Step 1: Creating a Custom IPSec Gateway in Jamf Security Cloud

Jamf Connect Documentation


Use this process to create a secure connection with your Juniper router.

Requirements

Jamf Security Cloud Super Admin access

  1. In Jamf Security Cloud, navigate to Integrations > Access gateways.
  2. On the Dedicated gateways tab in the Dedicated IPSec gateways section, click Create gateway.
  3. Under Custom IPSec, click Create gateway.
  4. In the General pane, configure the following settings:
    1. Enter an IPSec name for the gateway.

      This name will be used when selecting it as a routing destination within access policies.

    2. Select the name of your router vendor in the IPSec network vendor menu.
    3. Enter your VPN technical contact's name and email address.
    4. Click Next.
  5. In the Provisioning pane, configure the following settings:
    1. Use the Egress region menu to select the global Jamf data center in which this gateway should be provisioned.
      Note:

      The selected region generally should be as geographically close to your destination network equipment as possible.

    2. Under Jamf Security Cloud IPSec source IP addresses, select Dynamic addressing.
    3. Click Next.
  6. In the Connectivity and Authentication pane, configure the following settings:
    1. In the Your IPSec gateway IP address field, enter your router's IP address.
    2. The Jamf Security Cloud IKE domain ID is set to wpa.wandera.com by default. If your router or firewall does not support the use of fully qualified domain names as IPSec domain IDs, you must replace the default value with one of the Jamf Security Cloud IPSec source outbound IP addresses from the Provisioning step.
    3. Enter Your IKE Domain ID.

      This is a unique identifier used to identify and establish this IPSec tunnel. This must be a fully qualified domain name, with a value like jamf.mycompany.com. You will need to use this exact value when configuring your router.

    4. Click Generate secret then Copy secret.
    5. Paste the password into a secure location, such as a note in a password manager.
    6. Select the I have saved the authentication secret checkbox.
      Note:

      You can change the shared secret in the future, but cannot view it for security purposes.

    7. Click Next.
  7. In the Proposals and Cyphers pane, configure the following settings:
    1. Ensure the Key exchange protocol is set to "IKEv2".
    2. Set Phase 1: Encryption and Phase 2: Encryption to "AES-256".
    3. Set Phase 1: Integrity and Phase 2: Integrity to "SHA-256".
    4. Set Phase 1: Diffie-Hellman Groups and Phase 2: Diffie-Hellman Groups to "Group 19 (ecp256)".
    5. Set Security Association (SA) Lifetime and Child Security Association (SA) Lifetime to 28800 seconds.
      Note:

      If your organization has specific encryption and cipher requirements, modify the above settings accordingly. Also, modify your router settings when setting up that side of the tunnel.

    6. Click Next.
  8. On the Encryption domain pane, configure the following settings:
    1. Select a Jamf Security Cloud Subnet using the IP address picker.

      The picker limits available IPs to those in the RFC1918 defined range.

      Jamf suggests the 192.168.233.0/24 range, provided that it isn't already defined elsewhere in your network.

    2. Note the resulting Last IP from range (Pingable ICMP Test Address) that is generated.

      You can use this IP address to validate that the Jamf side of the tunnel is reachable from your router.

    3. In the Customer Subnets field, type your network subnet in CIDR format and click Add.

      These are the network subnets (typically your application servers) that remote Jamf Trust users will be able to reach via this gateway, provided that their device is allowed by all Zero Trust policies. If you want to make all IPs reachable via this gateway, set this field to 0.0.0.0/0.

      Note:

      Encryption domains are the IP addresses (network subnets) at either end of the tunnel that should be encrypted and able to route to each other. These can be single hosts or multiple networks.

  9. Click Next.
  10. Confirm that your settings are all correct, then click Save and create.

The VPN route is created on the Jamf side of the gateway. Click the name of the newly created gateway from the Dedicated gateways tab if you want to review the details.
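The Encryption domain step above is where most tunnel build-outs go wrong: a Jamf subnet outside RFC 1918, or one that collides with a customer subnet or an existing internal range, means the two encryption domains cannot route to each other. The following pre-flight check is an added example written for this page, not Jamf's own code or tooling; it assumes the "Last IP from range (Pingable ICMP Test Address)" is the last usable host of the Jamf subnet, which you should confirm against what the console actually displays.

```python
import ipaddress

# Private ranges the Jamf IP address picker restricts the Jamf subnet to (RFC 1918).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(net: ipaddress.IPv4Network) -> bool:
    """True if the network lies entirely inside one of the RFC 1918 blocks."""
    return any(net.subnet_of(block) for block in RFC1918)


def pingable_test_address(net) -> str:
    """Assumption: the console's 'Last IP from range' is the last usable host of the Jamf subnet."""
    net = ipaddress.ip_network(net, strict=False)
    return str(net[-1] if net.prefixlen >= 31 else net[-2])


def check_encryption_domain(jamf_subnet: str, customer_subnets, existing_networks=()):
    """Validate the Encryption domain settings before clicking Save and create.

    Returns (ok, findings): ok is False if any ERROR line was produced.
    """
    findings = []
    try:
        jamf = ipaddress.ip_network(jamf_subnet, strict=True)  # strict: host bits must be zero
    except ValueError as exc:
        return False, [f"ERROR: Jamf subnet {jamf_subnet!r} is not a valid network address ({exc})"]
    if jamf.version != 4 or not is_rfc1918(jamf):
        return False, [f"ERROR: {jamf} is outside RFC 1918; the IP address picker will not offer it"]

    for cidr in customer_subnets:
        try:
            cust = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            findings.append(f"ERROR: customer subnet {cidr!r} is not valid CIDR ({exc})")
            continue
        if cust.prefixlen == 0:
            # 0.0.0.0/0 deliberately covers everything, so an overlap check is meaningless here.
            findings.append("WARN: 0.0.0.0/0 routes all Jamf Trust traffic via this gateway; confirm this is intended")
            continue
        if jamf.overlaps(cust):
            findings.append(f"ERROR: Jamf subnet {jamf} overlaps customer subnet {cust}; choose another Jamf range")

    for cidr in existing_networks:  # ranges already defined elsewhere in your network
        if jamf.overlaps(ipaddress.ip_network(cidr, strict=False)):
            findings.append(f"ERROR: Jamf subnet {jamf} is already defined elsewhere ({cidr})")

    ok = not any(f.startswith("ERROR") for f in findings)
    return ok, findings
```

Pass the ranges you intend to enter in the console, plus any internal ranges you already route, and fix every ERROR before saving; the returned test address is the one to ping from the router once the tunnel is up.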