Zscaler Integration by using GRE tunnels and IPsec tunnels

The Zscaler cloud security platform acts as a series of security check posts in more than 100 data centers around the world. By simply redirecting your internet traffic to Zscaler, you can immediately secure your stores, branches, and remote locations. Zscaler connects users and the internet, inspecting every byte of traffic, even if it is encrypted or compressed.

Citrix SD-WAN appliances can connect to a Zscaler cloud network through GRE tunnels at the customer’s site. A Zscaler deployment using SD-WAN appliances supports the following functionality:

  • Forwarding all GRE traffic to Zscaler, thereby enabling direct Internet breakout.
  • Direct internet access (DIA) using Zscaler on a per customer site basis.
    • On some sites, you might want to provide DIA with on-premises security equipment and not use Zscaler.
    • On some sites, you might choose to backhaul the traffic to another customer site for internet access.
  • Virtual routing and forwarding deployments.
  • One WAN link as part of internet services.

Zscaler is a cloud service. You must set it up as a service and define the underlying WAN links:

  • Configure an internet service at the data center and branch through GRE.
  • Configure a trusted Public internet link at the data center and the branch sites.

This topic provides guidelines and procedures for configuring internet breakout through Zscaler on the Citrix SD-WAN Standard and Premium Editions. For each of the options, GRE and IPsec, a series of steps is defined so that the product can be configured correctly.

Note: Please review the software loaded on the Citrix SD-WAN platform before performing the following procedures.

Topology

To use GRE tunnel or IPsec Tunnel traffic forwarding:

  1. Log into the Zscaler help portal at: https://help.zscaler.com/submit-ticket.

  2. Raise a ticket and provide the static public IP address, which is used as the GRE tunnel or IPsec tunnel source IP address.

Zscaler uses the source IP address to identify the customer. The source IP must be a static public IP address. Zscaler responds with two ZEN IP addresses (primary and secondary) to which traffic is redirected. GRE keep-alive messages can be used to determine the health of the tunnels.

Sample IP addresses

Primary

  • Internal Router IP address: 172.17.6.241/30
  • Internal ZEN IP address: 172.17.6.242/30

Secondary

  • Internal Router IP address: 172.17.6.245/30
  • Internal ZEN IP address: 172.17.6.246/30

Internet Breakout to Zscaler using GRE Tunnel

Do the following if you need to redirect all internet traffic from the branch to Zscaler.

  1. Obtain the public IP address of the Site WAN Link. Get the Public IP address (Externally Visible NAT IP) of the Branch/Site WAN Link. In the preceding topology, it is 115.112.150.75.

  2. Add a location in the Zscaler Portal. To add locations, the administrator must submit the site's static public IP addresses to Zscaler Support, which ensures that those IP addresses appear in the Admin Portal. You submit the IP addresses by raising a support ticket.

  3. Log in to the Zscaler portal at https://admin.zscalerbeta.net using the admin login credentials that were provided by Zscaler.

  4. Submit a support ticket with Zscaler. Point to the Help icon at the left side of the UI to open the help menu. In the help menu, click Submit a Ticket.

  5. The Submit Ticket page opens in a new tab; alternatively, open https://help.zscaler.com/submit-ticket directly.

  6. After completing the fields in the Submit Ticket page, click Submit. Zscaler Support takes 30 minutes to provision the IP addresses. Once the site's IP addresses have been provisioned, the administrator can add them as locations.

  7. Add a location. Go to Administration > Locations. Click Add Location.

  8. Enter general information about the location:

    • Type the Name.
    • Choose the Country.
    • Enter a State/Province, if applicable.
    • Choose the Time Zone of the location.
    • Choose the IP addresses for the location.
    • Public IP Addresses lists the IP addresses that you sent to Zscaler. Choose IP addresses for the location from the drop-down menu.

Acquire GRE Tunnel details from Zscaler

  1. Raise a support ticket at https://help.zscaler.com/submit-ticket from the registered account, stating the intention to create a GRE tunnel with Zscaler to redirect internet traffic towards the Zscaler cloud. In this ticket, mention the public IP address (115.112.150.75).

  2. In response to this ticket, Zscaler provides GRE tunnel details similar to the following.

As observed, the public IP address (115.112.150.75) provided in the ticket is listed as the tunnel source IP. Zscaler provides two tunnel destination addresses, which are used as the destination addresses when configuring the primary and secondary GRE tunnels on SD-WAN. Create two GRE tunnels from SD-WAN towards the two destination addresses, using the same source IP address for both; the two tunnels provide redundancy. Zscaler also provides the internal IPs, which are used for routing traffic through the GRE tunnel: the Internal Router IP is configured as the tunnel interface IP on the SD-WAN appliance. The following steps describe how to create the tunnels on SD-WAN and redirect internet traffic towards Zscaler.

Adding an internet Service on SD-WAN

Add an internet service. Go to Connections > site-name > Internet Services and associate the WAN link through which the tunnel is to be established. This internet service is used when adding routes to the Zscaler tunnel destination IPs, so that the tunnel traffic uses the internet service and is accounted correctly as internet traffic.

Configure the GRE Tunnel on SD-WAN

Add GRE Tunnel configuration. Go to Connections > Site-Name > GRE Tunnels and add tunnels as follows.

  • Source IP: the internal VIP hosted on the SD-WAN appliance (172.16.1.2 is used here; it is the WAN link access interface IP address shown in the initial topology).
  • Public Source IP: the public IP address to which the internal VIP (172.16.1.2) is NAT'ed. This is 115.112.150.75, the public IP address provided to Zscaler in the initial ticket. Zscaler uses it to allow GRE tunnel creation from this source public IP.
  • Destination IP: taken from Zscaler's response to the ticket. As mentioned in step 2, Zscaler provides primary and secondary tunnel destination addresses; use these as the tunnel destination IPs.
  • Tunnel IP/Prefix: the tunnel interface IP, which is used for routing traffic through the GRE tunnel. As seen in step 2, Zscaler provides a ZEN IP and an Internal Router IP for each tunnel. Use the Internal Router IP as the Tunnel IP/Prefix (172.17.6.241/30 is used as the primary Tunnel IP/Prefix).
  • Checksum: enable this checkbox to enable the GRE checksum.
  • Keepalive Period: used to monitor the GRE tunnel status. This is the interval in seconds at which GRE keepalive messages are sent to the peer.
  • Keepalive Retries: the number of consecutive keepalive messages that may go unanswered before the tunnel is marked dead.

Similarly, configure the secondary GRE tunnel on SD-WAN using the tunnel destination and IP prefix provided by Zscaler for the secondary tunnel.
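
The following is an added example, not code from the Citrix documentation or product: a pre-flight consistency check, in Python, for the GRE tunnel fields listed above. It takes the values from the Zscaler ticket response and the intended SD-WAN settings and flags the mistakes the text warns about (a Tunnel IP/Prefix that uses the ZEN IP rather than the Internal Router IP, a Public Source IP that differs from the IP registered with Zscaler, a default-route next hop that is not the ZEN IP). The addresses are the page's sample values; the class and function names, the keepalive values, and the shape of the ticket data are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class ZscalerTunnelInfo:
    """Values from the Zscaler support-ticket response (sample values from the page)."""
    tunnel_source_ip: str      # public IP registered with Zscaler
    tunnel_destination: str    # tunnel destination address for this tunnel
    internal_router_ip: str    # e.g. 172.17.6.241/30, to be used as Tunnel IP/Prefix
    internal_zen_ip: str       # e.g. 172.17.6.242/30, to be used as default-route next hop


@dataclass
class GreTunnelConfig:
    """Fields entered under Connections > Site-Name > GRE Tunnels (assumed field names)."""
    source_ip: str
    public_source_ip: str
    destination_ip: str
    tunnel_ip_prefix: str
    keepalive_period_s: int
    keepalive_retries: int


def check_gre_tunnel(cfg: GreTunnelConfig, info: ZscalerTunnelInfo,
                     default_route_gateway: str) -> List[str]:
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    if cfg.public_source_ip != info.tunnel_source_ip:
        problems.append(f"Public Source IP {cfg.public_source_ip} differs from the tunnel "
                        f"source IP registered with Zscaler ({info.tunnel_source_ip})")
    if not ipaddress.ip_address(cfg.public_source_ip).is_global:
        problems.append("Public Source IP must be a globally routable static address")
    if cfg.destination_ip != info.tunnel_destination:
        problems.append(f"Destination IP {cfg.destination_ip} is not the tunnel destination "
                        f"provided by Zscaler ({info.tunnel_destination})")
    router = ipaddress.ip_interface(info.internal_router_ip)
    zen = ipaddress.ip_interface(info.internal_zen_ip)
    tun = ipaddress.ip_interface(cfg.tunnel_ip_prefix)
    if tun.ip == zen.ip:
        problems.append("Tunnel IP/Prefix uses the ZEN IP; use the Internal Router IP instead")
    elif tun.ip != router.ip:
        problems.append(f"Tunnel IP/Prefix {cfg.tunnel_ip_prefix} is not the Internal Router IP")
    if tun.network != zen.network:
        problems.append("Tunnel IP/Prefix is not in the same subnet as the ZEN IP")
    # The 0.0.0.0/0 GRE Tunnel route must point at the ZEN IP, not the router IP.
    if ipaddress.ip_address(default_route_gateway) != zen.ip:
        problems.append(f"default route next hop {default_route_gateway} should be the ZEN IP {zen.ip}")
    if cfg.keepalive_period_s == 0 or cfg.keepalive_retries == 0:
        problems.append("keepalives disabled (period or retries is 0): tunnel status will not be monitored")
    return problems


# Primary tunnel details as given on the page.
ZSCALER_PRIMARY = ZscalerTunnelInfo("115.112.150.75", "165.255.72.38",
                                    "172.17.6.241/30", "172.17.6.242/30")


def example_results():
    """A consistent configuration and one that uses the ZEN IP as the tunnel IP
    and the router IP as the default-route next hop (keepalive values constructed)."""
    good = GreTunnelConfig("172.16.1.2", "115.112.150.75", "165.255.72.38", "172.17.6.241/30", 10, 3)
    wrong = GreTunnelConfig("172.16.1.2", "115.112.150.75", "165.255.72.38", "172.17.6.242/30", 10, 3)
    return (check_gre_tunnel(good, ZSCALER_PRIMARY, "172.17.6.242"),
            check_gre_tunnel(wrong, ZSCALER_PRIMARY, "172.17.6.241"))


if __name__ == "__main__":
    for problems in example_results():
        print(problems or "configuration consistent")
```

Running the block prints an empty finding list for the consistent configuration and two findings for the swapped one; the same checks can be run against the secondary tunnel by passing its own ZscalerTunnelInfo.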

Configure the relevant routes on SD-WAN

Note: As part of the GRE tunnel configuration in the preceding step, two routes are added automatically with service type GRE Tunnel to reach Zscaler's internal ZEN IPs, with the Zscaler primary and secondary tunnel destination IPs as the respective next hops (routes 3 and 4 in the preceding screenshot).

  • Ensure that the GRE tunnel comes up. Add routes to the Zscaler primary and secondary tunnel destination IPs with service type Internet (routes 1 and 2 in the preceding screenshot).

    • To route all internet traffic through the GRE tunnel: the default internet route has a cost of 5 by default. Manipulate the costs so that the two default routes via the GRE tunnels (described next) take priority over the default internet route. Between the two GRE tunnel default routes, give the primary tunnel a lower cost than the secondary so that it is preferred.

Note: SD-WAN automatically creates a default (0.0.0.0/0) route with service type Internet as part of creating an internet service in step 3.

  • Create a default route (0.0.0.0/0) with service type GRE Tunnel, the Zscaler internal ZEN IP of the primary tunnel as next hop, and cost 3 (similar to route 7 in the preceding screenshot). Mark eligibility based on Path so that the switchover during link failover is seamless.
  • Create a default route (0.0.0.0/0) with service type GRE Tunnel, the Zscaler internal ZEN IP of the secondary tunnel as next hop, and cost 4 (similar to route 8 in the preceding screenshot). Mark eligibility based on Path so that the switchover during link failover is seamless.

  • Default route via Internet service: cost 5
  • Default route via GRE Tunnel service (with primary ZEN IP as next hop): cost 3
  • Default route via GRE Tunnel service (with secondary ZEN IP as next hop): cost 4

Packet flow:

  1. A branch host sends a packet to a destination (an internet web server IP).
  2. The packet reaches SD-WAN.
  3. It hits the default route with cost 3, service type GRE Tunnel, and the internal ZEN IP of the primary tunnel as gateway IP.
  4. To reach the internal ZEN IP of the primary tunnel, route 3 is used, which in turn has the Zscaler primary tunnel destination IP as its gateway.
  5. The traffic is encapsulated with the source and destination IPs configured in the GRE tunnel (the source IP is the internal VIP and the destination IP is the primary tunnel destination IP of Zscaler).
  6. The encapsulated traffic is routed via the Internet service, so that it is accounted as internet traffic from the SD-WAN appliance, using route 1 to reach the Zscaler primary destination.
  7. The packet then goes to the default gateway, where the internal VIP is NAT'ed to the public IP (the one reported to Zscaler as part of account creation).

If the primary tunnel goes down, the routes related to the secondary GRE tunnel are chosen and internet traffic is routed towards Zscaler through it.
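
As an added example (not from the Citrix documentation or product), the following Python model ties the Keepalive Period and Keepalive Retries settings to route eligibility and walks the route table the way steps 3 to 7 describe: a GreKeepaliveMonitor marks the tunnel DEAD after the configured number of unanswered keepalives, an ineligible tunnel removes its routes from consideration, and resolve() recurses from the default route through the ZEN IP route to the tunnel destination route. Addresses are the page's values except the secondary tunnel destination (198.51.100.2, a constructed placeholder) and the web server (203.0.113.10); all class, function and field names are assumptions. The same lowest-eligible-cost selection also orders the four tunnel routes in Scenario-2 below.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


class GreKeepaliveMonitor:
    """Tunnel health from GRE keepalives. Assumption for this example: the tunnel
    is marked DEAD once `retries` consecutive keepalives go unanswered, and is
    UP again on the next answered keepalive."""

    def __init__(self, period_s: int, retries: int):
        self.period_s, self.retries = period_s, retries
        self.missed, self.up = 0, True

    def keepalive(self, answered: bool) -> bool:
        """Record one keepalive interval and return whether the tunnel is UP."""
        if answered:
            self.missed, self.up = 0, True
        else:
            self.missed += 1
            if self.missed >= self.retries:
                self.up = False
        return self.up

    def detection_time_s(self) -> int:
        """Worst-case time to declare the tunnel DEAD after the peer stops replying."""
        return self.period_s * self.retries


@dataclass
class Route:
    prefix: str
    service: str                   # "Internet" or "GRE Tunnel"
    gateway: Optional[str]
    cost: int
    tunnel: Optional[str] = None   # tunnel whose state controls eligibility (Path-based)


# Route table from the GRE section (route numbers as in the text). The secondary
# tunnel destination 198.51.100.2 is a constructed placeholder.
ROUTES: List[Route] = [
    Route("165.255.72.38/32", "Internet", None, 5),                         # 1: primary tunnel destination
    Route("198.51.100.2/32", "Internet", None, 5),                          # 2: secondary tunnel destination
    Route("172.17.6.242/32", "GRE Tunnel", "165.255.72.38", 5, "primary"),  # 3: primary ZEN IP (auto-added)
    Route("172.17.6.246/32", "GRE Tunnel", "198.51.100.2", 5, "secondary"), # 4: secondary ZEN IP (auto-added)
    Route("0.0.0.0/0", "Internet", None, 5),                                # default Internet route
    Route("0.0.0.0/0", "GRE Tunnel", "172.17.6.242", 3, "primary"),         # 7
    Route("0.0.0.0/0", "GRE Tunnel", "172.17.6.246", 4, "secondary"),       # 8
]


def best_route(routes: List[Route], dest: str, tunnel_up: Dict[str, bool]) -> Optional[Route]:
    """Longest prefix match, then lowest cost, considering only eligible routes."""
    ip = ipaddress.ip_address(dest)
    eligible = [r for r in routes
                if (r.tunnel is None or tunnel_up.get(r.tunnel, False))
                and ip in ipaddress.ip_network(r.prefix)]
    if not eligible:
        return None
    return min(eligible, key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, r.cost))


def resolve(routes: List[Route], dest: str, tunnel_up: Dict[str, bool]) -> List[Route]:
    """Follow GRE Tunnel gateways recursively (steps 3 to 6) until the lookup ends
    on a non-tunnel route; returns the chain of routes used."""
    chain, current = [], dest
    for _ in range(8):                                # bound the recursion
        r = best_route(routes, current, tunnel_up)
        if r is None:
            return chain
        chain.append(r)
        if r.service != "GRE Tunnel":
            return chain
        current = r.gateway
    raise RuntimeError("route recursion did not terminate")


def outer_header(chain: List[Route], vip: str = "172.16.1.2",
                 public_ip: str = "115.112.150.75") -> Optional[Dict[str, str]]:
    """Outer IP addresses after GRE encapsulation (step 5) and NAT at the default
    gateway (step 7); None when the traffic is not tunnelled."""
    if not chain or chain[0].service != "GRE Tunnel":
        return None
    return {"src_before_nat": vip, "src_after_nat": public_ip,
            "dst": chain[-1].prefix.split("/")[0]}


def forwarding_for(dest: str, primary_up: bool, secondary_up: bool):
    chain = resolve(ROUTES, dest, {"primary": primary_up, "secondary": secondary_up})
    return chain, outer_header(chain)


if __name__ == "__main__":
    mon = GreKeepaliveMonitor(period_s=10, retries=3)   # constructed settings
    for answered in (True, False, False, False):        # peer stops replying
        mon.keepalive(answered)
    print("primary tunnel UP:", mon.up, "| detected within", mon.detection_time_s(), "s")
    for up in (True, mon.up):
        chain, hdr = forwarding_for("203.0.113.10", primary_up=up, secondary_up=True)
        print([(r.prefix, r.service, r.gateway, r.cost) for r in chain], hdr)
```

With both tunnels up the chain is route 7, route 3, route 1 and the outer header is NAT'ed to 115.112.150.75 towards 165.255.72.38; once three keepalives are missed the primary routes drop out and the chain becomes route 8, route 4, route 2; with both tunnels dead only the cost-5 Internet default remains and nothing is encapsulated.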

Monitor the GRE Tunnel and routes on SD-WAN

Start browsing the internet from the LAN hosts behind the branch SD-WAN. The traffic should go through the GRE tunnel and the tunnel statistics should be updated accordingly. This can be monitored in Monitoring > Statistics > GRE Tunnel.

To monitor the routes go to Monitoring > Statistics > Routes.

In the preceding screenshot, the hit count for the default route pointing towards the primary GRE tunnel to Zscaler is incrementing, which shows that this route is processing internet traffic. This route in turn points to the route towards the primary tunnel destination (165.255.72.38) with service type Internet. From this we can conclude that the internet traffic is going towards Zscaler through the primary GRE tunnel.

Monitor and validate traffic on Zscaler Portal

Log in to the Zscaler Admin portal to see the application traffic that SD-WAN is redirecting towards Zscaler reflected in the dashboard. In the preceding example, YouTube was accessed through Zscaler, and this application can be observed on the Zscaler dashboard as follows.

Internet Breakout to Zscaler using IPsec Tunnel

In the following topology, assume that you want to redirect all internet traffic from the branch to Zscaler using an IPsec tunnel.

  1. Obtain the public IP address of the Site WAN Link. Get the Public IP address (Externally Visible NAT IP) of the Branch/Site WAN Link. In the preceding topology, it was 115.112.150.75.

  2. Add a location with VPN credentials in the Zscaler Portal. To add locations, you must submit your static IP addresses to Zscaler Support, who then ensure that those IP addresses appear in the Admin Portal. You can submit your IP addresses by raising a support ticket. Log in to the Zscaler portal at https://admin.zscalerbeta.net using the admin login credentials that were provided by Zscaler.

  3. Submit a support ticket with Zscaler. Point to the Help icon at the left side of the UI to open the help menu. In the help menu, click on Submit a Ticket.

  4. The Submit Ticket page opens in a new tab or you directly open https://help.zscaler.com/submit-ticket.

  5. After completing the fields in the Submit Ticket page, click Submit. Zscaler Support takes 30 minutes to provision the IP addresses. Once the branch IP addresses have been provisioned, you can use them to add VPN credentials and locations.

  6. Add VPN credentials. The VPN Credential option is used to add the pre-shared key that is used when establishing the IPsec tunnel. To add VPN credentials in the Zscaler Portal, go to Administration > Resources > VPN Credentials as follows.

  7. Add a VPN credential by using Add VPN Credential as follows. The Authentication Type should be IP; the IP Address drop-down is populated with the branch public IP address provided in the preceding step. The pre-shared key entered here must be used when configuring the IPsec tunnel on the SD-WAN branch.

  8. Link the VPN credentials to the location. Go to Administration > Locations. Click Add Location.

Enter general information about the location:

  • Type the Name.
  • Choose the Country.
  • Enter a State/Province, if applicable.
  • Choose the Time Zone of the location.
  • Choose the IP addresses for the location.
  • Public IP Addresses lists the IP addresses that you sent to Zscaler. Choose IP addresses for the location from the drop-down menu.
  • Choose the VPN Credentials from the drop-down. This lists the VPN credential (115.112.150.75) that was created in the preceding step.

Save and Activate the configuration.

Configure SD-WAN Branch with IPsec Tunnel

To configure an IPsec tunnel on SD-WAN, the administrator must know the Zscaler IKE endpoint IP address. It can be found at https://help.zscaler.com/zia/locating-the-hostnames-and-ip-addresses-your-zens or https://ips.zscalerbeta.net/cenr. The web page is as follows.

From the list, pick the location with which the branch SD-WAN is to establish the IPsec tunnel. Each location lists a GRE Virtual IP and a VPN Host Name. Resolve the VPN Host Name to get the IKE peer IP of Zscaler, which is used as the IPsec tunnel destination in the branch SD-WAN configuration. For the following configuration, the “Frankfurt IV” location was used. Resolving the VPN host name fra4-vpn.zscalerbeta.net gives the IP address 165.225.72.39, which is used as the IPsec tunnel destination on the SD-WAN branch.

Add Intranet Service:

Add an Intranet service, which is used for creating the IPsec tunnel over the internet towards Zscaler, and associate a WAN link with it.

Add IPsec Tunnel:

Add an IPsec tunnel towards the Zscaler peer IP (165.255.72.39) with service type Intranet and with the Keepalive option enabled so that SD-WAN initiates the tunnel.

Go to Configuration > Connections > Site > IPsec Tunnels to add the IPsec tunnel.

IKE Settings:

  • IKE Version: IKEv1
  • Mode: Main
  • Authentication: Pre-Shared Key
  • Pre-Shared Key: Enter the Pre-shared key matching the one used while adding VPN Credentials on Zscaler Portal in Step-2
  • DH Group: Group-2
  • Hash Algorithm: SHA1
  • Encryption: AES 128

IPsec Settings and Protected Networks: Configure IPsec Algorithms and Protected networks as follows.

  • Tunnel Type: ESP+NULL. This provides ESP authentication only; the internet traffic redirected towards Zscaler is not encrypted.
  • HASH Algorithm: SHA1
  • PFS Group: Source IP/Prefix should be the LAN subnet of the branch network and Destination IP/Prefix should be 0.0.0.0/0 (this matches all internet traffic).
  • Protected Networks: this automatically adds a route towards 0.0.0.0/0 with service type Intranet.
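
As an added example (not from the Citrix documentation), the following Python shows what the ESP+NULL tunnel type means on the wire: ESP with NULL encryption and HMAC-SHA1-96 authentication (RFC 4303 framing, RFC 2404 ICV) leaves the inner packet readable by anyone on the path but lets the receiver detect any modification. The authentication key and inner packet are constructed for the example; the function names are assumptions, and in a real deployment the SA keys are derived by IKE rather than typed in.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12  # HMAC-SHA1-96: the 160-bit HMAC-SHA1 output truncated to 96 bits


def esp_null_encapsulate(auth_key: bytes, spi: int, seq: int, inner: bytes,
                         next_header: int = 4) -> bytes:
    """Build ESP header | payload | padding | pad length | next header | ICV.
    NULL encryption: the inner packet bytes are copied unchanged."""
    pad_len = (-(len(inner) + 2)) % 4                 # align the 2-byte trailer on 4 bytes
    padding = bytes(range(1, pad_len + 1))            # RFC 4303 monotonic padding bytes
    authenticated = (struct.pack("!II", spi, seq) + inner + padding
                     + bytes([pad_len, next_header]))
    icv = hmac.new(auth_key, authenticated, hashlib.sha1).digest()[:ICV_LEN]
    return authenticated + icv


def esp_null_verify(auth_key: bytes, packet: bytes):
    """Check the ICV in constant time and return (spi, seq, next_header, inner),
    or None if the packet was altered or authenticated with a different key."""
    if len(packet) < 8 + 2 + ICV_LEN:
        return None
    authenticated, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, authenticated, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        return None
    spi, seq = struct.unpack("!II", authenticated[:8])
    pad_len, next_header = authenticated[-2], authenticated[-1]
    inner = authenticated[8:len(authenticated) - 2 - pad_len]
    return spi, seq, next_header, inner


def inner_is_visible(packet: bytes, inner: bytes) -> bool:
    """True when the inner packet can be read straight off the wire (no confidentiality)."""
    return inner in packet


AUTH_KEY = b"constructed-example-auth-key"                 # constructed; IKE derives real SA keys
INNER = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"   # constructed inner packet


if __name__ == "__main__":
    pkt = esp_null_encapsulate(AUTH_KEY, spi=0x1000, seq=1, inner=INNER)
    print("inner packet readable on the wire:", inner_is_visible(pkt, INNER))
    print("verification passes:", esp_null_verify(AUTH_KEY, pkt) is not None)
    tampered = bytearray(pkt)
    tampered[8] ^= 0x01                                   # flip one payload bit in transit
    print("tampered packet accepted:", esp_null_verify(AUTH_KEY, bytes(tampered)) is not None)
```

Running the block shows the HTTP request appearing verbatim inside the ESP packet while a single flipped bit fails verification. That is the trade-off the Tunnel Type setting above makes: integrity of the redirected traffic is protected, but its confidentiality on the path to Zscaler rests on the application-layer encryption of the traffic itself, not on the tunnel.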

Add route to reach Zscaler IKE Peer IP:

To establish the IPsec tunnel towards the Zscaler ZEN IP (165.255.72.39), SD-WAN needs a route to it. Add a route towards the Zscaler IP with service type Intranet, using the intranet service that was used when configuring the IPsec tunnel in the preceding step.

A default route with service type Intranet is added automatically when the protected network with Destination IP/Prefix 0.0.0.0/0 is added as part of the IPsec tunnel configuration in the earlier steps.

Monitor the IPsec Tunnel on SD-WAN

To monitor the IPsec tunnel status, go to Monitoring > IPsec Tunnel. The statistics are updated once internet traffic goes over the tunnel towards Zscaler.

IKE and IPsec SAs can be monitored at Monitoring > IKE/IPsec.

Monitor routes on the SDWAN

Check that the proper routes are updated while sending traffic towards Zscaler through the IPsec tunnel. While internet traffic is being sent, the hit count for the default route (0.0.0.0/0) with service type Intranet should increment, and the hit count for the route towards the Zscaler ZEN (169.255.72.39) should also increment, because the data traffic is encapsulated inside tunnel packets whose destination is the Zscaler ZEN IP.

Monitor and validate traffic on Zscaler Portal

Log in to the Zscaler Admin portal to see the application traffic that SD-WAN is redirecting towards Zscaler reflected in the dashboard. In the preceding example, YouTube was accessed through Zscaler, and this application can be observed on the Zscaler dashboard as follows.

More deployments

There are more deployments where an enterprise is using more than one WAN Link to redirect internet traffic towards Zscaler.

Scenario-1: Two WAN Links establishing tunnels with Same Zscaler end points (ZENs)

In response to the support ticket raised while adding a location (customer end IP), Zscaler provides two tunnel endpoints (active and backup, for example ZEN-1 and ZEN-2 IPs), as described in the initial steps.

In this scenario, a customer has two WAN links through which they want to redirect internet traffic towards Zscaler. The customer has to add two separate locations corresponding to the two WAN links (whose public IPs act as the tunnel source IP addresses). In response, Zscaler provides two tunnel endpoints (active and backup, for example ZEN-1 and ZEN-2 IPs) for each WAN link.

The Zscaler response is based on geolocation. In this case both WAN links belong to the same enterprise and hence the same geolocation, so Zscaler provides the same tunnel destinations for both WAN links.

In this case the tunnel Source and Destinations look as follows. Tunnels related to WAN Link-1:

  • Tunnel-1: 100.100.100.1 to 165.100.100.1
  • Tunnel-2: 100.100.100.1 to 175.100.100.1

Tunnels related to WAN Link-2:

  • Tunnel-3: 200.200.200.1 to 165.100.100.1
  • Tunnel-4: 200.200.200.1 to 175.100.100.1

To establish the tunnels and redirect internet traffic, routes are needed to reach the Zscaler endpoints. To reach the Zscaler endpoints (165.100.100.1 and 175.100.100.1), add two separate routes with service type Internet. With the internet service, only one WAN link can be used at any time, using the Primary/Secondary options; Balance mode is not applicable here. In Balance mode, packets belonging to one tunnel destination can leak out through the other WAN link, in which case Zscaler drops those packets. As a result, the tunnels related to the primary WAN link are UP all the time, and the tunnels related to the secondary WAN link are UP only if the primary WAN link is down. This is because the internet service is configured with two WAN links in Primary/Secondary mode.

If you use an Intranet service instead of an Internet service when adding routes to reach the Zscaler destination IPs, only the primary tunnel of each WAN link is UP all the time, not the secondary.

To resolve these issues, use the following scenario.

Scenario-2: Two WAN Links establishing tunnels with Different Zscaler end points (ZENs)

With the current implementation of the tunneling mechanism on SD-WAN, the preceding issue can be solved as follows. When raising the ticket to get tunnel destination IPs from Zscaler, request separate tunnel destination IPs for each WAN link. In this case the tunnel sources and destinations look as follows.

Tunnels related to WAN Link-1:

  • Tunnel-1: 100.100.100.1 to 165.100.100.1
  • Tunnel-2: 100.100.100.1 to 175.100.100.1

Tunnels related to WAN Link-2:

  • Tunnel-3: 200.200.200.1 to 166.100.100.1
  • Tunnel-4: 200.200.200.1 to 176.100.100.1

Add two Intranet services using WAN Link-1 and two more Intranet services using WAN Link-2.

To reach four different Zscaler Destination IPs, use four different Intranet services.

  • Go to 165.100.100.1 via Intranet-1
  • Go to 175.100.100.1 via Intranet-2
  • Go to 166.100.100.1 via Intranet-3
  • Go to 176.100.100.1 via Intranet-4

To route internet traffic add default routes as follows:

  • Route -1: 0.0.0.0/0 via Tunnel-1 with cost as 1
  • Route -2: 0.0.0.0/0 via Tunnel-2 with cost as 2
  • Route -3: 0.0.0.0/0 via Tunnel-3 with cost as 3
  • Route -4: 0.0.0.0/0 via Tunnel-4 with cost as 4

With this configuration in place, as long as WAN link-1 is UP, traffic goes through Tunnels related to that WAN link, else it goes through the next available Tunnels.

Note: Load balancing of internet traffic across the Tunnels is not supported.

FAQs and troubleshoot

What is ZEN?

  • ZEN stands for Zscaler Enforcement Nodes. Zscaler Enforcement Nodes (ZENs) are full-featured inline proxies that inspect all web traffic bi-directionally for malware, and enforce security and compliance policies. Each ZEN can handle hundreds of thousands of concurrent users with millions of concurrent sessions.
  • Zscaler has ZENs worldwide to ensure a seamless user experience. An organization can forward its traffic to any ZEN in the world or use the geolocation capability of the Zscaler service to direct its user traffic to the nearest ZEN.

What is the significance of Primary and Secondary Tunnels towards Zscaler?

  • Primary and secondary tunnels are meant for redundancy. As long as the primary tunnel towards Zscaler is UP, all internet traffic is redirected through it. If the primary tunnel goes down, the internet traffic is sent towards Zscaler through the secondary tunnel.

Can we have Tunnel established from SD-WAN sitting behind NAT router?

  • Yes, we can have tunnel established towards Zscaler from SD-WAN appliance sitting behind a NAT router.

What are the supported Tunneling mechanisms?

  • We support GRE and IPsec Tunneling mechanisms towards Zscaler.

Can we route internet traffic towards Zscaler through more than one WAN Link?

  • You are able to route traffic through only one WAN Link.

Can we route internet traffic from multiple routing domains towards Zscaler?

  • No.

Can we route specific application traffic towards Zscaler?

  • Yes, using the Application Routes feature. For example, to redirect all Office 365 traffic towards Zscaler and break out all other internet traffic directly, add an application route for the Office 365 application that points to the GRE tunnel towards Zscaler, and add an internet service for all other internet traffic.

Apart from default provisioning, can we change the bandwidth allocated for traffic redirected towards Zscaler?

  • Yes, using the Provisioning section, where the allocation percentage for the internet service can be changed. If specific applications are being redirected towards Zscaler, add Application QoS rules and allocate bandwidth using the class share percentage.

What is the Maximum number of Tunnels that Citrix SD-WAN Supports?

  • A maximum of 8 GRE and 8 IPsec tunnels is supported.

Troubleshoot

GRE tunnel towards Zscaler is shown as DEAD:

  • Check that a route towards the Zscaler destination is configured using the proper service (Internet or Intranet). Also check the status of the route in the Monitoring > Routes section.
  • Check that the WAN link associated with that service is UP.
  • If both of the preceding checks pass, capture packets on the WAN link to check whether keepalives are being sent to, and received from, the Zscaler IP.

If the first two checks pass, the packets are being sent out. If packets are sent but nothing is received from Zscaler, raise a ticket with Zscaler to confirm whether they are receiving GRE packets from your public IP.

Based on that you can tell whether the packets are being sent to the proper destination with the proper source.

IPsec tunnel towards Zscaler is DEAD:

  • Check that a route towards the Zscaler IPsec tunnel destination is configured using the proper Intranet service. Also check the status of the route in the Monitoring > Routes section.
  • Check that the WAN link associated with that service is UP.
  • If both of the preceding checks pass, capture packets on the WAN link to check whether IKE packets are being sent to, and received from, the Zscaler tunnel destination IP.

If the first two checks pass, the packets are being sent out. If packets are sent but nothing is received from Zscaler, raise a ticket with Zscaler to confirm whether they are receiving IKE packets from your public IP.

Based on that you can tell whether the packets are being sent to the proper destination with the proper source.

If responses are being received but IKE negotiation still fails, check the IKE and IPsec algorithm configuration; it must match the Zscaler configuration.

Tunnel is UP but internet traffic is not routed towards Zscaler:

  • Check that the default route is configured with service type GRE Tunnel or IPsec Tunnel. Also check that the route status is eligible.
  • Check the hit count for the internet traffic against the routes in the Monitoring > Routes section.

How to check whether internet traffic is going through the tunnel towards Zscaler?

  • This can be monitored in the statistics of the GRE or IPsec tunnels: packets sent and received increment. Also check the hit count against the routes in the Monitoring > Routes section.

How to validate the tunnel failover scenario?

  • Based on the default route costs, internet traffic is routed through the route with the lowest cost. Bring down the primary tunnel by taking the WAN link down, or bring the tunnel itself down. The default route related to the primary tunnel is then marked as ineligible, and the internet traffic goes through the next available default route.

Configure Internet Service

To configure an internet service:

  1. Navigate to Connections > Internet Services and configure the internet service.

Configure GRE Tunnel

  1. Source IP address is the Tunnel Source IP address. If the Tunnel Source IP address is NATted, the Public Source IP address is the public Tunnel Source IP address, even if it is NATted on a different intermediate device.

  2. Destination IP address is the ZEN IP address that Zscaler provides.

  3. The Source IP address and the Destination IP address become the outer IP header of the GRE packet when the original payload is encapsulated.

  4. Tunnel IP address and Prefix are the IP addressing on the GRE tunnel itself. This is useful for routing traffic over the GRE tunnel. The traffic needs this IP address as the gateway address.

To configure GRE Tunnel:

  1. In the configuration editor, navigate to Connections > Site > GRE Tunnels, and configure routes to forward internet prefix services to the Zscaler GRE Tunnels.

    The source IP address can only be chosen from the virtual network interface on trusted links. See How to configure GRE tunnel (/en-us/citrix-sd-wan/10-2/gre-tunnel.html).

Configure routes for GRE tunnels

Configure routes to forward internet prefix services to the Zscaler GRE Tunnels.

  • The ZEN IP address (tunnel destination IP, shown as 104.129.194.38 in the preceding figure) must be set to service type Internet. This is required so that traffic destined to Zscaler is accounted from the Internet service.
  • All traffic destined to Zscaler must match the default route 0/0 and be transmitted over the GRE tunnel. Ensure that the 0/0 route used for the GRE tunnel has a lower cost than Passthrough or any other service type.
  • Similarly, the backup GRE tunnel to Zscaler must have a higher cost than the primary GRE tunnel.
  • Ensure that non-recursive routes exist for the ZEN IP address.

To configure routes for GRE Tunnel:

  1. Navigate to Connections > Site > Routes, and follow the procedures described in Configuring Routes for instructions about creating routes.

    Note

    If you do not have specific routes for the Zscaler IP address, configure the route prefix 0.0.0.0/0 to match the ZEN IP address and route it through a GRE tunnel encapsulation loop. This configuration uses the tunnels in an active-backup mode. With the values shown in the preceding figure, traffic automatically switches over to the tunnel with gateway IP address 172.17.6.242. If desired, configure a backhaul virtual path route. Otherwise, set the keep-alive interval of the backup tunnel to zero. This enables secure internet access to a site even if both the tunnels to Zscaler fail.

    GRE keep-alive messages are supported. The Citrix SD-WAN GUI includes a field called Public Source IP, which provides the NAT address of the GRE source address when the Citrix SD-WAN appliance's tunnel source is NATted by an intermediate device.

Limitations

  • Multiple VRF deployments are not supported.
  • Primary backup GRE tunnels are supported for a high-availability design mode only.

Configure IPsec Tunnels

To configure IPsec Tunnels for intranet or LAN services in the Citrix SD-WAN appliance GUI:

  1. In the Configuration Editor, navigate to Connections > <siteName> > IPsec Tunnels and choose a service type (LAN or Intranet).

  2. Enter a Name for the service type. For Intranet service type, the configured intranet server determines which Local IP addresses are available.

  3. Select the available Local IP address and enter the Peer IP address for the virtual path to the remote peer.

  4. Select IKEv1 for IKE Settings. Zscaler supports only IKEv1.

  5. Under IPsec Settings, select ESP-NULL for Tunnel type, to redirect traffic to Zscaler through the IPSec tunnel. The IPSec tunnel does not encrypt the traffic.

  6. Because internet traffic is redirected, the destination IP/Prefix can be any IP address.

For more information about configuring IPsec tunnels by using the Citrix SD-WAN web interface, see the IPsec Tunnels topic.

Configure routes for IPsec tunnels

To configure IPsec routes:

  1. Navigate to Connections > DC > Routes and follow the procedures described in Configuring Routes for instructions about creating routes.

To monitor GRE and IPSec tunnel statistics:

In the SD-WAN web interface, navigate to Monitoring > Statistics > GRE Tunnel or Monitoring > Statistics > IPsec Tunnel.

For more information, see the monitoring IPsec tunnels and GRE tunnels topics.
