Step 2: Creating a Juniper IPSec Site-to-Site Tunnel

Jamf Connect Documentation

  1. On the Juniper J-Web console, select VPN in the side menu, then "IPSec VPN".
  2. Click Create VPN.
  3. Click Site to Site to create a new Site-to-Site tunnel.
  4. Define the new tunnel as follows:
    1. Choose a name, for example Jamf_Private_Access.
    2. (Optional) Enter a Description.
    3. Set Routing Mode to "Traffic Selector (Auto Route Insertion)".
      Note:

      This is the recommended setting, but your network architecture may mean you need to use a different setting.

    4. Set Authentication method to "Pre-Shared Key".
    5. Set Auto-create firewall policy to "Yes".
      Note:

      This is the recommended setting, but your routing configuration may mean you need to use a different setting.

  5. Open the Remote Gateway configuration section and configure as follows:
    1. Set IKE Identity to "Host name".
    2. Set Host name to "wpa.wandera.com".
    3. In External IP Address enter a comma-separated list of the Jamf external IPs provided in Jamf Security Cloud when setting up the gateway.
    4. In Protected Networks select the "Jamf Security Side" subnet as defined in the Encryption Domain field in Jamf Security Cloud.

      If the Jamf Security Cloud-side subnet is not yet defined in the Available table of networks, click Add to enter it.

    5. Click OK.
    6. Commit the changes.
  6. Open the Local Gateway configuration settings and configure as follows:
    1. Set Local Identity to "Host name".
    2. Set Host Name to the value defined for the Customer IKE Domain in Jamf Security Cloud.
    3. For External interface, select the external interface that is assigned to the IP address defined in Jamf Security Cloud for Customer Primary IP Address.
    4. Select the tunnel interface to use, or add/edit one as required.
    5. In Pre-shared key, paste the pre-shared key that was generated in Jamf Security Cloud, and then select "ASCII" for the format.
    6. For Protected Networks, select from the Available list the networks that were defined on the customer side of the Encryption Domain in Jamf Security Cloud.
    7. Click Add to define any subnets that are missing from the Available list.
    8. Click OK.
  7. Click the IKE and IPsec Settings menu at the bottom of the page.
    1. Verify that the settings here are identical to the settings created when you set up the interconnect in Jamf Security Cloud.
    2. Under IKE Settings, configure the tunnel parameters, adjusting as required if you chose settings other than those suggested:
      • IKE version

        V2

      • Encryption algorithm

        AES-GCM 256-bit

      • DH group

        Group 19

      • Lifetime seconds

        28800

      • Dead peer detection

        (on)

      • DPD mode

        Optimized

      • DPD interval

        10

      • DPD threshold

        5

      • IKEv2 re-authentication

        0

      • IKEv2 fragmentation

        (on)

      • NAT-T

        (on)

    3. Under IPsec Settings, configure the tunnel parameters, adjusting as required if you chose settings other than those suggested:
      • Protocol

        ESP

      • Encryption algorithm

        AES-CBC 256-bit

      • Authentication algorithm

        HMAC-SHA-256-128

      • Perfect forward secrecy

        Group 19

      • Establish tunnel

        None

      • Anti replay

        (on)

      • DF bit

        Clear

      • Copy outer DSCP

        (on)

      • Lifetime seconds

        28800

  8. Review the configuration, then click Commit to publish the new configuration.
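The J-Web procedure above produces the same Junos configuration as the following set-style commands, which are useful for reviewing what was committed or for reproducing the tunnel on a second SRX. This is an added example, not configuration from Jamf or Juniper; the proposal, policy and gateway names, the external interface ge-0/0/0.0, the tunnel interface st0.0, the zone names trust, untrust and vpn, the peer addresses 192.0.2.10 and 192.0.2.11, the local identity vpn.example.com and the subnets 10.0.0.0/8 and 198.51.100.0/24 are placeholders to be replaced with the values from Jamf Security Cloud. The PRF algorithm is an assumption: J-Web does not show it, but Junos requires one when the IKE cipher is AES-GCM, which has no separate authentication algorithm.

```junos
## Added example: Junos set-style equivalent of the J-Web steps.
## Names, interfaces, addresses and subnets are placeholders, not values from
## Jamf or Juniper documentation; substitute those from Jamf Security Cloud.

## IKE proposal (IKEv2 SA): AES-256-GCM, DH group 19, 8-hour lifetime.
## AES-GCM is an AEAD cipher, so only a PRF is set (hmac-sha-256 is assumed).
set security ike proposal JAMF-IKE-PROP authentication-method pre-shared-keys
set security ike proposal JAMF-IKE-PROP dh-group group19
set security ike proposal JAMF-IKE-PROP encryption-algorithm aes-256-gcm
set security ike proposal JAMF-IKE-PROP prf-algorithm hmac-sha-256
set security ike proposal JAMF-IKE-PROP lifetime-seconds 28800

## IKE policy: the pre-shared key pasted exactly as generated in Jamf Security Cloud.
set security ike policy JAMF-IKE-POL proposals JAMF-IKE-PROP
set security ike policy JAMF-IKE-POL pre-shared-key ascii-text "PASTE-PSK-FROM-JAMF-SECURITY-CLOUD"

## IKE gateway: host-name identities, one address per Jamf external IP,
## IKEv2 only, DPD optimized / 10 s / 5 probes. NAT-T is on by default on SRX.
set security ike gateway JAMF-GW ike-policy JAMF-IKE-POL
set security ike gateway JAMF-GW address 192.0.2.10
set security ike gateway JAMF-GW address 192.0.2.11
set security ike gateway JAMF-GW local-identity hostname vpn.example.com
set security ike gateway JAMF-GW remote-identity hostname wpa.wandera.com
set security ike gateway JAMF-GW external-interface ge-0/0/0.0
set security ike gateway JAMF-GW version v2-only
set security ike gateway JAMF-GW dead-peer-detection optimized
set security ike gateway JAMF-GW dead-peer-detection interval 10
set security ike gateway JAMF-GW dead-peer-detection threshold 5

## IPsec proposal (child SA): ESP, AES-256-CBC, HMAC-SHA-256-128, 8-hour lifetime.
set security ipsec proposal JAMF-IPSEC-PROP protocol esp
set security ipsec proposal JAMF-IPSEC-PROP encryption-algorithm aes-256-cbc
set security ipsec proposal JAMF-IPSEC-PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal JAMF-IPSEC-PROP lifetime-seconds 28800

## IPsec policy: perfect forward secrecy with DH group 19.
set security ipsec policy JAMF-IPSEC-POL perfect-forward-secrecy keys group19
set security ipsec policy JAMF-IPSEC-POL proposals JAMF-IPSEC-PROP

## Route-based VPN on st0.0 with a traffic selector (auto route insertion):
## local-ip is the customer-side encryption domain, remote-ip the Jamf-side subnet.
## DF bit cleared, outer DSCP copied; anti-replay is on by default.
set security ipsec vpn JAMF-VPN bind-interface st0.0
set security ipsec vpn JAMF-VPN df-bit clear
set security ipsec vpn JAMF-VPN copy-outer-dscp
set security ipsec vpn JAMF-VPN ike gateway JAMF-GW
set security ipsec vpn JAMF-VPN ike ipsec-policy JAMF-IPSEC-POL
set security ipsec vpn JAMF-VPN traffic-selector TS-JAMF local-ip 10.0.0.0/8
set security ipsec vpn JAMF-VPN traffic-selector TS-JAMF remote-ip 198.51.100.0/24

## Tunnel interface, zones, IKE host-inbound traffic on the external interface,
## and the any/any zone policies that "Auto-create firewall policy" generates.
set interfaces st0 unit 0 family inet
set security zones security-zone vpn interfaces st0.0
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security policies from-zone trust to-zone vpn policy trust-to-jamf match source-address any
set security policies from-zone trust to-zone vpn policy trust-to-jamf match destination-address any
set security policies from-zone trust to-zone vpn policy trust-to-jamf match application any
set security policies from-zone trust to-zone vpn policy trust-to-jamf then permit
set security policies from-zone vpn to-zone trust policy jamf-to-trust match source-address any
set security policies from-zone vpn to-zone trust policy jamf-to-trust match destination-address any
set security policies from-zone vpn to-zone trust policy jamf-to-trust match application any
set security policies from-zone vpn to-zone trust policy jamf-to-trust then permit
```

Strip the comment lines before pasting into `load set terminal`, then `commit`. Confirm the tunnel with `show security ike security-associations` (the IKE SA must be UP for both peer addresses) and `show security ipsec security-associations` (one child SA per traffic selector with the expected ESP and lifetime values); `show security ipsec statistics` should show encrypted and decrypted counters rising once traffic flows. If the IKE SA never forms, compare every proposal value against the interconnect settings in Jamf Security Cloud, since a single mismatched cipher, DH group or identity fails the negotiation. The auto-created zone policies are any/any; once the tunnel works, restricting them to the customer-side and Jamf-side encryption-domain prefixes limits what a compromised peer or misrouted packet can reach.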