Zscaler Deployment Guide · This deployment guide describes the configuration of a VPN connection to the “Zscaler Cloud Security Platform”. The use of IPSec allows the use of

File: Zscaler Deployment Guide.doc Date: 22.06.2018 Author: Stefan Guddat Copyright Ó 2018 LANCOM Systems GmbH Page: 1/33

Zscaler Deployment Guide

Version 1.1 Date Version Author Changes 25.04.2018 1.0 SGuddat angelegt

22.06.2018 1.1 SGuddat Small corrections


Content INTRODUCTION .................................................................................................................... 3 ACRONYM TABLE ................................................................................................................ 3 1 CONFIGURATION VIA LANCONFIG.......................................................................... 3

1.1 VPN ................................................................................................................................... 3 1.2 IPV4 NETWORK RULE ......................................................................................................... 4 1.3 IKE PROPOSAL .................................................................................................................... 5 1.4 IPSEC PROPOSAL ................................................................................................................. 7 1.5 IKE KEY AND IDENTITIY ................................................................................................... 10 1.6 CONNECTION PARAMETERS ............................................................................................... 11 1.7 VPN PEER ......................................................................................................................... 12 1.8 ROUTING ENTRY ............................................................................................................... 14 1.9 DNS FORWARDING ........................................................................................................... 16 1.10 SERVICE VALIDATION ....................................................................................................... 16

2 CONFIGURATION VIA LANCOM MANAGEMENT CLOUD (LMC) .......................... 17 2.1 VPN ................................................................................................................................. 18 2.2 IPV4 NETWORK RULE ....................................................................................................... 19 2.3 IKE PROPOSAL .................................................................................................................. 20 2.4 IPSEC PROPOSAL ............................................................................................................... 23 2.5 IKE KEY AND IDENTITIY ................................................................................................... 26 2.6 CONNECTION PARAMETERS ............................................................................................... 27 2.7 VPN PEER ......................................................................................................................... 28 2.8 ROUTING ENTRY ............................................................................................................... 30 2.9 DNS FORWARDING ........................................................................................................... 32 2.10 SERVICE VALIDATION ....................................................................................................... 33


Introduction This deployment guide describes the configuration of a VPN connection to the “Zscaler Cloud Security Platform”. The use of IPSec allows the use of dynamic WAN addresses on the client side.

Acronym table The following table describes terms used in this deployment guide. Term Explanation DPD Dead Peer Detection IKE Inter Key Exchange IPSEC Internet Protocol Security OCSP Online Certificate Status Protocol PFS Perfect Forward Secrecy RIP Routing Information Protocol Short Hold Time Describes the hold time for outgoing connections.

“0” – Connection will not be initiated automatically but hold the connection forever without disconnect “1-9998” - Connection will not be initiated automatically but will disconnect the connection if there is no traffic within the defined time “9999” - Connection will be initiated automatically and always reconnect after disconnect (keepalive)

1 Configuration via LANconfig To set up a connection to the Zscaler cloud platform via LANconfig you need to create an IKEv1 connection. To do that you need to open the device configuration and go to “Configuration – VPN”.

1.1 VPN First you need to activate the VPN function at “Configuration – VPN -> Activated”.


1.2 IPv4 Network Rule Next you need to create a network rule to support any traffic going into and coming from the VPN tunnel. This can be done under “Configuration - VPN – General – Network rules – IPv4 rules”. Please name the entry as you like (e.g. ANY-TO-ANY) and set the local and remote networks both to “0.0.0.0/0” as shown in the picture below:


1.3 IKE proposal Then you need to set up the IKE proposal for the desired VPN tunnel. This can be done under “Configuration – VPN – IKE/IPsec – IKE proposals”.

Click on “add” to create a new entry. Name the entry as desired (e.g. ZSCALERIKE) and use the following settings: IKE proposal Identitfication e.g. ZSCALERIKE Encryption AES-CBC Key length 256 bit Hash SHA256 Authentication Preshared key Lifetime 84.400 seconds

0 kBytes


Now you need to set up an IKE proposal list with this newly created IKE proposal. This can be done in “Configuration – VPN – IKE/IPsec – IKE proposal lists”. There create a new entry named as desired (e.g. ZSCALERIKEPROP) and add the previously created proposal to the list:


1.4 IPSec proposal The next step is to set up an IPSec proposal for the desired VPN tunnel. This can be done under “Configuration – VPN – IKE/IPsec – IPSec proposals”. There create a new entry named es desired (e.g. ZSCALERIPSEC1) and use the following settings:

IPSec proposal Identification e.g. ZSCALERIPSEC1 Mode Tunnel ESP encryption NULL ESP authentication HMAC-MD5 AH authentication No AH IPCOMP compression No IPCOMP Lifetime 0 seconds

