Secure Internet and SaaS Access (ZIA)

Configuring an IPSec VPN Tunnel

You can configure an IPSec VPN tunnel between the gateway of your corporate network and a ZIA Public Service Edge. Zscaler recommends configuring two separate VPNs to two different ZIA Public Service Edges for high availability. If the primary IPSec VPN tunnel or an intermediate connection goes down, all traffic is rerouted through the backup IPSec VPN tunnel to the backup ZIA Public Service Edge.

Zscaler IPSec tunnels support a limit of 400 Mbps for each public source IP address. If your organization wants to forward more than 400 Mbps of traffic, Zscaler recommends using one of the following configurations:

  • Configure multiple IPSec tunnels with different public source IP addresses.
  • Configure multiple IPSec VPN tunnels with the same public source IP address using NAT-T and source port randomization with IKEv2.

For example, if your organization forwards 800 Mbps of traffic, you can configure two primary VPN tunnels and two backup VPN tunnels.

Prerequisites

Ensure that you have the following information for each tunnel:

Configuring an IPSec VPN Tunnel

To configure an IPSec VPN to a ZIA Public Service Edge:

  1. Review the supported IPSec VPN parameters.
  2. Add VPN credentials in the Admin Portal.
  3. Link the VPN credentials to a location.
  4. Configure your edge router or firewall to forward traffic to the Zscaler service. See the following configuration guides:

If you want to forward IPv6 traffic to ZIA, you must configure IPv6 traffic selectors for both IKEv1 and IKEv2 on your device. You must also ensure that IPv6 support is enabled for your organization and locations in the ZIA Admin Portal to forward IPv6 traffic.

To learn more, see the Interoperability List.

Integrating Zscaler with Check Point

To forward traffic from Check Point (GAIA version R80.30 or later), follow the steps recorded in the Check Point documentation.

Check Point doesn't support Layer 7 health checks on third-party vendors.

Troubleshooting

You can go to Analytics > Tunnel Insights to see data as well as monitor the health and status of your configured IPSec VPN tunnels. To learn more, see About Insights and About Insights Logs.

Related Articles

  • Understanding IPSec VPNs
  • Configuring an IPSec VPN Tunnel
  • About VPN Credentials
  • Adding VPN Credentials
  • Importing VPN Credentials from a CSV File
  • IPSec VPN Configuration Guide for Cisco ASA 55xx
  • IPSec VPN Configuration Guide for Cisco 881 ISR
  • IPSec VPN Configuration Guide for Juniper SRX
  • IPSec VPN Configuration Guide for Juniper SSG 20
  • IPSec VPN Configuration Guide for FortiGate Firewall
  • IPSec VPN Configuration Guide for Palo Alto Networks Firewall
  • IPSec VPN Configuration Guide for SonicWall TZ 350
  • Locating the Hostnames and IP Addresses for ZIA Public Service Edges