Nebula provides two different methods for creating Site-to-Site VPN connections between Nebula gateways.
| VPN Type | Description | Typical Use Case | Key Characteristics |
|---|---|---|---|
| VPN Orchestrator | Centralized SD-VPN topology and VPN management | Enterprise and large multi-site deployments | Full Mesh/Hub-and-Spoke management, VPN Areas, centralized orchestration |
| Manual-link VPN | Manually configured IPSec VPN tunnels between Nebula or third-party devices | Third-party VPN interoperability, advanced/custom IPSec deployments | Manual peer configuration, custom IPSec policies, full administrator control |
| Nebula SD-VPN | Automated VPN connectivity between Nebula gateways | Simple branch-to-branch VPN connectivity | Automatic tunnel creation, cloud-managed topology, simplified deployment |
Note: Nebula SD-VPN and VPN Orchestrator support VPN connectivity only between gateways located within the same Nebula organization. For VPN deployments between different organizations or third-party devices, Manual-link VPN must be used.
Note: The configuration examples in this article are based on a Zyxel H Series firewall. The same procedures can also be used for USG FLEX and ATP Zyxel firewalls.
Related Article: For IPSec VPN deployments where one or both peers are located behind NAT, refer to the following guide: Site-to-Site VPN with NAT on Zyxel USG FLEX H - Configuration Guide
This article explains the following deployment scenarios:
- Scenario 1 — Standard Nebula Site-to-Site VPN
  - Nebula Manual-link VPN
  - Nebula SD-VPN
- Scenario 2 — Nebula VPN Orchestrator

Nebula VPN Orchestrator
There are two topologies you can use when creating a site-to-site VPN: Site-to-Site and Hub-and-spoke. This article uses the Site-to-Site scenario as an example.
Objective:
192.168.168.0/24 can communicate with 192.168.160.0/24
192.168.160.0/24 can communicate with 192.168.168.0/24
1. Navigate to "Organization-wide > Organization-wide manage > VPN orchestrator".
Enable both VPN gateways and select the subnet(s) that you want to communicate with each other.

2. By default, the external interface is used as the VPN WAN link.
If you want to change the VPN WAN link, navigate to "Site-wide > Configure > Firewall > Site-to-Site VPN" and select the Primary/Secondary interfaces that you want.
3. Navigate to "Organization-wide > Organization-wide manage > VPN orchestrator" and click the refresh button of your browser.
Nebula Manual-link VPN
This example demonstrates how to configure a manual IPSec Site-to-Site VPN tunnel using Nebula Manual-link VPN between two Zyxel firewalls managed by Nebula Control Center. Nebula Manual-link VPN can also be used to establish IPSec VPN tunnels between a Zyxel firewall and third-party firewalls, provided that both peers use matching IPSec parameters.
| Site | Device | Local Network | WAN Interface |
|---|---|---|---|
| Site 1 | FLEX 500HP | 192.168.88.0/24 | ge1 |
| Site 2 | FLEX 200H | 192.168.112.0/24 | ge1 |
Step 1 — Configure Manual-link VPN
Navigate to Nebula: Site-wide > Configure > Firewall > Site-to-Site VPN
Step 2 — Configure Manual-link VPN
Navigate to Nebula: Site-wide > Configure > Firewall > Site-to-Site VPN
Check the result.
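
As an added illustration (not part of the original article and not Zyxel tooling), the following pre-check compares the settings planned for the two Manual-link peers before they are entered in Nebula, since the tunnel only comes up when both ends use matching IPSec parameters. The subnets come from the site table above; the IKE/ESP values and the dictionary layout are constructed assumptions.

```python
import ipaddress

# Constructed sample peers. Subnets are taken from the site table above; the
# IKE/ESP values and this dictionary layout are assumptions for illustration,
# not settings or an export format from the article.
SITE1 = {
    "name": "Site 1",
    "ike_version": 2,
    "local_subnet": "192.168.88.0/24",
    "remote_subnet": "192.168.112.0/24",
    "phase1": {"encryption": "aes256", "integrity": "sha256", "dh_group": 14},
    "phase2": {"encryption": "aes256", "integrity": "sha256", "pfs_group": 14},
}
SITE2 = {
    "name": "Site 2",
    "ike_version": 2,
    "local_subnet": "192.168.112.0/24",
    "remote_subnet": "192.168.88.0/24",
    "phase1": {"encryption": "aes256", "integrity": "sha256", "dh_group": 14},
    "phase2": {"encryption": "aes256", "integrity": "sha256", "pfs_group": 14},
}


def check_peers(a, b):
    """Return a list of mismatches between two peers; empty means they agree."""
    problems = []
    if a["ike_version"] != b["ike_version"]:
        problems.append(f"ike_version: {a['name']}={a['ike_version']}, "
                        f"{b['name']}={b['ike_version']}")
    # Phase 1 (IKE) and phase 2 (IPSec) proposals must be identical on both ends.
    for phase in ("phase1", "phase2"):
        for key in sorted(set(a[phase]) | set(b[phase])):
            va, vb = a[phase].get(key), b[phase].get(key)
            if va != vb:
                problems.append(f"{phase}.{key}: {a['name']}={va}, {b['name']}={vb}")
    # Each side's remote subnet must equal the other side's local subnet.
    for near, far in ((a, b), (b, a)):
        local = ipaddress.ip_network(near["local_subnet"])
        remote = ipaddress.ip_network(far["remote_subnet"])
        if local != remote:
            problems.append(f"subnet: {far['name']} remote {remote} "
                            f"!= {near['name']} local {local}")
    # Overlapping local networks cannot be routed across the tunnel without NAT.
    if ipaddress.ip_network(a["local_subnet"]).overlaps(
            ipaddress.ip_network(b["local_subnet"])):
        problems.append("subnet: local networks overlap")
    return problems


if __name__ == "__main__":
    print(check_peers(SITE1, SITE2) or "peers match")
```

An empty list means the two definitions mirror each other; each returned string names the field to correct on one of the peers.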
Nebula SD-VPN
This example demonstrates how to configure an automatic Site-to-Site VPN connection using Nebula SD-VPN between two Nebula gateways located within the same organization.
| Site | Device | Local Network | WAN Interface |
|---|---|---|---|
| Site 1 | FLEX 500HP | 192.168.170.0/24 | ge1 |
| Site 2 | FLEX 700H | 192.168.231.0/24 | ge1 |
Step 1 — Configure Nebula SD-VPN on Site 1
Navigate to Nebula: Site-wide > Configure > Firewall > Site-to-Site VPN
Under the Nebula SD-VPN tab:
Step 2 — Configure Nebula SD-VPN on Site 2
Navigate to: Site-wide > Configure > Firewall > Site-to-Site VPN
Under the Nebula SD-VPN tab:
Check the result.


