Secure Internet and SaaS Access (ZIA)

IPSec VPN Configuration Guide for FortiGate Firewall

This article uses only sample IP addresses in the configuration steps and screenshots. For tunnel interface configuration, you must use only RFC 1918 IP addresses and not APIPA addresses.

This article illustrates how to configure two IPSec VPN tunnels from a FortiGate firewall to two ZIA Public Service Edges: a primary tunnel from the FortiGate firewall to a ZIA Public Service Edge in one data center, and a backup tunnel from the same firewall to a ZIA Public Service Edge in another data center. In this example, the peers use a pre-shared key for authentication. DPD is enabled, so the firewall can detect when one VPN goes offline and move the internet-bound traffic to the backup VPN.

This article uses private IP addresses because it was tested in a lab environment.

A network diagram of the primary and secondary IPSec tunnels from a FortiGate 60D firewall to two Zscaler ZIA Public Service Edges

Zscaler IPSec tunnels support a limit of 400 Mbps for each public source IP address. If your organization wants to forward more than 400 Mbps of traffic, Zscaler recommends using one of the following configurations:

  • Configure multiple IPSec tunnels with different public source IP addresses.
  • Configure multiple IPSec VPN tunnels with the same public source IP address using NAT-T and source port randomization with IKEv2 for all the configured tunnels.

For example, if your organization forwards 800 Mbps of traffic, you can configure two primary VPN tunnels and two backup VPN tunnels.

Prerequisites

Before you start configuring the Zscaler service and the firewall, ensure that you send Zscaler the following information:

Configuring the IPSec VPN Tunnel in the ZIA Admin Portal

In this configuration example, the peers are using an FQDN and a pre-shared key (PSK) for authentication.

To configure the IPSec VPN tunnels in the ZIA Admin Portal:

  1. Add the VPN Credential

    You need the FQDN and PSK to link the VPN credentials to a location and create the IKE gateways.

  2. Link the VPN Credentials to a Location

Configuring the IPSec VPN Tunnel in FortiOS

This article only covers the configuration details of IPSec VPN tunnels between the FortiOS and the ZIA Public Service Edges. For any other specific information about FortiOS, refer to the Fortinet documentation.

This section describes how to configure two IPSec VPN tunnel interfaces on a FortiGate 300E firewall running version v6.0.2. Refer to the Fortinet documentation for additional information about the user interface.

The following figure shows the lab setup:

Screenshot of the internal and external tunnel interfaces in the FortiGate 60D web UI

The corporate office sends its traffic through the internal interface in the internal network. It sends traffic destined for any external network through the external interface, wan1.

To configure the IPSec VPN tunnels on a FortiGate firewall:

Zscaler does not support Extended Sequence Number (ESN) based proposals during IPSec tunnel negotiation.

  • Define the VPN parameters for the primary and backup VPN tunnels.

    1. Go to VPN > IPsec Tunnels.
    2. Click Create New.

    3. In the VPN Setup tab:

      • Name: Enter a name for the VPN tunnel. In this example, it's Zscaler.
      • Template Type: Select Custom.

    4. In the New VPN Tunnel tab:
      1. Under the Network section:

        • IP Version: Choose IPv4.
        • Remote Gateway: Select Static IP Address.
        • IP Address: Enter your IP address.
        • Interface: Select an interface based on your requirements.
        • NAT Traversal: Choose Enable.
        • Keepalive Frequency: Enter 10.
        • Dead Peer Detection: Select On Demand.

      2. Under the Authentication section:

        • Method: Select Pre-shared Key.
        • Pre-shared Key: Enter the Pre-shared Key value.
        • IKE Version: Select 2.
        • Accept Types: Select Any Peer ID.

      3. Under Phase 1 proposal and Phase 2 selectors sections, configure the parameters for the primary tunnel as shown in the following image:

        For Phase 2, Zscaler recommends using AES-GCM-based ciphers if you have purchased a separate encryption SKU. If you do not have a separate subscription, Zscaler recommends using NULL encryption.

    5. Repeat this procedure for the backup tunnel.

    After configuring both tunnels, you can go to VPN > IPsec > Tunnels to view them.

  • Define the IPv4 policies to allow access to the newly configured tunnels.

    1. Go to Policy & Objects > Policy > IPv4.
    2. Click Create New.

    3. Create a new policy rule to allow the Zscaler primary tunnel access to the FortiGate external interface (wan1). In this example, we are forwarding all traffic to the service.

      If you want to forward only HTTP and HTTPS traffic to the Zscaler service, select them in the Service field.

    4. Create a new policy rule to allow internal network access to the Zscaler primary tunnel.

    5. Repeat this procedure to configure similar policy rules for the backup tunnel.

    Once all four policies are defined, you can go to Policy & Objects > Policy > IPv4 to view them.

  • Establish static routes for the primary and backup tunnels and configure them with the same priority and distance as the default route.

    1. Go to Network > Static Routes.
    2. Click Create New.

    3. Define the primary tunnel route as shown in the following image. Give this route the same distance as the default route and a larger priority value. In FortiOS, a route with a larger priority value has a lower priority, so the default route remains preferred. The PBR defined later overrides that priority setting. Because there are two tunnels, give the primary tunnel route a smaller priority value than the secondary tunnel route, so that the primary tunnel is preferred over the backup.

    4. Define the secondary tunnel route as shown in the following figure:

    After establishing the static routes, you can go to Monitor > Routing Monitor and verify the routing table.

  • Define a policy route for each tunnel. In this example, we are forwarding all traffic to Zscaler.

    1. Go to Network > Policy Routes.
    2. Define the primary tunnel as shown in the following image:

    If you want to forward only HTTP and HTTPS traffic to the Zscaler service:

    • Select port 80 as the destination port and define rules for the primary and secondary tunnels.
    • Define similar rules that specify port 443 as the destination port.
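The same four sub-procedures (tunnel definitions, static routes, IPv4 policies and policy routes) expressed in the FortiOS CLI, as an added example that is not part of the original article and is not Fortinet's or Zscaler's own configuration. It assumes tunnel names Zscaler and Zscaler-Backup, a LAN interface named internal with the subnet 10.1.0.0/24, sample ZIA Public Service Edge addresses 203.0.113.10 and 198.51.100.10 (documentation address ranges, not real Zscaler addresses), an IKE proposal of aes256-sha256 with DH group 14, and a placeholder PSK; take the proposal values, the gateway addresses and the PSK from your own ZIA Admin Portal configuration. The `#` comments are explanatory and are not accepted by the FortiOS CLI, so strip them before pasting.

```fortios
# Added example, not from the article. Assumed: tunnel names, LAN interface
# "internal" (10.1.0.0/24), sample gateway addresses, IKE proposal, placeholder PSK.

config vpn ipsec phase1-interface
    edit "Zscaler"
        set interface "wan1"            # external interface from the article
        set ike-version 2               # IKE Version: 2
        set peertype any                # Accept Types: Any Peer ID
        set proposal aes256-sha256      # assumed IKE proposal
        set dhgrp 14                    # assumed DH group
        set nattraversal enable         # NAT Traversal: Enable
        set keepalive 10                # Keepalive Frequency: 10
        set dpd on-demand               # Dead Peer Detection: On Demand
        set remote-gw 203.0.113.10      # sample primary ZIA Public Service Edge
        set psksecret "REPLACE_WITH_PSK"
    next
    # "Zscaler-Backup": identical settings, set remote-gw 198.51.100.10 (sample)
end

config vpn ipsec phase2-interface
    edit "Zscaler"
        set phase1name "Zscaler"
        set proposal null-sha256        # NULL encryption without the encryption SKU; aes128gcm with it
        set pfs disable
    next
    edit "Zscaler-Backup"
        set phase1name "Zscaler-Backup"
        set proposal null-sha256
        set pfs disable
    next
end

# Static routes: same distance as the default route (10 is the FortiOS default),
# a larger priority value than the default route, primary smaller than backup.
config router static
    edit 10
        set dst 0.0.0.0/0
        set device "Zscaler"
        set distance 10
        set priority 10
    next
    edit 11
        set dst 0.0.0.0/0
        set device "Zscaler-Backup"
        set distance 10
        set priority 20
    next
end

# IPv4 policies: LAN -> tunnel and tunnel -> wan1; repeat both for "Zscaler-Backup".
config firewall policy
    edit 10
        set name "internal-to-Zscaler"
        set srcintf "internal"
        set dstintf "Zscaler"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"               # use "HTTP" "HTTPS" to forward only web traffic
    next
    edit 11
        set name "Zscaler-to-wan1"
        set srcintf "Zscaler"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# Policy routes: primary entry first. While the primary tunnel and its route are
# down, the first entry is bypassed and the second one carries the traffic.
config router policy
    edit 1
        set input-device "internal"
        set src "10.1.0.0/255.255.255.0"
        set output-device "Zscaler"
    next
    edit 2
        set input-device "internal"
        set src "10.1.0.0/255.255.255.0"
        set output-device "Zscaler-Backup"
    next
end
```

The priority values 10 and 20 are arbitrary; they only need to be larger than the default route's value and ordered so the primary route sorts ahead of the backup. To restrict the policy routes to web traffic, add `set protocol 6`, `set start-port 80` and `set end-port 80` to one pair of entries and a second pair with port 443, which mirrors the port 80 and port 443 rules described above. After applying the configuration, confirm the routing table under Monitor > Routing Monitor and the tunnel state under VPN > Monitor > IPsec Monitor.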

Troubleshooting

In the ZIA Admin Portal, you can go to Analytics > Tunnel Insights to see data as well as monitor the health and status of your configured IPSec VPN tunnels. To learn more, see About Insights and About Insights Logs.

In FortiOS, go to VPN > Monitor > IPsec Monitor to verify the status and that traffic is flowing through the primary tunnel.

The network processor (NP) of some Fortinet devices doesn’t support offloading VPN phase one traffic, resulting in an unacceptable drop in VPN tunnel performance. To learn more, see How to disable offloading IPVPN ESP packets to NP per Phase 1.
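CLI checks for the same verification, followed by the CLI form of the per-phase-1 offload change the Fortinet note describes; this is an added example, not from the article or the Fortinet documentation. The tunnel name Zscaler is the one used in this article, and `#` comments must be stripped before pasting.

```fortios
# Added example: verification commands and per-tunnel NP offload change.

# IKE (phase 1) gateway state for each tunnel, including the DPD status
diagnose vpn ike gateway list

# Phase 2 SAs with packet and byte counters: traffic should increase on the
# primary tunnel, and move to the backup tunnel after the primary goes down
diagnose vpn tunnel list

# Routing table: the primary tunnel route should be present with the smaller
# priority value, and disappear when the primary tunnel is down
get router info routing-table all

# Disable NP offload for one phase 1 when the device's network processor
# cannot offload VPN phase 1 traffic (see the linked Fortinet note)
config vpn ipsec phase1-interface
    edit "Zscaler"
        set npu-offload disable
    next
end
```

Run the three diagnose and get commands before and after bringing the primary tunnel down to confirm that DPD detects the failure and that the routing table and tunnel counters move to the backup tunnel as expected.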

For more troubleshooting information on FortiOS, see the Fortinet FortiOS Handbook.

Related Articles

  • Understanding IPSec VPNs
  • Configuring an IPSec VPN Tunnel
  • About VPN Credentials
  • Adding VPN Credentials
  • Importing VPN Credentials from a CSV File
  • IPSec VPN Configuration Guide for Cisco ASA 55xx
  • IPSec VPN Configuration Guide for Cisco 881 ISR
  • IPSec VPN Configuration Guide for Juniper SRX
  • IPSec VPN Configuration Guide for Juniper SSG 20
  • IPSec VPN Configuration Guide for FortiGate Firewall
  • IPSec VPN Configuration Guide for Palo Alto Networks Firewall
  • IPSec VPN Configuration Guide for SonicWall TZ 350
  • Locating the Hostnames and IP Addresses for ZIA Public Service Edges