IPSec VPN Configuration Example: Juniper SRX 220


This example illustrates how to configure two IPSec VPN tunnels from a Juniper SRX 220 firewall to two Zscaler Enforcement Nodes (ZENs).

As shown in the figure below, the corporate office sends its internal traffic on interfaces ge-0/0/1.0 through ge-0/0/7.0 in the trust zone. The device forwards outbound traffic through ge-0/0/0.0, and it sends Internet-bound traffic through the tunnel interface st0, which has two logical units, st0.0 (unit 0) and st0.1 (unit 1).

A network diagram showing the primary and backup IPSec tunnels from a Juniper SRX to two Zscaler ZENs.

Zscaler IPSec tunnels support a limit of 200 Mbps for each public source IP address. If your organization wants to forward more than 200 Mbps of traffic, Zscaler recommends configuring more IPSec VPN tunnels with different public source IP addresses. For example, if your organization forwards 400 Mbps of traffic, you can configure two primary VPN tunnels and two backup VPN tunnels. If your organization forwards 600 Mbps of traffic, you can configure three primary VPN tunnels and three backup VPN tunnels.

Dead Peer Detection (DPD) and VPN monitoring must be enabled so the firewall can detect if one VPN goes offline and move the Internet-bound traffic to the other VPN. In this configuration example, a route-based VPN is configured, where two tunnels are created and then inserted as the default routes in the routing table.

Prerequisites

Ensure you have the Virtual IP (VIP) addresses of the ZENs.

Configuring the IPSec VPN Tunnel in the Zscaler Admin Portal

In this configuration example, the peers use an FQDN and a pre-shared key (PSK) for authentication.

To configure the IPSec VPN tunnels in the Zscaler Admin Portal:

  1. Adding the VPN Credential

Note the FQDN and PSK of the added VPN credentials. You need this information when linking the VPN credentials to a location and creating the IKE gateways.

  2. Linking the VPN Credentials to a Location

Configuring the IPSec VPN Tunnel on Juniper SRX

Choose one of the following IKE versions and configure accordingly.

Zscaler recommends using IKEv2 because it's faster and simpler than IKEv1 and fixes IKEv1 vulnerabilities.

Troubleshooting

You can use the following CLI commands to monitor and troubleshoot the IPSec VPN tunnels.

Enter the following command to view the routing table. Ensure that st0.0 and st0.1 routes are in the routing table.

show route
inet.0: 6 destinations, 7 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:28:59
                      via st0.0
                    > via st0.1
                    [Access-internal/12] 00:28:33
                    > to 10.10.120.1 via ge-0/0/0.0
10.10.104.0/24     *[Static/5] 00:28:33
                    > to 10.10.120.1 via ge-0/0/0.0
10.10.120.0/24     *[Direct/0] 00:28:33
                    > via ge-0/0/0.0
10.10.120.43/32    *[Local/0] 00:28:33
                      Local via ge-0/0/0.0
192.168.1.0/24     *[Direct/0] 00:28:45
                    > via vlan.0
192.168.1.1/32     *[Local/0] 00:28:59
                      Local via vlan.0

Enter the following command to view the Phase 1 SA:

show security ike security-associations
Index    Remote Address                 State   Initiator cookie   Responder cookie   Mode
762537   <Primary Tunnel VIP Address>   UP      d4fe08bb5caa5236   8c2e7176846414f6   Aggressive
762540   <Backup Tunnel VIP Address>    UP      16c40476f1b054b9   a3fba378716129fa   Aggressive

Enter the following command to view the Phase 2 SA:

show security ipsec security-associations
Total active tunnels: 2
ID        Gateway                        Port   Algorithm       SPI        Life:sec/kb Mon vsys
<131073   <Primary Tunnel VIP Address>   500    ESP:null/sha1   1a39db6d   1763/ unlim U root
>131073   <Primary Tunnel VIP Address>   500    ESP:null/sha1   c362105    1763/ unlim U root
<131074   <Backup Tunnel VIP Address>    500    ESP:null/sha1   7d034970   3241/ unlim U root
>131074   <Backup Tunnel VIP Address>    500    ESP:null/sha1   933e2cd    3241/ unlim U root

Enter the following commands to clear the Phase 2 SA. Similarly, you can use the clear security ike security-associations command to clear the Phase 1 SA.

root> show security ipsec security-associations
 Total active tunnels: 1
 ID        Gateway                        Port   Algorithm       SPI        Life:sec/kb Mon vsys
 <131073   <Primary Tunnel VIP Address>   500    ESP:null/sha1   3491a9ba   2758/ unlim U root
 >131073   <Primary Tunnel VIP Address>   500    ESP:null/sha1   6840028    2758/ unlim U root

root> clear security ipsec security-associations index 131073

root> show security ipsec security-associations
 Total active tunnels: 1
 ID        Gateway                        Port   Algorithm       SPI        Life:sec/kb Mon vsys
 <131073   <Primary Tunnel VIP Address>   500    ESP:null/sha1   d4dd1b0c   3590/ unlim U root
 >131073   <Primary Tunnel VIP Address>   500    ESP:null/sha1   85115fd    3590/ unlim U root
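As an added example (not part of the Zscaler page or of Junos), the Python below parses the two show security ... security-associations outputs above and reports which tunnel is not fully established, which is the check a monitoring job would run so that a silent loss of the backup tunnel is noticed before the primary fails. The sample outputs are constructed after the page's, with the VIP placeholders replaced by RFC 5737 documentation addresses and the backup tunnel deliberately shown down; the function names and the role-to-VIP mapping are assumptions.

```python
"""Check both Zscaler tunnels from 'show security ike/ipsec security-associations' output.

Added example, not from the Zscaler page or Junos. The sample outputs are constructed
after the page's troubleshooting section: VIP placeholders are replaced by RFC 5737
addresses and the backup tunnel is deliberately shown down."""
import re

# Which peer plays which role (assumed values; take them from your IKE gateway config).
EXPECTED_PEERS = {"primary": "192.0.2.10", "backup": "198.51.100.10"}

IKE_SA_OUTPUT = """\
Index    Remote Address                 State   Initiator cookie   Responder cookie   Mode
762537   192.0.2.10                     UP      d4fe08bb5caa5236   8c2e7176846414f6   Aggressive
762540   198.51.100.10                  DOWN    16c40476f1b054b9   a3fba378716129fa   Aggressive
"""

IPSEC_SA_OUTPUT = """\
Total active tunnels: 1
ID        Gateway                        Port   Algorithm       SPI        Life:sec/kb Mon vsys
<131073   192.0.2.10                     500    ESP:null/sha1   1a39db6d   1763/ unlim U root
>131073   192.0.2.10                     500    ESP:null/sha1   c362105    1763/ unlim U root
"""

# One Phase 1 row: index, remote address, state, two cookies, mode.
IKE_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+([0-9a-f]+)\s+([0-9a-f]+)\s+(\S+)", re.M)
# One Phase 2 row: direction marker, id, gateway, port, algorithm, SPI, life sec/kb, Mon, vsys.
IPSEC_ROW = re.compile(
    r"^\s*([<>])(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+([0-9a-f]+)\s+(\d+)/\s*(\S+)\s+(\S+)\s+(\S+)", re.M)


def parse_ike_sas(text):
    """Phase 1 SAs keyed by remote address: {'index': ..., 'state': 'UP', 'mode': ...}."""
    return {m[2]: {"index": int(m[1]), "state": m[3], "mode": m[6]} for m in IKE_ROW.finditer(text)}


def parse_ipsec_sas(text):
    """Phase 2 SAs keyed by gateway, then by direction ('<' inbound, '>' outbound)."""
    sas = {}
    for m in IPSEC_ROW.finditer(text):
        direction, sa_id, gw, port, alg, spi, life, kb, mon, vsys = m.groups()
        sas.setdefault(gw, {})[direction] = {
            "id": int(sa_id), "algorithm": alg, "spi": spi, "life_sec": int(life), "monitor": mon}
    return sas


def tunnel_report(ike_text, ipsec_text, expected=EXPECTED_PEERS):
    """Per role: Phase 1 up, both Phase 2 directions present, VPN monitor reporting 'U' (up)."""
    ike, ipsec = parse_ike_sas(ike_text), parse_ipsec_sas(ipsec_text)
    report = {}
    for role, peer in expected.items():
        p2 = ipsec.get(peer, {})
        report[role] = {
            "phase1_up": ike.get(peer, {}).get("state") == "UP",
            "phase2_up": {"<", ">"} <= set(p2),
            "monitor_up": bool(p2) and all(sa["monitor"] == "U" for sa in p2.values()),
        }
    return report


def degraded_roles(report):
    """Roles whose tunnel is not fully up; a non-empty list means failover capacity is lost."""
    return [r for r, s in report.items()
            if not (s["phase1_up"] and s["phase2_up"] and s["monitor_up"])]


if __name__ == "__main__":
    rep = tunnel_report(IKE_SA_OUTPUT, IPSEC_SA_OUTPUT)
    for role, status in rep.items():
        print(role, status)
    print("degraded:", degraded_roles(rep))
```

Feed the script the real outputs (for example, captured over NETCONF or from a cron job running the two show commands) and alert whenever degraded_roles() is non-empty: with the primary up, traffic still flows, so the loss of the backup is invisible to users and is exactly the state that turns the next primary outage into a full outage.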

You must have a Juniper SRX 220 router running version 11.4R3.7 or later to configure IKEv2.

This section provides sample commands for configuring an IPSec VPN tunnel interface on a Juniper SRX 220 router running version 11.4R3.7. To learn more about the commands, refer to the Juniper SRX documentation.

You must provide the following information to configure the tunnels:

  • <Primary VIP Address> and <Backup VIP Address> - The VIP addresses of the ZENs.
  • <FQDN> - The FQDN of the VPN credentials you created in the Zscaler Admin Portal.
  • <Pre-Shared Key> - The pre-shared key (PSK) of the VPN credentials you created in the Zscaler Admin Portal.

To configure the IPSec VPN Tunnel on Juniper SRX:

Configure the following interfaces on the router. Ensure the following:

  • ge-0/0/0.0 is the WAN external interface. It obtains its IP address from a DHCP server.
  • ge-0/0/1.0 through ge-0/0/7.0 are members of the vlan-trust VLAN, which is routed through vlan.0.
  • st0 and st1 are the tunnel interfaces. Logical units 0 and 1 are configured on st0, giving st0.0 and st0.1; the two default routes use these two units.

Enter the following commands:

set interfaces ge-0/0/0 unit 0 family inet dhcp
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/7 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces st0 unit 0 family inet
set interfaces st0 unit 1 family inet
set interfaces st1 unit 0 family inet
set interfaces vlan unit 0 family inet address 192.168.1.1/24

The CLI output should be similar to the following:

interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                dhcp;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/6 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/7 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    st0 {
        unit 0 {
            family inet;
        }
        unit 1 {
            family inet;
        }
    }
    st1 {
        unit 0 {
            family inet;
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
}

Configure the security zones and associate the interfaces with the zones. Ensure the following:

  • ge-0/0/0.0 is in the untrust zone.
  • All interfaces in the VLAN (ge-0/0/1.0 through ge-0/0/7.0) are placed in the trust zone through vlan.0.
  • st0.0 and st0.1 are in the vpn zone, so that traffic can pass through either tunnel interface.

Enter the following commands:

set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone trust interfaces vlan.0
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone vpn interfaces st0.0
set security zones security-zone vpn interfaces st0.1
set security zones security-zone vpn host-inbound-traffic system-services all

The CLI output should be similar to the following:

zones {
    security-zone untrust {
        host-inbound-traffic {
            system-services {
                ike;
            }
        }
        interfaces {
            ge-0/0/0.0;
        }
    }
    security-zone trust {
        host-inbound-traffic {
            system-services {
                all;
            }
        }
        interfaces {
            vlan.0;
        }
    }
    security-zone vpn {
        host-inbound-traffic {
            system-services {
                all;
            }
        }
        interfaces {
            st0.0;
            st0.1;
        }
    }
}

Configure a security policy to allow traffic from the trust zone to the vpn zone.

In the CLI example below, the source-address, destination-address, and application are set to any. Adding address book entries and matching on them makes the policy stricter.

Enter the following commands:

set security policies from-zone trust to-zone vpn policy <Security Policy Name> match source-address any
set security policies from-zone trust to-zone vpn policy <Security Policy Name> match destination-address any
set security policies from-zone trust to-zone vpn policy <Security Policy Name> match application any
set security policies from-zone trust to-zone vpn policy <Security Policy Name> then permit

The CLI output should be similar to the following:

from-zone trust to-zone vpn {
     policy <Security Policy Name> {
          match {
             source-address any;
             destination-address any;
             application any;
          }
          then {
               permit;
          }
     }
}

Configure static routing. Specify the traffic you want to route through the IPSec VPN tunnels to Zscaler.

Enter the following commands:

set routing-options static route 0.0.0.0/0 next-hop [ st0.0 st0.1 ]

The CLI output should be similar to the following:

routing-options {
     static {
         route 0.0.0.0/0 next-hop [ st0.0 st0.1 ];
     }
}

Configure the IKE proposal for IKE Phase 1. The IKE proposal is a list of security parameters used to protect the IKE connection.

Enter the following commands:

set security ike proposal <IKE Proposal Name> authentication-method pre-shared-keys
set security ike proposal <IKE Proposal Name> dh-group group14
set security ike proposal <IKE Proposal Name> authentication-algorithm sha-256
set security ike proposal <IKE Proposal Name> encryption-algorithm aes-256-cbc
set security ike proposal <IKE Proposal Name> lifetime-seconds 3600

The CLI output should be similar to the following:

ike {
    proposal <IKE Proposal Name> {
        authentication-method pre-shared-keys;
        dh-group group14;
        authentication-algorithm sha-256;
        encryption-algorithm aes-256-cbc;
        lifetime-seconds 3600;
    }
}

You will need the <IKE Proposal Name> for F. Configure the IKE Policy.

Configure the IKE policy to associate with the IKE proposal. The IKE policy defines the PSK of the peer and the IKE proposal used during the IKE negotiation. You need the <IKE Proposal Name> created in E. Configure the IKE Proposal.

Enter the following commands:

set security ike policy <IKE Policy Name> mode aggressive
set security ike policy <IKE Policy Name> proposals <IKE Proposal Name>
set security ike policy <IKE Policy Name> pre-shared-key ascii-text <Pre-Shared Key>

The CLI output should be similar to the following:

     policy <IKE Policy Name> {
         mode aggressive;
         proposals <IKE Proposal Name>;
         pre-shared-key ascii-text "$9$iHfz9Cu1Eyp0"; ## SECRET-DATA
     }

You will need the <IKE Policy Name> for G. Configure the IKE Gateways.

Configure two IKE gateways. You need the <IKE Policy Name> created in F. Configure the IKE Policy.

Enter the following commands:

set security ike gateway <Primary IKE Gateway Name> ike-policy <IKE Policy Name>
set security ike gateway <Primary IKE Gateway Name> address <Primary VIP Address>
set security ike gateway <Primary IKE Gateway Name> dead-peer-detection always-send
set security ike gateway <Primary IKE Gateway Name> dead-peer-detection interval 20
set security ike gateway <Primary IKE Gateway Name> dead-peer-detection threshold 5
set security ike gateway <Primary IKE Gateway Name> nat-keepalive 10
set security ike gateway <Primary IKE Gateway Name> local-identity user-at-hostname "<FQDN>"
set security ike gateway <Primary IKE Gateway Name> external-interface ge-0/0/0.0
set security ike gateway <Primary IKE Gateway Name> version v2-only
set security ike gateway <Backup IKE Gateway Name> ike-policy <IKE Policy Name>
set security ike gateway <Backup IKE Gateway Name> address <Backup VIP Address>
set security ike gateway <Backup IKE Gateway Name> dead-peer-detection always-send
set security ike gateway <Backup IKE Gateway Name> dead-peer-detection interval 20
set security ike gateway <Backup IKE Gateway Name> dead-peer-detection threshold 5
set security ike gateway <Backup IKE Gateway Name> nat-keepalive 10
set security ike gateway <Backup IKE Gateway Name> local-identity user-at-hostname "<FQDN>"
set security ike gateway <Backup IKE Gateway Name> external-interface ge-0/0/0.0
set security ike gateway <Backup IKE Gateway Name> version v2-only

The CLI output should be similar to the following:

    gateway <Primary IKE Gateway Name> {
        ike-policy <IKE Policy Name>;
        address <Primary VIP Address>;
        dead-peer-detection {
            always-send;
            interval 20;
            threshold 5;
        }
        nat-keepalive 10;
        local-identity user-at-hostname "<FQDN>";
        external-interface ge-0/0/0.0;
        version v2-only;
    }
    gateway <Backup IKE Gateway Name> {
        ike-policy <IKE Policy Name>;
        address <Backup VIP Address>;
        dead-peer-detection {
            always-send;
            interval 20;
            threshold 5;
        }
        nat-keepalive 10;
        local-identity user-at-hostname "<FQDN>";
        external-interface ge-0/0/0.0;
        version v2-only;
    }

You will need the <Primary IKE Gateway Name> and <Backup IKE Gateway Name> for K. Configure the IPSec VPNs.

Configure VPN monitoring for IKE Phase 2 SAs.

Enter the following commands:

set security ipsec vpn-monitor-options interval 30
set security ipsec vpn-monitor-options threshold 4

The CLI output should be similar to the following:

ipsec {
    vpn-monitor-options {
        interval 30;
        threshold 4;
    }
}

Configure the IPSec proposal. The IPSec proposal is a list of protocols and algorithms used to negotiate with the IPSec peer.

Zscaler recommends using null encryption because it reduces the load on the local router/firewall for traffic destined for the Internet. If you would like to use AES, you can purchase a separate subscription.

Enter the following commands:

set security ipsec proposal <IPSec Proposal Name> protocol esp
set security ipsec proposal <IPSec Proposal Name> authentication-algorithm hmac-sha-256-128
set security ipsec proposal <IPSec Proposal Name> lifetime-seconds 3600

The CLI output should be similar to the following:

     proposal <IPSec Proposal Name> {
         protocol esp;
         authentication-algorithm hmac-sha-256-128;
         lifetime-seconds 3600;
     }

You will need the <IPSec Proposal Name> for J. Configure the IPSec Policy.

Configure the IPSec policy to associate with the IPSec proposal. The IPSec policy defines the proposal used during the IPSec negotiation. You need the <IPSec Proposal Name> created in I. Configure the IPSec Proposal.

Enter the following command:

set security ipsec policy <IPSec Policy Name> proposals <IPSec Proposal Name>

The CLI output should be similar to the following:

    policy <IPSec Policy Name> {
        proposals <IPSec Proposal Name>;
    }

You will need the <IPSec Policy Name> for K. Configure the IPSec VPNs.

Configure two IPSec VPNs that are associated with your tunnel interfaces and IKE gateways. You need the <Primary IKE Gateway Name>, <Backup IKE Gateway Name>, and <IPSec Policy Name> configured in G. Configure the IKE Gateways and J. Configure the IPSec Policy.

In the CLI example below, the IPSec VPNs are bound to tunnel interfaces st0.0 and st0.1. If you want specific local subnets to use the VPN, you can define a proxy ID with the proxy-identity statement. In this example, the local subnet is 10.10.10.0/24.

Enter the following commands:

set security ipsec vpn <Primary IPSec VPN Name> bind-interface st0.0
set security ipsec vpn <Primary IPSec VPN Name> df-bit copy
set security ipsec vpn <Primary IPSec VPN Name> ike gateway <Primary IKE Gateway Name>
set security ipsec vpn <Primary IPSec VPN Name> ike proxy-identity local 10.10.10.0/24 remote 0.0.0.0/0
set security ipsec vpn <Primary IPSec VPN Name> ike ipsec-policy <IPSec Policy Name>
set security ipsec vpn <Primary IPSec VPN Name> establish-tunnels immediately
set security ipsec vpn <Backup IPSec VPN Name> bind-interface st0.1
set security ipsec vpn <Backup IPSec VPN Name> df-bit copy
set security ipsec vpn <Backup IPSec VPN Name> ike gateway <Backup IKE Gateway Name>
set security ipsec vpn <Backup IPSec VPN Name> ike proxy-identity local 10.10.10.0/24 remote 0.0.0.0/0
set security ipsec vpn <Backup IPSec VPN Name> ike ipsec-policy <IPSec Policy Name>
set security ipsec vpn <Backup IPSec VPN Name> establish-tunnels immediately

The CLI output should be similar to the following:

    vpn <Primary IPSec VPN Name> {
        bind-interface st0.0;
        df-bit copy;
        ike {
            gateway <Primary IKE Gateway Name>;
            proxy-identity {
                local 10.10.10.0/24;
                remote 0.0.0.0/0;
            }
            ipsec-policy <IPSec Policy Name>;
        }
        establish-tunnels immediately;
    }
    vpn <Backup IPSec VPN Name> {
        bind-interface st0.1;
        df-bit copy;
        ike {
            gateway <Backup IKE Gateway Name>;
            proxy-identity {
                local 10.10.10.0/24;
                remote 0.0.0.0/0;
            }
            ipsec-policy <IPSec Policy Name>;
        }
        establish-tunnels immediately;
    }

Configure source NAT for traffic from the trust zone to the untrust zone, that is, traffic that the firewall sends directly out of ge-0/0/0.0 rather than through a tunnel interface. Source NAT isn't required for traffic from the trust zone to the vpn zone because, as configured in the routing table, all Internet traffic is sent through the IPSec VPN tunnels.

In the source NAT rule below, the source IP address 192.168.1.0/24 is the LAN IP subnet.

Enter the following commands:

set security nat source rule-set <NAT Rule Set Name> from zone trust
set security nat source rule-set <NAT Rule Set Name> to zone untrust
set security nat source rule-set <NAT Rule Set Name> rule <NAT Rule Name> match source-address 192.168.1.0/24
set security nat source rule-set <NAT Rule Set Name> rule <NAT Rule Name> match destination-address 0.0.0.0/0
set security nat source rule-set <NAT Rule Set Name> rule <NAT Rule Name> then source-nat interface

The CLI output should be similar to the following:

nat {
    source {
        rule-set <NAT Rule Set Name> {
            from zone trust;
            to zone untrust;
            rule <NAT Rule Name> {
                match {
                    source-address 192.168.1.0/24;
                    destination-address 0.0.0.0/0;
                }
                then {
                    source-nat {
                        interface;
                    }
                }
            }
        }
    }
}

This section provides sample commands for configuring an IPsec VPN tunnel interface on a Juniper SRX 220 router running version 10.4. To learn more about the commands, refer to the Juniper SRX documentation.

You must provide the following information to configure the tunnels:

  • <Primary VIP Address> and <Backup VIP Address> - The VIP addresses of the ZENs.
  • <FQDN> - The FQDN of the VPN credentials you created in the Zscaler Admin Portal.
  • <Pre-Shared Key> - The pre-shared key (PSK) of the VPN credentials you created in the Zscaler Admin Portal.

To configure the IPSec VPN Tunnel on Juniper SRX:

Configure the following interfaces on the router. Ensure the following:

  • ge-0/0/0.0 is the WAN external interface. It obtains its IP address from a DHCP server.
  • ge-0/0/1.0 through ge-0/0/7.0 are members of the vlan-trust VLAN, which is routed through vlan.0.
  • st0 and st1 are the tunnel interfaces. Logical units 0 and 1 are configured on st0, giving st0.0 and st0.1; the two default routes use these two units.

Enter the following commands:

set interfaces ge-0/0/0 unit 0 family inet dhcp
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/7 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces st0 unit 0 family inet
set interfaces st0 unit 1 family inet
set interfaces st1 unit 0 family inet
set interfaces vlan unit 0 family inet address 192.168.1.1/24

The CLI output should be similar to the following:

interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                dhcp;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/6 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/7 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    st0 {
        unit 0 {
            family inet;
        }
        unit 1 {
            family inet;
        }
    }
    st1 {
        unit 0 {
            family inet;
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
}

Configure the security zones and associate the interfaces with the zones. Ensure the following:

  • ge-0/0/0.0 is in the untrust zone.
  • All interfaces in the VLAN (ge-0/0/1.0 through ge-0/0/7.0) are placed in the trust zone through vlan.0.
  • st0.0 and st0.1 are in the vpn zone, so that traffic can pass through either tunnel interface.

Enter the following commands:

set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone trust interfaces vlan.0
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone vpn interfaces st0.0
set security zones security-zone vpn interfaces st0.1
set security zones security-zone vpn host-inbound-traffic system-services all

The CLI output should be similar to the following:

zones {
    security-zone untrust {
        host-inbound-traffic {
            system-services {
                ike;
            }
        }
        interfaces {
            ge-0/0/0.0;
        }
    }
    security-zone trust {
        host-inbound-traffic {
            system-services {
                all;
            }
        }
        interfaces {
            vlan.0;
        }
    }
    security-zone vpn {
        host-inbound-traffic {
            system-services {
                all;
            }
        }
        interfaces {
            st0.0;
            st0.1;
        }
    }
}

Configure the security policy to allow traffic from the trust zone to the vpn zone.

In the CLI example below, the source-address, destination-address, and application are set to any. Adding address book entries and matching on them makes the policy stricter.

Enter the following commands:

set security policies from-zone trust to-zone vpn policy <Security Policy Name> match source-address any
set security policies from-zone trust to-zone vpn policy <Security Policy Name> match destination-address any
set security policies from-zone trust to-zone vpn policy <Security Policy Name> match application any
set security policies from-zone trust to-zone vpn policy <Security Policy Name> then permit

The CLI output should be similar to the following:

from-zone trust to-zone vpn {
     policy <Security Policy Name> {
          match {
             source-address any;
             destination-address any;
             application any;
          }
          then {
               permit;
          }
     }
}

Configure static routing. Specify the internet traffic you want to route through the IPSec VPN tunnels to Zscaler.

Enter the following commands:

set routing-options static route 0.0.0.0/0 next-hop [ st0.0 st0.1 ]

The CLI output should be similar to the following:

routing-options {
     static {
         route 0.0.0.0/0 next-hop [ st0.0 st0.1 ];
     }
}

Configure the IKE proposal for IKE Phase 1. The IKE proposal is a list of security parameters used to protect the IKE connection.

Enter the following commands:

set security ike proposal <IKE Proposal Name> authentication-method pre-shared-keys
set security ike proposal <IKE Proposal Name> dh-group group2
set security ike proposal <IKE Proposal Name> authentication-algorithm sha1
set security ike proposal <IKE Proposal Name> encryption-algorithm aes-128-cbc
set security ike proposal <IKE Proposal Name> lifetime-seconds 86400

The CLI output should be similar to the following:

ike {
    proposal <IKE Proposal Name> {
        authentication-method pre-shared-keys;
        dh-group group2;
        authentication-algorithm sha1;
        encryption-algorithm aes-128-cbc;
        lifetime-seconds 86400;
    }
}

You will need the <IKE Proposal Name> for F. Configure the IKE Policy.

Configure the IKE policy to associate with the IKE proposal. The IKE policy defines the PSK of the peer and the IKE proposal used during the IKE negotiation. You need the <IKE Proposal Name> created in E. Configure the IKE Proposal.

Enter the following commands:

set security ike policy <IKE Policy Name> mode aggressive
set security ike policy <IKE Policy Name> proposals <IKE Proposal Name>
set security ike policy <IKE Policy Name> pre-shared-key ascii-text <Pre-Shared Key>

The CLI output should be similar to the following:

    policy <IKE Policy Name> {
        mode aggressive;
        proposals <IKE Proposal Name>;
        pre-shared-key ascii-text "<Pre-Shared Key>"; ## SECRET-DATA
    }

You will need the <IKE Policy Name> for G. Configure the IKE Gateways.

Configure two IKE gateways. You need the <IKE Policy Name> created in F. Configure the IKE Policy.

Enter the following commands:

set security ike gateway <Primary IKE Gateway Name> ike-policy <IKE Policy Name>
set security ike gateway <Primary IKE Gateway Name> address <Primary VIP Address>
set security ike gateway <Primary IKE Gateway Name> dead-peer-detection always-send
set security ike gateway <Primary IKE Gateway Name> dead-peer-detection interval 20
set security ike gateway <Primary IKE Gateway Name> dead-peer-detection threshold 5
set security ike gateway <Primary IKE Gateway Name> nat-keepalive 20
set security ike gateway <Primary IKE Gateway Name> local-identity user-at-hostname "<FQDN>"
set security ike gateway <Primary IKE Gateway Name> external-interface ge-0/0/0.0
set security ike gateway <Backup IKE Gateway Name> ike-policy <IKE Policy Name>
set security ike gateway <Backup IKE Gateway Name> address <Backup VIP Address>
set security ike gateway <Backup IKE Gateway Name> dead-peer-detection always-send
set security ike gateway <Backup IKE Gateway Name> dead-peer-detection interval 20
set security ike gateway <Backup IKE Gateway Name> dead-peer-detection threshold 5
set security ike gateway <Backup IKE Gateway Name> nat-keepalive 20
set security ike gateway <Backup IKE Gateway Name> local-identity user-at-hostname "<FQDN>"
set security ike gateway <Backup IKE Gateway Name> external-interface ge-0/0/0.0

The CLI output should be similar to the following:

    gateway <Primary IKE Gateway Name> {
        ike-policy <IKE Policy Name>;
        address <Primary VIP Address>;
        dead-peer-detection {
            always-send;
            interval 20;
            threshold 5;
        }
        nat-keepalive 20;
        local-identity user-at-hostname "<FQDN>";
        external-interface ge-0/0/0.0;
    }
    gateway <Backup IKE Gateway Name> {
        ike-policy <IKE Policy Name>;
        address <Backup VIP Address>;
        dead-peer-detection {
            always-send;
            interval 20;
            threshold 5;
        }
        nat-keepalive 20;
        local-identity user-at-hostname "<FQDN>";
        external-interface ge-0/0/0.0;
    }

You will need the <Primary IKE Gateway Name> and <Backup IKE Gateway Name> for K. Configure the IPSec VPNs.

Configure VPN monitoring for IKE Phase 2 SAs.

Enter the following commands:

set security ipsec vpn-monitor-options interval 30
set security ipsec vpn-monitor-options threshold 4

The CLI output should be similar to the following:

ipsec {
    vpn-monitor-options {
        interval 30;
        threshold 4;
    }
}

Configure the IPSec proposal. The IPSec proposal is a list of protocols and algorithms used to negotiate with the IPSec peer.

Zscaler recommends using null encryption because it reduces the load on the local router/firewall for traffic destined for the Internet. If you would like to use AES, you can purchase a separate subscription.

Enter the following commands:

set security ipsec proposal <IPSec Proposal Name> protocol esp
set security ipsec proposal <IPSec Proposal Name> authentication-algorithm hmac-sha1-96
set security ipsec proposal <IPSec Proposal Name> lifetime-seconds 28800

The CLI output should be similar to the following:

     proposal <IPSec Proposal Name> {
         protocol esp;
         authentication-algorithm hmac-sha1-96;
         lifetime-seconds 28800;
     }

You will need the <IPSec Proposal Name> for J. Configure the IPSec Policy.

Configure the IPSec policy to associate with the IPSec proposal. The IPSec policy defines Perfect Forward Secrecy (PFS) and the proposal used during the IPSec negotiation. You need the <IPSec Proposal Name> created in I. Configure the IPSec Proposal.

Enter the following command:

set security ipsec policy <IPSec Policy Name> proposals <IPSec Proposal Name>

The CLI output should be similar to the following:

    policy <IPSec Policy Name> {
        proposals <IPSec Proposal Name>;
    }

You will need the <IPSec Policy Name> for K. Configure the IPSec VPNs.

Configure two IPSec VPNs that are associated with your tunnel interfaces and IKE gateways. You need the <Primary IKE Gateway Name>, <Backup IKE Gateway Name>, and <IPSec Policy Name> configured in G. Configure the IKE Gateways and J. Configure the IPSec Policy.

In the CLI example below, the IPSec VPNs are bound to tunnel interfaces st0.0 and st0.1. If you want specific local subnets to use the VPN, you can define a proxy ID with the proxy-identity statement. In this example, the local subnet is 10.10.10.0/24.

Enter the following commands:

set security ipsec vpn <Primary IPSec VPN Name> bind-interface st0.0
set security ipsec vpn <Primary IPSec VPN Name> df-bit copy
set security ipsec vpn <Primary IPSec VPN Name> ike gateway <Primary IKE Gateway Name>
set security ipsec vpn <Primary IPSec VPN Name> ike proxy-identity local 10.10.10.0/24 remote 0.0.0.0/0
set security ipsec vpn <Primary IPSec VPN Name> ike ipsec-policy <IPSec Policy Name>
set security ipsec vpn <Primary IPSec VPN Name> establish-tunnels immediately
set security ipsec vpn <Backup IPSec VPN Name> bind-interface st0.1
set security ipsec vpn <Backup IPSec VPN Name> df-bit copy
set security ipsec vpn <Backup IPSec VPN Name> ike gateway <Backup IKE Gateway Name>
set security ipsec vpn <Backup IPSec VPN Name> ike proxy-identity local 10.10.10.0/24 remote 0.0.0.0/0
set security ipsec vpn <Backup IPSec VPN Name> ike ipsec-policy <IPSec Policy Name>
set security ipsec vpn <Backup IPSec VPN Name> establish-tunnels immediately

The CLI output should be similar to the following:

    vpn <Primary IPSec VPN Name> {
        bind-interface st0.0;
        df-bit copy;
        ike {
            gateway <Primary IKE Gateway Name>;
            proxy-identity {
                local 10.10.10.0/24;
                remote 0.0.0.0/0;
            }
            ipsec-policy <IPSec Policy Name>;
        }
        establish-tunnels immediately;
    }
    vpn <Backup IPSec VPN Name> {
        bind-interface st0.1;
        df-bit copy;
        ike {
            gateway <Backup IKE Gateway Name>;
            proxy-identity {
                local 10.10.10.0/24;
                remote 0.0.0.0/0;
            }
            ipsec-policy <IPSec Policy Name>;
        }
        establish-tunnels immediately;
    }

Configure source NAT for traffic from the trust zone to the untrust zone, that is, traffic that the firewall sends directly out of ge-0/0/0.0 rather than through a tunnel interface. Source NAT isn't required for traffic from the trust zone to the vpn zone because, as configured in the routing table, all Internet traffic is sent through the IPSec VPN tunnels. Sending the traffic untranslated gives you visibility of the internal IP addresses in the Zscaler logs, the ability to create granular firewall policies, and efficient load balancing of traffic across the ZENs.

In the source NAT rule below, the source IP address 192.168.0.0/16 is the LAN IP subnet.

Enter the following commands:

set security nat source rule-set <NAT Rule Set Name> from zone trust
set security nat source rule-set <NAT Rule Set Name> to zone untrust
set security nat source rule-set <NAT Rule Set Name> rule <NAT Rule Name> match source-address 192.168.0.0/16
set security nat source rule-set <NAT Rule Set Name> rule <NAT Rule Name> match destination-address 0.0.0.0/0
set security nat source rule-set <NAT Rule Set Name> rule <NAT Rule Name> then source-nat interface

The CLI output should be similar to the following:

nat {
    source {
        rule-set <NAT Rule Set Name> {
            from zone trust;
            to zone untrust;
            rule <NAT Rule Name> {
                match {
                    source-address 192.168.0.0/16;
                    destination-address 0.0.0.0/0;
                }
                then {
                    source-nat {
                        interface;
                    }
                }
            }
        }
    }
}
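The IKEv2 and IKEv1 procedures above follow the same sequence of steps (IKE proposal, IKE policy, two IKE gateways, VPN monitoring, IPSec proposal, IPSec policy, two IPSec VPNs, default route) and differ only in the proposal values. As an added example that is not Zscaler's or Juniper's code, the Python below renders those set commands from one parameter dictionary for either IKE version, and refuses input that still carries the page's <placeholder> values, uses the same VIP for both gateways, or has an identity that is not in the user@host form that user-at-hostname expects. The zs-* object names, the parameter names and the sample values (RFC 5737 addresses, a dummy PSK) are assumptions; the interface, zone, policy and NAT steps are left to the page's own commands.

```python
"""Render the Junos 'set' commands for the two Zscaler IPsec tunnels described on this page.
Added example, not Zscaler's or Juniper's code: the zs-* object names and the parameter
dictionary are assumptions; the proposal values for each IKE version are the page's own."""
import ipaddress
import re

# Phase 1 / Phase 2 parameters as the page gives them for each IKE version.
PROFILES = {
    "v2-only": dict(dh="group14", ike_auth="sha-256", ike_enc="aes-256-cbc", ike_life=3600,
                    ipsec_auth="hmac-sha-256-128", ipsec_life=3600, nat_keepalive=10),
    "v1-only": dict(dh="group2", ike_auth="sha1", ike_enc="aes-128-cbc", ike_life=86400,
                    ipsec_auth="hmac-sha1-96", ipsec_life=28800, nat_keepalive=20),
}
INTERFACE = re.compile(r"^[a-z]+-\d+/\d+/\d+(\.\d+)?$")  # ge-0/0/0 or ge-0/0/0.0

# Constructed sample input: RFC 5737 addresses and a placeholder PSK, not real Zscaler values.
SAMPLE = dict(primary_vip="192.0.2.10", backup_vip="198.51.100.10", fqdn="branch1@example.com",
              psk="replace-with-portal-psk", wan_if="ge-0/0/0.0", local_subnet="10.10.10.0/24",
              dpd_interval=20, dpd_threshold=5, mon_interval=30, mon_threshold=4)


def validate(p):
    """Return a list of problems with the parameters; an empty list means they are usable."""
    errs = [f"{k} still holds an unreplaced <placeholder>" for k, v in p.items() if "<" in str(v)]
    for key in ("primary_vip", "backup_vip"):
        try:
            ipaddress.ip_address(p[key])
        except ValueError:
            errs.append(f"{key} is not an IP address: {p[key]!r}")
    if p["primary_vip"] == p["backup_vip"]:
        errs.append("primary and backup VIP must differ, or there is nothing to fail over to")
    if not INTERFACE.match(p["wan_if"]):
        errs.append(f"external-interface is not an interface name: {p['wan_if']!r}")
    if "@" not in p["fqdn"]:
        errs.append("local-identity user-at-hostname needs a user@host identity")
    if not p["psk"] or '"' in p["psk"]:
        errs.append("pre-shared key must be non-empty and contain no double quote")
    try:
        ipaddress.ip_network(p["local_subnet"], strict=True)
    except ValueError:
        errs.append(f"local_subnet is not a valid prefix: {p['local_subnet']!r}")
    timers = ("dpd_interval", "dpd_threshold", "mon_interval", "mon_threshold")
    if any(not isinstance(p[k], int) or p[k] <= 0 for k in timers):
        errs.append("DPD and VPN-monitor interval/threshold must be positive integers")
    return errs


def render_tunnel_config(p, version="v2-only"):
    """Return the 'set' commands for IKE, IPsec, VPN monitoring and the tunnel default route."""
    errs = validate(p)
    if errs:
        raise ValueError("; ".join(errs))
    prof = PROFILES[version]
    ike_prop, ike_pol, ipsec_prop, ipsec_pol = "zs-ike-prop", "zs-ike-pol", "zs-ipsec-prop", "zs-ipsec-pol"
    out = [
        f"set security ike proposal {ike_prop} authentication-method pre-shared-keys",
        f"set security ike proposal {ike_prop} dh-group {prof['dh']}",
        f"set security ike proposal {ike_prop} authentication-algorithm {prof['ike_auth']}",
        f"set security ike proposal {ike_prop} encryption-algorithm {prof['ike_enc']}",
        f"set security ike proposal {ike_prop} lifetime-seconds {prof['ike_life']}",
        f"set security ike policy {ike_pol} mode aggressive",
        f"set security ike policy {ike_pol} proposals {ike_prop}",
        f'set security ike policy {ike_pol} pre-shared-key ascii-text "{p["psk"]}"',
        f"set security ipsec vpn-monitor-options interval {p['mon_interval']}",
        f"set security ipsec vpn-monitor-options threshold {p['mon_threshold']}",
        f"set security ipsec proposal {ipsec_prop} protocol esp",
        f"set security ipsec proposal {ipsec_prop} authentication-algorithm {prof['ipsec_auth']}",
        f"set security ipsec proposal {ipsec_prop} lifetime-seconds {prof['ipsec_life']}",
        f"set security ipsec policy {ipsec_pol} proposals {ipsec_prop}",
        "set routing-options static route 0.0.0.0/0 next-hop [ st0.0 st0.1 ]",
    ]
    for role, vip, st in (("primary", p["primary_vip"], "st0.0"), ("backup", p["backup_vip"], "st0.1")):
        gw, vpn = f"zs-{role}-gw", f"zs-{role}-vpn"
        out += [
            f"set security ike gateway {gw} ike-policy {ike_pol}",
            f"set security ike gateway {gw} address {vip}",
            f"set security ike gateway {gw} dead-peer-detection always-send",
            f"set security ike gateway {gw} dead-peer-detection interval {p['dpd_interval']}",
            f"set security ike gateway {gw} dead-peer-detection threshold {p['dpd_threshold']}",
            f"set security ike gateway {gw} nat-keepalive {prof['nat_keepalive']}",
            f'set security ike gateway {gw} local-identity user-at-hostname "{p["fqdn"]}"',
            f"set security ike gateway {gw} external-interface {p['wan_if']}",
        ]
        if version == "v2-only":  # the page's IKEv1 procedure leaves the default IKE version
            out.append(f"set security ike gateway {gw} version v2-only")
        out += [
            f"set security ipsec vpn {vpn} bind-interface {st}",
            f"set security ipsec vpn {vpn} df-bit copy",
            f"set security ipsec vpn {vpn} ike gateway {gw}",
            f"set security ipsec vpn {vpn} ike proxy-identity local {p['local_subnet']} remote 0.0.0.0/0",
            f"set security ipsec vpn {vpn} ike ipsec-policy {ipsec_pol}",
            f"set security ipsec vpn {vpn} establish-tunnels immediately",
        ]
    return out


if __name__ == "__main__":
    print("\n".join(render_tunnel_config(SAMPLE)))
```

Paste the rendered lines into configure mode and run commit check before commit; the validation in the script catches the copy-and-paste mistakes that a commit would otherwise surface one at a time (a leftover <Pre-Shared Key> placeholder, a malformed VIP), while the commit itself still verifies the remaining interface, zone and policy statements from the page.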