Supported config params by Zscaler as below :
IPSec – IKE Phase1
Aggressive mode
Diffie-Hellman Group 2
Encryption algorithm: AES-128,3DES,DES
HMAC: SHA1-128
SA Lifetime: 24 hours
Lifebytes: Unlimited
Authentication: Pre-shared keys, digital signature using RSA, external authentication and pre-shared keys, or external authentication and RSA
Enable dead-peer-detection keepalives ( timeout is 20 secs and max retry 5)
NAT-T : NAT-T is supported if the device initiating the IPsec VPN is behind another firewall or router performing NAT.
NAT Keep alive interval: 20 secs
IPSec – IKE Phase2
Mode: Quick mode
Encryption: NULL / AES-128
Authentication: MD5
Lifetime: 8 hours
Lifebytes: Unlimited
Perfect Forward Secrecy (PFS) option disabled
Site-to-site VPN config on Cisco ISA500 Series:
The idea of site-to-site VPN tunnel connects two routers/gateway to secure traffic between two sites
that are physically separated.
To establish a site-to-site VPN tunnel, complete the following configuration tasks:
1- Add the subnet IP address objects for your local network and remote
network. Can be created during IPSEC policies creation also.
2- Enable the site-to-site VPN feature on the security appliance. Click VPN > Site-to-Site > IPsec Policies.
3- Configure IKE policies. Click VPN > Site-to-Site > IKE Policies.
4- Configure transform policies. Click VPN > Site-to-Site > Transform Policies.
5- Configure IPsec VPN policies. Click VPN > Site-to-Site > IPsec Policies.
6- Check an enabled IPsec VPN policy and click the Connect icon to initiate the VPN connection. IPsec VPN policy in which
this router’s Remote Network is set to Any (a “site-to-any” tunnel), a connection cannot be set up automatically. Instead you must manually
establish the VPN connection by clicking the Connect icon.
7- View the status and statistic information for all IPsec VPN sessions. VPN > VPN Status > IPsec VPN Status.
IKE Policies Configurations:
An authentication method to verify the identity of devices that are trying to connect to your network.
1-Add new IKE policy
2-Name: Enter the name for the IKE policy.
3-Encryption: Choose the algorithm used to negotiate the security association.
4-Hash: Specify the authentication algorithm for the VPN header.
NOTE: Ensure that the authentication algorithm is configured identically on both sides.
5-Authentication: Specify the authentication method that the security appliance uses to establish the identity of each IPsec peer. Pre-shared Key: Uses a simple, password-based key to authenticate.
6-D-H Group: Choose the Diffie-Hellman group identifier, which the two IPsec peers use to derive a shared secret without transmitting it to each other. Choose Group 2
7-Lifetime: Enter the number of seconds for the IKE Security Association (SA) to remain valid.
8-Click OK to save your settings.
Configuring Transform Sets
Transform set specifies the algorithms of integrity and encryption that the peer will use to protect data communications. Two peers must use the same algorithm to communicate.
1-Add a new transform set, click Add.
2-Name: Enter the name for the transform set.
3-Integrity: Choose the HASH algorithm used to ensure the data integrity. It ensures that a packet comes from where it says it comes from, and that it has not been modified in transit.
4-Encryption: Choose the symmetric encryption algorithm that protects data transmission between two IPsec peers.
5-Click OK to save your settings.
Configuring IPsec VPN Policies
The IPsec VPN policy is used to establish the VPN connection between two peers.
1-Add a new IPsec VPN policy, click Add.
2-Basic Settings tab, enter the following information:
i-Description: Enter the name for the IPsec VPN policy.
ii-IPsec Policy Enable: Click On to enable the IPsec VPN policy, or click Off to create only the IPsec VPN policy.
iii-Remote Type: Specify the remote peer/(Zscaler VPN gateway). Choose static or FQDN.
iv-Authentication Method:Choose Pre-shared Key. The pre-shared key must be entered exactly the same here and on the remote peer.
v-WAN Interface: Choose the WAN port that traffic passes through over the IPsec VPN tunnel.
vi-Local Network: Choose the IP address for the local network.
vii-Remote Network: Choose the IP address of the remote network. Choose "Any".
Note: If the address object that you want is not in the list, choose Create a new address to add a new address object or choose Create a new address
group to add a new address group object. To maintain the address and address group objects, go to the Networking > Address Management page.
3-Advanced Settings tab, enter the following information:
i-PFS Enable: Click On to enable Perfect Forward Secrecy (PFS) to improve security, or click Off to disable it. Choose "OFF".
ii-DPD Enable: Click "ON" to enable Dead Peer Detection (DPD). DPD is a method of detecting a dead Internet Key Exchange (IKE) peer.
iii-DPD Action: Choose "Hold". Traffic from your local network to the remote network can trigger the security appliance to re-initiate the VPN connection over the detection timeout. Recommend use Hold when the remote peer uses a static IP address.
iv-IKE Policy: Choose the IKE policy used for the IPsec VPN policy.
v-Transform: Choose the transform set used for the IPsec VPN policy.
vi-SA-Lifetime: Enter the lifetime of the IPsec Security Association (SA). The IPsec SA lifetime represents the interval after which the IPsec SA becomes invalid. The IPsec SA is renegotiated after this interval.
NOTE: The VPN firewall rules that are automatically generated by the zone access control settings will be added to the list of firewall rules with the
priority higher than default firewall rules, but lower than custom firewall rules.
Viewing IPsec VPN Status
Use the IPsec VPN Status page to view the status of all IPsec VPN sessions. This page is automatically updated every 10 seconds. Click Refresh to manually refresh the data.
Active Sessions
To manually terminate an active IPsec VPN session, click the Disconnect icon in the Connect column. To manually terminate multiple active IPsec VPN sessions, check them and click the Disconnect button. If an IPsec VPN session is terminated, you can manually establish the VPN
connection by clicking the Connect icon in the Connect column.
First time need to click the icon to initiate tunnel connection.