How do I configure IPsec VPN tunnels?


You can configure an IPsec VPN tunnel between the gateway of your corporate network and a Zscaler Enforcement Node (ZEN). Zscaler recommends configuring two separate VPNs to two different ZENs for high availability. If the primary IPsec VPN tunnel or an intermediate connection goes down, all traffic is rerouted through the backup IPsec tunnel to the secondary ZEN.

Prerequisites

Ensure that you have the following information for each tunnel:

NOTE: Zscaler IPsec tunnels support a soft limit of 200 Mbps per tunnel. If your organization wants to forward more than 200 Mbps of traffic, Zscaler recommends that you configure additional IPsec VPN tunnels as needed. For example, if your organization forwards 400 Mbps of traffic, you can configure two primary VPN tunnels and two backup VPN tunnels. If your organization processes 600 Mbps of traffic, you would configure three primary VPN tunnels and three backup VPN tunnels.

Configuration Tasks

Following are the tasks to configure an IPsec VPN to a Zscaler ZEN:

  1. Review the configuration guidelines.
  2. Add VPN credentials to the admin portal.
  3. Link the VPN credentials to a location.
  4. Configure your edge router to forward traffic to the Zscaler service. See the following configuration examples:

NOTE: Zscaler recommends always sending traffic from a router rather than a firewall. Currently, Zscaler doesn't recommend forwarding traffic from Check Point (GAIA version 77.20) for the following reasons:

  • Check Point doesn't support GRE tunnels.
  • Check Point doesn't support tunnel monitoring on third-party vendors.
  • Check Point doesn't support automatic tunnel failover, so customers must perform this manually.
  • Check Point doesn't support sending all ports and protocols down the tunnel without complex configuration.

See the Interoperability List.

  1. Go to ips.<your cloud name>.net. You can find the name of your cloud in the URL your admins use to log into the Zscaler service.

For example, if an organization logs into admin.zscalertwo.net, then that organization's cloud name is zscalertwo.net. Therefore, in this instance, you would go to ips.zscalertwo.net. To learn more, see What is my cloud name? 

  2. From the menu on the left, click Cloud Enforcement Node Ranges.
  3. Locate the VPN Host Name of the two data centers closest to your organization's location and resolve the hostnames. Choose one as the destination for your primary IPsec VPN tunnel, and the other as the destination for your secondary IPsec VPN tunnel.

For example, if you're located in London, you can scroll to the Europe section of the table, then choose lon3-vpn.zscalertwo.net (London) as your primary destination and amsterdam2-vpn.zscalertwo.net (Amsterdam) as your secondary destination. 
[Image: Cloud ENR (Cloud Enforcement Node Ranges) table]

This section lists the IPsec parameters that Zscaler supports. Note that when there are multiple options, the values in bold are the recommended settings.

IKE Phase 1

  • Mode: Aggressive mode when the authentication method is PSK and the FQDN of the peer is used to identify it. Main mode when the authentication method is PSK and the peer has a static IP address.
  • Encryption algorithm: AES-128, 3DES, DES
  • Authentication Algorithm: SHA1-128, MD5
  • Diffie-Hellman Group 2
  • SA Lifetime: 24 hours
  • Lifebytes: Unlimited
  • Authentication: Pre-shared keys, digital signature using RSA, external authentication and pre-shared keys, or external authentication and RSA
  • NAT-T: NAT-T is supported if the device initiating the IPsec VPN is behind another firewall or router performing NAT.
  • NAT keepalive interval: 20 secs
  • Enable dead-peer-detection keepalives (timeout is 20 secs and max retry 5)

IKE Phase 2

  • Mode: Quick mode
  • Encryption and Authentication Algorithms: NULL/MD5, AES-128/MD5

NOTE: If you'd like to use AES, you must purchase a separate subscription. Zscaler doesn't recommend using 3DES for Phase 2 encryption.

  • Diffie-Hellman Group 2
  • SA Lifetime: 8 hours
  • Lifebytes: Unlimited
  • Perfect Forward Secrecy (PFS) option is disabled. This option enables each IPsec SA to generate a new shared secret through a Diffie-Hellman exchange. This option is not recommended for Zscaler VPNs.
  • MTU (Maximum Transmission Unit): 1400 bytes
  • MSS (Maximum Segment Size): 1300 bytes
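As an added example (not from the original article and not Zscaler's own configuration), the Phase 1 and Phase 2 parameters above mapped onto a Cisco IOS route-based (VTI) IKEv1 configuration with a primary and a backup tunnel, using the London and Amsterdam ZEN hostnames from the article. The branch FQDN branch1.example.com, the REPLACE-WITH-PSK placeholder, the interface name and the 203.0.113.x peer addresses are assumed placeholders, and the aggressive-mode command syntax should be checked against your IOS release.

```cisco
! Added example: IKEv1 IOS config mapped to the Zscaler parameters above.
! Placeholders (constructed): REPLACE-WITH-PSK, branch1.example.com,
! 203.0.113.10 / .20 standing for the resolved lon3-vpn / amsterdam2-vpn addresses.
! --- Phase 1: AES-128, SHA1, DH group 2, PSK, 24 h lifetime ---
crypto isakmp policy 10
 encryption aes 128
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
! FQDN identity (aggressive mode), DPD 20 s x 5 retries, NAT-T keepalive 20 s
crypto isakmp identity hostname
crypto isakmp keepalive 20 5
crypto isakmp nat keepalive 20
crypto isakmp peer address 203.0.113.10
 set aggressive-mode password REPLACE-WITH-PSK
 set aggressive-mode client-endpoint fqdn branch1.example.com
crypto isakmp peer address 203.0.113.20
 set aggressive-mode password REPLACE-WITH-PSK
 set aggressive-mode client-endpoint fqdn branch1.example.com
! --- Phase 2: NULL/MD5 (AES-128/MD5 needs a subscription), 8 h lifetime,
! PFS disabled by leaving "set pfs" out of the profile ---
crypto ipsec security-association lifetime seconds 28800
crypto ipsec transform-set ZSCALER esp-null esp-md5-hmac
 mode tunnel
crypto ipsec profile ZSCALER
 set transform-set ZSCALER
! --- Route-based (VTI) tunnels: MTU 1400, TCP MSS 1300 ---
interface Tunnel1
 description Primary to lon3-vpn.zscalertwo.net
 ip unnumbered GigabitEthernet0/0
 ip mtu 1400
 ip tcp adjust-mss 1300
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ZSCALER
interface Tunnel2
 description Backup to amsterdam2-vpn.zscalertwo.net
 ip unnumbered GigabitEthernet0/0
 ip mtu 1400
 ip tcp adjust-mss 1300
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.20
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ZSCALER
! Floating static route: Tunnel2 carries traffic when Tunnel1 goes down
ip route 0.0.0.0 0.0.0.0 Tunnel1
ip route 0.0.0.0 0.0.0.0 Tunnel2 10
```

Because the VTI's line protocol follows the IPsec SA state, the higher-distance route to Tunnel2 only becomes active once DPD tears down the primary SA.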

Do either of the following to add VPN credentials to the Zscaler admin portal.

To add VPN credentials manually:

  1. Go to Administration > Resources > VPN Credentials.
  2. Click Add and complete the following:
    • Choose whether the peer will be identified by FQDN or IP, then enter the FQDN of the peer or select the IP address of your local gateway. The entries here are the ones you sent to Zscaler beforehand.
    • Choose XAUTH if you are creating a mobile VPN, and enter the XAuth User ID of the peer.
    • If you chose FQDN or IP, enter the pre-shared key in the New Pre-Share Key and Confirm New Pre-Share Key text boxes.
    • If you chose XAUTH, enter the password in the New XAuth Password and Confirm New XAuth Password text boxes.
    • Optionally, enter additional notes or information. The comments cannot exceed 10,240 characters.
  3. Click Save and activate the change.

To import VPN credentials from a CSV file:

  1. Go to Administration > Resources > VPN Credentials.
  2. Ensure that your CSV file is in the correct format. Click Sample Import CSV file to download a sample.
  3. Once you have the CSV file in the correct format, click Import.
  4. In the Import VPN Credentials dialog, click Choose file, navigate to the CSV file you want to import, and click Import.

Log in to the admin portal and do the following:

  1. Go to Administration > Resources > Locations.
  2. Add or edit a location.
  3. From the VPN Credentials menu, choose the IP address or FQDN.
  4. Click Done to exit the dialog.
  5. Click Save and activate the change.

The following vendors and software versions have been tested and verified by the Zscaler QA team.

Vendor    Model            Software Version
Cisco     ASA              8.2.5
Cisco     ISR 881          15.1(3)T
Cisco     ISR 2821         12.4(16)
Juniper   SSG5             6.0.0
Juniper   SRX210, SRX220   10.4R4.5