Use Custom Options to Configure Secure Edge Connector

Use custom options to configure tunnel provisioning or to support site-to-site VPN.

Juniper Mist™ offers a custom option for tunnel provisioning. With minimal configuration, your WAN Edge device can establish connections to the SSE using either the IPsec or GRE protocol.

Configure Tunnel Provisioning

Before You Begin: Ensure you have the local and remote network account details on hand.

To configure tunnel:

  1. From the left menu, navigate to a WAN Edge template, hub profile, or device.
  2. Scroll to the Secure Edge Connector section, click Add Provider, and enter the settings:
    • Name—Enter the name of the service.
    • Provider—Select Custom.
    • Remote Network—Select an existing Network or create a network.
    • Protocol—Select IPsec or GRE. Then enter the settings for the selected protocol.
    Table 1: Settings

    Local ID (IPsec only): Enter the login ID for the local account.
    Pre-Shared Key (Clear Text) (IPsec only): Enter the preshared key (PSK) for the local account. The PSK must be between 6 and 255 characters long.
    IP or Hostname: Enter the IP address or hostname.
    Source IP: Enter the source IP address of the tunnel.
    Probe IPs: Enter a probe IP address. You can use any well-known IP (for example, 8.8.8.8).
    Remote ID (IPsec only): Enter the login ID of the remote account.
    WAN Interface: Add one or more WAN interfaces to provision primary and secondary tunnels. If you add multiple WAN interfaces, the first interface takes priority. If the first interface is down, the system uses the second interface to establish the tunnel.

    When you click Add Interface, choose from the list of WANs that have been configured for the selected template, hub profile, or device.

    IKEv2 Proposal (IPsec only): Retain the default values or click Add Proposal, and then enter the settings.
    Lifetime: Enter a value between 180 and 86400 seconds.
  3. Click Add at the bottom of the provider panel.
  4. Scroll down to the Routing section, click Add BGP Group, and enter the settings.

    Tips:

    • For the Peering Network, select the same SEC provider that you created in previous steps.

    • For Local AS, enter the AS number or a non-default AS for the WAN Edge.

    • If you selected the GRE protocol, configure the BGP group as follows:

      • Name: Give the BGP group a name, such as BGP-over-GRE

      • Peering Network: Choose SEC Tunnel, and then select the tunnel you configured in step 2 above.

      • Select Advertise to the Overlay.

      • BFD: Choose Disabled.

      • Type: Choose External.

      • Local AS: Type the number of the AS you are using, for example, 65000.

      • Hold Time: Specify a time in seconds, such as 90.

      • Graceful Restart Time: Specify a time in seconds, such as 120.

    • In the Neighbors section, click Add Neighbors. Add the BGP peer IP address of the SSE and its AS value.

    • Optionally, you can add BGP policy for import or export of routes.

    For help with other BGP settings, see BGP.
  5. Save the BGP group.
  6. Scroll to the Traffic Steering section, click Add Traffic Steering, and enter the settings.
    • Name—Enter a name for the traffic-steering profile.
    • Strategy—Select a strategy. You can configure the traffic steering profile with any strategy (Ordered, Weighted, or ECMP), based on your topology and configuration.
    • Path—Click Add Paths and enter the following details.
      • Type—Select Secure Edge Connector.
      • Provider—Select Custom.
      • Name—Select the name of the custom connector you created in the previous steps.
  7. Save the traffic steering policy.
  8. Click Save at the top-right corner of the page to save the entire configuration.
  9. Add an application policy.

    An application policy allows the selected network to reach specific applications by using the route table. In the application policy, you can include the remote network you created in the previous steps. Use that network in an application policy to allow inbound access from the Secure Edge Connector. To create the application policy, in the Juniper Mist cloud portal, go to Organization > WAN > Application Policy. For help, see Application Policies.

Configure a Site-to-Site VPN

Support for Site-to-Site VPN

You can set up a site-to-site VPN using the custom option for tunnel provisioning.

A site-to-site VPN is a secure, software-defined network connection that links two or more remote sites over the internet. This type of VPN is crucial for enterprises looking to connect branch offices, data centers, or other remote locations securely and efficiently.

  1. Go to the Juniper Mist portal and navigate to the Secure Edge Connector section at the WAN Edge Templates level, hub profile, or site level.

  2. Click Add Providers and select the Custom option.

  3. Enter the necessary details for tunnel provisioning, such as local and remote network account details, IP addresses, and preshared keys.

  4. Define the IKEv2 and IPsec proposals, including encryption and authentication algorithms, Diffie-Hellman groups, and lifetimes. You must select IKE and IPsec values that match the device at the other end of the tunnel; otherwise the tunnel cannot be negotiated.

  5. Assign WAN interfaces for primary and secondary tunnels.

  6. Create a Traffic Steering profile. This profile defines how traffic is routed through the VPN tunnel. This profile is then used in an Application Policy to apply these settings to specific types of traffic.

  7. Create inbound or outbound Application Policies. If you want to allow traffic from the remote network to enter your local network, you need to create a Network representing the remote network. Attach this network to the Custom Secure Edge Connector (SEC) Provider and use it as the source in an Application Policy.
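A pre-flight check for the settings entered above: the PSK length and lifetime ranges from Table 1, the requirement in step 4 that at least one offered IKEv2 proposal matches the far end, and the primary/secondary WAN interface selection. This is an added Python example, not Juniper Mist code or its API; the dictionary field names and all sample values are constructed for illustration.

```python
"""Pre-flight checks for a Custom Secure Edge Connector tunnel definition.

Added example: models the portal fields from Table 1 as a plain dict and checks
the constraints stated on the page. Field names and sample values are assumptions.
"""
import ipaddress

# Constructed sample: a Custom SEC provider as it would be entered in the portal.
LOCAL_PROVIDER = {
    "name": "sec-custom-ipsec",
    "protocol": "IPsec",
    "local_id": "branch1@example.com",
    "remote_id": "sse@example.net",
    "psk": "correct-horse-battery-staple",
    "ip_or_hostname": "sse.example.net",
    "probe_ips": ["8.8.8.8"],
    "wan_interfaces": ["wan0", "wan1"],  # first entry is the primary tunnel
    "ikev2_proposals": [
        {"encryption": "aes-256-gcm", "dh_group": 20, "lifetime": 28800},
        {"encryption": "aes-128-cbc", "dh_group": 14, "lifetime": 28800},
    ],
}
# Constructed sample: the proposals the device at the other end of the tunnel accepts.
PEER_PROPOSALS = [{"encryption": "aes-256-gcm", "dh_group": 20, "lifetime": 28800}]


def validate_provider(provider, peer_proposals):
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    if provider["protocol"] == "IPsec":
        if not 6 <= len(provider["psk"]) <= 255:
            problems.append("PSK must be 6-255 characters")
        for field in ("local_id", "remote_id"):
            if not provider.get(field):
                problems.append(f"{field} is required for IPsec")
        for p in provider["ikev2_proposals"]:
            if not 180 <= p["lifetime"] <= 86400:
                problems.append(f"lifetime {p['lifetime']} outside 180-86400 seconds")
        # IKE only completes if the peer accepts at least one offered proposal.
        if not any(p in peer_proposals for p in provider["ikev2_proposals"]):
            problems.append("no IKEv2 proposal matches the remote peer")
    for ip in provider["probe_ips"]:
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"probe IP {ip!r} is not a valid address")
    if not provider["wan_interfaces"]:
        problems.append("at least one WAN interface is required")
    return problems


def tunnel_interface(provider, interface_up):
    """Pick the WAN interface the tunnel uses: the first listed interface that is up."""
    return next((w for w in provider["wan_interfaces"] if interface_up.get(w)), None)
```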

Verification

On the Juniper Mist portal, you can verify the details of the established tunnels in the device's WAN Insights once the WAN Edge Tunnel Auto Provision Succeeded event appears under WAN Edge Events.

Once you update the template, the IPsec configuration is pushed to the WAN Edge device. For a first-time IPsec deployment, the system needs time to download the software and configuration.

Once the IPsec configuration has been deployed, you can see the IPsec status by navigating to WAN Edge > WAN Edge Name > Secure Edge Connector Details.

You can view BGP neighbor status by navigating to Monitor > Insights > WAN Edge.

To verify the BGP over GRE session you created, you can use the WAN Edge testing tools:

  • WAN Edge > Utilities > Testing Tools.

    Open the BGP > Summary tab, or Routes > Show Routes.