IPSEC Tunnel with ZScaler

Solved
Max70
Conversationalist

Hi All

 

Searching for this topic I found some threads, but it's not clear if someone has established an IPsec tunnel from Meraki to the Zscaler cloud.

Has anyone done it successfully?

Thank you

1 Accepted Solution
timeshimanshu
Getting noticed

Yes, this is my MX configuration for the Zscaler tunnel with Meraki.

Under the Non-Meraki VPN peers section, enter the name for your Zscaler node and the public IP of your Zscaler node.

[attachment: zscaler tunnel.PNG]

Now, the IPsec custom policies I have configured are like below.

[attachment: Custome non meraki vpn peers.PNG]

 

Now you have to whitelist your MX WAN IP with Zscaler by raising a ticket with them.

And then you need to configure the VPN credentials at Zscaler for your MX WAN IP. Make sure it matches with Meraki also.

Now add a location at Zscaler, call your VPN credentials, and add your private IP ranges as a sub-location.


13 Replies
Max70
Conversationalist

Thank you very much.

I was missing the sub-location on Zscaler. I created only the main location.

Your VPN configuration fields are different. Which firmware are you using?

I'm running 14.39.

I'm missing the fields "user FQDN" and "phase 1 mode".

timeshimanshu
Getting noticed

My MX is running on the same 14.39.

Max70
Conversationalist

But this is my VPN settings page:

[attachment: Capture.PNG]

timeshimanshu
Getting noticed

So are you able to establish the tunnel with the Zscaler node?

Max70
Conversationalist

Yes. I marked your first reply as the solution.

Thank you

Max

RichardChen1
Getting noticed

May I ask, after setting up the tunnel, how do you create a policy to send HTTP/HTTPS to this tunnel?

timeshimanshu
Getting noticed

@RichardChen1 you need to put your Zscaler node IP under the proxy settings to ensure your HTTP and HTTPS traffic travels through Zscaler.

Or you can download the PAC file for that.

RichardChen1
Getting noticed

I see what you mean.

The PAC is doing the HTTP/HTTPS redirection, not the MX.

The MX is just making sure the Zscaler node is reachable via VPN, right?

timeshimanshu
Getting noticed

Absolutely right @RichardChen1. I believe as of now you can't configure the policy for a Non-Meraki VPN peer.

Max70
Conversationalist

Sorry guys,

Once you have established an IPsec tunnel with Zscaler, the subnet 0.0.0.0/0 is enough to send traffic to the firewall, and it will send all traffic to Zscaler.

Even if you don't have the PAC file or the ZApp on the PC, the traffic will flow through Zscaler, and you will have to configure the firewall to let the right traffic exit.

timeshimanshu
Getting noticed

@Max70 agreed, it should be like this, but I'm using the PAC also.

And the route preference for the Meraki is:

  1. Directly Connected
  2. Client VPN
  3. Static Routes
  4. AutoVPN Routes
  5. Non-Meraki VPN Peers
  6. NAT*

Since Non-Meraki VPN peers are at number 5 and only then NAT comes, it should choose the Non-Meraki VPN path, and hence traffic flows through the Zscaler tunnel directly, not through NAT.
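As an added illustration of the route-preference argument above (example code, not from any poster or from Meraki), the function below models the six-level order quoted in the reply and picks the path a packet would take. It assumes the route type decides first and that longest prefix only breaks ties within one type; the route table is constructed for an MX whose Zscaler peer advertises 0.0.0.0/0.

```python
import ipaddress

# Route types in the preference order quoted in the reply (index 0 = most preferred).
PREFERENCE = [
    "directly_connected", "client_vpn", "static",
    "autovpn", "non_meraki_vpn", "nat",
]


def select_path(routes, destination):
    """Return the route dict a packet to `destination` would follow, or None.

    Assumption (not stated on the page): a lower preference index always wins;
    the longest prefix is only used to break ties within the same type.
    """
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dst in ipaddress.ip_network(r["prefix"])]
    if not candidates:
        return None
    return min(
        candidates,
        key=lambda r: (PREFERENCE.index(r["type"]),
                       -ipaddress.ip_network(r["prefix"]).prefixlen),
    )


# Constructed route table: a local VLAN, an AutoVPN branch, the Zscaler
# Non-Meraki peer with 0.0.0.0/0 as its private subnet, and the NAT default.
ROUTES = [
    {"type": "directly_connected", "prefix": "10.10.0.0/24", "via": "VLAN 10"},
    {"type": "autovpn", "prefix": "10.20.0.0/24", "via": "branch MX"},
    {"type": "non_meraki_vpn", "prefix": "0.0.0.0/0", "via": "Zscaler peer"},
    {"type": "nat", "prefix": "0.0.0.0/0", "via": "WAN uplink"},
]


def internet_path(routes):
    """Which path carries internet-bound traffic (constructed public test address)."""
    return select_path(routes, "203.0.113.10")["type"]


if __name__ == "__main__":
    for dst in ("10.10.0.5", "10.20.0.7", "203.0.113.10"):
        r = select_path(ROUTES, dst)
        print(f"{dst:>14} -> {r['type']} via {r['via']}")
```

Dropping the peer's 0.0.0.0/0 entry from the table makes `internet_path` fall back to NAT, which is the symptom Max70 described before adding the sub-location.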

Carlo
Here to help

Quick question,

Can I use this with a multi-site org? And will it work if the sites have 2 internet feeds?
