Org-to-Org VPN
Org-to-Org VPN allows devices in different organizations in a group to access each other’s services, such as a website, database, or ERP server, through VPN tunnels.
Configure Org-to-Org VPN
Follow the steps below to configure Org-to-Org VPN in the group.
1. Configure Smart VPN for each organization you want included in the Org-to-Org VPN.
   a. In the Organization list, select the organization.
   b. Go to Organization-wide > Organization-wide manage > VPN orchestrator.
   c. Configure a VPN area with hub-and-spoke topology, and then assign at least one site as a hub. If a site contains a server that you want to share between organizations, then ensure the server is in a hub site or that Branch to Branch VPN is enabled.
2. Go to Group-wide > Group-wide manage > Org-to-Org VPN, and then enable Hub to Hub VPN.
3. Click + Hub. In the Select Hubs window, add at least one hub site from each organization to the Within Org-to-Org list.
4. Click + Org-to-Org Service, and add a server’s fully qualified domain name (FQDN) and IP address.
5. Devices in the organizations included in the Org-to-Org VPN are now able to access the server by IP address or FQDN.
Org-to-Org VPN Example
Org-to-Org VPN Example shows organization O1 with two VPN areas and hubs H1 and H2. Area communication and Branch to Branch VPN are both enabled. It shows another organization O2 with its own set of sites and a hub. H1 and H3 belong to the Org-to-Org VPN. The server behind S9 is listed as an org-to-org service. If a Nebula Device behind S5 wants to access the server behind S9, traffic will pass through its hub H2 and then to H1 and H3.
Org-to-Org VPN Screen
Click Group-wide > Group-wide manage > Org-to-Org VPN to access this screen.
Group-wide > Group-wide manage > Org-to-Org VPN
The following table describes the labels in this screen.
Label
Description
Reserved IP Address Pool
Specify the IP addresses that Nebula Devices use to create the VPN tunnels between the gateway devices in the org-to-org VPN network. You can select a set or custom range.
This IP address range must not overlap with any IP address ranges already in use within any sites in the org-to-org VPN.
AutoVPN
Hub to Hub VPN
Turn the switch to On to create VPN tunnels between the hubs in the list. This is required to enable Org-to-Org VPN.
When this setting is disabled, Org-to-Org VPN can be configured but will not work.
Organization
This column lists the organization to which each hub site belongs.
Hub
This column lists the names of the hub sites included in the Org-to-Org VPN.
+Hub
Click this to set up which hub site you want to add to the Org-to-Org VPN.
Service
Organization
This displays the organization to which the network service belongs.
FQDN
This displays the Fully-Qualified Domain Name (FQDN) associated with the network service to which Security Gateway devices and the Nebula Devices behind them are given access.
IP Address
This displays the IP address of the network service to which Security Gateway devices and the Nebula Devices behind them are given access.
+Org-to-Org Service
Click this to add a service that can be accessed within the org-to-org VPN.
Save
Click this button to save your changes and close the screen.
Cancel
Click Cancel to exit this screen without saving.
Add Hub
Click the +Hub button on the Group-wide > Group-wide manage > Org-to-Org VPN screen to access the following screen. If Hub to Hub VPN is enabled, use this screen to select which hubs you want to include in the Org-to-Org VPN.
Group-wide > Group-wide manage > Org-to-Org VPN: SD-WAN Hubs
Hubs are listed in this screen and you may choose whether to include them in the org-to-org network or not by clicking the “<” and “>” buttons. The “<<” and “>>” buttons move all hubs at once. Details about this screen are described in the table below.
The following table describes the labels in this screen.
Label
Description
All Organization Hubs
This box lists all hub sites in the group that are outside the org-to-org network. It shows the name of the hub followed by the Organization it belongs to in parentheses.
Within Org-to-Org
This box lists all hub sites inside the org-to-org network. It shows the name of the hub followed by the Organization it belongs to in parentheses.
Cancel
Click Cancel to exit this screen without saving.
Save
Click Save to add the hubs to the org-to-org network.
Service
Use this screen to add a service accessible through the org-to-org VPN. Note that you can choose to add only the FQDN or only the IP address. Click +Org-to-Org Service and then the following screen appears.
Group-wide > Group-wide manage > Org-to-Org VPN: Service
The following table describes the labels in this screen.
Label
Description
Organization
Select the organization to which the service you want to add is linked.
FQDN
Enter the Fully-Qualified Domain Name (FQDN) associated with the service.
An FQDN starts with a host name and continues all the way up to the top-level domain name. For example, www.zyxel.com.tw is a fully qualified domain name, where “www” is the host, “zyxel” is the third-level domain, “com” is the second-level domain, and “tw” is the top-level domain. Underscores are not allowed. Use "*." as a prefix in the FQDN for a wildcard domain name (for example, *.example.com).
IP Address
Enter the IP address of the service you want to add to the org-to-org VPN.
Save
Click Save to allow access to the service through the org-to-org VPN.
Cancel
Click Cancel to exit this screen without saving.
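The two input rules stated above (the Reserved IP Address Pool must not overlap any site range, and a service FQDN may not contain underscores but may start with "*.") can be checked before the values are entered. The Python check below is an added example, not Zyxel code; the pool, site subnets, service entries and function names are constructed for illustration, and the two-label minimum for an FQDN is an assumption.

```python
import ipaddress
import re

# Constructed sample plan; none of these values come from a real deployment.
RESERVED_POOL = "10.255.0.0/24"
SITE_SUBNETS = {
    "O1/H1": ["192.168.10.0/24"],
    "O1/S5": ["192.168.50.0/24", "10.255.0.128/25"],  # collides with the pool
    "O2/H3": ["172.16.3.0/24"],
}
SERVICES = [  # (organization, FQDN, IP address); either field may be empty
    ("O2", "erp.example.com", "172.16.9.20"),
    ("O2", "*.example.com", ""),
    ("O1", "db_server.example.com", ""),  # underscore is not allowed
]
# One DNS label: letters, digits, hyphens, no edge hyphen, at most 63 characters.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def pool_conflicts(pool, site_subnets):
    """Return (site, subnet) pairs whose range overlaps the reserved pool."""
    pool_net = ipaddress.ip_network(pool, strict=True)
    return [(site, subnet)
            for site, subnets in sorted(site_subnets.items()) for subnet in subnets
            if pool_net.overlaps(ipaddress.ip_network(subnet, strict=False))]

def fqdn_ok(fqdn):
    """Page rules: no underscores, optional leading '*.' for a wildcard."""
    name = fqdn[2:] if fqdn.startswith("*.") else fqdn
    labels = name.rstrip(".").split(".")
    # Assumption: require at least host + top-level domain (two labels).
    return len(name) <= 253 and len(labels) >= 2 and all(_LABEL.match(l) for l in labels)

def service_errors(services):
    """Return human-readable problems found in the service entries."""
    errors = []
    for org, fqdn, ip in services:
        if not fqdn and not ip:
            errors.append(f"{org}: entry needs an FQDN or an IP address")
        if fqdn and not fqdn_ok(fqdn):
            errors.append(f"{org}: invalid FQDN {fqdn!r}")
        try:
            if ip:
                ipaddress.ip_address(ip)
        except ValueError:
            errors.append(f"{org}: invalid IP address {ip!r}")
    return errors

if __name__ == "__main__":
    print(pool_conflicts(RESERVED_POOL, SITE_SUBNETS), service_errors(SERVICES))
```

Feed `SITE_SUBNETS` from every site in every organization that joins the Org-to-Org VPN, not only the hubs, since the pool must not overlap ranges in use within any of them.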