Nebula VPN - Configure Routing from L2TP VPN to Site To Site Tunnel

This article shows how to reach a resource at a remote site through an L2TP client connection when that site is connected via a Nebula-based Site-to-Site VPN.
It applies to USG FLEX / ATP firewalls and to a 3rd-party firewall at the distant location.

 

First, set up the Site-to-Site VPN. The following has to be configured on both USGs:


Navigate to:

Site-wide > Configure > Firewall > Site-to-Site VPN

 

Site 1:
Choose "none" for NAT-Traversal only if the WAN interface of the USG FLEX / ATP has a public IP!
If the firewall is behind NAT (the WAN interface has a private address such as 192.168.10.123), use the NAT-Traversal function!

 

Site 2:

Choose "none" for NAT-Traversal only if the WAN interface of the USG FLEX / ATP has a public IP!
If the firewall is behind NAT (the WAN interface has a private address such as 192.168.10.123), use the NAT-Traversal function!



Check in the VPN Orchestrator whether the tunnel has been established (note that it can take up to 10 minutes for the link to show up!):

Organization-wide > Organization-wide manage > VPN Orchestrator


 

Next, create the L2TP remote access for Site 1:

Site-wide > Configure > Firewall > Remote access VPN

 

Nebula then shows the settings needed on the client.


For a manual setup from the Windows command prompt (CMD):

powershell -command "Add-VpnConnection -Name '[Sitename]' -ServerAddress '[Public IP/Domain Name]' -TunnelType 'L2tp' -AuthenticationMethod Pap -EncryptionLevel 'Optional' -L2tpPsk '[YourPSK/Secret]' -Force -RememberCredential -PassThru"

 

Now create a user for the remote access VPN:

Site-wide > Configure > Cloud Authentication


 

This user provides the login credentials for the tunnel.

 

Now for the most critical part!
This has to be done on the second site (the location of the client we want to reach).
It works the same way with 3rd-party firewalls.
A return route is needed on the second firewall so that reply traffic is sent back through the Site-to-Site tunnel to the L2TP clients at Site 1:

Site-wide > Configure > Firewall > Routing

Create a policy route with the remote subnet (the L2TP client address range assigned at Site 1) as the destination address, set the next-hop type under "policy route" to VPN tunnel, and select the Site-to-Site tunnel the traffic should enter.

 

After this is done, we can access the client:

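The following PowerShell script is an added example, not part of the Zyxel article: it creates the L2TP connection with the same parameters as the one-liner above, dials it with the Cloud Authentication user, and then tests one host at Site 1 and one at Site 2. If only Site 2 fails, the return route described above is the first thing to check. All names, addresses and the PSK are constructed placeholders.

```powershell
# Added example (not from the Zyxel article). Placeholders below must be replaced.
$Name      = 'Site1-L2TP'          # connection name (placeholder)
$Server    = 'vpn.example.com'     # public IP / domain name of the Site 1 USG (placeholder)
$Psk       = '<YourPSK>'           # PSK shown under Remote access VPN in Nebula (placeholder)
$Site1Host = '192.168.1.10'        # a host in the Site 1 LAN (placeholder)
$Site2Host = '192.168.2.10'        # a host in the Site 2 LAN behind the S2S tunnel (placeholder)

# Same parameters as the article's Add-VpnConnection command; skip if it already exists.
if (-not (Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue)) {
    Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType L2tp `
        -AuthenticationMethod Pap -EncryptionLevel Optional -L2tpPsk $Psk `
        -RememberCredential -Force | Out-Null
}

# Dial the tunnel with the user created under Cloud Authentication (prompts for the password).
$cred = Get-Credential -Message "Nebula cloud authentication user for $Name"
rasdial $Name $cred.UserName $cred.GetNetworkCredential().Password | Out-Null
if ($LASTEXITCODE -ne 0) { throw "rasdial failed with exit code $LASTEXITCODE" }

# Reachability check: two ICMP echo requests to one host per site.
$site1Ok = Test-Connection -ComputerName $Site1Host -Count 2 -Quiet
$site2Ok = Test-Connection -ComputerName $Site2Host -Count 2 -Quiet

if ($site1Ok -and $site2Ok) {
    "OK: both sites are reachable through the L2TP client."
} elseif ($site1Ok -and -not $site2Ok) {
    # Typical symptom of the missing return route: packets arrive at Site 2, but the
    # Site 2 firewall sends the replies for the L2TP client subnet to its default
    # gateway instead of back into the Site-to-Site tunnel.
    "Site 1 reachable, Site 2 not: check the policy route on Site 2 for the L2TP client subnet."
} else {
    # The L2TP tunnel itself is not passing traffic; the S2S routing is not the issue yet.
    "Site 1 not reachable: check the L2TP credentials, the PSK and the NAT-Traversal setting."
}

# Disconnect again when the test is done.
rasdial $Name /disconnect | Out-Null
```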

 

Switch to the other site and check a client there as well; in this example it is the USG20-VPN firewall.
