.. _ztna-ipsec:

.. role:: raw-html(raw)
   :format: html

ZTNA-IPsec
==========

| ZTNA-IPsec is a feature that configures a Site-to-Site (IPsec) tunnel between an On-premises or Cloud branch and a ZTNA-Gateway.
| It allows branch traffic to securely communicate with the Internet via the gateway or to interconnect with headquarters/cloud resources.

How to Configure ZTNA-IPsec
---------------------------

To use ZTNA-IPsec, :ref:`Cloud Provider ` settings and :ref:`Hub Type Site Settings ` are required in advance.

1. Go to System -> Site -> Click the created **Hub Type Site**, and change ZTNA-IPsec Application Mode to **Enabled**.

2. Configure the **Pre-Shared Key** value and the **Advance** settings.

   .. warning:: To configure IPsec tunneling with third-party dedicated VPN equipment, the **Pre-Shared Key** value and the **Advance** options must be identical on both sides.

   .. csv-table::
      :header: "Item", "Item Description", "Remarks"
      :widths: 15, 35, 60

      "Pre-Shared Key", "Secret key shared in advance for the connection between Hub and Branch", ""
      "IKE Version", "IKE version to use for the IPsec connection", "Supports IKEv1, IKEv2"
      "IKE encryption", "Algorithm used to encrypt authentication information", "Supports AES-128, AES-256, blowfish-128, blowfish-192, blowfish-256, Twofish-128, Twofish-192, Twofish-256"
      "IKE integrity", "Hash algorithm used for integrity assurance", "Supports SHA1, SHA2-256, SHA2-384, SHA2-512"
      "Pseudo random function", "Hash algorithm used as the pseudo-random function for key derivation", "Supports None, SHA1, SHA2-256, SHA2-384, SHA2-512"
      "IKE DH group", "Diffie-Hellman group for the key exchange that generates the keys encrypting authentication information", "Supports Off, DH group (5, 14, 15, 16, 17, 18)"
      "IKE Lifetime", "Interval at which new IKE keys are generated", ""
      "ESP encryption", "Algorithm used to encrypt data packets", "Supports AES-128, AES-256, blowfish-128, blowfish-192, blowfish-256, Twofish-128, Twofish-192, Twofish-256"
      "ESP integrity", "Hash algorithm used for integrity assurance", "Supports SHA1, SHA2-256, SHA2-384, SHA2-512"
      "ESP DH group", "Diffie-Hellman group used to generate the keys encrypting data packets", "Supports Off, DH group (5, 14, 15, 16, 17, 18)"
      "Lifetime", "Tunnel maintenance time", ""

3. Go to System -> Site -> Select Tasks -> Click Create, and create a **Branch Type Site**.

   - **Site Name** : Enter the name to be used as the site name.
   - **Type** : Select the Hub site to proceed with the IPsec connection.
   - **Infrastructure** : Select the configuration environment of the equipment to connect (Cloud, On-prem). If Cloud is selected, set Cloud Provider, Region, and VPC ID together.
   - **Network Address** : Enter the network range to use. If Cloud, enter the configured VPC range.

4. Change **ZTNA-IPsec Application Mode** to **Enabled**, and proceed with the detailed settings.

   - **Public IP** : Enter the public IP of the VPN equipment.
   - **Pre-Shared Key** : Enter the Pre-Shared Key configured in the Hub site.
   - **Networks** : Enter the subnet of the VPN equipment.
   - **Assigned Sensor** : Select the sensor to run the VPN of the Branch site. Do not select this if using VPN equipment.

5. After configuration is complete, go to System -> Site -> **Created Hub or Branch Site** -> Click the **Top Tab ZTNA IPsec Status** -> Check that the IPsec tunnel is connected normally.
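The warning in step 2 requires the Pre-Shared Key and every Advance option to be identical on the Hub and on third-party VPN equipment, and a single typo produces a tunnel that never comes up. The script below is an added example, not part of this documentation or the product, that compares two hand-entered proposals field by field and flags supported-but-weak choices from the table above; the field names, the ``psk`` key and the sample values are constructed for illustration.

```python
import hmac

# Fields of the Hub's "Advance" settings (names are constructed for this example).
ADVANCE_FIELDS = (
    "ike_version", "ike_encryption", "ike_integrity", "prf", "ike_dh_group",
    "ike_lifetime", "esp_encryption", "esp_integrity", "esp_dh_group", "lifetime",
)

# Values from the table that a defender should avoid even though they are supported.
WEAK = {
    "ike_version": {"ikev1"},
    "ike_encryption": {"blowfish-128", "blowfish-192", "blowfish-256"},
    "esp_encryption": {"blowfish-128", "blowfish-192", "blowfish-256"},
    "ike_integrity": {"sha1"}, "esp_integrity": {"sha1"},
    "prf": {"none", "sha1"},
    "ike_dh_group": {"off", "5"}, "esp_dh_group": {"off", "5"},
}

def normalize(value):
    """Case/whitespace-insensitive comparison so 'AES-256' matches 'aes-256 '."""
    return str(value).strip().lower()

def compare_proposals(hub, branch):
    """Return (mismatches, warnings).

    mismatches: (field, hub_value, branch_value) for every Advance field that
    differs, plus ("psk", None, None) if the Pre-Shared Keys differ (the key
    itself is compared in constant time and never reported).
    warnings:   (side, field, value) for every weak but supported choice.
    """
    mismatches, warnings = [], []
    for field in ADVANCE_FIELDS:
        h, b = normalize(hub.get(field, "")), normalize(branch.get(field, ""))
        if h != b:
            mismatches.append((field, h, b))
        for side, value in (("hub", h), ("branch", b)):
            if value in WEAK.get(field, ()):
                warnings.append((side, field, value))
    if not hmac.compare_digest(hub.get("psk", "").encode(), branch.get("psk", "").encode()):
        mismatches.append(("psk", None, None))
    return mismatches, warnings

# Constructed sample: Hub settings and a third-party device proposal with two typos.
HUB = {"psk": "example-psk-CHANGE-ME", "ike_version": "IKEv2", "ike_encryption": "AES-256",
       "ike_integrity": "SHA2-256", "prf": "SHA2-256", "ike_dh_group": "14",
       "ike_lifetime": "28800", "esp_encryption": "AES-256", "esp_integrity": "SHA2-256",
       "esp_dh_group": "14", "lifetime": "3600"}
BRANCH = dict(HUB, esp_integrity="SHA1", lifetime="7200")

if __name__ == "__main__":
    mismatches, warnings = compare_proposals(HUB, BRANCH)
    for field, h, b in mismatches:
        print(f"MISMATCH {field}: hub={h!r} branch={b!r}")
    for side, field, value in warnings:
        print(f"WEAK     {side}.{field} = {value}")
```

Run it after typing the proposal into the third-party device's CLI; an empty result means the two sides agree and nothing in the table's weaker end was selected.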