This example illustrates how to configure two IPsec VPN tunnels from a FortiGate 60D firewall to two ZENs: a primary tunnel from the FortiGate 60D firewall to a ZEN in one data center, and a backup tunnel from the same firewall to a ZEN in another data center. In this example, the peers are using a pre-shared key for authentication. DPD is enabled so the firewall can detect if one VPN goes offline and move the Internet-bound traffic to the backup VPN.
This example uses private IP addresses because it was tested in a lab environment.
NOTE: Zscaler IPsec tunnels support a soft limit of 200 Mbps per tunnel. If your organization wants to forward more than 200 Mbps of traffic, Zscaler recommends you configure more IPsec VPN tunnels as needed. For example, if your organization forwards 400 Mbps of traffic, you can configure two primary VPN tunnels and two secondary VPN tunnels. If your organization processes 600 Mbps of traffic, you would configure three primary VPN tunnels and three secondary VPN tunnels.
Before you start configuring the Zscaler service and the firewall, ensure that you send Zscaler the following information:
Additionally, ensure that you have the IP addresses of the ZENs. (Learn how to locate ZEN IP addresses for your tunnels.)
Do the following to configure the Zscaler service:
This section describes how to configure two IPsec VPN tunnel interfaces on a FortiGate 60D firewall running version 5.2.1. Refer to the Fortinet documentation for additional information about the user interface.
The following figure shows the lab setup.
The corporate office sends its traffic through the internal interface in the internal network. It sends traffic destined for any external network through the external interface, wan1.
A. Define the VPN parameters for the primary VPN tunnel.
B. Configure the secondary tunnel as described in the preceding steps. After both tunnels are configured, you can go to VPN > IPsec > Tunnels to view them.
C. Define IPv4 policies to allow access to the newly configured tunnels.
NOTE: If you want to forward only HTTP and HTTPS traffic to the Zscaler service, then select them in the Service field.
D. Configure similar policy rules for the backup tunnel. Once all four policies are defined, you can go to Policy and Objects > Policy > IPv4 to view them.
E. Verify that both tunnels are up by going to VPN > Monitor > IPsec Monitor.
F. Establish static routes for the primary and backup tunnels and configure them with the same priority and distance as the default route.
At this stage, the default route has the highest priority followed by the Zscaler primary tunnel, and then the secondary tunnel.
G. Define a policy route for each tunnel. In this example, we are forwarding all traffic to Zscaler.
NOTE: If you are forwarding only HTTP and HTTPS traffic to the Zscaler service, do the following:
Go to VPN > Monitor > IPsec Monitor and verify that traffic is flowing through the primary tunnel.
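The following listing is an added example, not part of the original article or Fortinet's documentation: a FortiOS CLI equivalent of steps A through G for the primary tunnel, to be repeated for the backup tunnel with the second ZEN's address. The ZEN address 203.0.113.10, the corporate LAN 10.1.1.0/24, the object names, the pre-shared key placeholder, and the distance/priority values (assumed to match the existing default route) are all assumptions, and lines beginning with # are annotations rather than CLI input; keyword values such as the dpd option differ between FortiOS releases, so confirm them with `set dpd ?` on your unit.

```fortios
# Phase 1 with DPD enabled so a dead ZEN is detected and traffic fails over
config vpn ipsec phase1-interface
    edit "zscaler-primary"
        set interface "wan1"
        set remote-gw 203.0.113.10
        set psksecret REPLACE_WITH_PRESHARED_KEY
        set dpd on-idle
        set dpd-retrycount 3
        set dpd-retryinterval 5
    next
end
# Phase 2 bound to the tunnel above (default 0.0.0.0/0 selectors)
config vpn ipsec phase2-interface
    edit "zscaler-primary-p2"
        set phase1name "zscaler-primary"
    next
end
# Step C: IPv4 policy allowing internal hosts into the tunnel interface
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "zscaler-primary"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
# Step F: static route via the tunnel with the same distance and priority
# as the default route (assumed here to be distance 10, priority 0)
config router static
    edit 0
        set dst 0.0.0.0 0.0.0.0
        set device "zscaler-primary"
        set distance 10
        set priority 0
    next
end
# Step G: policy route steering all corporate LAN traffic into the tunnel
config router policy
    edit 1
        set input-device "internal"
        set src 10.1.1.0/255.255.255.0
        set dst 0.0.0.0/0.0.0.0
        set output-device "zscaler-primary"
    next
end
```

After applying the matching blocks for the backup tunnel, IPsec Monitor should show both tunnels up and traffic counters increasing only on the primary until DPD declares it dead.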
The network processor (NP) of some Fortinet devices doesn't support offloading VPN phase one traffic, resulting in an unacceptable drop in VPN tunnel performance. For further information, see the following URL: http://kb.fortinet.com/kb/documentLink.do?externalID=FD36044.
For more troubleshooting tips, please visit the troubleshooting page of the Fortinet FortiOS Handbook at http://docs-legacy.fortinet.com/fos50hlp/50/index.html#page/FortiOS%205.0%20Help/TestandMonitor.129.08.html.
You can find the name of your cloud in the URL your admins use to log into the Zscaler service. For example, if an organization logs into admin.zscalertwo.net, then that organization's cloud name is zscalertwo.net. Therefore, in this instance, you would go to ips.zscalertwo.net. To learn more, see What is my cloud name?
For example, if you're located in London, you can scroll to the Europe section of the table, then choose lon3-vpn.zscalertwo.net (London) as your primary destination and amsterdam2-vpn.zscalertwo.net (Amsterdam) as your secondary destination.