• Introduction

Generic Routing Encapsulation (GRE) or a site-to-site IPsec VPN can be used to achieve interoperability between VOS and Zscaler. The customer requests the Zscaler parameters (tunnel endpoint addresses and related settings) first; these are a prerequisite for the Versa configuration.

 

This document focuses on the GRE implementation, with reference to the topology in Figure 1 below. The IPsec implementation is covered in a separate document.

 

Figure 1: topology diagram

 

Traffic arriving on the LAN-VR is forwarded to the intermediate Zscalar-VR, which in turn sends it over the GRE tunnel towards the respective Zscaler endpoint.
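To make the data path concrete, the following added example (not part of this document or of VOS) builds and parses the outer IPv4 + GRE framing (RFC 2784) that carries a LAN packet from the Zscalar-VR tunnel interface to the Zscaler endpoint. All addresses and payload bytes are constructed for the example; the outer source and destination stand in for the local tvi endpoint and the Zscaler GRE endpoint, and the IPv4 header checksum is left at zero because a real stack computes it. The point worth seeing is that the inner packet travels in cleartext inside GRE, which is why the IPsec option exists for paths where that is not acceptable.

```python
import socket
import struct

GRE_PROTO = 47            # IP protocol number for GRE
ETHERTYPE_IPV4 = 0x0800   # GRE "protocol type" value for an encapsulated IPv4 packet
GRE_FLAG_CSUM = 0x8000    # C bit: checksum field present
GRE_FLAG_KEY = 0x2000     # K bit: key field present (RFC 2890 extension)
GRE_FLAG_SEQ = 0x1000     # S bit: sequence number present


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header. Checksum is left zero (constructed example)."""
    ver_ihl = (4 << 4) | 5
    total_len = 20 + payload_len
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def build_inner_packet(src, dst, payload, proto=17):
    """A LAN-side IPv4 packet (UDP protocol number by default, no L4 header: demo only)."""
    return ipv4_header(src, dst, proto, len(payload)) + payload


def gre_encapsulate(outer_src, outer_dst, inner_packet, key=None):
    """Wrap inner_packet in a GRE header and an outer IPv4 header.

    With key=None this is the basic RFC 2784 header (4 bytes); with a key the
    K bit is set and a 4-byte key field follows the protocol type.
    """
    flags = 0
    gre_hdr = b""
    if key is not None:
        flags |= GRE_FLAG_KEY
        gre_hdr = struct.pack("!I", key)
    gre_hdr = struct.pack("!HH", flags, ETHERTYPE_IPV4) + gre_hdr
    gre_payload = gre_hdr + inner_packet
    return ipv4_header(outer_src, outer_dst, GRE_PROTO, len(gre_payload)) + gre_payload


def gre_decapsulate(packet):
    """Parse outer IPv4 + GRE and return (outer_src, outer_dst, inner_packet).

    Raises ValueError for anything that is not a well-formed GRE-over-IPv4
    packet carrying IPv4, which is how a tunnel termination should treat it.
    """
    if len(packet) < 24:
        raise ValueError("too short for IPv4 + GRE")
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != GRE_PROTO:
        raise ValueError(f"outer protocol {packet[9]} is not GRE")
    outer_src = socket.inet_ntoa(packet[12:16])
    outer_dst = socket.inet_ntoa(packet[16:20])
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    hdr_len = 4
    # Optional fields appear in this order: checksum+reserved, key, sequence.
    if flags & GRE_FLAG_CSUM:
        hdr_len += 4
    if flags & GRE_FLAG_KEY:
        hdr_len += 4
    if flags & GRE_FLAG_SEQ:
        hdr_len += 4
    if ptype != ETHERTYPE_IPV4:
        raise ValueError(f"unexpected GRE protocol type 0x{ptype:04x}")
    inner = packet[ihl + hdr_len:]
    if len(inner) < 20:
        raise ValueError("inner packet too short for IPv4")
    return outer_src, outer_dst, inner


def inner_addresses(inner_packet):
    """Source and destination of the encapsulated LAN packet, readable by anyone on the path."""
    return socket.inet_ntoa(inner_packet[12:16]), socket.inet_ntoa(inner_packet[16:20])


if __name__ == "__main__":
    lan = build_inner_packet("10.1.1.10", "198.51.100.5", b"lan-payload")
    wire = gre_encapsulate("203.0.113.10", "203.0.113.20", lan)
    print(len(wire), "bytes on the WAN;", inner_addresses(gre_decapsulate(wire)[2]))
```

The GRE header itself carries no confidentiality or integrity protection: the optional checksum and key fields are not cryptographic, so they only help the receiving tunnel endpoint demultiplex and sanity-check frames.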

 

  • Configuration

            It is recommended to make all configuration changes at the Template level from the Versa Director UI.

 

  1. Create ZScaler-Transport-VR and GRE interfaces

            i. Create one interface in each Zscalar-VR for the GRE endpoint.

            -> tvi-0/160 and tvi-0/162 are created below.

ii. Create a paired tvi between the LAN-VR and each Zscalar-VR.

   -> The tvi-0/166 -- tvi-0/167 and tvi-0/168 -- tvi-0/169 pairs are created below.


iii. Create the PRI and SEC Zscaler VRs.

      Under Configuration - Networking - Virtual-Routers, create Zscalar-PRI-VR and Zscalar-SEC-VR.

iv. Add the tvis to their respective VRs (the Zscalar-VRs and the LAN-VR):

       Zscalar-PRI-VR: tvi-0/160.0 and tvi-0/167.0

       Zscalar-SEC-VR: tvi-0/162.0 and tvi-0/169.0

       LAN-VR: tvi-0/166.0 and tvi-0/168.0

2. Org Resources and Traffic Identification

Add the newly created interfaces under traffic-identification. Add the newly created routing instances under Limits - Resources - Available_routing_instances - Owned_routing_instances.


3. Zones and Security policies

Create appropriate zones for the tvi interfaces of the LAN-VR and the Zscalar-VRs. Under Configuration - Networking - Zones, put all the newly created tvi interfaces in their respective zones.

 

Add a security policy to allow traffic between the zones created above.

 


 

4. Routing

  1. Add BGP on the LAN-VR towards Zscalar-PRI-VR and Zscalar-SEC-VR

               -> Under Configuration - Networking - Virtual Routers - LAN-VR - BGP - Peer-group, create a peer group for Zscaler and add neighbor configuration for the paired tvi endpoint on the Zscalar-VR.

 

Similarly, add BGP configuration on each Zscalar-VR. Under Zscalar-VR - BGP - Peer-group, add the LAN-VR end of the paired tvi as the neighbor.

5. Policy configuration to select Zscalar tunnels    

 Users can use SD-WAN policies to prefer routing to either Zscaler endpoint, or choose to load-balance across both.

 

6. Tracking Zscalar endpoints

Create an IP-SLA monitor towards each Zscaler endpoint to track the remote end. If the remote endpoint does not respond to ICMP, SAAS-App-Mon can be used instead to track it using a specific IP, port or protocol.
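The following added example (not part of this document or of VOS) models how sections 5 and 6 fit together: a monitor that declares an endpoint down after a run of failed probes and up again only after a run of successful ones, and a selection step that prefers the primary endpoint while it is up, falls back to the secondary, or load-balances across whichever endpoints are up. The probe results are a constructed series, the thresholds and the names PRI and SEC are assumptions for the example, and the tracker is deliberately agnostic to whether the probe was an ICMP echo or a port/protocol check of the kind SAAS-App-Mon performs.

```python
class EndpointTracker:
    """IP-SLA style state machine for one tunnel endpoint.

    down_after consecutive probe failures mark the endpoint DOWN; up_after
    consecutive successes bring it back UP. The asymmetry (hysteresis) stops a
    single lost probe from flapping traffic between tunnels.
    """

    def __init__(self, name, down_after=3, up_after=2):
        self.name = name
        self.down_after = down_after
        self.up_after = up_after
        self.up = True            # assume reachable until probes say otherwise
        self._fail_streak = 0
        self._ok_streak = 0

    def record(self, probe_ok):
        """Feed one probe result (True = reply received) and return the new state."""
        if probe_ok:
            self._ok_streak += 1
            self._fail_streak = 0
            if not self.up and self._ok_streak >= self.up_after:
                self.up = True
        else:
            self._fail_streak += 1
            self._ok_streak = 0
            if self.up and self._fail_streak >= self.down_after:
                self.up = False
        return self.up


def select_tunnels(trackers, mode="prefer-primary"):
    """Return the endpoints traffic should use, given the current tracker states.

    'prefer-primary': first UP endpoint in list order (list order = preference).
    'balance': every UP endpoint, for the policy to spread flows across.
    Returns an empty tuple when nothing is reachable, so the caller can fall
    back to a default route or drop, rather than blackholing silently.
    """
    up = tuple(t.name for t in trackers if t.up)
    if mode == "balance":
        return up
    if mode == "prefer-primary":
        return up[:1]
    raise ValueError(f"unknown mode {mode!r}")


def simulate(probe_series, mode="prefer-primary", down_after=3, up_after=2):
    """Run all trackers over a dict {name: [probe results]} and return the
    per-tick selection, so the failover and recovery points are visible."""
    trackers = [EndpointTracker(n, down_after, up_after) for n in probe_series]
    ticks = len(next(iter(probe_series.values())))
    history = []
    for i in range(ticks):
        for t in trackers:
            t.record(probe_series[t.name][i])
        history.append(select_tunnels(trackers, mode))
    return history


# Constructed probe results: PRI loses four probes in a row, then recovers; SEC stays healthy.
PROBES = {
    "PRI": [True, True, False, False, False, False, True, True, True],
    "SEC": [True] * 9,
}

if __name__ == "__main__":
    for tick, chosen in enumerate(simulate(PROBES), start=1):
        print(f"tick {tick}: {chosen or 'no endpoint up'}")
```

With the defaults, the primary is only abandoned at the third consecutive failure (tick 5) and only reinstated after two consecutive successes (tick 8); in balance mode the secondary keeps receiving flows throughout and the primary simply drops out of and back into the set.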