Configuring GRE Tunnels

To configure GRE tunnels from your corporate network to the Zscaler service:

  1. Review the configuration guidelines.
  2. Contact your Zscaler representative or Customer Support to have a GRE tunnel provisioned to your account.
  3. Log in to the service portal and add your gateway location.
  4. Configure your router or firewall to allow the GRE tunnel. Please refer to the documentation of your router or firewall to configure instructions. Following are configuration examples:
  • Zscaler recommends configuring two separate GRE tunnels to two ZENs that are each located in a different data center for high availability. If the primary GRE tunnel or an intermediate connection goes down, all traffic is then rerouted through the backup GRE tunnel to the secondary ZEN. 
    Ensure that if the primary tunnel goes down, that the router detects it and changes the routing table or routing instance so that the secondary tunnel is used for traffic forwarding and vice versa.
  • Use the GRE tunnel to forward internet traffic to the service. If supported, use policy based-routing (PBR) to ensure that only Internet-bound traffic is sent through the GRE tunnel. PBR is a mechanism that enables a router to determine where to forward packets based on configured policies. When you configure a GRE tunnel, you can use PBR to ensure that only Internet-bound traffic is sent thru the tunnel. A policy typically includes a match criteria and the action that the router takes on the traffic. Match criteria can include the source and destination IP addresses and ports, and the protocol, such as HTTP or HTTPS. The action specifies the next hop of the packets. When a packet arrives at a router with PBR enabled, it determines if the packet matches a configured policy and then routes it accordingly. PBR enables packets to take different paths based on the match criteria.
  • If supported, enable GRE keepalives on the primary and secondary tunnels.
    When you configure a GRE tunnel to the service, enable GRE keepalives so the traffic can switch from the primary to the secondary tunnel in the event of a failure. Additionally, ensure that the settings are neither too aggressive nor too slow in detecting when the tunnel is down. If your router does not support GRE keepalives, you can configure ICMP probes instead.
  • For Cisco routers, you can use IPSLAs to monitor the tunnels. You can set a threshold so the traffic can switch from the primary to the secondary tunnel when the threshold is exceeded. For Juniper routers, you can use RPM(real-time performance monitoring) to monitor the VPNs.
  • Network Address Translation (NAT) 
    Most routers apply the policy based route to redirect traffic to the tunnel before they apply NAT to the traffic. Therefore, the internal client IP addresses of traffic routed through the tunnel are preserved. If your router performs NAT before it sends traffic through the tunnel, consider disabling NAT to allow the Zscaler service to see internal IP addresses. This enables the service to use the internal IP addresses for logging and reporting. Additionally, you can configure sub-locations to identify internal networks whose outbound traffic is encapsulated in the GRE tunnel. When using sub-locations, the service can retrieve the IP addresses of the internal networks and apply custom policies to the traffic of the internal networks.
  • If your firewall has an ACL blocking inbound connections, configure a rule to allow GRE traffic (protocol 47).

 

Contact Zscaler Customer Support and provide the following information so Zscaler can provision the GRE tunnels:

  • Public IP address of the tunnel source
  • The physical location of your router.

Zscaler then assigns VIPs (virtual IP addresses) for use as the source and destination addresses inside the tunnel. Zscaler assigns these addresses from a pool of non-routable address space that Zscaler manages to ensure that no two customers attempt to use the same IP addresses. Zscaler sends the IP addresses to your organization, as shown in the example below.

 

After your IP addresses have been provisioned on the Zscaler service, log in to the service and define your organization’s gateway location as follows:

  1. Go to Administration > Resources > Locations.
  2. Click Add.
  3. Enter general information about the location:
    • Type in its Name
    • Choose the Country.
    • Enter a State/Province, if applicable.
    • Choose the Time Zone of the location. 
      When you specify the location in a policy, the service applies the policy according to the location's time zone. For example, if a Cloud App Control policy blocks posting to Facebook between 8 a.m. and 5 p.m., and the rule is applied to locations in Spain and California, users at each location will be blocked during their respective daytime hours.
  4. Choose the IP addresses for the location:
    • The Public IP Addresses list displays the IP addresses that you sent to Zscaler when it provisioned your organization. Choose IP addresses for the location.
    • Optionally, enable the other features on this page.
  5. Click Save and activate the change.

 

Zscaler then assigns VIPs (virtual IP addresses) for use as the source and destination addresses inside the tunnel. Zscaler assigns these addresses from a pool of non-routable address space that Zscaler manages to ensure that no two customers attempt to use the same IP addresses. The following table provides an example of what Zscaler sends to an organization that wants to configure GRE tunnels together with an example for each IP address:

Example of what Zscaler sends to organizations configuring GRE tunnels

When Zscaler assigns the VIPs, the Zscaler service binds the source and destination addresses to the specified primary and secondary ZENs. The ZENs will be listening specifically for traffic from the source VIP and addressed to its destination VIP. When your GRE tunnel sends traffic to the Zscaler service, the ZEN associates the virtual source and destination addresses with your organization.