Hello ZIA gurus,
In my lab I am currently testing IPsec tunneling using an OPNsense appliance to transport all the traffic on the local LAN to the closest ZIA node.
Things work more or less fine, yet I do have a question that I'd like to share with the community here before opening a TAC case.
My question is, how would I be able to tell if the tunnel is still up, if there is no active traffic exchanged on the Security Association?
OPNsense allows me to turn on a gateway monitoring feature, using a plain ICMP ping.
The problem is, if I ping the VPN endpoint IP address, the ICMP ping works both inside AND outside the tunnel, so I would need a different IP address that responds to a ping only from within an active IPsec tunnel, and use that as an indication that the tunnel is up or down.
Is there any IP address within the pool of each Zscaler DC which is only reachable from within an active IPsec or GRE tunnel?
I hope my explanation makes sense; I look forward to any feedback you might have on the issue.
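The concern raised above is that a bare ICMP reply proves nothing about the tunnel, because the endpoint answers whether or not the probe was encapsulated. One way to close that gap without needing a tunnel-only address is to send the probe and check that the ESP SA byte counters moved in both directions. The following is an added example, not code from the original post or from OPNsense or Zscaler; it assumes a hypothetical one-line-per-SA counter format (`spi=... dir=in|out bytes=...`) that is constructed here for the demonstration, so `parse_counters()` would have to be adapted to the real dump format of the tool in use (for example `setkey -D` on FreeBSD or `swanctl --list-sas` on strongSwan).

```python
"""Classify IPsec tunnel health from a probe result plus SA byte counters.

The idea: snapshot the ESP SA counters, send the ICMP probe, snapshot again.
A reply that arrives while the counters stay flat went around the tunnel,
so the monitor must not report the tunnel as up in that case.
"""
import re
from typing import Dict

# Hypothetical counter-dump format used for this example only.
# Real tools print their own layout; only this regex needs to change.
LINE_RE = re.compile(
    r"spi=(?P<spi>0x[0-9a-f]+)\s+dir=(?P<dir>in|out)\s+bytes=(?P<bytes>\d+)"
)


def parse_counters(dump: str) -> Dict[str, int]:
    """Sum bytes over all ESP SAs in the dump, per direction."""
    totals = {"in": 0, "out": 0}
    for m in LINE_RE.finditer(dump):
        totals[m.group("dir")] += int(m.group("bytes"))
    return totals


def has_sa(dump: str) -> bool:
    """True when at least one ESP SA is present in the dump."""
    return LINE_RE.search(dump) is not None


def classify(before: str, after: str, probe_answered: bool) -> str:
    """Return a tunnel state from two counter snapshots and the probe result.

    States:
      up         probe left and its reply returned through the SA
      bypassed   reply arrived but nothing was encapsulated: the ping is
                 not evidence of tunnel health
      asymmetric probe was encapsulated, reply came back outside the SA
      down       probe was encapsulated, nothing came back
      unrouted   probe neither encapsulated nor answered
      no-sa      no security association exists at all
    """
    if not has_sa(after):
        return "no-sa"
    b, a = parse_counters(before), parse_counters(after)
    sent_via_tunnel = a["out"] > b["out"]
    reply_via_tunnel = a["in"] > b["in"]
    if probe_answered:
        if sent_via_tunnel and reply_via_tunnel:
            return "up"
        if not sent_via_tunnel:
            return "bypassed"
        return "asymmetric"
    if sent_via_tunnel:
        return "down"
    return "unrouted"


# Constructed sample snapshots (not real output from any appliance).
SNAPSHOT_IDLE = (
    "spi=0x0c0ffee1 dir=out bytes=1000\n"
    "spi=0x0c0ffee2 dir=in bytes=2000\n"
)
SNAPSHOT_AFTER_GOOD_PROBE = (
    "spi=0x0c0ffee1 dir=out bytes=1084\n"
    "spi=0x0c0ffee2 dir=in bytes=2084\n"
)
SNAPSHOT_AFTER_SILENT_PEER = (
    "spi=0x0c0ffee1 dir=out bytes=1084\n"
    "spi=0x0c0ffee2 dir=in bytes=2000\n"
)

if __name__ == "__main__":
    print("healthy  :", classify(SNAPSHOT_IDLE, SNAPSHOT_AFTER_GOOD_PROBE, True))
    print("bypassed :", classify(SNAPSHOT_IDLE, SNAPSHOT_IDLE, True))
    print("down     :", classify(SNAPSHOT_IDLE, SNAPSHOT_AFTER_SILENT_PEER, False))
    print("no SA    :", classify(SNAPSHOT_IDLE, "", False))
```

Two caveats when wiring this to a real monitor: take the snapshots close around a single probe so unrelated LAN traffic does not mask a silent peer, and handle rekeys, which replace the SPIs and restart their counters at zero; comparing per SPI rather than as a total (or treating a changed SPI set as a fresh baseline) avoids a false "down" right after a rekey.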