Introduction
Welcome to our guide on establishing a Site-to-Site VPN tunnel between your Harmony SASE network and the Juniper ScreenOS environment.
Breakdown of topics
- Pre-requisites
- Configuration Steps
- Verifying the Setup
- Troubleshooting
- Support Contacts
Pre-requisites
To successfully follow this guide, ensure that you:
- Have an active Harmony SASE account and an established network.
- Have the Harmony SASE application installed on your devices.
- Possess an active Juniper ScreenOS setup with the necessary administrative rights.
Configuration Steps
Configuring an IPSec Tunnel in the Management Platform
- Go to the Gateway in your network from which you want to create the tunnel to the Juniper SSG (ScreenOS) Firewall.
- Select the three-dotted menu (...) and select Add Tunnel.
- Select IPSec Site-2-Site Tunnel and select Continue.
- Select Single Tunnel, and click Continue.
- Under General Settings, enter the following:
- Name - Set the name for the Tunnel.
- Shared Secret - Put a shared secret or select Generate.
- Public IP and Remote ID - input your Juniper SSG (ScreenOS) Public WAN IP address.
- In Harmony SASE Gateway Proposal Subnets, choose your Harmony SASE Network Subnet (by default 10.255.0.0/16; in this screenshot, 10.254.0.0/16).
- In Remote Gateway Proposal Subnets, input your internal LAN subnet.
- Under Advanced Settings:
- IKE Version: V1
- IKE Lifetime: 8h
- Tunnel Lifetime: 1h
- Dead Peer Detection Delay: 10s
- Dead Peer Detection Timeout: 50s
- Encryption (Phase 1): aes256
- Encryption (Phase 2): aes256
- Integrity (Phase 1): sha1
- Integrity (Phase 2): sha1
- Diffie-Hellman Groups (Phase 1): 5
- Diffie-Hellman Groups (Phase 2): 5
- Select Add Tunnel.
Configuring the Tunnel on the Juniper SSG
- Navigate to the Admin Console of the Juniper device.
- In the left-hand menu, click on Network, then go to Interfaces.
- Create a new Unnumbered Tunnel interface.
- In the left-hand menu, under Network, click on Routing, then Source/Destination.
- Select the correct zone (usually Trust) and click New.
- Under IP Address/Netmask, enter your Harmony SASE Network Subnet (usually 10.255.0.0/16).
- In the left-hand menu, click on VPNs.
- Select AutoKey Advanced.
- Verify that the following P1 Proposal exists: "pre-g5-aes256-sha1-28800s" (preshared key, DH group 5, AES-256, SHA-1, 28800s lifetime).
- Navigate to P2 Proposal, and ensure that the following proposal exists: "g5-esp-aes256-sha1-3600s" (DH group 5, ESP, AES-256, SHA-1, 3600s lifetime).
- In the left-hand menu, click on Gateway.
- Select a Gateway Name.
- Under Static IP Address, enter your Harmony SASE Gateway IP Address.
- Click Advanced.
- Fill in the Preshared Key you generated in your Harmony SASE Admin Console earlier.
- Under Security Level, select Custom. In Phase 1 Proposal, select "pre-g5-aes256-sha1-28800s".
- Enable DPD.
- Set DPD Interval to 10s.
- Set DPD Retry to 5.
- In the left-hand menu, click on Autokey IKE.
- Under VPN Name, choose a name (for example "Harmony SASE").
- In Remote Gateway, select Predefined and choose the AutoKey Advanced Gateway you created during the previous step.
- Click Advanced.
- Under Security Level, click Custom and select the Phase 2 Proposal named "g5-esp-aes256-sha1-3600s".
- Under Bind to, Click Tunnel Interface and select the Tunnel Interface you created in Step 3.
- Make sure Proxy-ID Check is enabled.
- Configure a Proxy ID:
- Local Proxy ID: enter your local LAN subnet (for example 192.168.120.0/24).
- Remote Proxy ID: your Harmony SASE subnet (by default 10.255.0.0/16).
- Service: Any.
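Because both procedures above must produce matching Phase 1 and Phase 2 parameters, and because Proxy-ID Check is enabled on the SSG, a single mismatched value is the usual reason a tunnel never reaches "Up". The following Python script is an added example, not part of this guide or of either vendor's software: it takes the values the guide prescribes for each side and reports every disagreement. The ScreenOS proposal names are parsed by the naming convention used in this guide ("pre-g5-aes256-sha1-28800s", "g5-esp-aes256-sha1-3600s"); the assumption that the SSG's DPD interval multiplied by its retry count should equal the Harmony SASE DPD timeout is taken from the guide's own numbers (10s × 5 = 50s). The subnets are the guide's sample values.

```python
import ipaddress
import re

# Values as entered in the Harmony SASE Management Platform (from the guide).
SASE_TUNNEL = {
    "ike_version": 1,
    "ike_lifetime_s": 8 * 3600,       # IKE Lifetime: 8h
    "tunnel_lifetime_s": 3600,        # Tunnel Lifetime: 1h
    "dpd_delay_s": 10,                # Dead Peer Detection Delay
    "dpd_timeout_s": 50,              # Dead Peer Detection Timeout
    "p1": {"enc": "aes256", "auth": "sha1", "dh": 5},
    "p2": {"enc": "aes256", "auth": "sha1", "dh": 5},
    "local_subnets": ["10.255.0.0/16"],      # Harmony SASE Gateway Proposal Subnets
    "remote_subnets": ["192.168.120.0/24"],  # Remote Gateway Proposal Subnets (SSG LAN)
}

# Values as configured on the Juniper SSG (from the guide).
SSG_TUNNEL = {
    "p1_proposal": "pre-g5-aes256-sha1-28800s",
    "p2_proposal": "g5-esp-aes256-sha1-3600s",
    "dpd_interval_s": 10,
    "dpd_retry": 5,
    "proxy_local": "192.168.120.0/24",   # Local Proxy ID: the SSG's LAN
    "proxy_remote": "10.255.0.0/16",     # Remote Proxy ID: the Harmony SASE network
}

# Naming convention assumed from the proposal names used in this guide.
P1_RE = re.compile(r"^pre-g(?P<dh>\d+)-(?P<enc>[a-z0-9]+)-(?P<auth>[a-z0-9]+)-(?P<life>\d+)s$")
P2_RE = re.compile(r"^g(?P<dh>\d+)-esp-(?P<enc>[a-z0-9]+)-(?P<auth>[a-z0-9]+)-(?P<life>\d+)s$")


def parse_proposal(name, pattern):
    """Split a proposal name into DH group, cipher, integrity algorithm and lifetime."""
    m = pattern.match(name)
    if not m:
        raise ValueError(f"proposal name {name!r} does not follow the expected convention")
    return {"dh": int(m["dh"]), "enc": m["enc"], "auth": m["auth"], "life_s": int(m["life"])}


def check_tunnel(sase, ssg):
    """Return a list of mismatches between the two ends; an empty list means they agree."""
    problems = []
    if sase["ike_version"] != 1:
        problems.append("IKE version: this guide configures IKE Version V1 on the SASE side")

    phases = (
        ("Phase 1", parse_proposal(ssg["p1_proposal"], P1_RE), sase["p1"], sase["ike_lifetime_s"]),
        ("Phase 2", parse_proposal(ssg["p2_proposal"], P2_RE), sase["p2"], sase["tunnel_lifetime_s"]),
    )
    for phase, ssg_side, sase_side, sase_life in phases:
        for field in ("enc", "auth", "dh"):
            if ssg_side[field] != sase_side[field]:
                problems.append(f"{phase} {field}: SASE={sase_side[field]} SSG={ssg_side[field]}")
        if ssg_side["life_s"] != sase_life:
            problems.append(f"{phase} lifetime: SASE={sase_life}s SSG={ssg_side['life_s']}s")

    # DPD: assumption that SSG interval * retry should match the SASE timeout (10s * 5 = 50s in the guide).
    if ssg["dpd_interval_s"] != sase["dpd_delay_s"]:
        problems.append(f"DPD interval: SASE={sase['dpd_delay_s']}s SSG={ssg['dpd_interval_s']}s")
    ssg_dead_after = ssg["dpd_interval_s"] * ssg["dpd_retry"]
    if ssg_dead_after != sase["dpd_timeout_s"]:
        problems.append(f"DPD timeout: SASE={sase['dpd_timeout_s']}s SSG interval*retry={ssg_dead_after}s")

    # Proxy IDs must mirror the proposal subnets exactly, since Proxy-ID Check is enabled on the SSG.
    sase_local = {ipaddress.ip_network(n) for n in sase["local_subnets"]}
    sase_remote = {ipaddress.ip_network(n) for n in sase["remote_subnets"]}
    if ipaddress.ip_network(ssg["proxy_remote"]) not in sase_local:
        problems.append(f"Proxy ID remote {ssg['proxy_remote']} is not among the SASE gateway "
                        f"proposal subnets {sorted(map(str, sase_local))}")
    if ipaddress.ip_network(ssg["proxy_local"]) not in sase_remote:
        problems.append(f"Proxy ID local {ssg['proxy_local']} is not among the SASE remote "
                        f"proposal subnets {sorted(map(str, sase_remote))}")
    return problems


if __name__ == "__main__":
    for line in check_tunnel(SASE_TUNNEL, SSG_TUNNEL) or ["OK: both ends agree"]:
        print(line)
```

Run it with the values you actually typed into each console; any line it prints is the first thing to correct before looking elsewhere. Changing the SSG's Remote Proxy ID to 10.254.0.0/16 while the SASE side proposes 10.255.0.0/16, for instance, is reported as a proxy ID mismatch, which is exactly the case where Phase 1 succeeds but Phase 2 never does.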
Verifying the Setup
After following the above steps, your tunnel should be active.
To verify, go to your Harmony SASE dashboard, locate the tunnel you just created, and check the tunnel status.
It should indicate that the tunnel is "Up", signifying a successful connection.
Next, connect to your network using the Harmony SASE agent and attempt to access one of the resources in your environment.
Troubleshooting
If you encounter issues during or after the setup, try reviewing your settings to ensure everything matches the instructions. In particular, check the IP addresses and other details you entered during setup. If issues persist, please consult our dedicated support.
Support Contacts
If you have any difficulties or questions, don't hesitate to contact Harmony SASE's support team. We offer 24/7 chat support on our website at Perimeter81.com, or you can email us at sase-support@checkpoint.com. We're here to assist you and ensure your VPN tunnel setup is a success.