Training Manual
Copyright Notice
Information in this document is subject to change without notice. The names of companies, products,
people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent
any real individual, company, product, or event, unless otherwise noted. Complying with all applicable
copyright laws is the responsibility of the user.
Zscaler and the Zscaler logo are registered trademarks of Zscaler, Inc. in the United States. The Cloud
Security Company is claimed as a trademark by Zscaler. All other brand and product names are
trademarks or registered trademarks of their respective owners.
Specifications and other information may be subject to change without notice. Portions of this manual
have been reprinted in part or in whole from other copyrighted sources owned by Zscaler.
No part of this publication may be reproduced, photocopied, stored in a retrieval system, or transmitted
without the express prior written consent of Zscaler, Inc.
Table of Contents
1.1 > INTRODUCTION (p. 2)
1.2 > IPSEC GOALS (p. 2)
    1.2.1 Ensuring Confidentiality (p. 3)
    1.2.2 Verifying Packet Integrity (p. 3)
    1.2.3 Authenticating Peers (p. 3)
1.3 > IPSEC PROTOCOLS (p. 3)
    1.3.1 IKE (p. 4)
    1.3.2 Diffie-Hellman (p. 5)
1.4 > PHASE 1 (p. 5)
    1.4.1 Main Mode (p. 5)
    1.4.2 Aggressive Mode (p. 7)
1.5 > PHASE 2 (p. 8)
    1.5.1 Basics (p. 8)
    1.5.2 Dead Peer Detection (p. 8)
2.1 > ZSCALER SETTINGS (p. 9)
    2.1.1 Prerequisites (p. 9)
    2.1.2 Adding VPN Credentials (p. 9)
    2.1.3 Creating a New Location (p. 10)
    2.1.4 Select Zscaler VPN Concentrator (p. 10)
2.2 > CUSTOMER NETWORK EQUIPMENT CONFIG (p. 11)
2.3 > WORKING WITH ZSCALER IPSEC (p. 11)
    2.3.1 Only two SPIs per customer IP address (p. 12)
    2.3.2 IPsec tunnel doesn't come up (p. 12)
3.1 > UNDERSTAND ZSCALER COMPONENTS (p. 13)
    3.1.1 Architecture (p. 13)
    3.1.2 Capturing network traffic (p. 13)
3.2 > READ IPSEC STATUS (p. 15)
    3.2.1 Phase 1 (p. 15)
    3.2.2 Phase 2 (p. 15)
3.3 > ESCALATING AN IPSEC CONNECTIVITY ISSUE (p. 16)
4.1 > CONFIGURATION EXAMPLE: CISCO ASA 5505 (p. 17)
    4.1.1 Configuring the Firewall (p. 17)
    4.1.2 Configuring the Interfaces (p. 17)
    4.1.3 Defining Security Parameters (p. 20)
    4.1.4 Troubleshooting (p. 23)
4.2 > CONFIGURATION EXAMPLE: JUNIPER SSG5 (p. 27)
    4.2.2 Configuring the Firewall (p. 29)
    4.2.3 Configuring the Interfaces (p. 29)
    4.2.4 Configuring Tunnel Interfaces (p. 30)
    4.2.5 Defining IKE Parameters (p. 32)
    4.2.6 Configuring Policy-Based Routing (p. 33)
    4.2.7 Creating Policies (p. 38)
4.3 > PRE-SHARED KEY (PSK) VPN BETWEEN JUNIPER SRX 210 / SRX 220 AND ZVPN (p. 39)
    4.3.1 Steps to be done on Juniper SRX 220 (p. 39)
    4.3.2 Overall config for the Juniper SRX 220 (p. 44)
4.4 > PRE-SHARED KEY (PSK) VPN BETWEEN CISCO 881 AND 2821 ROUTER AND ZVPN (p. 50)
    4.4.1 Steps to be done on Cisco 881 and 2821 Router (p. 50)
    4.4.2 Overall config for the Cisco 881 router (p. 53)
    4.4.3 Debugging Cisco 881 VPN tunnel (p. 58)
Note: Zscaler supports only HTTP, HTTPS, SMTP, FTP over HTTP/HTTPS and native FTP (passive) traffic through IPsec
VPNs. When the Security Cloud receives traffic it does not support, it converts the source address to a public address
with source NAT and then sends it out to the Internet with no control over that traffic. Zscaler therefore recommends that
you send only HTTP/HTTPS/SMTP/FTP over HTTP/HTTPS and native FTP (passive) traffic to the Security Cloud.
IPsec (Internet protocol security) is a suite of protocols that provide network-layer security to a VPN
(virtual private network). A VPN is a virtual network that provides a secure communication path between
two peers in a public network. The peers can be two hosts, a remote host and a network gateway, or the
gateways of two networks, such as the gateway of your corporate network and a ZEN (Zscaler
Enforcement Node) in the Security Cloud.
IPsec provides the following types of protection:
Confidentiality: Ensures that data cannot be read by unauthorized parties.
Integrity: Verifies that data was not modified during transit.
Authentication: Verifies the identity of the peers.
As shown in Figure 1, IPsec provides a number of options for applying each type of protection. The peers
in the IPsec VPN use a negotiation process called IKE (Internet Key Exchange) to define the security
mechanisms they will use to protect their communications. IKE has two phases.
In the first phase, the peers define the security parameters they will use to communicate in the
second phase. This collection of security parameters is called a security association (SA).
In the second phase, the peers define the SA that they will use to protect the actual data exchange.
negotiations. The selected protocol then uses the algorithms and authentication method defined in the
IPsec SA to encode the data packets.
AH provides authentication and integrity protection through a keyed hash algorithm, described in
Verifying Packet Integrity. ESP encrypts IP packets, as described in Ensuring Confidentiality. The earlier
version of ESP did not provide authentication and integrity protection, so most IPsec implementations
used AH together with ESP. Since the current version of ESP can also use a keyed hash algorithm to verify the
authenticity and integrity of packets, most IPsec implementations now use ESP, and not necessarily AH.
ESP can operate in either of two modes: transport mode or tunnel mode. Figure 2 illustrates an IP packet
in transport mode and in tunnel mode. As shown in the illustration, ESP adds a header, a trailer, and if
authentication is used, an authentication section at the end. The ESP header contains an SPI (Security
Parameter Index) value, which is a unique identifier, and a sequence number. The ESP trailer contains
fields such as additional bytes for padding and the padding length.
As shown in Figure 2, in transport mode, ESP encrypts the data payload and ESP trailer. It uses the
original IP header with the original source and destination IP addresses. In implementations that involve
communications from or to a gateway, the source and/or destination IP addresses need to be changed to
the gateway IP addresses. Since transport mode does not alter the IP header, this mode is used
specifically for host-to-host communications.
In tunnel mode, ESP encapsulates the entire packet, including the original IP header. It adds a new IP
header that lists the IPsec peers as the source and destination of the packet. ESP tunnel mode is used in
VPNs that include at least one gateway, because the gateway address can be specified as the source
and/or destination in the new IP header.
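The ESP framing described above, worked through in code for the NULL encryption / MD5 authentication combination this manual recommends for Phase 2. This is an added example, not Zscaler's code: the key, SPI values, sequence numbers and packet bytes are constructed, and it shows the same TCP segment carried in transport mode (Next Header 6, original IP header kept) and in tunnel mode (Next Header 4, whole inner packet wrapped and a new outer header naming the gateways), plus the receiver-side ICV check that rejects a modified packet.

```python
"""ESP framing with NULL encryption and HMAC-MD5-96 authentication.

Added example, not Zscaler's code. All keys, addresses, SPIs and packet
bytes are constructed here; real values are negotiated by IKE Phase 2.
"""
import hashlib
import hmac
import socket
import struct

ICV_LEN = 12           # HMAC-MD5-96: 128-bit MAC truncated to 96 bits
NH_IPIP = 4            # tunnel mode: the ESP payload is an entire IP packet
NH_TCP = 6             # transport mode: the ESP payload is the transport segment
IPPROTO_ESP = 50       # what the "ip proto 50" tcpdump filter matches

AUTH_KEY = b"constructed-hmac-md5-key"      # constructed; not a real SA key
# Constructed 20-byte TCP SYN, ports 58686 -> 80, no options, checksum zero.
TCP_SEGMENT = struct.pack("!HHIIBBHHH", 58686, 80, 0x1234, 0, 0x50, 0x02, 0x0400, 0, 0)


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0,
                                0x4000, 64, proto, 0,
                                socket.inet_aton(src), socket.inet_aton(dst)))
    csum = sum(struct.unpack("!10H", hdr))
    while csum >> 16:                                # fold carries into 16 bits
        csum = (csum >> 16) + (csum & 0xFFFF)
    struct.pack_into("!H", hdr, 10, (~csum) & 0xFFFF)
    return bytes(hdr)


def build_esp(spi, seq, payload, next_header, auth_key):
    """Return ESP header | payload | trailer | ICV.

    With the NULL cipher the payload stays in clear; the only protection is the
    ICV over header + payload + trailer. The sequence number is covered by the
    ICV, which is what lets a receiver reject replayed packets.
    """
    pad_len = (-(len(payload) + 2)) % 4              # align Pad Length/Next Header to 4
    padding = bytes(range(1, pad_len + 1))           # self-describing padding 1, 2, 3, ...
    trailer = padding + struct.pack("!BB", pad_len, next_header)
    authenticated = struct.pack("!II", spi, seq) + payload + trailer
    icv = hmac.new(auth_key, authenticated, hashlib.md5).digest()[:ICV_LEN]
    return authenticated + icv


def parse_esp(packet, auth_key):
    """Verify the ICV, then return (spi, seq, next_header, payload)."""
    if len(packet) < 8 + 2 + ICV_LEN:
        raise ValueError("too short to be an ESP packet")
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.md5).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):       # constant-time comparison
        raise ValueError("ICV mismatch: packet was modified or the key is wrong")
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = struct.unpack("!BB", body[-2:])
    return spi, seq, next_header, body[8:-(2 + pad_len)]


def transport_mode_packet():
    """Original IP header kept; ESP wraps only the TCP segment (host-to-host use)."""
    esp = build_esp(0x096B0BD7, 0x75AA, TCP_SEGMENT, NH_TCP, AUTH_KEY)
    return ipv4_header("10.227.224.125", "176.34.108.101", IPPROTO_ESP, len(esp)) + esp


def tunnel_mode_packet():
    """Whole inner packet becomes the ESP payload; a new outer header names the gateways."""
    inner = ipv4_header("10.227.224.125", "176.34.108.101", NH_TCP, len(TCP_SEGMENT)) + TCP_SEGMENT
    esp = build_esp(0x09334F6A, 1, inner, NH_IPIP, AUTH_KEY)
    return ipv4_header("89.224.187.12", "77.242.202.241", IPPROTO_ESP, len(esp)) + esp


def tamper_is_detected(packet):
    """Flip one bit in the ESP payload and confirm the receiver rejects the packet."""
    bad = bytearray(packet)
    bad[20 + 8] ^= 0x01                              # first byte after the ESP header
    try:
        parse_esp(bytes(bad[20:]), AUTH_KEY)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name, pkt in (("transport", transport_mode_packet()), ("tunnel", tunnel_mode_packet())):
        spi, seq, nh, payload = parse_esp(pkt[20:], AUTH_KEY)
        print("%s: spi=0x%08x seq=%d next_header=%d payload=%d bytes tamper_detected=%s"
              % (name, spi, seq, nh, len(payload), tamper_is_detected(pkt)))
```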
1.3.1 IKE
IKE provides a secure way to establish the IPsec services that the peers use to protect their
communications. As described in an earlier section, IKE has two phases. In the first phase, the peers
negotiate the parameters for a secure communication channel through which they negotiate the
parameters for the second phase. This first set of parameters is referred to as the IKE SA. This SA is
bi-directional, so only one SA is established for both directions of traffic.
In the second phase, the peers negotiate the parameters for the actual exchange of IP packets. The
second set of parameters is referred to as the IPsec SA. The IPsec SA is uni-directional, so one SA
is established for each direction of a connection.
Page | 4 Copyright 2012 Zscaler, Inc. All rights reserved.
1.3.2 Diffie-Hellman
Diffie-Hellman is a method for peers to generate a shared key securely, without having to
exchange a shared secret beforehand. Diffie-Hellman specifies group numbers, each of which corresponds to a
key (modulus) length and a generator. During the IKE negotiations, the peers agree on the Diffie-Hellman
group number that they use to generate the shared key. For more information on Diffie-Hellman,
refer to RFC 2631, Diffie-Hellman Key Agreement Method.
1.5.1 Basics
The Phase 2 negotiations are similar to those in Phase 1: the peers negotiate security
parameters that include the encryption and keyed hash algorithms and the authentication method.
Additionally, in this phase the peers negotiate the IPsec protocol to be applied to the IP packets: AH,
ESP and AH, or ESP. As stated earlier, most VPNs today use ESP.
After the IPsec SA is established, the peers exchange IP packets using the security parameters
defined in the IPsec SA.
Note: For Phase 2, Zscaler supports Null Encryption or AES for the encryption algorithm and MD5 for the
authentication algorithm. The Zscaler recommended algorithms are Null Encryption with MD5.
IKE Phase 2
o Mode: Quick mode
o Encryption and Authentication Algorithms: NULL/MD5, AES-128/MD5
o Diffie-Hellman Group 2
o SA Lifetime: 8 hours
o Lifebytes: Unlimited
o Perfect Forward Secrecy (PFS): disabled. PFS makes each IPsec SA generate a new shared secret
through its own Diffie-Hellman exchange; this option is not recommended for Zscaler VPNs.
Chapter 3: Troubleshooting
3.1.1 Architecture
Our IPsec VPN terminator is based on the racoon IKE project, adapted, patched and improved for
Zscaler needs. The VPN service is tied to the BSD system.
The service receives traffic on the MGMT interface and forwards the unencrypted traffic through a GRE
tunnel to the Datacenter VIP service. The racoon service listens on the MGMT interface on a dedicated
CARP VIP.
Every IPsec VPN enabled system has one racoon service running on the BSD system. The racoon
configuration file is available in the following folder: $ZSINSTANCE/conf/racoon/
o UDP port 500 for Internet Key Exchange (IKE) negotiation traffic
o UDP port 4500 for NAT-traversal (NAT-T) encapsulated IPsec Encapsulating Security Payload (ESP) traffic
Encrypted traffic:
[support@cdg1b ~]$ sudo tcpdump -i igb0 -n ip proto 50 or udp port 4500
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on igb0, link-type EN10MB (Ethernet), capture size 96 bytes
13:37:18.335781 IP 109.1.168.99 > 77.242.202.241: ESP(spi=0x096b0bd7,seq=0x75aa), length 76
13:37:18.336002 IP 109.6.237.25 > 77.242.202.241: ESP(spi=0x026b09f5,seq=0xae65), length 64
13:37:18.336115 IP 109.1.158.23 > 77.242.202.241: ESP(spi=0x0fb39e29,seq=0x97ad), length 64
13:37:18.336254 IP 77.242.202.241 > 109.1.158.104: ESP(spi=0x75f584d3,seq=0x5ad1), length 64
13:37:18.336340 IP 82.234.143.192 > 77.242.202.241: ESP(spi=0x08eed1b3,seq=0x1a3c8), length 64
13:37:18.336390 IP 77.242.202.241 > 109.1.168.99: ESP(spi=0x9bbc7d26,seq=0x6f81), length 76
13:37:18.336474 IP 77.242.202.241 > 109.1.158.155: ESP(spi=0xa7392a51,seq=0x54aa), length 64
13:37:18.336493 IP 77.242.202.241 > 109.1.158.155: ESP(spi=0xa7392a51,seq=0x54ab), length 64
13:37:18.336514 IP 77.242.202.241 > 109.1.168.94: ESP(spi=0xd658a914,seq=0x9d63), length 64
13:50:50.932610 (authentic,confidential): SPI 0x09334f6a: IP 89.224.187.12 > 77.242.202.241: IP 10.227.224.125.58686 > 176.34.108.101.80: . ack 3329942478 win 255 <nop,nop,timestamp 2083790 558647981> (ipip-proto-4)
13:50:50.932628 (authentic,confidential): SPI 0x048e9b11: IP 146.255.170.58 > 77.242.202.241: IP 172.23.90.163.62903 > 157.56.252.38.443: P 4046759419:4046759936(517) ack 409380733 win 64 (ipip-proto-4)
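A way to turn the encrypted-traffic capture above into a health check, as an added example that is not Zscaler tooling: it parses tcpdump lines in the format shown, groups SPIs per customer IP and direction relative to the node address above (a steady-state tunnel has exactly one SPI each way, as section 3.2.2 describes), and checks that the sequence number of each SPI only ever increases. The sample lines are constructed to resemble the capture, with one replayed sequence number and one customer showing two inbound SPIs at once.

```python
"""Inventory ESP flows from tcpdump output and flag SPI-count and sequence anomalies.

Added example, not Zscaler tooling. Sample capture lines are constructed
in the format of the manual's tcpdump output; the node address is the one
shown in that capture.
"""
import re
from collections import defaultdict

NODE_IP = "77.242.202.241"

ESP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ESP\(spi=0x(?P<spi>[0-9a-f]+),seq=0x(?P<seq>[0-9a-f]+)\), length (?P<length>\d+)$"
)

# Constructed sample: two clean flows, one replayed sequence number (the third
# packet to 109.1.158.155) and one customer with two inbound SPIs (109.1.158.23).
SAMPLE_CAPTURE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
13:37:18.335781 IP 109.1.168.99 > 77.242.202.241: ESP(spi=0x096b0bd7,seq=0x75aa), length 76
13:37:18.336390 IP 77.242.202.241 > 109.1.168.99: ESP(spi=0x9bbc7d26,seq=0x6f81), length 76
13:37:18.336474 IP 77.242.202.241 > 109.1.158.155: ESP(spi=0xa7392a51,seq=0x54aa), length 64
13:37:18.336493 IP 77.242.202.241 > 109.1.158.155: ESP(spi=0xa7392a51,seq=0x54ab), length 64
13:37:18.336510 IP 77.242.202.241 > 109.1.158.155: ESP(spi=0xa7392a51,seq=0x54aa), length 64
13:37:18.336115 IP 109.1.158.23 > 77.242.202.241: ESP(spi=0x0fb39e29,seq=0x97ad), length 64
13:37:18.336600 IP 109.1.158.23 > 77.242.202.241: ESP(spi=0x0ab1c0de,seq=0x0001), length 64
""".splitlines()


def parse_capture(lines):
    """Return one dict per ESP line; banners, IKE and decrypted lines are skipped."""
    records = []
    for line in lines:
        m = ESP_LINE.match(line.strip())
        if m:
            records.append({"ts": m["ts"], "src": m["src"], "dst": m["dst"],
                            "spi": int(m["spi"], 16), "seq": int(m["seq"], 16),
                            "length": int(m["length"])})
    return records


def sa_inventory(records, node_ip=NODE_IP):
    """Map customer IP -> {'inbound': {spi...}, 'outbound': {spi...}}.

    'inbound' is customer -> node, 'outbound' is node -> customer.
    """
    inv = defaultdict(lambda: {"inbound": set(), "outbound": set()})
    for r in records:
        if r["dst"] == node_ip:
            inv[r["src"]]["inbound"].add(r["spi"])
        elif r["src"] == node_ip:
            inv[r["dst"]]["outbound"].add(r["spi"])
    return dict(inv)


def find_anomalies(records, node_ip=NODE_IP):
    """Return (customer_ip, kind, detail) tuples for SPI-count and sequence problems."""
    findings = []
    for customer, dirs in sorted(sa_inventory(records, node_ip).items()):
        for direction, spis in dirs.items():
            if len(spis) > 1:                        # more than one live SA per direction
                findings.append((customer, "multiple-spi",
                                 "%s SPIs %s (rekey in progress or a stale SA)"
                                 % (direction, ", ".join("0x%08x" % s for s in sorted(spis)))))
    highest = {}                                     # (src, dst, spi) -> highest seq seen
    for r in records:
        key = (r["src"], r["dst"], r["spi"])
        if key in highest and r["seq"] <= highest[key]:
            customer = r["src"] if r["dst"] == node_ip else r["dst"]
            findings.append((customer, "sequence-not-increasing",
                             "SPI 0x%08x seq 0x%x after 0x%x at %s"
                             % (r["spi"], r["seq"], highest[key], r["ts"])))
        highest[key] = max(highest.get(key, 0), r["seq"])
    return findings


if __name__ == "__main__":
    recs = parse_capture(SAMPLE_CAPTURE)
    for customer, dirs in sorted(sa_inventory(recs).items()):
        print(customer, {d: ["0x%08x" % s for s in sorted(v)] for d, v in dirs.items()})
    for finding in find_anomalies(recs):
        print("ANOMALY", *finding)
```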
3.2.2 Phase 2
When a Phase 2 session is successfully established with Zscaler, two SPIs are created (one in each
direction). The following command returns all attributes corresponding to this session.
Figure 6: VPN between a Cisco ASA 5505 and the Security Cloud
Configuration:
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
ftp mode passive
Configuration:
crypto ipsec transform-set test esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol IPSec
tunnel-group TunnelGroup1 type ipsec-l2l
tunnel-group TunnelGroup1 ipsec-attributes
 pre-shared-key *****
 peer-id-validate nocheck
tunnel-group 10.10.104.71 type ipsec-l2l
tunnel-group 10.10.104.71 general-attributes
 default-group-policy GroupPolicy1
tunnel-group 10.10.104.71 ipsec-attributes
 pre-shared-key *****
 peer-id-validate nocheck
tunnel-group 10.10.104.235 type ipsec-l2l
tunnel-group 10.10.104.235 general-attributes
 default-group-policy GroupPolicy1
tunnel-group 10.10.104.235 ipsec-attributes
 pre-shared-key *****
 peer-id-validate nocheck
4.1.4 Troubleshooting
Following are some sample commands that you can use to monitor and troubleshoot the VPNs.
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
interface: outside
Crypto map tag: outside_map, seq num: 2, local addr: 10.10.120.34
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
4.2.1.1 Prerequisites
Before you start configuring the Security Service and the firewall, you must send Zscaler the following
information:
The FQDN of the peer. In this example, it is abc@test.net.
The PSK. In this example, the PSK is abc.
o Sequence No. 80
o Destination Port: 53~53
o Protocol: UDP
The following figure shows the completed extended ACL:
After you have completed the configuration, you can monitor the status of the tunnel by navigating to
VPNs > Monitor Status, as shown in the following figure.
We will be creating two VPN tunnels to the Zscaler cloud using IP address based PSK credentials, with lds
as the PSK. Two tunnels are created so that if one fails the traffic can go over the other tunnel. The
design makes sure that DPD is enabled and that VPN Monitoring is turned on. In this example we have
used a route-based VPN: we create two tunnels and insert them as the default route in the routing
table. Detailed steps are shown below:
Interface ge-0/0/0 is configured in the Untrust zone. This is the Internet port, which gets its IP address
using DHCP.
Interfaces ge-0/0/1 to ge-0/0/7 are configured in the Trust zone. All of them are members of the trust VLAN (vlan.0).
Tunnels are created using the st0 interface. Sub-interfaces unit 0 and unit 1 are configured under st0. Two
default routes are configured, via st0.0 and st0.1.
Config corresponding to the above steps is shown below:
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                dhcp;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/6 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/7 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    st0 {
        unit 0 {
            family inet;
        }
        unit 1 {
            family inet;
        }
    }
    st1 {
        unit 0 {
            family inet;
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop [ st0.0 st0.1 ];
        route 10.10.104.0/24 next-hop 10.10.120.1;
    }
}
Now the security configuration is started as shown below:
Create an IKE proposal named test with the attributes:
o authentication-method set to pre-shared-keys
o dh-group set to group2
o authentication-algorithm set to sha1
o encryption-algorithm set to aes-128-cbc
o lifetime set to 86400 seconds.
Now create an IKE policy, say ike-policy1, with:
o Mode aggressive
o Pre-shared key: lds
o Proposal: test.
Now create two IKE gateways, say ike-gate and ike-gate-secondary, with:
o ike-policy set to ike-policy1
o Address set to the ZVPN node IPsec address, e.g. 10.10.104.71 and
10.10.104.235 in this case.
o Enable dead-peer-detection (DPD)
o Set external-interface to the Internet port, e.g. in this test it is set to
ge-0/0/0
            lifetime-seconds 86400;
        }
        policy ike-policy1 {
            mode aggressive;
            proposals test;
            pre-shared-key ascii-text "$9$rYllMXdVYoZj"; ## SECRET-DATA
        }
        policy test {
            mode aggressive;
            proposals test;
            pre-shared-key ascii-text "$9$iHfz9Cu1Eyp0"; ## SECRET-DATA
        }
        gateway ike-gate {
            ike-policy ike-policy1;
            address 10.10.104.71;
            dead-peer-detection {
                always-send;
                interval 20;
                threshold 5;
            }
            nat-keepalive 20;
            external-interface ge-0/0/0;
        }
        gateway ike-gate-secondary {
            ike-policy ike-policy1;
            address 10.10.104.235;
            dead-peer-detection {
                always-send;
                interval 20;
                threshold 5;
            }
            nat-keepalive 20;
            external-interface ge-0/0/0;
        }
    }
    ipsec {
        vpn-monitor-options {
            interval 30;
            threshold 4;
        }
        proposal test {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            lifetime-seconds 1800;
        }
        policy vpn-policy1 {
            proposal-set standard;
        }
        vpn ike-vpn {
            bind-interface st0.0;
            df-bit set;
            vpn-monitor {
                optimized;
                source-interface ge-0/0/0;
                destination-ip 10.10.104.70;
            }
            ike {
                gateway ike-gate;
                idle-time 4000;
                ipsec-policy vpn-policy1;
            }
            establish-tunnels immediately;
        }
        vpn ike-vpn-secondary {
            bind-interface st0.1;
            df-bit set;
            vpn-monitor {
                optimized;
                source-interface ge-0/0/0;
                destination-ip 10.10.104.246;
            }
            ike {
                gateway ike-gate-secondary;
                idle-time 4000;
                ipsec-policy vpn-policy1;
            }
            establish-tunnels immediately;
        }
    }
Now configure the NAT part of the config, so that traffic which does not go through the tunnel
interfaces is source-NATed out of the Internet interface:
    nat {
        source {
            rule-set nat-out {
                from zone trust;
                to zone untrust;
                rule interface-nat {
                    match {
                        source-address 192.168.0.0/16;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
}
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address local-net 192.168.0.0/16;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    ike;
                }
            }
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                            all;
                        }
                    }
                }
            }
        }
        security-zone vpn {
            address-book {
                address remote-net 0.0.0.0/0;
            }
            interfaces {
                st0.0;
                st0.1;
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy any-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone vpn {
            policy vpn-tr-vpn {
                match {
                    source-address local-net;
                    destination-address remote-net;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone vpn to-zone trust {
            policy vpn-vpn-tr {
                match {
                    source-address remote-net;
                    destination-address local-net;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    flow {
        tcp-mss {
            ipsec-vpn {
                mss 1300;
            }
        }
    }
}
vlans {
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
[edit]
To list the routing table and make sure that the st0.0 and st0.1 routes are present:
show route
To list the Phase 2 tunnels, execute the command show security ipsec security-associations.
To list the Phase 1 tunnels, execute the command show security ike security-associations.
To clear IPsec and IKE SAs, use the respective clear commands as shown below:
root>
show security ipsec security-associations
Total active tunnels: 1
ID Gateway Port Algorithm SPI Life:sec/kb Mon vsys
<131073 10.10.104.71 500 ESP:3des/sha1 3491a9ba 2758/ unlim U root
>131073 10.10.104.71 500 ESP:3des/sha1 6840028 2758/ unlim U root
Similarly, use the clear security isakmp command to clear Phase 1 tunnels.
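A check over the Phase 2 table shown above, as an added example that is neither Juniper nor Zscaler tooling: it parses the output of show security ipsec security-associations in the format above, confirms that every tunnel ID has both an inbound (<) and an outbound (>) SA as section 3.2.2 describes, and flags algorithm pairs outside the NULL/MD5 and AES-128/MD5 combinations listed in section 1.5.1. The first tunnel in the sample is the one above; the second is constructed with one direction missing, and the exact Junos spelling of the AES algorithm name is an assumption.

```python
"""Check Junos "show security ipsec security-associations" output against this manual.

Added example, not Juniper or Zscaler tooling. The second tunnel in the
sample output is constructed; the Junos spelling "aes-cbc-128" is assumed.
"""
import re
from collections import defaultdict

SA_LINE = re.compile(
    r"^(?P<dir>[<>])(?P<id>\d+)\s+(?P<gw>[\d.]+)\s+(?P<port>\d+)\s+"
    r"(?P<proto>\w+):(?P<enc>[\w-]+)/(?P<auth>[\w-]+)\s+(?P<spi>[0-9a-f]+)\s+"
    r"(?P<sec>\d+)/\s*(?P<kb>\S+)\s+(?P<mon>\S+)\s+(?P<vsys>\S+)$"
)

SAMPLE_OUTPUT = """\
Total active tunnels: 2
ID Gateway Port Algorithm SPI Life:sec/kb Mon vsys
<131073 10.10.104.71 500 ESP:3des/sha1 3491a9ba 2758/ unlim U root
>131073 10.10.104.71 500 ESP:3des/sha1 6840028 2758/ unlim U root
<131074 10.10.104.235 500 ESP:aes-cbc-128/md5 5a1b2c3d 1200/ unlim U root
""".splitlines()


def zscaler_phase2_ok(enc, auth):
    """Section 1.5.1: NULL or AES-128 for encryption and MD5 for authentication."""
    enc, auth = enc.lower(), auth.lower()
    return auth == "md5" and (enc == "null" or (enc.startswith("aes") and "128" in enc))


def parse_sa_table(lines):
    """Return one dict per SA row; the header and summary lines are skipped."""
    sas = []
    for line in lines:
        m = SA_LINE.match(line.strip())
        if m:
            sas.append({"direction": "inbound" if m["dir"] == "<" else "outbound",
                        "id": int(m["id"]), "gateway": m["gw"], "port": int(m["port"]),
                        "enc": m["enc"], "auth": m["auth"], "spi": int(m["spi"], 16),
                        "life_sec": int(m["sec"]), "monitor": m["mon"]})
    return sas


def check_sas(sas):
    """Return (tunnel_id, kind, detail) findings; an empty list means the state matches the manual."""
    by_id = defaultdict(list)
    for sa in sas:
        by_id[sa["id"]].append(sa)
    findings = []
    for tunnel_id, entries in sorted(by_id.items()):
        directions = {e["direction"] for e in entries}
        for missing in ("inbound", "outbound"):
            if missing not in directions:           # a healthy tunnel has one SPI per direction
                findings.append((tunnel_id, "missing-direction",
                                 "no %s SA towards %s" % (missing, entries[0]["gateway"])))
        for enc, auth in sorted({(e["enc"], e["auth"]) for e in entries}):
            if not zscaler_phase2_ok(enc, auth):
                findings.append((tunnel_id, "algorithm",
                                 "ESP:%s/%s is outside the NULL/MD5 and AES-128/MD5 set"
                                 % (enc, auth)))
        if any(e["monitor"] == "D" for e in entries):  # Mon column: U = up, D = down
            findings.append((tunnel_id, "vpn-monitor-down", "vpn-monitor reports the peer down"))
    return findings


if __name__ == "__main__":
    for finding in check_sas(parse_sa_table(SAMPLE_OUTPUT)):
        print("tunnel %d: %s: %s" % finding)
```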
4.4 > Pre-Shared Key (PSK) VPN between Cisco 881 and 2821 Router and ZVPN:
In this test we have created two FQDN based VPNs from a Cisco 881 and a 2821 router to the Zscaler cloud
for redundancy. VPN Monitoring is enabled so that a VPN tunnel going down is detected as soon as
possible, the route is marked down by Cisco IOS and traffic goes through the secondary tunnel. Since
the 881 and 2821 both run Cisco IOS, the commands to create the tunnel configuration are the same
on both platforms.
The 881 router is an access device with one WAN port (fa4) and multiple LAN ports (fa0, fa1, fa2, fa3).
Client devices such as laptops get their addresses from the DHCP pool configured on the 881 router. The WAN
port, fa4, gets its address via DHCP from the service provider.
NAT is enabled on the WAN port so that outbound traffic from the LAN ports is translated before going to
the Internet.
Using the access-list, only TCP traffic for ports 80 and 443 and ICMP traffic are sent through the VPN tunnel.
Steps to create the tunnel:
Create an ISAKMP policy (the Phase 1 tunnel policy, say policy 1) with the following attributes:
o Encryption set to aes
o Authentication set to pre-share
o Group 2
o Lifetime 14400
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
 lifetime 14400
Now create the ISAKMP peer address as shown below with the following attributes set:
o Set aggressive mode and the password for it
o Set user-fqdn, e.g. lds@test.net
Now create the IPsec transform-set, say test, for Phase 2 as shown below:
Now create an IPsec profile, say VTI, as shown below with the following attributes:
o Set transform-set to test
o Set pfs group to group2
o Set security-association (SA) lifetime to 14400
o Set SA idle-time to 14400
Now create a tunnel interface, say Tunnel400 for one Zscaler gateway and Tunnel500 for the other Zscaler ZVPN
gateway, as shown below with the attributes:
o MTU set to 1400
o TCP MSS set to 1300
o Tunnel source set to the WAN port, i.e. FastEthernet4 (fa4)
o Tunnel mode set to ipsec ipv4
o Tunnel destination set to the Zscaler ZVPN IP address
o Tunnel protection ipsec profile set to VTI
o IP address derived from fa4
interface Tunnel400
 ip unnumbered FastEthernet4
 ip mtu 1400
 ip tcp adjust-mss 1300
 tunnel source FastEthernet4
 tunnel mode ipsec ipv4
 tunnel destination 10.10.104.71
 tunnel protection ipsec profile VTI
interface Tunnel500
 no ip address
 ip mtu 1400
 ip tcp adjust-mss 1300
 tunnel source FastEthernet4
 tunnel mode ipsec ipv4
 tunnel destination 10.10.104.81
 tunnel protection ipsec profile VTI
Now create an access-list to separate the HTTP/HTTPS/FTP and ICMP traffic that will be sent to the tunnel,
and create a route-map for that traffic that sets the next hop to the tunnels above:
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
access-list 101 permit icmp any any
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq ftp-data
!
route-map zscaler-tunnel permit 10
 match ip address 101
 set interface Tunnel400 Tunnel500
interface FastEthernet4
 description $ES_WAN$
 ip address dhcp client-id FastEthernet4 hostname 10.35.3.41
 ip access-group 80 in
 ip access-group 80 out
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 no ip address
 ip access-group 100 in
VPN-test#show run
Building configuration...
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2721864363
 revocation-check none
!
crypto pki certificate chain tti
crypto pki certificate chain TP-self-signed-2721864363
 certificate self-signed 01
quit
ip source-route
!
!
!
ip dhcp excluded-address 10.65.199.129
!
ip dhcp pool ccp-pool
import all
network 10.65.199.128 255.255.255.128
default-router 10.65.199.129
dns-server 10.10.104.23
lease 0 2
!
!
ip cef
ip domain name yourdomain.com
ip name-server 10.10.104.23
no ipv6 cef
!
!
license udi pid CISCO881-K9 sn FCZ1510C25F
!
!
username root privilege 15 secret 5 $1$tNw1$LDdmzCh/UNWcL.odwKkyD1
username sachin privilege 15 secret 5 $1$lXn2$gxtDItkOXiDydXTA0Netu.
username skumar privilege 15 secret 5 $1$ZnCs$B/0DfujHTS6.Kr/uIIYbq.
!
!
!
!
!
track 400 ip sla 400 reachability
!
track 500 ip sla 500 reachability
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
lifetime 14400
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp keepalive 10 periodic
crypto isakmp nat keepalive 20
!
crypto isakmp peer address 8.28.19.66
set aggressive-mode password C9dYfsdtd8
set aggressive-mode client-endpoint user-fqdn MHVPN-000010@lds.org
!
crypto isakmp peer address 8.28.19.78
set aggressive-mode password C9dYfsdtd8
set aggressive-mode client-endpoint user-fqdn MHVPN-000010@lds.org
!
crypto isakmp peer address 10.10.100.244
set aggressive-mode password t35tu5er
set aggressive-mode client-endpoint user-fqdn testuser@sdev.com
!
crypto isakmp peer address 10.10.104.71
set aggressive-mode password lds
set aggressive-mode client-endpoint user-fqdn lds@test.net
!
crypto isakmp peer address 10.10.104.81
set aggressive-mode password lds
set aggressive-mode client-endpoint user-fqdn lds@test.net
!
crypto isakmp peer address 10.10.104.90
set aggressive-mode password test
set aggressive-mode client-endpoint user-fqdn test@skumar.com
!
crypto isakmp peer address 10.10.104.91
set aggressive-mode password hello
set aggressive-mode client-endpoint user-fqdn hello@test.net
!
crypto isakmp peer address 10.10.104.235
set aggressive-mode password lds
set aggressive-mode client-endpoint user-fqdn lds@test.net
!
crypto isakmp peer address 10.10.104.237
set aggressive-mode password lds
set aggressive-mode client-endpoint user-fqdn lds@test.net
!
crypto isakmp peer address 10.65.199.3
set aggressive-mode password test
set aggressive-mode client-endpoint user-fqdn test@skumar.com
!
crypto isakmp peer address 152.26.228.202
set aggressive-mode password letmein
set aggressive-mode client-endpoint ipv4-address 152.26.228.202
!
crypto isakmp peer address 199.168.148.130
set aggressive-mode password testpassword
set aggressive-mode client-endpoint user-fqdn MHVPN-000010@lds.org
!
crypto isakmp peer address 216.52.207.120
set aggressive-mode password C9dYfsdtd8
set aggressive-mode client-endpoint user-fqdn MHVPN-000010@lds.org
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec fragmentation after-encryption
!
crypto ipsec profile VTI
set security-association lifetime seconds 14400
set security-association idle-time 14400
set transform-set myset
set pfs group2
!
crypto ipsec profile VTI1
set security-association idle-time 1800
set transform-set myset
!
!
!
!
!
!
!
interface Loopback1000
ip address 4.4.4.1 255.255.255.255
!
interface Tunnel1
no ip address
!
interface Tunnel200
ip unnumbered FastEthernet4
ip mtu 1500
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list NAT interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 Tunnel400 track 12
ip route 0.0.0.0 0.0.0.0 10.10.120.1
ip route 10.10.100.153 255.255.255.255 Tunnel400
ip route 10.10.100.210 255.255.255.255 Tunnel400
ip route 10.10.104.70 255.255.255.255 Tunnel400 permanent
ip route 10.10.104.80 255.255.255.255 Tunnel500 permanent
ip route 65.55.206.203 255.255.255.255 Tunnel400
ip route 98.139.183.24 255.255.255.255 Tunnel500 permanent
ip route 173.194.79.74 255.255.255.255 Tunnel400 permanent
!
ip access-list extended NAT
permit ip 10.65.199.0 0.0.0.255 any
deny ip any any
!
ip sla 2
icmp-echo 173.194.79.94
frequency 500
timeout 3000
threshold 2000
ip sla 400
icmp-echo 10.10.104.70
ip sla schedule 400 life forever start-time now
ip sla 500
icmp-echo 10.10.104.80
ip sla schedule 500 life forever start-time now
logging esm config
logging trap debugging
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit 30.30.30.0 0.0.0.7
access-list 23 permit 10.65.199.0 0.0.0.255
access-list 80 permit any
access-list 100 permit ip any any
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
access-list 101 permit icmp any any
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq ftp-data
access-list 120 permit ip any any
access-list 180 permit ip 10.0.0.0 0.255.255.255 any
no cdp run
!
!
!
!
route-map zscaler-tunnel permit 10
match ip address 101
set interface Tunnel400 Tunnel500
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
Replace <myuser> and <mypassword> with the username and password you
want to use.
-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE
PUBLICLY-KNOWN CREDENTIALS
Replace <myuser> and <mypassword> with the username and password you want
to use.
For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
password askjans
login local
length 0
transport input telnet ssh
!
end
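The running-config above carries several settings a reviewer would flag on sight: a 3DES/MD5 transform set, DH group 2 in the ISAKMP policy and for PFS, IKEv1 aggressive mode with pre-shared keys, and telnet permitted on the vty lines. The following audit script is an added example, not part of the Zscaler manual or of any Cisco tool. It parses a constructed excerpt modelled on the dump (documentation addresses, placeholder secrets) and assumes the one-space sub-command indentation that IOS prints, which the dump reproduced on this page lost.

```python
"""Audit an IOS running-config for the IKEv1/IPsec and management settings
that appear in the router dump above (added example, not part of the manual)."""

# Constructed excerpt modelled on the dump; addresses are documentation ranges
# and every secret is a placeholder. IOS prints sub-commands with one leading
# space, which parse_sections() relies on (the dump on the page lost it).
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
 lifetime 14400
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 14
!
crypto isakmp peer address 192.0.2.10
 set aggressive-mode password PLACEHOLDER-PSK
 set aggressive-mode client-endpoint user-fqdn site@example.com
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec transform-set strong esp-aes 256 esp-sha256-hmac
!
crypto ipsec profile VTI
 set transform-set myset
 set pfs group2
!
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
route-map zscaler-tunnel permit 10
 match ip address 101
 set interface Tunnel400 Tunnel500
route-map broken permit 10
 match ip address 199
!
line vty 0 4
 password PLACEHOLDER-LINE-PW
 login local
 transport input telnet ssh
!
end
"""

WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}
WEAK_DH = {"1", "2", "5", "group1", "group2", "group5"}  # MODP groups below 2048-bit


def parse_sections(config):
    """Return [(top-level command, [sub-commands])]; '!' and blank lines are skipped."""
    sections = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw.startswith(" ") and sections:
            sections[-1][1].append(line)
        else:
            sections.append((line, []))
    return sections


def audit(config):
    """Return human-readable findings for weak or inconsistent settings."""
    sections = parse_sections(config)
    acls = {h.split()[1] for h, _ in sections if h.startswith("access-list ")}
    acls |= {h.split()[-1] for h, _ in sections if h.startswith("ip access-list ")}
    findings = []
    for header, body in sections:
        w = header.split()
        if header.startswith("crypto ipsec transform-set"):
            weak = sorted(WEAK_ESP.intersection(w[4:]))
            if weak:
                findings.append(f"transform-set {w[3]}: deprecated algorithms {weak}")
        elif header.startswith("crypto isakmp policy"):
            for cmd in body:
                if cmd.startswith("group ") and cmd.split()[1] in WEAK_DH:
                    findings.append(f"isakmp policy {w[3]}: DH {cmd} is below 2048-bit MODP")
        elif header.startswith("crypto isakmp peer address"):
            if any(c.startswith("set aggressive-mode password") for c in body):
                findings.append(f"peer {w[4]}: IKEv1 aggressive mode with a pre-shared key "
                                "(identities and PSK-derived hash are sent unencrypted; "
                                "prefer main mode or IKEv2)")
        elif header.startswith("crypto ipsec profile"):
            for cmd in body:
                if cmd.startswith("set pfs ") and cmd.split()[2] in WEAK_DH:
                    findings.append(f"ipsec profile {w[3]}: PFS {cmd.split()[2]} is below 2048-bit MODP")
        elif header.startswith("route-map "):
            for cmd in body:
                if cmd.startswith("match ip address ") and cmd.split()[3] not in acls:
                    findings.append(f"route-map {w[1]}: references undefined ACL {cmd.split()[3]}")
        elif header.startswith("line vty"):
            for cmd in body:
                if cmd.startswith("transport input") and "telnet" in cmd.split():
                    findings.append(f"{header}: telnet allowed; restrict to 'transport input ssh'")
                if cmd.startswith("password ") and not cmd.startswith("password 7 "):
                    findings.append(f"{header}: line password stored in cleartext")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

Run against the sample it reports seven findings; policy 10 (group 14) and the AES/SHA-256 transform set pass. Feed it the real `show run` output, saved with its indentation intact, to get the same report for the router in this lab.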
To dump the Phase-1 SA use the command show crypto isakmp sa, and to dump the Phase-2 SAs use the command show crypto ipsec sa, as shown below:
VPN-test#show crypto ipsec sa
interface: Tunnel500
Crypto map tag: Tunnel500-head-0, local addr 10.10.120.39
inbound ah sas:
outbound ah sas:
interface: Tunnel400
Crypto map tag: Tunnel400-head-0, local addr 10.10.120.39
inbound ah sas:
outbound ah sas:
To see the track status use the command show track as shown below:
VPN-test#show track
Track 400
IP SLA 400 reachability
Reachability is Down
3 changes, last change 00:16:23
Latest operation return code: Timeout
Track 500
To see the tunnel status use the command show crypto session as shown below:
VPN-test#show crypto session
Crypto session current status
Interface: Tunnel400
Session status: UP-ACTIVE
Peer: 10.10.104.237 port 500
IKEv1 SA: local 10.10.120.41/500 remote 10.10.104.237/500 Active
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
Interface: Tunnel500
Session status: UP-NO-IKE
Peer: 10.10.104.71 port 500
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
Now simulate a failure condition for Tunnel400 and verify that, after some time, Tunnel500 comes up and takes over the traffic:
VPN-test#show crypto session
Crypto session current status
Interface: Tunnel500
Session status: UP-ACTIVE
Peer: 10.10.104.71 port 500
IKEv1 SA: local 10.10.120.41/500 remote 10.10.104.71/500 Active
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
Interface: Tunnel400
Session status: DOWN-NEGOTIATING
Peer: 10.10.104.237 port 500
IKEv1 SA: local 10.10.120.41/500 remote 10.10.104.237/500 Inactive
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 0, origin: crypto map
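Checking the failover by eye works for two tunnels, but a monitoring job wants the same answer from the command output. The script below is an added example, not part of the manual: it parses show crypto session and show track output, reports which tunnel is forwarding (mirroring the order in set interface Tunnel400 Tunnel500, on the assumption that the first listed tunnel with an UP status carries the traffic), and lists the status transitions between two snapshots. The two session samples are constructed from the outputs above; the Track 500 details in the track sample are constructed, since the page's output is cut off there.

```python
"""Parse 'show crypto session' / 'show track' output and report VTI failover
(added example, not part of the manual)."""
import re

# Constructed from the two 'show crypto session' outputs above: before and
# after the simulated Tunnel400 failure.
BEFORE = """\
Crypto session current status
Interface: Tunnel400
Session status: UP-ACTIVE
Peer: 10.10.104.237 port 500
  IKEv1 SA: local 10.10.120.41/500 remote 10.10.104.237/500 Active
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map
Interface: Tunnel500
Session status: UP-NO-IKE
Peer: 10.10.104.71 port 500
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map
"""
AFTER = """\
Crypto session current status
Interface: Tunnel500
Session status: UP-ACTIVE
Peer: 10.10.104.71 port 500
  IKEv1 SA: local 10.10.120.41/500 remote 10.10.104.71/500 Active
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map
Interface: Tunnel400
Session status: DOWN-NEGOTIATING
Peer: 10.10.104.237 port 500
  IKEv1 SA: local 10.10.120.41/500 remote 10.10.104.237/500 Inactive
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 0, origin: crypto map
"""
# Constructed 'show track' sample; Track 400 follows the page, Track 500 is made up.
TRACK = """\
Track 400
  IP SLA 400 reachability
  Reachability is Down
    3 changes, last change 00:16:23
  Latest operation return code: Timeout
Track 500
  IP SLA 500 reachability
  Reachability is Up
    1 change, last change 00:20:11
  Latest operation return code: OK
"""


def parse_sessions(output):
    """Map interface -> {status, peer, ike, active_sas} from 'show crypto session'."""
    sessions, current = {}, None
    for line in output.splitlines():
        line = line.strip()
        m = re.match(r"Interface: (\S+)", line)
        if m:
            current = sessions.setdefault(
                m.group(1), {"status": None, "peer": None, "ike": None, "active_sas": 0})
            continue
        if current is None:
            continue
        if line.startswith("Session status:"):
            current["status"] = line.split(":", 1)[1].strip()
        elif line.startswith("Peer:"):
            current["peer"] = line.split()[1]
        elif line.startswith("IKEv1 SA:"):
            current["ike"] = line.split()[-1]          # Active / Inactive
        elif line.startswith("Active SAs:"):
            current["active_sas"] += int(re.search(r"Active SAs: (\d+)", line).group(1))
    return sessions


def forwarding_tunnel(sessions, order=("Tunnel400", "Tunnel500")):
    """First tunnel in route-map order that is UP with IPsec SAs (assumed PBR behaviour)."""
    for name in order:
        s = sessions.get(name)
        if s and s["status"].startswith("UP") and s["active_sas"] > 0:
            return name
    return None


def status_changes(before, after):
    """(interface, old status, new status) for every tunnel whose status changed."""
    names = sorted(set(before) | set(after))
    return [(n, before.get(n, {}).get("status"), after.get(n, {}).get("status"))
            for n in names if before.get(n, {}).get("status") != after.get(n, {}).get("status")]


def parse_track(output):
    """Map track number -> reachability state ('Up'/'Down') from 'show track'."""
    states, current = {}, None
    for line in output.splitlines():
        line = line.strip()
        m = re.match(r"Track (\d+)", line)
        if m:
            current = int(m.group(1))
        elif current is not None and line.startswith("Reachability is "):
            states[current] = line.split()[-1]
    return states


if __name__ == "__main__":
    b, a = parse_sessions(BEFORE), parse_sessions(AFTER)
    print("forwarding before:", forwarding_tunnel(b), "after:", forwarding_tunnel(a))
    print("changes:", status_changes(b, a))
    print("tracks:", parse_track(TRACK))
```

On the two snapshots the forwarding tunnel moves from Tunnel400 to Tunnel500 and two transitions are reported, which is exactly the event a monitoring job should alert on; the track states give the same picture from the IP SLA side.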
To clear the Phase-1 SA use the command clear crypto isakmp as shown below:
VPN-test#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
10.10.104.81 10.10.120.39 QM_IDLE 2017 ACTIVE
10.10.104.71 10.10.120.39 QM_IDLE 2016 ACTIVE