# Zyxel Nebula Control Center

## Step 1 - Creating a new branch connection

[Log in to the GoodAccess **Control Panel**, and go to **Network** > **Clouds & Branches**.](https://app.goodaccess.com/branches/)

Click **+ Add new**, enter a **Name** (e.g., Prague Office), select the required **Gateway**, and define your local **Subnets** (using CIDR notation).

Choose **IPSec** as the **Protocol**, and click **Continue**.

Fill out the configuration form (Public IP, Pre-Shared Key, etc.). These parameters must match the configuration you will set on your device in the next steps.

Click **Submit** to finish, or **Continue** to define optional **Branch Segments** for finer access control.

{% hint style="info" %}
You may return to the configuration via the **Edit** button of your Branch at any time.
{% endhint %}

{% hint style="info" %}
**Example of configuration (Default preset):**

* **Shared Secret** - Create a new strong password
* **Public IP** - IP of your site
* **IKE Lifetime (Phase 1)** - 8 hours (28800 seconds)
* **Tunnel Lifetime (Phase 2)** - 1 hour (3600 seconds)
* **Dead Peer Detection Delay** - 30 seconds
* **Encryption (Phase 1)** - aes256
* **Encryption (Phase 2)** - aes256
* **Integrity (Phase 1)** - sha256
* **Integrity (Phase 2)** - sha256
* **Diffie-Hellman Groups (Phase 1)** - 16 - modp4096
* **Diffie-Hellman Groups (Phase 2)** - 16 - modp4096
{% endhint %}

## Step 2 - Creating a new site-to-site connection

Log in to the Zyxel Nebula Control Center, and switch to the site you want to connect to GoodAccess.

Go to **Configure** > **Firewall** > **Site-to-Site VPN**.

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FVxMcl80SmdgQyHIqZZIm%2FBranch_Connector_Zyxel_NCC_01.png?alt=media&#x26;token=f1b21ec7-6de0-4aba-b1e8-7afcf7bef159" alt="Nebula Control Center menu with key steps for navigating to the Site-to-Site VPN configuration."><figcaption><p>Menu of Configure > Firewall</p></figcaption></figure>

**Enable** the local network you want to access via GoodAccess.

Under the **Non-Nebula VPN peers** section, click the **+ Add** button, give the peer a name, and set the configuration as follows:

* **Public IP** - IP of your GoodAccess Gateway
* **Private subnet** - Subnet of your GoodAccess Gateway
* **Pre-shared secret** - Shared Secret [(Step 1)](#step-1-creating-a-new-branch-connection)

Click on the **Default** button, and set the configuration as follows:

* **IKE version** - IKEv2
* **Phase 1 & 2** - Must match configuration from GoodAccess [(Step 1)](#step-1-creating-a-new-branch-connection)

Click **OK**, and then **Save**.

<div data-full-width="false"><figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FVa2qcW0rzHhKh60hM2hZ%2FBranch_Connector_Zyxel_NCC_02.png?alt=media&#x26;token=aef3bc88-0989-46a4-bdb3-37abe7dee678" alt="Nebula Control Center with key steps to creating a new site-to-site connection." width="563"><figcaption><p>Creating a new site-to-site connection</p></figcaption></figure></div>

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2Fo95qwNDALaU71HzOJkNH%2FBranch_Connector_Zyxel_NCC_03.png?alt=media&#x26;token=ea33c92c-95aa-4e25-96fd-e3a614afe738" alt="Nebula Control Center showing configuration for the Phase 1 and 2 section of an IPSec policy."><figcaption><p>Setting up the Phase 1 &#x26; 2 configuration</p></figcaption></figure>
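Because the Phase 1 and Phase 2 values must be identical on both ends, the check below compares what was entered on the device against the GoodAccess default preset from Step 1 and lists every field that differs. It is an added example, not part of the GoodAccess or Zyxel documentation. The field names and the device-side spellings in `DEVICE` are constructed for illustration and are not necessarily the labels Nebula displays.

```python
import re

# GoodAccess default preset from Step 1, plus the IKE version required in Step 2.
# The pre-shared secret is deliberately left out so it never ends up in a file.
PRESET = {
    "ike_version": "ikev2",
    "p1_encryption": "aes256", "p1_integrity": "sha256", "p1_dh": "16 - modp4096",
    "p2_encryption": "aes256", "p2_integrity": "sha256", "p2_dh": "16 - modp4096",
    "p1_lifetime": 28800, "p2_lifetime": 3600,
}
# MODP bit length -> IKE Diffie-Hellman group number (RFC 2409 / RFC 3526).
MODP_TO_GROUP = {1024: 2, 1536: 5, 2048: 14, 3072: 15, 4096: 16, 6144: 17, 8192: 18}

def norm_alg(value):
    """'AES-256', 'aes_256' and 'AES256' all become 'aes256'."""
    return re.sub(r"[^a-z0-9]", "", str(value).lower())

def norm_dh(value):
    """Reduce 'DH16', '16 - modp4096' or 'modp4096' to the group number 16."""
    m = re.search(r"modp(\d+)", str(value).lower())
    if m:
        return MODP_TO_GROUP.get(int(m.group(1)))
    m = re.search(r"\d+", str(value))
    return int(m.group()) if m else None

def norm_lifetime(value):
    """Convert 28800, '28800 seconds', '8h' or '60 min' to seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*([smh]?)\w*\s*", str(value).lower())
    return int(m.group(1)) * {"": 1, "s": 1, "m": 60, "h": 3600}[m.group(2)] if m else None

NORMALISERS = {"dh": norm_dh, "lifetime": norm_lifetime}

def compare(device, preset=PRESET):
    """Return (field, device_value, expected) for every missing or mismatched field."""
    mismatches = []
    for field, expected in preset.items():
        norm = NORMALISERS.get(field.split("_")[-1], norm_alg)
        got = device.get(field)
        if got is None or norm(got) != norm(expected):
            mismatches.append((field, got, expected))
    return mismatches

# Constructed sample: values as an admin might transcribe them from the device form.
DEVICE = {
    "ike_version": "IKEv2",
    "p1_encryption": "AES-256", "p1_integrity": "SHA256", "p1_dh": "DH16",
    "p2_encryption": "AES-256", "p2_integrity": "SHA256", "p2_dh": "DH14",
    "p1_lifetime": "28800", "p2_lifetime": "1h",
}
```

With the sample above, `compare(DEVICE)` reports only the Phase 2 Diffie-Hellman group, which was entered as group 14 instead of 16.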

You have now successfully connected your branch to GoodAccess.

{% hint style="warning" %}
**Firewall rules**

Make sure that your device allows incoming connections from your **GoodAccess Gateway private subnet** on the following ports:

* **UDP 500**
* **UDP 4500**
{% endhint %}

{% hint style="info" %}
**You may check the status of the connection in:**

* **GoodAccess:** Go to **Control Panel > Network > Clouds & Branches** to view the tunnel status. Use the **Test Connection** button to validate the IPsec tunnel itself, or optionally to test a specific system (target must have ICMP enabled).
* **Nebula Control Center:** Go to **Monitor > Firewall > VPN connections**.
{% endhint %}