2.000.000 kBytes



Next you need to create an IPSec proposal list entry. You can do that in “Configuration – VPN – IKE/IPsec – IPSec proposal lists”. There create a new entry named as desired (e.g. ZSCALERIPSECPROP) and add the previously created proposal to the list:


1.5 IKE key and identitiy The next step is to set up the IKE key and identity for the desired VPN tunnel. This can be done under “Configuration – VPN – IKE/IPsec – IKE keys and identities”. There create a new entry named as desired (e.g. ZSCALERKEY) and use the following settings: IKE keys and identities Identification e.g. ZSCALERKEY Preshared key as given Local identity type Domain name (FQDN) Local identity as given Remote identity type No identity Remote identity -


1.6 Connection parameters Now you need to link the created proposal and key information to a connection parameter entry. This can be done in “Configuration – VPN – IKE/IPsec – Connection parameters”. Please use the following settings: Connection parameters Identification e.g. ZSCALER PFS group No PFS IKE group 2 (MODP-1024) IKE proposals ZSCALERIKEPROP (as created in step 1.3) IKE key ZSCALERKEY (as created in step 1.5) IPSec proposals ZSCALERIPSECPROP (as created in step

1.4)


1.7 VPN peer Now you need to create a VPN peer entry for the VPN connection. This can be done in “Configuration – VPN – IKE/IPsec – Connection list”. Please use the following settings: Connection list Name of connection e.g. ZSCALER Short hold time 9.999 (keep alive) Dead peer detection 30 Extranet address 0.0.0.0 Gateway e.g. fra4-vpn.zscloud.net (or as given) Routing tag 1 Connection parameters ZSCLAER (as created in step 1.5) Dynamic VPN connection No dynamic VPN IKE exchange Aggressive mode OCSP check No IKE-CFG Off XAUTH Off IPsec-over-HTTPS Off Rule creation Manual IPv4 rules ANY-TO-ANY (as created in step 1.2) IPv6 rules -



1.8 Routing entry The next step is to change the default route to the VPN tunnel. To do this go to “Configuration – IP Router – Routing – IPv4 routing table”. There please change the default route to use the VPN tunnel created above: IPv4 routing table IP address 255.255.255.255 Netmask 0.0.0.0 Routing tag 0 Enable state Route is enabled and will always be

propagated via RIP (sticky) Router ZSCALER (as created in step 1.7) Distance 0 IP masquerading IP Masquerading switched off Comment -

Now all traffic which is not routed anywhere else (e.g. local networks) will be forwarded to the Zscaler cloud security platfrom. Note: Please make sure that you have a second default route (WAN) to be able to connect to the VPN tunnel endpoint as configured in step 1.7 (->”Gateway”), otherwise the router won’t be able to establish a VPN connection. To do that please set up your original default route (WAN) to your local internet provider again, but this time with the routing tag 1:


IPv4 routing table IP address 255.255.255.255 Netmask 0.0.0.0 Routing tag 1 Enable state Route is enabled and will always be

propagated via RIP (sticky) Router INTERNET (or as named during set up of

the internet connection) Distance 0 IP masquerading masking Intranet and DMZ (default) Comment -

The routing table will then look like that:


The first route is for the VPN tunnel to be established. The second route will route all other traffic to the Zscaler cloud security platform.

1.9 DNS forwarding The last step is to create a DNS forwarding entry for a proper DNS resolution. To do this go to “Configuration – IPv4 – DNS – Forwarding”: DNS Forwarding Domain * Routing tag 0 Remote site INTERNET (or as named during set up of

the internet connection)

1.10 Service validation To verify your configuration works fine please visit the webpage http://ip.zscaler.com/. There you can see if the data is sent through the newly created VPN tunnel.


2 Configuration via LANCOM Management Cloud (LMC)

To set up a VPN connection to the Zscaler cloud platform via LANCOM Management Cloud you need to create an IKEv1 connection. To do that you need to open the detail configuration of the desired device at “Devices – DeviceName – Detail configuration”:


2.1 VPN First you need to activate the VPN function of the device at “VPN -> Activated”.


2.2 IPv4 Network Rule Next you need to create a network rule to support any traffic going into and coming from the VPN tunnel. This can be done under “VPN – General – Network rules – IPv4 rules”. Please name the entry as you like (e.g. ANY-TO-ANY) and set the local and remote networks both to “0.0.0.0/0” as shown in the picture below:


2.3 IKE proposal Then you need to set up the IKE proposal for the desired VPN tunnel. This can be done under “VPN – IKE/IPsec – IKE proposals”.

