Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Configure a Third-Party Tunnel

With Juniper Mist, you can create a tunnel to third-party VPN concentrators by using Layer 2 Tunneling Protocol version 3 (L2TPv3), which is the default protocol, or dynamic multipoint VPN (DMVPN). Additional tunnel options include aggregating the Ethernet interfaces on the access point (AP), supporting dynamic or static tunnels, and IPsec.

To configure a third-party tunnel:

  1. Select Organization > Wireless | WLAN Templates, and click the WLAN template that you want to add the tunnel to.
  2. In the 3rd Party Tunnels section, click Add Tunnel.
  3. When the Create Tunnel page appears, enter a name for the tunnel.
  4. Specify the IP address or hostname of the remote peer at the opposite end of the tunnel.
  5. Specify the outer maximum transmission unit (MTU) value of the TCP packet.
    Packets larger than this are split. Note that GRE tunnels add a 24-byte header to the packet.
  6. Select an authentication method.
    We recommend Hashed Message Authentication Code (HMAC)-SHA1.
  7. If you need to support multipoint VPN tunneling, select DMVPN, or leave it unselected to use L2TPv3.

    For example, you would enable DMVPN for multisite communication over a service provider network where IP address assignment is subject to change.

    If you enable DMVPN, also configure the settings:

    • Hosts Routed via DMVPN—Enter the IP addresses (separated with a comma) that you want to route through this tunnel.

      IPSec—Enable this option (recommended) to encrypt traffic on the tunnel. In the PSK field, type your preshared key.

  8. Under Protocol, specify whether to use an IP or UDP port for the remote peer.
    If you select UDP, also enter the port number used by the peer.
  9. Select the type of tunnel:
    • Dynamic—These tunnels are set up only for the time of use. If you select this option, also specify the Router ID and host names in the SCCRQ Control Message Overrides field to identify the endpoints for which you want to override the SCCRQ messages.

      Static—These tunnels remain established even when not in use.

  10. Under SessionS (pseudowireS), set up Ethernet-based or VLAN-based sessions to tunnel client AP traffic to the remote end.
    • Enter the Remote End ID.

      Specify connection type. Select Ethernet to tunnel native Ethernet frames, or select VLAN. With VLAN, you can select 802.1ad to support double-tagging.

    • If needed, click Create a Session to add more sessions.

  11. Click Create at the bottom of the Create Tunnel page to add the tunnel to the WLAN template.
  12. To save the template changes, click Save at the top of the page.