Netgear BR500
  • 29 Apr 2024

      Introduction

      This guide provides you with the essential instructions to establish a Site-to-Site VPN tunnel between your Harmony SASE network and the NETGEAR BR500 environment.

      Breakdown of topics

      1. Pre-requisites
      2. Configuration Steps
      3. Verifying the Setup
      4. Troubleshooting
      5. Support Contacts

      Pre-requisites

      To successfully follow this guide, ensure that you have:

      1. An activated Harmony SASE account with a network already set up.
      2. The Harmony SASE app downloaded and installed on your devices.
      3. An operational NETGEAR BR500 system with the required administrative access.


      Configuration Steps

      Configuring the tunnel in the Management Platform

      1. Select the network tab from the menu on the left side of the screen. Choose the network that contains the gateway in your network to which you'd like to create the tunnel. Select the three-dotted icon beside the gateway's name and select Add Tunnel.

      2. Select IPSec Site-2-Site Tunnel and select Continue.

      3. In the General Settings section fill in the following information:

      • Name: Choose whatever name you find suitable for the tunnel.
      • Shared Secret: Enter a character string of your own or use Generate.
      • Public IP/Remote ID: Enter the public IP of the Netgear device.
      • Harmony SASE Gateway Proposal Subnets: Choose the specified subnet. By default, this should be set to 10.2XX.0.0/16.
      • Remote Gateway Proposal Subnets: Select Specified Subnets and specify according to your local LAN Subnets.

      4. In the Advanced Settings section fill in the following:
      • IKE Version: V2
      • Encryption (Phase 1): AES256
      • Encryption (Phase 2): AES256
      • Integrity (Phase 1): SHA1
      • Integrity (Phase 2): SHA1
      • Diffie-Hellman Groups (Phase 1): 5
      • Diffie-Hellman Groups (Phase 2): 5
      • DPD detection: 30s
      • DPD timeout: 10s

      Leave the rest of the fields with the default values (as shown in the attached image) and click on Add Tunnel.

      Configuring the tunnel in the Netgear Management Interface

      1. Open the Netgear management interface.
      2. In the left panel, select Security, then select IPSec VPN.

      3. Select Add to create a new profile.

      4. Fill in the following information:

      • Policy Name: Enter a name of your choice.
      • Mode: Net-2-Net
      • Remote Gateway IP: Enter your Harmony SASE Gateway address.
      • Local Subnet and Local Mask: Enter your LAN subnet and subnet mask.
      • Remote Subnet: Enter your Harmony SASE Subnet (as shown in the tunnel creation module in the Harmony SASE Platform).
      • Remote Mask: 255.255.0.0

      5. Enter the same pre-shared key you chose while defining the tunnel in the Harmony SASE Platform and choose IKEv2.

      6. In the Advanced Settings, fill in the following information:

      • Phase 1 Proposal: sha1-aes256-dh5
      • Exchange Mode: main
      • Negotiation Mode: Initiator
      • Phase 1 SA Lifetime: 28800 seconds
      • DPD: Enable
      • DPD Interval: 10 seconds
      • Encapsulation Mode: Tunnel Mode
      • Proposal (Phase 2): esp-sha1-aes256
      • SA Lifetime (Phase 2): 3600 seconds

      Verifying the Setup

      After following the above steps, your tunnel should be active.
      To verify, go to your Harmony SASE dashboard, locate the tunnel you just created, and check the tunnel status.
      It should indicate that the tunnel is "Up", signifying a successful connection.
      Next, connect to your network using the Harmony SASE agent and attempt to access one of the resources in your environment.

      Troubleshooting

      If you encounter issues during or after the setup, try reviewing your settings to ensure everything matches the instructions. In particular, check the IP addresses and other details you entered during setup. If issues persist, please consult our dedicated support.
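
One way to carry out that review, as an added example that is not part of the original guide or of any Check Point or Netgear tooling: the script below parses the Netgear proposal strings from this guide and compares them, together with the remote subnet and mask, against the Harmony SASE side. The dictionary layout and function names are hypothetical, and the 10.200.0.0/16 subnet is a constructed sample standing in for 10.2XX.0.0/16.

```python
import ipaddress

# Values copied from this guide. The Harmony subnet is a constructed sample,
# because the guide gives it only as 10.2XX.0.0/16.
HARMONY = {"ike": "V2", "subnet": "10.200.0.0/16",
           "phase1": {"encryption": "AES256", "integrity": "SHA1", "dh": "5"},
           "phase2": {"encryption": "AES256", "integrity": "SHA1", "dh": "5"}}
NETGEAR = {"ike": "IKEv2", "phase1": "sha1-aes256-dh5", "phase2": "esp-sha1-aes256",
           "remote_subnet": "10.200.0.0", "remote_mask": "255.255.0.0"}

def parse_proposal(text):
    """Split a Netgear-style proposal string into named fields."""
    fields = {}
    for token in text.lower().split("-"):
        if token.startswith(("sha", "md5")):
            fields["integrity"] = token.upper()
        elif token.startswith(("aes", "3des")):
            fields["encryption"] = token.upper()
        elif token.startswith("dh"):
            fields["dh"] = token[2:]
        elif token != "esp":
            raise ValueError(f"unrecognised proposal token: {token!r}")
    return fields

def digits(text):
    """Keep only the digits, so 'V2' and 'IKEv2' compare equal."""
    return "".join(ch for ch in text if ch.isdigit())

def find_mismatches(harmony, netgear):
    """Return one message per setting that differs between the two sides."""
    problems = []
    if digits(harmony["ike"]) != digits(netgear["ike"]):
        problems.append(f"IKE version: Harmony {harmony['ike']}, Netgear {netgear['ike']}")
    for phase in ("phase1", "phase2"):
        # Compare only the fields the Netgear proposal string actually states.
        for field, value in parse_proposal(netgear[phase]).items():
            if harmony[phase][field] != value:
                problems.append(
                    f"{phase} {field}: Harmony {harmony[phase][field]}, Netgear {value}")
    # Remote Subnet + Remote Mask must describe the Harmony proposal subnet.
    remote = ipaddress.ip_network(f"{netgear['remote_subnet']}/{netgear['remote_mask']}")
    if remote != ipaddress.ip_network(harmony["subnet"]):
        problems.append(f"subnet: Harmony {harmony['subnet']}, Netgear {remote}")
    return problems

if __name__ == "__main__":
    for line in find_mismatches(HARMONY, NETGEAR) or ["both sides match"]:
        print(line)
```

Replace the sample values with the ones shown in your own Management Platform and Netgear profile before running it.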

      Support Contacts

      If you have any difficulties or questions, don't hesitate to contact Harmony SASE's support team. We offer 24/7 chat support on our website at Perimeter81.com, or you can email us at sase-support@checkpoint.com. We're here to assist you and ensure your VPN tunnel setup is a success.

