In this article, we'll explain the steps to take if the default certificate on your Security Gateway has expired, preventing you from establishing a VPN connection. This guide applies to both the legacy version of the Zyxel SecuExtender VPN and its supported variants.
The first step is identical for both clients
Navigate to Nebula > Firewall > Configure > Remote Access VPN and submit a request to Nebula for the IKEv2 configuration script. Once the request is submitted, you will receive an email containing the configuration script for the subscription-based SecuExtender (version 7.7). The script will be named something similar to:IKEv2-nebula-697744d4.d2ns-nbl.com.tgb

SecuExtender client v7.7 (Subscription-based)
Navigate to Configuration > Import and use the script file you received from Nebula. Once the script is successfully imported, you should be able to establish a connection with the remote Nebula gateway.
For perpetual SecuExtender (v3.8)
- Open the received tgb-file in a text editor and get a certificate from it.
- Change the file from .tgb to .txt and open it with Notepad.
- Remain the content between "BEGIN CERTIFICATE" and "END CERTIFICATE" and delete the rest of the content, then save it as a .crt file
Then you'll have certificate in crt-file and can add new IKEv2 profile manually with the next modification:
- IKE Auth
- Remote Gateway = nebula-697744d4.d2ns-nbl.com
-
Integrity: EAP
Cryptography:
- Encryption = AES CBC 256
- Integrity = SHA2 256
- KeyGroup = DH19

Protocol
Remote ID = DNS nebula-697744d4.d2ns-nbl.com

Certificate
Add a certificate from the just-created CRT file.
Select PEM format | Browse created CRT file | Apply |
Modify Child SA Settings
|
Add script to open 2FA page in Automation tab: |
![]() |