Configuring an IPSec VPN Tunnel

You can configure an IPSec VPN tunnel between the gateway of your corporate network and a Zscaler Enforcement Node (ZEN). Zscaler recommends configuring two separate VPNs to two different ZENs for high availability. If the primary IPSec VPN tunnel or an intermediate connection goes down, all traffic is rerouted through the backup IPSec VPN tunnel to the backup ZEN.

Zscaler IPSec tunnels support a limit of 200 Mbps for each public source IP address. If your organization wants to forward more than 200 Mbps of traffic, Zscaler recommends configuring more IPSec VPN tunnels with different public source IP addresses. For example, if your organization forwards 400 Mbps of traffic, you can configure two primary VPN tunnels and two backup VPN tunnels. If your organization forwards 600 Mbps of traffic, you can configure three primary VPN tunnels and three backup VPN tunnels.
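The sizing rule above (200 Mbps per public source IP, plus one backup tunnel to a second ZEN for each primary) is easy to get wrong when a site grows, so the following planner is added here as a worked example. It is not Zscaler code; the ZEN hostnames and the 203.0.113.x source addresses are constructed placeholders, and the real values come from the Admin Portal and your own edge router. It computes how many distinct public source IPs a given load needs, pairs each with a primary and a backup tunnel, and refuses plans that reuse a source IP (which would share one 200 Mbps cap) or that terminate primary and backup on the same ZEN.

```python
import math
from dataclasses import dataclass

# Limit stated on the page: 200 Mbps per public source IP address.
PER_TUNNEL_LIMIT_MBPS = 200


@dataclass(frozen=True)
class Tunnel:
    role: str        # "primary" or "backup"
    source_ip: str   # public source IP of the on-premises gateway (constructed sample values below)
    zen: str         # ZEN endpoint; hypothetical names here, real ones come from the Admin Portal


def tunnels_required(bandwidth_mbps: float,
                     per_tunnel_limit_mbps: float = PER_TUNNEL_LIMIT_MBPS) -> int:
    """Number of primary tunnels (each on its own public source IP) needed for the load."""
    if bandwidth_mbps <= 0:
        raise ValueError("bandwidth must be positive")
    return max(1, math.ceil(bandwidth_mbps / per_tunnel_limit_mbps))


def plan_tunnels(bandwidth_mbps: float, source_ips: list[str],
                 primary_zen: str, backup_zen: str) -> list[Tunnel]:
    """Return primary+backup Tunnel pairs, one pair per distinct public source IP.

    Raises ValueError when:
      - a source IP is listed twice (both tunnels would share one 200 Mbps cap),
      - there are fewer distinct IPs than the bandwidth requires,
      - primary and backup would terminate on the same ZEN (no real HA).
    """
    if len(set(source_ips)) != len(source_ips):
        raise ValueError("each tunnel pair needs a distinct public source IP")
    needed = tunnels_required(bandwidth_mbps)
    if len(source_ips) < needed:
        raise ValueError(f"{needed} distinct public source IPs needed, only {len(source_ips)} given")
    if primary_zen == backup_zen:
        raise ValueError("primary and backup tunnels must terminate on different ZENs")

    plan: list[Tunnel] = []
    for ip in source_ips[:needed]:
        plan.append(Tunnel("primary", ip, primary_zen))
        plan.append(Tunnel("backup", ip, backup_zen))
    return plan


if __name__ == "__main__":
    # Constructed example: a 400 Mbps site with two public IPs from the documentation range.
    for t in plan_tunnels(400, ["203.0.113.10", "203.0.113.11"],
                          "zen-primary.example", "zen-backup.example"):
        print(f"{t.role:8} src={t.source_ip:14} -> {t.zen}")
```

The 400 Mbps site in the sample yields two primary and two backup tunnels, matching the worked figures in the paragraph; raising the load to 600 Mbps makes the planner demand a third public IP before it will emit a plan.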


Ensure that you have the following information for each tunnel:

To configure an IPSec VPN to a ZEN:

  1. Review the supported IPSec VPN parameters
  2. Add VPN credentials in the Admin Portal
  3. Link the VPN credentials to a location
  4. Configure your edge router or firewall to forward traffic to the Zscaler service. See the following configuration guides:

To learn more, see the Interoperability List.

Zscaler recommends always sending traffic from a router rather than from a firewall.

Integrating Zscaler with Check Point

Zscaler currently doesn't recommend forwarding traffic from Check Point (GAIA version 77.20) because Check Point doesn't support:

  • tunnel monitoring on third-party vendors
  • automatic tunnel failover, so customers must perform this manually
  • sending all ports and protocols down the tunnel without complex configuration

Also be aware that NAT-T encapsulation mode is not supported with Check Point, so this setting has to be disabled.

To disable this setting:

  1. Open the Check Point gateway properties.
  2. Select IPSec VPN > VPN Advanced.
  3. Uncheck Support NAT traversal (applies to Remote Access and Site to Site connections). See image.
  4. Click OK.


You can go to Analytics > Tunnel Insights to see data as well as monitor the health and status of your configured IPSec VPN tunnels. To learn more, see About Insights and About Insights Logs.

[Image: Check Point Gateway settings page, IPSec VPN > VPN Advanced, with the Support NAT traversal check box highlighted]