Hi all,
Searching for this topic I found some threads, but it's not clear if someone has established an IPsec tunnel from Meraki to the Zscaler cloud.
Has anyone done it successfully?
Thank you
Yes, this is my MX configuration for the Zscaler tunnel with Meraki.
Under the non-Meraki VPN peers section, enter the name of your Zscaler node and the public IP of your Zscaler node. The IPsec custom policies I have configured are shown below.
Now you have to whitelist your MX WAN IP with Zscaler by raising a ticket with them.
Then you need to configure the VPN credentials at Zscaler for your MX WAN IP. Make sure it matches with Meraki also.
Now add a location at Zscaler, reference your VPN credentials, and add your private IP ranges as a sub-location.
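The steps above tie three things together: the non-Meraki peer on the MX, the VPN credential at Zscaler keyed on the MX WAN IP, and a location with a sub-location carrying the LAN ranges. The following is an added consistency check, not code from this thread or from Meraki/Zscaler. The MX peer entry uses the field names of the Meraki Dashboard API third-party VPN peer object (an assumption taken from the public API, not from the screenshots in this thread; the IPsec policy details shown in the screenshots are left out), the Zscaler side is a plain dictionary mirroring the steps, and all IPs, keys and ranges are constructed sample values.

```python
"""Consistency check for a Meraki MX -> Zscaler IPsec setup (added example).

The MX side follows the shape of a Meraki Dashboard API third-party VPN
peer entry (field names assumed from the public API, not from this thread).
The Zscaler side mirrors the steps in the answer: a VPN credential for the
MX WAN IP, a location bound to that credential, and sub-locations holding
the LAN ranges.  Every value below is constructed sample data.
"""
import ipaddress
from typing import Dict, List

# --- MX side (constructed sample) ------------------------------------------
MX_CONFIG: Dict = {
    "wan_ip": "198.51.100.10",                 # the MX WAN IP whitelisted at Zscaler
    "vpn_local_subnets": ["10.10.0.0/24", "10.10.1.0/24"],  # LANs allowed into VPN
    "peer": {                                  # non-Meraki VPN peer entry
        "name": "zscaler-node",
        "publicIp": "203.0.113.5",             # public IP of the Zscaler node
        "privateSubnets": ["0.0.0.0/0"],       # everything goes via the tunnel
        "secret": "example-psk",               # pre-shared key, sample only
        "ikeVersion": "2",
    },
}

# --- Zscaler side (constructed sample) --------------------------------------
ZSCALER_CONFIG: Dict = {
    "vpn_credentials": [
        {"type": "IP", "ip": "198.51.100.10", "psk": "example-psk"},
    ],
    "locations": [
        {
            "name": "Branch-1",
            "vpn_credential_ip": "198.51.100.10",
            "sublocations": [
                {"name": "Branch-1-LAN", "subnets": ["10.10.0.0/24", "10.10.1.0/24"]},
            ],
        }
    ],
}


def check_tunnel_config(mx: Dict, zs: Dict) -> List[str]:
    """Return a list of mismatches between the MX peer and the Zscaler objects.

    An empty list means the two sides describe the same tunnel.
    """
    problems: List[str] = []
    peer = mx["peer"]

    # The peer's public IP must be a real address (not a hostname by mistake).
    try:
        ipaddress.ip_address(peer["publicIp"])
    except ValueError:
        problems.append(f"peer publicIp {peer['publicIp']!r} is not an IP address")

    # Zscaler must hold a VPN credential for exactly the MX WAN IP.
    cred = next((c for c in zs["vpn_credentials"]
                 if c["type"] == "IP" and c["ip"] == mx["wan_ip"]), None)
    if cred is None:
        problems.append(f"no VPN credential at Zscaler for MX WAN IP {mx['wan_ip']}")
    elif cred["psk"] != peer["secret"]:
        problems.append("pre-shared key at Zscaler differs from the MX peer secret")

    # A location must be bound to that credential and carry sub-locations.
    loc = next((l for l in zs["locations"]
                if l["vpn_credential_ip"] == mx["wan_ip"]), None)
    if loc is None:
        problems.append("no Zscaler location references the MX VPN credential")
    elif not loc["sublocations"]:
        problems.append("location has no sub-location, so the LAN ranges are missing")
    else:
        local = [ipaddress.ip_network(s) for s in mx["vpn_local_subnets"]]
        for sub in loc["sublocations"]:
            for s in sub["subnets"]:
                net = ipaddress.ip_network(s)
                if not any(net.subnet_of(l) for l in local):
                    problems.append(
                        f"sub-location {sub['name']} range {s} is not a VPN-enabled MX subnet")

    # Without 0.0.0.0/0 only the listed ranges use the tunnel; the rest is NATed.
    if "0.0.0.0/0" not in peer["privateSubnets"]:
        problems.append("peer privateSubnets lacks 0.0.0.0/0; non-matching traffic exits via NAT")
    return problems


if __name__ == "__main__":
    for p in check_tunnel_config(MX_CONFIG, ZSCALER_CONFIG) or ["config is consistent"]:
        print(p)
```

Run it against your own exported values before opening the whitelist ticket; the sub-location check is the one that catches the mistake reported further down in this thread.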
Thank you very much.
I was missing the sub-location on Zscaler. I had created only the main location.
Your VPN configuration fields are different. Which firmware are you using?
I'm running 14.39.
I'm missing the fields user FQDN and phase 1 mode.
My MX is running the same 14.39,
but this is my VPN settings page:
So are you able to establish the tunnel with the Zscaler node?
Yes. I marked your first reply as solution
Thank you
Max
May I ask, after setting up the tunnel, how do you create a policy to send HTTP/HTTPS to this tunnel?
@RichardChen1 you need to put your Zscaler node IP under the proxy setting to ensure your HTTP and HTTPS traffic travels through Zscaler,
or
you can download the PAC file for that.
I see what you mean.
The PAC is doing the HTTP/HTTPS redirection, not the MX.
The MX is just making sure the Zscaler node is reachable via VPN, right?
Absolutely right @RichardChen1. I believe as of now you can't configure the policy for a non-Meraki VPN peer.
Sorry guys,
once you have established an IPsec tunnel with Zscaler, a subnet of 0.0.0.0/0 is enough to send traffic to the firewall and it will send all traffic to Zscaler.
Even if you don't have the PAC file or the Zapp on the PC, the traffic will flow through Zscaler and you will have to configure the firewall to let the right traffic exit.
@Max70 agreed, it should be like this, but I'm using PAC also.
And the route preference for the Meraki is:
Since non-Meraki VPN peers are at number 5 and then NAT comes, it should choose the non-Meraki VPN path and hence traffic flows through the Zscaler tunnel directly, not through NAT.
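The argument in the two posts above (a 0.0.0.0/0 private subnet on the non-Meraki peer beats NAT because peers sit at position 5 and NAT last) can be checked with a small model of the MX route selection. This is an added example, not code from the thread, from Meraki or from Zscaler. The six route types and their order are the ones quoted above; the longest-prefix tiebreak within one type is an assumption of this model, and the route table and destinations are constructed sample data.

```python
"""Model of MX route selection in the preference order quoted above (added example).

Lower rank wins regardless of prefix length; within one rank the longer
prefix wins (that tiebreak is an assumption of this model).  Routes and
destinations are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Route type preference as cited in the thread: non-Meraki VPN peers at 5, NAT at 6.
ROUTE_PREFERENCE = {
    "directly_connected": 1,
    "client_vpn": 2,
    "static": 3,
    "auto_vpn": 4,
    "non_meraki_vpn": 5,
    "nat": 6,
}


@dataclass(frozen=True)
class Route:
    kind: str       # one of ROUTE_PREFERENCE's keys
    prefix: str     # destination prefix in CIDR form
    next_hop: str   # label of the egress used for the demonstration

    def matches(self, dst: str) -> bool:
        return ipaddress.ip_address(dst) in ipaddress.ip_network(self.prefix, strict=False)

    @property
    def prefixlen(self) -> int:
        return ipaddress.ip_network(self.prefix, strict=False).prefixlen


def choose_route(dst: str, routes: List[Route]) -> Optional[Route]:
    """Pick the route for dst: best (lowest) type rank first, then longest prefix."""
    candidates = [r for r in routes if r.matches(dst)]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (ROUTE_PREFERENCE[r.kind], -r.prefixlen))


def build_table(peer_private_subnets: List[str]) -> List[Route]:
    """Constructed MX table: one LAN, one static route, NAT, plus the Zscaler peer."""
    table = [
        Route("directly_connected", "10.10.0.0/24", "LAN"),
        Route("static", "10.20.0.0/16", "10.10.0.254"),
        Route("nat", "0.0.0.0/0", "WAN (NAT)"),
    ]
    # The peer's private subnets are what the MX reaches through the tunnel.
    table += [Route("non_meraki_vpn", s, "zscaler-node") for s in peer_private_subnets]
    return table


def egress_for(dst: str, peer_private_subnets: List[str]) -> str:
    """Return the egress label chosen for dst with the given peer subnets."""
    route = choose_route(dst, build_table(peer_private_subnets))
    return route.next_hop if route else "unroutable"


if __name__ == "__main__":
    for subnets in (["0.0.0.0/0"], ["10.0.0.0/8"]):
        for dst in ("10.10.0.5", "10.20.1.1", "8.8.8.8"):
            print(f"peer {subnets}: {dst:>10} -> {egress_for(dst, subnets)}")
```

With the peer configured for 0.0.0.0/0, internet destinations land on the Zscaler peer rather than NAT even though both prefixes are identical, because rank 5 beats rank 6; narrow the peer to an RFC 1918 range and the same destinations fall through to NAT, which is exactly the case where the PAC file or Zapp is doing the redirection instead of the MX.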
Quick question,
can I use this with a multi-site org? And will it work if the sites have 2 internet feeds?