How do I configure IPsec VPN tunnels?

You can configure an IPsec VPN tunnel between the gateway of your corporate network and a Zscaler Enforcement Node (ZEN). Zscaler recommends configuring two separate VPNs to two different ZENs for high availability. If the primary IPsec VPN tunnel or an intermediate connection goes down, all traffic is rerouted through the backup IPsec tunnel to the secondary ZEN.


Ensure that you have the following information for each tunnel:

Zscaler IPsec tunnels support a soft limit of 200 Mbps per tunnel. If your organization needs to forward more than 200 Mbps of traffic, configure additional IPsec VPN tunnels as needed. For example, if your organization forwards 400 Mbps of traffic, configure two primary VPN tunnels and two backup VPN tunnels; for 600 Mbps, configure three primary VPN tunnels and three backup VPN tunnels.

Configuration Tasks

Following are the tasks to configure an IPsec VPN to a Zscaler ZEN:

  1. Review the configuration guidelines.
  2. Add VPN credentials to the admin portal.
  3. Link the VPN credentials to a location.
  4. Configure your edge router to forward traffic to the Zscaler service. See the following configuration examples:

Zscaler recommends that you always forward traffic from a router rather than from a firewall. Currently, Zscaler does not recommend forwarding traffic from Check Point (GAIA version 77.20) for the following reasons:

  • Check Point doesn't support GRE tunnels.
  • Check Point doesn't support tunnel monitoring on third-party vendors.
  • Check Point doesn't support automatic tunnel failover, so customers must perform this manually.
  • Check Point doesn't support sending all ports and protocols down the tunnel without complex configuration.

Also be aware that NAT-T encapsulation is not supported with Check Point, so this setting must be disabled. To disable it:

  1. Open the Check Point gateway properties.
  2. Select IPSec VPN > VPN Advanced.
  3. Uncheck Support NAT traversal (applies to Remote Access and Site to Site connections).
    (Screenshot: the gateway's VPN Advanced page with the Support NAT traversal check box highlighted.)
  4. Click OK.

See the Interoperability List. 

This section lists the IPsec parameters that Zscaler supports. When there are multiple options, the values in bold are the recommended settings.

IKE Phase 1

  • Mode: Aggressive mode when the authentication method is PSK and the peer is identified by its FQDN. Main mode when the authentication method is PSK and the peer has a static IP address. Note that IKEv1 aggressive mode sends the PSK-derived authentication hash unencrypted, which exposes the PSK to offline guessing, so use a long, randomly generated pre-shared key.
  • Encryption algorithm: AES-128
  • Authentication (hash) algorithm: SHA-1, MD5
  • Diffie-Hellman Group 2
  • SA Lifetime: 24 hours
  • Lifebytes: Unlimited
  • Authentication: Pre-shared keys, digital signature using RSA, external authentication and pre-shared keys, or external authentication and RSA
  • NAT-T: NAT-T is supported if the device initiating the IPsec VPN is behind another firewall or router performing NAT.
  • NAT keepalive interval: 20 secs
  • Dead peer detection (DPD) keepalives: enabled, with a 20-second timeout and a maximum of 5 retries

IKE Phase 2

  • Mode: Quick mode
  • Encryption and Authentication Algorithms: NULL/MD5, AES-128/MD5

NULL means ESP provides integrity protection only; the traffic crosses the Internet leg unencrypted. If you want to use AES encryption, you must purchase a separate subscription.

  • Diffie-Hellman Group 2
  • SA Lifetime: 8 hours
  • Lifebytes: Unlimited
  • Perfect Forward Secrecy (PFS) option is disabled. This option enables each IPsec SA to generate a new shared secret through a Diffie-Hellman exchange. This option is not recommended for Zscaler VPNs.
  • MTU (Maximum Transmission Unit): 1400 bytes
  • MSS (Maximum Segment Size): 1300 bytes
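
As an added example (not Zscaler's own configuration, and not one of the vendor configuration examples this page refers to), the following Cisco IOS configuration maps the Phase 1 and Phase 2 parameters above onto a primary and a backup IPsec VTI, matching the two-ZEN high-availability layout described at the top of this page. It uses main mode with the router's static public IP as its identity, the variant listed above for peers with static addresses. The ZEN addresses 203.0.113.10 and 203.0.113.20, the ISP next hop 198.51.100.1, the interface GigabitEthernet0/0, and the pre-shared key "replace-me" are placeholders; substitute the values Zscaler provides for your location and the credentials you created in the admin portal.

```cisco
! Added example: Cisco IOS VTI configuration for two IPsec tunnels to Zscaler ZENs.
! Placeholders (not from the Zscaler page): ZEN addresses 203.0.113.10 / 203.0.113.20,
! ISP next hop 198.51.100.1, outside interface GigabitEthernet0/0, PSK "replace-me".

! --- IKE Phase 1: main mode, PSK, static IP identity ---
crypto isakmp policy 10
 encryption aes 128
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
! Identify this router by its static public IP; the same IP is registered
! as the VPN credential (type IP) in the admin portal.
crypto isakmp identity address
crypto isakmp key replace-me address 203.0.113.10
crypto isakmp key replace-me address 203.0.113.20
! Dead peer detection: probe every 20 s; unanswered probes are retried every 5 s.
crypto isakmp keepalive 20 5 periodic
! NAT-T keepalive interval of 20 s (only used when this router sits behind a NAT device).
crypto isakmp nat keepalive 20

! --- IKE Phase 2: quick mode ---
! esp-null gives integrity only; the Internet leg is not encrypted.
! Change to "esp-aes esp-md5-hmac" once the separate AES subscription is in place.
crypto ipsec transform-set ZSCALER-TS esp-null esp-md5-hmac
 mode tunnel
! 8-hour Phase 2 SA lifetime.
crypto ipsec security-association lifetime seconds 28800
! PFS stays off because no "set pfs" line is configured, as Zscaler recommends.
crypto ipsec profile ZSCALER-PROFILE
 set transform-set ZSCALER-TS

! --- Primary tunnel to ZEN 1 ---
interface Tunnel1
 description Primary IPsec tunnel to Zscaler ZEN 1
 ip unnumbered GigabitEthernet0/0
 ip mtu 1400
 ip tcp adjust-mss 1300
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ZSCALER-PROFILE

! --- Backup tunnel to ZEN 2 ---
interface Tunnel2
 description Backup IPsec tunnel to Zscaler ZEN 2
 ip unnumbered GigabitEthernet0/0
 ip mtu 1400
 ip tcp adjust-mss 1300
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.20
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ZSCALER-PROFILE

! --- Routing ---
! Host routes send the outer IKE/ESP packets to the ISP, not into the tunnels
! (otherwise the default route below would cause recursive routing).
ip route 203.0.113.10 255.255.255.255 198.51.100.1
ip route 203.0.113.20 255.255.255.255 198.51.100.1
! All Internet traffic goes via the primary VTI. When DPD tears down the SA to
! ZEN 1, Tunnel1's line protocol drops and the floating route (AD 10) takes over.
ip route 0.0.0.0 0.0.0.0 Tunnel1
ip route 0.0.0.0 0.0.0.0 Tunnel2 10
```

Verify the result with `show crypto isakmp sa` (one QM_IDLE entry per ZEN), `show crypto ipsec sa` (packets encapsulated on the Tunnel1 SA), and `show ip route` (the Tunnel1 default route installed). To exercise failover without waiting for a real outage, `shutdown` Tunnel1 and confirm that the default route moves to Tunnel2; the DPD path itself can only be tested by actually losing reachability to ZEN 1.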

Do either of the following to add VPN credentials to the Zscaler admin portal.

To add credentials one at a time:

  1. Go to Administration > Resources > VPN Credentials.
  2. Click Add and complete the following:
    • Choose how the peer is identified, FQDN or IP. Then enter the FQDN of the peer or select the IP address of your local gateway. These must be the entries you sent to Zscaler beforehand.
    • Choose XAUTH if you are creating a mobile VPN, and enter the XAuth User ID of the peer.
    • If you chose FQDN or IP, enter the pre-shared key in the New Pre-Share Key and Confirm New Pre-Share Key text boxes.
    • If you chose XAUTH, enter the password in the New XAuth Password and Confirm New XAuth Password text boxes.
    • Optionally, enter additional notes or information. The comments cannot exceed 10,240 characters.
  3. Click Save and activate the change.

To import credentials from a CSV file:

  1. Go to Administration > Resources > VPN Credentials.
  2. Ensure that your CSV file is in the correct format. Click Sample Import CSV file to download a sample.
  3. Once your CSV file is in the correct format, click Import.
  4. In the Import VPN Credentials dialog, click Choose file, navigate to the CSV file you want to import, and click Import.

To link the VPN credentials to a location, log in to the admin portal and do the following:

  1. Go to Administration > Resources > Locations.
  2. Add or edit a location.
  3. From the VPN Credentials menu, choose the IP address or FQDN.
  4. Click Done to exit the dialog.
  5. Click Save and activate the change.

The following vendors and software versions have been tested and verified by Zscaler.

Vendor    Model       Software Version
Cisco     ASA         8.2.5
Cisco     ISR 881     15.1(3)T
Cisco     ISR 2821    12.4(16)
Juniper   SSG5        6.0.0
Juniper   SRX210
