IPsec tunnel to ZIA ZEN: how to check if it's still up?

Hello ZIA gurus,

in my lab I am currently testing IPsec tunneling using an OPNsense appliance to transport all the traffic on the local LAN to the closest ZIA node.

Things work more or less fine, yet I do have a question that I’d like to share with the community here before opening a TAC case.

My question is, how would I be able to tell if the tunnel is still up, if there is no active traffic exchanged on the Security Association?

OPNsense allows me to turn on a gateway monitoring feature, using a plain ICMP ping.

Problem is, if I ping the VPN endpoint IP address, the ICMP ping works both inside AND outside the tunnel, so I would need a different IP address that responds to a ping only from within an active IPsec tunnel, and use that as an indication that the tunnel is up or down.

Is there any IP address within the pool of each Zscaler DC which is only reachable from within an active IPsec or GRE tunnel?

Hope my explanation makes sense, I look forward to any feedback you might have on the issue.

Many thanks,

Luca

Hi @lucaberta . Have you tried the Global ZEN IPs published at the bottom of our IPs pages? Config | Zscaler

These should only be reachable within an IPSec/GRE tunnel

1 Like

@racingmonk thanks Nick, that works as requested!

Pinging those IP addresses inside of the tunnel works, outside of the tunnel doesn’t. Just perfect!

Too bad those IP addresses are somehow not liked by OPNsense, I need to better understand what kind of issues monitoring an IP address which is on a completely different subnet creates.

Happy to have found a great solution via this community!

Bye, Luca