How to establish a site-to-site IPSec VPN between Nebula and non-Nebula devices?

Nebula_CSO (Zyxel Official Agent)
edited October 15, 2018 3:32PM in Configurations
The following is an example of setting up a site-to-site VPN between a Nebula device (NSG100) and a non-Nebula device (USG200).


Nebula Device Configuration

1. Go to Gateway > Configure > Site-to-Site VPN



2. Go to Gateway > Configure > Site-to-Site VPN > Outgoing Interface and choose the WAN interface.
Under Local networks, toggle on LAN1.

3. In the Non-Nebula VPN peers section, click Add to create an entry.
Provide a name, the non-Nebula device's public IP (WAN IP), and the remote private subnet, and set a preshared secret for authentication between the two devices.


The IPsec policy can be set to match the non-Nebula device using one of four modes:
  • Custom
  • Default
  • Azure
  • AWS

Custom IPsec Policy

Phase 1
  • Encryption
  • Authentication
  • Diffie-Hellman group
  • Lifetime (seconds)
Phase 2
  • Set 1 to 3 proposals for Encryption and Authentication
  • PFS group
  • Lifetime (seconds)

Before establishing the VPN tunnel, make sure the following default IPsec protocol and mode settings are consistent between the Nebula and non-Nebula devices. They are default settings on the Nebula side and cannot be configured on NCC.

IKE Phase 1
  • Main Mode
IKE Phase 2
  • IPsec Protocol: ESP (Encapsulation Security Protocol)
  • Encapsulation Mode: Transport mode

Non-Nebula Device Configuration (Ex: USG200)

5. Confirm WAN/LAN IPs
   Go to Configuration > Network > Interface > Ethernet


6. Create the remote network subnet address
  • Go to Configuration > Object > Address/Geo IP > Address > Add > Select Address Type: SUBNET
  • Specify the remote LAN subnet address (ex: NSG100)

7. Configure the VPN Gateway page
  • Configuration > VPN > IPSec VPN > VPN Gateway > Add
  • Provide a VPN Gateway Name
  • On Peer Gateway Address, specify Static Address > Primary for the remote WAN IP (ex: NSG100)
  • On Authentication, enter the same Pre-Shared Key as the preshared secret set earlier on NCC

8. Configure VPN Connection page
  • Configuration > VPN > IPSec VPN > VPN Connection > Add
  • Select Site-to-Site under Application Scenario
  • Select the VPN Gateway that was just created in Step 7
  • Select the Local and Remote policies to map the two LANs via the VPN

9. Connect to IPSec VPN
  • Configuration > VPN > IPSec VPN > VPN Connection > Click Connect
  • The Connect icon changes from greyed out to colored when the IPsec VPN is connected successfully

10. Result of VPN establishment on NCC
Go to Gateway > Monitor > VPN connection. It displays the VPN site connection between the Nebula and non-Nebula devices.


P.S. The configuration in Step 5 to Step 9 depends on the third-party device. Settings differ between devices, so refer to the device's user manual for more detailed information.
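A pre-flight check for the consistency requirement above, as an added example that is not part of the original post or any Zyxel tool: it compares the settings entered on each side and lists mismatches before you click Connect. All field names, addresses, proposals and the minimum secret length are assumptions; the mode and protocol values are the ones listed in the post.

```python
from ipaddress import ip_network

# Fields that must match exactly on both peers (field names are hypothetical).
EXACT = ("ike_mode", "protocol", "encapsulation", "p1_encryption",
         "p1_authentication", "p1_dh_group", "pfs_group")
MIN_PSK_LEN = 20  # assumption: local policy threshold, not a Zyxel requirement

def check_peers(a, b):
    """Return a list of mismatches between two peers' VPN settings."""
    problems = []
    for key in EXACT:
        if str(a[key]).lower() != str(b[key]).lower():
            problems.append(f"{key}: {a[key]} != {b[key]}")
    # Phase 2 needs at least one (encryption, authentication) pair in common.
    if not set(a["p2_proposals"]) & set(b["p2_proposals"]):
        problems.append("p2_proposals: no common proposal")
    # Each side's peer address must be the other side's WAN IP.
    for x, y in ((a, b), (b, a)):
        if x["peer_ip"] != y["wan_ip"]:
            problems.append(f"peer_ip: {x['name']} does not point at {y['name']}")
    # Local/remote policies must mirror each other and the LANs must not overlap.
    la, ra = ip_network(a["local_subnet"]), ip_network(a["remote_subnet"])
    lb, rb = ip_network(b["local_subnet"]), ip_network(b["remote_subnet"])
    if (la, ra) != (rb, lb):
        problems.append("subnets: local/remote policies are not mirrored")
    if la.overlaps(lb):
        problems.append("subnets: the two LANs overlap")
    # Compare the secret without ever printing it.
    if a["psk"] != b["psk"]:
        problems.append("psk: secrets differ")
    elif len(a["psk"]) < MIN_PSK_LEN:
        problems.append(f"psk: shorter than {MIN_PSK_LEN} characters")
    return problems

# Constructed sample values (documentation address ranges, made-up proposals).
NSG100 = dict(
    name="NSG100", wan_ip="203.0.113.10", peer_ip="198.51.100.20",
    local_subnet="192.168.1.0/24", remote_subnet="192.168.2.0/24",
    ike_mode="main", protocol="esp", encapsulation="transport",  # as in the post
    p1_encryption="aes256", p1_authentication="sha256", p1_dh_group=14,
    p2_proposals=[("aes256", "sha256"), ("aes128", "sha1")], pfs_group=14,
    psk="constructed-example-secret-0001")
USG200 = dict(
    NSG100, name="USG200", wan_ip="198.51.100.20", peer_ip="203.0.113.10",
    local_subnet="192.168.2.0/24", remote_subnet="192.168.1.0/24",
    p1_dh_group=2, p2_proposals=[("3des", "md5")])  # deliberate mismatches

if __name__ == "__main__":
    for problem in check_peers(NSG100, USG200):
        print("MISMATCH", problem)
```

An empty result means the two sides agree on every compared setting; lifetimes are not compared here.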