Setup Secure Edge Connector with Custom Provider

Juniper Mist offers a custom option for tunnel provisioning. With minimal configuration, your WAN Edge device can establish connections to the SSE using either the IPsec or the GRE protocol.

Configure Secure Edge Connector with Custom Option

Prerequisites

  • Keep the local and remote network account details ready.

Configure Tunnel Provisioning

  1. On the Juniper Mist portal, go to Secure Edge Connector at the WAN Edge Templates level, in the hub profile, or at the Site level.
    Figure 1: Add Provider for Secure Edge Connector
  2. Click Add Providers.
  3. In the Add Provider window, select the Custom option.
  4. Enter the details for provisioning of tunnels.
      1. Name—Enter the name of the service.
      2. Provider—Select Custom.
      3. Remote Network—Select an existing Network or create a network.
      4. Provider—Select IPsec or GRE.
      5. For IPsec, enter the following options:

        1. Local ID—Provide login ID of the local account.
        2. Preshared Key—Provide the preshared key (PSK). The length of the PSK must be between 6 and 255 characters.
        3. IP or Hostname—IP address or hostname.
        4. Source IP—Source IP address of the tunnel.
        5. Probe IPs—Enter probe IP address. You can use any well-known IP (Example: 8.8.8.8).
        6. Remote ID—Provide login ID of the remote account.
        7. WAN Interface—Assign WAN interfaces for provisioning of primary and secondary tunnels. You can add multiple WAN interfaces, and the first interface takes priority. If the first interface is down, the system uses the second interface to establish the tunnel.
        8. IKEv2 proposal—Retain the default values, or select the Encryption Algorithm, Authentication Algorithm, and DH Group from the drop-down lists and enter a Life Time between 180 and 86400 seconds.
        9. IPsec proposal—Retain the default values, or select the Encryption Algorithm, Authentication Algorithm, and DH Group from the drop-down lists and enter a Life Time between 180 and 86400 seconds.
      6. For GRE, enter the following options:

        1. IP or Hostname—IP addresses or hostname.
        2. Source IP—Source IP address of the tunnel.
        3. Probe IPs—Enter probe IP address. You can use any well-known IP (Example: 8.8.8.8).
        4. Remote ID—Provide login ID of the remote account.
        5. WAN Interface—Assign WAN interfaces for provisioning of primary and secondary tunnels. You can add multiple WAN interfaces, and the first interface takes priority. If the first interface is down, the system uses the second interface to establish the tunnel.
  5. Click Add to continue.
  6. Create a new BGP group.
    1. Scroll down to Routing pane and click Add BGP Group.
      Figure 2: Add BGP Group
    2. In the Add BGP Group window, add details for the BGP group.
    3. For the Peering Network, select the same SEC provider (created in previous steps).
    4. For Local AS, enter the AS number or a non-default AS for the WAN Edge.
    5. In Neighbors pane, click Add Neighbors.
      • Add the BGP peer IP address of the SSE and the AS value.
      • Optionally, you can add a BGP policy for import or export of routes.

      For instructions to create BGP groups, see Configure BGP Groups.

  7. Add a traffic steering profile on the WAN Edge Templates page or on the WAN Edge Device page.

    Figure 3: Add Traffic Steering for Secure Edge Connector
    • Enter the details for the traffic-steering path:
      • Name—Enter a name for the traffic-steering profile.
      • Strategy—Select a strategy. You can configure the traffic steering profile with any strategy (Ordered, Weighted, or ECMP), based on your topology and configuration.
      • Path—Click Add Paths and enter the following details.
        1. Type—Select Secure Edge Connector.
        2. Provider—Select Custom.
        3. Name—Select the name of the custom connector you created in the previous step.
      • Click Add.
  8. Add an application policy. An application policy allows the desired network to reach the more specific application using the route table. In the application policy, you can include the remote network you created in the previous step. Use that network in an application policy to allow inbound access from the Secure Edge Connector. To create the application policy, in the Juniper Mist cloud portal, go to Organization > WAN > Application Policy.

    The following image shows an example of an application policy with the traffic steering configured in the previous step.

    Figure 4: Create Application Policies for Secure Edge Connectors

For instructions to create Application Policies, see Configure Application Policies.
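
The IPsec options in step 4 carry hard limits (PSK length, proposal lifetimes) that can be checked before the values are entered in the portal. The following Python pre-flight check is an added example, not Juniper's code: the dictionary keys are hypothetical names for the portal fields (not Mist API fields), the sample values are constructed, and psk_floor is an assumed local policy that may be stricter than the portal's 6-character minimum.

```python
import ipaddress

# Bounds stated in step 4 for the Custom provider's IPsec options.
PSK_MIN, PSK_MAX = 6, 255
LIFETIME_MIN, LIFETIME_MAX = 180, 86400

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def check_ipsec_provider(cfg, psk_floor=PSK_MIN):
    """Return a list of problems in a planned IPsec provider entry.
    Keys are hypothetical field names; a lifetime of None means
    'retain the default value'."""
    problems = []
    psk = cfg.get("preshared_key", "")
    if not PSK_MIN <= len(psk) <= PSK_MAX:
        problems.append("preshared_key: length outside 6-255")
    elif len(psk) < psk_floor:
        problems.append(f"preshared_key: shorter than local floor of {psk_floor}")
    for field in ("local_id", "remote_id", "ip_or_hostname"):
        if not cfg.get(field):
            problems.append(f"{field}: missing")
    if not _is_ip(cfg.get("source_ip", "")):
        problems.append("source_ip: not an IP address")
    probes = cfg.get("probe_ips", [])
    if not probes or not all(_is_ip(p) for p in probes):
        problems.append("probe_ips: need at least one valid IP address")
    wan = cfg.get("wan_interfaces", [])
    if not wan:
        problems.append("wan_interfaces: none assigned")
    elif len(wan) == 1:
        problems.append("wan_interfaces: only one interface, no failover path")
    for name in ("ikev2_lifetime", "ipsec_lifetime"):
        life = cfg.get(name)
        if life is not None and not LIFETIME_MIN <= life <= LIFETIME_MAX:
            problems.append(f"{name}: outside 180-86400 seconds")
    return problems

# Constructed sample entry (documentation address range, made-up names).
SAMPLE = {
    "local_id": "edge1@example.net", "remote_id": "sse@example.net",
    "preshared_key": "abc123", "ip_or_hostname": "sse.example.net",
    "source_ip": "192.0.2.10", "probe_ips": ["8.8.8.8"],
    "wan_interfaces": ["wan0"], "ikev2_lifetime": 120, "ipsec_lifetime": None,
}
```

Calling check_ipsec_provider(SAMPLE, psk_floor=20) flags the short PSK, the single WAN interface, and the IKEv2 lifetime below 180 seconds.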

Verification

On the Juniper Mist portal, you can verify the details of the established tunnels in WAN Insights of the device once the WAN Edge Tunnel Auto Provision Succeeded event appears under WAN Edge Events.

Once you update the template, the IPsec configuration is pushed to the WAN Edge device. For a first-time IPsec deployment, the system takes time to download the software and configuration.

Once the IPsec configuration has been deployed, you can see the IPsec status by navigating to WAN Edge > WAN Edge Name > Secure Edge Connector Details.

You can view BGP neighbor status by navigating to Monitor > Insights > WAN Edge.

You can view learned routes by navigating to WAN Edge > Utilities > Testing Tools > Routes > Show Routes.