SDWAN / ZSCALER / IPSEC from Service VPN

H21 · ‎03-28-2024

Is it possible to build an IPSec VPN tunnel between a cEdge device and Zscaler with the source of the tunnel being in the service VPN say VPN 5 rather than VPN 0?

Kanan Huseynli · ‎03-28-2024

Hi,

tunnel can be in service VPN, but source destination should be via VPN0.

Note: Service-side tunnels, where the tunnel interface itself resides in the service VPN, but the
source and destination of the tunnel resides in the transport VPN is supported only for IPsec
tunnels for both vEdge and IOS XE SD-WAN routers

https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/SDWAN/zscaler-cisco-sdwan-deployment-guide-2020feb.pdf

https://www.cisco.com/c/en/us/td/docs/solutions/CVD/SDWAN/cisco-sdwan-zscaler-deploy-guide.html

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

H21 · ‎04-03-2024

Hi Kanan,

Thanks for the prompt response.

I followed the second document you referred to, as this more what I'm trying to implement (IOS-XE (WAN Edge B) - Service side tunnel).

I built the IPsec tunnel with the tunnel interface in VPN/VRF10. all configuration loaded OK. However, the tunnel never comes up. I tried this on vmanage 20.6 and 20.12 and got the same results. I'm somewhat perplexed with page 81 of https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/SDWAN/zscaler-cisco-sdwan-deployment-guide-2020feb.pdf it asks to setup 12.1.1.2 and 12.1.2.2 as the next hop addresses.

Prefix(vpn1_ipv4_prefix_to_zscaler) = 0.0.0.0/0
Address(vpn1_next_hop_zscaler_remote_end1) = 12.1.1.2
Address(vpn1_next_hop_zscaler_remote_end2) = 12.1.2.2

Where are these addresses configured on the Zscaler side?

On a somewhat related topic, I have not managed to locate the Change mode section as requested in 3.3.13 in 20.12, vmanage doesn't show that option.

Configuration>Devices in 20.6

Configuration>Devices in 20.12

As you can see from the 2 screenshots the "Change mode" option is not visible in 20.12, is there a reason for this?