Nebula VPN - Configure IPSec IKEv1 VPN Client (Client-To-Site)

This guide will assist in the configuration of the Zyxel IPSec VPN Client (version 3.8.204.61.32) for VPN connectivity with the Nebula CC IPSec Remote Access VPN (C2S) feature using Nebula Security Gateway (NSG).

Table of Contents

  1. Overview
  2. Supported Devices
  3. Nebula Control Center Setup
  4. VPN Client Setup (SecuExtender IPSEC VPN Client)

Overview

A VPN (Virtual Private Network) provides secure communication between sites without the expense of leased lines. VPNs are used to securely transport traffic over the internet or any insecure network that uses TCP/IP communications. A remote-access VPN (client-to-site) gives traveling employees and teleworkers secure access to company network resources. Multiple VPN protocols/technologies can be used to establish a secure link to the company network, such as L2TP, PPTP, SSL, OpenVPN, etc. This guide uses the IPSec protocol to establish a secure VPN tunnel between external hosts (users connected to the internet outside the company network structure) and the NebulaCC gateway. Third-party IPSec software is required to establish the VPN connection, as current operating systems lack a built-in IPSec client. This walkthrough will help configure the VPN setup on the IPSec VPN client (version 3.8.204.61.32).

Supported Devices

NSG Series (50/100/200/300)
USG FLEX Series (100/100W/200/500/700)

Nebula CC VPN Setup

Note: Nebula Control Center requires a user database in the background against which the IPSec client authenticates. For this to work, "X-Auth" and "Config Mode" must be set up in the client.

Click into the new Nebula CC user interface and go to:

Site-wide > Configure > Remote Access VPN

Specify the Client VPN server as an IPSec client. If your NSG/USG FLEX is located behind a NAT gateway, you will need to type in the NAT traversal setting.

Create a VPN client account for authentication. The type is Nebula Cloud Authentication. Make sure to create a user in the respective submenu:

Site-wide > Configure > Firewall > Cloud Authentication

Zyxel VPN Client Setup

The latest version of the Zyxel IPSec VPN client can be downloaded from here. Once the client has been installed, launch the program and open the Configuration Panel. Click on the "IKE V1" folder under VPN Configuration. Once the folder is selected, hit the "Ctrl + N" keys on the keyboard to add an "Ikev1Gateway" rule. Make the following changes on the rule:

  1. Remote Gateway
    • Interface – Select the interface the computer will use to establish the VPN connection.  Set this to Any if the VPN client will be allowed to use any connection available on the computer.
    • Remote Gateway – Type in the FQDN/DDNS/IP of the NebulaCC gateway you will be connecting to.
  2. Authentication
    • Select the "Preshared Key" option.
    • Type in the preshared key used on the NebulaCC IPSec configuration and "Confirm" the key.
  3. X-Auth
    • Enable – This box should be checked.
    • X-Auth Popup – This box should only be checked if you wish to be prompted for the username and password upon connection.
      • Login – Provide the NebulaCC VPN account username.  Only if "X-Auth Popup" is unchecked.
      • Password – Provide the NebulaCC VPN account password.  Only if "X-Auth Popup" is unchecked.
  4. Cryptography (Example Setup)
    • Encryption – Select AES256 from the drop-down.
    • Authentication – Select SHA-256 from the drop-down.
    • Key Group – Select DH14 (1024) from the drop-down.

From the "Ikev1Gateway" click on the Protocol tab and make the following change:

Enable the Mode Config option.

While "Ikev1Gateway" is highlighted, hit the "Ctrl + N" keys on the keyboard again to add the "Ikev1Tunnel" portion of the connection. Make the following changes:

  1. Address
    • VPN Client Address – Leave this option as is (0.0.0.0 by default).
    • Address Type – Select Subnet Address from the drop-down.
    • Remote LAN Address – Type in the NebulaCC local LAN IP scheme.
    • Subnet Mask – Type in the NebulaCC local LAN subnet mask.
  2. ESP
    • Encryption – Select AES256 from the drop-down.
    • Authentication – Select SHA-256 from the drop-down.
    • Mode – Select Tunnel from the drop-down.
  3. PFS
    • Leave this option unchecked.
  4. Lifetime
    • The lifetime is the amount of time, in seconds, before the client re-negotiates the algorithms.

Once all the settings have been made, click the Configuration option on the toolbar and select Save.  This will save all the changes made to the client.

To establish the VPN connection to the NebulaCC gateway, right-click the "Ikev1Tunnel" option and select Open Tunnel or hit (Ctrl + O) on your keyboard.
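
As an added example (not Zyxel's code and not part of the original guide), the Python below audits the profile built in the steps above: it compares the Phase 1 and Phase 2 proposals with the gateway's, which must match for the tunnel to negotiate, and lists client settings worth a second look. The dictionary layout and the GATEWAY values are assumptions constructed for illustration; the group sizes are those of RFC 2409 and RFC 3526, where group 14 is the 2048-bit MODP group.

```python
# MODP sizes in bits: groups 1 and 2 (RFC 2409); groups 5, 14, 15, 16 (RFC 3526).
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096}

# Client profile as entered in the guide's example setup.
CLIENT = {
    "phase1": {"encryption": "AES256", "authentication": "SHA-256", "dh_group": 14},
    "phase2": {"encryption": "AES256", "authentication": "SHA-256",
               "mode": "Tunnel", "pfs": False},
    "xauth": {"enabled": True, "popup": False},
    "mode_config": True,
}

# Constructed gateway policy (hypothetical values, not read from Nebula). It uses
# the 1024-bit group 2 so that the comparison has one mismatch to report.
GATEWAY = {
    "phase1": {"encryption": "AES256", "authentication": "SHA-256", "dh_group": 2},
    "phase2": {"encryption": "AES256", "authentication": "SHA-256",
               "mode": "Tunnel", "pfs": False},
}


def proposal_mismatches(client, gateway):
    """Return (phase, field, client_value, gateway_value) for each differing field."""
    return [(phase, field, client[phase].get(field), want)
            for phase in ("phase1", "phase2")
            for field, want in gateway[phase].items()
            if client[phase].get(field) != want]


def profile_findings(client):
    """Return findings on the client profile that hold whatever the gateway offers."""
    findings = []
    if not (client["xauth"]["enabled"] and client["mode_config"]):
        findings.append("X-Auth and Mode Config must both be enabled")
    if client["xauth"]["enabled"] and not client["xauth"]["popup"]:
        findings.append("X-Auth Popup is off: the VPN password is kept in the saved profile")
    group = client["phase1"]["dh_group"]
    if DH_GROUP_BITS.get(group, 0) < 2048:
        findings.append(f"DH group {group} is not a MODP group of 2048 bits or more")
    if not client["phase2"]["pfs"]:
        findings.append("PFS is off: Phase 2 keys derive from Phase 1 keying material")
    return findings


if __name__ == "__main__":
    for phase, field, have, want in proposal_mismatches(CLIENT, GATEWAY):
        print(f"MISMATCH {phase}.{field}: client={have} gateway={want}")
    for note in profile_findings(CLIENT):
        print("NOTE", note)
```

Replace GATEWAY with the values shown on the Nebula Remote Access VPN page before relying on the mismatch list.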

 

Verification

Once the VPN connection is established, you can verify the connection by opening a command prompt window (or PowerShell) and issuing the following commands.

  • ipconfig
    This command will provide the IP address for the VPN interface.
  • ping [remote_address]
    This command will allow you to run a ping test to a device located on the NebulaCC gateway's LAN network.

On the NCC, you should now be able to see logs which show that the VPN is working properly: the Main Mode requests have reached the USG, Phase 1 has been successfully established, and XAuth in the Nebula Control Center works fine.
