IPsec Site-2-Site VPN Tunnel

Prerequisites

Make sure your edge device (firewall or router) supports IPsec point to point tunnel using IKEv1 or IKEv2 protocols.

IPSec Handshake

The IPSec Site-2-Site VPN tunnel employs a two-phase handshake.

Phase I (IKE or Gateway)

This is the security association responsible for the external IP communication between the Harmony SASE network and the remote IP through the port 500/4500. The following information is required for Phase I. This information must match in both Harmony SASE and the remote side of the tunnel:

• Shared Secret

• Public IP

• Remote ID

• IKE Version

• IKE Lifetime

• Encryption (Phase I)

• Integrity (Phase I)

• Diffie-Hellman Groups (Phase I)

Phase II (ESP or Tunnel):

This is the security association responsible for the internal LAN range or subnet handshake after establishing the IKE SA .

The following information is required for Phase II. This information must match in both Harmony SASE and the remote side of the tunnel:

• Harmony SASE Gateway Proposal Subnets

• Remote Gateway Proposal Subnets

• Tunnel Lifetime

• Dead Peer Detection (DPD)

• Encryption (Phase II)

• Integrity (Phase II)

• Diffie-Hellman Groups (Phase II)

Policy-Based and Route-Based IPSec Connection

Policy-based connection is easier to set up but is more vulnerable to IPSec tunnel value mismatch.

Depending on your device, a single missing subnet may cause the Phase II negotiation to fail.

Route-based connection is also known as a Tunnel Interface or VTI.

It is a more modern and stable method of IPSec tunneling. Once established, it uses one subnet (0.0.0.0/0) for the handshake, thereby reducing the chances of an error during renegotiation.

Supported Integrations

On-premises SD-WAN		Cloud-based SD-WAN
Firewall	Router
Barracuda Firewall Check Point Firewall Cisco ASA Firewall Cisco Meraki Router FortiGate Next Generation Firewall Juniper Networks ScreenOS Firewall Juniper (JunOS) SRX Firewall Palo Alto Firewall pfSense Firewall SonicWall Firewall Sophos XG Firewall UniFi USG Firewall WatchGuard Firewall Zyxel USG Firewall	Cisco Meraki Router D-Link DSR Series Router DrayTek Vigor2862 Router DrayTek Vigor3900 Router EdgeMax Router Linksys Router Netgear BR500 Router	Single Tunnel AWS Virtual Gateway AWS Transit Gateway Google Cloud Platform Azure Virtual Network Gateway Redundant Tunnels AWS Redundant Tunnels - Virtual Private Gateway AWS Redundant Tunnels - Transit Gateway Google Cloud Platform (GCP) Redundant Tunnels Azure Virtual Network Gateway Redundant Tunnels Azure Virtual WAN Redundant Tunnels Other Cloud Options Alibaba Cloud Heroku Enterprise IBM Cloud

High-Level Procedure

1. Make sure you have the required prerequisites.

2. Configure the tunnel in the Harmony SASEAdministrator Portal.

3. Configure the required Firewall / Router / Cloud Management Portal:

   On-premises		Cloud-based Resource
   Firewall	Router
   Barracuda Firewall Check Point Firewall Cisco ASA Firewall Cisco Meraki Router FortiGate Next Generation Firewall Juniper Networks ScreenOS Firewall Juniper (JunOS) SRX Firewall Palo Alto Firewall pfSense Firewall SonicWall Firewall Sophos XG Firewall UniFi USG Firewall WatchGuard Firewall Zyxel USG Firewall	Cisco Meraki Router D-Link DSR Series Router DrayTek Vigor2862 Router DrayTek Vigor3900 Router EdgeMax Router Linksys Router Netgear BR500 Router	Single Tunnel AWS Virtual Gateway AWS Transit Gateway Google Cloud Platform Azure Virtual Network Gateway Redundant Tunnels AWS Redundant Tunnels - Virtual Private Gateway AWS Redundant Tunnels - Transit Gateway Google Cloud Platform (GCP) Redundant Tunnels Azure Virtual Network Gateway Redundant Tunnels Azure Virtual WAN Redundant Tunnels Other Cloud Options Alibaba Cloud Heroku Enterprise IBM Cloud

4. Verify the setup.