Nebula [VPN] - How to configure IKEv2 IPsec VPN

This article will help you understand what you can do with the IKEv2 VPN in Nebula. It explains how to set up IKEv2, create Nebula Cloud users for VPN access, and configure the SecuExtender client.

IKEv2 Limitations

Nebula currently doesn't officially support using:

  • IKEv2 with pre-shared key

Configuring IKEv2 in Nebula 

  • Go to Site-wide -> Configure -> Firewall -> Remote access VPN
  • Enable the "IPsec VPN server"
  • Enter the Client VPN subnet in CIDR notation (e.g. 192.168.50.0/24). This is the subnet the VPN clients receive addresses from; it must NOT overlap with any other subnet in your Nebula organization or with any remote (site-to-site) VPN subnet, otherwise traffic for those networks is misrouted.
  • Select the IKEv2 version
  • If needed, provide the name servers (DNS servers) for the VPN clients. If you use internal DHCP/DNS servers, enter the internal DNS server first and a public resolver such as Google DNS (8.8.8.8) as the second entry. This keeps the client from losing DNS entirely if the internal server is unreachable; keep in mind that queries that fall through to the public resolver cannot resolve internal names.
  • Authentication: this example uses Nebula Cloud Authentication, but you have other options. You can authenticate against your own Active Directory or RADIUS server, or add two-factor authentication with the Google Authenticator app by enabling "Two-factor authentication with Captive Portal". When a user connects to the VPN they are redirected to log in with the Google Authenticator code; users can also enroll for two-factor authentication through an email containing their login details.
  • SecuExtender IKEv2 VPN configuration provision: select the email address(es) that should receive the VPN configuration file for the SecuExtender IKEv2 VPN. Addresses added or removed here do not take effect until you press "Save".
  • Click "Save"

  • Next, change the "Policy": click "Default" and configure the Phase 1 and Phase 2 settings as below, then click "Save":
Phase 1
Encryption: AES256
Authentication: SHA256
Diffie-Hellman group: DH14
Lifetime (seconds): 86400
Phase 2
Encryption: AES256
Authentication: SHA256
Diffie-Hellman group: None
Lifetime (seconds): 28800

  • A Phase 2 Diffie-Hellman group of "None" means no Perfect Forward Secrecy for the child SA (its keys are derived from the Phase 1 exchange). If you set a DH group here, the same group must be configured in the client's Phase 2 settings, or the negotiation fails.
  • After changing the Policies, remember to save the changes by clicking the "Save" button.

Note: macOS clients can require stronger encryption and authentication algorithms; AES256 and SHA256 have worked well in our experience.
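Two things in the steps above are easy to get wrong and only show up later as routing or negotiation failures: a Client VPN subnet that overlaps an existing subnet, and a policy that still carries legacy algorithms or silently drops PFS in Phase 2. The following Python script is an added example written for this article (it is not Zyxel code and does not talk to Nebula); the subnet lists at the top are constructed values that you would replace with the subnets from your own organization and site-to-site VPNs.

```python
import ipaddress

# Constructed example values (not from the article): subnets already in use in
# the Nebula organization and the subnets reachable over site-to-site VPNs.
ORG_SUBNETS = ["192.168.1.0/24", "192.168.10.0/24", "10.0.0.0/16"]
REMOTE_VPN_SUBNETS = ["172.16.0.0/24"]

# Algorithms that should no longer appear in an IKE proposal.
WEAK_ENCRYPTION = {"DES", "3DES"}
WEAK_AUTHENTICATION = {"MD5", "SHA1"}
WEAK_DH_GROUPS = {"DH1", "DH2", "DH5"}


def check_client_subnet(client_subnet, existing_subnets):
    """Return a list of problems with the proposed Client VPN subnet.

    An empty list means the value is a network address in CIDR notation
    (xx.xx.xx.xx/xx) and overlaps none of the existing subnets.
    """
    try:
        client = ipaddress.ip_network(client_subnet, strict=True)
    except ValueError:
        # strict=True rejects host bits, e.g. 192.168.50.1/24
        return [f"{client_subnet!r} is not a network in CIDR notation "
                "(write the network address, e.g. 192.168.50.0/24)"]
    problems = []
    for subnet in existing_subnets:
        if ipaddress.ip_network(subnet).overlaps(client):
            problems.append(f"{client} overlaps existing subnet {subnet}")
    return problems


def check_policy(phase, encryption, authentication, dh_group):
    """Return warnings for one IKE phase's proposal (phase is 1 or 2)."""
    warnings = []
    enc, auth, dh = encryption.upper(), authentication.upper(), dh_group.upper()
    if enc in WEAK_ENCRYPTION:
        warnings.append(f"Phase {phase}: {encryption} is a legacy cipher; use AES256")
    if auth in WEAK_AUTHENTICATION:
        warnings.append(f"Phase {phase}: {authentication} is a weak hash; use SHA256")
    if dh in WEAK_DH_GROUPS:
        warnings.append(f"Phase {phase}: {dh_group} is too small; use DH14 or higher")
    if phase == 1 and dh == "NONE":
        warnings.append("Phase 1 requires a Diffie-Hellman group")
    if phase == 2 and dh == "NONE":
        # Not an error, but worth knowing: child SA keys come from Phase 1 only.
        warnings.append("Phase 2: DH group None gives no Perfect Forward Secrecy "
                        "(child SA keys derive from the Phase 1 exchange)")
    return warnings


if __name__ == "__main__":
    existing = ORG_SUBNETS + REMOTE_VPN_SUBNETS
    for line in check_client_subnet("192.168.50.0/24", existing):
        print(line)
    for line in (check_policy(1, "AES256", "SHA256", "DH14")
                 + check_policy(2, "AES256", "SHA256", "None")):
        print(line)
```

Run it with the subnet you intend to enter; an empty result from check_client_subnet means the value is safe to paste into the "Client VPN subnet" field, and the Phase 2 warning is the PFS trade-off described above, not a misconfiguration.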


Creating Nebula Cloud Users

Organization-wide -> Organization-wide manage -> Cloud authentication
  • Click "Add" to create a new VPN user
  • Fill in the "Email"; it is used for sending the credentials and, if selected below, for login.
  • Fill in the "Username" and "Password"
  • VPN Access - must be enabled for the user to access the VPN and authenticate with these credentials
  • Authorized - select which sites the user is allowed to access
  • Login by - choose whether the user logs in to the VPN / 802.1X with the username, the email address, or either of them
  • Two-Factor Auth. - check the box if you do NOT want two-factor authentication for this user
  • Email to user - select if you want the credentials emailed to the user
  • Note: every time you hit "Save" (or "Create user") after changes, the user receives an email. If you change the settings for that user, untick the box until you are done configuring the user.

Additional settings that are interesting to know about:

  • Dynamic Personal Pre-shared Key (Professional Pack feature) is dynamic password management for WiFi (not VPN). It creates a unique pre-shared key for each user, so a single user can be isolated or revoked without changing the key for everyone else if their credentials are compromised.
  • 802.1X - for network authentication (not VPN): users authenticate to the network with 802.1X using Nebula Cloud authentication.
  • VLAN assignment - a Professional Pack feature that assigns a static VLAN to the user when they join the network.

Configuring the SecuExtender Client

  • Send the .tgb file (VPN config) via email
Site-wide -> Configure -> Firewall -> Remote access VPN
  • Send the VPN configuration to your email by adding your address (or the users' addresses), clicking "Add new" if it is not present yet, and then "Send email". Check your inbox (and the spam folder).

  • Install the .tgb file into SecuExtender

  • If the import pop-up does not appear, open SecuExtender from the desktop so that the SecuExtender IPsec VPN client window is visible, and then open the .tgb file from the email again.



  • Connection check

After you have imported the configuration into the VPN client, double-click "RemoteAccessVPN", enter the "Login" and "Password" of the Nebula Cloud user and click "OK".

  • If you run into problems, double-check the Phase 1 and Phase 2 settings in SecuExtender and make sure the encryption, authentication and DH group match the Nebula IKEv2 VPN policy exactly; a mismatch in any proposal parameter makes the negotiation fail.


  • Disabling Split tunneling

If all traffic (Internet as well as VPN traffic) is going through the VPN tunnel and that is not what you want, see this article on split tunneling:

https://support.zyxel.eu/hc/en-us/articles/360001121480-Split-Tunneling-L2TP-IPSec-SecuExtender

  • Verifying the VPN Connection

Once the VPN connection is established you can verify it by opening a command prompt (or PowerShell) and issuing the following commands.

  • ipconfig

This shows the IP address assigned to the VPN interface. It should lie inside the Client VPN subnet configured on the gateway (192.168.50.0/24 in the example above).

  • ping [remote_address]

This runs a ping test to a device on the LAN of the Nebula gateway. If it fails although the VPN address looks right, check that the target host's firewall allows ICMP before suspecting the tunnel.


  • On the NCC you should now see logs showing that the VPN is working properly: the IKE requests from the client reached the USG, Phase 1 was established and the user authentication through the Nebula Control Center succeeded. The screenshot originally attached here shows "Main Mode" and "XAuth" entries; both are IKEv1 terms. IKEv2 has neither, so if the log reports Main Mode or XAuth for a client that should be using IKEv2, that client is negotiating IKEv1 and its configuration should be checked.
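To make the ipconfig check repeatable, the script below parses ipconfig output and reports which adapter holds an address inside the Client VPN subnet. It is an added example for this article, not Zyxel or SecuExtender code; the sample output embedded in it is constructed, and the adapter names in it are illustrative (the name under which the SecuExtender virtual adapter appears on your machine may differ).

```python
import ipaddress
import re

# Constructed sample of "ipconfig" output (not a real capture). Adapter names
# are illustrative; a full-tunnel or split-tunnel setup looks the same here.
SAMPLE_IPCONFIG = """\
Windows IP Configuration


Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : corp.example
   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1

Unknown adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.50.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
"""

# "IPv4 Address. . . . : 192.168.1.23" (a trailing "(Preferred)" is ignored)
IPV4_LINE = re.compile(r"^\s+IPv4 Address[ .]*:\s*(\d{1,3}(?:\.\d{1,3}){3})")


def parse_ipconfig(text):
    """Map each adapter heading to the IPv4 addresses listed under it."""
    adapters = {}
    current = None
    for line in text.splitlines():
        stripped = line.rstrip()
        # Adapter headings are unindented and end with a colon.
        if stripped and not stripped[0].isspace() and stripped.endswith(":"):
            current = stripped[:-1]
            adapters[current] = []
            continue
        match = IPV4_LINE.match(line)
        if match and current is not None:
            adapters[current].append(match.group(1))
    return adapters


def find_vpn_address(text, client_subnet):
    """Return (adapter, address) for the first address inside the Client VPN
    subnet configured on the Nebula gateway, or None if no adapter has one."""
    subnet = ipaddress.ip_network(client_subnet)
    for adapter, addresses in parse_ipconfig(text).items():
        for address in addresses:
            if ipaddress.ip_address(address) in subnet:
                return adapter, address
    return None


if __name__ == "__main__":
    import sys
    # Pipe real output in ("ipconfig | python check_vpn.py"); otherwise use the sample.
    text = SAMPLE_IPCONFIG if sys.stdin.isatty() else sys.stdin.read()
    result = find_vpn_address(text, "192.168.50.0/24")
    if result is None:
        print("no adapter has an address in the Client VPN subnet; the tunnel is not up")
    else:
        print("VPN address %s on adapter %r" % (result[1], result[0]))
```

If the function returns None while SecuExtender reports the tunnel as connected, the subnet in the client's .tgb file and the Client VPN subnet on the gateway have probably drifted apart; re-send the configuration from the Remote access VPN page rather than editing it by hand.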
