IPsec VPN Configuration Example: SonicWALL TZ 100

This example illustrates how to configure two IPsec VPN tunnels from a SonicWALL TZ 100 firewall to two ZENs in the Zscaler cloud. As shown in the figure, the corporate office sends its internal traffic to LAN port X0 in the internal network. It sends the outbound traffic to the WAN interface X1.

NOTE: Zscaler IPsec tunnels support a soft limit of 200 Mbps per tunnel. If your organization wants to forward more than 200 Mbps of traffic, Zscaler recommends you configure more IPsec VPN tunnels as needed. For example, if your organization forwards 400 Mbps of traffic, you can configure two primary VPN tunnels and two secondary VPN tunnels. If your organization processes 600 Mbps of traffic, you would configure three primary VPN tunnels and three secondary VPN tunnels.

In this example, the peers are using a pre-shared key for authentication and the FQDN of the peer. DPD must be enabled so the firewall can detect if one VPN goes offline and move the Internet-bound traffic to the other VPN. Note that the SonicWALL TZ 100 firewall does not support VPN monitoring, so it must rely on DPD to fail over.

Prerequisites

Before you start configuring the Zscaler service and the router, ensure that you send Zscaler the following information:

  • The FQDN of the peer. In this example, it is abc@test.net.
  • The PSK. In this example, the PSK is abc.

Additionally, ensure you have the IP addresses of the ZENs. To locate the ZEN IP addresses for your tunnels:

  1. Go to ips.<your cloud name>.net

    You can find the name of your cloud in the URL your admins use to log into the Zscaler service. For example, if an organization logs into admin.zscalertwo.net, then that organization's cloud name is zscalertwo.net. Therefore, in this instance, you would go to ips.zscalertwo.net. To learn more, see What is my cloud name?
  2. From the menu on the left, click Cloud Enforcement Node Ranges.
  3. Locate the VPN Host Name of two data centers closest to your organization's location and resolve the hostnames. Choose one as the destination for your primary IPsec VPN tunnel, and the other as the destination for your secondary IPsec VPN tunnel.

    For example, if you're located in London, you can scroll to the Europe section of the table, then choose lon3-vpn.zscalertwo.net (London) as your primary destination and amsterdam2-vpn.zscalertwo.net (Amsterdam) as your secondary destination.

Configure the Zscaler Service

Log in to the admin portal and add the VPN credentials, and then link them to the location as described below.

Adding VPN Credentials

  1. In the admin portal, go to Administration > Resources > VPN Credentials.
  2. Click Add and do the following:
    • Choose FQDN and enter the FQDN abc@test.net. This is the FQDN that was given to Zscaler beforehand.
    • Enter the pre-shared key abc in the text box and confirmation box.
  3. Click Save and activate the change.

Linking VPN Credentials to the Location

  1. In the admin portal, go to Administration > Resources > Locations.
  2. Click Add.
  3. In the Add Location page, do the following:
    • Enter the location name NW Branch.
    • Click the down arrow beside VPN Credentials and choose the credentials you created.
  4. Click Save and activate the change.

Configure the SonicWALL TZ 100 Firewall

This section describes how to log in to the user interface of the SonicWALL TZ 100 firewall running version 5.6.0.11-61 and configure two IPsec VPN tunnel interfaces. Refer to the SonicWALL documentation for additional information about the user interface.

Log in to the SonicWALL TZ 100 and complete the following tasks:

Configure the interfaces.

Configure the following interfaces:

  • Port X0 in the Trusted zone (LAN)
  • Port X1 in the Untrusted zone (WAN)
  1. Navigate to Network > Interfaces and click Configure beside the X0 interface.
  2. Complete the following and click OK:
    • IP Assignment: Static
    • IP Address and Subnet Mask: 192.168.168.168, 255.255.255.0
    • Management: Select HTTP, HTTPS, Ping and SSH
  3. Click Configure beside the X1 interface.
  4. In the General tab, complete the following:
    • IP Assignment: DHCP
    • Management: Select HTTP and HTTPS
    • Select Add rule to enable redirect from HTTP to HTTPS
  5. In the Advanced tab, complete the following:
    • Interface MTU: 1400
  6. Click OK.

Configure the DNS server and a default route on X1.

Configure the DNS server.

  1. Navigate to Network > DNS.
  2. Click Specify DNS Server Manually and enter the DNS server IP address. In this example, the IP address is 10.10.104.23. (See Prerequisites to learn how to locate ZEN IP addresses for your organization)
  3. Click Apply.

Configure the default route on the WAN port X1:

  1. Navigate to Network > Routing.
  2. Under Route Policies, click Add and complete the following:
    • Source: Any
    • Destination: 0.0.0.0
    • Service: Any
    • Gateway: 0.0.0.0
    • Interface: X1
    • Metric: 255
  3. Click OK.

Define the VPN policy and specify the IKE settings.

  1. Navigate to VPN > Settings.
  2. Click Add to create a new VPN policy.
  3. In the General tab, complete the following:
    • Security Policy
      • Policy Type: Site to Site
      • Authentication Method: IKE using Preshared Secret
      • Name: vpn-test
      • IPsec Primary Gateway Name or Address: 10.10.104.71 (See Prerequisites to learn how to locate ZEN IP addresses for your organization)
      • IPsec Secondary Gateway Name or Address: 10.10.104.235 (See Prerequisites to learn how to locate ZEN IP addresses for your organization)
    • IKE Authentication
      • Enter the shared secret abc.
      • Local IKE ID: Select Email Address and enter abc@test.net
      • Peer IKE ID: Select IP Address.
  4. In the Network tab, select the local network and remote networks for which the traffic will be tunneled via the IPsec tunnel:
    • Local Networks: Click Choose local network from list and select LAN Subnets.
    • Remote Networks: Select Use this VPN Tunnel as default route for all Internet traffic.
  5. In the Proposals tab, specify the parameters for the IKE Phase 1 and Phase 2 proposals:
    • IKE (Phase 1) Proposal
      • Exchange: Aggressive Mode
      • DH Group: Group 2
      • Encryption: AES-128
      • Authentication: SHA1
      • Lifetime (seconds): 86400
    • IKE (Phase 2) Proposal
      • Protocol: ESP
      • Encryption: NONE
      • Authentication: MD5
      • DH Group: Group 2
      • Life Time (seconds): 28800
  6. In the Advanced tab, complete the following:
    • Select Enable Keep Alive.
    • VPN Policy bound to: Select Zone WAN.
    • Select Preempt Secondary Gateway.
    • Primary Gateway Detection Interval (seconds): Enter 28800.
  7. Click OK.

Enable DPD, packet fragmenting and NAT traversal.

Navigate to VPN > Advanced, and do the following:

  1. Select Enable IKE Dead Peer Detection and set the following:
    • Dead Peer Detection Interval: 60 seconds
    • Failure Trigger Level: 3 missed heartbeats
  2. Select Enable Fragmented Packet Handling and Ignore DF (Don’t Fragment) Bit.
  3. Select Enable NAT Traversal.
  4. Select Clean up Active tunnels when Peer Gateway DNS name resolves to a different IP address.

After you complete the configuration, you can monitor the status of the tunnel and view packet level statistics by navigating to VPN > Settings.
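The firewall policy above is keyed to ZEN IP addresses, while the Prerequisites have you pick those addresses by resolving VPN host names, and the Advanced settings tear tunnels down when a gateway name resolves to a new address. The following script is an added example (not Zscaler's or SonicWALL's code) that a branch operator can run from a management host to catch that drift, confirm the primary and secondary really are distinct peers, and size the tunnel count and DPD failover window from the guide's 200 Mbps soft limit and 60 s / 3-heartbeat settings. Pairing each host name with the IP the guide types into the policy is a constructed assumption.

```python
import math
import socket
from typing import Callable, Dict

# Tunnel plan built from this guide's example values. Pairing each host name
# with the IP the guide enters in the VPN policy is a constructed assumption.
PLAN = {
    "primary":   {"host": "lon3-vpn.zscalertwo.net",       "configured_ip": "10.10.104.71"},
    "secondary": {"host": "amsterdam2-vpn.zscalertwo.net", "configured_ip": "10.10.104.235"},
}

def tunnels_needed(mbps: float, per_tunnel_mbps: int = 200) -> int:
    """Primary tunnels required under the per-tunnel soft limit; the same
    number of secondary tunnels backs them up (400 Mbps -> 2, 600 Mbps -> 3)."""
    return max(1, math.ceil(mbps / per_tunnel_mbps))

def dpd_detection_seconds(interval: int = 60, trigger_level: int = 3) -> int:
    """Worst-case time before DPD declares the peer dead and traffic moves to
    the other tunnel: 60 s interval x 3 missed heartbeats = 180 s."""
    return interval * trigger_level

def check_gateways(plan: Dict[str, Dict[str, str]],
                   resolve: Callable[[str], str] = socket.gethostbyname) -> Dict[str, object]:
    """Resolve each VPN host name and compare it with the IP configured in the
    firewall policy. 'drift' means the ZEN address changed and the policy is
    stale; 'distinct_peers' is False when both roles land on one address,
    in which case the secondary gateway offers no real failover."""
    findings: Dict[str, object] = {}
    resolved = {}
    for role, entry in plan.items():
        try:
            ip = resolve(entry["host"])
        except (OSError, KeyError):      # unresolvable name
            ip = None
        resolved[role] = ip
        findings[role] = {
            "resolved_ip": ip,
            "unresolvable": ip is None,
            "drift": ip is not None and ip != entry["configured_ip"],
        }
    ips = [ip for ip in resolved.values() if ip]
    findings["distinct_peers"] = len(ips) == len(set(ips)) == len(plan)
    return findings

if __name__ == "__main__":
    # Constructed offline resolver: the secondary ZEN has moved to a new address.
    fake = {"lon3-vpn.zscalertwo.net": "10.10.104.71",
            "amsterdam2-vpn.zscalertwo.net": "10.10.104.240"}
    print(check_gateways(PLAN, fake.__getitem__))
    print(tunnels_needed(400), "primary tunnels;", dpd_detection_seconds(), "s to fail over")
```

Run it without the constructed resolver to query real DNS; any role reporting drift means the gateway address in VPN > Settings must be updated before the next renegotiation fails.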

Troubleshooting

To troubleshoot your configuration:

  • Verify that the default route is configured properly so traffic can reach the Zscaler ZENs.
  • If the tunnel goes down, click Renegotiate as shown in the following figure: