hosts of the peer site. This article will guide you on how to resolve this issue. L2TP VPN server related settings on the Nebula: The Mac device successfully…
-
[ATP/FLEX]When using Nebula VPN, the site-to-site VPN fail
Symptom: You have two firewalls in the same Org different Sites, The Site-to-Site VPN cannot build successfully. You will see many Fragmented packets within IKE negotiation Workaround: Due to Nebula VPN using certificates for establishment, negotiation packets include certificates. This may result in issues with ISPs…
-
[ATP/FLEX] How to configure a DNS server on the remote VPN site?
In this scenario, there are specific resources on a local domain in the HQ site and want to reach them from the remote sites (branches). Set "This Gateway" as the DNS server for the Branch Firewall Set "This Gateway" as the DNS server for the Branch Firewall Go to Site-wide > Configure > Firewall > Interface, and select…
-
[ATP/FLEX] What does "Partial VPN connected" mean on VPN orchestrator?
The status "Partial VPN connected" means not all VPN tunnels are connected successfully. For example, two Spokes have WAN1 only. However, WAN2 is enabled and select "Auto" outgoing interface in Site-to-Site VPN on one site. In the result, the VPN tunnel from spoke’s WAN2 will fail to establish. It is considered as…
-
What does the remote access VPN domain resolve to?
Question: What does the remote access VPN domain resolve to? Answer: The domain name is resolved to the WAN interface IP addresses instead of the Public IP addresses. The priority is WAN1 first, then WAN2. And yes, it would update automatically when the WAN interface IP addresses change.
-
[ATP/FLEX] How to route all traffic to IPSec peer gateway
When site to site VPN is configured between Nebula Firewall and the peer
gateway, we can use policy routes to force the subnet of Nebula Firewall to
access the Internet via the WAN connection of the peer gateway. The article instructs
how to configure a policy route on each device to route all traffic to the peer
gateway.…
-
[ATP/FLEX] How to Set up VPN area and VPN topology on Nebula site-to-site VPN
First of
all, you need to have a Nebula Professional Pack to implement this feature. Nebula
VPN Orchestrator provides software-defined design to build scalable VPN
topology within an organization. We can create multiple VPN areas within an
organization and each area has its own sites and VPN topology. The users need
Nebula…
-
[ATP/FLEX] How to establish Site-to-Site IPsec VPN between Nebula and non-Nebula devices
The
following is an example of setup site-to-site VPN between Nebula device(USG
FLEX 100) and non-Nebula device(USG40). Non-Nebula
device USG40(on-premises) has a public IP, but Nebula device USG FLEX 100 is
behind NAT. Configure
Steps Nebula
Device Configuration (USG FLEX 100) Navigate
to Configure > Firewall >…
-
[ATP/FLEX] How to Set up IKEv2 VPN tunnel and Authenticate with your RADIUS server on Nebula Gateway
Nebula Control
Center provides a VPN solution that allows remote VPN users to connect VPN
tunnels from Internet. This guide will assist in the configuration IKEv2 VPN tunnel
and authenticate with existing RAIDUS domain server. Set
up external authentication server setting Go
to Firewall > Configuration > Firewall Settings…
-
[ATP/FLEX] How to Set up IKEv1 VPN tunnel and Authenticate with your AD server on Nebula Gateway
Nebula Control
Center provides a VPN solution that allows remote VPN users to connect VPN
tunnels from Internet. This guide will assist in the configuration IKEv1 VPN
tunenl and authenticating with exist AD domain server. Set
up external authentication server setting Go
to Configure > Firewall > Firewall settings and…