[NEBULA] How to establish a Site-to-Site IPSec VPN between Nebula and Non-Nebula devices?
Zyxel_CSO
Posts: 379 Zyxel Employee
The following example sets up a site-to-site VPN between a Nebula device (NSG100) and a non-Nebula device (USG200).
Nebula Device Configuration
1. Go to Configure > Security gateway > Site-to-Site VPN
2. Go to Gateway > Configure > Site-to-Site VPN > Outgoing Interface to choose WAN interface
Local networks > Toggle on LAN1
3. For Non-Nebula VPN peers section, click Add to create entry.
Provide a name, the Non-Nebula Public IP (WAN IP) and the Remote Private Subnet, and set up a preshared secret for authentication between them.
The IPsec policy can be customized to match the non-Nebula device, with four modes
- Custom
- Default
- Azure policy-based
- Azure static route
- AWS
Custom IPsec Policy
Phase 1
- IKE version
- Encryption
- Authentication
- Diffie-Hellman group
- Lifetime (seconds)
- Mode
- Local ID
- Peer ID
- Set 1 to 3 proposals for Encryption and Authentication
- PFS group
- Lifetime (seconds)
Before establishing the VPN tunnel, ensure that the default IPsec protocol and modes below are consistent between the Nebula and non-Nebula devices; these are default settings and cannot be configured on NCC.
IKE Phase 1
- Main Mode
- IPsec Protocol: ESP (Encapsulating Security Payload)
- Encapsulation Mode: Transport mode
Non-Nebula Device Configuration (Ex: USG200)
5. Confirm WAN/LAN IPs
    Go to Configuration > Network > Interface > Ethernet
6. Create Remote network subnet address
- Go to Configuration > Object > Address/Geo IP > Address > Add > Select Address Type: SUBNET
- Specify remote LAN subnet address (ex: NSG100)
7. Configure VPN Gateway page
- Configuration > VPN > IPSec VPN > VPN Gateway > Add
- Provide a VPN Gateway Name
- Under Peer Gateway Address, select Static Address > Primary and enter the remote WAN IP (ex: NSG100)
- Under Authentication, enter the same Pre-Shared Key as the preshared secret set on NCC earlier
8. Configure VPN Connection page
- Configuration > VPN > IPSec VPN > VPN Connection > Add
- Select Site-to-Site under Application Scenario
- Select the VPN Gateway created in Step 7
- Select Local and Remote policy to map two LANs via VPN
9. Connect to IPSec VPN
- Configuration > VPN > IPSec VPN > VPN Connection > Click Connect
- The Connect icon changes from greyed out to colored when the IPsec VPN connects successfully
10. Result of VPN establishment on NCC
Go to Security gateway > Monitor > VPN connections; it displays the VPN site connection between the Nebula and non-Nebula devices.
P.S. The configuration in Steps 5 to 9 depends on the third-party device: settings differ between devices, so consult the device's user manual for details.
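Most failed tunnels between the two sides come down to one value that was not entered identically, or not mirrored, on both devices. The following is an added example, not part of the original post and not a Zyxel tool: a small Python check that compares the settings you wrote down for each side before you click Connect. The field names are hypothetical labels modelled on the Custom IPsec Policy list above, and the addresses, proposals and secret are constructed sample values.

```python
import hmac
import ipaddress

# Hypothetical field names modelled on the Custom IPsec Policy list above.
MUST_MATCH = ("ike_version", "mode", "p1_encryption", "p1_authentication", "dh_group",
              "p1_lifetime", "p2_encryption", "p2_authentication", "pfs_group", "p2_lifetime")
# (field on one peer, field that must carry the same value on the other peer)
MIRRORED = (("local_id", "peer_id"), ("wan_ip", "peer_gateway"),
            ("local_subnet", "remote_subnet"))


def _norm(field, value):
    """Normalise so 192.168.1.0/24 and 192.168.1.0/255.255.255.0 compare equal."""
    if field.endswith("subnet"):
        return ipaddress.ip_network(value, strict=False)
    if field in ("wan_ip", "peer_gateway"):
        return ipaddress.ip_address(value)
    return str(value).strip().lower()


def compare_peers(a, b):
    """Return a list of mismatches between two peers' settings (empty list = consistent)."""
    problems = [f"{f}: {a[f]!r} vs {b[f]!r}" for f in MUST_MATCH
                if _norm(f, a[f]) != _norm(f, b[f])]
    for x, y in ((a, b), (b, a)):
        for mine, theirs in MIRRORED:
            if _norm(mine, x[mine]) != _norm(theirs, y[theirs]):
                problems.append(f"{x['name']}.{mine}={x[mine]!r} but "
                                f"{y['name']}.{theirs}={y[theirs]!r}")
        if _norm("local_subnet", x["local_subnet"]).overlaps(
                _norm("remote_subnet", x["remote_subnet"])):
            problems.append(f"{x['name']}: local and remote subnets overlap")
    # Compare secrets in constant time and never echo them into the report.
    if not hmac.compare_digest(a["psk"].encode(), b["psk"].encode()):
        problems.append("psk: pre-shared keys differ")
    return problems


# Constructed sample values (documentation address ranges, not from the original post).
COMMON = dict(ike_version="IKEv1", mode="Main", p1_encryption="AES256",
              p1_authentication="SHA256", dh_group="DH14", p1_lifetime=86400,
              p2_encryption="AES256", p2_authentication="SHA256", pfs_group="DH14",
              p2_lifetime=28800, psk="constructed-example-secret")
NSG = dict(COMMON, name="NSG100", wan_ip="203.0.113.10", peer_gateway="198.51.100.20",
           local_id="203.0.113.10", peer_id="198.51.100.20",
           local_subnet="192.168.1.0/24", remote_subnet="192.168.2.0/24")
USG = dict(COMMON, name="USG200", wan_ip="198.51.100.20", peer_gateway="203.0.113.10",
           local_id="198.51.100.20", peer_id="203.0.113.10",
           local_subnet="192.168.2.0/255.255.255.0", remote_subnet="192.168.1.0/24")

if __name__ == "__main__":
    print(compare_peers(NSG, USG) or "consistent")
```

An empty list means the two sides agree; the subnet checks also catch a Remote Private Subnet that was entered the same way round on both devices.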