This guide will lead you through the process of establishing a Site-to-Site VPN tunnel between your Harmony SASE network and the DrayTek Vigor environment.
To follow this guide, you need:
An active Harmony SASE account with a pre-configured network.
The Harmony SASE app installed on your devices.
An active DrayTek Vigor setup and the necessary administrative permissions.
Configuring an IPSec Tunnel in the Management Platform
Go to the Gateway in your network from which you want to create the tunnel to the DrayTek Vigor.
Select the three-dotted menu (...) and select Add Tunnel.
Select IPSec Site-2-Site Tunnel and select Continue.
Select Single Tunnel, and click Continue.
Under General Settings, enter the following:
Name - Set the name for the Tunnel.
Shared Secret - Enter a shared secret or select Generate.
Public IP and Remote ID - Enter your firewall's public WAN IP address.
In Harmony SASE Gateway Proposal Subnets, choose your Harmony SASE network subnet (default: 10.255.0.0/16; the guide's screenshot shows 10.254.0.0/16).
In Remote Gateway Proposal Subnets, input your internal LAN subnet.
Under Advanced Settings:
IKE Version: V1
IKE Lifetime: 8h
Tunnel Lifetime: 1h
Dead Peer Detection Delay: 30s
Dead Peer Detection Timeout: 60s
Encryption (Phase 1): aes256
Encryption (Phase 2): aes256
Integrity (Phase 1): sha1
Integrity (Phase 2): sha1
Diffie-Hellman Groups (Phase 1): 5
Diffie-Hellman Groups (Phase 2): 5
Select Add Tunnel.
Configuring the tunnel in the DrayTek Management Interface
1. Open the DrayTek management interface.
2. In the left panel, select VPN and Remote Access, then select VPN Profiles. Select the add button to create a new profile.
3. Under the Basic tab, fill in the following information:
Auto Dial-Out: Enable; Always Dial-Out
Dial-Out through: Your WAN interface; Default WAN IP
Failover: Should remain with the null value.
Local IP/Subnet Mask: Enter your firewall's external address and specify the corresponding subnets.
Remote Host: Enter your Harmony SASE Gateway IP.
Remote ID/Subnet Mask: By default, when the network is created in the Harmony SASE portal, 10.255.0.0 and 255.255.255.0/16 are assigned. If you customized these, make sure to enter the appropriate values.
IKE Protocol: IKEv1
IKE Phase 1: Main Mode
Auth Type: PSK
Pre-shared Key: Enter the same shared secret you chose while configuring the tunnel in the Harmony SASE portal.
Security Protocol: ESP
4. Fill in the following information in the Advanced section:
Phase 1 Key Lifetime: 28800 seconds
Phase 2 Key Lifetime: 3600 seconds
Perfect Forward Secrecy Status: Enable
DPD Delay: 30 seconds
DPD Timeout: 60 seconds
Ping to Keep Alive: Disable
Route/NAT Mode: Route
Source IP: Auto-detect
Apply NAT Policy: Disable
Set VPN Default Gateway: Disable
Netbios Naming Packet: Disable
Multicast via VPN: Disable
Rip via VPN: Disable
Packet Triggered: Enable
Force UDP Encapsulation: Disable
5. Fill in the following information in the GRE section:
Enable GRE Function: Disable
Auto Generate GRE Key: Enable
6. Fill in the following information in the Proposal section:
IKE Phase 1 Proposal: AES 256 G2
IKE Phase 1 Authentication: SHA1
IKE Phase 2 Proposal: AES 256 with auth
IKE Phase 2 Authentication: SHA1
Accepted Proposal: Accept
7. Leave the checkbox unmarked in the Multiple SAs section. Make sure to enable the profile and click Apply.
If the tunnel is up, the profile will be green in the Connection Management tab.
Verifying the Setup
After following the above steps, your tunnel should be active. To verify, go to your Harmony SASE dashboard, locate the tunnel you just created, and check the tunnel status. It should indicate that the tunnel is "Up", signifying a successful connection. Next, connect to your network using the Harmony SASE agent and attempt to access one of the resources in your environment.
If you encounter issues during or after the setup, try reviewing your settings to ensure everything matches the instructions. In particular, check the IP addresses and other details you entered during setup. If issues persist, please consult our dedicated support.
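To make the settings review concrete, the following added example (not part of the original guide or of either vendor's tooling) normalises the values listed for the two sides and reports every setting that differs. The dictionary keys and function names are hypothetical, "G2" in the DrayTek proposal is assumed to mean Diffie-Hellman group 2, and the Phase 2 proposal is read as AES 256; the Phase 2 DH group is not compared because the DrayTek profile lists only a PFS switch.

```python
import re

# Settings transcribed from this guide; keys are hypothetical names for this example.
SASE = {"ike_version": "V1", "ike_lifetime": "8h", "tunnel_lifetime": "1h",
        "dpd_delay": "30s", "dpd_timeout": "60s", "enc_p1": "aes256",
        "enc_p2": "aes256", "integ_p1": "sha1", "integ_p2": "sha1", "dh_p1": "5"}
DRAYTEK = {"ike_version": "IKEv1", "ike_lifetime": "28800 seconds",
           "tunnel_lifetime": "3600 seconds", "dpd_delay": "30 seconds",
           "dpd_timeout": "60 seconds", "p1_proposal": "AES 256 G2",
           "p2_proposal": "AES 256 with auth", "integ_p1": "SHA1", "integ_p2": "SHA1"}

TIMERS = ("ike_lifetime", "tunnel_lifetime", "dpd_delay", "dpd_timeout")
UNITS = {"s": 1, "second": 1, "seconds": 1, "m": 60, "h": 3600}

def seconds(text):
    """Convert '8h', '30s' or '28800 seconds' to an integer number of seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*([a-z]+)\s*", text.lower())
    if not m or m.group(2) not in UNITS:
        raise ValueError(f"unrecognised duration: {text!r}")
    return int(m.group(1)) * UNITS[m.group(2)]

def proposal(text):
    """Split 'AES 256 G2' into (cipher, DH group or None); 'G<n>' = DH group (assumed)."""
    cipher = re.search(r"(aes|3des|des)\s*(\d*)", text.lower())
    group = re.search(r"\bg(\d+)\b", text.lower())
    if not cipher:
        raise ValueError(f"no cipher in proposal: {text!r}")
    return cipher.group(1) + cipher.group(2), group.group(1) if group else None

def normalise(cfg):
    """Bring either side's settings to one comparable form."""
    out = {k: seconds(cfg[k]) for k in TIMERS}
    out["ike_version"] = re.sub(r"\D", "", cfg["ike_version"])  # 'V1', 'IKEv1' -> '1'
    out["integ_p1"], out["integ_p2"] = cfg["integ_p1"].lower(), cfg["integ_p2"].lower()
    if "p1_proposal" in cfg:  # DrayTek side: cipher and DH group share one field
        out["enc_p1"], out["dh_p1"] = proposal(cfg["p1_proposal"])
        out["enc_p2"] = proposal(cfg["p2_proposal"])[0]
    else:                     # Harmony SASE side: separate fields
        out.update({k: cfg[k].lower() for k in ("enc_p1", "enc_p2", "dh_p1")})
    return out

def mismatches(a, b):
    """Return {setting: (value_a, value_b)} for every setting that differs."""
    na, nb = normalise(a), normalise(b)
    return {k: (na[k], nb[k]) for k in sorted(na) if na[k] != nb[k]}

if __name__ == "__main__":
    for key, (sase, vigor) in mismatches(SASE, DRAYTEK).items():
        print(f"{key}: Harmony SASE={sase!r} DrayTek={vigor!r}")
```

Run against the values printed in this guide, the only difference reported is the Phase 1 Diffie-Hellman group (5 on the Harmony SASE side, G2 in the DrayTek proposal), so compare that setting first on your own devices.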
If you have any difficulties or questions, don't hesitate to contact Harmony SASE's support team. We offer 24/7 chat support on our website at Perimeter81.com, or you can email us at firstname.lastname@example.org. We're here to assist you and ensure your VPN tunnel setup is a success.