Does anyone have a sample config, or guidance based on field experience, based on the following scenario:
-Traffic forwarding through tunnel to Zscaler for inspection
-Traffic source has a dynamic IP address (static addressing cannot be used)
-IKEv1 aggressive mode cannot be used due to security standards
-Edge device is a Cisco ISR router
I have seen sample configs for dynamic IPSec tunnels using IKEv1 aggressive mode, which we cannot use; and sample configs for a Cisco ASA, which we don’t have.
I believe this might be possible using the following:
-IKEv2 (no aggressive mode)
but would appreciate any samples or guidance on the above.
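As an added example (not part of the original post, and not a vendor-published Cisco or Zscaler configuration), here is one way to build the IKEv2-only tunnel described above on an ISR running IOS/IOS-XE. The router uses an FQDN as its local IKE identity so the peer does not need to know its changing address, it initiates the tunnel (the side with a dynamic address has to be the initiator), and traffic is steered into a route-based VTI rather than a crypto map. The peer address 203.0.113.10, the local FQDN branch01.example.com, the WAN interface GigabitEthernet0/0/0, the pre-shared key, the MSS value and the cipher suite are all assumptions; match the identity and PSK to the VPN credential created on the Zscaler side and check the currently supported IKEv2 proposals before use.

```cisco
! Added example, not from the original post. All values below are assumptions.
! IKEv2 only: no IKEv1 policy or aggressive mode is configured anywhere.

! Phase 1 (IKE SA) crypto settings. Assumed to be in the peer's supported set.
crypto ikev2 proposal ZS-PROPOSAL
 encryption aes-cbc-256
 integrity sha256
 group 14

crypto ikev2 policy ZS-POLICY
 proposal ZS-PROPOSAL

! PSK for the (static) Zscaler peer. Assumed peer address 203.0.113.10.
crypto ikev2 keyring ZS-KEYRING
 peer ZSCALER
  address 203.0.113.10
  pre-shared-key REPLACE-WITH-PSK

! The local identity is an FQDN, so the router's own address can change freely.
! The FQDN must be the one registered with the PSK on the Zscaler side (assumption).
crypto ikev2 profile ZS-PROFILE
 match identity remote address 203.0.113.10 255.255.255.255
 identity local fqdn branch01.example.com
 authentication remote pre-share
 authentication local pre-share
 keyring local ZS-KEYRING
 dpd 10 3 on-demand
 lifetime 86400

! Phase 2 (IPsec SA) settings.
crypto ipsec transform-set ZS-TS esp-aes 256 esp-sha256-hmac
 mode tunnel

crypto ipsec profile ZS-IPSEC
 set transform-set ZS-TS
 set ikev2-profile ZS-PROFILE

! WAN interface with a DHCP-assigned (dynamic) address. Interface name is assumed.
interface GigabitEthernet0/0/0
 description WAN (dynamic address via DHCP)
 ip address dhcp

! Route-based VTI. tunnel source follows the WAN interface, so whatever address
! DHCP hands out is used as the IKE/ESP source; the router always initiates.
interface Tunnel0
 description VTI to Zscaler
 ip unnumbered GigabitEthernet0/0/0
 ip tcp adjust-mss 1350
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ZS-IPSEC

! Steer inside traffic into the tunnel. The host route for the peer via the
! DHCP-learned gateway keeps the peer itself from being routed into its own tunnel.
ip route 203.0.113.10 255.255.255.255 dhcp
ip route 0.0.0.0 0.0.0.0 Tunnel0
```

To check the result, `show crypto ikev2 sa` should list the IKE SA with the local identity shown as the FQDN, and `show crypto ipsec sa` should show encaps/decaps counters increasing on Tunnel0; `debug crypto ikev2` on the router is the useful place to look when the peer rejects the identity or PSK, since the router is the initiator and sees the NOTIFY payloads first.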
In most cases main mode and FQDN can't work on most vendors, and I think this also includes Zscaler:
Also, it is better to configure the VPN responder option on either the firewall or Zscaler, depending on which one provides better visibility for error messages, and that could be the Cisco ASA, as I think in Zscaler there is no option to select it as passive/responder; so playing with this option from the Cisco ASA makes it possible to switch which side is the responder. This is what I can tell you.