Google Cloud Platform (GCP) Redundant Tunnels

Prerequisites

  • An active Harmony SASE Administrator Portal account and network.

  • Make sure you have installed the Harmony SASE Agent on your devices.

  • Administrator account in the Firewall/Router/Cloud Management Portal.

  • Your Harmony SASE network must have at least two different gateways in the same network.

    Notes -

    • You can deploy the gateways in two separate regions for comprehensive ISP redundancy.

    • You can scale up the network. Adding another region does not affect the connection.

Step 1 - Configurations in the GCP Console

Creating a VPN Gateway

  1. Access the GCP console and in the Network Connectivity section, click VPN.

  2. Click Cloud VPN Gateways > Create VPN Gateway.

  3. Enter these:

    1. Name - Name of the gateway.

    2. Network - GCP network you want to access through Harmony SASE.

    3. Region - Region where your resources are located.

  4. Click Create.

    The system creates two interfaces, Interface 0 and Interface 1.

Adding a Redundant VPN Tunnel

  1. Access the GCP console and go to the VPN gateway you created and click Add VPN Tunnel.

  2. Enter these:

    1. Peer VPN gateway - On-prem or Non-Google Cloud.

    2. Click the drop-down menu in Peer VPN gateway name and select Create new peer VPN gateway.

      The Add a peer VPN gateway window appears.

    3. In the Name field, enter the name of the peer VPN gateway that represents the setup at the Harmony SASE side.

    4. In the Peer VPN gateway interfaces section, select two interfaces.

    5. In the Interface 0 IP address field, enter the IP address of the first Harmony SASE gateway.

    6. In the Interface 1 IP address field, enter the IP address of the second Harmony SASE gateway.

    7. Click Create.

    8. In the High availability section, select Create a pair of VPN tunnels.

    9. In the Routing options section, click the Cloud Router drop-down menu, and select Create a new router.

      The Cloud router in GCP manages your BGP ASN routes.

      1. Name your Cloud router.

      2. Set Google ASN to 65111 (This can be any value. Note this value as it is required to configure the tunnel in the Harmony SASE Administrator Portal).

        The following steps are optional. Perform them only if you have a peered VPC to reach through the tunnel:

        1. In Advertised routes, select Create custom routes.

        2. Select Advertise all subnets visible to the Cloud Router.

        3. In Custom ranges, click Add Custom Route.

        4. In New custom route, enter the network CIDR for the peered VPC and click Done.

        5. Repeat the last two steps for each range you need to route through the tunnel.

      3. Click Create.

    10. In the VPN tunnel section, select the first VPN tunnel and name it according to the gateway you created in Harmony SASE.

      1. In the IKE pre-shared key field, click Generate and copy.

        Special characters except dot (.) and underscore (_) are not allowed.

    11. Select the second VPN tunnel and name it according to the gateway you created in Harmony SASE.

      1. In the IKE pre-shared key field, paste the IKE pre-shared key you copied in the previous step.

        Note - This IKE Pre-shared key is used later to establish a handshake between the sites.

      2. Click Done.

    12. Click Create and continue.

Configuring Border Gateway Protocol (BGP) Routes

  1. Access the GCP console and go to the tunnel where you want to configure the route and click Configure.

  2. For Tunnel 1, set the BGP routes according to this image.

    1. In the Peer ASN field, set the value as 65000. It represents the BGP route for Harmony SASE.

    2. For Cloud Router BGP IP and BGP peer IP fields, select a unique Link-local address.

  3. Click Save and Continue.

  4. For Tunnel 2, set the BGP routes according to this image.

    1. In the Peer ASN field, set the value as 65000. It represents the BGP route for Harmony SASE.

    2. For Cloud Router BGP IP and BGP peer IP fields, select a unique Link-local address.

  5. Click Save and Continue.

  6. Click Save BGP Configuration.

    When the tunnel setup is complete, the BGP status is displayed as Waiting for peer until the tunnels are set up in Harmony SASE.
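The GCP side of the procedure above (VPN gateway, peer gateway with two interfaces, Cloud Router, tunnel pair and BGP sessions), expressed as an added gcloud plan. This is example code written for this page, not Check Point's or Google's own tooling. It enforces the page's pre-shared key character rule, allocates a distinct /30 inside 169.254.0.0/16 for each tunnel's Cloud Router BGP IP and BGP peer IP, and uses the ASNs the page gives (65111 for the Cloud Router, 65000 for the Harmony SASE peer). The resource names, VPC name, region and the 203.0.113.x gateway addresses are placeholders; the emitted tunnel commands read the PSK from the IKE_PSK environment variable so the printed plan itself contains no secret.

```python
import ipaddress
import re
import secrets
import string

# Values taken from the procedure above
GOOGLE_ASN = 65111  # Cloud Router ASN (the "Google ASN" set in the console)
PEER_ASN = 65000    # ASN that represents the Harmony SASE side
LINK_LOCAL_BLOCK = ipaddress.ip_network("169.254.0.0/16")  # range GCP uses for BGP session addresses

# The page's PSK rule: special characters other than dot and underscore are not allowed
PSK_ALLOWED = re.compile(r"[A-Za-z0-9._]+")


def psk_is_valid(psk: str) -> bool:
    """True when the pre-shared key is non-empty and uses only letters, digits, '.' and '_'."""
    return bool(psk) and PSK_ALLOWED.fullmatch(psk) is not None


def generate_psk(length: int = 32) -> str:
    """Generate a PSK from the allowed alphabet with a CSPRNG (the CLI counterpart of Generate and copy)."""
    alphabet = string.ascii_letters + string.digits + "._"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def allocate_link_local(tunnel_count: int) -> list:
    """Hand out one /30 from 169.254.0.0/16 per tunnel as (Cloud Router BGP IP, BGP peer IP)."""
    pairs = []
    for subnet in LINK_LOCAL_BLOCK.subnets(new_prefix=30):
        if len(pairs) == tunnel_count:
            break
        router_ip, peer_ip = list(subnet.hosts())  # the two usable addresses of a /30
        pairs.append((str(router_ip), str(peer_ip)))
    return pairs


def link_local_pairs_are_unique(pairs) -> bool:
    """Check the 'unique link-local address' requirement: distinct /30s, distinct IPs, all in 169.254.0.0/16."""
    nets = {ipaddress.ip_network(f"{router_ip}/30", strict=False) for router_ip, _ in pairs}
    ips = [ipaddress.ip_address(ip) for pair in pairs for ip in pair]
    return (len(nets) == len(pairs)
            and len(set(ips)) == len(ips)
            and all(ip in LINK_LOCAL_BLOCK for ip in ips))


def build_gcloud_plan(network, region, sase_gateway_ips, psk, custom_ranges=()):
    """Return the gcloud commands for the whole GCP-side procedure. Resource names are hypothetical."""
    if len(sase_gateway_ips) != 2:
        raise ValueError("redundant tunnels need exactly two Harmony SASE gateway IPs")
    if not psk_is_valid(psk):
        raise ValueError("PSK contains characters other than letters, digits, '.' and '_'")
    pairs = allocate_link_local(2)
    assert link_local_pairs_are_unique(pairs)
    gw, peer_gw, router = "ha-vpn-gw", "harmony-sase-peer", "harmony-sase-router"
    cmds = [
        # Creating a VPN Gateway: an HA VPN gateway gets Interface 0 and Interface 1 automatically
        f"gcloud compute vpn-gateways create {gw} --network={network} --region={region}",
        # Peer VPN gateway with two interfaces, one per Harmony SASE gateway
        f"gcloud compute external-vpn-gateways create {peer_gw} "
        f"--interfaces=0={sase_gateway_ips[0]},1={sase_gateway_ips[1]}",
        # Cloud Router with the Google ASN
        f"gcloud compute routers create {router} --network={network} --region={region} --asn={GOOGLE_ASN}",
    ]
    if custom_ranges:  # optional step: advertise peered-VPC ranges in addition to all subnets
        cmds.append(
            f"gcloud compute routers update {router} --region={region} --advertisement-mode=CUSTOM "
            f"--set-advertisement-groups=ALL_SUBNETS --set-advertisement-ranges={','.join(custom_ranges)}"
        )
    for i, (router_ip, peer_ip) in enumerate(pairs):
        tunnel = f"harmony-sase-tunnel-{i + 1}"
        iface = f"if-{tunnel}"
        cmds += [
            # Both tunnels share one IKEv2 PSK; it is read from $IKE_PSK so the plan holds no secret
            f"gcloud compute vpn-tunnels create {tunnel} --region={region} --vpn-gateway={gw} --interface={i} "
            f"--peer-external-gateway={peer_gw} --peer-external-gateway-interface={i} "
            f"--router={router} --ike-version=2 --shared-secret=\"$IKE_PSK\"",
            # Cloud Router BGP IP for this tunnel
            f"gcloud compute routers add-interface {router} --region={region} --interface-name={iface} "
            f"--vpn-tunnel={tunnel} --ip-address={router_ip} --mask-length=30",
            # BGP peer IP and the Harmony SASE peer ASN
            f"gcloud compute routers add-bgp-peer {router} --region={region} --peer-name=peer-{tunnel} "
            f"--interface={iface} --peer-ip-address={peer_ip} --peer-asn={PEER_ASN}",
        ]
    return cmds


if __name__ == "__main__":
    # Constructed sample input: documentation-range IPs and a hypothetical VPC, region and peered range
    psk = generate_psk()
    print(f"export IKE_PSK='{psk}'  # also paste this PSK into both tunnels in Harmony SASE")
    for cmd in build_gcloud_plan("my-vpc", "us-central1", ["203.0.113.10", "203.0.113.20"], psk, ["10.20.0.0/16"]):
        print(cmd)
```

The same 169.254.x.y pairs and the 65000 ASN are what you later enter in the Harmony SASE Administrator Portal, so keep the printed plan alongside the PSK until both sides are configured.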

Step 2 - Creating the Tunnels in the Harmony SASE Administrator Portal

  1. Access the Harmony SASE Administrator Portal and click Networks.

  2. Click the network where you want to create the tunnel.

  3. In one of the gateways, click > Add Tunnel.

  4. Click IPSec Site-2-Site Tunnel and click Continue.

  5. Select Redundant Tunnels and click Continue.

    The Redundant IPSec Tunnels window appears.

  6. In the General Settings section:

    1. In the Name field, enter a name for your tunnel.

    2. In your GCP console, in Network Connectivity > VPN, copy and paste the values for Tunnel 1 and Tunnel 2 according to the image below.

      Enter ASN value as 65111 for both tunnels.

      Example - Tunnel 1

      Example - Tunnel 2

  7. In the Shared Settings section:

    1. In Proposal Subnets, select Any(0.0.0.0/0) for both sides.

    2. Set ASN as 65000.

      Warning - You cannot edit the ASN in Harmony SASE after you create the tunnel.

  8. In the Advanced Settings section, enter the information for your tunnel type (DPD = Dead Peer Detection, DH = Diffie Hellman group, P1/P2 = Phase 1/Phase 2):

    Cloud Vendor                                     IKE Ver  IKE Lifetime  Tunnel Lifetime  DPD Delay  DPD Timeout  Enc P1  Enc P2  Int P1  Int P2  DH P1  DH P2
    -------------------------------------------------------------------------------------------------------------------------------------------------------------
    Amazon AWS
    Single Tunnel - AWS Virtual Gateway              V2       8h            1h               10s        30s          aes256  aes256  sha512  sha512  21     21
    Single Tunnel - AWS Transit Gateway              V2       8h            1h               10s        30s          aes256  aes256  sha512  sha512  21     21
    Redundant Tunnels - AWS Virtual Private Gateway  V2       8h            1h               10s        30s          aes256  aes256  sha512  sha512  21     21
    Redundant Tunnels - AWS Transit Gateway          V2       8h            1h               10s        30s          aes256  aes256  sha512  sha512  21     21
    Google Cloud Platform
    Single Tunnel (1)                                V2       8h            1h               10s        30s          aes256  aes256  sha512  sha512  21     21
    Redundant Tunnels                                V2       8h            1h               10s        30s          aes256  aes256  sha512  sha512  21     21
    Microsoft Azure
    Single Tunnel - Azure Virtual Network Gateway    V2       3600s         27000s           10s        45s          aes256  aes256  sha1    sha1    2      2
    Redundant Tunnels - Virtual Network Gateway      V2       9h            9h               10s        30s          aes256  aes256  sha1    sha1    2      2
    Redundant Tunnels - Virtual WAN                  V2       8h            1h               10s        30s          aes256  aes256  sha256  sha256  14     14
    Other tunnel types
    Alibaba Cloud                                    V1       8h            1h               10s        30s          aes256  aes256  sha1    sha1    2      2
    IBM Cloud                                        V1       8h            1h               10s        30s          aes256  aes256  sha256  sha256  21     21

    (1) Suggested values. For other supported ciphers, see this Google article.

  9. Click Add Tunnel.

Verifying the Setup in GCP Console

  1. Access the GCP console and go to Network Connectivity > VPN.

  2. Verify that the VPN tunnel status and the BGP session status both appear with a green tick mark.
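As an added check for this verification step (example code written for this page, not part of the original), the following classifies the redundant pair from gcloud's JSON output rather than from a glance at the tick marks: with one tunnel established and one BGP session up the site still works, but the redundancy the setup was built for is gone, and that "degraded" state is the one worth alerting on. The field names (status, detailedStatus, bgpPeerStatus, numLearnedRoutes) follow the shape, assumed here, of `gcloud compute vpn-tunnels describe --format=json` and `gcloud compute routers get-status --format=json`; both samples are constructed, with tunnel 2 still handshaking.

```python
import json

# Constructed sample output (assumed shape, trimmed to the fields this check reads)
TUNNELS_JSON = json.dumps([
    {"name": "harmony-sase-tunnel-1", "status": "ESTABLISHED", "detailedStatus": "Tunnel is up and running."},
    {"name": "harmony-sase-tunnel-2", "status": "FIRST_HANDSHAKE", "detailedStatus": "Handshake in progress."},
])
ROUTER_STATUS_JSON = json.dumps({"result": {"bgpPeerStatus": [
    {"name": "peer-harmony-sase-tunnel-1", "status": "UP", "state": "Established", "numLearnedRoutes": 3},
    {"name": "peer-harmony-sase-tunnel-2", "status": "DOWN", "state": "Connect", "numLearnedRoutes": 0},
]}})

EXPECTED_TUNNELS = 2  # a redundant pair


def classify_redundancy(tunnels_json: str, router_status_json: str):
    """Return (state, findings): 'healthy' when both tunnels and both BGP sessions are up and learning
    routes, 'degraded' when traffic still flows over one tunnel, 'down' when nothing is up."""
    tunnels = json.loads(tunnels_json)
    peers = json.loads(router_status_json)["result"]["bgpPeerStatus"]
    findings = []

    up_tunnels = 0
    for t in tunnels:
        if t.get("status") == "ESTABLISHED":
            up_tunnels += 1
        else:
            findings.append(f"tunnel {t['name']}: {t.get('status')} - {t.get('detailedStatus', '')}")

    up_peers = 0
    for p in peers:
        if p.get("status") != "UP":
            findings.append(f"BGP peer {p['name']}: status {p.get('status')}, state {p.get('state')}")
        elif p.get("numLearnedRoutes", 0) == 0:
            # Session up but no prefixes learned: the Harmony SASE side is not advertising yet
            findings.append(f"BGP peer {p['name']}: UP but learned no routes")
        else:
            up_peers += 1

    if len(tunnels) != EXPECTED_TUNNELS or len(peers) != EXPECTED_TUNNELS:
        findings.append(f"expected {EXPECTED_TUNNELS} tunnels and BGP peers, found {len(tunnels)}/{len(peers)}")

    if up_tunnels == up_peers == EXPECTED_TUNNELS and not findings:
        return "healthy", findings
    if up_tunnels and up_peers:
        return "degraded", findings
    return "down", findings


if __name__ == "__main__":
    state, findings = classify_redundancy(TUNNELS_JSON, ROUTER_STATUS_JSON)
    print(state)  # "degraded" for the constructed sample
    for finding in findings:
        print(" -", finding)
```

In practice the two JSON strings come from the two gcloud commands named in the lead-in, run against the tunnels and Cloud Router created in Step 1; anything other than "healthy" is what the green tick marks would not have shown you at a glance.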