Setup Secure Edge Connector with Custom Provider
Juniper Mist offers a custom option for tunnel provisioning. With minimal configuration, your WAN Edge device can establish connections to the SSE using either the IPsec or the GRE protocol.
Configure Secure Edge Connector with Custom Option
Prerequisites
- Ensure you have the local and remote network account details prepared.
Configure Tunnel Provisioning
- On the Juniper Mist portal, go to Secure Edge Connector at the WAN Edge Templates level, the hub profile, or the Site level.
Figure 1: Add Provider for Secure Edge Connector
- Click Add Providers.
- In the Add Provider window, select the Custom option.
- Enter the details for provisioning of tunnels.
- Name—Enter the name of the service.
- Provider—Select Custom.
- Remote Network—Select an existing Network or create a network.
- Provider—Select IPsec or GRE.
For IPsec, enter the following options:
- Local ID—Provide the login ID of the local account.
- Preshared Key—Provide the preshared key (PSK). The length of the PSK must be between 6 and 255 characters.
- IP or Hostname—IP address or hostname.
- Source IP—Source IP address of the tunnel.
- Probe IPs—Enter the probe IP address. You can use any well-known IP address (for example, 8.8.8.8).
- Remote ID—Provide the login ID of the remote account.
- WAN Interface—Assign WAN interfaces for provisioning of primary and secondary tunnels. You can add multiple WAN interfaces; the first interface takes priority. If the first interface is down, the system uses the second interface to establish the tunnel.
- IKEv2 proposal—Retain the default values or select the Encryption Algorithm, Authentication Algorithm, and DH Group from the drop-down lists, and enter a Life Time between 180 and 86400 seconds.
- IPsec proposal—Retain the default values or select the Encryption Algorithm, Authentication Algorithm, and DH Group from the drop-down lists, and enter a Life Time between 180 and 86400 seconds.
For GRE, enter the following options:
- IP or Hostname—IP addresses or hostname.
- Source IP—Source IP address of the tunnel.
- Probe IPs—Enter the probe IP address. You can use any well-known IP address (for example, 8.8.8.8).
- Remote ID—Provide the login ID of the remote account.
- WAN Interface—Assign WAN interfaces for provisioning of primary and secondary tunnels. You can add multiple WAN interfaces; the first interface takes priority. If the first interface is down, the system uses the second interface to establish the tunnel.
- Click Add to continue.
- Create new BGP Group.
- Scroll down to the Routing pane and click Add BGP Group.
Figure 2: Add BGP Group
- In the Add BGP Group window, add details for the BGP group.
- For the Peering Network, select the same SEC provider (created in previous steps).
- For Local AS, enter the AS number or a non-default AS for the WAN Edge.
- In the Neighbors pane, click Add Neighbors.
- Add the BGP peer IP address of the SSE and the AS value.
- Optionally, you can add a BGP policy for import or export of routes.
For instructions to create BGP groups, see Configure BGP Groups.
Add a traffic steering profile on the WAN Edge Templates page or on the WAN Edge Device page.
Figure 3: Add Traffic Steering for Secure Edge Connector
- Enter the details for the traffic-steering path:
- Name—Enter a name for the traffic-steering profile.
- Strategy—Select a strategy. You can configure the traffic steering profile with any strategy (Ordered, Weighted, or ECMP), based on your topology and configuration.
- Path—Click Add Paths and enter the following details.
- Type—Select Secure Edge Connector.
- Provider—Select Custom.
- Name—Select the name of the custom connector you created in the previous step.
- Click Add.
- Add an application policy. An application policy allows the desired network to reach the more specific application using the route table. In the application policy, you can include the remote network you created in the previous step. Use that network in an application policy to allow inbound access from the Secure Edge Connector. To create the application policy, in the Juniper Mist cloud portal, go to Organization > WAN > Application Policy.
The following image shows an example of an application policy with the traffic steering configured in the previous step.
Figure 4: Create Application Policies for Secure Edge Connectors
For instructions to create Application Policies, see Configure Application Policies.
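The tunnel fields entered in the Add Provider step carry limits (PSK length, proposal Life Time, probe IPs, WAN interface order) that can be checked before the values go into the portal. The following pre-flight check is an added example, not Juniper code; the dictionary keys, the sample entries and the 128-bit PSK strength floor are assumptions made for illustration.

```python
import ipaddress
import math

PSK_MIN, PSK_MAX = 6, 255                 # PSK length bounds stated on the page
LIFETIME_MIN, LIFETIME_MAX = 180, 86400   # proposal Life Time bounds (seconds)
MIN_PSK_BITS = 128                        # assumption: strength floor, not a Mist rule

def psk_entropy_bits(psk):
    """Optimistic estimate: length * log2(size of the character classes used)."""
    classes = ((str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
               (lambda c: not c.isalnum(), 32))
    pool = sum(size for test, size in classes if any(test(c) for c in psk))
    return len(psk) * math.log2(pool) if pool else 0.0

def check_tunnel(cfg):
    """Return (errors, warnings) for one custom-provider entry (hypothetical keys)."""
    errors, warnings = [], []
    proto = cfg.get("protocol")
    if proto not in ("ipsec", "gre"):
        errors.append("protocol must be ipsec or gre")
    if proto == "gre":
        warnings.append("GRE adds no encryption or authentication to tunneled traffic")
    if len(cfg.get("wan_interfaces", [])) < 2:
        warnings.append("fewer than two WAN interfaces: no secondary tunnel for failover")
    for ip in cfg.get("probe_ips", []):
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            errors.append(f"probe IP {ip!r} is not a valid address")
    if proto == "ipsec":
        psk = cfg.get("psk", "")
        if not PSK_MIN <= len(psk) <= PSK_MAX:
            errors.append(f"PSK length {len(psk)} outside {PSK_MIN}-{PSK_MAX}")
        elif psk_entropy_bits(psk) < MIN_PSK_BITS:
            warnings.append("PSK meets the length rule but is weak against guessing")
        for name in ("ike_lifetime", "ipsec_lifetime"):
            life = cfg.get(name)
            if life is not None and not LIFETIME_MIN <= life <= LIFETIME_MAX:
                errors.append(f"{name} {life}s outside {LIFETIME_MIN}-{LIFETIME_MAX}")
    return errors, warnings

# Constructed sample entries; every value here is illustrative.
WEAK_IPSEC = {"protocol": "ipsec", "psk": "abc123", "probe_ips": ["8.8.8.8"],
              "wan_interfaces": ["wan0"], "ike_lifetime": 86400, "ipsec_lifetime": 120}
BAD_GRE = {"protocol": "gre", "probe_ips": ["8.8.8"], "wan_interfaces": ["wan0", "wan1"]}

if __name__ == "__main__":
    for cfg in (WEAK_IPSEC, BAD_GRE):
        print(cfg["protocol"], *check_tunnel(cfg), sep="\n  ")
```

A six-character PSK passes the portal's length rule, which is why the strength estimate is reported as a separate warning and not as an error.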
Verification
On the Juniper Mist portal, you can verify the details of the established tunnels in WAN Insights of the device once the WAN Edge Tunnel Auto Provision Succeeded event appears under WAN Edge Events.
Once you update the template, the IPsec configuration is pushed to the WAN Edge device. For a first-time IPsec deployment, the system takes time to download the software and configuration.
Once the IPsec configuration has been deployed, you can see the IPsec status by navigating to WAN Edge > WAN Edge Name > Secure Edge Connector Details.
You can view BGP neighbor status by navigating to Monitor > Insights > WAN Edge.
You can view learned routes by navigating to WAN Edge > Utilities > Testing Tools > Routes > Show Routes.