ZTNA-IPsec

ZTNA-IPsec is a feature that configures a Site-to-Site (IPsec) tunnel between an On-premises or Cloud branch and a ZTNA-Gateway.
It allows branch traffic to securely communicate with the Internet via the gateway or interconnect with headquarters/cloud resources.

How to Configure ZTNA-IPsec

Before ZTNA-IPsec can be used, the Cloud Provider settings and a Hub Type Site must already be configured.

1. Go to System -> Site, click the created Hub Type Site, and change ZTNA-IPsec Application Mode to Enabled.

2. Configure the Pre-Shared Key value and the Advanced settings.

Warning

To configure IPsec tunneling with dedicated third-party VPN equipment, the Pre-Shared Key value and the Advanced options must be identical on both sides.

Item | Item Description | Remarks
--- | --- | ---
Pre-Shared Key | Secret key shared in advance for the connection between Hub and Branch |
IKE Version | IKE version to use for the IPsec connection | Supports IKEv1, IKEv2
IKE encryption | Algorithm to encrypt authentication information | Supports AES-128, AES-256, blowfish-128, blowfish-192, blowfish-256, Twofish-128, Twofish-192, Twofish-256
IKE integrity | Integrity (hash) algorithm that protects IKE messages from tampering | Supports SHA1, SHA2-256, SHA2-384, SHA2-512
Pseudo random function | Algorithm used to derive keying material (provides randomness) | Supports None, SHA1, SHA2-256, SHA2-384, SHA2-512
IKE DH group | Diffie-Hellman key exchange group used to generate the keys that encrypt authentication information | Supports Off, DH group (5, 14, 15, 16, 17, 18)
IKE Lifetime | Cycle for generating new keys |
ESP encryption | Algorithm to encrypt data packets | Supports AES-128, AES-256, blowfish-128, blowfish-192, blowfish-256, Twofish-128, Twofish-192, Twofish-256
ESP integrity | Integrity (hash) algorithm that protects data packets from tampering | Supports SHA1, SHA2-256, SHA2-384, SHA2-512
ESP DH group | Diffie-Hellman group used to generate the keys that encrypt data packets | Supports Off, DH group (5, 14, 15, 16, 17, 18)
Lifetime | Tunnel maintenance time |

3. Go to System -> Site -> Select Tasks -> Click Create, and create a Branch Type Site.

  • Site Name : Enter the name to be used as the site name.

  • Type : Select the Hub site with which the IPsec connection is to be established.

  • Infrastructure : Select the configuration environment of the equipment to connect (Cloud, On-prem). If Cloud is selected, set Cloud Provider, Region, and VPC ID together.

  • Network Address : Enter the network range to use. If Cloud, enter the configured VPC range.

4. Change ZTNA-IPsec Application Mode to Enabled, and proceed with detailed settings.

  • Public IP : Enter the public IP of the VPN equipment.

  • Pre-Shared Key : Enter the Pre-Shared Key configured in the Hub site.

  • Networks : Enter the subnet of the VPN equipment.

  • Assigned Sensor : Select the sensor that will run the VPN for the Branch site. Leave this empty if dedicated VPN equipment is used.

5. After configuration is complete, go to System -> Site -> Created Hub or Branch Site -> Click Top Tab ZTNA IPsec Status -> Check if the IPsec tunnel is connected normally.
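The Warning above requires every Advanced setting and the Pre-Shared Key to be identical on the Hub and on the branch VPN equipment. The following added example (not part of the ZTNA-IPsec documentation) compares both sides before step 5 and also flags option values from the table that are deprecated or weaker than their neighbours; the key names, sample values and weak-option policy are assumptions.

```python
import hmac

# Added example, not part of the ZTNA-IPsec documentation: compare the Hub
# Advanced settings with the values entered on the branch VPN device and flag
# mismatches and weak choices before the tunnel is brought up.
# Key names and sample values below are constructed for this example.

# Every Advanced setting the Warning says must be identical on both peers.
MATCH_KEYS = (
    "ike_version", "ike_encryption", "ike_integrity", "prf", "ike_dh_group",
    "ike_lifetime", "esp_encryption", "esp_integrity", "esp_dh_group", "lifetime",
)

# Options still present in the selection lists that are deprecated or weaker
# than the alternatives offered beside them (assumption: local policy).
WEAK = {
    "ike_version": {"IKEv1"},
    "ike_encryption": {"blowfish-128", "blowfish-192", "blowfish-256"},
    "esp_encryption": {"blowfish-128", "blowfish-192", "blowfish-256"},
    "ike_integrity": {"SHA1"},
    "esp_integrity": {"SHA1"},
    "prf": {"None", "SHA1"},
    "ike_dh_group": {"Off", "DH group 5"},
    "esp_dh_group": {"Off", "DH group 5"},  # Off means no PFS for ESP rekeys
}

def check_peers(hub, branch):
    """Return (mismatches, warnings); warnings are evaluated on the Hub side."""
    mismatches = [k for k in MATCH_KEYS if hub.get(k) != branch.get(k)]
    # The PSK is compared in constant time and is never echoed in the output.
    if not hmac.compare_digest(hub["pre_shared_key"].encode(),
                               branch["pre_shared_key"].encode()):
        mismatches.append("pre_shared_key")
    warnings = [f"{k}={hub[k]}" for k, bad in WEAK.items() if hub.get(k) in bad]
    return mismatches, warnings

# Constructed sample: Hub side as entered in the Hub Type Site Advanced settings.
HUB = {
    "pre_shared_key": "example-psk-CHANGE-ME", "ike_version": "IKEv2",
    "ike_encryption": "AES-256", "ike_integrity": "SHA2-256", "prf": "SHA2-256",
    "ike_dh_group": "DH group 14", "ike_lifetime": "28800",
    "esp_encryption": "AES-256", "esp_integrity": "SHA2-256",
    "esp_dh_group": "Off", "lifetime": "3600",
}
# Constructed sample: branch VPN device with one setting entered differently.
BRANCH = dict(HUB, esp_integrity="SHA1")

if __name__ == "__main__":
    bad, warn = check_peers(HUB, BRANCH)
    print("mismatched settings:", bad)     # ['esp_integrity']
    print("weak choices on hub:", warn)    # ['esp_dh_group=Off']
```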