Zyxel VPN [SecuExtender] - What to do if the certificate has expired on the Nebula Firewall and SecuExtender VPN no longer connects

In this article, we'll explain the steps to take if the default certificate on your Security Gateway has expired, preventing you from establishing a VPN connection. This guide applies to both the legacy version of the Zyxel SecuExtender VPN and its supported variants.

The first step is identical for both clients:


Navigate to Nebula > Firewall > Configure > Remote Access VPN and submit a request to Nebula for the IKEv2 configuration script. Once the request is submitted, you will receive an email containing the configuration script for the subscription-based SecuExtender (version 7.7). The script will be named something similar to:
IKEv2-nebula-697744d4.d2ns-nbl.com.tgb


SecuExtender client v7.7 (Subscription-based)

Navigate to Configuration > Import and use the script file you received from Nebula. Once the script is successfully imported, you should be able to establish a connection with the remote Nebula gateway.

For perpetual SecuExtender (v3.8) 

  • Open the received .tgb file in a text editor and extract the certificate from it:
  • Change the file extension from .tgb to .txt and open it with Notepad.
  • Keep the content between "BEGIN CERTIFICATE" and "END CERTIFICATE", delete the rest of the content, then save it as a .crt file.
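The manual extraction above can also be scripted. The following is an added example, not part of the original article or Zyxel tooling: it pulls the certificate block (marker lines included, as PEM requires) out of the text, rejects a truncated or corrupted block, and returns a SHA-256 fingerprint for comparison with a value obtained out of band. The function names are hypothetical, and the sample input is constructed and makes no assumption about the real .tgb layout beyond the BEGIN/END markers.

```python
import base64
import hashlib
import re

# Matches one complete PEM certificate block; tolerates CRLF and indented lines.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)

def extract_certificates(text):
    """Return a list of (pem, sha256_fingerprint), one per certificate block in text."""
    results = []
    for match in PEM_RE.finditer(text):
        # Drop all whitespace so indentation or CRLF cannot corrupt the body.
        body = "".join(match.group(1).split())
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError as exc:
            raise ValueError("certificate block is not valid base64") from exc
        # An X.509 certificate is a DER SEQUENCE, so the first byte must be 0x30.
        if not der.startswith(b"\x30"):
            raise ValueError("decoded block is not a DER SEQUENCE")
        lines = [body[i:i + 64] for i in range(0, len(body), 64)]
        pem = "\n".join(
            ["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"]
        ) + "\n"
        digest = hashlib.sha256(der).hexdigest().upper()
        fingerprint = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
        results.append((pem, fingerprint))
    if not results:
        raise ValueError("no complete BEGIN/END CERTIFICATE block found")
    return results

def tgb_to_crt(tgb_path, crt_path):
    """Write the first certificate found in tgb_path to crt_path; return its fingerprint."""
    with open(tgb_path, encoding="utf-8", errors="replace") as handle:
        pem, fingerprint = extract_certificates(handle.read())[0]
    with open(crt_path, "w", encoding="ascii", newline="\n") as handle:
        handle.write(pem)
    return fingerprint

# Constructed sample: the surrounding lines are invented and the body is a 5-byte
# DER placeholder, not a real certificate or real .tgb content.
SAMPLE_TGB = (
    "# constructed placeholder line\r\n"
    "  -----BEGIN CERTIFICATE-----\r\n"
    "  MAMCAQE=\r\n"
    "  -----END CERTIFICATE-----\r\n"
    "# constructed placeholder line\r\n"
)

if __name__ == "__main__":
    for pem, fp in extract_certificates(SAMPLE_TGB):
        print(pem + "SHA-256 " + fp)
```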



You now have the certificate in a .crt file and can add a new IKEv2 profile manually with the following modifications:

  • IKE Auth
  • Remote Gateway = nebula-697744d4.d2ns-nbl.com
  • Integrity: EAP

Cryptography:

  • Encryption = AES CBC 256
  • Integrity = SHA2 256
  • KeyGroup = DH19

Protocol

Remote ID = DNS nebula-697744d4.d2ns-nbl.com

Certificate 
Add a certificate from the just-created CRT file.

Select PEM format, browse to the created CRT file, and apply.
Modify Child SA Settings
  • Update Cryptography Settings:
Add script to open 2FA page in Automation tab:


 
