AWS Redundant Tunnels - Virtual Private Gateway

Prerequisites

  • An active Harmony SASE Administrator Portal account and network.

  • Make sure you have installed the Harmony SASE Agent on your devices.

  • Administrator account in the Firewall/ Router/ Cloud Management Portal.

  • Your Harmony SASE network must have at least two different gateways in the same network.

    Notes -

    • You can deploy the gateways in two separate regions for comprehensive ISP redundancy.

    • You can scale up the network. Adding another region does not affect the connection.

Step 1 - Configurations in the AWS Management Console

Creating a Virtual Private Gateway

Note - If you already have a Virtual Private Gateway in your AWS region, skip this procedure.

  1. Access the AWS Management Console and go to the VIRTUAL PRIVATE NETWORK (VPN) section.

  2. Click Virtual Private Gateways > Create Virtual Private Gateway.

  3. Create the Virtual Private Gateway with the default settings.

  4. Select the newly created Virtual Private Gateway and on the top, click Actions > Attach to VPC.

    The Attach to VPC window appears.

  5. From the VPC drop-down list, select the relevant VPC.

  6. Click Yes, Attach.

Creating Two Customer Gateways

  1. Access the AWS Management Console and go to the VIRTUAL PRIVATE NETWORK (VPN) section.

  2. Click Customer Gateway > Create Customer Gateway.

    The Create Customer Gateway window appears.

  3. Enter these:

    1. Name - Name of the gateway.

    2. Routing - Dynamic.

    3. IP Address - IP address of the first Harmony SASE gateway.

    4. BGP ASN - ASN for the Harmony SASE gateway. Keep it as 65000.

  4. Click Create Customer Gateway.

  5. To create the second Customer Gateway, repeat steps 1-4.

    In the IP Address field, enter the IP address of the second Harmony SASE gateway. Keep the same BGP ASN (65000) for both Customer Gateways.

Creating Two Site-to-Site VPN Connections

  1. Access the AWS Management Console.

  2. In your AWS VPC, in the VIRTUAL PRIVATE NETWORK (VPN) section, click Site-to-Site VPN Connections > Create VPN Connection.

    The Create VPN Connection window appears.

  3. Enter these:

    1. Target Gateway Type - Virtual Private Gateway.

    2. Virtual Private Gateway - Select the first Virtual Private Gateway created.

    3. Customer Gateway - Existing.

    4. Customer Gateway ID - Select the first Customer Gateway created.

    5. Routing Options - Dynamic (requires BGP).

      Keep the other options to default.

  4. Click Download Configuration.

    The Download configuration window appears.

  5. Enter these:

    1. Vendor - Generic

    2. Platform - Generic

    3. Software - Vendor Agnostic

    4. IKE version - IKEv2

  6. Click Download.

    The system downloads the file. Rename the file Tunnel_1.txt.

  7. Repeat steps 1-6 for the second Customer Gateway.

  8. Rename the second downloaded file Tunnel_2.txt.

Creating Static Routes

  1. Access the AWS Management Console and go to VPC.

  2. Select the corresponding VPC attached to the Virtual Private Gateway and then select the Main Route Table for the VPC.

  3. Edit the Main Route Table for the VPC:

    1. In the Destination column, add the subnet (CIDR range) of your Harmony SASE network.

    2. In the Target column, select the Virtual Private Gateway. This is the reverse route that returns traffic from the VPC to the Harmony SASE network.

      Note - If the subnets of the VPC are not associated with the Main Route Table, locate the route table of each subnet associated with the VPC and add the same reverse route for the Harmony SASE internal subnet range there as well. A subnet whose route table lacks this route receives traffic from the tunnel but cannot answer it.
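A check that fits the note above: the route to the Harmony SASE range must exist in the route table each subnet actually uses, not only in the Main Route Table. The following Python script is an added example, not Check Point or AWS code. It reads the JSON that `aws ec2 describe-route-tables` returns (RouteTables[].Routes[] and RouteTables[].Associations[]) together with a list of the VPC's subnet IDs, resolves which table applies to each subnet (explicit association, otherwise the main table), and reports every subnet whose table has no active route covering the Harmony SASE range with the Virtual Private Gateway as target. The route tables, subnet IDs, VGW ID and Harmony SASE range below are constructed placeholders; in practice you would feed it the saved output of the describe call and the output of `aws ec2 describe-subnets` for the VPC.

```python
# Added example (not Check Point or AWS code): report VPC subnets whose effective
# route table lacks the reverse route to the Harmony SASE network via the VGW.
from __future__ import annotations

import ipaddress
import json

SASE_CIDR = "10.255.0.0/16"         # assumed Harmony SASE network range (placeholder)
VGW_ID = "vgw-0123456789abcdef0"    # assumed Virtual Private Gateway ID (placeholder)

# Constructed stand-in for `aws ec2 describe-route-tables --filters Name=vpc-id,Values=<vpc-id>`
# output: the main table carries the reverse route, but subnet-ccc... is explicitly
# associated with its own table, which never received it.
ROUTE_TABLES_JSON = json.dumps({"RouteTables": [
    {"RouteTableId": "rtb-main00000000001", "VpcId": "vpc-0123456789abcdef0",
     "Associations": [{"Main": True, "RouteTableId": "rtb-main00000000001"}],
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
         {"DestinationCidrBlock": SASE_CIDR, "GatewayId": VGW_ID, "State": "active",
          "Origin": "CreateRoute"}]},
    {"RouteTableId": "rtb-priv00000000002", "VpcId": "vpc-0123456789abcdef0",
     "Associations": [{"Main": False, "SubnetId": "subnet-ccc00000000003",
                       "RouteTableId": "rtb-priv00000000002"}],
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
         {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123456789abcdef0",
          "State": "active"}]},
]})
SUBNET_IDS = ["subnet-aaa00000000001", "subnet-bbb00000000002", "subnet-ccc00000000003"]


def effective_route_table(route_tables: list[dict], subnet_id: str) -> dict | None:
    """An explicit subnet association wins; otherwise the VPC's main table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def has_reverse_route(rt: dict, sase_cidr: str, vgw_id: str) -> bool:
    """True if an active route whose destination covers sase_cidr targets vgw_id.
    A 0.0.0.0/0 route to a NAT or internet gateway does not count: the return
    traffic has to reach the Virtual Private Gateway, not the internet."""
    wanted = ipaddress.ip_network(sase_cidr)
    for route in rt.get("Routes", []):
        dest = route.get("DestinationCidrBlock")        # IPv6/prefix-list routes skipped
        if not dest or route.get("State") != "active" or route.get("GatewayId") != vgw_id:
            continue
        if ipaddress.ip_network(dest).supernet_of(wanted):
            return True
    return False


def audit_reverse_routes(describe_json: str, subnet_ids: list[str],
                         sase_cidr: str = SASE_CIDR, vgw_id: str = VGW_ID) -> dict[str, str]:
    """Map each subnet to 'ok', 'missing:<route table id>' or 'no-route-table'."""
    tables = json.loads(describe_json)["RouteTables"]
    report: dict[str, str] = {}
    for subnet in subnet_ids:
        rt = effective_route_table(tables, subnet)
        if rt is None:
            report[subnet] = "no-route-table"
        elif has_reverse_route(rt, sase_cidr, vgw_id):
            report[subnet] = "ok"
        else:
            report[subnet] = f"missing:{rt['RouteTableId']}"
    return report


if __name__ == "__main__":
    for subnet, status in audit_reverse_routes(ROUTE_TABLES_JSON, SUBNET_IDS).items():
        print(f"{subnet}: {status}")
```

The two subnets without an explicit association resolve to the main table and pass; the third is flagged with the ID of the table that needs the route. A route is accepted only when its destination covers the whole Harmony SASE range and its GatewayId is the VGW, so a more specific or a default route pointing elsewhere does not hide the gap.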

Step 2 - Creating the Tunnels in the Harmony SASE Administrator Portal

  1. Access the Harmony SASE Administrator Portal and click Networks.

  2. Click the network where you want to create the tunnel.

  3. In one of the gateways, open the gateway menu and click Add Tunnel.

  4. Click IPSec Site-2-Site Tunnel and click Continue.

  5. Select Redundant Tunnels and click Continue.

    The Redundant IPSec Tunnels window appears.

  6. For the first tunnel:

    1. Expand the Tunnel 01 drop-down.

    2. To populate the tunnel configuration values automatically, click Upload File and upload the Tunnel_1.txt file.

    3. To configure the tunnel manually, copy these values from the Tunnel_1.txt file:

      1. Shared Secret - Pre-Shared Key.

      2. Harmony SASE gateway Internal IP - Inside IP Addresses, Customer Gateway.

      3. Remote Public IP and Remote ID - Outside IP Addresses, Virtual Private Gateway.

      4. Remote Gateway internal IP - Inside IP Addresses, Virtual Private Gateway. The file shows this address with a /30 prefix length; paste the address only, without the /30.

      5. Remote Gateway ASN - Virtual Private Gateway ASN, from the BGP Configuration Options section of the file.

  7. Enter the copied values in the corresponding Tunnel 01 fields.

  8. For the second tunnel, expand the Tunnel 02 drop-down and repeat steps 6 and 7 with the values from the Tunnel_2.txt file.

  9. In the Shared Settings section:

    1. In the Proposal Subnets field, select Any (0.0.0.0/0) for both sides.

    2. In the ASN field, enter the same BGP ASN that you configured for the Customer Gateways in the AWS Management Console (65000 in this procedure). AWS brings up the BGP session only if the ASN announced by the Harmony SASE gateway matches the Customer Gateway ASN.

  10. In the Advanced Settings section, enter the values for your tunnel type. For this procedure, use the "Redundant Tunnels - AWS Virtual Private Gateway" row.

    Column key: IKE = IKE Version; IKE LT = IKE Lifetime; Tun LT = Tunnel Lifetime; DPD D = Dead Peer Detection Delay; DPD T = Dead Peer Detection Timeout; Enc P1 / Enc P2 = Encryption (Phase 1 / Phase 2); Int P1 / Int P2 = Integrity (Phase 1 / Phase 2); DH P1 / DH P2 = Diffie Hellman Groups (Phase 1 / Phase 2).

    Tunnel type                                     | IKE | IKE LT | Tun LT | DPD D | DPD T | Enc P1 | Enc P2 | Int P1 | Int P2 | DH P1 | DH P2
    ------------------------------------------------|-----|--------|--------|-------|-------|--------|--------|--------|--------|-------|------
    Amazon AWS
    Single Tunnel - AWS Virtual Gateway             | V2  | 8h     | 1h     | 10s   | 30s   | aes256 | aes256 | sha512 | sha512 | 21    | 21
    Single Tunnel - AWS Transit Gateway             | V2  | 8h     | 1h     | 10s   | 30s   | aes256 | aes256 | sha512 | sha512 | 21    | 21
    Redundant Tunnels - AWS Virtual Private Gateway | V2  | 8h     | 1h     | 10s   | 30s   | aes256 | aes256 | sha512 | sha512 | 21    | 21
    Redundant Tunnels - AWS Transit Gateway         | V2  | 8h     | 1h     | 10s   | 30s   | aes256 | aes256 | sha512 | sha512 | 21    | 21
    Google Cloud Platform
    Single Tunnel (1)                               | V2  | 8h     | 1h     | 10s   | 30s   | aes256 | aes256 | sha512 | sha512 | 21    | 21
    Redundant Tunnels                               | V2  | 8h     | 1h     | 10s   | 30s   | aes256 | aes256 | sha512 | sha512 | 21    | 21
    Microsoft Azure
    Single Tunnel - Azure Virtual Network Gateway   | V2  | 3600s  | 27000s | 10s   | 45s   | aes256 | aes256 | sha1   | sha1   | 2     | 2
    Redundant Tunnels - Virtual Network Gateway     | V2  | 9h     | 9h     | 10s   | 30s   | aes256 | aes256 | sha1   | sha1   | 2     | 2
    Redundant Tunnels - Virtual WAN                 | V2  | 8h     | 1h     | 10s   | 30s   | aes256 | aes256 | sha256 | sha256 | 14    | 14
    Other tunnel types
    Alibaba Cloud                                   | V1  | 8h     | 1h     | 10s   | 30s   | aes256 | aes256 | sha1   | sha1   | 2     | 2
    IBM Cloud                                       | V1  | 8h     | 1h     | 10s   | 30s   | aes256 | aes256 | sha256 | sha256 | 21    | 21

    (1) Suggested values. For other supported ciphers, see this Google article.

  11. Click Add Tunnel.
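For the manual configuration in step 6, the following Python script is an added example, not Check Point or AWS code. It parses the Generic / Vendor Agnostic configuration file downloaded in Step 1, splits it into its tunnel sections (each AWS download describes the two tunnels of one VPN connection), and maps the values onto the form fields: Pre-Shared Key to Shared Secret, the inside Customer Gateway address to Harmony SASE gateway Internal IP, the outside Virtual Private Gateway address to Remote Public IP and Remote ID, the inside Virtual Private Gateway address without its /30 to Remote Gateway internal IP, and the Virtual Private Gateway ASN to Remote Gateway ASN. It also checks that both inside addresses fall in one /30 and that the Customer Gateway ASN in the file matches the 65000 configured in AWS, so a file downloaded for the wrong VPN connection is caught before the tunnel is saved. The sample file content is constructed for illustration; the key names it matches are those of the AWS download, and the parser tolerates the uneven spacing AWS uses.

```python
# Added example (not Check Point or AWS code): maps the AWS "Generic / Vendor Agnostic"
# VPN configuration download onto the fields of the Redundant IPSec Tunnels form.
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed sample modelled on the AWS download (documentation/link-local addresses,
# dummy keys). Real files carry far more "!" comment lines; those are skipped.
SAMPLE_TUNNEL_FILE = """\
! ------------------------------------------------------------
! IPSec Tunnel #1
! #1: Internet Key Exchange Configuration
!   - Pre-Shared Key           : EXAMPLEpskTunnel1DoNotUse
! Outside IP Addresses:
!   - Customer Gateway         : 203.0.113.10
!   - Virtual Private Gateway  : 198.51.100.21
! Inside IP Addresses
!   - Customer Gateway         : 169.254.44.2/30
!   - Virtual Private Gateway  : 169.254.44.1/30
! BGP Configuration Options:
!   - Customer Gateway ASN     : 65000
!   - Virtual Private  Gateway ASN : 64512
! ------------------------------------------------------------
! IPSec Tunnel #2
!   - Pre-Shared Key           : EXAMPLEpskTunnel2DoNotUse
! Outside IP Addresses:
!   - Customer Gateway         : 203.0.113.10
!   - Virtual Private Gateway  : 198.51.100.22
! Inside IP Addresses
!   - Customer Gateway         : 169.254.45.2/30
!   - Virtual Private Gateway  : 169.254.45.1/30
! BGP Configuration Options:
!   - Customer Gateway ASN     : 65000
!   - Virtual Private  Gateway ASN : 64512
"""

@dataclass
class HarmonyTunnelFields:
    tunnel: int
    shared_secret: str               # Shared Secret
    sase_gateway_internal_ip: str    # Harmony SASE gateway Internal IP
    remote_public_ip: str            # Remote Public IP and Remote ID
    remote_gateway_internal_ip: str  # Remote Gateway internal IP, without the /30
    remote_gateway_asn: int          # Remote Gateway ASN
    customer_gateway_asn: int        # must equal the ASN entered in Shared Settings

_SECTION_RE = re.compile(r"IPSec Tunnel #(\d+)", re.IGNORECASE)
_CONTEXT_RE = re.compile(r"^(Outside|Inside) IP Addresses", re.IGNORECASE)
_KV_RE = re.compile(r"^-\s*(.+?)\s*:\s*(\S.*?)\s*$")


def parse_tunnel_sections(text: str) -> dict[int, dict[str, str]]:
    """Return {tunnel number: {normalised key: value}}. "Customer Gateway" and "Virtual
    Private Gateway" occur under both Outside and Inside, so they get that prefix."""
    sections: dict[int, dict[str, str]] = {}
    current: dict[str, str] | None = None
    context = ""
    for raw in text.splitlines():
        line = raw.lstrip("! \t").rstrip()          # strip the "!" comment marker
        if m := _SECTION_RE.search(line):
            current = sections.setdefault(int(m.group(1)), {})
            context = ""
        elif current is None:
            continue
        elif m := _CONTEXT_RE.match(line):
            context = m.group(1).lower()
        elif m := _KV_RE.match(line):
            key = " ".join(m.group(1).lower().split())  # AWS pads keys unevenly
            if key in ("customer gateway", "virtual private gateway") and context:
                key = f"{context} {key}"
            current[key] = m.group(2)
    return sections


def to_harmony_fields(tunnel: int, sec: dict[str, str],
                      expected_cgw_asn: int = 65000) -> HarmonyTunnelFields:
    sase_inside = ipaddress.ip_interface(sec["inside customer gateway"])
    remote_inside = ipaddress.ip_interface(sec["inside virtual private gateway"])
    fields = HarmonyTunnelFields(
        tunnel=tunnel,
        shared_secret=sec["pre-shared key"],
        sase_gateway_internal_ip=str(sase_inside.ip),      # /30 dropped
        remote_public_ip=sec["outside virtual private gateway"],
        remote_gateway_internal_ip=str(remote_inside.ip),  # /30 dropped
        remote_gateway_asn=int(sec["virtual private gateway asn"]),
        customer_gateway_asn=int(sec["customer gateway asn"]),
    )
    if sase_inside.network != remote_inside.network:       # both ends share one /30
        raise ValueError(f"tunnel {tunnel}: inside addresses are not in one /30")
    if fields.customer_gateway_asn != expected_cgw_asn:     # file must match the CGW you created
        raise ValueError(f"tunnel {tunnel}: Customer Gateway ASN {fields.customer_gateway_asn} "
                         f"!= configured {expected_cgw_asn}")
    return fields


def harmony_fields_from_file(text: str, expected_cgw_asn: int = 65000) -> list[HarmonyTunnelFields]:
    return [to_harmony_fields(n, sec, expected_cgw_asn)
            for n, sec in sorted(parse_tunnel_sections(text).items())]
```

Run `harmony_fields_from_file(open("Tunnel_1.txt").read())` on a downloaded file and copy the fields of the section you are configuring into the Tunnel 01 form; repeat with Tunnel_2.txt for Tunnel 02. The ASN check takes the value you gave the Customer Gateway, so pass `expected_cgw_asn` if you did not keep 65000.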