Introduction
This guide will lead you through the process of establishing a Site-to-Site VPN tunnel between your Harmony SASE network and the DrayTek Vigor environment.
Breakdown of topics
- Pre-requisites
- Configuration Steps
- Verifying the Setup
- Troubleshooting
- Support Contacts
Pre-requisites
To successfully follow this guide, ensure that you have:
- An active Harmony SASE account with a pre-configured network.
- The Harmony SASE app installed on your devices.
- An active DrayTek Vigor setup and the necessary administrative permissions.
Configuration Steps
Configuring an IPSec Tunnel in the Management Platform
- Go to the Gateway in your network from which you want to create the tunnel to the DrayTek Vigor firewall.
- Select the three-dotted menu (...) and select Add Tunnel.
- Select IPSec Site-2-Site Tunnel and select Continue.
- Select Single Tunnel, and Click Continue.
- Under General Settings, enter the following:
- Name - Set the name for the Tunnel.
- Shared Secret - Put a shared secret or select Generate.
- Public IP and Remote ID - enter your firewall's public WAN IP address.
- In Harmony SASE Gateway Proposal Subnets, choose your Harmony SASE network subnet (10.255.0.0/16 by default; the example configuration shown here uses 10.254.0.0/16).
- In Remote Gateway Proposal Subnets, input your internal LAN subnet.
- Under Advanced Settings:
- IKE Version: V1
- IKE Lifetime: 8h
- Tunnel Lifetime: 1h
- Dead Peer Detection Delay: 30s
- Dead Peer Detection Timeout: 60s
- Encryption (Phase 1): aes256
- Encryption (Phase 2): aes256
- Integrity (Phase 1): sha1
- Integrity (Phase 2): sha1
- Diffie-Hellman Groups (Phase 1): 5
- Diffie-Hellman Groups (Phase 2): 5
- Select Add Tunnel.
Configuring the tunnel in the DrayTek Management Interface
- Open the DrayTek management interface.
- In the left panel, select VPN and Remote Access, then select VPN Profiles. Select Add to create a new profile.
- Under the Basic tab, fill in the following information:
- Auto Dial-Out: Enable; Always Dial-Out.
- Dial-Out Through: Your WAN interface; the default is WAN IP.
- Failover to: Leave at the null value.
- Local IP/Subnet Mask: Enter your firewall's external address and the corresponding subnet mask.
- Remote Host: Enter your Harmony SASE Gateway IP.
- Remote IP/Subnet Mask: By default, upon network creation in the Harmony SASE Portal, the network 10.255.0.0 with subnet mask 255.255.0.0 (/16) is assigned. If you customized the network subnet, enter the values you chose.
- IKE Protocol: IKEv1
- IKE Phase 1: Main Mode
- Auth Type: PSK
- Pre-shared Key: Enter the same shared secret you chose while configuring the tunnel in the Harmony SASE portal.
- Security Protocol: ESP
- Fill in the following information in the Advanced section:
- Phase 1 Key Lifetime: 28800 seconds
- Phase 2 Key Lifetime: 3600 seconds
- Perfect Forward Secrecy Status: Enable
- DPD Status: Enable
- DPD Delay: 30 seconds
- DPD Timeout: 60 seconds
- Ping to Keep Alive: Disable
- Route/NAT Mode: Route
- Source IP: Auto-detect
- Apply NAT Policy: Disable
- Set VPN Default Gateway: Disable
- Netbios Naming Packet: Disable
- Multicast via VPN: Disable
- Rip via VPN: Disable
- Packet Triggered: Enable
- Force UDP Encapsulation: Disable
- Fill in the following information in the GRE section:
- Enable GRE Function: Disable
- Auto Generate GRE Key: Enable
- Fill in with the following information in the Proposal section:
- IKE Phase 1 Proposal: AES 256 G2
- IKE Phase 1 Authentication: SHA1
- IKE Phase 2 Proposal: AES 256 with auth
- IKE Phase 2 Authentication: SHA1
- Accepted Proposal: Accept
Leave the checkbox unmarked in the Multiple SAs section. Make sure to enable the profile and click Apply.
If the tunnel is up, the profile is shown in green in the Connection Management tab.
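Most site-to-site failures come from the two sides not agreeing on a parameter, and the two vendors express the same values differently (8h versus 28800 seconds, aes256 versus "AES 256 G2", 10.255.0.0/16 versus 10.255.0.0 with mask 255.255.0.0). The script below is an added example, not part of this guide and not a Harmony SASE or DrayTek tool: it normalises the values entered in the two sections above and lists any mismatch before you bring the tunnel up. The dictionary keys are this example's own labels, the DrayTek LAN subnet 192.168.1.0/24 is a constructed placeholder, and the Diffie-Hellman group and PFS settings are not compared and remain the operator's responsibility.

```python
import ipaddress
import re

# Constructed sample values copied from the two configuration sections above.
# Key names are this example's own; they are not Harmony SASE or DrayTek field identifiers.
HARMONY_SIDE = {
    "ike_version": "V1",
    "ike_lifetime": "8h",
    "tunnel_lifetime": "1h",
    "dpd_delay": "30s",
    "dpd_timeout": "60s",
    "encryption_p1": "aes256",
    "encryption_p2": "aes256",
    "integrity_p1": "sha1",
    "integrity_p2": "sha1",
    "local_subnet": "10.255.0.0/16",     # Harmony SASE Gateway Proposal Subnet (default)
    "remote_subnet": "192.168.1.0/24",   # placeholder for the DrayTek LAN (constructed)
}

DRAYTEK_SIDE = {
    "ike_protocol": "IKEv1",
    "phase1_key_lifetime": "28800 seconds",
    "phase2_key_lifetime": "3600 seconds",
    "dpd_delay": "30 seconds",
    "dpd_timeout": "60 seconds",
    "phase1_proposal": "AES 256 G2",
    "phase1_auth": "SHA1",
    "phase2_proposal": "AES 256 with auth",
    "phase2_auth": "SHA1",
    "local_ip_mask": "192.168.1.0/255.255.255.0",  # DrayTek Local IP/Subnet Mask (constructed)
    "remote_ip_mask": "10.255.0.0/255.255.0.0",    # DrayTek Remote IP/Subnet Mask (default)
}

_UNIT_SECONDS = {"s": 1, "sec": 1, "second": 1, "seconds": 1,
                 "m": 60, "min": 60, "minute": 60, "minutes": 60,
                 "h": 3600, "hour": 3600, "hours": 3600}


def to_seconds(value):
    """Parse durations such as '8h', '30s' or '28800 seconds' into whole seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*([a-zA-Z]+)\s*", value)
    if not m:
        raise ValueError(f"unrecognised duration: {value!r}")
    return int(m.group(1)) * _UNIT_SECONDS[m.group(2).lower()]


def normalise_cipher(name):
    """Reduce 'AES 256 G2', 'AES 256 with auth', 'SHA1' or 'aes256' to algorithm+size, e.g. 'aes256'."""
    m = re.match(r"\s*([a-zA-Z]+)\s*(\d*)", name)
    return (m.group(1) + m.group(2)).lower()


def to_network(spec):
    """Accept '10.255.0.0/16' or '10.255.0.0/255.255.0.0' and return the canonical IPv4Network."""
    return ipaddress.ip_network(spec, strict=True)


def compare_sides(harmony, draytek):
    """Return a list of mismatch descriptions; an empty list means both sides agree."""
    problems = []

    def check(label, a, b):
        if a != b:
            problems.append(f"{label}: Harmony SASE={a!r} vs DrayTek={b!r}")

    digits = lambda s: re.sub(r"\D", "", s)  # 'V1' and 'IKEv1' both become '1'
    check("IKE version", digits(harmony["ike_version"]), digits(draytek["ike_protocol"]))
    check("Phase 1 lifetime (s)", to_seconds(harmony["ike_lifetime"]), to_seconds(draytek["phase1_key_lifetime"]))
    check("Phase 2 lifetime (s)", to_seconds(harmony["tunnel_lifetime"]), to_seconds(draytek["phase2_key_lifetime"]))
    check("DPD delay (s)", to_seconds(harmony["dpd_delay"]), to_seconds(draytek["dpd_delay"]))
    check("DPD timeout (s)", to_seconds(harmony["dpd_timeout"]), to_seconds(draytek["dpd_timeout"]))
    check("Phase 1 encryption", normalise_cipher(harmony["encryption_p1"]), normalise_cipher(draytek["phase1_proposal"]))
    check("Phase 2 encryption", normalise_cipher(harmony["encryption_p2"]), normalise_cipher(draytek["phase2_proposal"]))
    check("Phase 1 integrity", normalise_cipher(harmony["integrity_p1"]), normalise_cipher(draytek["phase1_auth"]))
    check("Phase 2 integrity", normalise_cipher(harmony["integrity_p2"]), normalise_cipher(draytek["phase2_auth"]))

    # Subnets are mirrored: Harmony's local subnet is DrayTek's remote subnet and vice versa.
    try:
        h_local, h_remote = to_network(harmony["local_subnet"]), to_network(harmony["remote_subnet"])
        d_local, d_remote = to_network(draytek["local_ip_mask"]), to_network(draytek["remote_ip_mask"])
    except ValueError as exc:  # e.g. host bits set in a network address
        problems.append(f"invalid subnet: {exc}")
        return problems
    check("Harmony local subnet vs DrayTek remote subnet", str(h_local), str(d_remote))
    check("Harmony remote subnet vs DrayTek local subnet", str(h_remote), str(d_local))
    if h_local.overlaps(h_remote):
        problems.append(f"local and remote subnets overlap: {h_local} and {h_remote}")
    return problems


if __name__ == "__main__":
    issues = compare_sides(HARMONY_SIDE, DRAYTEK_SIDE)
    print("OK: both sides agree" if not issues else "\n".join(issues))
```

Run it with the values you actually entered in both portals; any line it prints is a setting to revisit before opening a support case.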
Verifying the Setup
After following the above steps, your tunnel should be active.
To verify, go to your Harmony SASE dashboard, locate the tunnel you just created, and check the tunnel status.
It should indicate that the tunnel is "Up", signifying a successful connection.
Next, connect to your network using the Harmony SASE agent and attempt to access one of the resources in your environment.
Troubleshooting
If you encounter issues during or after the setup, review your settings to ensure everything matches the instructions. In particular, check the IP addresses and other details you entered during setup, and confirm that both sides use the same IKE version, encryption, integrity, Diffie-Hellman group and key lifetimes, that the pre-shared key matches exactly, and that the subnets are mirrored (the local subnet on one side is the remote subnet on the other). If issues persist, please consult our dedicated support.
Support Contacts
If you have any difficulties or questions, don't hesitate to contact Harmony SASE's support team. We offer 24/7 chat support on our website at Perimeter81.com, or you can email us at sase-support@checkpoint.com. We're here to assist you and ensure your VPN tunnel setup is a success.