IPsec VPN Configuration Example: FortiGate 60D Firewall

IPsec VPN Configuration Example: FortiGate 60D Firewall

This example illustrates how to configure two IPsec VPN tunnels from a FortiGate 60D firewall to two ZENs: a primary tunnel from the FortiGate 60D firewall to a ZEN in one data center, and a backup tunnel from the same firewall to a ZEN in another data center. In this example, the peers are using a pre-shared key for authentication. DPD is enabled so the firewall can detect if one VPN goes offline and move the Internet-bound traffic to the backup VPN.

This example uses private IP addresses because it was tested in a lab environment.

NOTE: Zscaler IPsec tunnels support a soft limit of 200 Mbps per tunnel. If your organization wants to forward more than 200 Mbps of traffic, Zscaler recommends you configure more IPsec VPN tunnels as needed. For example, if you organization forwards 400 Mbps of traffic, you can configure two primary VPN tunnels and two secondary VPN tunnels. If your organization processes 600 Mbps of traffic, you would configure three primary VPN tunnels and three secondary VPN tunnels.


Before you start configuring the Zscaler service and the firewall, ensure that you send Zscaler the following information:

  • The IP address of the tunnel interface on the firewall.
  • The PSK.

Additionally, ensure that you have the IP addresses of the ZENs. (Learn how to locate ZEN IP addresses for your tunnels.)

Configure the Zscaler Service

Do the following to configure the Zscaler service:

Configure the FortiGate 60D Firewall

This section describes how to configure two IPsec VPN tunnel interfaces on a FortiGate 60D firewall running version 5.2.1. Refer to the Fortinet documentation for additional information about the user interface.

The following figure shows the lab setup.

The corporate office sends its traffic through the internal interface in the internal network. It sends traffic destined for any external network through the external interface, wan1.

A. Define the VPN parameters for the primary VPN tunnel.

  1. Go to VPN > IPsec > Tunnels and click Create New.

  1. Enter a name for the tunnel, which is Zscaler in this example, and select Custom VPN Tunnel as the template.

  1. Configure the primary tunnel as shown in the following figures.

B. Configure the secondary tunnel as described in the preceding steps. After both tunnels are configured, you can go to VPN > IPsec > Tunnels to view them.

C. Define IPv4 policies to allow access to the newly configured tunnels.

  1. Go to Policy and Objects > Policy > IPv4 and click Create New.

  1. Create a new policy rule to allow the Zscaler primary tunnel access to the Fortigate external interface (wan1). In this example, we are forwarding all traffic to the service. The following figure shows the required settings.

NOTE: If you want to forward only HTTP and HTTP traffic to the Zscaler service, then select them in the Service field.

  1. Create a new policy rule to allow internal network access to the Zscaler primary tunnel. The following figure shows the required settings.

D. Configure similar policy rules for the backup tunnel. Once all four policies are defined, you can go to Policy and Objects > Policy > IPv4 to view them.

E. Verify that both the tunnels are up by going to VPN > Monitor > IPsec Monitor.

F. Establish static routes for the primary and backup tunnels and configure them with the same priority and distance as the default route.

  1. Go to Router > Static > Static Routes and click Create New.

  1. Define the primary tunnel route as shown in the following figure. Make sure that this tunnel gets equal distance and a larger priority value compared to the default route. A tunnel with a larger priority value has lower priority. The PBR will override that priority setting. Since there are two tunnels, the primary tunnel priority value must have a lower priority than the secondary tunnel.

  1. Define the secondary tunnel route as shown in the following figure.

  1. Go to Router > Monitor > Routing Monitor and verify the routing table.

At this stage, the default route has the highest priority followed by the Zscaler primary tunnel, and then the secondary tunnel.

G. Define a policy route for each tunnel. In this example, we are forwarding all traffic to Zscaler.

  1. Go to Router > Static > Policy Routes.
  2. Define the primary tunnel as shown in the following figure.

NOTE: If you are forwarding only HTTP and HTTPS traffic to the Zscaler service, do the following:

  • Select port 80 as the destination port and define rules for the primary and secondary tunnels.
  • Define similar rules that specify port 443 as the destination port.


Go to VPN > Monitor > IPsec Monitor and verify that traffic is flowing through the primary tunnel.

The network processor (NP) of some Fortinet devices don’t support offloading VPN phase one traffic, resulting in an unacceptable drop in VPN tunnel performance. For further information, see the following URL: http://kb.fortinet.com/kb/documentLink.do?externalID=FD36044.

For more troubleshooting tips, please visit the troubleshooting page of the Fortinet FortiOS Handbook at http://docs-legacy.fortinet.com/fos50hlp/50/index.html#page/FortiOS%205.0%20Help/TestandMonitor.129.08.html.

  1. Go to ips.<your cloud name>.net

You can find the name of your cloud in the URL your admins use to log into the Zscaler service. For example, if an organization logs into admin.zscalertwo.net, then that organization's cloud name is zscalertwo.net. Therefore, in this instance, you would go to ips.zscalertwo.net. To learn more, see What is my cloud name?

  1. From the menu on the left, click Cloud Enforcement Node Ranges
  2. Locate the VPN Host Name of two data centers closest to your organization's location and resolve the hostnames. Choose one as the destination for your primary IPsec VPN tunnel, and the other as the destination for your secondary IPsec VPN tunnel. 

For example, if you're located in London, you can scroll to the Europe section of the table, then choose lon3-vpn.zscalertwo.net (London) as your primary destination and amsterdam2-vpn.zscalertwo.net (Amsterdam) as your secondary destination. 
See image.

Cloud ENR 

  1. In the admin portal, go to Administration > Resources > VPN Credentials.
  2. Click Add and do the following:
    • Choose IP, and then choose the gateway IP address. This is the IP address that was given to Zscaler beforehand.
    • Enter the pre-shared key abc in the text box and confirmation box.
  3. Click Save and activate the change.
  1. In the admin portal, go to Administration > Resources > Locations.
  2. Click Add.
  3. In the Add Location page, do the following:
    • Enter the location name.
    • Click the down arrow beside VPN Credentials and choose the credentials you created.
  4. Click Save and activate the change.