GRE and authentication - IP of


(Holger Schwickart) #1

we migrated some locations on a customer to GRE tunnels.
All traffic will be routed per default route into the tunnel (only IP of GRE tunnel end is routed outside the tunnel).
In this scenario we now get problems with traffic authentication that is handled through redirection to I.e. in Vienna -> resolving per DNS leads to the same IP address as GRE tunnel endpoint address of this ZEN.
(does not work that way ! Tunnel end IP is routed besides the tunnel and not inside!

This problem does not come up in every location. Only a few locations will resolve to the same IP that is is used as gre tunnel end at the same ZEN.

Not a good idea to use such a important IP twice which could lead to such a Problem in this scenario.

Our Default route directs to an tunnel Interface. We do not want to build a more complex routing contruct using global zen ips etc. etc. as it is not really necessary - just to keep things simple (double usage of the IP is no good idea and will lead to a problem in this scenario).

Is it just an accidental slip or is there a hard reason why this has to be that way?


(Scott Bullock) #2

Hi Holger,
In the past GRE and Proxy IP’s have been served from the same IP addresses, we’re moving away from this architecture and separating IP’s as DC’s are refreshed, as you may imagine this is rolling project.

Today the path forward would be to ether move to a totally transparent forwarding model (no-proxy when on-net), or to take advantage of the Global IP’s we implemented for no default-route environments. You may also look to using your internal IP’s as proxy destinations when on net, and these internal IP’s can DNAT to a Zscaler Global IP when the traffic is placed into the tunnel, meaning you do not need to distribute the global IP’s into the network. You may also use the inside addresses of the GRE tunnel in place to the $GATEWAY variable the resolution from

Can you please DM me your business email? You may benefit from session with the Zscaler Customer Success and/or Architecture teams and i’d like to ensure your team is across this.



(Holger Schwickart) #3

additionally to my following DM just short comment on this.
nice to hear that it is moving into right direction, I have been not aware that the effect is moving out. that this will take time is ok.
But in our customer scenario we are fully transparent (not PAC if on-net).
BUT -> Option “auth required” is active. your IE or other browser will then be redirected to “” automatically. We don´t use a $GATEWAY variable in this case.
looking forward to discuss this.