Click on “add” to create a new entry. Name the entry as desired (e.g. ZSCALERIKE) and use the following settings: IKE proposal Identitfication e.g. ZSCALERIKE Encryption AES-CBC Key length 256 bit Hash SHA256 Authentication Preshared key Lifetime 86.400 seconds

0 kBytes


Now you need to set up an IKE proposal list with this newly created IKE proposal. This can be done in “Configuration – VPN – IKE/IPsec – IKE proposal lists”. There create a new entry named as desired (e.g. ZSCALERIKEPROP) and add the previously created proposal to the list:



2.4 IPSec proposal The next step is to set up an IPSec proposal for the desired VPN tunnel. This can be done under “Configuration – VPN – IKE/IPsec – IPSec proposals”. There create a new entry named es desired (e.g. ZSCALERIPSEC1) and use the following settings: IPSec proposal Identification e.g. ZSCALERIPSEC1 Mode Tunnel ESP encryption NULL ESP authentication HMAC-MD5 AH authentication No AH IPCOMP compression No IPCOMP Lifetime 0 seconds

2.000.000 kBytes



Next you need to create an IPSec proposal list entry. You can do that in “Configuration – VPN – IKE/IPsec – IPSec proposal lists”. There create a new entry named as desired (e.g. ZSCALERIPSECPROP) and add the previously created proposal to the list:


2.5 IKE key and identitiy The next step is to set up the IKE key and identity for the desired VPN tunnel. This can be done under “Configuration – VPN – IKE/IPsec – IKE keys and identities”. There create a new entry named as desired (e.g. ZSCALERKEY) and use the following settings: IKE keys and identities Identification e.g. ZSCALERKEY Preshared key as given Local identity type Domain name (FQDN) Local identity as given Remote identity type No identity Remote identity -


2.6 Connection parameters Now you need to link the created proposal and key information to a connection parameter entry. This can be done in “Configuration – VPN – IKE/IPsec – Connection parameters”. Please use the following settings: Connection parameters Identification e.g. ZSCALER PFS group No PFS IKE group 2 (MODP-1024) IKE proposals ZSCALERIKEPROP (as created in step 2.3) IKE key ZSCALERKEY (as created in step 2.5) IPSec proposals ZSCALERIPSECPROP (as created in step

2.4)


2.7 VPN peer Now you need to create a VPN peer entry for the VPN connection. This can be done in “Configuration – VPN – IKE/IPsec – Connection list”. Please use the following settings: Connection list Name of connection e.g. ZSCALER Short hold time 9.999 (keep alive) Dead peer detection 30 Extranet address 0.0.0.0 Gateway e.g. fra4-vpn.zscloud.net (or as given) Routing tag 1 Connection parameters ZSCLAER (as created in step 2.6) Dynamic VPN connection No dynamic VPN IKE exchange Aggressive mode OCSP check No IKE-CFG Off XAUTH Off IPsec-over-HTTPS Off Rule creation Manual IPv4 rules ANY-TO-ANY (as created in step 2.2) IPv6 rules -



2.8 Routing entry The next step is to change the default route to the VPN tunnel. To do this go to “Configuration – IP Router – Routing – IPv4 routing table”. There please change the default route to use the VPN tunnel created above: IPv4 routing table IP address 255.255.255.255 Netmask 0.0.0.0 Routing tag 0 Enable state Route is enabled and will always be

propagated via RIP (sticky) Router ZSCALER (as created in step 2.7) Distance 0 IP masquerading IP Masquerading switched off Comment -


Now all traffic which is not routed anywhere else (e.g. local networks) will be forwarded to the Zscaler cloud security platform. Note: Please make sure that you have a second default route (WAN) to be able to connect to the VPN tunnel endpoint as configured in step 2.7 (->”Gateway”), otherwise the router won’t be able to establish a VPN connection. To do that please set up your original default route (WAN) to your local internet provider again, but this time with the routing tag 1: IPv4 routing table IP address 255.255.255.255 Netmask 0.0.0.0 Routing tag 1 Enable state Route is enabled and will always be

propagated via RIP (sticky) Router INTERNET (or as named during set up of

the internet connection) Distance 0 IP masquerading masking Intranet and DMZ (default) Comment -


The routing table will then look like that:

The first route is for the VPN tunnel to be established. The second route will route all other traffic to the Zscaler cloud security platform.

2.9 DNS forwarding The last step is to create a DNS forwarding entry for a proper DNS resolution. To do this go to “Configuration – IPv4 – DNS – Forwarding”: DNS Forwarding Domain * Routing tag 0 Remote site INTERNET (or as named during set up of

the internet connection)


2.10 Service validation To verify your configuration works fine please visit the webpage http://ip.zscaler.com/. There you can see if the data is sent through the newly created VPN tunnel.

Zscaler Deployment Guide · This deployment guide describes the configuration of a VPN connection to the “Zscaler Cloud Security Platform”. The use of IPSec allows the use of

Documents