This example illustrates how to configure two IPSec VPN tunnels from a FortiGate 60D firewall to two ZENs: a primary tunnel from the FortiGate 60D firewall to a ZEN in one data center, and a backup tunnel from the same firewall to a ZEN in another data center. In this example, the peers are using a pre-shared key for authentication. DPD is enabled so the firewall can detect if one VPN goes offline and move the Internet-bound traffic to the backup VPN.
This example uses private IP addresses because it was tested in a lab environment.
Zscaler IPSec tunnels support a limit of 200 Mbps for each public source IP address. If your organization wants to forward more than 200 Mbps of traffic, Zscaler recommends configuring more IPSec VPN tunnels with different public source IP addresses. For example, if your organization forwards 400 Mbps of traffic, you can configure two primary VPN tunnels and two backup VPN tunnels. If your organization forwards 600 Mbps of traffic, you can configure three primary VPN tunnels and three backup VPN tunnels.
Before you start configuring the Zscaler service and the firewall, ensure that you send Zscaler the following information:
Additionally, ensure that you have the IP addresses of the ZENs.
Do the following to configure the Zscaler service:
This section describes how to configure two IPsec VPN tunnel interfaces on a FortiGate 60D firewall running version 5.2.1. Refer to the Fortinet documentation for additional information about the user interface.
The following figure shows the lab setup.
The corporate office sends traffic from the internal network through the internal interface. It sends traffic destined for any external network through the external interface, wan1.
A. Define the VPN parameters for the primary VPN tunnel.
B. Configure the secondary tunnel as described in the preceding steps. After both tunnels are configured, you can go to VPN > IPsec > Tunnels to view them.
C. Define IPv4 policies to allow access to the newly configured tunnels.
If you want to forward only HTTP and HTTPS traffic to the Zscaler service, select them in the Service field.
D. Configure similar policy rules for the backup tunnel. Once all four policies are defined, you can go to Policy and Objects > Policy > IPv4 to view them.
E. Verify that both tunnels are up by going to VPN > Monitor > IPsec Monitor.
F. Establish static routes for the primary and backup tunnels and configure them with the same priority and distance as the default route.
At this stage, the default route has the highest priority followed by the Zscaler primary tunnel, and then the secondary tunnel.
G. Define a policy route for each tunnel. In this example, we are forwarding all traffic to Zscaler.
If you are forwarding only HTTP and HTTPS traffic to the Zscaler service, do the following:
Go to VPN > Monitor > IPsec Monitor and verify that traffic is flowing through the primary tunnel.
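The core of steps A, F and G above, expressed as an equivalent FortiOS CLI configuration. This is an added example, not configuration from the Zscaler or Fortinet documentation; the tunnel names, the 192.0.2.x and 198.51.100.x ZEN addresses, the 10.0.0.0/24 internal subnet, the pre-shared key and the distance/priority values are placeholders, and keyword syntax varies between FortiOS releases.

```fortios
# Step A: phase 1 for the primary and backup tunnels, pre-shared key, DPD on
config vpn ipsec phase1-interface
    edit "zscaler-primary"
        set interface "wan1"
        set remote-gw 192.0.2.10           # placeholder: primary ZEN address
        set psksecret "REPLACE_WITH_PSK"   # placeholder: key agreed with Zscaler
        set dpd on-idle                    # lets the firewall notice a dead peer
        set proposal aes256-sha256
        set dhgrp 14
    next
    edit "zscaler-backup"
        set interface "wan1"
        set remote-gw 198.51.100.10        # placeholder: backup ZEN address
        set psksecret "REPLACE_WITH_PSK"
        set dpd on-idle
        set proposal aes256-sha256
        set dhgrp 14
    next
end
# Phase 2 for the primary tunnel; repeat with the backup tunnel's phase1name
config vpn ipsec phase2-interface
    edit "zscaler-primary-p2"
        set phase1name "zscaler-primary"
        set proposal aes256-sha256
    next
end
# Step F: a default route through each tunnel with the same distance and
# priority as the existing default route (placeholder values 10 and 0)
config router static
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set device "zscaler-primary"
        set distance 10
        set priority 0
    next
    edit 3
        set dst 0.0.0.0 0.0.0.0
        set device "zscaler-backup"
        set distance 10
        set priority 0
    next
end
# Step G: policy route sending all internal traffic into the primary tunnel;
# add a second entry with output-device "zscaler-backup" for failover
config router policy
    edit 1
        set input-device "internal"
        set src 10.0.0.0/255.255.255.0     # placeholder: internal subnet
        set output-device "zscaler-primary"
    next
end
```

To forward only web traffic, replace the policy route's match with the HTTP and HTTPS service ports, mirroring the Service field in the IPv4 policies.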
The network processor (NP) of some Fortinet devices does not support offloading VPN phase one traffic, resulting in an unacceptable drop in VPN tunnel performance. For more information, see http://kb.fortinet.com/kb/documentLink.do?externalID=FD36044.
For more troubleshooting tips, please visit the troubleshooting page of the Fortinet FortiOS Handbook at http://docs-legacy.fortinet.com/fos50hlp/50/index.html#page/FortiOS%205.0%20Help/TestandMonitor.129.08.html.