Summary:
Get Cloudi-Fi required information
Networking
IPsec configuration
Firewalling
Testing environment:
Integration tested on 2.5.0-RELEASE using a virtual machine
1) Get Cloudi-Fi required information
Go to your Cloudi-Fi administration interface and get the VPN Id and VPN key that will be used to create the VPN tunnel.
Go to Location Menu
Select a location
Click on Edit Location
2) Networking
A) Create a Vlan Interface
Go to Interfaces > Vlans and add new
Parent interface: LAN interface (or a dedicated interface for the guests)
Vlan: 10 for example
Priority: 0 by default
Description: Vlan Interface for the guests

B) Interface Assignment
Go to Interface > Assignments > Interface assignments
General Configuration
Check enable interface
Description: give it a name (VPN Guest for example)
IPv4 configuration type: Static IPv4
Static IPv4 Configuration
We choose a 192.168.5.1/24 subnet
IPv4 Address: 192.168.5.1
IPv4 Upstream gateway: add a new one

C) Create a DHCP server (Optional if you use an external DHCP server)
We configured the pfSense firewall to act as a DHCP server
Go to Services > DHCP Server > VPN Guest interface
Check "Enable DHCP on VPN Guest Interface"
Deny unknown clients: Allow All clients
Range: From 192.168.5.2 to 192.168.5.253

3) IPsec Configuration
Go to VPN > IPsec > Tunnels
Phase 1
General Information
Key Exchange version: IKEv2
Internet Protocol: IPv4
Interface: WAN
Remote Gateway: Zscaler VPN remote gateway (165.255.76.35 for Paris)
Phase 1 Proposal (Authentication)
Authentication Method: Mutual PSK
My identifier: User distinguished name
VPN Id given by Cloudi-Fi
Peer Identifier: IP Address
Zscaler VPN remote gateway (165.255.76.35 for Paris)
Pre-Shared key: VPN Key given by Cloudi-Fi
Phase 1 Proposal (Encryption Algorithm)
Encryption Algorithm:
Algorithm: AES
Key length: 256 bits
Hash: SHA256
DH Group: 2 (1024 bits)
Expiration and Replacement
Life Time: 43200

Phase 2
General Information
Mode: Tunnel IPv4
Local Network: VPN Guest subnet
Nat/BINAT translation: None
Remote Network: Network
0.0.0.0/0
Phase 2 Proposal (SA/Key Exchange)
Protocol: ESP
Encryption Algorithms: AES (Auto)
Hash Algorithms: MD5
PFS key group: 2 (1024 bits)
Expiration and Replacement
Life Time: 43200
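
A pre-flight check of the values entered in sections 2 and 3, as an added example that is not part of the original guide or of Cloudi-Fi's or pfSense's own tooling. It verifies the guest addressing plan and compares the hash and DH groups of the two proposals with their status in RFC 8247 (IKEv2) and RFC 8221 (ESP). The dict layout and the audit() helper are assumptions of this example; whether stronger values can be used depends on what the remote gateway accepts, which the guide does not state.

```python
import ipaddress

# Values copied from the guide above. The dict layout and key names are
# assumptions of this example, not a pfSense format.
GUIDE = {
    "guest_if": "192.168.5.1/24",
    "dhcp_range": ("192.168.5.2", "192.168.5.253"),
    "p2_remote": "0.0.0.0/0",
    "p1": {"hash": "SHA256", "dh": 2},
    "p2": {"hash": "MD5", "dh": 2},   # "dh" here is the PFS key group
}

# Algorithm status from RFC 8247 (IKEv2) and RFC 8221 (ESP).
WEAK_HASH = {"MD5": "HMAC-MD5 is MUST NOT"}
WEAK_DH = {1: "768-bit MODP is MUST NOT",
           2: "1024-bit MODP is SHOULD NOT",
           5: "1536-bit MODP is SHOULD NOT"}


def audit(cfg):
    """Return a list of (section, field, message) findings for one tunnel."""
    findings = []
    iface = ipaddress.ip_interface(cfg["guest_if"])
    lo, hi = (ipaddress.ip_address(a) for a in cfg["dhcp_range"])
    if lo > hi or lo not in iface.network or hi not in iface.network:
        findings.append(("net", "dhcp_range", f"pool is not inside {iface.network}"))
    elif lo <= iface.ip <= hi:
        findings.append(("net", "dhcp_range", f"pool contains the gateway {iface.ip}"))
    try:
        ipaddress.ip_network(cfg["p2_remote"])
    except ValueError as exc:
        findings.append(("p2", "p2_remote", f"not valid CIDR: {exc}"))
    for phase in ("p1", "p2"):
        algo = cfg[phase]
        if algo["hash"].upper() in WEAK_HASH:
            findings.append((phase, "hash", WEAK_HASH[algo["hash"].upper()]))
        if algo["dh"] in WEAK_DH:
            findings.append((phase, "dh", WEAK_DH[algo["dh"]]))
    return findings


if __name__ == "__main__":
    for section, field, message in audit(GUIDE):
        print(f"{section}.{field}: {message}")
```
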

Go to Status > IPsec to check the tunnel status.

4) Firewalling
Go to Firewall > Rules > VPN Guest and add new
Edit Firewall Rule
Action: Pass
Interface: VPN Guest
Address Family: IPv4
Protocol: Any
Source: VPN Guest Net
Destination: Any

Go to Firewall > Rules > IPsec and add new
Edit Firewall Rule
Action: Pass
Interface: IPsec
Address Family: IPv4
Protocol: Any
Source: Any
Destination: Any
