Nebula VPN - Configure Site-to-Site VPN to a Non-Nebula-Peer

Nebula Security Gateways (NSG) can build IPsec VPN tunnels to devices that are not managed through Nebula; this requires some manual configuration on the NSG. This tutorial shows an example configuration of an IPsec VPN tunnel between one of our USG60 firewalls and a Nebula NSG100.

 

Step-by-Step guide:

  1. Make notes of the settings of phase 1 and phase 2 of the remote station
    (PSK, Encryption, Authentication, Lifetime, DH Group, Remote, and Local Policy)
  2. Log in to nebula.zyxel.com with your account
  3. Select the organization and site where the tunnel should be created
  4. Go to the submenu Gateway > Configure > Site-to-Site VPN
  5. At the bottom of the page, you will find "Non-Nebula VPN Peers"
  6. Click on Add, enter an appropriate name, the public IP and the remote policy of the remote site.
    • Important: the Private Subnet setting is also used for the ping check inside the tunnel. Therefore, if you want to reach subnet 192.168.5.0/24, enter a reachable/available IP here (for example of your gateway or a server), such as 192.168.5.253/24, for the ping check.
  7. In "IPsec policy", click on "default". Now you can adjust the settings. Enter the previously noted settings and confirm with OK
  8. Now enter the PSK and select which network (entire network or only this site) should be reached via the VPN
  9. Click Save
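
A pre-flight check for steps 1, 6 and 7, added here as an illustration and not Zyxel tooling: it compares the values noted from the remote station with the values planned for the NSG and validates the Private Subnet entry used for the ping check. The dictionary layout, function names and sample values are constructed assumptions.

```python
import ipaddress

# Proposal values from step 1 that must be identical on both ends, per phase.
MATCH_FIELDS = ("encryption", "authentication", "lifetime", "dh_group")

def check_ping_target(entry, remote_policy):
    """Validate the Private Subnet entry the NSG uses for its ping check."""
    iface = ipaddress.ip_interface(entry)
    remote = ipaddress.ip_network(remote_policy)
    if iface.network != remote:
        return [f"private subnet {entry} does not match remote policy {remote}"]
    if remote.prefixlen < 31 and iface.ip in (remote.network_address,
                                              remote.broadcast_address):
        return [f"{iface.ip} is a network/broadcast address, not a pingable host"]
    return []

def compare_phase(name, peer, nsg):
    """Return one finding per proposal value that differs between the ends."""
    return [f"{name}: {f} differs (peer={peer.get(f)!r}, NSG={nsg.get(f)!r})"
            for f in MATCH_FIELDS if peer.get(f) != nsg.get(f)]

def preflight(peer, nsg):
    """Collect all findings; an empty list means the plan is consistent."""
    problems = []
    for phase in ("phase1", "phase2"):
        problems += compare_phase(phase, peer[phase], nsg[phase])
    # The remote station's local policy is what the NSG reaches through the tunnel.
    problems += check_ping_target(nsg["private_subnet"], peer["local_policy"])
    return problems

# Constructed sample values (hypothetical, not taken from a real device).
PROPOSAL = {"encryption": "AES256", "authentication": "SHA256",
            "lifetime": 28800, "dh_group": 14}
PEER_NOTES = {"phase1": dict(PROPOSAL), "phase2": dict(PROPOSAL),
              "local_policy": "192.168.5.0/24"}
NSG_PLAN = {"phase1": dict(PROPOSAL, dh_group=2),       # typo in the DH group
            "phase2": dict(PROPOSAL),
            "private_subnet": "192.168.5.0/24"}         # network address entered

if __name__ == "__main__":
    for finding in preflight(PEER_NOTES, NSG_PLAN):
        print("FIX:", finding)
```

An empty result from `preflight` means the noted and planned values agree and the ping-check address is a host inside the remote subnet.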

Also interesting:

Do you want to look at this directly on one of our test devices? Have a look in our virtual lab:

Virtual Lab - VPN Nebula to non Nebula device

See the video below for a visualization of the individual steps.

 

KB-00116


Comments


  • When adding private subnet (1:50) you can't use network address. IP has to be valid IP in that subnet. This IP will be used for connectivity checks. GW address works fine.

  • Dear Arno, 

    we have updated this article.

    Thanks for your help.
