How to get IPSec VPN's IP and status by ZIA API

Hi,

We are using IPSec Tunnel as traffic forward method to Zscaler cloud.

For the ZIA API, is there an API to get the IPSec VPN tunnel’s status and related VPN IP addresses?

I am sure GRE tunnels’ IPs can be retrieved by API, but I am not sure whether the ZIA API can get the IPSec tunnel’s IP address and status.

Thanks

Hi @Jun_Xu,
Tunnel status is available via tunnel logs (in the Admin UI or NSS): https://help.zscaler.com/zia/tunnel-insights-logs-filters
VPN IP addresses are available via two APIs described here: https://help.zscaler.com/zia/sd-wan-api-integration

Can you please describe what you’re trying to accomplish?

Hello @lpergament,

Thanks for your response. Because we are modeling Zscaler cloud in our product, we hope to get the IPSec VPN’s status and the related public IP addresses of the tunnel (including the local IP and remote IP). For example, for a GRE tunnel, we can easily get the GRE tunnel’s IPs via https://{{url}}/orgProvisioning/ipGreTunnelInfo. But we didn’t find the related REST API for the IPsec VPN tunnel. That is why I raised this question here and asked for help.

For https://help.zscaler.com/zia/tunnel-insights-logs-filters, it can only retrieve the information via UI. But, we hope to get this kind of information via REST API for integration. It could not solve our question.

For https://help.zscaler.com/zia/sd-wan-api-integration, it can get the candidate VPN IP addresses based on location. But that is not the IP used by the existing IPSec VPN. So, it could not solve our question either.

So, is there any other API we can use to retrieve the existing IPSec VPN’s IP info?

I would very much appreciate your answer about it.

Thanks
Jun

Hi @Jun_Xu,

For getting VIP inventory, there are two options:
getVpnEndpoints - returns the healthiest and closest VPN VIPs to a source IP or coordinates
vips - returns the full inventory of VIPs of all types

For tunnel config on a specific tenant:
ipGreTunnelInfo - returns the provisioned static IPs or GRE tunnels
vpnCredentials - returns the provisioned VPN tunnels (it’s just a set of credentials from ZS standpoint, unlike GRE)

For tunnel status:
You can either get the tunnel logs via the Admin UI or you can stream them to your SIEM using NSS

Hi @lpergament,

Thanks for your information. It is very helpful. But how can we retrieve the tunnel’s public IP address information via API once the IPsec tunnel has been established?

getVpnEndpoints would be used for evaluating the VPN gateways and selecting a low-latency VPN gateway before the IPSec VPN is set up.

Tunnel logs would be a workaround solution, but that is not efficient.

I hope Zscaler could have an API to retrieve a live IPSec tunnel’s info. That would help customers identify which datacenter is being used for the existing IPSec tunnel. Does it make sense?

Thanks
Jun