Configuring an IPSec VPN Tunnel


You can configure an IPSec VPN tunnel between the gateway of your corporate network and a Zscaler Enforcement Node (ZEN). Zscaler recommends configuring two separate VPN tunnels to two different ZENs for high availability. If the primary IPSec VPN tunnel or an intermediate connection goes down, all traffic is rerouted through the backup IPSec VPN tunnel to the backup ZEN.

Zscaler IPSec tunnels have a soft limit of 200 Mbps per tunnel. If your organization needs to forward more than 200 Mbps of traffic, configure additional IPSec VPN tunnels, keeping a backup tunnel for every primary tunnel. For example, if your organization forwards 400 Mbps of traffic, configure two primary VPN tunnels and two backup VPN tunnels; for 600 Mbps, configure three primary and three backup VPN tunnels.

Prerequisites

Ensure that you have the following information for each tunnel:

Configuring an IPSec VPN Tunnel

To configure an IPSec VPN to a Zscaler ZEN:

  1. Review the supported IPSec VPN parameters.
  2. Add VPN credentials in the Admin Portal.
  3. Link the VPN credentials to a location.
  4. Configure your edge router or firewall to forward traffic to the Zscaler service. See the following configuration examples:

To learn more, see the Interoperability List.

Zscaler recommends always sending traffic from a router rather than a firewall.
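The configuration examples referred to in step 4 are not reproduced on this page. As an added illustration, and not Zscaler's or Cisco's published configuration, the following Cisco IOS-XE style router configuration ties steps 1 to 4 together with the recommended primary/backup tunnel pair: route-based VTIs to two ZENs, DPD on the IKEv2 SA, and IP SLA tracking that withdraws the primary default route when the path through the primary tunnel stops answering. Every address (203.0.113.10 and 203.0.113.20 as the ZENs, 198.51.100.1 as the ISP next hop, 192.0.2.1 as a probe target reachable only through the tunnel), the local FQDN identity, the pre-shared key, the interface name and the IKE/IPsec proposal values are placeholders; the proposal values in particular must be taken from the supported-parameter list in step 1, and the identity and PSK from the VPN credential created in step 2.

```cisco
! Added example, not from the Zscaler page. All names, addresses, the PSK and the
! proposal values are placeholders; match them to Zscaler's supported parameters
! and to the VPN credential created in the Admin Portal.
!
! Phase 1 (IKEv2): assumed values, check against the supported-parameter list
crypto ikev2 proposal ZS-PROPOSAL
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy ZS-POLICY
 proposal ZS-PROPOSAL
!
! One keyring entry per ZEN; both use the same VPN credential
crypto ikev2 keyring ZS-KEYRING
 peer ZEN-PRIMARY
  address 203.0.113.10
  pre-shared-key REPLACE_WITH_PSK
 peer ZEN-BACKUP
  address 203.0.113.20
  pre-shared-key REPLACE_WITH_PSK
!
! Identify the router by the FQDN of the VPN credential and run periodic DPD
! so a dead ZEN is detected in roughly 30 s rather than at SA rekey time
crypto ikev2 profile ZS-PROFILE
 match identity remote address 203.0.113.10 255.255.255.255
 match identity remote address 203.0.113.20 255.255.255.255
 identity local fqdn vpn1.branch1.example.com
 authentication remote pre-share
 authentication local pre-share
 keyring local ZS-KEYRING
 dpd 10 3 periodic
!
! Phase 2: assumed values, again check the supported-parameter list
crypto ipsec transform-set ZS-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile ZS-IPSEC
 set transform-set ZS-TS
 set ikev2-profile ZS-PROFILE
!
! Route-based VTIs, one per ZEN. "All ports and protocols down the tunnel"
! then becomes a routing decision; no crypto ACL is needed.
interface Tunnel1
 description Primary IPSec tunnel to ZEN
 ip unnumbered GigabitEthernet0/0/0
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4
 tunnel destination 203.0.113.10
 tunnel protection ipsec profile ZS-IPSEC
!
interface Tunnel2
 description Backup IPSec tunnel to ZEN
 ip unnumbered GigabitEthernet0/0/0
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4
 tunnel destination 203.0.113.20
 tunnel protection ipsec profile ZS-IPSEC
!
! Keep the ZEN endpoints on the physical uplink so encapsulated packets are
! never recursively routed into the tunnels (198.51.100.1 = ISP next hop)
ip route 203.0.113.10 255.255.255.255 198.51.100.1
ip route 203.0.113.20 255.255.255.255 198.51.100.1
!
! Tunnel monitoring: probe through Tunnel1 every 10 s; when the probe fails,
! track 1 goes down, the primary default route is withdrawn and the floating
! default route via Tunnel2 (admin distance 10) takes over.
ip sla 1
 icmp-echo 192.0.2.1 source-interface Tunnel1
 frequency 10
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
!
! Pin the probe target to Tunnel1 so the probe cannot itself fail over to
! Tunnel2 and mask a primary failure.
ip route 192.0.2.1 255.255.255.255 Tunnel1
ip route 0.0.0.0 0.0.0.0 Tunnel1 track 1
ip route 0.0.0.0 0.0.0.0 Tunnel2 10
```

For more than 200 Mbps, repeat the Tunnel1/Tunnel2 pattern with additional tunnel interfaces and additional VPN credentials, and spread source traffic across the primaries with policy routing. DPD alone is not enough for the "intermediate connection goes down" case in the text, because the IKE SA can look healthy while an upstream path is black-holing traffic, which is why the IP SLA probe runs through the tunnel rather than to the ZEN's public address.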

Integrating Zscaler with Check Point

Zscaler currently doesn't recommend forwarding traffic from Check Point (GAIA version 77.20) because Check Point doesn't support:

  • tunnel monitoring on third-party vendors
  • automatic tunnel failover, so customers must perform this manually
  • sending all ports and protocols down the tunnel without complex configuration

Also be aware that NAT-T (NAT traversal, UDP encapsulation of ESP) is not supported with Check Point, so this setting has to be disabled. With NAT traversal off, ESP (IP protocol 50) must pass unmodified between the gateway's external interface and the ZEN; if the Check Point gateway sits behind a NAT device, the tunnel will not come up.

To disable this setting:

  1. Open the Check Point gateway properties.
  2. Select IPSec VPN > VPN Advanced.
  3. Uncheck Support NAT traversal (applies to Remote Access and Site to Site connections).
  4. Click OK.

[Screenshot: Gateway settings page with the Support NAT traversal check box highlighted]