EdgeMax Router
To configure the tunnel in the EdgeMax Router through the CLI:

- Connect to the router through SSH (for example, using PuTTY) and then enter configuration mode.
- Enable the auto-firewall-nat-exclude feature, which automatically creates the IPsec firewall/NAT policies in the iptables firewall. Run:
  set vpn ipsec auto-firewall-nat-exclude enable
- Create the IKE / Phase 1 (P1) Security Associations (SAs). Run:
  set vpn ipsec ike-group FOO0 lifetime 28800
  set vpn ipsec ike-group FOO0 proposal 1 dh-group 14
  set vpn ipsec ike-group FOO0 proposal 1 encryption aes256
  set vpn ipsec ike-group FOO0 proposal 1 hash sha1
  set vpn ipsec ike-group FOO0 dead-peer-detection interval 15
  set vpn ipsec ike-group FOO0 dead-peer-detection timeout 30
- Create the ESP / Phase 2 (P2) SAs and enable Perfect Forward Secrecy (PFS). Run:
  set vpn ipsec esp-group FOO0 lifetime 3600
  set vpn ipsec esp-group FOO0 pfs enable
  set vpn ipsec esp-group FOO0 proposal 1 encryption aes256
  set vpn ipsec esp-group FOO0 proposal 1 hash sha1
- Define the remote peering address. Run:
  set vpn ipsec site-to-site peer <Your Perimeter81 Gateway IP> authentication mode pre-shared-secret
  set vpn ipsec site-to-site peer <Your Perimeter81 Gateway IP> authentication pre-shared-secret <secret key from Quantum SASE Administrator Portal>
  set vpn ipsec site-to-site peer <Your Perimeter81 Gateway IP> description ipsec
  set vpn ipsec site-to-site peer <Your Perimeter81 Gateway IP> local-address <Your Edgerouter WAN IP>
- Link the SAs created above to the remote peer and bind the VPN to a virtual tunnel interface (vti0). Run:
  set vpn ipsec site-to-site peer <Your Perimeter81 Gateway IP> ike-group FOO0
  set vpn ipsec site-to-site peer <Your Perimeter81 Gateway IP> vti bind vti0
  set vpn ipsec site-to-site peer <Your Perimeter81 Gateway IP> vti esp-group FOO0
- Configure the virtual tunnel interface (vti0) and assign it an internal IP address that is not used in any site. Run:
  set interfaces vti vti0 address 192.168.20.20/32
- Create a static route for the Harmony SASE subnet (the default is 10.255.0.0/16). Run:
  set protocols static interface-route 10.255.0.0/16 next-hop-interface vti0
- Commit the changes and save the configuration. Run:
  commit ; save
- In the EdgeMax Management portal, go to VPN - Site-to-Site Connection.
- Verify that the peer associated with the gateway IP address obtained from Harmony SASE has:
  - Remote subnet: 10.255.0.0/16 (or the local Harmony SASE gateway that you selected)
  - Local subnet: all the subnet ranges (CIDR) of your LAN devices
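The steps above are easy to mistype when the same peer address and group names recur on many lines. The following Python script is an added example, not part of this page or of any Ubiquiti or Check Point tooling: it renders the full `set` command sequence from a handful of parameters and then checks the result for the properties the procedure depends on (NAT exclusion enabled, PFS enabled, the peer bound to vti0, the referenced ike/esp groups actually defined, a static route for the SASE subnet, and a vti address that does not fall inside the SASE range or any of your LAN subnets). The function and class names, the RFC 5737 sample addresses and the `CHANGE-ME` secret are assumptions; substitute your own gateway IP, WAN IP and pre-shared secret before pasting the output into the router.

```python
"""Render and sanity-check the EdgeOS site-to-site IPsec configuration described
on this page. Added example: helper names and sample values are assumptions."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class TunnelParams:
    peer_ip: str                          # <Your Perimeter81 Gateway IP>
    psk: str                              # <secret key from the Administrator Portal>
    local_wan_ip: str                     # <Your Edgerouter WAN IP>
    vti_address: str = "192.168.20.20/32"  # value used on the page
    sase_subnet: str = "10.255.0.0/16"     # Harmony SASE default from the page
    lan_subnets: tuple = ()               # your LAN CIDRs, used only for the overlap check


def render_config(p: TunnelParams) -> list:
    """Return the EdgeOS 'set' commands in the order the procedure gives them."""
    ipaddress.ip_address(p.peer_ip)        # fail early on a malformed address
    ipaddress.ip_address(p.local_wan_ip)
    ipaddress.ip_interface(p.vti_address)
    ipaddress.ip_network(p.sase_subnet)
    if not p.psk:
        raise ValueError("pre-shared secret must not be empty")
    peer = "set vpn ipsec site-to-site peer " + p.peer_ip
    return [
        "set vpn ipsec auto-firewall-nat-exclude enable",
        "set vpn ipsec ike-group FOO0 lifetime 28800",
        "set vpn ipsec ike-group FOO0 proposal 1 dh-group 14",
        "set vpn ipsec ike-group FOO0 proposal 1 encryption aes256",
        "set vpn ipsec ike-group FOO0 proposal 1 hash sha1",
        "set vpn ipsec ike-group FOO0 dead-peer-detection interval 15",
        "set vpn ipsec ike-group FOO0 dead-peer-detection timeout 30",
        "set vpn ipsec esp-group FOO0 lifetime 3600",
        "set vpn ipsec esp-group FOO0 pfs enable",
        "set vpn ipsec esp-group FOO0 proposal 1 encryption aes256",
        "set vpn ipsec esp-group FOO0 proposal 1 hash sha1",
        peer + " authentication mode pre-shared-secret",
        peer + " authentication pre-shared-secret " + p.psk,
        peer + " description ipsec",
        peer + " local-address " + p.local_wan_ip,
        peer + " ike-group FOO0",
        peer + " vti bind vti0",
        peer + " vti esp-group FOO0",
        "set interfaces vti vti0 address " + p.vti_address,
        "set protocols static interface-route " + p.sase_subnet + " next-hop-interface vti0",
    ]


def check_config(lines, p: TunnelParams) -> list:
    """Return findings; an empty list means the config matches the procedure."""
    findings = []
    text = "\n".join(lines)
    required = {
        "auto-firewall-nat-exclude": "set vpn ipsec auto-firewall-nat-exclude enable",
        "PFS on the ESP group": "set vpn ipsec esp-group FOO0 pfs enable",
        "peer bound to vti0": "peer " + p.peer_ip + " vti bind vti0",
        "route to SASE subnet via vti0": "interface-route " + p.sase_subnet + " next-hop-interface vti0",
    }
    for label, needle in required.items():
        if needle not in text:
            findings.append("missing: " + label)
    # The ike-group / esp-group the peer references must actually be defined.
    for kind in ("ike-group", "esp-group"):
        m = re.search(r"peer \S+ (?:vti )?" + kind + r" (\S+)", text)
        if m and "set vpn ipsec " + kind + " " + m.group(1) + " " not in text:
            findings.append("peer references undefined " + kind + " " + m.group(1))
    # The vti address must not live inside the SASE range or any site's LAN.
    vti_host = ipaddress.ip_interface(p.vti_address).ip
    for cidr in (p.sase_subnet,) + tuple(p.lan_subnets):
        if vti_host in ipaddress.ip_network(cidr, strict=False):
            findings.append("vti address " + str(vti_host) + " overlaps " + cidr)
    return findings


# Constructed sample values (RFC 5737 documentation addresses, placeholder secret).
SAMPLE = TunnelParams(peer_ip="203.0.113.10", psk="CHANGE-ME-placeholder",
                      local_wan_ip="198.51.100.2", lan_subnets=("192.168.1.0/24",))

if __name__ == "__main__":
    cmds = render_config(SAMPLE)
    print("\n".join(cmds))
    print("findings:", check_config(cmds, SAMPLE) or "none")
```

Paste the printed lines into configuration mode on the router, then `commit ; save` as the page describes. The proposal values are the page's own (aes256, sha1, dh-group 14); if the Harmony SASE gateway side also supports sha256, only the two `hash` lines need to change to use the stronger algorithm.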