Meraki

Max70 · ‎Jul 13 2019

Hi All

Searching for this topic I found some threat but it's not clear if some one has established an IPSEC tunnel with Meraki to Zscaler cloud

Anyone did it successfully ?

Thank you

timeshimanshu · ‎Jul 14 2019

Yes, this is my MX configuration for zscaler tunnel with meraki.

under non Meraki section enter the name for your zscaler node and the public ip of your zscaler node.now the ipsec custom policies i have configured like below.

Now you have to whitelist your MX wan ip with zscaler by raising a ticket with them.

and then you need to configure the VPN credentials at Zscaler for your MX WAN ip. Make sure it matches with meraki also.

Now add location at zscaler and call your vpn credentials and add your private ip's range as sub location.

View solution in original post

timeshimanshu · ‎Jul 14 2019

Yes, this is my MX configuration for zscaler tunnel with meraki.

under non Meraki section enter the name for your zscaler node and the public ip of your zscaler node.now the ipsec custom policies i have configured like below.

Now you have to whitelist your MX wan ip with zscaler by raising a ticket with them.

and then you need to configure the VPN credentials at Zscaler for your MX WAN ip. Make sure it matches with meraki also.

Now add location at zscaler and call your vpn credentials and add your private ip's range as sub location.

Max70 · ‎Jul 14 2019

Thank you very much

I was missing the sublocation on Zsclaer. I created only the main location

Your vpn configuration fields are different. Which firmware are you using ?

I'm running the 14.39

I'm missing the field user fqdn and phase 1 mode

timeshimanshu · ‎Jul 14 2019

My mx is running on the same 14.39

Max70 · ‎Jul 14 2019

But this is my VPN setting page:

timeshimanshu · ‎Jul 14 2019

so are you able to establish the tunnel with zscaler node?

Max70 · ‎Jul 14 2019

Yes. I marked your first reply as solution

Thank you

Max

RichardChen1 · ‎Jul 14 2019

May I ask after setting up the tunnel, how do you create policy to send http/https to this tunnel?

timeshimanshu · ‎Jul 15 2019

@RichardChen1 you need to put your zscaler node ip under proxy setting to ensure your http and https traffic travels through zscaler.

or

you can download the pac file for that.

RichardChen1 · ‎Jul 15 2019

I see what you mean.

The PAC is doing the http/https redirection, not the MX.

MX is just making sure Zscaler node is reachable via vpn right?

timeshimanshu · ‎Jul 16 2019

Absolutely right @RichardChen1 . I believe as of now you can't configure the policy for Non Meraki VPN peer.

Max70 · ‎Jul 16 2019

Sorry Guys

Once you have established a tunnel IPSEC with Zscaler and subnet 0.0.0.0/0 is enough to send traffic to the firewall and it will send all traffic to zscaler

Even if you don't have the pac file or the zapp on the pc the traffic will flow trough zscaler and you will have to configure the firewall to let the right traffic exit

timeshimanshu · ‎Jul 16 2019

@Max70 agreed it should be like this but i’m using pac also.

and the route preference for the meraki is

Directly Connected
Client VPN
Static Routes
AutoVPN Routes
Non-Meraki VPN Peers
NAT*

Since non meraki vpn peers are on number 5 then and then NAT come . It should choose non meraki vpn path and hence traffic flow through zscaler tunnel directly not through nating.

Carlo · ‎Aug 2 2019

quick question,

can I use this with a multi site ORG? and will it work if the sites have 2 internet feeds?

Meraki

Community

IPSEC Tunnel withZScaler

IPSEC Tunnel withZScaler