How do I configure IPsec VPN tunnels?

You can configure an IPsec VPN tunnel between the gateway of your corporate network and a Zscaler Enforcement Node (ZEN). Zscaler recommends configuring two separate VPNs to two different ZENs for high availability. If the primary IPsec VPN tunnel or if an intermediate connection goes down, all traffic is then rerouted through the backup IPsec tunnel to the secondary ZEN.

Prerequisites

Ensure that you have the following information for each tunnel:

NOTE:

  • Zscaler IPsec tunnels support a soft limit of 200 Mbps per tunnel. If your organization wants to forward more than 200 Mbps of traffic, Zscaler recommends that you configure as many additional IPsec VPN tunnels as needed. For example, if your organization forwards 400 Mbps of traffic, you can configure two primary VPN tunnels and two backup VPN tunnels. If your organization processes 600 Mbps of traffic, you would configure three primary VPN tunnels and three backup VPN tunnels.
  • For each tunnel, Zscaler supports 8 Phase 2 Security Associations per Phase 1.

Loc

  1. Go to ips.<your cloud name>.net

    You can find the name of your cloud in the URL your admins use to log into the Zscaler service. For example, if an organization logs into admin.zscalertwo.net, then that organization's cloud name is zscalertwo.net. Therefore, in this instance, you would go to ips.zscalertwo.net. To learn more, see What is my cloud name?
  2. From the menu on the left, click Cloud Enforcement Node Ranges.
  3. Locate the VPN Host Name of two data centers closest to your organization's location and resolve the hostnames. Choose one as the destination for your primary IPsec VPN tunnel, and the other as the destination for your secondary IPsec VPN tunnel.

    For example, if you're located in London, you can scroll to the Europe section of the table, then choose lon3-vpn.zscalertwo.net (London) as your primary destination and amsterdam2-vpn.zscalertwo.net (Amsterdam) as your secondary destination.
    [Image: Cloud ENR]

Configuration Tasks

Interoperability List

The following vendors and software versions have been tested and verified by the Zscaler QA team.

Vendor    Model             Software Version
Cisco     ASA               8.2.5
Cisco     ISR 881           15.1(3)T
Cisco     ISR 2821          12.4(16)
Juniper   SSG5              6.0.0
Juniper   SRX210, SRX220    10.4R4.5

Configuration Guidelines

This section lists the IPsec parameters that Zscaler supports. Note that when there are multiple options, the values in bold are the recommended settings.

IKE Phase 1

  • Mode: Aggressive mode when the authentication method is PSK and the FQDN of the peer is used to identify it. Main mode when the authentication method is PSK and the peer has a static IP address.
  • Encryption algorithm: AES-128, 3DES, DES
  • Authentication Algorithm: SHA1-128, MD5
  • Diffie-Hellman Group 2
  • SA Lifetime: 24 hours
  • Lifebytes: Unlimited
  • Authentication: Pre-shared keys, digital signature using RSA, external authentication and pre-shared keys, or external authentication and RSA
  • NAT-T: NAT-T is supported if the device initiating the IPsec VPN is behind another firewall or router performing NAT.
  • NAT keepalive interval: 20 secs
  • Enable dead-peer-detection keepalives (timeout is 20 secs and max retry 5)

IKE Phase 2

  • Mode: Quick mode
  • Encryption and Authentication Algorithms: NULL/MD5, AES-128/MD5
  • Diffie-Hellman Group 2
  • SA Lifetime: 8 hours
  • Lifebytes: Unlimited
  • Perfect Forward Secrecy (PFS) option is disabled. This option enables each IPsec SA to generate a new shared secret through a Diffie-Hellman exchange. This option is not recommended for Zscaler VPNs.
  • MTU (Maximum Transmission Unit): 1400 bytes (To learn how to determine this value, see Determining the MTU.)
  • MSS (Maximum Segment Size): 1300 bytes
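The Phase 1 and Phase 2 guidelines above, the mode rule (aggressive mode for a PSK peer identified by FQDN, main mode for a PSK peer with a static IP) and the recommendation to build two tunnels to two different ZENs can be turned into concrete gateway configuration. The following script renders strongSwan ipsec.conf stanzas and matching ipsec.secrets lines from those parameters. It is an added example, not Zscaler's or strongSwan's own code; the ZEN host names are taken from the London example above, while the peer FQDN, local subnet and PSK are constructed placeholders, and the DPD timeout of 100 s is this example's mapping of "20 s timeout, 5 retries" onto strongSwan's single timeout value.

```python
"""Render strongSwan ipsec.conf stanzas that follow the Zscaler IPsec
guidelines (IKEv1; Phase 1 AES-128/SHA1/DH group 2, 24 h; Phase 2 NULL or
AES-128 with MD5, PFS off, 8 h; DPD on). Added example, not Zscaler's or
strongSwan's code; identities, subnet and the PSK are placeholders."""
from dataclasses import dataclass
import ipaddress
import math

TUNNEL_SOFT_LIMIT_MBPS = 200               # per-tunnel soft limit from the note above
PHASE1_PROPOSAL = "aes128-sha1-modp1024"   # AES-128, SHA1, DH group 2
PHASE2_CIPHERS = ("null", "aes128")        # both paired with MD5 in Phase 2


@dataclass(frozen=True)
class Tunnel:
    name: str            # conn name, e.g. zscaler-primary
    zen_host: str        # VPN Host Name from Cloud Enforcement Node Ranges
    peer_identity: str   # FQDN registered with Zscaler, or the gateway's static public IP
    local_subnet: str    # LAN whose traffic is sent through the tunnel
    phase2_cipher: str = "null"


def ranges_host(admin_host: str) -> str:
    """admin.<cloud>.net (the admin login host) -> ips.<cloud>.net."""
    cloud = admin_host[len("admin."):] if admin_host.startswith("admin.") else admin_host
    return f"ips.{cloud}"


def tunnels_needed(mbps: float) -> tuple:
    """(primary, backup) tunnel count for the 200 Mbps-per-tunnel soft limit."""
    n = max(1, math.ceil(mbps / TUNNEL_SOFT_LIMIT_MBPS))
    return n, n


def identity_is_ip(identity: str) -> bool:
    try:
        ipaddress.ip_address(identity)
        return True
    except ValueError:
        return False


def ike_mode(peer_identity: str) -> str:
    """PSK + FQDN identity -> aggressive mode; PSK + static IP -> main mode."""
    return "main" if identity_is_ip(peer_identity) else "aggressive"


def _leftid(identity: str) -> str:
    # strongSwan identities: IP literals as-is, FQDNs prefixed with '@'
    return identity if identity_is_ip(identity) else "@" + identity


def render_conn(t: Tunnel) -> str:
    if t.phase2_cipher not in PHASE2_CIPHERS:
        raise ValueError(f"unsupported Phase 2 cipher {t.phase2_cipher!r}; use one of {PHASE2_CIPHERS}")
    aggressive = "yes" if ike_mode(t.peer_identity) == "aggressive" else "no"
    lines = [
        f"conn {t.name}",
        "    keyexchange=ikev1",
        f"    aggressive={aggressive}",
        "    type=tunnel",
        "    authby=psk",
        "    left=%defaultroute",
        f"    leftid={_leftid(t.peer_identity)}",
        f"    leftsubnet={t.local_subnet}",
        f"    right={t.zen_host}",
        "    rightsubnet=0.0.0.0/0",
        f"    ike={PHASE1_PROPOSAL}!",
        # no DH group in the ESP proposal => PFS disabled, as recommended
        f"    esp={t.phase2_cipher}-md5!",
        "    ikelifetime=24h",
        "    lifetime=8h",
        # DPD: probe every 20 s; assumption: 5 missed probes (100 s) = peer dead
        "    dpddelay=20s",
        "    dpdtimeout=100s",
        "    dpdaction=restart",
        "    auto=start",
    ]
    return "\n".join(lines) + "\n"


def render_ha_pair(primary: Tunnel, secondary: Tunnel) -> str:
    """Two conns to two different ZENs; fail-over is driven by DPD and routing."""
    if primary.zen_host == secondary.zen_host:
        raise ValueError("primary and secondary tunnels must terminate on different ZENs")
    return render_conn(primary) + "\n" + render_conn(secondary)


def render_secrets(tunnels, psk: str) -> str:
    """ipsec.secrets lines: one PSK entry per distinct local identity."""
    ids = {_leftid(t.peer_identity) for t in tunnels}
    return "".join(f'{i} %any : PSK "{psk}"\n' for i in sorted(ids))


if __name__ == "__main__":
    # Constructed sample: a London site using the two ZENs named above
    primary = Tunnel("zscaler-primary", "lon3-vpn.zscalertwo.net", "branch1.example.com", "10.1.0.0/24")
    secondary = Tunnel("zscaler-secondary", "amsterdam2-vpn.zscalertwo.net", "branch1.example.com", "10.1.0.0/24")
    print(render_ha_pair(primary, secondary))
    print(render_secrets([primary, secondary], "REPLACE-WITH-REAL-PSK"))
```

The MTU of 1400 bytes and MSS of 1300 bytes are not ipsec.conf settings: set the MTU on the route or interface that carries the tunnel and clamp the TCP MSS in the firewall. The PFS setting is worth checking explicitly on any vendor: in strongSwan it is switched on only by adding a DH group to the esp proposal, so the rendered `esp=null-md5!` line is what keeps it off as the guideline recommends.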

Add VPN Credentials

Do either of the following to add VPN credentials to the Zscaler admin portal:

Add Single VPN Credentials

  1. Go to Administration > Resources > VPN Credentials.
  2. Click Add and complete the following:
    • Choose whether the peer is identified by FQDN or IP, and then enter the FQDN of the peer or select the IP address of your local gateway. The entries here must match those you sent to Zscaler beforehand.
    • Choose XAUTH if you are creating a mobile VPN. Enter the XAuth User ID of the peer.
    • If you chose FQDN or IP, enter the pre-shared key in the New Pre-Share Key and Confirm New Pre-Share Key text boxes.
    • If you chose XAUTH, enter the password in the New XAuth Password and Confirm New XAuth Password text boxes.
    • Optionally, enter additional notes or information. The comments cannot exceed 10,240 characters.
  3. Click Save and activate the change.

Import VPN Credentials

  1. Go to Administration > Resources > VPN Credentials.
  2. Ensure that your CSV file is in the correct format. Click Sample Import CSV file to download a sample.
  3. Once you have the CSV file in the correct format, click Import.
  4. From the Import VPN Credentials dialog, click Choose file, navigate to the CSV file you want to import and click Import.