IPSec/IKEv2 Tunnel from Cisco ISR w/Dynamic source IP

Does anyone have a sample config, or guidance based on field experience, based on the following scenario:

-Traffic forwarding through tunnel to Zscaler for inspection
-Traffic source has a dynamic IP address (static addressing cannot be used)
-IKEv1 aggressive mode cannot be used to due to security standards
-Edge device is a Cisco ISR router

I have seen sample configs for dynamic IPSec tunnels using IKEv1 aggressive mode, which we cannot use; and sample configs for a Cisco ASA, which we don’t have.

I believe this might be possible using the following:
-IKEv2 (no aggressive mode)
-FQDN-based identity

but would appreciate and samples or guidance on the above.

In most cases main mode and FQDN can’t work on most vendors and I think this includes also Zscaler:

Also better configure the VPN responder option to either the firewall or zscaler depending which is providing better visibility for error messages and that could be the Cisco ASA as I think in Zscaler there is no option to select it as passive/responder so playing with this option from the Cisco ASA is possible to switch between who is the responder or not. This is what I can tell you.

Hello Niokolay,

Yes, this is why I specified IKEv2. IKEv2 no longer has separate main/aggressive modes.

Thank you,

1 Like